Windows 10: Keep getting infected.. Rootkit, Bootkit, Keylogger ?

  1. Posts : 6
    Windows 10 Home x64
       31 Dec 2016 #1

    Keep getting infected.. Rootkit, Bootkit, Keylogger ?

    Hello! from a new guy.

    I must say what a great forum ya have here, knowledgeable & helpful people. Tutorials are awesome (even I can follow them & that's no small feat).

    Anyhow, I've been reading like mad trying to fix stuff myself.

    Following Kyhi's guide I made a Bootable USB Rescue Disk, with the ISO per NavyLCDR.
    Performed a couple wipes & clean installs, hoping it would cure things.
    Well didn't seem to fix it and now I think I may have infected the USB Rescue Disk.

    So, I'm admitting defeat & asking for your help / guidance.

    Anybody game?


  2.    31 Dec 2016 #2

    As long as you're formatting the drive during the clean install only firmware malware would persist and they are extremely rare and difficult to create. You may want to create the install media on someone else's computer, format the drive completely and install Windows. First thing you should install is an AV product such as Avast or AVG which have decent free anti-virus protection.

  3. Posts : 6
    Windows 10 Home x64
    Thread Starter
       31 Dec 2016 #3

    Ty for the reply.

    That's pretty much what I did & after reinstalling, everything seems OK. But give it a few days & things start happening again. E.g. this re-install is less than a week old & first thing today I was prompted to recover the BIOS? Then when surfing I got a full screen popup that said my system experienced an error & to call a number with a code. The system shut down & restarted so fast I didn't even get a good look at the popup.

    So I decided to wipe it & start over. Out of habit I run MBAM & ESET on the Recovery USB thumb drive before reconnecting the hard drive to perform the re-install.

    Normally it's all clean (except for the keyfinder program), however, today it found 6 Registry Data issues "Broken.OpenCommand, HKCR\exefile\shell\open\command". So I think the USB recovery drive may have been infected?

    Here's "some" history & sorry for the book...

    I've been locked out of 3 routers in 6 months. Reset doesn't work & Verizon is unable to reset it either. On each new one the only way I could access it was to copy/paste the password.

    Sometimes when turning on the PC it doesn't take the password first time. The screen flashes & I have to type password again. This happens randomly but never when waking from sleep. At first I thought I must have typo'd it. But I took notice as it happened more & more and make sure I'm entering it correctly.

    Something else it does (and I warn you it's going to sound crazy). I've noticed this with MBAM, AVG, AVAST & Defender. It says it's updating, but doesn't seem like it is. Hard to explain so bear with me while I try to.

    After I install a program the first couple updates seem normal, you see it check, then download, and install. After those times, updating will just flash that it's checking then show it's updated to current version. This occurs so fast if you blink you'll miss it.

    This odd behavior prompted me to check updates on Mfr site before I updated the program. The updates were quite large. To me it doesn't seem possible it can check, download huge files & install in under 1 second. Whereas before it took much much longer.


  4.    31 Dec 2016 #4

    Hi Greyslate and welcome to Tenforums.

    It's possible to have an infected router. I would check to make sure you have the latest firmware, and completely reset it. Then be sure to change the default access password, so no one can get into it and mess around.
    (Usually 192.168.x.x and "admin")

    For the flash drive, you can completely wipe it (in case of infection) using diskpart:
    At an Admin Command Prompt enter
    diskpart
    list disk
    Identify the flash drive - be VERY sure which one it is
    select disk <x>
    where <x> is the flash drive
    clean
    (removes every partition on the selected disk - this is the step that actually wipes it)
    create par primary
    format FS=FAT32 LABEL="name" QUICK
    "name" - call it whatever you want
    exit
    to exit diskpart
    exit
    to exit cmd prompt

    Make sure your BIOS is up-to-date.

    When installing the OS, use the custom install selection, and wipe all partitions, until you have nothing left but "unallocated" space on the drive.


    Once you have the OS installed, create a base image using Macrium Reflect Free on an external HDD.

    As you load your software, make more images, so you have something "clean" to fall back on, if you have problems. Create subsequent images as you load software, and be careful what software you load.

    For protection, I can recommend Avast Free, or ESET NOD32 (paid), MBAM Free (or paid), and ADWCleaner (Free, run on demand), to ferret out problems as they arise.

    The issue of a screen appearing telling you your system has problems and you should call a number for assistance - well, that's not an infection. If you disconnect the router, close the browser and clear out the cache, reopen the browser and remove that tab from opening, then reconnect the router, it should solve that problem.

    Hope that helps.

  5. Posts : 3,226
    10.5 Home 1803 x64
       31 Dec 2016 #5

    Since you have already reinstalled, let's focus on trying to keep your system running malware free.
    For starters disable scripting within Windows, it prevents the majority of malware from working.
    AV does not matter, since it is not working anyway. Run CMD as admin and copy/paste:
    reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    I would also recommend removing PowerShell, which is being heavily used by the new malware:
    takeown /f "%ProgramFiles%\WindowsPowerShell" /a /r /d y
    icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
    rd "%ProgramFiles%\WindowsPowerShell" /s /q
    takeown /f "%ProgramFiles(x86)%\WindowsPowerShell" /a /r /d y
    icacls "%ProgramFiles(x86)%\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
    rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q
    takeown /f "%WINDIR%\System32\WindowsPowerShell" /a /r /d y
    icacls "%WINDIR%\System32\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
    rd "%WINDIR%\System32\WindowsPowerShell" /s /q
    takeown /f "%WINDIR%\SysWOW64\WindowsPowerShell" /a /r /d y
    icacls "%WINDIR%\SysWOW64\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
    rd "%WINDIR%\SysWOW64\WindowsPowerShell" /s /q
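    To verify the state those commands leave behind, here is an added example (my own PowerShell, not code from this poster or from the thread): it reads the Windows Script Host "Enabled" value that the reg add line above writes, and the .exe launch command under HKCR\exefile\shell\open\command that MBAM flagged as "Broken.OpenCommand" in post #3. It is read-only and changes nothing. Since it is a PowerShell script, run it before removing the WindowsPowerShell folders if you follow that step. The expected default of "%1" %* is what a stock Windows 10 install carries; the per-user override path is the standard HKCU\Software\Classes location, which is normally absent.

```powershell
# Added example (not from this thread): read-only audit of two registry
# settings discussed above. Run from an elevated PowerShell prompt.

function Get-WshStatus {
    # Windows Script Host. A missing "Enabled" value means WSH is enabled,
    # which is the Windows default; post #5's reg add sets it to 0.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    $item = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Check = 'WSH Enabled (HKLM)'; Value = '(not set)'; Status = 'ENABLED (default)' }
    }
    if ($item.Enabled -eq 0) {
        return [pscustomobject]@{ Check = 'WSH Enabled (HKLM)'; Value = 0; Status = 'DISABLED' }
    }
    return [pscustomobject]@{ Check = 'WSH Enabled (HKLM)'; Value = $item.Enabled; Status = 'ENABLED' }
}

function Get-ExeOpenCommandStatus {
    param(
        [string]$Path,
        [string]$Label,
        [switch]$AbsentIsNormal   # set for the HKCU override, which is normally absent
    )
    # Stock Windows 10 value for launching an .exe. Anything else means some
    # other program is inserted in front of every executable you start.
    $expected = '"%1" %*'
    $cmd = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'
    if ($null -eq $cmd) {
        $status = if ($AbsentIsNormal) { 'OK (no override)' } else { 'MISSING - investigate' }
    } elseif ($cmd -eq $expected) {
        $status = 'OK'
    } else {
        $status = 'MODIFIED - investigate'
    }
    return [pscustomobject]@{ Check = $Label; Value = $cmd; Status = $status }
}

$report = @(
    Get-WshStatus
    # HKCR is the merged view Windows actually uses for the current user.
    Get-ExeOpenCommandStatus -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' `
                             -Label 'exefile open command (HKCR)'
    # Per-user override. If present it takes precedence over the machine-wide value.
    Get-ExeOpenCommandStatus -Path 'HKCU:\Software\Classes\exefile\shell\open\command' `
                             -Label 'exefile open command (HKCU override)' -AbsentIsNormal
)

$report | Format-Table -AutoSize
```

    A clean system shows WSH DISABLED (after the reg add) or ENABLED (default), the HKCR command OK, and the HKCU override absent. A MODIFIED or MISSING row is worth copying into a reply here before any further cleanup so others can see exactly what the value was.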

  6. Posts : 6
    Windows 10 Home x64
    Thread Starter
       31 Dec 2016 #6

    I just came back to the PC & the lock screen has a popup that says the Recycle bin is corrupted & asked if I wanted to empty it? I just closed it out.

    Yes each time when the new routers arrived, I've changed the default login & password. But at some point it gets modified and my router user & password no longer work (and Verizon can't remote in). Doing a hard reset doesn't clear it back to the default login/pword. Verizon says it's just bad routers. I'm not sure about that.

    Actually I haven't done the reinstall yet.

    I planned to, but MBAM found those Registry Data issues on my Recovery USB thumb drive. So I wasn't sure if it is infected too, or safe to use for the reinstall?

    I put the codes in, that's like serious stuff.

    At this point I'm not sure if anything I have is clean. Would it be OK to wipe the USB drive on this PC & download Kyhi's recovery PE, then use that to wipe the HDD & reinstall?

    BTW................ HAPPY NEW YEAR !!!!!!!

  7.    01 Jan 2017 #7

    Since you use MBAM I would recommend not using version 3. I had no end of issues with permissions and modules not turning themselves on properly. So until they sort that out, consider going back to the last 2.2.1 code.

  •    02 Jan 2017 #8

    I had some infected flash drives from a friend, which needed the personal data on them saved and then completely wiped. They each had a hidden partition on them, which is where I found all his personal data. Once the data was safe, I used diskpart (as above) to clean them. These infected flash drives infected the computer I was using to clean them (obviously). So, once I had the flash drives cleaned, I restored a Macrium image to the system, to get rid of the infection on it.

  •    03 Jan 2017 #9

    This is how to erase all partitions on a USB flash drive:

    Insert a USB flash drive into a running computer.

    Open a Command Prompt window as an administrator [Command Prompt (Admin)].

    Type diskpart.

    In the new command line window that opens, to determine the USB flash drive number or drive letter, at the command prompt, type list disk, and then press ENTER. The list disk command displays all the disks on the computer. Note the drive number or drive letter of the USB flash drive.

    At the command prompt, type select disk <X>, where X is the drive number or drive letter of the USB flash drive, and then press ENTER.

    Type clean, and then press ENTER. This command deletes all data from the USB flash drive.

    Type Exit and ENTER twice to get out of diskpart and then out of the command prompt window.

