Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Hidden Servers, Domain, Drivers + Rootkits, fake Windows, and no tl;dr

  • Please log in to reply
No replies to this topic

#1 1ocalhost


  • Members
  • 1 posts
  • Local time:10:05 AM

Posted 05 October 2013 - 11:39 AM

Apology #1 for the length, this has been a real strain on life as of lately.

Initially the problem occured on Windows 7 64 Ultimate and Windows XP 86 PCs that were connected on a home network. I had noticed on the XP machine that the bios had been modified with an "NVIDIA boot agent" which would cause it to do a network boot. My searches online wouldn't say anything negative about it and anything I uploaded to virustotal had been previously scanned not long before, but once I started losing priviledges and saw my comodo firewall failing to block selected remote services it certainly sparked my investigation. Well... that and the blatant entries in the registry about screen capturing and keylogging and transferring the information when there was idle bandwidth.

Not long after the surprising discovery, two of my computers wound up in an inoperable state - one goes into a lightning fast boot loop and the other has its' I/O's/usbs disabled even if I remove the battery and use the cmos jumpers. If this rootkit/backdoor/toolkit-user is upset with me I lose priviledges to the point where I'm not even permitted to generate passwords with Keepass. At the very least I get a noscript that doesn't work and pages flooded with javascript like zeusclicks, remote-agent, various webkits, and files:/// and resources linked from the unknown network on my own system along with self-declared fake Microsoft Corporation certificates off of a brand new Windows disc. More often than not I'm left "unharmed" and am free to roam around in my virus-riddled Windows 7 sandbox.

Since the tragic strokes my computers suffered (RIP) any new system or hardware I install seemingly gets the payload put back on it. My first response was to replace the HDD/Motherboard and it wasn't long before PXE network boot entries were being added to the bios and TrustedInstaller was owning files in my documents. Windows Updates that were previously unlisted (I was keeping a hawk's eye on these things at this point) were being selected for downloading. Firewalls are overridden by hidden registry entries pushing SMB,SQL,SFTP,FTP,SSHD servers or connections and my eventual packet analyzing with wireshark/snort/nmap confirmed it and more oddities such as being spammed with 6-8 ARP requests per second.

I downloaded TDSS and GMER from a friend's website - each with random file names/extensions. I went into Windows Recovery and ran both from cmd > notepad with the new hardware and fresh hard drive. TDSS showed that about 95% of the 300ish files scanned were detected as Trojan.Multi.Gen's yet when I ran GMER after the full windows install it found only a few infected files but revealed a huge chunk of my registry that wasn't visible previously on my other computers, The TDSS scan was solely directed in the X: Boot drive/ramdisk that either is holding on to an .img with a payload or is just purely created legitly from the install disc

In the registry pretty much anything to do with Domains/Workstations/Groups/Users, Crypto, Printing, SQL, SMB, SFTP, NDIS, Remote Connections, WormYAMAHA, ActiveX, Flashplayer, and the like was flagged red and malicious (mostly the Security, SAM(s), Policy, and "Secrets" registry trees).

After those initial scans GMER and TDSS never detected a thing again (and not because it cleaned it, nearly my entire system folder was allegedly fake) until I started reformatting. GMER would get stuck on some fat32 filesystem and TDSS would report everything was fine, and most security programs followed that behavior in a similar fashion.

...After a replacement of the Motherboard, HDD, and RAM along with a new genuine Windows Home Premium OEM cd I started the fresh install. I disabled the Onboard LAN in the BIOS before starting and unplugged the cable modem and what-not. X: Boot was there again with the same 32mb size and was filled with the usual WinSxS, SysWOW64, ras, rdp, SQM, and plenty to do with windowsPE/PXE install which got me paranoid. While installing it showed me on a domain called MININT- until I configured my own hostname.

Once installed and still not having connected my ethernet I made a standard account, switched to it after a warning that I may cause other people logged in to lose their work, unhid folders to see two hidden desktop.ini's on my desktop with different offsets linked to a shell, and tried to disabled the many firewall rules left open.

