Windows 10: Keep getting infected.. Rootkit, Bootkit, Keylogger ?
Hello! from a new guy.
I must say what a great forum ya have here, knowledgeable & helpful people. Tutorials are awesome (even I can follow them & that's no small feat).
Anyhow, I've been reading like mad trying to fix stuff myself.
Following Kyhi's guide I made a Bootable USB Rescue Disk, with the ISO per NavyLCDR.
Performed a couple wipes & clean installs, hoping it would cure things.
Well, it didn't seem to fix it and now I think I may have infected the USB Rescue Disk.
So, I'm admitting defeat & asking for your help / guidance.
As long as you're formatting the drive during the clean install, only firmware malware would persist, and that is extremely rare and difficult to create. You may want to create the install media on someone else's computer, format the drive completely and install Windows. The first thing you should install is an AV product such as Avast or AVG, which have decent free anti-virus protection.
Ty for the reply.
That's pretty much what I did & after reinstalling, everything seems OK. But give it a few days & things start happening again. E.g. this re-install is less than a week old & first thing today I was prompted to recover the BIOS? Then when surfing I got a full screen popup that said my system experienced an error & to call a number with a code. The system shut down & restarted so fast I didn't even get a good look at the popup.
So I decided to wipe it & start over. Out of habit I run MBAM & ESET on the Recovery USB thumb drive before reconnecting the hard drive to perform the re-install.
Normally it's all clean (except for the keyfinder program), however, today it found 6 Registry Data issues: "Broken.OpenCommand, HKCR\exefile\shell\open\command". So I think the USB recovery drive may have been infected?
Here's "some" history & sorry for the book...
I've been locked out of 3 routers in 6 months. Reset doesn't work & Verizon is unable to reset it either. On each new one the only way I could access it was to copy/paste the password.
Sometimes when turning on the PC it doesn't take the password the first time. The screen flashes & I have to type the password again. This happens randomly but never when waking from sleep. At first I thought I must have typo'd it. But I took notice as it happened more & more and made sure I'm entering it correctly.
Something else it does (and I warn you it's going to sound crazy). I've noticed this with MBAM, AVG, AVAST & Defender. It says it's updating, but doesn't seem like it is. Hard to explain so bear with me while I try to.
After I install a program the first couple updates seem normal, you see it check, then download, and install. After those times, updating will just flash that it's checking then show it's updated to current version. This occurs so fast if you blink you'll miss it.
This odd behavior prompted me to check updates on the Mfr site before I updated the program. The updates were quite large. To me it doesn't seem possible it can check, download huge files & install in under 1 second, whereas before it took much, much longer.
Hi Greyslate and welcome to Tenforums.
It's possible to have an infected router. I would check to make sure you have the latest firmware, and completely reset it. Then be sure to change the default access password, so no one can get into it and mess around.
(Usually 192.168.x.x and "admin")
For the flash drive, you can completely wipe it (in case of infection) using diskpart:
At an Admin Command Prompt enter
diskpart
list disk
Identify the flash drive - be VERY sure which one it is
select disk <x>
where <x> is the flash drive
format FS=FAT32 LABEL="name" QUICK
"name" - call it whatever you want
exit
to exit diskpart
exit
to exit cmd prompt
Make sure your BIOS is up-to-date.
When installing the OS, use the custom install selection, and wipe all partitions, until you have nothing left but "unallocated" space on the drive.
Once you have the OS installed, create a base image using Macrium Reflect Free on an external HDD.
As you load your software, make more images, so you have something "clean" to fall back on, if you have problems. Create subsequent images as you load software, and be careful what software you load.
For protection, I can recommend Avast Free, or ESET NOD32 (paid), MBAM Free (or paid), and ADWCleaner (Free, run on demand), to ferret out problems as they arise.
The issue of a screen appearing telling you your system has problems and you should call a number for assistance - well, that's not an infection. If you disconnect the router, close the browser and clear out the cache, reopen the browser and remove that tab from opening, then reconnect the router, it should solve that problem.
Hope that helps.
Be nice to all, please?!
Since you have already reinstalled, let's focus on trying to keep your system running malware free.
For starters, disable scripting within Windows; it prevents the majority of malware from working.
AV does not matter, since it is not working anyway. Run CMD as admin and copy/paste:
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
I would also recommend removing PowerShell, which is being heavily used by the new malware:
takeown /f "%ProgramFiles%\WindowsPowerShell" /a /r /d y
icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles%\WindowsPowerShell" /s /q
takeown /f "%ProgramFiles(x86)%\WindowsPowerShell" /a /r /d y
icacls "%ProgramFiles(x86)%\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q
takeown /f "%WINDIR%\System32\WindowsPowerShell" /a /r /d y
icacls "%WINDIR%\System32\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%WINDIR%\System32\WindowsPowerShell" /s /q
takeown /f "%WINDIR%\SysWOW64\WindowsPowerShell" /a /r /d y
icacls "%WINDIR%\SysWOW64\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
rd "%WINDIR%\SysWOW64\WindowsPowerShell" /s /q
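The two registry locations this thread turns on, the exefile open command that MBAM flagged as "Broken.OpenCommand" and the Windows Script Host "Enabled" value set by the reg add above, can be checked after a reinstall from the text that `reg query` prints. The script below is an added example, not the poster's code: it parses constructed `reg query` output (no real capture from anyone's machine) and reports whether the exefile handler still has the stock `"%1" %*` value and whether WSH is disabled.

```python
import re

# Constructed samples in the format `reg query <key>` prints on Windows 10.
# On a live system you would obtain them with, for example:
#   reg query "HKCR\exefile\shell\open\command" /ve
#   reg query "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled
CLEAN_EXEFILE = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_EXPAND_SZ    "%1" %*
'''
# Constructed example of a modified handler: an extra program is launched
# before the real .exe (the placeholder path is made up for illustration).
MODIFIED_EXEFILE = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_EXPAND_SZ    "C:\PLACEHOLDER\unknown.exe" "%1" %*
'''
WSH_DISABLED = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
    Enabled    REG_DWORD    0x0
'''

# Each value row is: <2+ spaces><name><2+ spaces><REG_TYPE><2+ spaces><data>
ROW = re.compile(r'^\s{2,}(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$')

def parse_reg_query(text):
    """Return {value_name: (reg_type, data)} parsed from reg query output."""
    values = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values

STOCK_EXEFILE_COMMAND = '"%1" %*'

def exefile_handler_modified(text):
    """True when the exefile open command is anything but the stock value."""
    _, data = parse_reg_query(text).get('(Default)', (None, ''))
    return data != STOCK_EXEFILE_COMMAND

def wsh_disabled(text):
    """True when the Windows Script Host Enabled value is present and 0."""
    _, data = parse_reg_query(text).get('Enabled', (None, None))
    return data is not None and int(data, 0) == 0

if __name__ == '__main__':
    print('exefile handler modified:', exefile_handler_modified(CLEAN_EXEFILE))
    print('exefile handler modified:', exefile_handler_modified(MODIFIED_EXEFILE))
    print('WSH disabled:', wsh_disabled(WSH_DISABLED))
```

A clean Windows 10 install shows the stock handler and no WSH "Enabled" value at all (scripting on by default), so the second check only reports true after the reg add has been applied.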
I just came back to the PC & the lock screen has a popup that says the Recycle bin is corrupted & asked if I wanted to empty it? I just closed it out.
Yes, each time when the new routers arrived, I've changed the default login & password. But at some point it gets modified and my router user & password no longer work (and Verizon can't remote in). Doing a hard reset doesn't clear it back to the default login/pword. Verizon says it's just bad routers. I'm not sure about that.
Actually I haven't done the reinstall yet.
I planned to, but MBAM found those Registry Data issues on my Recovery USB thumb drive. So I wasn't sure if it is infected too, or safe to use for the reinstall?
I put the codes in, that's like serious stuff.
At this point I'm not sure if anything I have is clean. Would it be OK to wipe the USB drive on this PC & download Kyhi's recovery PE, then use that to wipe the HDD & reinstall?
BTW... HAPPY NEW YEAR!!!
Since you use MBAM I would recommend not using version 3. I had no end of issues with permissions and modules not turning themselves on properly. So until they sort that out, consider going back to the last 2.2.1 code.
I had some infected flash drives from a friend, which needed the personal data on them saved and then completely wiped. They each had a hidden partition on them, which is where I found all his personal data. Once the data was safe, I used diskpart (as above) to clean them. These infected flash drives infected the computer I was using to clean them (obviously). So, once I had the flash drives cleaned, I restored a Macrium image to the system, to get rid of the infection on it.
This is how to erase all partitions on a USB flash drive:
Insert a USB flash drive into a running computer.
Open a Command Prompt window as an administrator [Command Prompt (Admin)].
In the new command line window that opens, to determine the USB flash drive number or drive letter, at the command prompt, type list disk, and then click ENTER. The list disk command displays all the disks on the computer. Note the drive number or drive letter of the USB flash drive.
At the command prompt, type select disk <X>, where X is the drive number or drive letter of the USB flash drive, and then click ENTER.
Type clean, and then click ENTER. This command deletes all data from the USB flash drive.
Type Exit and ENTER twice to get out of diskpart and then out of the command prompt window.