Many Trojans/ZeroAccess Based Rootkit/Webkit. Powerful Hijacking !


  • This topic is locked
38 replies to this topic

#1 brendanbowles

brendanbowles

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:34 AM

Posted 06 April 2016 - 03:43 AM

I have been battling with a virus that I am sure started on my Samsung mobile. Please can you help me. This is a terrible thing!
 
After a bad breakup with my girlfriend, who constantly claimed to monitor her ex and that she in fact caught him cheating using camera spy software, 2 days after our breakup my phone started acting odd... I never for a second thought that what happened next actually would. The phone was very hot, and appeared to have applications running in the background: Facebook, WhatsApp, and some social chat apps, basically anything to do with social, so not my banking or any of that. It appeared that I had been using these, when I have a habit of closing apps on my phone. Soon after, the phone would call people, hold the lines open and appear to just be listening until turned off, and eventually SMS and WhatsApp would send things to people on its own: links, filthy language etc. Thinking the phone had a bug, and having NOD32 up to date and a very good edition loaded on my laptop, I plugged the phone in to flash the ROM to custom.
 
Essentially... in a nutshell! The phone had a rootkit of some sort on it that moved to my laptop without me knowing and then infected and opened our entire work network, to the point where we were being remote controlled by unknown sources! I found my laptop to have a massive number of folders from a site called Xplodedsecurity.com. These were password sniffers and all sorts; I had no idea what was on my desktop, couldn't recognise my PC. This was the following morning when I turned the computer on at work, to find it was not off as I left it, but suspended. No one has access to my office but me after 5 and I locked it, so certainly a remote attack. This all after plugging the phone in to reload the night before. This reload, by the way, I assumed worked (on the phone), but when I checked the phone the next morning after finding the laptop as it was, the phone was as it was before I reloaded the night before!
 
So Bleeping Computer has been amazing! I have found some, but never all, of the symptoms of the problems I have here and have tried a long list of repairs and fixes. This, as we understand, is a unique infection. Several massive IT companies have looked at it and failed to even understand the basics! For 4 months I have tried to remove it and learnt exactly what and how it operates... I lived at my office for the first seven weeks as I was trying to hold hackers off. We lost R500000 in Jan despite my efforts (that's $150 000), but I cannot remove the protection that keeps it going, even though I have curbed a lot of the remote control by restricting IP address handout to allowed MAC addresses only! So no IP if you don't have one of the listed MAC addresses. It seems the services and limitations + trojans and viruses are still there though!
 
So here goes! Please help me... What I know, and may be under correction by yourselves the experts, but bear with me please. I know all this by learning through reloads and 100's of hours of reading logs and sifting through hidden logs on PC and phone, internet articles etc.:
 
The Windows we run and the Android on our phones appear to be an RDP session, as opposed to running as Admin on your own PC or phone. Behind our session is the real PC or phone that cannot be accessed. At first I had success using PSEXEC -i -s -c cmd.exe and then net user administrator /active:yes. This gave me proper admin and seemed to allow boot into the proper Windows, but on next boot it was back to normal or crashed for reload! From then on and since (3 months ago) not even sfc /scannow with SYSTEM rights allows this! Windows Features on and off makes use of Internet Explorer 8, .NET 3.51, Windows Gadgets, XPS service, and IIS is evident but hidden. There is also a media centre sharing utility that I have linked to the whole spread of the virus, as all PCs and phones are media centres, or KIES servers. Bizarre! I have to remove these using Features on and off. The SIDEBAR package also seems a large player in all this, as it can't be removed and, like many other items seen, is not on the uninstall list!
 
Often effective removal efforts would be blocked on reboot and REMEMBERED by the entire system, so you could not try it again!.. I found WMI tied into our system, and I understand this to be centrally managed behind a secure certificate, resulting in the memory of the system, right? So trying to remove objects from WMI, like remove computer, doesn't allow access, as the user that has the rights is behind an almost one-way WMI central management server. I found changes to WMI, like deleting objects I could, would affect all cellphones and PCs, not just the one. So behavioural changes across the board for a short while, but it would fix itself over 1 or 2 days, and then typically could be seen when repaired by sudden Google Play or Windows updates being downloaded en masse.
 
I found that we have a DNS changer too and a hosts file that I believe is a .dll. I can't bypass this no matter what; however, the proxy we are forced through can be deleted in the registry... this results in no internet at all or Windows Update and ultimately a reload. The DHCP server is a DHCP 6 that seems to operate on boot before Windows starts. This is listed as ntdev.corp.microsoft.com and there are 5 DNS servers in the registry that recreate themselves if removed, I would guess by a rootkit, to discuss shortly. These DNS servers are in the 172 and 157 ranges. There are also constant adverts that run normally during a scan on Android and PC, I would guess part of the rootkit's interrupt process to stop detection. Also, I have found links to what seems to be a hidden TOR proxy server. I found install file traces of this. The config file is nowhere to be seen for TOR, as mentioned by the TOR team.
 
The rootkit is in the NTFS DR0 partition, I suspect (don't know if I said this right). The partition is visible using 7-Zip and begins \\. Disk Manager in Windows doesn't show this and Diskpart reports the volume 10GB shy of what it is, and nothing changes this, including the show hidden diskpart command, unhide.exe; any number of utilities don't show this. 7-Zip allows no access to edit this at all, just view. In the rootkit partition is a full version of Windows in several languages as well as BCD logs, bootmgr, and a file called class{various}.plk in it... there is also a hidden System Volume Information, which contains a MountPointManagerRemoteDatabase file and several .hve.log files as well as an SPP folder containing another folder, OnlineMetadataCache, which houses a {program id} file. None can be touched! There's a boot folder on all hard drives that contains bootmgr.exe.mui and memtest.exe.mui, and there are several different language versions of these in the boot folder! The registry has CurrentControlSet001 / 002 and the regular CurrentControlSet, as well as a BCD container with a wide array of strange container folder objects. On the Androids there is a persistent folder, and at the root of all directories on Android there's a strange long filename containing many zeros and a shader directory where files are created on their own.
 
Further to all this, Google seems instrumental, as I have found connections to Google Analytics, Google messaging service and Google Ads in several locations. On the Androids there's a Linux-based rootkit that runs and can be seen by using an emulator. The Androids and the PCs run totally fake security centres, and on the Android Google seems to be logged in on reload and connected to your account, hiding sync settings from you that are on by default, as well as your GPS location being given even if you turn it off. Bluetooth tethering, WiFi and mobile data always on even if turned off! Google Play downloads infected software and doesn't show you anything that may help. In the same breath, browsers on both Android and PC show nothing that helps and blank out download links of helpful tools, as well as even forums that contain key items! It's madness!!
 
On the PCs, Windows Defender and Security Centre (total frauds) seem to activate the Action Centre, which always arrives a minute or 2 after reboot, always with a red cross no matter what, and I have linked this to the Remote Assistance connection used to remote control, and it seems via SMB over message system. I have also found that the audio service (which has an additional endpoint audio mapper service dependency) in Windows and several others seem to play a part. There's an unusual amount of SVCHOST services; traced this to a virus that seems to run via Performance Monitor, as there is a kernel trace and several others running that cannot find the data collector set if you try to delete! SearchIndexer and 2 other search services run when indexing is not installed and WSearch is disabled! Linked this to a virus SEARCHINDEXER, but the files that should be there for manual removal are not! A definite link to PowerShell as a common module used by the controllers; traced this to Poweliks, but again manual removal instructions don't work, as the directories and reg keys aren't there and removal tools do nothing! I have also linked the ZeroAccess Trojan to the entire issue as well as FakeAV. The PCs also remove a "security.disabler" bug (DarkComet bug) if scanned with the DarkComet removal tool scanner, but it does nothing. Removal of any and all viruses found... does nothing... I found this entire issue connected to our websites, managed internally but hosted via FTP remotely. We loaded SSL certificates on the domain as there was a rogue one attached, cleared the management consoles entirely and secured and reloaded sites and servers. This only made the infection and issue change a little. It took longer to take control, by 1 day extra.
 
I found the only time we can detect viruses is if I boot with no certificate verification in Windows, so certainly dummy certificates are being loaded on reload, and in fact after a low-level format and reload, or Android PIT file execution and original ROM download via Smart Switch or KIES (initialisation of Android)... Windows or Android load exactly as I have explained above! Exactly like above, it loads in a way that you can't seem to stop, just like above. It's insane! I've wondered often if there's a DNS webkit securing the rootkit, but I can't find a way to see, as a lot is hidden, and I suspect an encrypted proxy is on the LAN or on each PC and Android?
 
I managed to access the Android SDK via Android Developer Studio; the project is called .android and I found a section that loads around 8 viruses, one of which was WIN32, another FAKEAV and some others I couldn't identify, and Google came up with a blank (like it does for many things with regard to this issue). My smart TV at home is also infected, and it seems that the gateway for my home is being used in some way, as the PCs and Androids reflect this as their public address even if I'm not home and on the road or anywhere? IPv6 is a huge player in this! It loads whether you disable it or not. In addition to all of this... and key, is that all and any software installed becomes services, and is controlled by conhost.exe and dllhost.exe when run. They are all listed as compatibility programs, and often, when effective, are siloed (put in a hive of some sort) on next boot. In addition to this, files are held open in user/{username}/appdata/local/temp with strange filenames (varying hugely in type (dll, firefox, bcd, tmp) and length, 8 to 36 digits), and viruses, both trojans and malware, are dropped into the system regularly via these files!
 
Running Windows Update and loading SP1 sometimes works, i.e. it allows you to load these sometimes (other times access denied), but on reboot it reverts changes via the file pending.xml found in the c:\windows\winsxs directory, which is locked TIGHT, and if you manage to delete from the directory, the system instantly restores files as you delete. I found the Windows Modules Installer responsible for all this, but when turned off... the system fails to do any updates and the update service is damaged irreparably. Even Toollib.net Winupdatefix did nothing! To avoid the rollback of updates, deleting the pending.xml allows the updates to install; however, you eventually get to the point where the PC slows and takes 10, 20, 30 minutes to boot and is unusable. It's almost like: you run its software and don't interfere, allow remote access and all will be fine. The issue is, via WSUS the system seems to have an arsenal of its own versions of most packages! I found this list and can supply it if needed. It's truly an amazing system, but is being used in a malicious way!
 
I know it's a lot and I apologise. But it's been hard and I can't get rid of it. It's a life-wide (not network-wide) problem. Androids and PCs, TVs and even, in fact, my BMW radio was infected via Bluetooth. This bug seems to attach to USB ports in some way and SMARTCARD services are a big role player!...
 
My suspicion is that ISPYCONNECT (as per my extensive investigations) was possibly loaded, or an MSPY variant (MAXXSPY, as I have found reference to the maxxmobi.com login site), on my mobile, and this may have introduced a RAT like AndroRAT or opened us up to a virus. AndroRAT and the likes, I'm sure you agree, let everything in. TDSS rootkits, malware, trojans, hackers, you name it!
 
I have identified the Windows version as being Windows "Vienna 660"? I don't know if this makes sense to you? I have found references in a number of places and on the net. It runs XP and Vista Ultimate components together and wraps it all in a Windows 7 theme. Documents and Settings, ProgramData, Boot, System Volume Information, and $Recycle.Bin are all locked and hidden as system folders. There are duplicate folders under Users; the first one is mine, the second one is locked and, if unlocked, goes to another shortcut and then another and another! I have found this to be connected to NULL infections? I have used the reset.cmd instructions from the Windows Resource Kit to reset rights, half of which fail even when run as SYSTEM, along with unhide.exe and stopping various services; cryptography is installed, NkeyCrypt, the BitLocker service is there and several other scary ones. I've tried combinations and brute attacks from my side to break through; it seems to be unstoppable? I've run DDS, TDSSKiller, RogueKiller, GMER (detects ntoskrnl dispatch interrupt, but on delete a BSOD occurs instantly), aswMBR, BOOTFIX (Win 7 disk), RootkitRemover, HitmanPro, Sophos Virus Remover, Symantec NPE, and so many others! I have 30 gigs of removal tools, and thank you Bleeping Computer for your services in offering these! ComboFix seemed close to resolving, but 5 reg keys cannot be opened no matter what, even with the use of reg key deleters, delete on next boot etc. Various rescue disks: AVG, Bitdefender, Kaspersky etc. Various AV packages and removal tools... I think running them in the right order might!!! work; I just don't know what to do next, as I can't find these symptoms (all of them) in one thread. There's many!!

 

As requested, FRST Addition and FRST log files! Please let me know what you think...
 
Brendan Belle
South Africa

Attached Files
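A defender-side way to pin down the "settings recreate themselves after reboot" claims in the post above is to snapshot them and diff snapshots across reboots, rather than rely on memory. The script below is an added example for this thread, not a BleepingComputer or FRST tool and not the poster's own work. It records the per-interface DNS servers stored in the registry, the user (Internet Settings) and machine-wide WinHTTP proxy, the hosts file hash and its non-comment entries, whether a WinSxS\pending.xml exists, and whether the built-in Administrator (RID 500) is disabled, then compares the result with the previous run. The snapshot folder under the user profile is an assumption; change it as needed. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the thread and not a BleepingComputer tool.
# Records the settings the poster says "recreate themselves" and diffs them against
# the previous run, so a change across reboots is documented rather than remembered.
# Sticks to Windows PowerShell 2.0-era cmdlets (no ConvertTo-Json / Get-FileHash),
# which older Windows 7 installs lack.

$SnapshotDir = Join-Path $env:USERPROFILE 'triage-snapshots'   # assumed location, change freely

function Get-TriageLines {
    # One "key=value" text line per observed setting, sorted, so two runs can be diffed.
    $lines = New-Object System.Collections.Generic.List[string]

    # Per-interface DNS servers as stored in the registry (static and DHCP-assigned).
    $ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($k in Get-ChildItem $ifaceKey) {
        $p = Get-ItemProperty $k.PSPath
        if ($p.NameServer)     { $lines.Add("dns.static[$($k.PSChildName)]=$($p.NameServer)") }
        if ($p.DhcpNameServer) { $lines.Add("dns.dhcp[$($k.PSChildName)]=$($p.DhcpNameServer)") }
    }

    # User proxy (Internet Settings) and the machine-wide WinHTTP proxy.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $lines.Add("proxy.user.enable=$($inet.ProxyEnable)")
    $lines.Add("proxy.user.server=$($inet.ProxyServer)")
    $lines.Add("proxy.user.pac=$($inet.AutoConfigURL)")
    $winhttp = @(netsh winhttp show proxy | Where-Object { $_ -match '\S' }) -join ' | '
    $lines.Add("proxy.winhttp=$winhttp")

    # Hosts file: SHA-256 of the bytes plus every non-comment entry.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hash = [System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($hosts))) -replace '-', ''
    $lines.Add("hosts.sha256=$hash")
    foreach ($entry in (Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' })) {
        $lines.Add("hosts.entry=$($entry.Trim())")
    }

    # Servicing state: a WinSxS\pending.xml means an update transaction is still queued.
    $lines.Add("winsxs.pending_xml=" + (Test-Path (Join-Path $env:SystemRoot 'WinSxS\pending.xml')))

    # Built-in Administrator (RID 500) disabled or not, via WMI so it works on Windows 7.
    $admin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | Where-Object { $_.SID -like '*-500' }
    $lines.Add("builtin_admin.disabled=$($admin.Disabled)")

    return @($lines | Sort-Object)
}

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$current     = Get-TriageLines
$currentFile = Join-Path $SnapshotDir ("snapshot-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$current | Set-Content -Path $currentFile

# Compare with the most recent earlier snapshot, if any.
$previous = Get-ChildItem $SnapshotDir -Filter 'snapshot-*.txt' |
    Where-Object { $_.FullName -ne $currentFile } |
    Sort-Object Name | Select-Object -Last 1

if (-not $previous) {
    Write-Output "Baseline written to $currentFile. Run again after the next reboot to compare."
} else {
    $diff = Compare-Object -ReferenceObject @(Get-Content $previous.FullName) -DifferenceObject $current
    if (-not $diff) {
        Write-Output "No changes since $($previous.Name)."
    } else {
        Write-Output "Changes since $($previous.Name):"
        foreach ($d in $diff) {
            $tag = if ($d.SideIndicator -eq '=>') { 'NOW    ' } else { 'BEFORE ' }
            Write-Output ("  {0} {1}" -f $tag, $d.InputObject)
        }
    }
}
```

Run it once to create a baseline, delete a suspect entry, reboot, and run it again: a DNS server or proxy that really does come back shows up as a NOW line with the same value as before, and the timestamped files give a helper something concrete to correlate with an FRST log. A DhcpNameServer line that changes on every run is just the DHCP lease, not persistence.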




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,658 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:34 AM

Posted 11 April 2016 - 03:45 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/610342 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 brendanbowles

brendanbowles
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:34 AM

Posted 11 April 2016 - 07:41 AM

I repeat the issues as per the bot's request. I also re-ran FRST as requested. Logs attached.

 

MY ORIGINAL POST :

 

"I have been battling with a virus that I am sure started on my samsung mobile. Please can you help me. This is a terrible thing !
 
After a bad breakup with my girlfriend who constantly claimed to monitor her ex and that she infact caught him cheating using camera spy software, 2 days after our breakup, my phone started acting odd... I never for a second thought what would happen next actually did. The phone was very hot, and appeared to have running applications open in the background, facebook, whatsapp, and some social chat apps, basically anything to do with social, so not my banking or any of that. It appeared that I had been using these when I have a habit of closing apps on my phone. Soon after the phone would call people hold the lines open and appear to just be listening, until turned off and eventually sms and whatsapp would send things to people on its own, links, filthy language etc. Thinking the phone had a bug and having NOD32 up to date and a very good edition loaded on my laptop, I plugged the phone in to flash the ROM to custom.
 
Essentially ... in a nutshell ! The phone had a tootkit of some sort on it that moved to my laptop without me knowing and then infected and opened our entire work network, to the point where we were being remote controlled by unknown sources ! I found my laptop to have a massive number of folders from a site called Xplodedsecurity.com. These were password sniffers and all sorts I had no idea what was on my desktop, couldnt recognise my pc. This was the following morning when I turned the computer on at work, to find it was not off as I left it, but suspended. No one has access to my office but me after 5 and I locked so certainly a remote attack. This all after plugging the phone in to reload the night before. This reload by the way I assumed workd (on the phone) but when I checked the phone the next morning after finding the laptop as it was, the phone was asd it was before I reloaded the night before !
 
So Bleeping computer has been amazing! I have found some , but never all symptoms of the problems I have found here and have tried a long list of repairs and fixes. This as we understand is a unique infection. Several massive IT companies have looked at it and failed to even understand the basics ! For 4 months I have tried to remove it and learnt exactly what and how it operates... I lived at my office for the 1st seven weeks as I was trying to hold hackers off. We lost R500000 in JAn despite my efforts (Thats $150 000) but I cannot remove the protection that keeps it going even though I have curbed alot of the remote control by restricting IP address handout to allowed MAC address only! So no IP if you dont have one of the listed MAC address's. It seems the services and limitations + trojans and viruses are still there tho !
 
So here goes ! Please help me... What I know and may be under correction by yourselves the experts, but bare with me please. I know all this by learning through reloads and 100's of hours of reading logs and sifting through hidden logs on PC and phone and internet articles etc. :
 
The windows we run and android on our phones appears to be a RDP session as apposed to running as Admin on your own PC or phone. Behind our session is the real PC or phone that cannot be accessed. At first had success using PSEXEC -i -s -c cmd.exe and then net user administrator /active:yes. This gave me proper admin and seemed to allow boot into the proper windows, but on next boot, it was back to normal or crashed for reload ! From then on and since (3 months ago) not even sfc /scannow with SYSTEM rights allows this ! Windows features on and off makes use of Internet Explorer 8, Dot Net 3,51, Windows Gadgets, XPS service, and IIS is evident but hidden. There is also a media centre sharing utility that I have linked to the whole spread of the virus as all PCs and phones are media centres, or KIES servers. Bizarre ! I have to remove these using features on and off. SIDEBAR package also seems a large player ina ll this as it cant be removed and like many other items seen, is not on the uninstall list !
 
Often effective removal efforts would be blocked on reboot and REMEMBERED by the entire system so you could not try it again ! .. I found WMI tied into our system, and I understand this to be centrally managed behind a secure certificate, resulting in the memory of the system right ? So trying to remove objects from WMI, like remove computer doesnt allow access as the user that has the rights is behind an almost one way WMI central management server. I found changes to WMI like deleting objects I could, would affect all cellphones and PC's not just the one. So behavioural changes across the board for a short while, but would fix itself over 1 or 2 days and then typically could be seen when repaired by sudden google play or windows updates being downloaded on mass.
 
I found that we have a DNS changer too and a hosts file that I believe is a .dll. I cant bypass this no matter what however, the proxy we are forced through can be deleted in registry... this results in no internet at all or windows update and ultimately a reload. The DHCP server is a dhcp 6 that seems to operate on boot before windows start. This is listed as ntdev.corp.microsoft.com and there are 5 dns servers in the registry that recreate themselves if removed I would guess by a rootkit. to discuss shortly. These dns servers are 172 and 157 ranges. There are also constant adverts that run normally during a scan on android and PC, I would guess part of the rootkits interrupt process to stop detection. Also, I have found links to what seems to be a hidden TOR proxy server. I found install file traces of this. The config file is nowhere to be seen for TOR as mentioned by the TOR team.
 
The root kit is in the NTFS DR0 partition I suspect (dont know if I said this right). The partition is visible using 7ZIP and begins \\. Disk manager in windows doesnt show this and Diskpart reports the volume 10GB shy of what it is and nothing changes this including the show hidden diskpart command , unhide.exe, any number of utilities dont show this. 7ZIP allows no access to edit this at all. just view. In the rootkit partition is a full version of windows in several languages as well as BCD logs, bootmgr, and a file called class{various}.plk in it... there is also hidden system volume information - contains MountPointManagerRemoteDatabase file and several .hve.log files as well ass an SPP folder containing another folder OnlineMetadataCache which houses a {program id} file. None can be touched ! Theres a boot folder on all harddirves that contains bootmgr.exe.mui and memtest.exe.mui and there are several different language versions of these in the boot folder ! The registry has Currentcontrolset001 / 002 and the regulare currentcontrolset as well as a BCD container with a wide array of strange container folder objects. On the Androids there is a persistent folder and at root of all directories on addroid theres strange long Filename containing many zeros and a shader directory where files are created on there own.
 
Further to all this, Google seems instumental as I have found connections to google analytics, google messenging service and google ads in several locations. On the androids, theres a linux based rootkit that runs and can be seen by using an emulator. The androids and the PC's run totally fake security centres and on the android google seems to be logged in on reload and connected to your account hiding sync settings from you that are on by default aswell as your GPS location being given even if you turn it off. Bluetooth tethering, WIFI and mobile data always on even if turned off ! Google play downloads infected software and doesnt show you anything that may help. In the same breath browsers on both android and PC show nothing that helps and blanks out download links of helpful tools aswell as forums even that contain key items ! Its madness !!
 
On the PC's the windows defender and security centre (total frauds) seem to activate the action centre that always arrives a minute or 2 after reboot always witha  red cross no matter what, and I have linked this to the remote assistance connection used to remote control,and it seems via SMB over message system. I have also found that the audio service (and has addition endpoint audio mapper service dependency) in windows and several others seem to play a part. Theres an unusual amount of SVCHOST services traced this to a virus that seems to run via Performance monitor as there is a kernel trace and several others running that cannot find data collector set if you try delete ! Searchindexer and 2 other search services run when indexing is not installed and Wsearch is disabled ! - linked this to a virus SEARCHINDEXER but the files that should be there for manual removal are not ! A definate link to powershell as a common module used by the controllers - traced this to powerliks but again manual removal instructions dont work as the directories and Reg keys arent there and removal tools do nothing ! I have also linked ZEROACCESS Trojan to the entire issue aswell as FAKEAV. The PCS also remove a "security.disabler" bug (Dark comet bug) if scanned with the dark comet removal tool scanner, but it does nothing. Removal of any and all viruses found... does nothing... I found this entire issue connected to our websites managed internally but hosted via FTP remotely. We loaded SSL certificates on the domain as there was a rogue attached and cleared entirely the management consoles and secured and reloaded sites and servers. This only made the infection and issue change a little. It took longer to take control, by 1 day extra. 
I found the only time we can detect virus' is if I boot with no certificate verification in windows, so certainly dummy certificates being loaded on reload and infact, a low level format and reload, or android PIT file execution and original ROM download via Smart Switch or KIES (initialisation of android).... Windows or Android load exactly as I have explained above ! Exactly like above, it loads in a way that you cant seem to stop it just like above. Its insane ! Ive wondered often if theres a dns webkit securing the rootkit, but I cant find a way to see as alot is hidden and I suspect an encrypted proxy is on the LAN or on each PC and android ?
 
I managed to access the Android SDK via Android Developer Studio, the project is called .android and I found a section that loads around 8 virus' one of which was WIN32, Another FAKEAV and some other I couldnt identify and google came up with a blank (like it does for many things with regards to this issue). My smart TV at home is also infected and it seems that the gateway for my home is being used in some way, as the PC's and Androids reflect this as their public address even if Im not home and on the road or anywhere ?. IP6 is a huge player in this ! It loads whether you disable or not. In addition to all of this... and key, is that all and any software installed, become services, and are controlled by conhost.exe and dllhost.exe when run. They are all listed as compatibility programs, and often when effective are silo'ed (put in a hive of some sort) on next boot. In addition to this, files are held open in user/{username}/appdata/local/temp with strange filenames (varying hugelely in type(dll, firefox, bcd, tmp and length 8 to 36 digits) and viruses both trojans and malware are dropped into the system regularly via these files !
 
Running windows update and loading SP1 sometimes works ie. it allows you to load these sometimes (other times access denied), but on reboot it reverts changes via file pending.xml found in c:\windows\winsxs directory which is locked TIGHT and if you manage to delete from the directory, the system instantly restores files as you delete. I found the Windows Module installer responsible for all this, but when turned off.. the system fails to do any updates and the update service is damaged irrepairably. Even Toollib.net Winupdatefix did nothing ! to avoid the roll back of updates, deleting the pending.xml allows the updates to install, however you eventually get to the point where the pc slows and takes 10 20 30 minutes to boot and is unuseable. Its almost like you run its software and dont interfere, allow remote access and all will be fine. The issue is, via WSUS the system seems to have an arsenal of its own versions of most pakages ! I found this list and can supply if needed. Its truly an amazing system, but is being used in a malicious way !
 
I know it's a lot and I apologise. But it's been hard and I can't get rid of it. It's a life-wide (not network-wide) problem. Androids and PCs, TVs and even in fact my BMW radio was infected via Bluetooth. This bug seems to attach to USB ports in some way and SMARTCARD services are a big role player!...
 
My suspicion is that ISPYCONNECT (as per my extensive investigations) was possibly loaded, or an MSPY variant (MAXXSPY, as I have found reference to the maxxmobi.com login site), on my mobile and this may have introduced a RAT like Androrat or opened us up to a virus. ANDRORAT and the likes, I'm sure you agree, let everything in. TDSS rootkits, malware, trojans, hackers, you name it!
 
I have identified the Windows version as being Windows "Vienna 660"? I don't know if this makes sense to you? I have found references in a number of places and on the net. It runs XP and Vista Ultimate components together and wraps it all in a Windows 7 theme. Documents and Settings, ProgramData, Boot, System Volume Information, and $Recycle.Bin are all locked and hidden as system folders. There are duplicate folders under Users; the first one is mine, the second one is locked and if unlocked, goes to another shortcut and then another and another! I have found this to be connected to NULL infections? I have used the reset.cmd instructions for the Windows Resource Kit to reset rights, half of which fail even when run as SYSTEM, along with unhide.exe and stopping various services; cryptography is installed, NkeyCrypt, the BitLocker service is there and several other scary ones. I've tried combinations and brute attacks from my side to break through; it seems to be unstoppable? I've run DDS, TDSSKiller, RogueKiller, GMER (detects ntoskrnl dispatch interrupt, but on delete a BSOD occurs instantly), aswMBR, BOOTFIX (Win 7 disk), RootkitRemover, HitmanPro, Sophos Virus Remover, Symantec NPE, and so many others! I have 30 gigs of removal tools, and thank you BleepingComputer for your services in offering these! ComboFix seemed close to resolving, but 5 reg keys cannot be opened no matter what, even with use of reg key deleters, delete on next boot etc. Various rescue disks: AVG, Bitdefender, Kaspersky etc. Various AV packages and removal tools... I think running them in the right order might!!! work, I just don't know what to do next as I can't find these symptoms (all of them) in one thread. There's many!!

 

As requested, FRST Addition and FRST log files! Please let me know what you think...
 
Brendan Belle
South Africa




#4 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,158 posts
  • Gender:Male
  • Location:Thailand

Posted 12 April 2016 - 03:44 AM

Hello brendanbowles and welcome to BleepingComputer! :)

 

My name is Sirawit and I'm here to help you.

 

Please note that I'm currently in training and my fixes need to be approved first, that may delay our fix a bit, but I will normally reply back in 24 hours.

 

If I don't reply after 3 days, feel free to PM me. :)

==========================================================================

Some points for you to keep in mind:

  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 3 days I will bump the topic, if you didn't reply in next 3 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================

 

I've submitted my reports to the instructor and will reply as soon as possible.

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#5 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,158 posts
  • Gender:Male
  • Location:Thailand

Posted 13 April 2016 - 11:41 AM

Hi brendanbowles.

 

To be honest, based on your log files, I can't find any real problems with your computer, just some mild unwanted programs, which we can remove without much problem. I think you should calm down and see if each of your problems is really connected to the others. It's quite hard, if not impossible, for any malware on one platform (i.e. your phone) to infect another platform (i.e. your computer), since they're completely different systems.

 

See some examples of myths about malware: http://securitysnapshots.blogspot.com/2012/04/malware-myths.html

4 reasons BadBIOS isn't real: http://www.infoworld.com/article/2609622/security/4-reasons-badbios-isn-t-real.html

 

But if you think your report is accurate, what you have described indicates a serious cyber attack. A public help forum is not an appropriate medium to receive assistance with this type of attack. I strongly urge you to contact the authorities immediately, and report your findings to them. As helpers in a public forum, we are not in a position to assist with targeted cyber attacks of this nature, involving servers and a multitude of different devices.

 

Link to South African Police website: http://www.saps.gov.za/

 

Thank you.




#6 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,158 posts
  • Gender:Male
  • Location:Thailand

Posted 16 April 2016 - 03:07 AM

Are you still there?

 

Thank you.




#7 brendanbowles

  • Topic Starter
  • Members
  • 19 posts

Posted 16 April 2016 - 07:17 AM

Yes indeed !!

Sir, SA police ... there is no cyber crime or legal aids here. Unlike other countries... they do nothing.

Also.. I am 100% sure that the reason FRST may not have worked is that the FAKEAV bug included in this attack's arsenal has a package that can identify what is run and classify it into anti-malware etc. It most likely isn't showing the issues.

 

As we run anything that is AV related, conhost.exe and dllhost.exe run; we also have SearchIndexer running even if you disable Windows Search, and a ton of SVCHOST.EXE. User/appdata/local/temp is filled with locked temp files, Windows/WINSXS is locked and in use. We have locked Documents and Settings folders under C:, there's many items that are not right.

 

I am also sure we reload by default "Windows Vienna", so this suggests a rootkit. You can format and reload; it loads this weird version of Windows 7 with SIDEBAR and GADGETS included and too many others to even try to cover. The PC IS! Windows Ultimate, wrapped as Windows 7... it definitely is a problem. I really need help.

 

I loaded a fresh install and have tried to run FARBAR I get an error box : "Autoit error (File "") Error: This keyword cannot be used after a "Then" keyword."

 

Got no idea why?? I've tried a few things to get it to run... please assist? What else can I run or try?



#8 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,158 posts
  • Gender:Male
  • Location:Thailand

Posted 16 April 2016 - 12:50 PM

Hi brendanbowles.

 

Let me clarify something for you.

 

 

I loaded a fresh install and have tried to run FARBAR I get an error box : "Autoit error (File "") Error: This keyword cannot be used after a "Then" keyword."

Based on the message you got, looks like FRST has a bug, I've contacted the author and will ask you to download a fixed one shortly. Now, could you please tell me the exact error message? This will help debugging the tool.

 

 

Also.. I am 100% sure that the reason FRST may not have worked is that the FAKEAV bug included in this attack's arsenal has a package that can identify what is run and classify it into anti-malware etc. It most likely isn't showing the issues.

Could you please clarify this? Based on your log files I can't find any evidence of fake AV.

 

 

As we run anything that is AV related, conhost.exe and dllhost.exe runs, 

Those two files are Windows processes; having them running is normal.

http://www.howtogeek.com/howto/4996/what-is-conhost.exe-and-why-is-it-running/

http://www.file.net/process/dllhost.exe.html

 

 

 

 

we als have Searchindexer running even if you disable windows search

This doesn't make your computer less secure. You can ignore that.

 

 

a ton of SVCHOSTS.EXE. User/appdata/localtemp is filled with locked temp files, Windows/WINSXS is locked and in use. We have locked Documents and settings folders under C: , theres many items that are not right.

  • Lots of svchost.exe is normal. Windows divides the services running under svchost into groups as a fail-safe mechanism.
  • Windows\winsxs is a system folder; that one stores spare files in case Windows needs a replacement for corrupted ones.
  • A locked Documents and Settings folder in Windows 7 is normal; it's called a "junction point". Windows uses this for backward compatibility with older programs.
  • Locked temp files are also normal, since some running programs may be using them.

 

 

 

 

 

 
I am also sure we reload by default "Windows Vienna", so this suggests a rootkit. You can format and reload; it loads this weird version of Windows 7 with SIDEBAR and GADGETS included and too many others to even try to cover

Windows Vienna is a modified version of Windows XP SP3. That's not Windows 7, it just looks similar. And it's NOT a rootkit.

You can see more here: http://getintopc.com/softwares/operating-systems/windows-xp-vienna-edition-free-download/

 

 

 

The PC IS! Windows Ultimate, wrapped as Windows 7... it definitely is a problem. I really need help.

"Ultimate" is a sub-version of Windows 7, not a Windows version. (It's called Windows 7 Ultimate.)

 

-----------

 

So, did you reinstall Windows on your machine yet? Did you modify anything on your PC before you made this reply?

 

Thank you.


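As an added example (not from this thread or from the helper), here is a triage script that checks the three points explained above on a Windows 7 or later machine: which root folders are junction points such as Documents and Settings, which services each svchost.exe instance hosts, and whether the running conhost.exe and dllhost.exe are the Microsoft-signed System32 binaries. It assumes Windows PowerShell 5.1 run from an elevated prompt; the function names are mine, and the paths are the standard Windows ones rather than values from the poster's logs.

```powershell
# Added triage script, not part of the original thread. Assumes Windows PowerShell 5.1
# (LinkType/Target properties and -Attributes need PS 3.0+/5.0+) run elevated.

# 1. Junction points at the drive root. "C:\Documents and Settings" is expected to be
#    a junction whose target is C:\Users; that is the compatibility link the helper describes.
function Get-RootJunctions {
    Get-ChildItem -Path 'C:\' -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Type   = $_.LinkType            # 'Junction' for the compatibility links
                Target = ($_.Target -join ', ')
            }
        }
}

# 2. svchost.exe: many instances are expected because Windows groups services into
#    separate hosts. Map each PID to the services it hosts so every instance is accounted
#    for; an svchost that hosts no service at all is the only case that merits a second look.
function Get-SvchostMap {
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $hostPid = $_.Id
        $hosted  = @($services | Where-Object { $_.ProcessId -eq $hostPid } |
                     Select-Object -ExpandProperty Name)
        [pscustomobject]@{
            PID      = $hostPid
            Path     = $_.Path
            Services = ($hosted -join ', ')
            Flag     = $(if ($hosted.Count -eq 0) { 'no services hosted - review' } else { '' })
        }
    }
}

# 3. conhost.exe / dllhost.exe (and svchost.exe): the genuine binaries live in System32
#    and carry a valid Microsoft Authenticode signature. Report image path and signature
#    status for every running instance; a copy outside System32 or with an invalid
#    signature is what a masquerading file would look like, so those rows get flagged.
function Test-SystemBinary {
    param([string[]]$Names = @('conhost', 'dllhost', 'svchost'))
    foreach ($name in $Names) {
        foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            $sig = $null
            if ($p.Path) { $sig = Get-AuthenticodeSignature -FilePath $p.Path }
            $inSystem32 = ($p.Path -like "$env:SystemRoot\System32\*")
            $valid      = ($sig -ne $null -and $sig.Status -eq 'Valid')
            [pscustomobject]@{
                Name       = $p.ProcessName
                PID        = $p.Id
                Path       = $p.Path
                InSystem32 = $inSystem32
                Signature  = $(if ($sig) { $sig.Status } else { 'unknown (path not readable)' })
                Signer     = $(if ($valid) { $sig.SignerCertificate.Subject } else { '' })
                Flag       = $(if ($inSystem32 -and $valid) { '' } else { 'review' })
            }
        }
    }
}

Get-RootJunctions | Format-Table -AutoSize
Get-SvchostMap    | Format-Table -AutoSize -Wrap
Test-SystemBinary | Format-Table -AutoSize -Wrap
```

Run from a 64-bit PowerShell host on a 64-bit system; a 32-bit host cannot read the image path of 64-bit processes and will report them as unknown.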


#9 brendanbowles

  • Topic Starter
  • Members
  • 19 posts

Posted 18 April 2016 - 06:32 AM

So, I very much appreciate the time you have put in here, and a lot of this is a relief; it makes me realise we may be clearer than we thought!

Now the FRST being corrupt or infected.. it is not uncommon for anything downloaded to become a virus on our systems; also, everything installed becomes a service. Example: we have QBW32.exe on a system that doesn't have QuickBooks running, but this appeared after we installed QuickBooks on another network PC. The FakeAV is in fact a security centre breach here. IE, Windows Defender doesn't seem to run as it should.

 

Then Windows Vienna has never been loaded here. In addition to this, yes we have done a fresh reload to see what loads. What we're loading is not what's on the CD, STILL. It seems to stay at the Windows 7 Professional install "Copying files", which takes 5 seconds and is done; the CD drive never responds... Then during extracting files, the CD-ROM flicks now and then, and then after the first reboot, the system doesn't reference the CD-ROM at all. It tells me that it's loading Windows from somewhere else... GMER finds these and aswMBR finds these, attached.

 

Let me know please. We have a lot of adverts that we see everywhere; AdwCleaner will no longer run. I know it seems we're nuts by what you are seeing... on logs, but this system is certainly not ok. I've attached a lot here just for you to look at in your spare time. There's a process list and service list for your perusal as well.

 

We are so grateful for your time.

Please come back to us. We are honoured to have the attention of Bleepingcomputer.com !

 

Info on attachments. aswMBR will find these every time, no FIX option, button greyed out, and fixmbr does nothing, in that a rescan shows the same.

GMER: you can restore code on all items; it does nothing, they appear next time. Then I'm sure we should have more repair options as per the attachments. In GMER, removing NTOSKRNL item 1 results in a BSOD 1 minute after restore. Removing item 2 NTOSKRNL is an instant BSOD. And they are there next scan.

Process list and services list attached as well...




#10 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,158 posts
  • Gender:Male
  • Location:Thailand

Posted 18 April 2016 - 06:45 AM

Hi Brendanbowles.

 

OK, I will read your info quickly; for now please download the fixed version of FRST here and create a new log file for me. Make sure the Addition.txt check box is checked before you start. The tool will create 2 log files (FRST.txt and Addition.txt); please include both files in your next reply.

 

Please note that it's not your system that caused FRST to corrupt; it's a known issue other users found too, and it was fixed recently.

 

Thank you.




#11 brendanbowles

  • Topic Starter
  • Members
  • 19 posts

Posted 18 April 2016 - 07:25 AM

Ok... I ran this; I will run it on my laptop as well, which has a 64-bit OS.

But ALL Computers run the same software version etc.

Please see attached as requested.

Laptop 64-bit OS FRST to follow.




#12 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,158 posts
  • Gender:Male
  • Location:Thailand

Posted 18 April 2016 - 07:27 AM

Wait, on which machine do you need help? All of which you currently have???

 

Thank you.




#13 brendanbowles

  • Topic Starter
  • Members
  • 19 posts

Posted 18 April 2016 - 07:35 AM

No no no.. All machines have the same thing on them !

That's all... thought a 64-bit OS log may come in handy too.

But if we remove it from one, I could do all, that I know. They pretty much all have the same issue!



#14 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,158 posts
  • Gender:Male
  • Location:Thailand

Posted 18 April 2016 - 07:38 AM

Well, then please provide a log from one machine only; posting logs from multiple machines will just cause confusion.

 

Now I've received your log files, please wait for my next instruction.

 

Thank you.




#15 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,158 posts
  • Gender:Male
  • Location:Thailand

Posted 18 April 2016 - 12:28 PM

Hi Brendanbowles.

 

Those lines from the aswMBR and GMER logs aren't always bad. From your picture the aswMBR log is perfectly clean and you don't have to do anything.

 

I need to see the GMER log though; instructions on how to get a log are below.

 

Your other concern, about NTOSKRNL.exe, is also false. That file is a protected Windows system file that you can't touch. If you try to mess with it the computer will throw a BSOD like the one you got. This file is perfectly clean.

 

About QuickBooks. Well, you have that installed, so seeing its services is not strange:

QuickBooks Pro 2011 (HKLM\...\{11E0AC7D-6822-4F67-865F-EE1C13D28C38}) (Version: 21.0.4003.904 - Intuit Inc.)

Now, please run these tools for me. Please don't do anything outside what the instructions say.

 

===============

 

Please download GMER from one of the following locations and save it to your desktop:
 

  • Main Mirror which will download a randomly named file
  • Zipped Mirror - Unzip the file to its own folder such as C:\gmer
  • Disconnect from the Internet and close all running programs
  • Temporarily disable any real-time active protection
  • It is very important you do not use your computer while GMER is running
  • Double-click on the randomly named GMER icon
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
  • If you receive a warning about rootkit activity and are asked to fully scan your system click NO
  • Please check in the Quick scan box
  • Please uncheck the following:
    • IAT/EAT
    • Show All <<< Important
  • Click Scan
  • If you see a rootkit warning window click OK
  • When the scan is finished, Save the results to your desktop as gmer.log
  • Click Copy then paste the results in your reply
  • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled

Note:

 

  • If you encounter any problems, try running GMER in Safe Mode
  • If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning

=================

 

Malwarebytes Anti-Malware (MBAM)

  • Please download the Malwarebytes Anti-Malware setup file to your Desktop.
  • Open mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme. 
  • Open Malwarebytes Anti-Malware.
  • Click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab and ensure Threat Scan is selected.
  • Click Start Scan.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs, followed by the first Scan Log.
  • Click Export, followed by Copy to Clipboard. Paste the log in your next reply.

 

=================

 

Emsisoft Emergency Kit

 
Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually C:\).

  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note: this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

===============

 

Thank you.






