secret drive with suspicious drivers


8 replies to this topic

#1 lucidstorm

  • Members
  • 71 posts

Posted 16 January 2018 - 12:05 PM

hi

 

I have a hidden disk reappearing at each reboot after I format it. This jumping disk contains suspicious DLLs (listed in the attachment) that can't be seen by any program I have tried. They occupy disk space (images 1 and 2). They might be normal files or files deployed to obfuscate antivirus scans, since they correspond to the antivirus installed. To confirm this, once I delete these DLLs, I can see new files in the DLL scanner (used: No Virus Thanks dllexplorer.exe).

 

These drivers keep jumping from one drive to another after I format the disks.

 

 

Once I delete these DLLs from the disk and rescan for suspicious DLLs, I finally get new entries of new DLLs tagged as suspicious on other disks as well. To delete them I have to wipe the partition (format). I believe there might be DLL hooks; Yaguard stopped some explorer.exe attempt. Fixed hooks reported by AVZ and suspicions for trojans, PC Hunter still showing some irregularities (images below). I was able to remove hooks in red from origin.exe and disable a guest account that I never created (they are disabled). Any way to stop the replication of these disks?

 

I notice hacker activity when I use origin.exe by EA (gaming app), Razer and Discord. Uninstalled them completely. I suspect I have been hacked since I saw a crackwin10tool appearing live on my desktop not long ago (closed thread 'hacker activity' because nobody answered me). Removing these apps was very hard; there were a lot of leftovers as sys drivers.

 

This is the crack tool deployed by the hacker (my Windows is genuine); this happened after I clicked a link from somebody who appeared trustworthy on Discord (I am still unsure if this is pure coincidence).

Bleeping.png

 

It might be that everything is alright and it's just the disk that keeps recreating; I only get suspicious files and no full confirmation (maybe they are created by some AV or Windows). I would be surprised if this is hacker activity since I have nothing of interest on the PC and am just a non-commercial, boring user.

 

best

Attached Files

  • Attached File  1.png   82.78KB   0 downloads
  • Attached File  4.png   65.96KB   0 downloads
  • Attached File  DLLExplorer.log   44.89KB   3 downloads
  • Attached File  Addition.txt   40.23KB   5 downloads
  • Attached File  FRST.txt   176.91KB   6 downloads
  • Attached File  3.png   165.04KB   0 downloads
  • Attached File  2.png   61.35KB   0 downloads

Edited by lucidstorm, 16 January 2018 - 12:31 PM.



#2 lucidstorm

  • Topic Starter
  • Members
  • 71 posts

Posted 16 January 2018 - 01:06 PM

To protect myself from a potential hacker I installed TOR (my Chrome was behaving strangely with certificate failures), but uninstalled it after gathering info that it is used by criminals. Please help inb4 I install another weird program and compromise the PC further.

 

Anyway, do you think it is a good idea? It might work vs hackers because I can't see myself inside the router menu, but I am afraid of finding illegal content there (TOR I mean).


Edited by lucidstorm, 16 January 2018 - 02:49 PM.


#3 lucidstorm

  • Topic Starter
  • Members
  • 71 posts

Posted 18 January 2018 - 11:53 AM

I have tried to reformat, but after installing Windows Update I don't have permissions to modify any file and the UAC is set permanently to lowest.

I can't install any Windows update; it downloads even though I disabled the internet wifi connection, but fails to install and only installs some of the updates.

Will somebody help me at some point, or am I on the ignore list permanently?

best regards


Edited by lucidstorm, 18 January 2018 - 12:22 PM.


#4 lucidstorm

  • Topic Starter
  • Members
  • 71 posts

Posted 18 January 2018 - 02:15 PM

Since I believe this is weird I'd like to completely format every drive and install from nothing; I need assistance with that. I don't understand why the MountPointManager database is on disk D (with impossible-to-delete klmeta.dat and logs) and the OS is on C, why the ESP is on disk G at the same time, and the system image is on another disk entirely. It's a complete mess with the structure, with 3 partitions per drive, and I need help with this (format everything) and unify. Also, once I delete files in drive F's $Recycle.Bin, the same $bin with files is remade on another drive. Why is it like this? Because I installed a drive from a laptop that had an ESP, MBR and image on a system that already had all of these!! I was happy it worked so I didn't bother changing anything.

 

 

I will be installing win 7, then 10, on uefi capable card. 


Edited by lucidstorm, 18 January 2018 - 02:22 PM.


#5 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,785 posts
  • Gender:Male
  • Location:California

Posted 18 January 2018 - 02:27 PM

Greetings,

Since this is better suited for the Windows 10 Forum I am going to move this topic there.

Edited by Oh My!, 18 January 2018 - 02:29 PM.
Moved to Windows 10

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 Kilroy

  • BC Advisor
  • 3,362 posts
  • Gender:Male
  • Location:Launderdale, MN

Posted 18 January 2018 - 03:33 PM

Please see the Doing a Completely Clean Install of Windows 10 posting that is pinned to the top of this forum. You should only need to format your Windows drive, normally C:. After you have Windows reinstalled, scan your other drives for infection.

 

Security is a fine line between security and usability. Since you have been infected previously, running with a standard account rather than an Admin account is highly recommended. Turning UAC down is also not recommended; it is there to protect you. Once you have a machine set up, UAC is rarely an issue.

 

TOR has known issues that have been exploited by the government to find TOR users by infecting their machines.



#7 lucidstorm

  • Topic Starter
  • Members
  • 71 posts

Posted 21 January 2018 - 07:07 AM

Oh My!

 

Greetings, I am set to use multiple OSes because I have valid licenses and SSD + RAM drives were cheap 2 years ago, so why not. Win 7 and 10 for now.

After exactly 4 formats (I can format all and reinstall in 3 minutes with USB 3.0 on a PCIe SSD) I don't see DLL hooks in AVZ or PC Hunter nor additional streams, so either the hacker got clever, or I am clean, or he thought I am boring and moved on. Also it's cool that you can switch OS when you break something.

 

 

Kilroy

@Kilroy

 

Indeed, I tried some security programs because I got hacked by a ''script kiddo'' (he hacked via Discord just when I clicked his link, then he planted a crackwin10 tool; he also managed to send me a gibberish message via some unknown communicator when I was playing on Origin by EA - I made screenshots), like VPN and IP-showing apps + TOR, which I used for literally 10 minutes - in my opinion it's great because you are not seen in the router, but it has a bad reputation and lags like hell.

 

Since those downloads I can see that as soon as I connect to the INTERNET (not even opening a www site) I have IP blocking of the UK Government Dept. for Work and Pensions; I checked and it's them. If I go to any VPN sites I also receive connection attempts from UK GOV, but with a far larger number. PeerBlock is telling me that, but I am not sure it's legitimate and working security software (I am trying them all).

 

What I am saying is that if you pick a random car in the street and follow it for 30 minutes you will see at least 5 infractions; now follow it for 1 year and you can put the whole country in jail.

 

Sick world: you can either be hacked by crooks, and if you try to protect yourself with a VPN you are hacked by the UK government. I am sure these GOV exploits and 'checks' leave the door open for bad people afterwards. I hope they patch their security holes!

I got this problem after installing VPN/TOR.

 

Starting to hate the Internet, full of trolls, criminals, predators, secret service agencies/ISPs/institutions spying even when you go to the toilet, trying to datamine everything for profit. I am going to vomit - how am I supposed to defend myself against some Kali Linux kiddo scanning my ports if not with a VPN, which in turn puts me on a red flag - suspicious for the government.

 

Imo and all that, cheers

/thread


Edited by lucidstorm, 21 January 2018 - 11:39 AM.


#8 lucidstorm

  • Topic Starter
  • Members
  • 71 posts

Posted 21 January 2018 - 08:25 AM

If you still want to help, it would be cool if you told me how to completely disable $administrative shares and ''unauthenticated user connections''. That would increase security a little. I managed to format + wipe/reinstall and fix the EFI structure.

 

problems I am facing:

 

>> disk drive autorun is enabled (I disabled autorun in Control Panel for all but it still shows up according to Kaspersky)

>> administrative shares (C$, D$) are enabled

>> anonymous user access is enabled

 

for win 7 and 10 (most urgent 7)

 

Please help me fix this so I can feel better and the job is complete, especially since that third item is scary. Hmm, maybe: RestrictAnonymous, located in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA key?

 

I am a home user of Windows, no weird logs in Farbar, this is a clean install.


Edited by lucidstorm, 21 January 2018 - 10:14 AM.
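The three items in the post above (drive AutoRun, automatic administrative shares, anonymous access) each map to a documented registry value, and RestrictAnonymous under the LSA key the poster guessed is indeed one of them. The following PowerShell script is an added example and is not code posted in the thread; it reports the current state of each setting on a Windows 7 or 10 workstation and, only when run with -Apply, writes the restrictive value. The descriptive check names are my own labels; the registry paths and value names are the standard Windows ones.

```powershell
# Added example (not from the thread). Audit the settings asked about in
# post #8 and, with -Apply, harden them. Run from an elevated PowerShell
# prompt. The AutoShareWks change takes effect after the Server service
# (LanmanServer) restarts or after a reboot.
param([switch]$Apply)

$checks = @(
    @{  Name  = 'AutoRun/AutoPlay disabled for every drive type'
        Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value = 'NoDriveTypeAutoRun'; Want = 0xFF },
    @{  Name  = 'Automatic admin shares (C$, D$, ADMIN$) not created'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Value = 'AutoShareWks'; Want = 0 },
    @{  Name  = 'Anonymous enumeration of SAM accounts blocked'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value = 'RestrictAnonymousSAM'; Want = 1 },
    @{  Name  = 'Anonymous enumeration of SAM accounts and shares blocked'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value = 'RestrictAnonymous'; Want = 1 },
    @{  Name  = 'Everyone group does not include anonymous logons'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value = 'EveryoneIncludesAnonymous'; Want = 0 }
)

foreach ($c in $checks) {
    # A missing value means Windows is using its default, which for these
    # settings is the permissive one, so treat "not set" as needing a fix.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $state   = if ($null -eq $current) { 'not set' } else { $current }
    $ok      = ($null -ne $current) -and ($current -eq $c.Want)
    $tag     = if ($ok) { 'OK ' } else { 'FIX' }
    "{0} {1} [{2}\{3} = {4}]" -f $tag, $c.Name, $c.Path, $c.Value, $state

    if (-not $ok -and $Apply) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        # -Force overwrites an existing value or creates a missing one.
        New-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want `
            -PropertyType DWord -Force | Out-Null
    }
}

# Show what is actually shared right now (works on Windows 7 and 10 alike).
# IPC$ remains because Windows needs it; C$, D$ and ADMIN$ should be gone
# after the Server service restarts.
net share
```

Run it once without -Apply to see the report, then with -Apply and a reboot; a second run without -Apply should show OK on every line and no C$/D$ entries from `net share`. Note that disabling the automatic shares also breaks remote administration tools that rely on ADMIN$, which is usually the intended trade-off on a single home PC.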


#9 lucidstorm

  • Topic Starter
  • Members
  • 71 posts

Posted 22 January 2018 - 09:05 PM

OK, so maybe I finally understand what is going on despite the total lack of help.

Kaspersky identified a threat after the format; at first it didn't want to install, and Comodo immediately tagged all system files as untrusted:

 

trojan.win32.invader (!heur)

 

Probably I have the same issue on both the stationary PC and my laptop.

I was able to identify a registry entry in services, SENSS, that might be related.

The file was hidden inside $Recycle.Bin.

 

Since this starts with $, maybe if I disabled administrative shares I would be more secure from re-infection.

 

Any ideas? Am I just paranoid or is it fine?

 

Unfortunately stupid Windows Update rebooted Windows (goddamn), so the virus might still be stored inside the System Volume Information files.

 

sens.dll is not required in Win 10 and yet I have it on Win 10:

https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/syswow64sensdll/26268536-44ac-4433-8247-2d1af79a2c54?auth=1


Edited by lucidstorm, 22 January 2018 - 09:50 PM.




