teemo Posted April 20, 2020

Hi There!

In the interest of keeping this short and to the point, I believe I have some sort of persistent malware / rootkit / keylogger, which apparently is able to survive a clean format and installation of Windows 10.

Right now, I have a relatively clean installation (as far as I can ascertain) of Windows 10 Home 64-bit, along with some minimal software:

- Chromium-based Edge browser
- Office 365
- OneDrive
- Windows Defender

I've attached the Emsisoft Rescue Kit and Farbar Recovery Scan logs per the instructions.

---

Below are the not-so-short, possibly irrelevant details about what was happening prior to the current configuration...

I've been dealing with a stalker situation offline. Specifically, my upstairs neighbor. That, along with some curious behavior from my laptop, led me to suspect malware. Additionally, I live in a city with an unusually robust community of hackers. There are over a dozen hacking/coding/security boot camps within a 1 mile radius of where I live. It is not out of the realm of possibility here, as it might be elsewhere.

I've also observed various fishy incidents:

- For instance, in one such incident, Windows Update one day notified me of a keyboard driver update, all of a sudden out of nowhere. When I went to verify these drivers with the manufacturer, there were no such drivers. (When I reinstalled Windows, as noted above, and updated all drivers, this same driver wasn't offered again.) When I initiated a support chat with Microsoft, the support technician directed me to a shady non-Microsoft site to get more information about this driver. It could just be Microsoft being cheap and hiring inexperienced support people, but it was extremely strange, and immediately set off alarm bells in my head. (I have screenshots of this incident if you would like to see.)
- A terminal window started popping up on every startup, apparently running some script, before quickly closing.
- My BIOS admin/user password, along with the startup lock, disappeared all by itself.
- Various suspicious Wi-Fi networks probing the area, and repeated disconnections, as might happen during a deauthorization attack. All this led me to use Ethernet instead of Wi-Fi.
- Numerous other incidents, which in retrospect were extremely suspicious and should have set off alarm bells.

Before reinstalling Windows 10 from scratch*, for the final time, the following security software was installed on another clean installation of Windows 10:

- Sophos AV
- NoVirusThanks OS Armor
- VoodooShield
- Malwarebytes
- Windows Firewall Control

This resulted in a weird Windows "black screen of death" crash:

- Logon was normal.
- Post-logon I was greeted with a black screen showing only my mouse cursor, that's all (almost as if a remote desktop session had been initiated, but this is Windows 10 Home and I had disabled all remote access...).
- CTRL+ALT+DEL did not work.
- SHIFT + Power Button also didn't work.
- Safe Mode threw errors when I tried to restore to an earlier restore point.

I consider myself relatively computer savvy, so yes, you can assume I tried all the usual tricks to boot into Windows; nothing worked. I did this a couple of times, installing only Sophos, or only OS Armor and VoodooShield. They all ended with this black screen of death after an initial period of working. So I'm thinking, maybe those security programs set off some sort of self-defense mechanism?

So I started from scratch* and came here for help to see if perhaps I am missing something. I did notice in the Farbar logs something about a modified boot sector, but I'll leave the analysis to you...

* Well, I started from scratch as much as I could. Normally, in this situation, I would have removed the drive entirely and attached it to another computer running Linux or something, and done a full format, making sure I had overwritten everything. Unfortunately, on this laptop, the main drive is an NVMe SSD located in a very difficult area to reach. Instead, in this case, I tried to overwrite everything using the Windows installation software on a USB stick I had made for me at a Microsoft Store in town.

Addition.txt
FRST.txt
scan_200419-184855.txt
ShadowPuterDude Posted April 20, 2020

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

GroupPolicy\User: Restriction ? <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
2020-04-15 13:26 - 2020-04-15 13:26 - 000000000 ____D C:\Users\alx\AppData\LocalLow\HitmanPro.Alert
2020-04-15 10:50 - 2020-04-15 10:50 - 000000000 ____D C:\Program Files\Malwarebytes
2020-04-14 18:15 - 2020-04-14 18:15 - 000000000 ____D C:\Program Files\NoVirusThanks
2020-04-14 10:10 - 2020-04-14 10:10 - 000000000 ____D C:\Users\alx\AppData\Local\Sophos
2020-04-14 09:47 - 2020-04-16 18:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VoodooShield
2020-04-14 09:46 - 2020-04-16 18:59 - 000000000 ____D C:\Program Files\VoodooShield
2020-04-14 09:46 - 2020-04-16 17:47 - 000000000 ____D C:\ProgramData\VoodooShield
2020-04-14 08:29 - 2020-04-16 01:29 - 000000000 ____D C:\ProgramData\HitmanPro.Alert
2020-04-14 08:29 - 2020-04-16 01:29 - 000000000 ____D C:\Program Files (x86)\HitmanPro.Alert
2020-04-14 08:29 - 2020-04-16 00:06 - 000000000 ____D C:\Windows\CryptoGuard
2020-04-14 08:27 - 2020-04-16 01:29 - 000000000 ____D C:\Program Files\Sophos
2020-04-14 08:27 - 2020-04-14 08:27 - 000000000 ____D C:\Program Files\Common Files\Sophos
2020-04-14 08:24 - 2020-04-14 08:29 - 000000000 ____D C:\ProgramData\Sophos
2020-04-14 08:24 - 2020-04-14 08:29 - 000000000 ____D C:\Program Files (x86)\Sophos
2020-04-13 11:44 - 2020-04-16 18:59 - 000000000 ____D C:\Program Files\Macrium
2020-04-13 11:42 - 2020-04-16 18:59 - 000000000 ____D C:\Users\alx\Downloads\Macrium
2020-04-07 20:26 - 2020-04-16 10:06 - 000000000 ____D C:\ProgramData\Macrium
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.
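As an added example (my code, not from this thread or the FRST project), the script below parses fixlist lines of the shape posted above and summarizes what a fix would touch, so a recipient can review a fixlist before pressing Fix. The sample is a constructed subset copied from the post, and the classification is my reading of the visible line shapes (registry "key,value =" lines, dated file/folder entries, a "-> No File" handler), not FRST's documented semantics.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the fixlist above (paths and GUID copied from
# that post; this is a subset, not the full list).
SAMPLE_FIXLIST = r"""
GroupPolicy\User: Restriction ? <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
2020-04-15 10:50 - 2020-04-15 10:50 - 000000000 ____D C:\Program Files\Malwarebytes
2020-04-14 08:27 - 2020-04-16 01:29 - 000000000 ____D C:\Program Files\Sophos
2020-04-07 20:26 - 2020-04-16 10:06 - 000000000 ____D C:\ProgramData\Macrium
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
"""

# FRST file/folder line: "<created> - <modified> - <size> <attrs> <path>"
FS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
                     r" - (\d{9}) ([_A-Z]{5}) (.+)$")
TS = "%Y-%m-%d %H:%M"

def classify(line):
    """Return (kind, detail) for one fixlist line; detail is what the line targets."""
    if line.startswith("GroupPolicy"):           # policy restriction flagged in the log
        return "group_policy", line.split(":", 1)[0]
    if line.startswith("HK"):                    # registry "key,value =" with an empty value
        key, value = line.rsplit(",", 1)
        return "registry", (key, value.split("=", 1)[0].strip())
    if line.startswith("ContextMenuHandlers"):   # shell extension whose file is missing
        return "shell_extension", line.split("]")[0].split("[", 1)[1]
    m = FS_LINE.match(line)
    if m:                                        # file or folder entry copied from the log
        created, modified, size, attrs, path = m.groups()
        return "filesystem", {"path": path, "is_dir": "D" in attrs, "size": int(size),
                              "created": datetime.strptime(created, TS),
                              "modified": datetime.strptime(modified, TS)}
    return "unknown", line

def parse_fixlist(text):
    return [classify(ln.strip()) for ln in text.splitlines() if ln.strip()]

def summarize(entries):
    """Count entries per kind, to see what a fix touches before running it."""
    counts = {}
    for kind, _ in entries:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def created_between(entries, start, end):
    """Paths created within [start, end] (YYYY-MM-DD), e.g. the 13-15 April installs."""
    lo, hi = (datetime.strptime(d, "%Y-%m-%d") for d in (start, end))
    return [d["path"] for k, d in entries if k == "filesystem" and lo <= d["created"] <= hi]
```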
teemo Posted April 20, 2020

Hi Kevin,

First of all, thanks for helping me! I've run FRST with the custom txt file you gave me and attached the logs. The computer seems to be running fine; however, it seemed fine before as well. Sophos was still in its 30-day trial when the computer 'crashed'. I wanted to give Emsisoft AV a go, but didn't want another black screen of death. So I've held off installing any other security software other than Windows Defender for now...

Fixlog.txt
ShadowPuterDude Posted April 20, 2020

Other than the one restriction, I saw no malware in the logs. The system does not appear to be infected.
teemo Posted April 20, 2020

Okay, thanks for your help. What do you think caused those 'black screen with only mouse cursor working' crashes? Have you ever heard of that before? ...and when I install Emsisoft AV, is it okay to install apps like OS Armor and VooDoo Shield?
ShadowPuterDude Posted April 20, 2020

I would need a crash dump from when everything froze in order to figure out what caused the crash. I know of no conflicts between our software and OS Armor or VooDoo Shield.