Solved What kind of Malware do I have?

Long story short I suddenly started having issues about 5 days ago when my keyboard was pressing buttons. I opened up notepad to see if my keys were sticking.

To my horror my usernames and passwords to many things started typing themselves out. Such as steam, google, Microsoft etc.

I naturally panicked and shut down my pc. I had the files I needed backed up already so I wiped my PC and downloaded Windows 11 from MS and reinstalled.

I immediately got Kaspersky which my family has used for a while and Changed all my passwords. Ram scans and found nothing on any drive.

Unfortunately it happened again with my passwords typing themselves out. There was no communication and it seemed automatic as if a bot was doing it. Then it started pasting out time stamps as if it was copied and pasted.

Now it was also reposting direct 1 to 1 text of things I googled and messages I sent in discord.

But anything typed on a different device such as my phone was not shown or anything.

I removed all drives and left only my m.2 and reinstalled once more. It did it again. This time I disconnect the internet, router and lan cables and disabled my Wi-Fi on the motherboard. It still typed stuff out without internet. So I think it’s an automatic bot.

I’ve done some research and I think this is a UEFI Bootkit/Rootkit.

I am unable to
Fix this so I took it to Geek Squad at BestBuy and am currently waiting to hear from them. But does it sound like a deep embedded bootkit or BIOS virus to you all?

I don’t have my desktop so I can’t be sure but the Windows Version is 22H2

I was surprised that you did not mention
Run Microsoft Defender Offline Scan - ElevenForumTutorials
since that is specifically designed to detect rootkits and which you can still use depsite your Russian software.

The last time I checked, Kaspersky's equivalent was
Anti-rootkit utility TDSSKiller


All the best,
Denis

Try3 said:

I was surprised that you did not mention
Run Microsoft Defender Offline Scan - ElevenForumTutorials
since that is specifically designed to detect rootkits and which you can still use depsite your Russian software.

The last time I checked, Kaspersky's equivalent was
Anti-rootkit utility TDSSKiller


All the best,
Denis

Click to expand...

I don’t have my PC it is currently at GeekSquad. I was more-so asking if the community thinks it’s a bootkit/rootkit.

But the information you have given me is very useful, so for that I thank you.

Doesn't have the characteristics of any virus or Rootkit i have ever worked on ! I would do an exorcism, sorry but couldn't help that !!
Lets see what the bad incompetent (charges to much) Geek squad has to say !
Also as @Try3 said run the TTDSKiller !

Bunaby Jones said:

I immediately got Kaspersky which my family has used for a while

Click to expand...

So what AV / Antimalware were you using before you got infected?

I tried the MS rootkit scan by following Brink's instructions - nothing happened. When I tried the command prompt I got this response:



Something is wrong - but what is it and how can I fix it?

Bunaby Jones said:

I was more-so asking if the community thinks it’s a bootkit/rootkit.

Click to expand...

Assuming that you Clean installed in accordance with the tutorial & with all other disks removed
Clean Install Windows 11 - ElevenForumTutorials
then your initial post says, "Yes, it's a rootkit."

Bunaby Jones said:

I removed all drives and left only my m.2 and reinstalled once more. It did it again.

Click to expand...

All the best,
Denis

Birk said:

Something is wrong - but what is it and how can I fix it?

Click to expand...

Birt,

I urge you to start a thread of your own or ask your question in that tutorial thread.
This is Bunaby Jones' thread.

All the best,
Denis

Kaspersky? I just have a hard time trusting anything owned and operated by the Russians.
The Russian maffia controls so much of what goes on in that country!

kelper said:

So what AV / Antimalware were you using before you got infected?

Click to expand...

Just Windows Defender.

Could you have visited any dodgy websites?

kelper said:

Could you have visited any dodgy websites?

Click to expand...

Well I was on a site streaming a series and I made the mistake of trying to download an episode. I cancelled within 30 seconds because it was gonna take forever.

These things started very shortly after this.

You need a better antimalware if you are visiting naughty websites!

kelper said:

You need a better antimalware if you are visiting naughty websites!

Click to expand...

It wasn’t porn. It was MoviesJoy and I was watching a series. Windows defender didn’t detect anything so I don’t think anything else would have. Unfortunately I didn’t know how volatile that site was and how unsafe. That’s on me.

@Bunaby Jones

You might want to try unhooking all the other drives (like you did), and unhooking the internet... then using some bootable partitioning software to "wipe" the drive you intend to re-install Windows on.

You can burn this to a CD or use RUFUS to put it on a USB stick.
It's the ISO for Minitools Partition Wizard 11...



Then, boot from the CD or USB stick and "wipe" the drive (write zeroes to it).
Then... install Windows on that drive, and see if the problem still exists.



IF the problem still exists, then it's probably the BIOS chip or possibly the router, that's infected.
[I don't know how you have all your devices hooked up, so I can't be sure about the router.]

Ghot said:

@Bunaby Jones

You might want to try unhooking all the other drives (like you did), and unhooking the internet... then using some bootable partitioning software to "wipe" the drive you intend to re-install Windows on.

You can burn this to a CD or use RUFUS to put it on a USB stick.
It's the ISO for Minitools Partition Wizard 11...

Dropbox

www.dropbox.com

Then, boot from the CD or USB stick and "wipe" the drive (write zeroes to it).
Then... install Windows on that drive, and see if the problem still exists.



IF the problem still exists, then it's probably the BIOS chip or possibly the router, that's infected.
[I don't know how you have all your devices hooked up, so I can't be sure about the router.]

Click to expand...

I do not have my PC right now. It’s checked Into GeekSquad at Best Buy. My Desktop was LAN connected.

Bunaby Jones said:

I do not have my PC right now. It’s checked Into GeekSquad at Best Buy. My Desktop was LAN connected.

Click to expand...

They will probably do the same thing.
And as for router infections (I don't even use a router).
A while back I read about bad guys intercepting router packages, manually infecting them, the re-packaging them, so no one knew. If it still happens, I have no idea. I just pointed it out cause it's... possible.

Another way to get recurring infection is via infected USB stick or USB device.
You get everything cleaned... then stick the USB device back in... and you're infected again.




If all else fails... make a free account here, and let them clean the computer.
They're not fast, but they are the best...




It's not like a normal forum, where many people answer. You'll get something like a case worker.
One person who will take you from start to finish. It's all free.

Follow their directions exactly. Don't skip ahead, or try to 2nd guess them.
They've been doing this for 20 years that I know of... probably longer.

I can do the same job as they do at Bleepingcomputer & i have been doing it for 20 yrs. also !
!

flashh4 said:

I can do the same job as they do at Bleepingcomputer & i have been doing it for 20 yrs. also !
!

Click to expand...

I shall remember that if ever the case I get one of these 'hidden' modern malware.

Birk said:

I tried the MS rootkit scan by following Brink's instructions - nothing happened. When I tried the command prompt I got this response:

View attachment 57585

Something is wrong - but what is it and how can I fix it?

Click to expand...

You have to uninstall any third party antivirus or antimalware first. I use Webroot and pausing it was not enough, I got the same error in Powershell as you. But Defender offline ran fine once I had uninstalled Webroot.