
The most amazing virus and network hijacking ever... Please help me!


  • This topic is locked
2 replies to this topic

#1 brendanbowles

  • Members
  • 19 posts

Posted 05 April 2016 - 03:10 PM

I have been battling with a virus that I am sure started on my Samsung mobile. Please can you help me. This is a terrible thing!
 
After a bad breakup with my girlfriend, who constantly claimed to monitor her ex and that she in fact caught him cheating using camera spy software, 2 days after our breakup my phone started acting odd... I never for a second thought what would happen next actually did. The phone was very hot, and appeared to have running applications open in the background: Facebook, WhatsApp, and some social chat apps, basically anything to do with social, so not my banking or any of that. It appeared that I had been using these, when I have a habit of closing apps on my phone. Soon after, the phone would call people, hold the lines open and appear to just be listening until turned off, and eventually SMS and WhatsApp would send things to people on its own: links, filthy language etc. Thinking the phone had a bug, and having NOD32 up to date and a very good edition loaded on my laptop, I plugged the phone in to flash the ROM to custom.
 
Essentially... in a nutshell! The phone had a rootkit of some sort on it that moved to my laptop without me knowing and then infected and opened our entire work network, to the point where we were being remote controlled by unknown sources! I found my laptop to have a massive number of folders from a site called Xplodedsecurity.com. These were password sniffers and all sorts; I had no idea what was on my desktop, couldn't recognise my PC. This was the following morning when I turned the computer on at work, to find it was not off as I left it, but suspended. No one has access to my office but me after 5, and I locked, so certainly a remote attack. This was all after plugging the phone in to reload the night before. This reload, by the way, I assumed worked (on the phone), but when I checked the phone the next morning after finding the laptop as it was, the phone was as it was before I reloaded the night before!
 
So BleepingComputer has been amazing! I have found some, but never all, symptoms of the problems I have found here, and have tried a long list of repairs and fixes. This, as we understand, is a unique infection. Several massive IT companies have looked at it and failed to even understand the basics! For 4 months I have tried to remove it and learnt exactly what and how it operates... I lived at my office for the 1st seven weeks as I was trying to hold hackers off. We lost R500000 in Jan despite my efforts (that's $150 000), but I cannot remove the protection that keeps it going, even though I have curbed a lot of the remote control by restricting IP address handout to allowed MAC addresses only! So no IP if you don't have one of the listed MAC addresses. It seems the services and limitations + trojans and viruses are still there though!
 
So here goes! Please help me... What I know, and may be under correction by yourselves the experts, but bear with me please. I know all this by learning through reloads and 100's of hours of reading logs and sifting through hidden logs on PC and phone and internet articles etc.:
 
The Windows we run and Android on our phones appears to be an RDP session as opposed to running as Admin on your own PC or phone. Behind our session is the real PC or phone that cannot be accessed. At first I had success using PSEXEC -i -s -c cmd.exe and then net user administrator /active:yes. This gave me proper admin and seemed to allow boot into the proper Windows, but on next boot it was back to normal or crashed for reload! From then on and since (3 months ago) not even sfc /scannow with SYSTEM rights allows this! Windows Features On and Off makes use of Internet Explorer 8, .NET 3.51, Windows Gadgets, XPS service, and IIS is evident but hidden. There is also a media centre sharing utility that I have linked to the whole spread of the virus, as all PCs and phones are media centres, or KIES servers. Bizarre! I have to remove these using Features On and Off. The SIDEBAR package also seems a large player in all this, as it can't be removed and, like many other items seen, is not on the uninstall list!
 
Often effective removal efforts would be blocked on reboot and REMEMBERED by the entire system, so you could not try it again! I found WMI tied into our system, and I understand this to be centrally managed behind a secure certificate, resulting in the memory of the system, right? So trying to remove objects from WMI, like remove computer, doesn't allow access, as the user that has the rights is behind an almost one-way WMI central management server. I found changes to WMI, like deleting objects I could, would affect all cellphones and PCs, not just the one. So behavioural changes across the board for a short while, but it would fix itself over 1 or 2 days, and then typically could be seen when repaired by sudden Google Play or Windows updates being downloaded en masse.
 
I found that we have a DNS changer too and a hosts file that I believe is a .dll. I can't bypass this no matter what; however, the proxy we are forced through can be deleted in the registry... this results in no internet at all or Windows Update, and ultimately a reload. The DHCP server is a DHCP 6 that seems to operate on boot before Windows starts. This is listed as ntdev.corp.microsoft.com, and there are 5 DNS servers in the registry that recreate themselves if removed, I would guess by a rootkit, to discuss shortly. These DNS servers are 172 and 157 ranges. There are also constant adverts that run normally during a scan on Android and PC; I would guess part of the rootkit's interrupt process to stop detection. Also, I have found links to what seems to be a hidden TOR proxy server. I found install file traces of this. The config file is nowhere to be seen for TOR, as mentioned by the TOR team.
 
The rootkit is in the NTFS DR0 partition I suspect (don't know if I said this right). The partition is visible using 7-Zip and begins \\. Disk Manager in Windows doesn't show this, and Diskpart reports the volume 10GB shy of what it is, and nothing changes this, including the show hidden diskpart command, unhide.exe; any number of utilities don't show this. 7-Zip allows no access to edit this at all, just view. In the rootkit partition is a full version of Windows in several languages as well as BCD logs, bootmgr, and a file called class{various}.plk in it... there is also a hidden System Volume Information, which contains a MountPointManagerRemoteDatabase file and several .hve.log files, as well as an SPP folder containing another folder OnlineMetadataCache which houses a {program id} file. None can be touched! There's a boot folder on all hard drives that contains bootmgr.exe.mui and memtest.exe.mui, and there are several different language versions of these in the boot folder! The registry has CurrentControlSet001 / 002 and the regular CurrentControlSet, as well as a BCD container with a wide array of strange container folder objects. On the Androids there is a persistent folder, and at the root of all directories on Android there's a strange long filename containing many zeros and a shader directory where files are created on their own.
 
Further to all this, Google seems instrumental, as I have found connections to Google Analytics, Google messaging service and Google Ads in several locations. On the Androids, there's a Linux-based rootkit that runs and can be seen by using an emulator. The Androids and the PCs run totally fake security centres, and on the Android Google seems to be logged in on reload and connected to your account, hiding sync settings from you that are on by default, as well as your GPS location being given even if you turn it off. Bluetooth tethering, WiFi and mobile data always on even if turned off! Google Play downloads infected software and doesn't show you anything that may help. In the same breath, browsers on both Android and PC show nothing that helps and blank out download links of helpful tools, as well as forums even that contain key items! It's madness!!
 
On the PCs the Windows Defender and Security Centre (total frauds) seem to activate the Action Centre that always arrives a minute or 2 after reboot, always with a red cross no matter what, and I have linked this to the Remote Assistance connection used to remote control, and it seems via SMB over message system. I have also found that the audio service (and its additional Endpoint Audio Mapper service dependency) in Windows and several others seem to play a part. There's an unusual amount of SVCHOST services; traced this to a virus that seems to run via Performance Monitor, as there is a kernel trace and several others running that cannot find the data collector set if you try to delete! SearchIndexer and 2 other search services run when indexing is not installed and WSearch is disabled! Linked this to a virus SEARCHINDEXER, but the files that should be there for manual removal are not! A definite link to PowerShell as a common module used by the controllers; traced this to Poweliks, but again manual removal instructions don't work, as the directories and reg keys aren't there and removal tools do nothing! I have also linked the ZEROACCESS trojan to the entire issue, as well as FAKEAV. The PCs also remove a "security.disabler" bug (DarkComet bug) if scanned with the DarkComet removal tool scanner, but it does nothing. Removal of any and all viruses found... does nothing... I found this entire issue connected to our websites managed internally but hosted via FTP remotely. We loaded SSL certificates on the domain, as there was a rogue attached, and cleared entirely the management consoles and secured and reloaded sites and servers. This only made the infection and issue change a little. It took longer to take control, by 1 day extra.

I found the only time we can detect viruses is if I boot with no certificate verification in Windows, so certainly dummy certificates being loaded on reload, and in fact a low-level format and reload, or Android PIT file execution and original ROM download via Smart Switch or KIES (initialisation of Android)... Windows or Android load exactly as I have explained above! Exactly like above, it loads in a way that you can't seem to stop it, just like above. It's insane! I've wondered often if there's a DNS webkit securing the rootkit, but I can't find a way to see, as a lot is hidden, and I suspect an encrypted proxy is on the LAN or on each PC and Android?
 
I managed to access the Android SDK via Android Developer Studio; the project is called .android, and I found a section that loads around 8 viruses, one of which was WIN32, another FAKEAV and some other I couldn't identify, and Google came up with a blank (like it does for many things with regards to this issue). My smart TV at home is also infected, and it seems that the gateway for my home is being used in some way, as the PCs and Androids reflect this as their public address even if I'm not home and on the road or anywhere? IPv6 is a huge player in this! It loads whether you disable it or not. In addition to all of this... and key, is that all and any software installed become services, and are controlled by conhost.exe and dllhost.exe when run. They are all listed as compatibility programs, and often when effective are siloed (put in a hive of some sort) on next boot. In addition to this, files are held open in user/{username}/appdata/local/temp with strange filenames (varying hugely in type (dll, firefox, bcd, tmp) and length, 8 to 36 digits), and viruses, both trojans and malware, are dropped into the system regularly via these files!
 
Running Windows Update and loading SP1 sometimes works, i.e. it allows you to load these sometimes (other times access denied), but on reboot it reverts changes via the file pending.xml found in the c:\windows\winsxs directory, which is locked TIGHT, and if you manage to delete from the directory, the system instantly restores files as you delete. I found the Windows Modules Installer responsible for all this, but when turned off the system fails to do any updates and the update service is damaged irreparably. Even Toollib.net WinUpdateFix did nothing! To avoid the roll back of updates, deleting the pending.xml allows the updates to install; however, you eventually get to the point where the PC slows and takes 10, 20, 30 minutes to boot and is unusable. It's almost like: you run its software and don't interfere, allow remote access, and all will be fine. The issue is, via WSUS the system seems to have an arsenal of its own versions of most packages! I found this list and can supply it if needed. It's truly an amazing system, but is being used in a malicious way!
 
I know it's a lot and I apologise. But it's been hard and I can't get rid of it. It's a life-wide (not network-wide) problem. Androids and PCs, TVs and even in fact my BMW radio was infected via Bluetooth. This bug seems to attach to USB ports in some way, and SMARTCARD services are a big role player!...
 
My suspicion is that ISPYCONNECT (as per my extensive investigations) was possibly loaded, or an MSPY variant (MAXXSPY, as I have found reference to the maxxmobi.com login site), on my mobile, and this may have introduced a RAT like AndroRAT or opened us up to a virus. AndroRAT and the likes, I'm sure you agree, let everything in. TDSS rootkits, malware, trojans, hackers, you name it!
 
I have identified the Windows version as being Windows "Vienna 660"? I don't know if this makes sense to you? I have found references in a number of places and on the net. It runs XP and Vista Ultimate components together and wraps it all in a Windows 7 theme. Documents and Settings, ProgramData, Boot, System Volume Information, and $Recycle.Bin are all locked and hidden as system folders. There are duplicate folders under Users; the first one is mine, the second one is locked and, if unlocked, goes to another shortcut and then another and another! I have found this to be connected to NULL infections? I have used the reset.cmd instructions for the Windows Resource Kit to reset rights, half of which fail even when run as SYSTEM, along with unhide.exe and stopping various services; cryptography is installed, NkeyCrypt, the BitLocker service is there and several other scary ones. I've tried combinations and brute attacks from my side to break through; it seems to be unstoppable? I've run DDS, TDSSKiller, RogueKiller, GMER (detects ntoskrnl dispatch interrupt, but on delete a BSOD occurs instantly), aswMBR, BOOTFIX (Win 7 disk), RootkitRemover, HitmanPro, Sophos Virus Removal, Symantec NPE, and so many others! I have 30 gigs of removal tools, and thank you BleepingComputer for your services in offering these! ComboFix seemed close to resolving, but 5 reg keys cannot be opened no matter what, even with use of reg key deleters, delete on next boot etc. Various rescue disks: AVG, Bitdefender, Kaspersky etc. Various AV packages and removal tools... I think running them in the right order might!!! work; I just don't know what to do next, as I can't find these symptoms (all of them) in one thread. There's many!!
 
Please come back; I will run and supply whatever is needed as needed... just need some help. Been a terrible 4 months!
 
Brendan Belle
South Africa

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal
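A read-only triage check for the three settings the post describes as being changed and restored (DNS servers in the registry, a forced proxy, and the hosts file), added here as an example; it is not the poster's or BleepingComputer's code, and the expected DNS addresses are placeholders to be replaced with what the site's DHCP/DNS is actually supposed to hand out.

```powershell
# Added triage example (not from the original post): enumerate where Windows
# keeps per-interface DNS servers, the per-user proxy, and hosts overrides,
# so a helper can compare them with the network's intended configuration.
# Assumption: the addresses below are placeholders, not the site's real DNS.
$ExpectedDns = @('192.0.2.1', '192.0.2.2')

function Get-ConfiguredDns {
    # Static (NameServer) and DHCP-assigned (DhcpNameServer) values both live here.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($key in Get-ChildItem $base) {
        $p = Get-ItemProperty $key.PSPath
        foreach ($v in @($p.NameServer, $p.DhcpNameServer)) {
            if (-not $v) { continue }
            foreach ($addr in ($v -split '[ ,]' | Where-Object { $_ })) {
                [pscustomobject]@{
                    Interface = $key.PSChildName
                    Server    = $addr
                    Expected  = ($ExpectedDns -contains $addr)
                }
            }
        }
    }
}

function Get-ProxySettings {
    # Per-user WinINET proxy (used by browsers) plus the machine-wide WinHTTP proxy.
    $k = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty $k
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        WinHttpProxy  = (netsh winhttp show proxy) -join ' '
    }
}

function Get-HostsEntries {
    # Any non-comment line overrides normal DNS resolution for that name.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' }
}

Get-ConfiguredDns | Format-Table -AutoSize
Get-ProxySettings | Format-List
Get-HostsEntries
```

Run it from an elevated PowerShell prompt and keep the output alongside the logs requested in the Preparation Guide; a server marked Expected = False, a ProxyServer or AutoConfigURL nobody configured, or an unexpected hosts entry is what to point the helper at.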


#2 boopme

  • Global Moderator
  • 73,323 posts

Posted 05 April 2016 - 03:45 PM

After all that work... Let's get a deeper look.
Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#3 Animal

  • Site Admin
  • 35,302 posts

Posted 06 April 2016 - 02:01 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/610342/many-trojanszeroaccess-based-rootkitwebkit-powerful-hijacking/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.
