
Multiple issues after hard drive nuke, possible rootkit?


3 replies to this topic

#1 Chirality

Chirality

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:23 PM

Posted 19 November 2017 - 06:15 PM

Hi, so I've been having issues with my PC since March, when I suspected that my network got compromised on Windows 7. I was using Bitdefender without a TPM, but I decided to update to Windows 10 Home. Since that time, I have reformatted Windows 2 times, and nuked my new SSD drives twice, because I began having issues with USB devices going out intermittently (mouse, keyboard, monitor). After one nuke and attempt at Windows Update, the Windows install got corrupted during the update process, and never even got to a stable running version.

I'm running on an install post-DBAN now that will run completely stable offline, but shows strange artifacts in Event Viewer (different system times logged sequentially, desktop name has changed, possibly indicating registry/hardware ID changes, sound card and onboard sound both will occasionally go out).

I located several redundant hidden devices in Device Manager (which I found odd for a clean install that has only had one set of devices paired with it) and tried uninstalling them. I still continue to have issues intermittently, however.

Timeline:

03/17 - Suspected Windows compromise; used it as an opportunity to upgrade to Win10. Roommate and I had suspicious networking issues despite a solid connection from the cable company. Google redirects and search results began being clipped. At times issues seemed to be located PC-side rather than NAT-side (lag with low ping, massive unexplained stutters despite having run MemTest and stress tests on the system).

04/17 - Bought a new SSD and installed Win10 on it to reformat, and issues seemed to subside for a time.

07/17 - Reformatted again to adjust hardware inside the PC case; comp seemed to run normally.

08/17 - Connected PC to home Wi-Fi with a Netgear dongle, and devices began to cut out on me. Reformatted using a Windows 10 USB with the same results.

09/17 - Used DBAN to erase all hard drives. However, after a new install of Windows, Windows Update would not stay up to date. It would claim current, but KB versions did not match. Phone and Nexus tablet (on home network) began showing outdated versions of security patches. Began to suspect my whole home network was targeted. (Uploaded firmware to the router using the tablet that began showing issues, so possibly an infected router?)

10/17 - DBAN erased again, and installed Windows updates from another network. Continuing issues with the install of Windows, typically within minutes or sometimes hours of hooking the ethernet cable back up. Phone completely stopped functioning and I was forced to do a hard reset. (Have never rooted phone or tablet, but after checking Android logs, somehow the com.android.phone process was written to 0x0.)

11/17 - Current PC install still has issues intermittently; phone shows signs that the hard reset did not correct the infection. Made a small airgapped system with my Windows 7 install that I plugged a (previously used) formatted thumb drive into, and immediately the system began having trouble locating drivers. Hoping to turn this into a gateway for home devices, but I want to solve my PC issues and possibly even save some logs etc. if I need to provide info to police. Other members of my family have begun having the same problem. (I have my suspicions about the source of all of the trouble, but I need to collect info first.)

Tried running MBAR with no results; ran GMER but had program crashes on IAT/EAT, and a bluescreen crash on Trace I/O. Any help would be very appreciated.


Edited by hamluis, 19 November 2017 - 06:39 PM.
Moved from MRL to Am I Infected - Hamluis.
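The artefacts the poster lists (clock jumps in Event Viewer, a changed computer name, phantom devices in Device Manager, a KB list that disagrees with what Windows Update claims) are all things Windows records and that can be pulled into one plain-text log. The script below is an added example and not part of the thread or of any tool the thread names; it is read-only, targets Windows PowerShell 5.1 on Windows 10, and the function names, the report path and the choice of which events to pull are this example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): read-only triage of the artefacts the
# original poster describes. Writes Triage-Baseline.txt to the Desktop so it
# can be compared with a known-good machine or posted as a log.
# Function names and the report path are this example's own choices.

function Get-TimeChangeEvents {
    # Kernel-General event ID 1 is logged each time the system clock is changed.
    # A run of these with out-of-order timestamps explains "different system
    # times logged sequentially"; the message says what set the clock.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 1
    } -MaxEvents 25 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Get-PendingComputerRename {
    # Windows stores the name in use and the name that takes effect at next boot
    # in two registry keys; a mismatch means a rename is pending.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName'
    $active = (Get-ItemProperty -Path "$base\ActiveComputerName").ComputerName
    $next   = (Get-ItemProperty -Path "$base\ComputerName").ComputerName
    [pscustomobject]@{
        ActiveName    = $active
        NextBootName  = $next
        RenamePending = ($active -ne $next)
    }
}

function Get-NonPresentDevices {
    # Devices Windows still knows about but that are not currently attached.
    # A few are normal (removable media); many duplicate "ghost" entries for the
    # same hardware on a fresh install is what the poster found odd.
    Get-PnpDevice -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Present } |
        Sort-Object Class, FriendlyName |
        Select-Object Class, FriendlyName, InstanceId
}

function Get-PatchBaseline {
    # OS build plus installed KBs, for comparison with what Windows Update claims
    # (the poster's "KB versions did not match").
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $kbs = Get-HotFix | Sort-Object InstalledOn |
        ForEach-Object { '{0} {1:yyyy-MM-dd}' -f $_.HotFixID, $_.InstalledOn }
    [pscustomobject]@{
        Caption  = $os.Caption
        Build    = $os.BuildNumber
        LastBoot = $os.LastBootUpTime
        HotFixes = ($kbs -join ', ')
    }
}

function New-TriageReport {
    param(
        [string]$ReportPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Triage-Baseline.txt')
    )
    $sections = [ordered]@{
        'Computer name'       = Get-PendingComputerRename
        'Patch baseline'      = Get-PatchBaseline
        'System time changes' = Get-TimeChangeEvents
        'Non-present devices' = Get-NonPresentDevices
    }
    $out = foreach ($name in $sections.Keys) {
        "==== $name ===="
        $sections[$name] | Format-List | Out-String -Width 200
    }
    $out | Set-Content -Path $ReportPath -Encoding UTF8
    return $ReportPath
}

New-TriageReport
```

The script changes nothing on the machine; every section is a read of a log, a registry key or a CIM class. Run it once on the suspect install and once on a machine you trust, and diff the two reports: a pending rename, a clock reset by something other than the Windows Time service, or a phantom-device list that grows between reboots are the findings worth raising in a thread like this one.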




#2 Unworn_Kilt

Unworn_Kilt

  • Members
  • 237 posts
  • OFFLINE
  • Gender:Male
  • Location:Australia
  • Local time:07:23 AM

Posted 29 November 2017 - 04:39 AM

G'day and Welcome,

Please note: I am a Standard Member like you. I am NOT a Trained Malware Removal Expert. If you are worried by anything I suggest please speak to a Staff Member or Moderator. That said, I will do my best to assist you. I have been working on and with computers since the 1970s.

My apologies for the delay in getting to your Topic. Things get very busy around here!

There are a couple of options you have here:

OPTION 1:

Go to the Virus, Trojan, Spyware, and Malware Removal Logs Section and Follow the Instructions there. Be prepared to wait quite a while as I know they are Extremely busy at present.

OPTION 2:

I'm happy to assist you as best I can.

Please bear in mind that the tools I'm permitted to use are not as extensive as those of the Experts. This is for your protection!

If you would like me to assist you, please follow the steps I will outline below. (You may wish to print them out for reference purposes.)

Please remember if you choose this option, if anything is unclear or you have any doubts or concerns, please message me before proceeding. Some of the terminology will likely be foreign to you. Take your time and don't stress. There should be very little that can cause problems if the instructions are followed. If you need help, please ask me. There is no such thing as a "silly question" when troubleshooting!!

For OPTION 2, please continue.........

Things have been extremely busy around here recently. Apologies for the delay!

I suggest you consider downloading and running the following Tool on the affected machine(s).

Ensure that the computers are removed from the Network before running the file.

You access the following EXTERNAL LINK at YOUR OWN RISK. Neither BleepingComputer.com nor anyone associated with BleepingComputer.com can accept or assume any liability for the results of accessing external links. By accessing the external link you assume all liability for doing so and any resultant effect whatsoever.

https://www.avg.com/en-us/remove-win32-neshta

I am suggesting this as I had this infection a short while ago and your symptoms are very similar.

That said, in your instance, I believe this to be a reasonable starting point based on the information supplied.

I have a personal interest in this type of infector.

Please post back any resulting logs.

That's a starting point. Please post back the results of the scan. If it is not a solution, we will work toward one.

All the best!

Kilt. :thumbup2:


PLEASE NOTE

I am only a Standard Member, NOT a Trained Malware Removal Expert. If you have ANY concerns regarding any advice I may give, please contact a Member of Staff before making changes.

Thanks!

** Walk Softly and Carry a Big Stick **

 

 

 


#3 Chirality

Chirality
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:23 PM

Posted 01 December 2017 - 03:14 AM


Here's the log for you. https://expirebox.com/download/aabf6fc8c3eaef8bfd11bf0ff5c92d5b.html
I've been having so much trouble with my computer lately because my parents have been asking for my help, and I can't understand them at all. This whole situation makes me feel like I'm being punished for something I didn't do.

Edited by Chirality, 01 December 2017 - 04:04 AM.


#4 Unworn_Kilt

Unworn_Kilt

  • Members
  • 237 posts
  • OFFLINE
  • Gender:Male
  • Location:Australia
  • Local time:07:23 AM

Posted 01 December 2017 - 05:16 PM

G'day again Chirality,

Thanks for running that tool. It appears clean. That's good. Excellent in fact!!

Sorry about the wait. I have tailored these next steps together for you.

We will do all we can to get this computer back to good health.

Now for some more steps........

These instructions will be quite complex and lengthy. I suggest you print them out to make things easier, if possible.

Please save the tools to your Desktop for simplicity.

DO NOT ENCLOSE REPORTS IN QUOTES OR DELETE OR INSERT ANY CHARACTERS!!!!!!!

PLEASE POST ALL REPORTS IN PLAIN TEXT. ENSURE YOU INCLUDE REPORT HEADERS.

Don't Attach them either.....Pleeeez!

Please make sure you have Backed Up your Files and Save any Work you have Open before proceeding!

You can find free Back Up Software in the Bleeping Computer "Downloads" Section.

It's unlikely that anything I ask you to do will wipe your data, but better to be safe than sorry.

Some Tools may Close Down any Open Windows or Programs, please be aware of this!

Remember that there is no such thing as a "Stupid Question." If you encounter ANY problems or difficulties along the way, STOP & Message Me!!

**Read All Notes Below Individual Instructions BEFORE Running the Tools.**

Let's Get Started..........

Please download a copy of a program called RKill (Courtesy of Grinler at Bleeping Computer) which is available at the links below:

(This program attempts to stop any running malware processes so other tools may function efficiently. This is in addition to a few other useful things.)

Save it to your Desktop so you can easily locate it.

(If one won't run, download the other: Malware sometimes recognises RKill.exe and tries to interfere with it.)

  • RKill.exe <<== Try this first.
  • RKill as iExplore.exe <<== Try this one if option one doesn't work.

  • Right Click RKill and Select "Run As Administrator."
  • Soon after a Black Box will appear while RKill Runs. (This is normal. It may seem to stall, please be patient.)
  • When RKill has finished it will Open a Report in Notepad.
  • RKill will also save a copy of its log to your Desktop called "RKill.log"
  • After RKill has run successfully Don't Restart your computer until the other tools have run. (If you need to reboot, re-run RKill please.)
  • Please Copy and Paste the contents of the Report into your Next Reply.
  • If RKill will not run in Normal Windows Mode, Restart in Safe Mode and Repeat the above Steps.

NOTES:

  • Please Ignore any warnings about RKill containing Viruses or Trojans etc.
  • If necessary, shut down or temporarily disable your Antivirus while RKill runs.
  • Don't forget to Re-enable your Anti-Virus (if you needed to shut it down) once RKill completes.
  • If RKill still won't run, please Post back here and advise me. (After trying Both Versions and Safe Mode.) Please note any Error messages or other useful troubleshooting information and Include it in your Reply.

Next.....

Please Download the Security Check Tool (by screen317) from HERE & save it to your Desktop.

  • Right Click on SecurityCheck and Select "Run As Administrator."
  • Follow the Prompts in the Black Box which opens on your screen.
  • A Notepad Document called Checkup.txt should open Automatically.
  • Please Copy & Paste the Contents of Checkup.txt into your Next Reply.

Please Note the Following:

  • If you receive an "UNSUPPORTED OPERATING SYSTEM! ABORTED!" message, please Restart Windows and Security Check should Run Fine.
  • Should a problem persist, please Post Back Here and include any Error Messages & Other Useful Information.
  • Security Check may require you to permit "Dig.exe" to access the internet. Please allow access through your Firewall if necessary.
  • It is not uncommon for Security Check to generate "false positives" from some Anti-Virus/Anti-Malware Programs. Please Ignore These if They Occur.

Next.....

Download Farbar Service Scanner (FSS) onto your Desktop: HERE

Please Ensure the following Options are Selected:

  • RpcSs and PlugPlay <= (May be greyed out.)
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other Services

(Please Don't Click the "Search Files" or "Export Service" Buttons)

Click the Scan button to start scanning.

(FSS can take a short while to complete.)

  • When the Scan is Complete, a Report should Pop-Up.
  • Please Copy and Paste the Contents into your Reply.

*(The Tool will create a log file called FSS.txt in the Folder the Tool is Run From. That log will be saved. If there are any problems with the Pop-Up one, Copy from FSS.txt.)

Next.....

Download MiniToolBox (By FARBAR) to your Desktop: HERE

Right Click the Blue\Black MiniToolBox Icon and Select "Run as Administrator."

(The Tool will show Version: 17-06-2016 in the title bar.)

Select the following Check-boxes:

  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (DO NOT change any settings for this - Only "Problems" should be set by Default.)
  • List Users, Partitions and Memory size
  • List Minidump Files
  • List Restore Points

Click the "Go" Button.

  • A Report should Pop-Up on your screen. Please copy the contents into your Next Reply.
  • (If you accidentally "kill" the Notepad Report, all is not lost, it should be saved on your Desktop as MTB.txt)

Next.....

Download a Copy of Malwarebytes V.3.3.1.2183 HERE

Please Save To Desktop.

Right Click the Installer Icon and Select "Run as Administrator."

Follow the Prompts throughout the Installation Process. Then give it a minute.

If Malwarebytes has not auto-started, Right Click the Desktop Icon and select "Run as Administrator."

If you wish to use it now, enable the Trial License. (I suggest you enable the Trial [Once Only, Time Limited] if the option is available and you don't have a license. This should permit Auto-Updating to the latest versions and definitions during the trial period.) I believe a license costs about US$39.00. I use this myself and it's surprising how much it catches (I'm not on the payroll!) A license is not necessary to perform a Simple Scan.

Once it has started, Malwarebytes may Update. If it does, allow it to complete the process.

You should now be at the "Dashboard."

  • Click Settings, then Application:

Enable the Following available Options if Not Enabled: (Note that Trial Mode/License is Required for Some Options) A Simple Scan doesn't need a license.

  • Automatically download and install application updates (Trial or License Only)
  • Notify me when full version updates are available (Trial or License Only)
  • Show Malwarebytes notifications in the Windows System Tray
  • Show Notifications when Real Time Protection settings are turned off (Trial or License Only)
  • Set Manual Scans to have high priority (May Require Trial or License)
  • Configure Proxy Server if you use one. (If you don't know what this means you likely don't. If in doubt, CHECK!)

Now switch to the Protection Tab and where possible Enable:

  • Web Protection (Trial or License Only)
  • Exploit Protection (Trial or License Only)
  • Malware Protection (Real-time - Trial or License Only)
  • Ransomware Protection (Trial or License Only)
  • Scan for Rootkits. (May Require Trial or License)
  • Scan within Archives.
  • Use Signature-Less anomaly detection for increased protection (If available)
  • Always detect PUPs
  • Always detect PUMs
  • Automatically check for updates (Select Check every 15 Mins.) (Trial or License Only)
  • Notify if time since last update exceeds 24 hours (Trial or License Only)
  • Start Malwarebytes at Windows Startup (Trial or License Only)
  • Enable Self Protection Module (May Require Trial or License)
  • Enable Self Protection Early Start (May Require Trial or License)
  • Automatically quarantine detected Malware (May Require Trial or License)

Now Return to Dashboard.

(See Note Below BEFORE CLICKING.) Click Scan. Malwarebytes may update again prior to starting the scan.

The scan may take some time.

NOTE:

*If you've activated Trial or have a License, and you have more than one accessible drive partition (i.e. C: & D: etc.), consider using Threat Scan, Select All Drives and ensure scanning for Rootkits is enabled. (The Rootkit option MAY not be available to you if you haven't activated Trial, or don't have a license. I don't recall.) Threat Scan should be available anyhow, and a Rootkit Scan would be helpful, though it is not mandatory at this point.

Once the Scan is complete, please ensure you select any Threats found and Remove Them.

Please obtain a copy of your Scan Report from the Reports section and Paste it into your Next Reply.

Note: If you're not running the Updated Program Via Trial or License, you may need to Obtain your Scan Log by going to History, then Application Logs.

Next.....

Please Download Sophos Virus Removal Tool: HERE

Please save this to your Desktop.

Right Click the Installer Icon to commence the Installation Process.

  • Click Next
  • Accept the Terms and Conditions if you agree. (If not, things sort of grind to a halt for a while :) You'll need to Post here again.)
  • Click Next
  • Click Install
  • Click Finish to end the Installation process.

Once the Install is complete you should be the proud "Licensee" of a copy of Sophos Virus Removal Tool, complete with Shiny New Desktop Launch Icon and Start Menu Additions!!

  • Right Click on the Sophos VRT Icon and Select "Run as Administrator."
  • The SVRT should now launch and Update. (Make sure you're connected to the 'Net if possible.)
  • The SVRT will announce that it is Up to Date.
  • Click Start Scanning.
  • The SVRT should start scanning accordingly.
  • Allow the scan to complete.
  • Dispose of any located Threats, ensuring that you Copy and Paste the Log File into your Next Reply!

And......... There endeth today's effort.

One last thought. Please search your Android contacts list for the word "global" and let me know if anything turns up.

It's going to take me a little while to go over your logs and conduct any necessary research.

Once I've completed that and grabbed a few winks of sleep, I'll post back with any Results.

It may take me a little while, but I know you can do without the "grief" you mentioned, so I'll be as quick as I can.

By the way, you can keep the SVRT on your computer and Update it to Scan Regularly.

Please don't assume that if Sophos finds something all is well. We need to check the logs too.

If it was as simple as just SVRT, I would have jumped straight there. Fingers crossed.

Watch your email.

Once we're done with Cleaning your computer, we'll get rid of any excess tools.

Next.....

Take some downtime and get some rest yourself.

Cheers for now!

KILT :thumbup2:


Edited by Unworn_Kilt, 01 December 2017 - 06:01 PM.
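Farbar Service Scanner and MiniToolBox, as used in the steps above, pull a fixed set of evidence: the state of the services an infection typically disables (RPC, Plug and Play, firewall, Security Center, Windows Update, Defender, System Restore), the hosts file, the WinINET proxy settings, the Winsock catalog, recent Event Viewer errors, minidumps and restore points. The script below is an added example that is not from the thread, from Farbar or from any of the tools it names; it collects those same categories with built-in PowerShell and netsh so a reader can see what those reports are actually looking at. It assumes Windows PowerShell 5.1 on Windows 10, and the service list, the function names and the report path are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or from Farbar's tools): read-only
# collection of the evidence FSS and MiniToolBox report, written to
# Triage-Network.txt on the Desktop. Assumes Windows PowerShell 5.1.
# The service list, function names and report path are this example's own.

function Get-CoreServiceState {
    # Services that malware commonly stops or disables to evade detection or
    # block updates. A Status of Stopped or StartType of Disabled on any of
    # these, or a MISSING service, is a finding.
    $wanted = [ordered]@{
        RpcSs     = 'Remote Procedure Call'
        PlugPlay  = 'Plug and Play'
        mpssvc    = 'Windows Defender Firewall'
        BFE       = 'Base Filtering Engine'
        wscsvc    = 'Security Center'
        wuauserv  = 'Windows Update'
        WinDefend = 'Windows Defender Antivirus'
        VSS       = 'Volume Shadow Copy (System Restore)'
        Dnscache  = 'DNS Client'
    }
    foreach ($name in $wanted.Keys) {
        $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status }    else { 'MISSING' }
        $start  = if ($svc) { $svc.StartType } else { 'n/a' }
        [pscustomobject]@{ Service = $name; Purpose = $wanted[$name]; Status = $status; StartType = $start }
    }
}

function Get-HostsOverrides {
    # Every non-comment line in the hosts file overrides DNS for that name.
    # On a clean install this returns nothing.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

function Get-ProxyConfiguration {
    # WinINET (IE) proxy settings, inherited by most Windows software.
    # A ProxyServer or AutoConfigURL the user never set means traffic is being
    # routed through something else.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Get-ItemProperty -Path $key |
        Select-Object ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL
}

function Get-WinsockCatalog {
    # Winsock layered providers. Look for a Provider Path outside System32.
    netsh winsock show catalog | Where-Object { $_ -match 'Description|Provider Path' }
}

function Get-RecentSystemErrors {
    param([int]$Count = 10)
    # MiniToolBox's "last 10 Event Viewer log" equivalent, errors only (Level 2).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Get-DumpsAndRestorePoints {
    # Minidumps (the poster's bluescreens) and restore-point count.
    $dumps = Get-ChildItem -Path (Join-Path $env:SystemRoot 'Minidump') -Filter '*.dmp' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Minidumps     = ($dumps -join ', ')
        RestorePoints = (Get-ComputerRestorePoint -ErrorAction SilentlyContinue | Measure-Object).Count
    }
}

function New-NetworkTriageReport {
    param(
        [string]$ReportPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Triage-Network.txt')
    )
    $sections = [ordered]@{
        'Core services'        = Get-CoreServiceState
        'Hosts file overrides' = Get-HostsOverrides
        'Proxy configuration'  = Get-ProxyConfiguration
        'Winsock catalog'      = Get-WinsockCatalog
        'Recent system errors' = Get-RecentSystemErrors
        'Dumps and restore points' = Get-DumpsAndRestorePoints
    }
    $out = foreach ($name in $sections.Keys) {
        "==== $name ===="
        $sections[$name] | Out-String -Width 200
    }
    $out | Set-Content -Path $ReportPath -Encoding UTF8
    return $ReportPath
}

New-NetworkTriageReport
```

Nothing here changes state, so it is safe to run before the removal tools; a stopped Security Center, a populated hosts file, an unexpected AutoConfigURL, or a Winsock provider loaded from a user-writable path are exactly the lines a helper would ask about after reading an FSS or MiniToolBox log.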


 

 

 




