
Dan, $ donate for help-pc has possible firmware infection?


40 replies to this topic

#1 danakabradpit
  • Members
  • 38 posts
  • Gender:Male
  • Location:omaha ne

Posted 26 July 2015 - 07:43 PM

Hi guys, I am fairly new here and I am stuck using a mobile device until I temporarily fix my snag again. I have a Samsung all-in-one PC, Windows 8.1 with 8.0 preinstalled, 64-bit.

It's complicated, but the quick breakdown is this: after an MBR code reset and a fresh Windows reinstall, there is a service management configuration that comes on the system and quietly installs new services and drivers right away after all that. If you let it go, it will operate tasks and install numerous network drivers and modify the registry to open up all the gates to let other malware in as well. Meanwhile it is extracting info, even accessing my cloud drives and my cell phone which is connected to the network (wifi/bluetooth). It has toppled over every security tactic: VoodooShield, Comodo, Avast, ESET, SpyShelter, and all third-party tools will pick up on svchost infected (RogueKiller) and other bad drivers, never getting to the main source or cause of this. I managed to take some phone pics of some events I saw while in emergency mode, and right after the latest install. One more thing: the chkdsk command in administrator mode in recovery came back as upper case NTFS files in C drive corrupted, but the command to fix was a no go.

Attached Files





#2 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 31 July 2015 - 06:33 AM

Hi danakabradpit,

 

I'm not sure what you are having an issue with here. This looks like your PC has Bluetooth and the Bluetooth device is functional. This is normal behaviour for Win8. Every device gets a unique ID, which is what you see in the system information you're showing us.

 

Do you want to deactivate Bluetooth? You can do so in the Wifi Settings by simply toggling it ON/OFF.

 

regards

myrti


is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 danakabradpit
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:omaha ne

Posted 31 July 2015 - 12:23 PM

Emsisoft detected changes in my registry settings in their Emergency Kit. I tried to get help from several different sources and paid money to do so, and either I was waved off by someone barely analyzing it and assuming no infection, or I took it into a shop later for it to be re-infected. What is being shown here is a Bluetooth driver automatically installing changes to itself not even five minutes after the time I just did a complete disk clear command from the command prompt in emergency mode, from which I even cleared out all sectors on disk 0 with partitions. The command was chkdsk - diskpart - clear all. It took several hours, followed by the Windows 8 recovery disc from the factory.



#4 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 31 July 2015 - 12:26 PM

Hi,

 

Windows will automatically reinstall the 'default' drivers which come with the OS if the device is present. If you kill/remove a part of the OS, it will try to regenerate itself by reinstalling them. This is not a sign of intrusion.

 

Do you have the log of the registry keys that Emsisoft found?

 

regards

myrti




#5 danakabradpit
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:omaha ne

Posted 31 July 2015 - 12:30 PM

That is the beginning of what it does; it rapidly takes over my machine by altering the registry, shutting down Comodo firewall, and any third-party tools and A/V start to never pick up anything anymore. I've even had my icon in Control Panel in hardware Device Management disappear on me, and if that's not an infection, slap me silly. It sometimes will halt itself so you can go about your business, and with Process Hacker I've noticed if I have all notifications turned on, all of a sudden this thing will bloom from nowhere and then the machine will freeze up, and when you go to reboot you get the black screen with a mouse, a common symptom I hear about. Now, it's not a failing hard drive either. The NTFS upper case files in C drive were found corrupt in the command prompt. The biggest lead I have on the source it's coming from is that file displayed Alaska day 2006, and it's associated with those drives because



#6 danakabradpit
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:omaha ne

Posted 31 July 2015 - 12:37 PM

The drives that are hidden or infected, that somehow appear from nowhere, are labeled 2006, signed Microsoft; they have a properties attachment you find labeled -k networks. Also they come from a mysterious HKEY_USERS account found in my registry, and when you try to access some of these files and adjust permissions you are locked out entirely. I'm theorizing here, but for something to survive a complete MBR sector, partitions and so on wipe, it would have to be either in your firmware like a router, or even crazier yet, when you sign in with your Microsoft account when you first set up Windows 8, your previous settings migrate over to the Metro side and some other random things on the desktop. What if it accesses some way to lodge itself in there so that when you run your account on setting back up you get re-infected?



#7 danakabradpit
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:omaha ne

Posted 31 July 2015 - 12:38 PM

Ok, I do. I will try to post them.



#8 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 31 July 2015 - 12:53 PM

Hi,

 

To my knowledge there is no such infection. Nowadays malware has the primary goal of making money; for this it either needs to ransom the money off you, or it must run stealthily to be able to collect your data, rent out your PC to others, etc. In addition, the more 'obvious' the interference of the malware with the PC, the more easily it is detected and picked up by antivirus programs.

The fact that so many things are happening is usually more a sign of conflicting security solutions or programs. However, we will take a close look at what is on the PC, make the call then, and try to understand what is causing the symptoms as much as possible.

 

HKEY_USERS is a standard key in your registry; deleting that one would break your machine beyond repair. This key contains at least 4 separate "users": your own account; the system account, which has higher privileges to be able to run installers and such without problems (this is a default OS account that must exist; all core processes will be run by the user SYSTEM); the "network account", which is a limited account that handles incoming and outgoing calls to programs; and the 'local service', which is basically a system account with fewer permissions than the system account.

Except for your account, all these accounts are built in, but you can't log in to them, and for some parts the permissions are set such that only these built-in accounts can access the settings; that's normal, in particular for the network account.

 

The -k netsvcs/-k bhtsvc is also a 'Windows feature'. Basically what you're seeing here is a workaround to launch a DLL file as a service, where usually only EXE files are allowed. Therefore svchost.exe exists, which will launch the DLL, and the command line will be something like svchost.exe -k bhtsvc. The term following -k is a group of services which will be launched in a specific order to make sure that all cross-dependencies between the services are met.

 

Can you tell me what the NTFS upper case files were? How did you determine that it's not the hard drive?

 

It is possible for malware to set itself up in the router, unfortunately. However, it will not gain admin access to your PC from there; this is not how it works. The infections that set themselves up in the router will usually redirect your traffic through routes that either give you additional popups or reroute your search results, so that they can gain more income from displaying ads.

 

regards

myrti


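As an added example (not from this thread, and not code from Emsisoft, Process Hacker or any other tool named here), the PowerShell snippet below shows how a defender can check the two things myrti describes above: which accounts the SID-named subkeys under HKEY_USERS belong to, and which DLL each service behind an "svchost.exe -k <group>" command line actually loads. It assumes Windows 8.1 or later with PowerShell run as Administrator; the registry paths and cmdlets are standard Windows ones, while the "REVIEW" flag is this example's own label meaning "look closer", not a verdict.

```powershell
# Added example, not from the thread. Two triage helpers:
# (1) resolve the SID-named subkeys of HKEY_USERS to account names, and
# (2) map each "svchost.exe -k <group>" service group to the DLL each service loads.
# Assumes Windows 8.1+ and an elevated PowerShell session.

function Get-HkuAccountMap {
    # Each subkey of HKEY_USERS is a SID (some with a "_Classes" suffix) or ".DEFAULT".
    # Resolving the SID shows that S-1-5-18 / S-1-5-19 / S-1-5-20 are the built-in
    # SYSTEM, LOCAL SERVICE and NETWORK SERVICE accounts rather than an unknown user.
    Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
        $keyName = $_.PSChildName
        $sidText = $keyName -replace '_Classes$', ''
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # .DEFAULT is not a SID; a SID may also belong to a deleted account.
            $account = '(not a resolvable SID)'
        }
        [PSCustomObject]@{ Key = $keyName; Account = $account }
    }
}

function Get-SvchostGroupMap {
    # The group names that follow "-k" are REG_MULTI_SZ values under this key;
    # each value lists the services that share one svchost.exe process.
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $groups   = Get-ItemProperty -Path $groupKey
    $rows = foreach ($prop in $groups.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }     # skip PowerShell's own PSPath/PSDrive properties
        foreach ($svc in @($prop.Value)) {
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            if (-not (Test-Path $svcKey)) { continue } # a group may list services that are not installed
            $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
            if (-not $params -or -not $params.ServiceDll) { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
            $status = if (Test-Path $dll) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else {
                'FileMissing'
            }
            # Flag a DLL outside System32 or without a valid signature for a closer look.
            # Caveat: on some systems catalog-signed Windows DLLs report NotSigned here,
            # so "REVIEW" means "verify by hand", not "malicious".
            $inSystem32 = $dll -like "$env:SystemRoot\System32\*"
            $flag = if ($status -eq 'Valid' -and $inSystem32) { 'ok' } else { 'REVIEW' }
            [PSCustomObject]@{
                Group      = $prop.Name
                Service    = $svc
                ServiceDll = $dll
                Signature  = $status
                Flag       = $flag
            }
        }
    }
    $rows
}

Get-HkuAccountMap | Format-Table -AutoSize
Get-SvchostGroupMap | Sort-Object Flag, Group, Service | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; the second table groups services exactly the way the "-k" argument does, so a line such as "svchost.exe -k netsvcs" in Process Hacker can be matched against the DLLs that group is expected to load.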


#9 danakabradpit
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:omaha ne

Posted 31 July 2015 - 01:05 PM

Ok, you see in that picture that displays the message Alaska day 2006? What kind of file is that then? And if it's not associated with Microsoft, how did it appear only several minutes exactly right after booting up from a 100% fresh reinstall from the Windows 8 disc?



#10 danakabradpit
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:omaha ne

Posted 31 July 2015 - 01:07 PM

Also, I am having issues: I took a pic from my Windows phone of the logs in case they wouldn't survive, and at the time I was being blocked from uploading them. How do I upload these pics from my Windows phone?



#11 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 31 July 2015 - 01:10 PM

Hi,

 

BleepingComputer only allows a limited amount of storage for uploads since we have so many users. Can you upload them to the cloud and post the link to them here? (Or PM me the link if you prefer. However, the help stays in this thread. :))

 

regards

myrti




#12 danakabradpit
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:omaha ne

Posted 31 July 2015 - 01:15 PM

Ok, btw thanks for helping me on this; nobody else wants to touch me with a ten-foot pole it seems like, so this does mean a lot to me. I depend a lot on this PC, lol. I am using a Nokia Lumia 830, so it's wired real well to OneDrive. You think OneDrive? Well, it asks for a URL, so if I upload it, or I think it automatically does, it would have a URL? Btw, do you have a PayPal account so if we get this somewhat handled I can throw in the bucket, so to speak?



#13 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 31 July 2015 - 01:24 PM

Hi,

 

These topics are always difficult. It's much harder to be sure that nothing is there than to find that something is there. It's much simpler for us to remove what is there than to ensure that nothing is there.

 

I was thinking that your photos from the phone might be synced to some kind of online storage. I've unfortunately never touched a Lumia, so I cannot really help with that. This is a link on how to upload the pictures to SkyDrive: http://www.windowsphone.com/en-us/how-to/wp7/pictures/upload-pictures-to-the-web and share it.

 

regards

myrti




#14 danakabradpit
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:omaha ne

Posted 31 July 2015 - 03:16 PM

In these you can see how the user account is modifying my components to block me from areas I am usually accessing; I've seen it block me from msconfig, Task Manager, Control Panel, deleting partitions, block my keyboard even when booting from the F2 key, you name it. It has a mind of its own and is very intelligent. It has attempted to quirk itself around Shadow Defender too, but sometimes if it doesn't work on the first reboot a second reboot will do the trick, so then it will have to start all over again. Lol

Attached Files



#15 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 31 July 2015 - 03:53 PM

Hi,
 
What did you run prior to Emsisoft's Emergency Kit? These are all values which are detected by Emsisoft because they don't exist by default, irrespective of their setting.
Did you notice Task Manager no longer opening before you ran the Emergency Kit? Or regedit?
 
Can you tell me what program the second & third pic are from? Also Emsisoft? I can't make it out from the pictures.
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST, then click "Run as administrator" (XP users: click Run after receipt of the Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 

Let me know if you run into problems with that. The tool can also be run from the recovery console, where no interference is possible. But I would prefer a log from normal mode for now.

regards

myrti

