Solved What kind of Malware do I have?

Bunaby Jones · Apr 10, 2023

Long story short I suddenly started having issues about 5 days ago when my keyboard was pressing buttons. I opened up notepad to see if my keys were sticking.

To my horror my usernames and passwords to many things started typing themselves out. Such as steam, google, Microsoft etc.

I naturally panicked and shut down my pc. I had the files I needed backed up already so I wiped my PC and downloaded Windows 11 from MS and reinstalled.

I immediately got Kaspersky which my family has used for a while and Changed all my passwords. Ram scans and found nothing on any drive.

Unfortunately it happened again with my passwords typing themselves out. There was no communication and it seemed automatic as if a bot was doing it. Then it started pasting out time stamps as if it was copied and pasted.

Now it was also reposting direct 1 to 1 text of things I googled and messages I sent in discord.

But anything typed on a different device such as my phone was not shown or anything.

I removed all drives and left only my m.2 and reinstalled once more. It did it again. This time I disconnect the internet, router and lan cables and disabled my Wi-Fi on the motherboard. It still typed stuff out without internet. So I think it’s an automatic bot.

I’ve done some research and I think this is a UEFI Bootkit/Rootkit.

I am unable to
Fix this so I took it to Geek Squad at BestBuy and am currently waiting to hear from them. But does it sound like a deep embedded bootkit or BIOS virus to you all?

I don’t have my desktop so I can’t be sure but the Windows Version is 22H2

Try3 · Apr 10, 2023

I was surprised that you did not mention
Run Microsoft Defender Offline Scan - ElevenForumTutorials
since that is specifically designed to detect rootkits and which you can still use depsite your Russian software.

The last time I checked, Kaspersky's equivalent was
Anti-rootkit utility TDSSKiller

All the best,
Denis

Bunaby Jones · Apr 10, 2023

Try3 said:
I was surprised that you did not mention
Run Microsoft Defender Offline Scan - ElevenForumTutorials
since that is specifically designed to detect rootkits and which you can still use depsite your Russian software.

The last time I checked, Kaspersky's equivalent was
Anti-rootkit utility TDSSKiller

All the best,
Denis

I don’t have my PC it is currently at GeekSquad. I was more-so asking if the community thinks it’s a bootkit/rootkit.

But the information you have given me is very useful, so for that I thank you.

flashh4 · Apr 10, 2023

Doesn't have the characteristics of any virus or Rootkit i have ever worked on ! I would do an exorcism, sorry but couldn't help that !!
Lets see what the bad incompetent (charges to much) Geek squad has to say !
Also as @Try3 said run the TTDSKiller !

kelper · Apr 10, 2023

Bunaby Jones said:
I immediately got Kaspersky which my family has used for a while

So what AV / Antimalware were you using before you got infected?

Birk · Apr 10, 2023

I tried the MS rootkit scan by following Brink's instructions - nothing happened. When I tried the command prompt I got this response:

Something is wrong - but what is it and how can I fix it?

Try3 · Apr 10, 2023

Bunaby Jones said:
I was more-so asking if the community thinks it’s a bootkit/rootkit.

Assuming that you Clean installed in accordance with the tutorial & with all other disks removed
Clean Install Windows 11 - ElevenForumTutorials
then your initial post says, "Yes, it's a rootkit."

Bunaby Jones said:
I removed all drives and left only my m.2 and reinstalled once more. It did it again.

All the best,
Denis

Try3 · Apr 10, 2023

Birk said:
Something is wrong - but what is it and how can I fix it?

Birt,

I urge you to start a thread of your own or ask your question in that tutorial thread.
This is Bunaby Jones' thread.

All the best,
Denis

TechnoMage2021 · Apr 10, 2023

Kaspersky? I just have a hard time trusting anything owned and operated by the Russians.
The Russian maffia controls so much of what goes on in that country!

Bunaby Jones · Apr 10, 2023

kelper said:
So what AV / Antimalware were you using before you got infected?

Just Windows Defender.

kelper · Apr 10, 2023

Could you have visited any dodgy websites?

Bunaby Jones · Apr 10, 2023

kelper said:
Could you have visited any dodgy websites?

