
Need help with a persistent infection, possible rootkit or other device.

jpeg666

So how I know I was infected at least once for sure is: my PC was doing all kinds of weird crap and Wireshark showed crazy amounts of traffic to random IPs when idle. I started trying to get to the bottom of things; when I booted into safe mode my PIN was auto-populated multiple times extremely fast until Windows brute force protection stepped in.

After that I said fuck this and wiped all my drives and flashed my BIOS to the most current available ROM.

Even on new installs of Windows my PC will start making tons of TCP and UDP connections. My drives will be accessing files on the system constantly and massive amounts of stuff shows up in the temp folders.

I have clean wiped multiple times now. I even booted into Linux to clean wipe everything, and even in Linux at idle my PC will connect to a handful of suspect IP addresses.

More recently my router has been restarting constantly, or my Ethernet adapter will just lose connection every so often and I'll have to reset it to get connected.

I had an interesting file pop up in my temp folder in this most recent clean install of Windows. I ran it through VirusTotal a few days ago and it showed up clean. I checked the same file again and someone had posted some suspect info about it 2 days ago.


I don't know if it's a persistent threat on my PC hardware or if it is my router or another device on my network causing these issues.

Any help would be appreciated.

Here is the file, I'm not sure why it didn't attach to my original post
1000000889.jpg


I was using Kaspersky as my AV; nothing ever showed up in scans. Although it would do weird things like skip over files during scans with no explanation why.

These last couple of clean wipes I've just been relying on Defender. This did get caught a few days into my most recent clean install.

1000000890.jpg


I may be misunderstanding this and it may be nothing, but right after a fresh install of Windows I checked the event logs and there is an event for a workgroup PC that is not on my network and it is not my PC's ID.

1000000891.jpg
 
On a separate system, download a new, out-of-the-box ISO and make a Windows install drive.

Download https://www.emsisoft.com/en/home/emergency-kit/

And put it on the USB.

Download https://www.malwarebytes.com/solutions/rootkit-scanner

And put it on the USB.

I would put them in a folder.
Boot and change your computer to boot to the USB. Boot to it and, once it starts, click Repair and go to the command line. You can use the CMD prompt and the following commands to run the programs:

CD   Change directory
DIR  List files and folders in the current directory

If you start to type a file path you can press Tab to fill in the rest of a file or folder name to complete the command.

For example

You put Emergency Kit and Malwarebytes in a folder on the USB called Anti-virus.

At the CMD prompt

C:\system32>

Type

CD C:\Anti

And press tab, it should complete C:\Anti-virus.

Press Enter and the command prompt should read:

C:\Anti-virus>

Type DIR

And it should list:

Emergency Kit.exe
Malwarebytes.exe

Start typing Emerg and press Tab and it should show:

C:\Anti-virus\Emergency Kit.exe

Press enter and it should start the Emergency Kit program.

Run both and allow them to clean up whatever they find.

Once both are complete, before you reboot:

Type

CD C:\system32
Press enter then Type
SFC /scannow

And let that run.

This will boot the system from clean media and run anti-virus/rootkit software outside the booted Windows environment, but with access to your system.
Once clean, run SFC. SFC stands for System File Checker; it will scan Windows files for altered, damaged, missing, or replaced versions and replace them with verified versions.

Before you reboot normally:

Unplug ALL network links. Boot into your version of Windows and run the tools again.
 
Going to buy a new USB drive and load it up at a friend's house. I'll report back.

I can't run any of the programs:
1000000899.jpg


I ended up installing Emsisoft onto a different USB drive and was able to run the command line scanner. It found 1 herc something. I still cannot run Malwarebytes in WindowsRE though. It gives me the same message.
 
Is your OS on an SSD or NVMe?
 
Looks like you possibly tried to run a 64-bit program on a 32-bit OS.
 
iepdf32.dll is a component of PDFium and is used by applications that have embedded PDF readers.


That detection (Wacatac.h!ml) is a machine-learning heuristics detection. It's a VERY generic detection with a sky-high false positive rate (easily 9 out of 10 detections are false positives). Just to be safe, upload that DLL to VirusTotal and see what the major engines accuse it of.

This last one about SCEP certificate enrollment has something to do with the root CA store and incorrect fTPM configuration on AMD Ryzen processors.

All in all does your computer show any symptoms that it is actually infected? High load under idle, any unusual processes, high memory usage, communicating through the internet? Have you made a note of the connections your machine is trying to make? Windows 10 and 11 actually do communicate to a lot of addresses upon configuration, something to do with user experience and advertisements. See if that's not what's happening to you. Shutup10++ and Winaero Tweaker are your friends.

Lastly, UEFI-based viruses are extremely rare; as a last resort, re-flash your BIOS and do a secure erase on your boot SSD, installing Windows with the other drives physically disconnected.
 
So I get that Windows 11 makes a bunch of connections for updates and stuff, but I went through and checked a lot of the IPs on VirusTotal and AbuseIPDB, and a few were marked as malware or highly reported on AbuseIPDB.

Also my PC would write massive amounts of stuff to the temp folder constantly while idle, keeping my CPU temp above 60 degrees, and I would look for the program taking up CPU resources and none would show as hammering the CPU, but like I said there were large amounts of reading and writing being done. I would watch Resource Monitor to see what and where the activity was.

I missed the name of the file that Emsisoft found, but that file was marked as trojan.herc, something like that.

Farbar also caught that the GPO had been altered, and I did not touch the GPO on this last install.


I can list a massive amount of sus activity I saw. I just don't want to write a book, and some of it is probably normal activity.




So I went ahead and secure erased everything on all drives, got a new router, and installed Win11 from that brand new USB. This was yesterday.

This time after installing there was way less traffic and fewer TCP connections. After installing updates, my PC was quietly idling at 34 degrees and the disk was being used way less when idle.

One concerning thing is the different computer names that Event Viewer logs are picking up on a brand new install. One of those names is probably my PC before I renamed it, but that doesn't explain the others: maybe 2 more different computer names picked up in mobile device management logs, and Credential Guard errors with another PC's name.

The new router and new IP have resolved a lot of the sus TCP and UDP traffic.

I am still worried about some stuff with this new install though. The amount of update errors and security services warnings seems a bit odd.

I had an old ASUS RT-3200; it may have been letting things through that it shouldn't have, or was possibly infected.

I'm trying to get into IT work; digging through all this, monitoring everything and learning about the inner workings of Windows is nice. I got my CompTIA A+, I'm currently working on my Network+ and then Sec+ after that.

When my old router was hooked up and I was on a previous install of Windows I was digging through Wireshark and seeing a lot of interesting things. My PC was DNS-querying a lot of odd sites when on a clean boot via msconfig; I saw DNS entries switch from suspicious addresses to Google and Azure servers after they were already logged and resolved.

I am trying to teach myself how to use Farbar more effectively at the moment. I will attach the logs. Maybe you can see if there is anything out of the ordinary for a clean Win11 install.

This is a clean install with only windows updates downloaded.
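Picking up the earlier advice to keep a note of the connections the machine makes, and the observations above about checking IPs on VirusTotal/AbuseIPDB and seeing DNS answers switch mid-capture, here is an added Python example (not from the thread or any poster) that triages a tshark export of DNS responses taken while the PC is idle: it lists names whose answer changed during the capture and the unique non-local addresses worth looking up. The tshark command in the comment, the column layout and every sample row are assumptions I constructed for the example.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample of a tshark export taken while the PC was idle, e.g.
#   tshark -r idle.pcapng -Y "dns.flags.response == 1" -T fields -E separator=/t \
#          -e frame.time_epoch -e dns.qry.name -e dns.a
# Columns: epoch time, queried name, A record. Addresses are RFC 5737 test ranges.
SAMPLE_EXPORT = (
    "1714500001.0\tupdate.example.com\t192.0.2.10\n"
    "1714500002.0\ttelemetry.example.net\t203.0.113.5\n"
    "1714500040.0\ttelemetry.example.net\t203.0.113.5\n"
    "1714500090.0\ttelemetry.example.net\t198.51.100.7\n"    # answer changed mid-capture
    "1714500100.0\tprinter.lan\t192.168.1.20\n"              # LAN device, not worth a lookup
    "1714500130.0\tcdn.example.org\tcdn-edge.example.org\n"  # CNAME-only row, no address
)

# Ranges never worth submitting to a reputation service. ip.is_global is not used
# because it would also drop the RFC 5737 documentation addresses in the sample.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def parse_dns_export(text):
    """Return [(epoch, name, ip)] for well-formed rows; skip blank, short or CNAME-only rows."""
    records = []
    for row in csv.reader(text.splitlines(), delimiter="\t"):
        if len(row) != 3:
            continue
        ts, name, addr = (field.strip() for field in row)
        try:
            records.append((float(ts), name.lower(), ipaddress.ip_address(addr)))
        except ValueError:  # non-numeric time, or an answer that is not an address
            continue
    return records


def changed_answers(records):
    """Names whose resolved address changed during the capture, in the order first seen."""
    seen = defaultdict(list)
    for _, name, ip in sorted(records, key=lambda r: r[0]):
        if ip not in seen[name]:
            seen[name].append(ip)
    return {n: [str(ip) for ip in ips] for n, ips in seen.items() if len(ips) > 1}


def lookup_candidates(records):
    """Unique non-local answer addresses, numerically ordered, to check on VirusTotal/AbuseIPDB."""
    external = {ip for _, _, ip in records if not any(ip in net for net in LOCAL_NETS)}
    return [str(ip) for ip in sorted(external, key=lambda ip: (ip.version, int(ip)))]
```

Feed it a real export and compare the candidate list against the addresses Windows is known to contact; anything left over is what to look up, and a name that flips between unrelated addresses during one idle capture is worth a closer look.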
 

Took a quick look; it doesn't seem like there's anything wrong with that. Azure is Microsoft's cloud, and from what I could find this is a root CA enrollment bug that's caused by the processor's security system. I found both these threads:


and specifically this comment


You might wanna check these out... I can't recall having this problem back when I had my 5950X system, or maybe I never even noticed. It definitely isn't happening on my current Intel.
 

Agreed, I haven't seen anything that indicates infection other than the FP on this PDF reader. The logs and the activity seem normal.
 
I've looked for hours for a solution to this; there is a thread on the AMD forums that has gone on for years about this. Some people say AMD hasn't updated their URL, some say fTPM is broken. In the most recent posts some people have fixed it by updating the chipset drivers. That never fixes it for me though.

One thing I have tried many times without success, and after many hours of research, is to get the security processes to run.

sysinfo.png


Even if I go into GPO and enable and configure the available security properties, they will never list as running; also Firmware Protection will never get turned on no matter what I do.
 
So I started installing what I normally use and this looked interesting: 44 startup apps under Discord. Someone on Reddit has the same thing. Some people are saying it looks like compromise and others are saying it's normal.

disco.png



I was removing Edge from startup when I looked over a couple of minutes later and the icon had changed, the CHCP file name had changed and the publisher had become GitHub.


disco2.png


I just installed my Nvidia drivers last night; now this is what I get trying to access the control panel...

1000000914.jpg


1000000915.jpg
 