Found Malware on PC, Need Help Locating Anything Else.


40 replies to this topic

#31 dog6611

  • Topic Starter
Posted Yesterday, 09:33 PM

Also, I know you didn't request this, but I did another registry search for "1048c0dc-0000-0000-0000-30083a000000"

 

I assumed this would be the next step, since the message/scan is not going away.

 

===================================================

Farbar Recovery Scan Tool (x64) Version: 26.02.2024 01
Ran by Soggy (04-03-2024 21:30:20)
Running from E:\Downloads\Bleeping Tools
Boot Mode: Normal

================== Search Registry: "1048c0dc-0000-0000-0000-30083a000000" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\G:]
"VolumeLabel"="\\?\Volume{1048c0dc-0000-0000-0000-30083a000000}\"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Search\VolumeInfoCache\G:]
"VolumeLabel"="\\?\Volume{1048c0dc-0000-0000-0000-30083a000000}\"
[HKEY_USERS\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="Computer\HKEY_USERS\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{1048c0dc-0000-0000-0000-30083a000000}"
[HKEY_USERS\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{1048c0dc-0000-0000-0000-30083a000000}]

====== End of Search ======
 


Edited by dog6611, Yesterday, 09:34 PM.



#32 dog6611

dog6611
  • Topic Starter

  •  Avatar image
  • Members
  • 70 posts
  • ONLINE
  •  
  • Local time:10:57 PM

Posted Yesterday, 09:36 PM

It's the exact same volume. Though, I do not think I can comfortably disconnect my drives without causing possible issues to my PC.


I can possibly disconnect my E: and D: drives, but F: is an M.2 drive, which will require me to remove my GPU to uninstall it, which at the moment is a bit difficult.


With those drives disconnected, I'd only be able to boot into safe mode comfortably; would that be alright?

 

Edit: Waiting on confirmation before moving forward.


Edited by dog6611, Yesterday, 09:43 PM.


#33 Oh My!

  • Malware Response Instructor

Posted Yesterday, 10:37 PM

Thank you for all the information.
 

[HKEY_USERS\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{1048c0dc-0000-0000-0000-30083a000000}]

This confirms it is related to an external drive.

Please do this.

===================================================

ListParts by Farbar for 64 bit Systems

--------------------
  • Download ListParts.exe (for 64 bit systems) and save it to your desktop
  • Right click on the icon and select Run as administrator
  • Place a check mark in List BCD
  • Select Scan
  • Select OK and wait for a Result - Notepad document to open on your desktop
  • Copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Results report

Gary 

Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.

John 6:68-69

#34 dog6611

dog6611
  • Topic Starter

  •  Avatar image
  • Members
  • 70 posts
  • ONLINE
  •  
  • Local time:10:57 PM

Posted Yesterday, 10:42 PM

ListParts by Farbar Version: 31-07-2014
Ran by Soggy (administrator) on 04-03-2024 at 22:40:25
WIN_81 (X64)
Running From: E:\Downloads
Language: English (United States)
************************************************************

========================= Memory info ======================

Percentage of memory in use: 19%
Total physical RAM: 65443.72 MB
Available physical RAM: 52567.93 MB
Total Pagefile: 130979.72 MB
Available Pagefile: 112625.88 MB
Total Virtual: 131072 MB
Available Virtual: 131067.72 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:231.78 GB) (Free:123.74 GB) NTFS
2 Drive d: (Big Boi) (Fixed) (Total:1863.02 GB) (Free:1493.03 GB) NTFS
3 Drive e: (Mega Boi) (Fixed) (Total:3726.01 GB) (Free:3029.77 GB) NTFS
4 Drive f: (Fast Boi) (Fixed) (Total:1863.01 GB) (Free:1229.59 GB) NTFS


  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online         1863 GB      0 B         
  Disk 1    Online         3726 GB  1024 KB        *
  Disk 2    Online          232 GB      0 B         
  Disk 3    Online         1863 GB  2048 KB         

Partitions of Disk 0:
===============


Disk ID: 7CE549F1

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1863 GB  1024 KB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 0     D   Big Boi      NTFS   Partition   1863 GB  Healthy    Pagefile

======================================================================================================

Partitions of Disk 1:
===============


Disk ID: {4EB52694-D422-4749-9AC8-9D164A720FA2}

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Reserved            15 MB    17 KB
  Partition 2    Primary           3726 GB    16 MB

======================================================================================================

Disk: 1
Partition 1
Type    : e3c9e316-0b5c-4db8-817d-f92df00215ae
Hidden  : Yes
Required: No
Attrib  : 0000000000000000

There is no volume associated with this partition.

======================================================================================================

Disk: 1
Partition 2
Type    : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden  : No
Required: No
Attrib  : 0000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     E   Mega Boi     NTFS   Partition   3726 GB  Healthy            

======================================================================================================

Partitions of Disk 2:
===============


Disk ID: 1048C0DC

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            350 MB  1024 KB
  Partition 2    Primary            231 GB   351 MB
  Partition 3    Recovery           775 MB   232 GB

======================================================================================================

Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System (partition with boot components)  

======================================================================================================

Disk: 2
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     C                NTFS   Partition    231 GB  Healthy    Boot    

======================================================================================================

Disk: 2
Partition 3
Type  : 27
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      RAW    Partition    775 MB  Healthy    Hidden  

======================================================================================================

Partitions of Disk 3:
===============


Disk ID: 017978DE

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1863 GB  1024 KB

======================================================================================================

Disk: 3
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     F   Fast Boi     NTFS   Partition   1863 GB  Healthy            

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 7CE549F1
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition: GPT Partition Type.

==============================
Partitions of Disk 2:
===============
Disk ID: 1048C0DC
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=775 MB) - (Type=27)

==============================
Partitions of Disk 3:
===============
Disk ID: 017978DE
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)


Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume5
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {bb6d58ea-7473-11ed-a6bf-d09bfc971386}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 0
displaybootmenu         No

Windows Boot Loader
-------------------
identifier              {aaf391eb-41b7-11e9-a6db-e20d6567feda}
device                  ramdisk=[unknown]\Recovery\WindowsRE\Winre.wim,{aaf391ec-41b7-11e9-a6db-e20d6567feda}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
locale                  en-US
inherit                 {bootloadersettings}
displaymessage          Recovery
osdevice                ramdisk=[unknown]\Recovery\WindowsRE\Winre.wim,{aaf391ec-41b7-11e9-a6db-e20d6567feda}
systemroot              \windows
nx                      OptIn
bootmenupolicy          Standard
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.exe
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {f73a1c27-801f-11ee-b5d4-029846126161}
displaymessageoverride  Recovery
recoveryenabled         Yes
testsigning             No
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {bb6d58ea-7473-11ed-a6bf-d09bfc971386}
nx                      OptIn
numproc                 16
bootmenupolicy          Legacy
usefirmwarepcisettings  No
useplatformclock        No
useplatformtick         Yes
disabledynamictick      Yes

Windows Boot Loader
-------------------
identifier              {f73a1c27-801f-11ee-b5d4-029846126161}
device                  ramdisk=[C:]\Recovery\WindowsRE\Winre.wim,{f73a1c28-801f-11ee-b5d4-029846126161}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
locale                  en-US
inherit                 {bootloadersettings}
displaymessage          Recovery
osdevice                ramdisk=[C:]\Recovery\WindowsRE\Winre.wim,{f73a1c28-801f-11ee-b5d4-029846126161}
systemroot              \windows
nx                      OptIn
bootmenupolicy          Standard
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {bb6d58ea-7473-11ed-a6bf-d09bfc971386}
device                  partition=C:
path                    \WINDOWS\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
recoverysequence        {f73a1c27-801f-11ee-b5d4-029846126161}
recoveryenabled         Yes
allowedinmemorysettings 0x15000075
filedevice              partition=C:
filepath                \hiberfil.sys
bootmenupolicy          Standard
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume5
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 No

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {f73a1c28-801f-11ee-b5d4-029846126161}
description             Windows Recovery
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi


****** End Of Log ******
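The BCD dump in the ListParts report above carries two "Windows Recovery Environment" loaders: {f73a1c27-801f-11ee-b5d4-029846126161}, which the current loader's recoverysequence points at and which lives on C:, and an older {aaf391eb-41b7-11e9-a6db-e20d6567feda} whose device and osdevice are ramdisk=[unknown]... and which no other entry references. The following is an added example, not code from the thread or from Farbar's tools: it parses bcdedit-style text (the same format `bcdedit /enum all` prints) and flags entries whose device could not be resolved and entries that nothing reachable from {bootmgr} points at. SAMPLE_BCD is a trimmed copy of the listing above, embedded here as sample input.

```python
"""Flag BCD entries that cannot boot: loaders whose device is [unknown] and
entries nothing references from {bootmgr}. Added example; the text below is a
trimmed copy of the bcdedit-style listing ListParts printed in the thread."""
import re

SAMPLE_BCD = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume5
description             Windows Boot Manager
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}

Windows Boot Loader
-------------------
identifier              {aaf391eb-41b7-11e9-a6db-e20d6567feda}
device                  ramdisk=[unknown]\Recovery\WindowsRE\Winre.wim,{aaf391ec-41b7-11e9-a6db-e20d6567feda}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
osdevice                ramdisk=[unknown]\Recovery\WindowsRE\Winre.wim,{aaf391ec-41b7-11e9-a6db-e20d6567feda}
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.exe
description             Windows 10
recoverysequence        {f73a1c27-801f-11ee-b5d4-029846126161}
recoveryenabled         Yes
osdevice                partition=C:

Windows Boot Loader
-------------------
identifier              {f73a1c27-801f-11ee-b5d4-029846126161}
device                  ramdisk=[C:]\Recovery\WindowsRE\Winre.wim,{f73a1c28-801f-11ee-b5d4-029846126161}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
osdevice                ramdisk=[C:]\Recovery\WindowsRE\Winre.wim,{f73a1c28-801f-11ee-b5d4-029846126161}
winpe                   Yes

Device options
--------------
identifier              {f73a1c28-801f-11ee-b5d4-029846126161}
description             Windows Recovery
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi
"""

REF_RE = re.compile(r"\{[^{}]+\}")   # {guid} or {alias} references inside a value


def parse_bcd(text):
    """Return {identifier: {"type": section title, "props": {key: [values]}}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # An entry is a title line followed by an underline made only of dashes.
        if len(lines) < 2 or not lines[1].strip() or set(lines[1].strip()) != {"-"}:
            continue
        props, last = {}, None
        for line in lines[2:]:
            if line[:1].isspace() and last:
                props[last].append(line.strip())   # continuation of a multi-valued key (e.g. inherit)
                continue
            key, _, value = line.partition(" ")
            last = key
            props.setdefault(key, []).append(value.strip())
        ident = props.get("identifier", [""])[0]
        if ident:
            entries[ident] = {"type": lines[0].strip(), "props": props}
    return entries


def reachable_from(entries, root="{bootmgr}"):
    """Identifiers reachable by following {...} references, starting at the boot manager."""
    seen, stack = set(), [root]
    while stack:
        ident = stack.pop()
        if ident in seen or ident not in entries:
            continue
        seen.add(ident)
        for values in entries[ident]["props"].values():
            for value in values:
                stack.extend(REF_RE.findall(value))
    return seen


def orphaned_entries(entries, root="{bootmgr}"):
    """Entries that no reachable entry points at; stale loaders survive this way."""
    return sorted(set(entries) - reachable_from(entries, root))


def unknown_device_entries(entries):
    """Entries whose device or osdevice could not be resolved to a volume."""
    return sorted(ident for ident, e in entries.items()
                  if any("[unknown]" in v for k in ("device", "osdevice")
                         for v in e["props"].get(k, [])))


if __name__ == "__main__":
    bcd = parse_bcd(SAMPLE_BCD)
    print("unknown device:", unknown_device_entries(bcd))
    print("not referenced from {bootmgr}:", orphaned_entries(bcd))
```

On a live system, run `bcdedit /enum all > bcd.txt` from an elevated prompt and pass the file's contents to parse_bcd; the same two checks then apply to the real store. For the listing above, both checks single out {aaf391eb-41b7-11e9-a6db-e20d6567feda}.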



#35 Oh My!

Oh My!

    Adware and Spyware and Malware


  •  Avatar image
  • Malware Response Instructor
  • 57,028 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:57 PM

Posted Yesterday, 10:47 PM

If it is manageable, disconnect the E: and D: drive and reboot. See if the boot scanning still appears.
Gary 


#36 dog6611

dog6611
  • Topic Starter

  •  Avatar image
  • Members
  • 70 posts
  • ONLINE
  •  
  • Local time:10:57 PM

Posted Yesterday, 10:54 PM

Sure, give me a bit to wrap up what I'm doing and I'll try it.



#37 Oh My!

Oh My!

    Adware and Spyware and Malware


  •  Avatar image
  • Malware Response Instructor
  • 57,028 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:57 PM

Posted Yesterday, 10:59 PM

Well I need to log off.

If you disconnect both and the issue remains that means it is the F: drive. If the issue does not appear when D: and E: are disconnected, connect one at a time to see which one is the culprit. There is a general way to eliminate the issue but I would rather target the offending drive if possible.

I will check in the morning.
Gary 


#38 dog6611

dog6611
  • Topic Starter

  •  Avatar image
  • Members
  • 70 posts
  • ONLINE
  •  
  • Local time:10:57 PM

Posted Yesterday, 11:12 PM

Alright, I got the exact same message again with only my C: drive plugged in. Removed my M.2 drive while I was at it.

 

I'm pretty sure the issue goes back to my recovery partition.  

 

Going to plug all of my drives back in now.  I'll be back on my rig soon.

I unplugged the following drives: D, E, F.


Edit: Pretty sure I need to remake my Recovery Partition properly this time, because the way I did it previously obviously messed things up. 
This current issue popped up right after I made that change to my C: Drive. 


Edited by dog6611, Today, 01:27 AM.


#39 Oh My!

Oh My!

    Adware and Spyware and Malware


  •  Avatar image
  • Malware Response Instructor
  • 57,028 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:57 PM

Posted Today, 09:39 AM

I am always hesitant to manipulate a main drive at that deep of a level because I don't want to inadvertently make things worse rather than better. I can't recall ever having a MountPoint associated with anything other than an external drive. If you want to deal with the Recovery Partition, feel free.

If you want to investigate further you can do this. Completely up to you which way you prefer to go.

===================================================

Farbar Recovery Scan Tool Fix

--------------------
  • Right click on the FRST64 icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST64 will do it for you
Start::
ExportKey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Process Monitor Boot Log

--------------------
  • Download Process Monitor and save it to your Desktop
  • Right click on Procmon and select Run as administrator
  • Agree to any permission requests
  • Hit Ctrl + E to stop capturing events
  • Hit Ctrl + X at the same time to clear the display
  • Click Options then Enable Boot Logging
  • Place a check mark in Generate thread profiling events
  • Click OK
  • Close Process Monitor
  • Close any open programs and shut down your computer
  • Start your computer and allow the boot up process to complete, including logging in if you use a password
  • Wait 15 minutes before doing anything further
  • Right click on Process Monitor and select Run as administrator
  • Click Yes on the next window that appears and save the boot-time activity log onto your desktop using the default name
  • Please zip and upload the file to GoFile or the file hosting site of your choice and send me a Personal Message with download link
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Boot Log

Gary 


#40 dog6611

dog6611
  • Topic Starter

  •  Avatar image
  • Members
  • 70 posts
  • ONLINE
  •  
  • Local time:10:57 PM

Posted Today, 08:23 PM

I completely understand that, what would be ideal is maybe help to re-create the Recovery Partition the proper way. 

Since I most likely missed a step when following a guide.

PM Sent.

P.S. I re-installed NordVPN.

===================================================

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 05.03.2024
Ran by Soggy (05-03-2024 20:19:54) Run:9
Running from E:\Downloads\Bleeping Tools
Loaded Profiles: Soggy
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start::
ExportKey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
End::
*****************

================== ExportKey: ===================

[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{017978de-0000-0000-0000-100000000000}]
"Data"="d60d00000df0adba01000000080000000000008000000000000000300000000004000000ff06e703ff000000160000008039dcd71f00000004000000110000000000000000000000000000000000000000005c005c003f005c00530054004f0052004100 (the data entry has 2540 more characters)."
"Generation"="1"
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{1048c0dc-0000-0000-0000-30083a000000}]
"Data"="d60d00000df0adba01000000080000000000008000000000000000100000000000000000bdaddbbabdaddbbabdaddbba000000001e000000040000000b0000000000000000000000000000000000000000005c005c003f005c00530054004f0052004100 (the data entry has 2540 more characters)."
"Generation"="1"
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{1640e264-d1d7-4b15-a3b6-33b25776ec04}]
"Data"="d60d00000df0adba01000000080000000000008000000000000000300000000004000000ff06e703ff00000016000000c54d5bd01f000000040000000b0000000000000000000000000000000000000000005c005c003f005c00530054004f0052004100 (the data entry has 2540 more characters)."
"Generation"="1"
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{1de0941c-f899-11e7-8252-806e6f6e6963}]
"Data"="d60d00000df0adba01000000080000000000008000000000000000300000000000000000ff06e703ff00000016000000b08c2e3a1f000000040000000b0000000000000000000000000000000000000000005c005c003f005c00530054004f0052004100 (the data entry has 2540 more characters)."
"Generation"="1"
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{dd632419-f895-11e7-824f-806e6f6e6963}]
"Data"="d60d00000df0adba01000000080000000000008000000000000000300000000000000000ff06e703ff000000160000004a9e3f721e000000040000000b0000000000000000000000000000000000000000005c005c003f005c00530054004f0052004100 (the data entry has 2540 more characters)."
"Generation"="1"
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{dd63241a-f895-11e7-824f-806e6f6e6963}]
"Data"="d60d00000df0adba41000000080000000000008000000000000000300000000000000000ff06e703ff00000016000000e29746d01f000000044000000b0000000000000000000000000000000000000000005c005c003f005c00530054004f0052004100 (the data entry has 2540 more characters)."
"Generation"="1"

=== End of ExportKey ===

==== End of Fixlog 20:19:54 ====


Edited by dog6611, Today, 09:21 PM.
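The GUID this thread has been chasing can be decoded rather than just searched for. The following is an added example, not code from the thread or from Farbar's tools: on MBR disks Windows builds the volume GUID as {DiskSignature-0000-0000-0000-Offset}, with the partition's starting byte offset stored little-endian in the GUID's last eight bytes (that layout is an assumption of this example, not something the thread states). Under it, {1048c0dc-0000-0000-0000-30083a000000} decodes to disk signature 1048C0DC, which the ListParts report in post #34 lists as Disk 2, the disk that carries C:, at an offset of about 232 GB, i.e. that disk's partition 3, the 775 MB Recovery partition ListParts shows as RAW and Hidden; the Windows Search VolumeInfoCache entries in post #31 record the same GUID under drive letter G:. {017978de-0000-0000-0000-100000000000} resolves the same way to Disk 3, partition 1 (F:). The other four MountPoints2 GUIDs have nonzero middle groups, so they carry no MBR structure and are reported as undecodable. The two text samples are trimmed copies of the FRST ExportKey output above and the ListParts report, embedded here as sample input.

```python
"""Decode Explorer MountPoints2 volume GUIDs and map them onto ListParts disks.
Added example; the two text samples are trimmed copies of the FRST ExportKey
and ListParts logs posted in this thread, embedded here as sample input."""
import re


def decode_volume_guid(guid):
    """Return (disk signature, byte offset) for an MBR-style GUID, else None.

    Assumed layout: Data1 is the MBR disk signature, Data2/Data3 are zero and
    the eight Data4 bytes hold the partition start offset, little-endian.
    GPT partition GUIDs are random and carry nothing to decode."""
    g = guid.strip("{}").lower()
    parts = g.split("-")
    if len(g) != 36 or [len(p) for p in parts] != [8, 4, 4, 4, 12]:
        raise ValueError(f"not a GUID: {guid!r}")
    sig, data2, data3, data4a, data4b = parts
    if (data2, data3) != ("0000", "0000"):
        return None
    offset = int.from_bytes(bytes.fromhex(data4a + data4b), "little")
    return sig.upper(), offset


UNIT = {"KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}
DISK_RE = re.compile(r"^Disk ID:\s*(\S+)\s*$")
PART_RE = re.compile(r"^\s*Partition (\d+)\s+\w+\s+\d+ [KMG]B\s+(\d+) ([KMG]B)\s*$")


def parse_listparts(text):
    """{disk id: [(partition number, start offset in bytes, rounding unit in bytes), ...]}"""
    disks, current = {}, None
    for line in text.splitlines():
        m = DISK_RE.match(line)
        if m:
            current = m.group(1).strip("{}").upper()
            disks.setdefault(current, [])
            continue
        m = PART_RE.match(line)
        if m and current is not None:
            unit = UNIT[m.group(3)]
            disks[current].append((int(m.group(1)), int(m.group(2)) * unit, unit))
    return disks


def locate(guid, disks):
    """(disk id, partition number) a MountPoints2 GUID points at, or None.
    ListParts prints offsets rounded to whole KB/MB/GB, so match within half a unit."""
    decoded = decode_volume_guid(guid)
    if decoded is None:
        return None
    sig, offset = decoded
    for number, start, unit in disks.get(sig, []):
        if abs(start - offset) <= unit // 2:
            return sig, number
    return None


def mountpoint_guids(exportkey_text):
    """Volume GUIDs cached under MountPoints2/CPC/Volume in an FRST ExportKey dump."""
    return re.findall(r"\\Volume\\(\{[0-9a-f-]{36}\})\]", exportkey_text, re.I)


FIXLOG_SAMPLE = r"""
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{017978de-0000-0000-0000-100000000000}]
"Generation"="1"
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{1048c0dc-0000-0000-0000-30083a000000}]
"Generation"="1"
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{1640e264-d1d7-4b15-a3b6-33b25776ec04}]
"Generation"="1"
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{1de0941c-f899-11e7-8252-806e6f6e6963}]
"Generation"="1"
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{dd632419-f895-11e7-824f-806e6f6e6963}]
"Generation"="1"
[HKU\S-1-5-21-2538788236-3835922159-488444903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{dd63241a-f895-11e7-824f-806e6f6e6963}]
"Generation"="1"
"""

LISTPARTS_SAMPLE = """
Partitions of Disk 2:
===============

Disk ID: 1048C0DC

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            350 MB  1024 KB
  Partition 2    Primary            231 GB   351 MB
  Partition 3    Recovery           775 MB   232 GB

Partitions of Disk 3:
===============

Disk ID: 017978DE

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1863 GB  1024 KB
"""

if __name__ == "__main__":
    disks = parse_listparts(LISTPARTS_SAMPLE)
    for guid in mountpoint_guids(FIXLOG_SAMPLE):
        print(guid, decode_volume_guid(guid), locate(guid, disks))
```

The two inputs on a live machine are the MountPoints2 export (FRST's ExportKey, or `reg export` of the key) and the ListParts report; a decoded GUID whose signature matches no attached disk, or whose offset matches no partition on that disk, is Explorer's cached memory of a volume that no longer exists, which is what disconnecting drives one at a time was meant to reveal.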


#41 dog6611

dog6611
  • Topic Starter

  •  Avatar image
  • Members
  • 70 posts
  • ONLINE
  •  
  • Local time:10:57 PM

Posted Today, 10:43 PM

Also, I have a small update regarding the WinRAR issue. It seems that the freezes happen when extracting .zip files. The issue does not seem to happen when extracting .rar or .7z file formats.

Though it does seem pretty random as to which files freeze. It doesn't seem to be a size issue.

Personally, I care about this issue far more than the message I get on boot, since I don't specifically know if it's causing anything negative to happen to my system.

 


Please let me know if this forum isn't the best place for it, I'm fine with making another post in the correct location to diagnose this issue.


Edited by dog6611, Today, 10:48 PM.




