
Windows 7 Ultimate SP1 Trojan/Rootkit from Thumb Drive (possibly)

1 reply to this topic

#1 JusticeMalzilla


  • Members
  • 2 posts
  • Local time:04:06 PM

Posted 12 February 2016 - 02:07 PM

I've lost about 3 computers since September 4th, 2015, after being harassed on a live broadcast, and realized someone was mad at me or simply accessed my computer with ease because I had no admin password (two admin accounts), a router with the default password, and a ton of possible open ports and malware, but I was never really concerned because I was thinking a reformat and viruses that you identify are not too hard to get rid of with a little knowledge and some preemptive measures. Anyway, my bad on the lack of security, password-wise. So I've been dealing with this sleeping beauty for quite a while and finally realized the thumb drive was causing the issue on two new computers and the original, so now that thing is off limits (well, in the trash basically, but maybe keeping it would have helped me find the type of virus or more of how it functioned). Now it just seems the last computer to be touched by it abuses TrustedInstaller ownership, opens tunnelers that don't connect, and a

According to the security event logs on one of my formats, after a day or so it seemed that someone was manually changing security permissions, because it was on for about 10 hours of error warnings... I'll stop there and wait for any issues with my initial scan...



You can skim some of this; it's just background on a sliver of what's happened. Again, probably irrelevant info below until the scans, but I just want to give you an idea that the first September 4th attack was targeted and very obviously revealed too. This may or may not be related to the next 2 computers, but given the thumb drive seemed to give my computer strange activity, I put it as patient zero and then branch out to Java/Flash malicious websites, or being targeted by others who maybe found me when I used things like Skype or ManyCam; I seemed to find myself with something nasty within the week. I got fed up with those two programs, and the live broadcasting site run by a large Arab community which branched out to a NY, NY headquarters and another HQ in Germany. They did this when they noticed the money potential for micro-transactions was enormous, and the Stickam broadcasting site went dead overnight claiming they had been going bankrupt for months and had to shut down.


I could easily write a few hundred pages about the next 6 months, my steps and what all went down, but it's mostly just a thumb drive with work files hopping a trojan autorun of some sort, which has then been able to stay infected through formatting different machines. It even accessed a Linux Ubuntu Live boot CD (I had not formatted yet, oops), which silently received a file on the Ubuntu desktop called How Fast Are You with, I believe, a .mp3 extension.


They had access to my computer and were able to destroy everything, and it won't even power on now. So basically it went from what seemed like a simple name-brand Trojan, as you would've expected, which I became aware of after live links of my webcam and my computer being searched for hours were up. The guy who I was friends with online at the time had friends over and got a phone call, and I reviewed the video they save after every broadcast at extreme volume and overheard my name and something along the lines of "how did you get into his computer?". And basically I was already being covertly streamed by someone else, and to this day no one will admit what happened. There was one Twitter post that night that I found the next morning from the guy's broadcast that was deleted, and he had never deleted a Twitter post in years till that night. So, knowing a little bit, I suspected my lack of security had gotten them inside my computer and a Trojan was being used to monitor my webcam, mic and keyboard. This could have been sleeping on my computer for weeks or months; it could've been late 2014 even, as far as I know. The virus doesn't show much to identify, although ClamWin is a vigorous scanner with tons of signatures for every malware (I used to manually hex-edit out signatures, so I know a bit), but it seems way more sophisticated these days.


I've pretty much used the premium free trials of about the top 25 scanners, including McAfee, AVG, Kaspersky, Avast, Malwarebytes Anti-Malware, ZoneAlarm, and RKill (which did strike down, on separate occasions, system32\msiexec.exe and system32\synd***[sic] something.exe). From there I have done a lot of manual hunting. Unfortunately, over the time I did this I lost control of a Gmail account of 13+ years, and a Facebook account which was poisoned with tons of posts of insects and bugs doing the nasty as status updates (I hadn't been on in a while); had my Skype ruined and deemed a spam account with about 10 different names under the same e-mail, and a password reset does nothing to my original account, so I lost a few accounts I really would like to have back; lost my secondary, third and 4th e-mail due to no secondary login and being keylogged; and lost a grand total of 13 YouNow accounts, which I believe this stems from. Someone must have gotten mad at the top level and put a target out on me, and I've been hit in every way possible. But most recently I decided to go on that site YouNow (Arab-run, but there's no great alternative, since Twitch is only for gaming and the rest sucks).


Found someone using my admin while I had a standard account, because I was advised of it, and advised not to change the SSID too much or it screams "hack me"; just give it a generic name like Tim Home TP-WirelessLT.


So I am going to post my first logs, as I have run out of options on what to do next and haven't even been able to identify the nature of the virus, other than that it loves to abuse TrustedInstaller permissions, hates me like the devil when I uncheck "Do not show hidden operating system files", and seems to just transfer files all over the place. At one point I got rid of every seemingly dangerous file by using various take-ownership methods and trying to do it by folder using the inherit-to-subsequent-files method, but that didn't always work. Then System would give me issues at times too. Tried to run some of the known rootkit removers: TDSSKiller, Windows stuff, umm, I believe one randomly named one from Avast; skipped the more advanced tools, as they were said to be a bit useless for a noob to this vast trainwreck of viruses being spread so easily, and literally not even being able to identify it is what gets me. If it had some clear stuff I noticed, outside of getting really angry when I try to modify anything and putting in several tunnel adapters, which I can remove with cmd netsh I guess, but they never seem connected.


I figure I was targeted, or am being used for net purposes, or both. Not sure how to proceed, so here is my log right now.





Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-02-2016
Ran by JMalzilla (administrator) on JMALZILLA-PC (12-02-2016 14:02:41)
Running from C:\Users\JMalzilla\Desktop
Loaded Profiles: JMalzilla (Available Profiles: JMalzilla)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Panda Security) C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IntelPROSet] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [4791024 2013-07-17] (Intel® Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer]
Tcpip\..\Interfaces\{A22831B3-AF74-4352-A474-38604408947F}: [DhcpNameServer]

Internet Explorer:

FF ProfilePath: C:\Users\JMalzilla\AppData\Roaming\Mozilla\Firefox\Profiles\rv9a5i14.default

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273136 2013-07-17] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3377904 2013-07-17] (Intel® Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-12 15:53 - 2016-02-12 15:53 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WUDFUsbccidDriver_01_09_00.Wdf
2016-02-12 15:52 - 2016-02-12 15:52 - 00000000 ____D C:\Windows\CSC
2016-02-12 13:36 - 2016-02-12 13:36 - 00000015 _____ C:\Users\JMalzilla\Desktop\50.txt
2016-02-12 13:27 - 2016-02-12 14:02 - 00003303 _____ C:\Users\JMalzilla\Desktop\FRST.txt
2016-02-12 13:27 - 2016-02-12 14:02 - 00000000 ____D C:\FRST
2016-02-12 13:27 - 2016-02-12 13:27 - 00008931 _____ C:\Users\JMalzilla\Desktop\Addition.txt
2016-02-12 13:27 - 2016-02-12 13:26 - 02370560 _____ (Farbar) C:\Users\JMalzilla\Desktop\FRST64.exe
2016-02-12 13:26 - 2016-02-12 13:26 - 02370560 _____ (Farbar) C:\Users\JMalzilla\Downloads\FRST64.exe
2016-02-12 13:19 - 2016-02-12 13:19 - 00003128 _____ C:\Windows\System32\Tasks\PandaUSBVaccine
2016-02-12 13:19 - 2016-02-12 13:19 - 00000000 ____D C:\ProgramData\Panda Security
2016-02-12 13:19 - 2016-02-12 13:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Security
2016-02-12 13:19 - 2016-02-12 13:19 - 00000000 ____D C:\Program Files (x86)\Panda USB Vaccine
2016-02-12 13:17 - 2016-02-12 13:17 - 00838857 _____ C:\Users\JMalzilla\Downloads\USBVaccineSetup50a.zip
2016-02-12 13:12 - 2016-02-12 13:18 - 00000000 ____D C:\Users\JMalzilla\AppData\Local\Mozilla
2016-02-12 13:12 - 2016-02-12 13:12 - 00000000 ____D C:\Users\JMalzilla\AppData\Roaming\Mozilla
2016-02-12 13:12 - 2016-02-12 13:12 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-02-12 13:10 - 2016-02-12 13:10 - 00000000 ___HD C:\Windows\system32\WLANProfiles
2016-02-12 13:10 - 2016-02-12 13:10 - 00000000 ____D C:\Users\JMalzilla\AppData\Roaming\Intel
2016-02-12 13:09 - 2016-02-12 13:09 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel PROSet Wireless
2016-02-12 13:09 - 2016-02-12 13:09 - 00000000 ____D C:\ProgramData\Package Cache
2016-02-12 13:09 - 2016-02-12 13:09 - 00000000 ____D C:\ProgramData\Intel
2016-02-12 13:09 - 2016-02-12 13:09 - 00000000 ____D C:\Program Files\Intel
2016-02-12 13:09 - 2016-02-12 13:09 - 00000000 ____D C:\Program Files\Common Files\Intel
2016-02-12 13:09 - 2016-02-12 13:09 - 00000000 ____D C:\Program Files (x86)\Intel
2016-02-12 13:09 - 2016-02-12 13:09 - 00000000 ____D C:\Program Files (x86)\Cisco
2016-02-12 13:08 - 2016-02-12 13:08 - 00000000 ____D C:\ProgramData\Dell
2016-02-12 12:57 - 2016-02-12 13:09 - 00000000 ____D C:\Users\JMalzilla
2016-02-12 12:57 - 2016-02-12 12:57 - 00001413 _____ C:\Users\JMalzilla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-02-12 12:57 - 2016-02-12 12:57 - 00000020 ___SH C:\Users\JMalzilla\ntuser.ini
2016-02-12 12:57 - 2016-02-12 12:57 - 00000000 _SHDL C:\Users\JMalzilla\My Documents
2016-02-12 12:57 - 2016-02-12 12:57 - 00000000 _SHDL C:\Users\JMalzilla\Documents\My Videos
2016-02-12 12:57 - 2016-02-12 12:57 - 00000000 _SHDL C:\Users\JMalzilla\Documents\My Pictures
2016-02-12 12:57 - 2016-02-12 12:57 - 00000000 _SHDL C:\Users\JMalzilla\Documents\My Music
2016-02-12 12:57 - 2016-02-12 12:57 - 00000000 ____D C:\Users\JMalzilla\AppData\Roaming\Adobe
2016-02-12 12:57 - 2016-02-12 12:57 - 00000000 ____D C:\Users\JMalzilla\AppData\Local\VirtualStore
2016-02-12 12:57 - 2011-04-12 03:28 - 00000000 ____D C:\Users\JMalzilla\AppData\Roaming\Media Center Programs
2016-01-13 11:22 - 2016-02-12 13:17 - 00865272 _____ (Panda Security ) C:\Users\JMalzilla\Desktop\usbvaccine.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-12 15:55 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-12 15:55 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2016-02-12 13:27 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-02-12 13:21 - 2009-07-13 23:45 - 00026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-12 13:21 - 2009-07-13 23:45 - 00026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-12 13:11 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\AppCompat
2016-02-12 13:00 - 2009-07-14 00:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-02-12 12:57 - 2015-09-10 00:40 - 00000000 ____D C:\Windows\Panther
2016-02-12 12:11 - 2009-07-14 00:32 - 00032768 _____ C:\Windows\system32\config\BCD-Template

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-09-09 23:41

==================== End of FRST.txt ============================





Attached is the Addition.txt


Hope I did this right, as I have spent a lot of time trying to make sure I am not wasting other people's time. I am easily 200 hours deep into this investigation of what's going on. I get the feeling that I have a brick now, but I have ordered a new computer and have another computer; it's an old office computer that you wouldn't want running more than, say, a browser with some tabs and Notepad, with slow 1GB DDR2 RAM.


Please advise if anything looks fishy or what I should do next. For now this computer is shelved till I see a reply, as I know any changes could make it hard to diagnose anything to get to the "Root of the Problem." heh :)

Edited by JusticeMalzilla, 12 February 2016 - 03:22 PM.
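An added example, not part of this thread and not FRST's own code: a small Python triage script that applies the same first-pass checks a responder applies by eye to an FRST.txt dump like the one posted above. It parses the Services/Drivers sections for entries whose file is missing (FRST's `[X]` marker) or whose company field is empty (`()`), the Run-key entries for the same empty-company condition, and the "Bamital & volsnap" lines for any core file not reported as "File is digitally signed". The sample log is constructed from lines copied out of the post above plus one hypothetical failed-signature line so the last check has something to flag; the function and regex names are mine.

```python
import re

# Constructed sample: section headers and entries copied from the FRST log in the
# post above. The final userinit.exe line is a HYPOTHETICAL failure added so the
# signature check has something to flag; FRST's real wording for a failed check may
# differ, which is why the rule below accepts only the exact passing string.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===========================

HKLM\...\Run: [IntelPROSet] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [4791024 2013-07-17] (Intel® Corporation)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273136 2013-07-17] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== Bamital & volsnap =================

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\userinit.exe => File is not signed
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "S3 Name; C:\path\file.exe [size date] (Company)"  -- meta is "X" when the file is missing
ENTRY_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]"
    r"(?:\s+\((?P<company>[^)]*)\))?\s*$"
)
# "HKLM\...\Run: [Name] => C:\path\file.exe [size date] (Company)"
RUN_RE = re.compile(
    r"^(?P<key>HK\S+):\s+\[(?P<name>[^\]]+)\]\s+=>\s+(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]"
    r"(?:\s+\((?P<company>[^)]*)\))?\s*$"
)
# "C:\Windows\system32\winlogon.exe => File is digitally signed"
SIG_RE = re.compile(r"^(?P<path>.+?)\s+=>\s+(?P<status>.+)$")


def parse_frst(text):
    """Split an FRST.txt dump into {section title: [entry lines]}.

    FRST's parenthesised explanation lines ("(If an entry is included ...)")
    are dropped; they are fully wrapped in parentheses, unlike real entries.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and not (line.startswith("(") and line.endswith(")")):
            sections[current].append(line)
    return sections


def triage(text):
    """Return (finding, subject, detail) tuples for entries a responder should look at.

    These are review prompts, not verdicts: an unsigned vendor helper or a dangling
    driver registration is common on clean machines and still needs a human decision.
    """
    findings = []
    for title, lines in parse_frst(text).items():
        if title.startswith(("Services", "Drivers")):
            for line in lines:
                m = ENTRY_RE.match(line)
                if not m:
                    findings.append(("unparsed", title, line))
                elif m.group("meta") == "X":
                    findings.append(("file-missing", m.group("name"), m.group("path")))
                elif not m.group("company"):
                    findings.append(("no-company", m.group("name"), m.group("path")))
        elif title.startswith("Registry"):
            for line in lines:
                m = RUN_RE.match(line)
                if m and not m.group("company"):
                    findings.append(("autorun-no-company", m.group("name"), m.group("path")))
        elif title.startswith("Bamital"):
            for line in lines:
                m = SIG_RE.match(line)
                if m and m.group("status") != "File is digitally signed":
                    findings.append(("core-file-check-failed", m.group("path"), m.group("status")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

On the real log above the script would raise exactly two prompts, PanDhcpDns.exe with an empty company field and rdvgkmd.sys registered but absent, and both are the kind of thing the responder's reply correctly waves through (an Intel wireless helper, and a leftover driver registration); the point of the script is to shorten the reading, not to replace that judgement.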




#2 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost
  • Local time:04:06 PM

Posted 13 February 2016 - 08:36 AM



I don't see anything in the log that looks out of place, no malware.

The Addition.txt didn't attach. You can copy/paste it in instead if you want.

How Can I Reduce My Risk to Malware?
