teemo

CLOSED Suspected Persistent Malware, Rootkit, and/or Keylogger

Hi There!

In the interest of keeping this short and to the point, I believe I have some sort of persistent malware / rootkit / keylogger, which apparently, is able to survive a clean format and installation of Windows 10.

Right now, I have a relatively clean installation (as far as I can ascertain) of Windows 10 Home 64-bit, along with some minimal software:

  • Chromium based Edge Browser
  • Office 365 
  • OneDrive
  • Windows Defender

I've attached the Emsisoft Rescue Kit and Farbar Recovery Scan logs per the instructions.

---

Below are the not-so-short, possibly irrelevant details about what was happening prior to the current configuration...

I've been dealing with a stalker situation offline. Specifically, my upstairs neighbor. That along with some curious behavior from my laptop, led me to suspect malware. Additionally, I live in a city with an unusually robust community of hackers. There are over a dozen of hacking/coding/security boot camps within a 1 mile radius of where I live.  It is not out of the realm of possibility here, as it might be elsewhere.

I've also observed various fishy incidents:

  1. For instance, in one such incident, Windows Update, one day, notified me of a keyboard driver update, all of a sudden out of nowhere. When I went to verify these drivers with the manufacturer, there were no such drivers. (When I reinstalled Windows, as noted above, and updated all drivers, this same driver wasn't offered again.) When I initiated a support chat with Microsoft, the support technician directed me to a shady non-Microsoft site to get more information about this driver. It could just be Microsoft being cheap and hiring inexperienced support people, but it was extremely strange, and immediately set off alarm bells in my head. (I have screenshots of this incident if you would like to see.)
  2. A terminal window started popping up on every startup, apparently running some script, before quickly closing.
  3. My BIOS admin/user password along with the startup lock disappeared all by itself.
  4. Various suspicious Wi-Fi networks probing the area, and repeated disconnections, as might happen during a deauthorization attack. All this led me to use ethernet instead of Wi-Fi.
  5. Numerous other incidents, which in retrospect were extremely suspicious and should have set off alarm bells.

Before reinstalling Windows 10 from scratch*, for the final time, the following security software was installed on another clean installation of Windows 10:

  • Sophos AV
  • NoVirusThanks OS Armor
  • VoodooShield
  • Malwarebytes Windows Firewall Control

This resulted in a weird Windows "black screen of death" crash:

  • Logon was normal
  • Post logon I was greeted with a black screen showing only my mouse cursor, that's all (almost as if a remote desktop session had been initiated, but this is Windows 10 Home and I had disabled all remote access...)
  • CTRL+ALT+DEL did not work
  • SHIFT + Power Button also didn't work
  • Safe Mode Threw Errors when I tried to restore to an earlier restore point

I consider myself relatively computer savvy, so yes, you can assume I tried all the usual tricks to boot into Windows; nothing worked. I did this a couple of times, installing only Sophos, or only OS Armor and VoodooShield. They all ended with this black screen of death after an initial period of working. So I'm thinking, maybe those security programs set off some sort of self-defense mechanism?

So I started from scratch* and came here for help to see if perhaps I am missing something. I did notice in the Farbar logs something about a modified boot sector, but I'll leave the analysis to you...

* Well, I started from scratch as much as I could. Normally, in this situation, I would have removed the drive entirely, attached it to another computer running Linux or something, and done a full format, making sure I had overwritten everything. Unfortunately, on this laptop, the main drive is an NVMe SSD located in a very difficult area to reach. Instead, in this case, I tried to overwrite everything using the Windows installation software on a USB stick I had made for me at a Microsoft Store in town.

Addition.txt FRST.txt

scan_200419-184855.txt

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

GroupPolicy\User: Restriction ? <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
2020-04-15 13:26 - 2020-04-15 13:26 - 000000000 ____D C:\Users\alx\AppData\LocalLow\HitmanPro.Alert
2020-04-15 10:50 - 2020-04-15 10:50 - 000000000 ____D C:\Program Files\Malwarebytes
2020-04-14 18:15 - 2020-04-14 18:15 - 000000000 ____D C:\Program Files\NoVirusThanks
2020-04-14 10:10 - 2020-04-14 10:10 - 000000000 ____D C:\Users\alx\AppData\Local\Sophos
2020-04-14 09:47 - 2020-04-16 18:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VoodooShield
2020-04-14 09:46 - 2020-04-16 18:59 - 000000000 ____D C:\Program Files\VoodooShield
2020-04-14 09:46 - 2020-04-16 17:47 - 000000000 ____D C:\ProgramData\VoodooShield
2020-04-14 08:29 - 2020-04-16 01:29 - 000000000 ____D C:\ProgramData\HitmanPro.Alert
2020-04-14 08:29 - 2020-04-16 01:29 - 000000000 ____D C:\Program Files (x86)\HitmanPro.Alert
2020-04-14 08:29 - 2020-04-16 00:06 - 000000000 ____D C:\Windows\CryptoGuard
2020-04-14 08:27 - 2020-04-16 01:29 - 000000000 ____D C:\Program Files\Sophos
2020-04-14 08:27 - 2020-04-14 08:27 - 000000000 ____D C:\Program Files\Common Files\Sophos
2020-04-14 08:24 - 2020-04-14 08:29 - 000000000 ____D C:\ProgramData\Sophos
2020-04-14 08:24 - 2020-04-14 08:29 - 000000000 ____D C:\Program Files (x86)\Sophos
2020-04-13 11:44 - 2020-04-16 18:59 - 000000000 ____D C:\Program Files\Macrium
2020-04-13 11:42 - 2020-04-16 18:59 - 000000000 ____D C:\Users\alx\Downloads\Macrium
2020-04-07 20:26 - 2020-04-16 10:06 - 000000000 ____D C:\ProgramData\Macrium
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.

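As an added illustration (not part of the thread and not FRST's own code), the following Python parser classifies the lines of an FRST fixlist like the one in the reply above, so a reviewer can see at a glance what a fix touches: a Group Policy restriction, Internet Explorer start/search registry values, leftover security-product folders, and an orphaned shell extension. The sample lines are constructed in the same shape as the script, and the category names (group_policy, registry, directory, shell_extension) are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the same shape as the fixlist in the reply above (not the full script).
SAMPLE_FIXLIST = (
    "GroupPolicy\\User: Restriction ? <==== ATTENTION\n"
    "HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = \n"
    "2020-04-15 13:26 - 2020-04-15 13:26 - 000000000 ____D C:\\Users\\alx\\AppData\\LocalLow\\HitmanPro.Alert\n"
    "2020-04-14 09:46 - 2020-04-16 18:59 - 000000000 ____D C:\\Program Files\\VoodooShield\n"
    "ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File\n"
)

# FRST line shapes: "created - modified - size attrs path", "hive\key,value = data", "ContextMenuHandlersN: [name] -> {CLSID} => ..."
DATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
                      r"(\d{9}) ([_A-Z]{5}) (.+)$")
REG_RE = re.compile(r"^(HK(?:LM|CU|U)\\.+?),([^=]+?)\s*=\s*(.*)$")
SHELLEXT_RE = re.compile(r"^(ContextMenuHandlers\d*): \[(.+?)\] -> \{([0-9A-Fa-f-]+)\}(.*)$")

@dataclass
class Directive:
    kind: str           # group_policy, registry, directory, file, shell_extension, unknown
    target: str         # path, registry key, policy scope or extension name
    detail: dict = field(default_factory=dict)

def parse_line(line):
    line = line.rstrip()
    if not line:
        return None
    if m := DATED_RE.match(line):
        created, modified, size, attrs, path = m.groups()
        kind = "directory" if "D" in attrs else "file"   # "____D" marks a folder in FRST output
        return Directive(kind, path, {"created": created, "modified": modified, "size": int(size)})
    if m := REG_RE.match(line):
        key, name, data = m.groups()
        return Directive("registry", key, {"value": name.strip(), "data": data.strip()})
    if m := SHELLEXT_RE.match(line):
        _hive, name, clsid, rest = m.groups()
        return Directive("shell_extension", name, {"clsid": clsid.upper(), "orphaned": "No File" in rest})
    if line.startswith("GroupPolicy"):
        return Directive("group_policy", line.split(":", 1)[0], {"flagged": "ATTENTION" in line})
    return Directive("unknown", line, {})

def parse_fixlist(text):
    return [d for d in (parse_line(l) for l in text.splitlines()) if d is not None]

def summarize(directives):
    counts = {}   # kind -> number of lines, e.g. how many folders the fix will touch
    for d in directives:
        counts[d.kind] = counts.get(d.kind, 0) + 1
    return counts
```
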
Hi Kevin,

First of all, thanks for helping me!

I've run FRST with the custom txt file you gave me and attached the logs.

The computer seems to be running fine, however it seemed fine before as well.

Sophos was still in its 30-day trial when the computer 'crashed'. I wanted to give Emsisoft AV a go, but didn't want another black screen of death. So I've held off installing any other security software other than Windows Defender for now...

Fixlog.txt

Other than the one restriction, I saw no malware in the logs. The system does not appear to be infected.

Okay, thanks for your help.

What do you think caused those 'black screen with only mouse cursor working' crashes? Have you ever heard of that before?

...and when I install Emsisoft AV, is it okay to install apps like OS Armor and VoodooShield?

I would need a crash dump from when everything froze in order to figure out what caused the crash.

I know of no conflicts between our software and OS Armor or VoodooShield.
