Messages - monisteren

1
Malware removal help / Re: Persistent malware, survives disk/ssd wipes
« on: June 14, 2017, 03:26:03 PM »
Yes but we can't see any other abnormalities, right?
Yes I have installed Windows 10 SDK and WDK to debug with Windbg.
What to do from here?

2
Malware removal help / Re: Persistent malware, survives disk/ssd wipes
« on: June 14, 2017, 01:59:12 PM »
I'm 100% certain that if we have two PCs, my PC and another one which is 100% clean, and install and use the exact same Windows DVD, my PC will be limited in updates and the clean one will get a lot of updates.

Regarding Gmer and RogueKiller, I believe that Windows is rooted so much that we can't believe any security tool.

If we search for stuff with things like Autoruns, Process Explorer, Process Hacker etc. we will see changes to Windows services.

I have attached the log from tdsskiller.


3
Malware removal help / Re: Persistent malware, survives disk/ssd wipes
« on: June 13, 2017, 10:02:42 PM »
Quote
What do you mean by "affected" ? Could you please provide the error code displayed when you try to update your system ?
I don't get any exact error codes. But when I search for updates it doesn't show all of them. I can recall this from formatting a lot before, with this CD and exact build, and I'm supposed to get a lot more updates. Is there any way we can look more into this?

Quote
This may be caused by a misbehaving driver. Which operating system are you currently running ?
I'm running Windows 8.1 at the moment. Could we assume that the malware is running as a driver then?

Quote
BadUSB is quite hard to detect but is not spreading in the wild. Did you try another keyboard device ?
I haven't tried with a clean combo of new mouse and new keyboard yet. But I have tried with a different keyboard but the same mouse and it seemed like both devices got messed with in the end.

I have attached logs from Gmer and RogueKiller.


4
Malware removal help / Persistent malware, survives disk/ssd wipes
« on: June 13, 2017, 01:08:14 PM »
Hey guys!

I have for a while been struggling with some persistent malware. I have been getting weird entries in the Rootkit/Malware tab in Gmer.

My Windows Update is affected: I'm limited in updates and am not able to fully update.
A lot of processes are hidden and it seems like the PC is giving false results regarding system usage, especially disk and memory usage.

I'm getting a lot of hard page faults and DPC spikes, especially if my mouse and keyboard have input (movement) simultaneously.

I have been using DBAN to wipe all disks, formatted them and reinstalled, but I keep getting infected. I have also used a live Linux CD to boot and used the dd command in the terminal to remove all MBR data.
My installation media is 100% legit. I have been testing on Windows 8.1 and Windows 10. All of the above-mentioned returns.

I have used every security tool out there without any luck!

If you look further into the system with tools like Autoruns, Process Hacker, Process Explorer, Process Monitor, you can see that something is wrong.

It seems like legitimate Windows services have been injected, and I have used x64dbg to debug some executables. I tried to attach to Explorer.exe and it seems to be hacked. But I don't know what to do from here.

At the moment I'm trying to study Windows internals and USB protocol so I can dig deeper.

I have been thinking that either my keyboard or mouse is hiding a bootkit/rootkit with a BadUSB exploit.

If anyone wants to help me debug I can provide all information and I don't care if I lose any data or have to reformat, since I'm becoming quite desperate!

Any feedback would be awesome!
