
malware now controls my lojack antitheft built in rootkit.


  • This topic is locked
2 replies to this topic

#1 bigrobifer

bigrobifer

  • Members
  • 92 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 28 June 2014 - 11:47 PM

So the title says it all. I am aware that anything I might do to defeat the malware (removing LoJack would be impossible, I believe, since it's hardcoded) could possibly damage the computer irreversibly. To make the story short: there are 2 persistent RPC services that have greyed options in their properties box. None of the mandatory OS services are registering consistently, I can't stop several other services, and there are services such as Print Spooler and P2P plus others that will restart from a disabled state.

I was able to find the FBI ransomware install log. Oddly enough it's dated 9 months BEFORE I bought this laptop (HP 2000-299, Win7 Home Prem. with Intel T3500 processor, InsydeH2O F.33 BIOS). Thanks a lot for selling me a refurbished laptop labeled new, WAL-MART.

 

Now I want to rename all the offending MS .dll's and .exe's but TrustedInstaller won't let me. If there was a way to disable TrustedInstaller I could rename the corrupted files and then replace them with good ones, right? IDK, but I'm bound to find out.

Another option is to tweak the partition call table for the corrupt files' locations. It would make them be bad sectors at the least, I'm sure, and might be irreparable damage, as I don't know if those specific offsets are dedicated to those specific files etc. Lots of unknowns on this option.

I really don't care about the LoJack itself, even though I don't like the idea of a built-in back door and the fact that I never activated the service. But now that malware has taken it over and it virtualizes my user account (this virtualization can be gotten around temporarily, I have found, which means I can escape it for good if I do something just right in just the right way), I truly despise it for how easy it made this infection to be persistent. The malware helper in another forum thread here gave up as he couldn't do anything, without actually saying that or figuring the problem out. It's not really his fault, since he can only get second-hand info from me and my scan from a virtualized account.

If anybody thinks they can be of assistance or has any useful directions or ideas, please contribute. Thank you BleepingComputer for the help thus far.

Here is a link for work done in the last week or so on this issue.

http://www.bleepingcomputer.com/forums/t/538108/backdoorexploitwin32krootkitbootkit-im-all-messed-up-please-help/

 

To any mods: I also had this same issue posted in the Windows 7 forum as the BleepingComputer help guy instructed. However, I thought it would be better here in the general malware discussion. If I'm wrong in doing this, just let me know.
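A defender-side starting point for the service behaviour described in this post (services running although set to Disabled, and doubt about whether the system binaries are the genuine ones), added here as an example and not part of the original post or of the helper's instructions: the script inventories every Windows service, the image it runs and, for svchost-hosted services, the ServiceDll it actually loads, then checks each file's Authenticode signature. The function names and the output path on the Desktop are my own choices; it assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example, not code from the original post. Inventory Windows services and
# the code they really run, so a helper can see (a) services that are Running
# although configured as Disabled and (b) service images or ServiceDll modules
# that are unsigned, fail verification, or are signed by someone other than
# Microsoft. Assumes PowerShell 3.0+ in an elevated prompt.

function Get-ServiceImagePath {
    param([string]$PathName)
    # PathName is either quoted ("C:\Program Files\x\y.exe" /arg) or bare
    # (C:\Windows\system32\svchost.exe -k netsvcs); return only the file.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        return $PathName.Substring(1, $end - 1)
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Get-ServiceDll {
    param([string]$ServiceName)
    # svchost-hosted services keep their real code in the DLL named under
    # HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll;
    # the signature of svchost.exe itself says nothing about that DLL.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    return $null
}

function Get-SignerSummary {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "NotValid/$($sig.Status)" }
    if ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation') { return 'Microsoft' }
    return "Other: $($sig.SignerCertificate.Subject)"
}

# Build one row per service. Get-WmiObject works on every PowerShell version.
$report = foreach ($svc in Get-WmiObject -Class Win32_Service) {
    $exe = Get-ServiceImagePath -PathName $svc.PathName
    $dll = Get-ServiceDll -ServiceName $svc.Name
    [pscustomobject]@{
        Name                 = $svc.Name
        StartMode            = $svc.StartMode
        State                = $svc.State
        RunningWhileDisabled = ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Running')
        Image                = $exe
        ImageSigner          = Get-SignerSummary -Path $exe
        ServiceDll           = $dll
        DllSigner            = if ($dll) { Get-SignerSummary -Path $dll } else { '' }
    }
}

# Full inventory for the helper to read, plus a short list of rows that need a
# second look: running-while-disabled, or code not signed by Microsoft.
$out = Join-Path $env:USERPROFILE 'Desktop\service-inventory.csv'
$report | Export-Csv -Path $out -NoTypeInformation
$report | Where-Object {
    $_.RunningWhileDisabled -or
    $_.ImageSigner -ne 'Microsoft' -or
    ($_.ServiceDll -and $_.DllSigner -ne 'Microsoft')
} | Format-Table Name, StartMode, State, ImageSigner, DllSigner -AutoSize
```

Two caveats when reading the output. First, on Windows 7 Get-AuthenticodeSignature does not consult the Windows catalog files, and most genuine system binaries there are catalog-signed rather than embedded-signed, so a NotValid/NotSigned row for a file under %SystemRoot% is not by itself evidence of tampering; third-party or non-Microsoft signers and running-while-disabled rows are the interesting ones. Second, TrustedInstaller ownership is the protection that keeps system files intact, and Windows Resource Protection (sfc /scannow, run elevated) is the supported way to verify and restore protected files, which is a safer route than renaming them by hand.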





#2 bigrobifer

bigrobifer
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 29 June 2014 - 12:11 AM

Edit: I also have a few file folders with the Windows command scripts and other .js files. I don't have a clue how to decipher this stuff, and other than looking in the folder after it became visible on my recovery drive, I renamed it and made a copy for myself; I haven't done anything to or with them. If these would help in any way I can find some way to get them public, but I can't upload any files to this website at all.



#3 Orange Blossom

Orange Blossom

    Bleepin Investigator


  • Moderator
  • 36,854 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:11 PM

Posted 29 June 2014 - 02:12 PM

To avoid confusion, I am closing this topic, which someone moved to the AII forum. Please stick with the topic you created in the Windows 7 forum, which your helper suggested that you do.

 

Orange Blossom :cherry:


Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



