
"MS Support" scam, possible Rootkit / Bootkit infection...


9 replies to this topic

#1 HALlives
  • Members
  • 5 posts

Posted 18 February 2017 - 09:45 PM

Hi All

A friend was caught by an "MS Support" scam last week; they downloaded GoToAssist 3.1x, and Citrix Online Launcher, on her HP Elitebook running Win7 Pro 64Bit on a Crucial MX300 SSD.

I uninstalled GoToAssist in Safe Mode, but when I booted into Windows the "MS Alert" scammer window immediately appeared on the Desktop - see the attached PHOTOS of the window and link on the Task Bar - not in a browser, so I'm assuming there's a rootkit/bootkit in the system, and the system would shut down every 10mins or so, as promised in the scammer window.

I rolled the system back to a Restore Point about 2 months before the infection, and when I rebooted the scammer window was still there, and the system was shutting down every 10mins, so again I'm thinking that whatever this is, it's hiding in the MBR.

Now things get more complicated... I spent the last 6 days working with someone on another site; the machine was scanned with Farbar (repeatedly), Malwarebytes + Rootkits, Emsisoft Emergency Kit, SilentRunners, Eset Online Scanner, Combofix, TDDSSKiller, adwCleaner, Junkware Removal Tool, BitDefender Online Scanner, and aswMBR, in that order, in full Windows mode.

None of these tools found anything other than a few junk files to be removed, certainly nothing that was displaying the scammer window and shutting the machine down every 10mins.

Now things get really freaky; when I tried to run Combofix, I got an error message telling me it was out of date and asked if I wanted to run it in Reduced Functionality mode. When I clicked "Yes" the program disappeared from the desktop and the system! I searched for "Combofix" and got NO hits, it was gone, and when I rebooted the notebook the scammer window didn't appear, and the machine is no longer shutting down!

I'm at a loss to explain what has happened here - the other guy didn't even try (move along, nothing to see here), but said the machine is clean and my friend can go back to doing her online banking, taxes etc etc etc without any worries - needless to say I'm not convinced.

Any help with this would be greatly appreciated.



Edited by HALlives, 18 February 2017 - 09:49 PM.



#2 nasdaq
  • Malware Response Team
  • 38,586 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 19 February 2017 - 11:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I must admit that your Farbar logs are clean.

Let's check further.

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#3 HALlives
  • Topic Starter
  • Members
  • 5 posts

Posted 19 February 2017 - 05:57 PM

Hi nasdaq, thanks for the fast response!

The machine "seems" to be fine, now, but after all that has happened I'm not ready to trust to luck... I'd rather KNOW! :)

RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Barb [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/19/2017 14:16:26 (Duration : 00:08:15)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 4 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Crucial_CT750MX300SSD1 ATA Device +++++
--- User ---
[MBR] eed24fa47595f248217c0bd90bd025fe
[BSP] 6582eb83e1a69e099b363822e8777e83 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 715302 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Barb on Sun 02/19/2017 at 14:35:18.68.
Microsoft Windows 7 Professional  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Barb\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
2/19/2017 2:36:41 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\Program Files\HP USB Port Replicator deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\PROGRA~3\Synology deleted successfully
C:\Users\Barb\AppData\Local\VirtualStore deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) not found
C:\Users\Barb\AppData\Roaming\TechSmith deleted
C:\PROGRA~3\Package Cache deleted
"C:\PROGRA~3\{92D5D750-AA6D-437A-9732-D540EA9E7693}" deleted
 
==== Chromium Look ======================
 
 
Chrome Media Router - Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
 
==== Chromium Fix ======================
 
C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage deleted successfully
C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage-journal deleted successfully
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
 
==== Reset Google Chrome ======================
 
C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Barb\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=2162 folders=301 298407884 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Barb\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\Barb\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Sun 02/19/2017 at 14:47:36.98 ======================
 

Edited by HALlives, 19 February 2017 - 09:03 PM.


#4 nasdaq
  • Malware Response Team
  • 38,586 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 20 February 2017 - 08:43 AM

This scan may take an hour or two. Execute it when you know you will not need the computer.

Please scan your computer with ESET Online Scanner.
  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.

#5 HALlives
  • Topic Starter
  • Members
  • 5 posts

Posted 20 February 2017 - 08:34 PM

Hi nasdaq

ESET Online didn't find anything, the infected notebook is actually running the full ESET Smart Security suite... the Online scanner was run previously with the same result.

Also, would you recommend deleting these registry keys that were found by RogueKiller?

¤¤¤ Registry : 4 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
 
Thanks 
Paul 


#6 nasdaq
  • Malware Response Team
  • 38,586 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 21 February 2017 - 08:22 AM

HALlives wrote:
Also, would you recommend deleting these registry keys that were found by RogueKiller?

If you do, the default settings will be used.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
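The RogueKiller finding discussed in the two posts above is the UAC elevation policy. As an added example (not from this thread, nasdaq, or Adlice), this script reads that exact key, explains what the value means, and can write the Windows 7 default back; it assumes an elevated PowerShell on the affected machine and introduces no names beyond the registry path already in the log.

```powershell
# Added example, not from the thread: inspect the [PUM.Policies] value
# RogueKiller flagged. ConsentPromptBehaviorAdmin = 0 means administrators
# are elevated without any prompt, so whatever runs as the logged-on admin
# (a remote-support tool included) gets full control silently.
# Windows 7 default is 5 (prompt for consent for non-Windows binaries).
# Written for PowerShell 2.0, which is what Windows 7 ships with.

$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin
$meaning = @{
    0 = 'Elevate without prompting (UAC effectively off for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Always notify)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}

function Get-UacState {
    $p = Get-ItemProperty -Path $policyKey
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Meaning                    = $meaning[[int]$p.ConsentPromptBehaviorAdmin]
    }
}

function Restore-UacDefault {
    # Same values a fresh Windows 7 install carries; EnableLUA needs a reboot.
    Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name EnableLUA                  -Value 1 -Type DWord
}

$state = Get-UacState
$state | Format-List EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, Meaning
if ($state.ConsentPromptBehaviorAdmin -eq 0 -or $state.EnableLUA -eq 0) {
    Write-Warning 'Admin elevation is silent on this machine; run Restore-UacDefault to put the default back.'
}
```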

#7 HALlives
  • Topic Starter
  • Members
  • 5 posts

Posted 21 February 2017 - 08:29 AM

So, no other ideas? 



#8 nasdaq
  • Malware Response Team
  • 38,586 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 21 February 2017 - 08:33 AM

What is bothering you?

#9 HALlives
  • Topic Starter
  • Members
  • 5 posts

Posted 21 February 2017 - 08:26 PM

Well, none of the tools that were used ever found anything amiss, and that was while the machine was being shut down every 10 minutes by whatever was downloaded onto it.

Do you know of any tools that are run from a bootable stick drive, and can scan the MBR?



#10 nasdaq
  • Malware Response Team
  • 38,586 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 22 February 2017 - 10:24 AM

Is the computer still being shut down (restarted) every 10 minutes?

That being the case, open your Task Manager (CTRL+ALT+DEL) and select Startup.

Verify if you have a process that you do not know of or that has no Publisher's name listed.

Or check your Task Scheduler

http://www.makeuseof.com/tag/windows-10-task-scheduler-gives-power/

Anything strange that you do not know about?

===

You can check the MBR from your desktop. Not sure if you can run it from a USB drive.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===
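The startup and Task Scheduler check described in the post above, as an added triage script that is not part of the thread: it lists Run-key autostarts and scheduled tasks, resolves the binary each one launches, and reports its Authenticode signature state, so unsigned or missing executables and tasks that repeat every few minutes stand out. It assumes a Windows 7 machine with PowerShell 2.0 and only reads; nothing is deleted.

```powershell
# Added triage script, not from this thread. Uses schtasks.exe rather than
# the ScheduledTasks module so it also runs on Windows 7 / PowerShell 2.0.
# Review the output by hand: a signed Microsoft binary in a repeating task
# is normal, an unsigned or missing one is what to investigate.

function Get-ExePath([string]$Command) {
    # Pull the executable out of a command line such as: "C:\a b\x.exe" /arg
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $null
}

function Get-SignatureState([string]$Path) {
    if (-not $Path) { return 'no-exe-path' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    if ($sig.Status -eq 'Valid') { return 'signed: ' + $sig.SignerCertificate.Subject }
    return 'UNSIGNED: ' + $sig.Status
}

Write-Output '== Run-key autostarts (HKLM 64/32-bit views and HKCU) =='
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata
        $state = Get-SignatureState (Get-ExePath $p.Value)
        '{0,-25} {1,-55} {2}' -f $p.Name, $p.Value, $state
    }
}

Write-Output '== Scheduled tasks that repeat, or run unsigned/missing binaries =='
# schtasks repeats its CSV header once per task folder; drop those rows.
$tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
         Where-Object { $_.TaskName -ne 'TaskName' }
foreach ($t in $tasks) {
    $state   = Get-SignatureState (Get-ExePath $t.'Task To Run')
    $repeats = $t.'Repeat: Every' -and $t.'Repeat: Every' -ne 'N/A'
    if ($repeats -or $state -notlike 'signed:*') {
        '{0,-40} every={1,-9} {2,-45} {3}' -f $t.TaskName, $t.'Repeat: Every', $t.'Task To Run', $state
    }
}
```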




