Keep getting infected.. Rootkit, Bootkit, Keylogger ?


  1. Posts : 6
    Windows 10 Home x64
       #1


    Hello! from a new guy.

    I must say what a great forum ya have here, knowledgeable & helpful people. Tutorials are awesome (even I can follow them & that's no small feat).

    Anyhow, I've been reading like mad trying to fix stuff myself.

    Following Kyhi's guide I made a Bootable USB Rescue Disk, with the ISO per NavyLCDR.
    Performed a couple wipes & clean installs, hoping it would cure things.
    Well, it didn't seem to fix it, and now I think I may have infected the USB Rescue Disk.

    So, I'm admitting defeat & asking for your help / guidance.

    Anybody game?

    Tnx,


  2. Posts : 226
    Many
       #2

    As long as you're formatting the drive during the clean install, only firmware malware would persist, and that is extremely rare and difficult to create. You may want to create the install media on someone else's computer, format the drive completely and install Windows. The first thing you should install is an AV product such as Avast or AVG, which have decent free anti-virus protection.


  3. Posts : 6
    Windows 10 Home x64
    Thread Starter
       #3

    Ty for the reply.

    That's pretty much what I did & after reinstalling, everything seems OK. But give it a few days & things start happening again. E.g. this re-install is less than a week old & first thing today I was prompted to recover the BIOS? Then when surfing I got a full-screen popup that said my system experienced an error & to call a number with a code. The system shut down & restarted so fast I didn't even get a good look at the popup.

    So I decided to wipe it & start over. Out of habit I run MBAM & ESET on the Recovery USB thumb drive before reconnecting the hard drive to perform the re-install.

    Normally it's all clean (except for the keyfinder program), however, today it found 6 Registry Data issues: "Broken.OpenCommand, HKCR\exefile\shell\open\command". So I think the USB recovery drive may have been infected?

    Here's "some" history & sorry for the book...


    I've been locked out of 3 routers in 6 months. Reset doesn't work & Verizon is unable to reset it either. On each new one the only way I could access it was to copy/paste the password.

    Sometimes when turning on the PC it doesn't take the password first time. The screen flashes & I have to type password again. This happens randomly but never when waking from sleep. At first I thought I must have typo'd it. But I took notice as it happened more & more and make sure I'm entering it correctly.

    Something else it does (and I warn you it's going to sound crazy). I've noticed this with MBAM, AVG, AVAST & Defender. It says it's updating, but doesn't seem like it is. Hard to explain so bear with me while I try to.

    After I install a program the first couple updates seem normal, you see it check, then download, and install. After those times, updating will just flash that it's checking then show it's updated to current version. This occurs so fast if you blink you'll miss it.

    This odd behavior prompted me to check updates on the Mfr site before I updated the program. The updates were quite large. To me it doesn't seem possible it can check, download huge files & install in under 1 second, whereas before it took much, much longer.

    Thoughts?


  4. Posts : 16,325
    W10Prox64
       #4

    Hi Greyslate and welcome to Tenforums.

    It's possible to have an infected router. I would check to make sure you have the latest firmware, and completely reset it. Then be sure to change the default access password, so no one can get into it and mess around.
    (Usually 192.168.x.x and "admin")

    For the flash drive, you can completely wipe it (in case of infection) using diskpart:
    At an Admin Command Prompt enter
    Code:
    diskpart
    enter
    Code:
    list disk
    enter
    Identify the flash drive - be VERY sure which one it is
    type
    Code:
    select disk <x>
    where <x> is the flash drive
    enter
    type
    Code:
    clean
    type
    Code:
    create par primary
    type
    Code:
    active
    type
    Code:
    format FS=FAT32 LABEL="name" QUICK
    "name" - call it whatever you want
    type
    Code:
    exit
    to exit diskpart
    type
    Code:
    exit
    to exit cmd prompt

    Make sure your BIOS is up-to-date.

    When installing the OS, use the custom install selection, and wipe all partitions, until you have nothing left but "unallocated" space on the drive.

    https://www.tenforums.com/tutorials/...n-install.html


    Once you have the OS installed, create a base image using Macrium Reflect Free on an external HDD.
    https://www.tenforums.com/tutorials/...p-restore.html

    As you load your software, make more images, so you have something "clean" to fall back on, if you have problems. Create subsequent images as you load software, and be careful what software you load.


    For protection, I can recommend Avast Free, or ESET NOD32 (paid), MBAM Free (or paid), and AdwCleaner (free, run on demand), to ferret out problems as they arise.

    The issue of a screen appearing telling you your system has problems and you should call a number for assistance - well, that's not an infection. If you disconnect the router, close the browser and clear out the cache, reopen the browser and remove that tab from opening, then reconnect the router, it should solve that problem.

    Hope that helps.


  5. Posts : 5,442
    Windows 11 Home
       #5

    Since you have already reinstalled, let's focus on trying to keep your system running malware-free.
    For starters, disable scripting within Windows; it prevents the majority of malware from working.
    AV does not matter, since it is not working anyway. Run CMD as admin and copy/paste:
    Code:
    reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    I would also recommend removing PowerShell, which is being heavily used by the new malware:
    Code:
    takeown /f "%ProgramFiles%\WindowsPowerShell" /a /r /d y
    icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
    rd "%ProgramFiles%\WindowsPowerShell" /s /q
    takeown /f "%ProgramFiles(x86)%\WindowsPowerShell" /a /r /d y
    icacls "%ProgramFiles(x86)%\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
    rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q
    takeown /f "%WINDIR%\System32\WindowsPowerShell" /a /r /d y
    icacls "%WINDIR%\System32\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
    rd "%WINDIR%\System32\WindowsPowerShell" /s /q
    takeown /f "%WINDIR%\SysWOW64\WindowsPowerShell" /a /r /d y
    icacls "%WINDIR%\SysWOW64\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /c
    rd "%WINDIR%\SysWOW64\WindowsPowerShell" /s /q

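The two registry items this thread touches can be checked rather than assumed: the Windows Script Host setting that post #5 changes, and the `HKCR\exefile\shell\open\command` value that MBAM flagged as "Broken.OpenCommand" in post #3. This is an added audit script, not code from any post in the thread; it assumes an elevated PowerShell 5.1 session on Windows 10, so it presumes PowerShell is still installed.

```powershell
# Added example (not from the thread): report whether Windows Script Host is
# disabled and whether the .exe launch command still has its stock value.
# Assumes Windows 10, PowerShell 5.1, run as Administrator.

function Test-ScriptHostDisabled {
    # Post #5 writes Enabled=0 under HKLM; the same key under HKCU can also
    # carry the setting, so both are reported. A missing value means WSH is
    # enabled (the Windows default).
    $paths = 'HKLM:\Software\Microsoft\Windows Script Host\Settings',
             'HKCU:\Software\Microsoft\Windows Script Host\Settings'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{ Key = $p; Enabled = $v; Disabled = ($v -eq 0) }
    }
}

function Test-ExeFileCommand {
    # On a clean Windows 10 install the (Default) value of
    # HKCR\exefile\shell\open\command is exactly  "%1" %*  .
    # Anything else means every .exe launch is routed through some other
    # program first, which is the condition MBAM labels "Broken.OpenCommand".
    $expected = '"%1" %*'
    $key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $actual = (Get-ItemProperty -Path $key -ErrorAction Stop).'(default)'
    [pscustomobject]@{
        Key      = $key
        Expected = $expected
        Actual   = $actual
        Clean    = ($actual -ceq $expected)   # case-sensitive, exact match
    }
}

Test-ScriptHostDisabled | Format-Table -AutoSize
Test-ExeFileCommand     | Format-List
```

If `Clean` is False, the `Actual` column shows which program has inserted itself in front of every executable launch; that is what to look at before deciding whether the drive or the install can be trusted.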

  6. Posts : 6
    Windows 10 Home x64
    Thread Starter
       #6

    I just came back to the PC & the lock screen has a popup that says the Recycle bin is corrupted & asked if I wanted to empty it? I just closed it out.

    Yes, each time when the new routers arrived, I've changed the default login & password. But at some point it gets modified and my router user & password no longer work (and Verizon can't remote in). Doing a hard reset doesn't clear it back to the default login/pword. Verizon says it's just bad routers. I'm not sure about that.

    Actually I haven't done the reinstall yet.

    I planned to, but MBAM found those Registry Data issues on my Recovery USB thumb drive. So I wasn't sure if it is infected too, or safe to use for the reinstall?

    I put the codes in, that's like serious stuff.

    At this point I'm not sure if anything I have is clean. Would it be OK to wipe the USB drive on this PC & download Kyhi's recovery PE, then use that to wipe the HDD & reinstall?

    BTW................ HAPPY NEW YEAR !!!!!!!


  7. Posts : 7,254
    Windows 10 Pro 64-bit
       #7

    Since you use MBAM I would recommend not using version 3. I had no end of issues with permissions and modules not turning themselves on properly. So until they sort that out, consider going back to the last 2.2.1 code.


  8. Posts : 16,325
    W10Prox64
       #8

    I had some infected flash drives from a friend, which needed the personal data on them saved and then completely wiped. They each had a hidden partition on them, which is where I found all his personal data. Once the data was safe, I used diskpart (as above) to clean them. These infected flash drives infected the computer I was using to clean them (obviously). So, once I had the flash drives cleaned, I restored a Macrium image to the system, to get rid of the infection on it.


  9. Posts : 18,424
    Windows 11 Pro
       #9

    This is how to erase all partitions on a USB flash drive:

    Insert a USB flash drive into a running computer.

    Open a Command Prompt window as an administrator [Command Prompt (Admin)].

    Type diskpart.

    In the new command line window that opens, to determine the USB flash drive number or drive letter, at the command prompt, type list disk, and then click ENTER. The list disk command displays all the disks on the computer. Note the drive number or drive letter of the USB flash drive.

    At the command prompt, type select disk <X>, where X is the drive number or drive letter of the USB flash drive, and then click ENTER.

    Type clean, and then click ENTER. This command deletes all data from the USB flash drive.

    Type Exit and ENTER twice to get out of diskpart and then out of the command prompt window.

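The manual diskpart sequence in posts #4 and #9, as an added PowerShell script that is not from any post in the thread. It assumes an elevated PowerShell 5.1 session on Windows 10 and that the disk number was read from `list disk`; it refuses to run against anything that is not on the USB bus or that holds the running OS, and it goes beyond the posts by using `clean all`, which zero-fills every sector instead of only dropping the partition table.

```powershell
# Added example (not from the thread): wipe and re-format a suspect USB flash
# drive with a diskpart script. Assumes Windows 10, PowerShell 5.1, Administrator.
# Usage:  .\Reset-UsbDrive.ps1 -DiskNumber 2 -Label RESCUE   (file name assumed)
param(
    [Parameter(Mandatory)][int]$DiskNumber,
    [string]$Label = 'RESCUE'
)

$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

# Guardrail for the "be VERY sure which one it is" step: only a USB-attached
# disk that is neither the boot nor the system disk may be wiped.
if ($disk.BusType -ne 'USB' -or $disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber ($($disk.FriendlyName)) is not a USB disk or holds the OS. Aborting."
}

$sizeGB = [math]::Round($disk.Size / 1GB, 1)
Write-Host "About to wipe disk $DiskNumber : $($disk.FriendlyName), $sizeGB GB"
if ((Read-Host 'Type YES to continue') -ne 'YES') { return }

# Same steps as the posts; "clean all" overwrites every sector with zeros,
# so hidden partitions and leftover boot code are gone, not merely unlisted.
$dpScript = @"
select disk $DiskNumber
clean all
create partition primary
active
format fs=fat32 label="$Label" quick
assign
exit
"@

$tmp = Join-Path $env:TEMP 'reset-usb.dp.txt'
Set-Content -Path $tmp -Value $dpScript -Encoding ASCII
try {
    diskpart /s $tmp          # runs the script non-interactively
} finally {
    Remove-Item $tmp -ErrorAction SilentlyContinue
}
```

`clean all` takes minutes rather than seconds on a large drive; use `clean` instead if only the partition table needs to go.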
