Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit detected by gmer. Infection persisted through DBAN


  • This topic is locked This topic is locked
3 replies to this topic

#1 willfs

willfs

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 03 May 2016 - 01:32 AM

To begin with, some context. My sister called me for help after a malicious person posing as customer support duped her into installing malware. Over the phone, he instructed her to visit a malicious website using an insecure browser (she mentioned Win+r, hh h, iexplore -extoff). She recognized it was a ruse when the guy demanded $300 to fix the mess.

 

I connected to her laptop from my workstation with Teamviewer 11. We first ran Malwarebytes Anti-Malware which found nothing. A couple tools later, we ran gmer, which found evidence of a rootkit. To my surprise, the gmer log also contained evidence that the malware had neutered MBAM.

 

I offered her two choices: research the malware and manually remove it, or wipe the laptop and reinstall Windows. She preferred the latter. I guided her through preparing two flash drives containing DBAN and Windows 10. She ran DBAN overnight, and installed Windows yesterday.

 

She called me back because gmer detected the rootkit on her new Windows installation.

------

 

 

She is sending me the laptop. I am posting on this forum for advice on best methods/practices.

 

First, I underestimated the sophistication of this malware. Obviously it infected the thumbdrive she used to reinstall Windows. Is there any chance it may have infected my PC via Teamviewer?

 

My intuition is that's incredibly unlikely, but I'd like reassurance. I imagine the hacker would've needed knowledge of an unpatched vulnerability in the Teamviewer client process to execute remote code on my system. As far as deliberate transfer of files initiated by me, only some logs in plaintext.

 

When the laptop arrives, here's what I plan to do:

1) Airgap it. No LAN, no internet.

2) Buy a cheap flash drive for DBAN.

3) Prepare the DBAN disk and Windows 10 disk on a known clean machine.

4) Wipe the laptop with DBAN and discard the flash drive.

5) Install Windows 10

 

Is this sufficiently paranoid? The gmer log indicated the rootkit had infected the MBR on her laptop's SSD. Is it possible the rootkit is present in other writable flash memory soldered to the motherboard? The UEFI BIOS is my first thought, but I imagine other non-volatile memory could be targeted.

 

If anyone is interested, I can share the gmer logs. Thanks in advance for your feedback.



BC AdBot (Login to Remove)

 


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,791 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:40 PM

Posted 05 May 2016 - 09:13 AM

Greetings willfs and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • [First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please post the GMER log. When you are able please complete the below.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recover Scan Tool for either 32 bit or 64 bit systems and save it to your Desktop. <<< Important
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the windows key Windows_Logo_key.gif + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • FRST results
  • Addition log
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,791 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:40 PM

Posted 08 May 2016 - 07:10 PM

Greetings,

===================================================

3 Day Bump

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,791 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:40 PM

Posted 10 May 2016 - 02:08 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users