Well I was on a site streaming a series and I made the mistake of trying to download an episode. I cancelled within 30 seconds because it was gonna take forever.

These things started very shortly after this.

kelper · Apr 10, 2023

You need a better antimalware if you are visiting naughty websites!

Bunaby Jones · Apr 10, 2023

kelper said:
You need a better antimalware if you are visiting naughty websites!

It wasn’t porn. It was MoviesJoy and I was watching a series. Windows defender didn’t detect anything so I don’t think anything else would have. Unfortunately I didn’t know how volatile that site was and how unsafe. That’s on me.

Ghot · Apr 10, 2023

@Bunaby Jones

You might want to try unhooking all the other drives (like you did), and unhooking the internet... then using some bootable partitioning software to "wipe" the drive you intend to re-install Windows on.

You can burn this to a CD or use RUFUS to put it on a USB stick.
It's the ISO for Minitools Partition Wizard 11...

Dropbox - File Deleted - Simplify your life

www.dropbox.com

Then, boot from the CD or USB stick and "wipe" the drive (write zeroes to it).
Then... install Windows on that drive, and see if the problem still exists.

IF the problem still exists, then it's probably the BIOS chip or possibly the router, that's infected.
[I don't know how you have all your devices hooked up, so I can't be sure about the router.]

Bunaby Jones · Apr 10, 2023

Ghot said:
@Bunaby Jones

You might want to try unhooking all the other drives (like you did), and unhooking the internet... then using some bootable partitioning software to "wipe" the drive you intend to re-install Windows on.

You can burn this to a CD or use RUFUS to put it on a USB stick.
It's the ISO for Minitools Partition Wizard 11...

Dropbox - File Deleted - Simplify your life

www.dropbox.com

Then, boot from the CD or USB stick and "wipe" the drive (write zeroes to it).
Then... install Windows on that drive, and see if the problem still exists.

IF the problem still exists, then it's probably the BIOS chip or possibly the router, that's infected.
[I don't know how you have all your devices hooked up, so I can't be sure about the router.]

I do not have my PC right now. It’s checked Into GeekSquad at Best Buy. My Desktop was LAN connected.

Ghot · Apr 10, 2023

Bunaby Jones said:
I do not have my PC right now. It’s checked Into GeekSquad at Best Buy. My Desktop was LAN connected.

They will probably do the same thing.
And as for router infections (I don't even use a router).
A while back I read about bad guys intercepting router packages, manually infecting them, the re-packaging them, so no one knew. If it still happens, I have no idea. I just pointed it out cause it's... possible.

Another way to get recurring infection is via infected USB stick or USB device.
You get everything cleaned... then stick the USB device back in... and you're infected again.

If all else fails... make a free account here, and let them clean the computer.
They're not fast, but they are the best...

Virus, Trojan, Spyware, and Malware Removal Help Forum

Virus, Trojan, Spyware, and Malware Removal Help: One of the last bastions of computer security warriors and healers. Bring your troubled PC here for top-of-the-line help with Malware Analysis and Removal by our trained professionals. This forum is only for those seeking aide with Malware...

www.bleepingcomputer.com

It's not like a normal forum, where many people answer. You'll get something like a case worker.
One person who will take you from start to finish. It's all free.

Follow their directions exactly. Don't skip ahead, or try to 2nd guess them.
They've been doing this for 20 years that I know of... probably longer.

flashh4 · Apr 10, 2023

I can do the same job as they do at Bleepingcomputer & i have been doing it for 20 yrs. also !
!

Fabler2 · Apr 11, 2023

flashh4 said:
I can do the same job as they do at Bleepingcomputer & i have been doing it for 20 yrs. also !
!

I shall remember that if ever the case I get one of these 'hidden' modern malware.

kelper · Apr 11, 2023

Birk said:
I tried the MS rootkit scan by following Brink's instructions - nothing happened. When I tried the command prompt I got this response:

View attachment 57585

Something is wrong - but what is it and how can I fix it?

You have to uninstall any third party antivirus or antimalware first. I use Webroot and pausing it was not enough, I got the same error in Powershell as you. But Defender offline ran fine once I had uninstalled Webroot.