Persistent Rootkit for over 6 months now Infects Routers Windows x32 and x64 Linux Android Phones etc


  • This topic is locked
3 replies to this topic

#1 CaroleO

  • Members
  • 2 posts

Posted 22 January 2012 - 12:33 PM

I have been fighting this virus/rootkit/bootkit, whatever it is, for getting close to 6 months now. It started as some virus on my little brother's computer at his house which infected his router and about 5 other computers in the house. I connected to the router and it proceeded to infect my laptop, the router at my home and all the computers there as well. It also has infected 4 Android phones, a Palm Treo Pro with Windows Mobile and a Palm Pre, along with infecting anyone who connected to any of the routers. I am currently writing this from my mother's laptop which has the worst infection. She purchased a new one to replace the old one, which seemed to be impossible to fix, at a cost of around $2,000. 1 day later her new laptop was infected although it wasn't apparent to her. I am currently going to school for my Bachelor's in Computer Science, my Cisco CCNA and Network Security certifications. I have been building computers since I was 10 (am 28 now) and I have never come across anything like this in my life. She has been content with just letting it be because the computer works to a point. I on the other hand will not have someone or something controlling my computer. The OS on this computer is Windows 7 Home Premium x64 on an HP laptop with a 2nd gen Core i7 that runs like it's a 486 and it's so infected it's unreal. Also the infection causes the computers to load in Windows PE mode in a virtualized environment so nothing picks it up. I have 2 desktops and several laptops and 1 laptop is a brick now. Purchased a completely new system several months ago, i5-2500K, Asus P8Z68-V Pro motherboard with UEFI, various other things, and it was infected by what I believe was my cell phone which hacked my router. Overall we have literally replaced 10 or more bricked routers; she is currently using an Asus RT-N16 which is hacked at the firmware level.
On the regular login screen everything appears to be fine, but SSH tunnel into the router and I find all kinds of backdoors and remote control mechanisms which are very hard to remove. I have a Buffalo WZR-HP-G300NH and I have successfully cleaned it countless times and it just keeps coming back. It involves SSHing into the router, manually erasing all the mtd partitions and JTAGing the firmware back onto the router or it won't go away. My new Asus computer is seemingly unfixable although I think I may have found a way to fix it. I have secure erased SSDs and hard drives, reflashed BIOSes probably 100 times now. The infection appears to have spread to just about every piece of flashable firmware on the motherboard on each computer. I am in the process of engineering a BIOS update with all the firmware packed in and forcibly flashing the network adapters, PCI bridge, USB controllers, SATA controllers, the UEFI BIOS (which hasn't helped at all), everything that can be flashed. I have secure erased my HDDs from the DOS prompt with MHDD, cold plugging them so the BIOS doesn't interfere, and the majority of the drives all have HPA areas that have to be removed each time. On a fresh Windows install with a freshly flashed BIOS and video card and a secure erased HD, the virus will be in the X:\sources directory before Windows has even started the installation. And this is using GPT partitioning and EFI. Pretty sure Windows setup is starting in a virtualized environment each time. There are multiple calls from the ACPI tables that I can see in Linux along with conflicting memory addresses and various other signs. I can pretty much cut it off in Linux on a live CD but as soon as it's installed it all goes to hell. About to go mad trying to fix this problem and extremely angry that it has pretty much destroyed all my computers. Had to drop last semester due to taking online classes and the state of my computers; this all started back in August.
It has infected my late EVO 4G, 2 Nexus S 4Gs, and a Galaxy S 2. Anyways, I will stop ranting; attaching the requested DDS log, also the log from UnHackMe which has some very interesting information. Thanks, any help will be greatly appreciated.

#2 CaroleO

  • Topic Starter
  • Members
  • 2 posts

Posted 22 January 2012 - 12:38 PM

Here is the DDS log as well as an additional one. Will see if it uploads this time.

Attached Files



#3 nasdaq

  • Malware Response Team
  • 39,520 posts
  • Location: Montreal, QC, Canada

Posted 28 January 2012 - 10:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your DDS log is clean.

Please download TDSSKiller.zip.

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.
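The aswMBR step above produces an MBR.dat file, and a bootkit of the kind the original poster suspects would show up there as modified boot code in sector 0. The script below is an added example, not part of nasdaq's reply and not code from the aswMBR or TDSSKiller projects: it parses a raw 512-byte master boot record, verifies the 0x55AA boot signature, decodes the four partition entries, flags inconsistencies that a tampered table tends to show (invalid status bytes, more than one active partition, overlapping partitions), and hashes the 440-byte bootstrap code so it can be compared against a copy taken from a known-clean install of the same OS. It assumes MBR.dat is a raw dump of sector 0 (an assumption; the tool's exact file format is not described in the thread) and builds a constructed sample sector so it runs offline.

```python
"""Parse and sanity-check a raw 512-byte MBR dump (e.g. aswMBR's MBR.dat).

Added example for this thread; not code from aswMBR, TDSSKiller or nasdaq.
Assumes the input is a raw copy of sector 0 (an assumption about MBR.dat).
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code occupies bytes 0..439
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(data: bytes) -> dict:
    """Decode an MBR and return signature state, partition entries, warnings and a boot-code hash."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")

    result = {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        # Hash only the bootstrap code: a bootkit rewrites this region, the table usually stays.
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, BOOT_CODE_LEN)[0],
        "partitions": [],
        "warnings": [],
    }

    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, data, PART_TABLE_OFF + 16 * i)
        if status not in (0x00, 0x80):
            # Only 0x00 (inactive) and 0x80 (active/bootable) are legitimate.
            result["warnings"].append(f"entry {i}: invalid status byte 0x{status:02X}")
        if ptype == 0x00:
            if lba or count:
                result["warnings"].append(f"entry {i}: type 0 but non-zero LBA/size")
            continue
        result["partitions"].append({
            "index": i, "active": status == 0x80, "type": ptype,
            "lba_start": lba, "sectors": count,
        })

    active = [p for p in result["partitions"] if p["active"]]
    if len(active) > 1:
        result["warnings"].append("more than one active partition")

    # Overlapping extents are a classic sign of a hand-edited table hiding a payload.
    by_start = sorted(result["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            result["warnings"].append(
                f"entries {a['index']} and {b['index']} overlap")
    return result


def boot_code_matches(data: bytes, known_good_sha256: str) -> bool:
    """Compare the bootstrap code hash with one recorded from a clean machine."""
    return parse_mbr(data)["boot_code_sha256"] == known_good_sha256.lower()


def build_sample_mbr() -> bytes:
    """Constructed sample sector: placeholder boot code and one active NTFS partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # xor ax,ax; mov ss,ax; mov sp,7C00h
    boot_code += b"\x90" * (BOOT_CODE_LEN - len(boot_code))        # pad with NOPs
    disk_sig = struct.pack("<I", 0x12345678)                        # constructed disk signature
    reserved = b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 1_000_000)
    return boot_code + disk_sig + reserved + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    # Usage: python mbr_check.py MBR.dat   (falls back to the constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    report = parse_mbr(raw)
    print("boot signature ok:", report["signature_ok"])
    print("boot code sha256 :", report["boot_code_sha256"])
    for p in report["partitions"]:
        print(f"  part {p['index']}: type 0x{p['type']:02X} active={p['active']} "
              f"start={p['lba_start']} sectors={p['sectors']}")
    for w in report["warnings"]:
        print("  WARNING:", w)
```

The hash is only meaningful against a reference you trust: record it from the same Windows version on a machine that was installed offline, then compare. A differing hash with an intact partition table is exactly the pattern a boot-sector rootkit leaves, which is why the aswMBR instructions ask for the MBR.dat file rather than just the on-screen verdict.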

#4 nasdaq

  • Malware Response Team
  • 39,520 posts
  • Location: Montreal, QC, Canada

Posted 03 February 2012 - 09:51 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