~fast forward sorry for length #2~
I ended up being told I needed to authenticate windows within a couple hours and putting it off would cause my computer to crash, Warcraft 3 showed my operating system as Windows NT and said it wasn't compatible. I had fourty-something-thousand windows updates being installed along with various drivers (including wireless) after my first reboot even though I selected not to recieve updates yet and hadn't connected to the internet.Two certificates for Microsoft Corporation were labled as fakes, I had many folders/files and NTUSER.DAT/LOG's with 0 bytes, UAC showed microsoft programs such as msconfig to be in an unknown location or they had odd parameters. The worst was the unremoveable hidden silently-installed bluetooth & network miniport drives/adapters for WWAN, WLAN, Wireless, etc. As a side note in system32 files there were various mentions of X11, WinX, cgwyin

When doing a live boot onto Ubuntu the hidden Windows server shows up as "Windows Network", which shows as smb and can't be messed with. I have no idea if that's normal to have or if I can continue talking as if I've seen aliens. Sometimes there is a local network displayed as well, and both of these will persist even if I supposedly disable networking.

My most recent build is completely new aside from the cpu and chassis, but I am still experiencing some of these symptoms and they only get worse the more I update windows or install software. Normally all of the files in X: Boot are hidden to me but using dir I was able to get a good look at them. The options the ramdisk has for a windows install is PCAT, PXE, EFI, and two more things I'd have to go back and check =]

Since I had installed offline I checked to see how any of these could have completed the process. In the log file it stated I did an offline install and it used a O: drive that I've never seen before to do it. I don't know why it installed toshiba drivers on my custom system or 20 ethernet drivers along with hundreds of other variations but it basically loaded everything it had. If it means anything I believe config.sys and autoexec.bat reference X: as well.

*Notes (not sure how many of these are suspicious):

-Public Network is shown to be unconnected but in the bottom right it says connected.

-In linux many folders relating to boot, kernel, or ram are 0 kb and their folders loop to infinity or in a reverse direction i.e. found in /bin/sh but located in //bin/sh/usr://bin/sh/bin/sh./.bin/sh

-Familiar sites like hushmail had subtly altered certificates and behaved oddly like not encrypting my username. Another example is only on occassion would gmail and others -require- a phone number. Every site was rigged with webkits or remote-agent.js type material that was sourced to seemingly somewhere on my mystery network, including the homepage.

-The live cd for Ubuntu would also get altered (not sure if normal) where the first few boots would show a different try now/install screen before the install icon linked off into unknown :// territory with a debian installer. With each launch more applications would get added, so if this actually means anything I'm guessing initrd has a part in this.

-Unix distro's like Hardened Gentoo and Kali Linux would either have their install menus replaced with a vanilla debian or run into problems with the kernel that would result in messages like ~~kernel panic~~ ~~end trace~~, and during installs there are specific messages about disabling/not allowing grub bootloaders/SELinux/other boot-time security. It would skip it entirely. The source-lists are modified also and every linux cd has fakeroot on it by default (not sure if standard). Updating useful network discovery applications or rootkit/backdoor detectors would often get the program to start crashing.

-chkrootkit detected a possible Adore worm and l10n worm

-Home pages are file:///'s linked from wherever and nearly every microsoft link referenced in Windows is prefixed with go.microsoft while all of the boxed documentation from CD's or manuals don't use go. fwdlinks

I'm really looking forward to and would very very much appreciate any sort of suggestions or thoughts on this mess about how to pinpoint the root of the problem or if this seems more like a network based attack. I wish I could have been more concise with the entire deal and not put out a tl;dr

Now that I have my pleas for assistance out there I'm set up perfectly to have no replies for days ;D thanks in advance however, and feel free to let me know if I'm just crazy

Edited by 1ocalhost, 05 October 2013 - 11:44 AM.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users