
Rootkit keeps coming back

5 replies to this topic

#1 Alley Cat


Posted 26 January 2017 - 01:26 AM

3 weeks ago, I noticed a Network drive.  Inside are 8 files: TXT, XLS, DOCX, other Excel files.
 
These files cannot be opened.  I used the PERMANENTLY DELETE option on my antivirus to remove the directory.
 
I looked into how to remove the Network drive, couldn't figure it out.  So I wiped the entire HDD, Windows 7 on a clean install.
 
Reinstalled firewall, antivirus and drivers while offline (ethernet cord unplugged). Rebooted, went online and downloaded Win updates. Out of 177 updates, only 136 installed.  Security Monthly Quality Rollups (Oct 2016, Nov 2016, Dec 2016) always need to be rolled back (unsuccessful updates).
 
50 % of my things are reinstalled.  Like before the reformat, the computer runs fine.  No malware or ransomware notices.
 
But this rootkit is back, and has spread across all 3 HDDs. These directories are hidden and cannot be viewed in Windows Explorer (my settings were changed to see all).
 
 
PS: Why can't I attach screenshots?


#2 Havachat


Posted 26 January 2017 - 02:00 AM

Did you disconnect the other drives prior to reinstalling Windows on the main drive?

Sounds like the malware is on those other drives.

 

You may need to post in the Virus, Trojan, Spyware, and Malware Removal Logs forum,

or have a Moderator move this one to that area (PM them).



#3 grinyx


Posted 26 January 2017 - 02:44 AM

I got the same issue over last weekend.

There were 2 new folders with 10 random files in each of them on each drive, plus a "disconnected network drive A:" that could not be removed.

Also, there were 2 new randomly named folders under the Users directory and one folder whose name never changed under Windows\temp.

Avast was able to identify some of the files as a "decompression bomb" but was not going to find the root cause of this infection.

Anytime I deleted these folders they were regenerated after about 2 minutes with other random names and files.

 

I tried:

sfc /scannow
DISM /Online /Cleanup-Image /RestoreHealth
but nothing was found.

 

I used AVs: Avast, Bitdefender and Sophos with no success.

I also checked with Malwarebytes, F-Secure, HerdProtect, RootkitBuster, plus a few more, but everything came back clean.

 

I used System Explorer to log the history of process changes while I was deleting those folders and waited for them to be re-created.

There were always 2 processes like these going down and coming up in less than 2 minutes:

 

New PID=5388 PPID=852  C:\WINDOWS\system32\DllHost.exe /Processid:{72A7994A-3092-4054-B6BE-08FF81AEEFFC}  Parent Filename="C:\Windows\System32\svchost.exe

 

I tracked the bug to a scheduled task with this command:

C:\WINDOWS\System32\pcalua.exe -a "C:\Program Files (x86)\InstallShield Instalation Information\{72A7994A-3092-4054-B6BE-08FF81AEEFFC}\Setup.exe" -c uninstall -removeonly

 

Apparently, a new directory was created under C:\Program Files (x86)\InstallShield Instalation Information\ after each system restart, each time with a different key name.

 

I deleted the C:\Program Files (x86)\InstallShield Instalation Information\ with all its subfolders.

I removed the scheduled task.

The effect was ZERO. It kept coming back after each reboot and after each anomalous folder deletion.

 

The files and folders completely disappeared after I uninstalled the RansomFree program by Cybereason: https://ransomfree.cybereason.com/

I did install this program about a month ago on 3 computers. None of the other computers were impacted by this malicious payload.

Somehow RansomFree was the root cause of the bug I got.

After 1 week it did not show up again (not even as hidden files). I also removed this program from my other 2 computers, just in case.

 

Sorry for not keeping better records on my tests, but this bug kept me awake for many hours and my last concern was to save what I did there.

 

I hope it helps in identifying this bug.
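A defender-side triage script for the persistence chain described in this post, added here as an example; it is not part of the thread and is not code from Cybereason, System Explorer or BleepingComputer. It assumes Windows PowerShell (2.0 or later, so it also runs on Windows 7) in an elevated session, relies on the verbose CSV columns of schtasks ("Task To Run", "Last Run Time"), and accepts both the post's spelling "Instalation" and the legitimate "InstallShield Installation Information" folder name.

```powershell
# Added example: triage the scheduled-task persistence described in post #3.
# 1. Enumerate every scheduled task via schtasks verbose CSV output and flag any
#    whose action runs pcalua.exe (the Program Compatibility Assistant launcher the
#    malicious task used to proxy Setup.exe) or references the InstallShield folder.
# 2. List the per-product GUID subfolders under every "InstallShield Instal(l)ation
#    Information" folder on each fixed drive with creation times, so a subfolder
#    newer than the last reboot stands out.
$rows = schtasks /Query /FO CSV /V 2>$null | ConvertFrom-Csv
# schtasks may repeat its header line for each task folder; drop those pseudo-rows.
$tasks = $rows | Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' }

$pattern = '(?i)pcalua\.exe|InstallShield Instal{1,2}ation Information'
$suspicious = $tasks | Where-Object { $_.'Task To Run' -match $pattern }

Write-Host "Scheduled tasks whose action matches the pattern:"
if ($suspicious) {
    $suspicious | Select-Object TaskName, Author, 'Last Run Time', 'Task To Run' |
        Format-List
} else {
    Write-Host '  none found'
}

Write-Host "InstallShield information folders on fixed drives:"
# DriveType 3 = local fixed disk (covers the C:, E: and H: drives the OP describes).
$drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID }
foreach ($d in $drives) {
    foreach ($pf in @('Program Files (x86)', 'Program Files')) {
        $dir = Join-Path "$d\" $pf
        if (-not (Test-Path $dir)) { continue }
        # -Force includes hidden folders; PSIsContainer keeps PowerShell 2.0 compatibility.
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and
                $_.Name -match '(?i)^InstallShield Instal{1,2}ation Information$' } |
            ForEach-Object {
                Get-ChildItem -Path $_.FullName -Force -ErrorAction SilentlyContinue |
                    Where-Object { $_.PSIsContainer } |
                    Select-Object FullName, CreationTime, LastWriteTime
            }
    }
}
```

Compare the creation times it prints against the last boot time (for example from systeminfo) to confirm the folder is being recreated on each restart rather than left over from a genuine InstallShield product.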


#4 Alley Cat


Posted 26 January 2017 - 06:27 PM

Did you disconnect the other drives prior to reinstalling Windows on the main drive?

Sounds like the malware is on those other drives.

 

Yes, only Drive C is connected during install.  Drives E and H are not connected until Windows is done installing. Each time this rootkit comes back, 3 folders are created on Drives E and H.  6 to 20 random files: TXT, XLS, PEM, SQL, DOCX, other Excel files.

 

I asked a Moderator to move this topic to the correct section.


Edited by Alley Cat, 26 January 2017 - 06:29 PM.


#5 hamluis (Moderator)

Posted 26 January 2017 - 07:39 PM

This topic cannot be moved to MRL...the posts here have no relevancy to the way that MRL topics are posted and pursued.

 

What you need to do is initiate a new topic in the MRL forum (as suggested by Havachat above), following the instructions at Steps 6-8 at Preparation Guide, Before Using Malware Removal Tools and Requesting Help - http://www.bleepingcomputer.com/forums/topic34773.html .

 

Once that is done, this Am I Infected forum topic will be closed and all your attention should be focused on your new MRL topic.

 

Louis



#6 Animal (Site Admin)

Posted 28 January 2017 - 11:31 PM

Hello,

Now that you have posted a log here: https://www.bleepingcomputer.com/forums/t/638561/rootkit-survived-clean-install/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log. I also deleted the duplicate log topic that was posted.
