
Rootkit help


  • This topic is locked
3 replies to this topic

#1 rootkithelp

rootkithelp

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:34 AM

Posted 05 May 2014 - 11:03 PM

Hey all

My computer has been hacked badly, and any help would be appreciated.

I have tried virus scans, format + reinstall, Linux + Windows, nuke+boot, AV rescue discs, live CDs, clearing CMOS, and reflashing the BIOS. Bitdefender rescue disk finds no virus but finds 3000 I/O errors and can't access many folders.

The problem I think is that the rootkit is presenting a virtualised BIOS, such that any flashing of the BIOS doesn't delete the virus. A fake MBR partition with high permissions is created, that is undeletable no matter what I try.

I have tried booting only from a live Linux CD with no HDD connected, but it persists so it is definitely a rootkit.

I am all out of ideas, aside from trying to gain access to the BIOS code itself or replacing the BIOS chip. But even then I am unsure if it is backed up in the graphics card and HDD firmware. I infected my laptop just by using a flash drive I had used with the PC, and that too now has a compromised BIOS. I noticed that the recycle bin on the laptop was the same as the recycle bin from the PC despite me never having used the same files. There are TCP and UDP connections out that I cannot stop and form part of a botnet. The RPC calls are tied to the rootkit and the local address refers to a memory location, so I know it is coming from the BIOS.

Interestingly, if I remove a stick of RAM I get a PMBUS error, as the configuration of the PC has been saved by the hack; but I can then boot normally. I tried using an old mobo but naively didn't disconnect the HDD so that too got infected.

I have analysed a few of the IP locations the BIOS calls with the packet sniffing tool in Trinity Rescue Disc, and they are global, from Beijing to USA. The Chinese connection made me think of Mebromi but my BIOS isn't Award.

Virus scans find nothing except some PUP software that repeatedly installs itself even after deletion from a fresh install of AV on a fresh install of OS. They are no longer found after a restart as my antivirus reports being active but in fact is largely disabled. Rootkit scans find nothing.

I think the only thing to do is burn everything. I can't even donate it to charity.

Any suggestions welcome. <3


Edited by rootkithelp, 05 May 2014 - 11:07 PM.


#2 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:34 AM

Posted 10 May 2014 - 10:21 AM

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

Having said that.... Let's get going!!
----------


Please download DDS from either of these links
 
LINK 1
LINK 2
 
and save it to your desktop.

  • Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here)
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:
 
DDS.txt
 
Attach.txt
----------
 

AdwCleaner
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

----------
 

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------




#3 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:34 AM

Posted 12 May 2014 - 06:25 AM

Still need help?




#4 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:34 AM

Posted 14 May 2014 - 08:08 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
