RootKit nightmare - Virus across multiple devices


  • This topic is locked
3 replies to this topic

#1 kizza91

kizza91

  • Members
  • 22 posts
  • Gender:Male
  • Location:UK

Posted 28 August 2017 - 03:27 PM

Hi all,

Just want to start off by saying that I work in the IT industry and have done for the last 8 years, and even I cannot shake this nasty rootkit, which so far has infected, to my knowledge, 1 x Win10 Dell work desktop PC, 1 x Win7 laptop, 2 x Windows 10 laptops, 1 x Android phone (Moto G), 1 x MacBook Pro, 1 x old Lenovo which I use for Kali Linux (just for messing around, learning IT Sec, the irony!), 1 x Synology 412+ NAS drive, and even my Nokia N95 (believe it or not).

I've used Wireshark to monitor traffic coming in and out of my property, and Wireshark is telling me that it's completely abnormal. This is using home broadband and also a mobile 4G router, same results.

On my main laptop, a Clevo P375SM-A gaming laptop, I was battling with someone who had gained access and was controlling my mouse, locking me out of my machine, firing up random services, and then eventually I found traces that he had been broadcasting me from my webcam across Flikr.com and Vox.com, which is really quite unnerving and shocked me (I've put some Blu Tack across the lens now).

If I disable the WiFi in the BIOS of my Clevo, the computer fails to boot. This is the same with Bluetooth. On one machine (Win 7 laptop) I was able to pull the WiFi adapter out so there was no way they could bypass the WiFi being turned off. I managed to pull off some logs which prove that they were tampering with my N95 and pushing Python scripts to it.

I've removed network access from the N95 (now turned off) and saved the files (which are all encrypted), and I suspect that they are photos of me or where I've been. I only say this as the N95 is an old phone now and you can actually hear the lens clicking every 5 seconds or so when it's turned on. Also, these files would disappear when I connected back to the network; I suspect they all get uploaded to some remote location, so hopefully I can decrypt these files and get some idea of who is messing with me.

I've been dealing with this for the past month and am afraid to even turn my machines on. Currently using the Mac to start this topic as it seems the least affected. My gaming laptop, from research, appears to have been used to mine bitcoins for someone, which would explain the performance decrease before I discovered that this is a much, much more sinister issue.

I have spent countless hours with the Clevo (being a £2k+ laptop) reinstalling the BIOS, doing an SSD secure erase, and reinstalling Windows, to no avail - it keeps on coming back.

Malwarebytes picks up "Backdoor.Trojan Bot" plus multiple related Trojans after every reinstallation of Windows, but again, they just keep on coming back.

I've used TDSSKiller, MBAM, MBAM Anti-Rootkit, MBAM Chameleon... pretty much all anti-rootkit software to try and remove this depressing annoyance.

My Gmail of 10+ years has been hacked, which means 50,000 emails and other accounts compromised, and Google are telling me that they're not satisfied that I am the rightful owner (unbelievably infuriating, as they can surely tell that my recovery details have been changed), so I've had to create a new account and reset countless passwords, which have no doubt been key-logged.

Whoever is doing this to me is making my life a complete misery and I've come here to seek advice. They're not just messing with my devices, they're messing with my sanity & life.

I warned work about this issue I'm having and noticed signs there that someone was querying our main server and bad packets of data were flying round the network.

In their naivety, they told me I was looking into something that's not there (which is the whole idea of a rootkit virus) and I even got a written warning because I was too fixated on an issue that they thought I was making up. I even spent many hours out of work time making sure our systems didn't get infected, staying at work until gone 12am to make sure we were secure, but in all honesty I think we're already infected as the same "Backdoor.Trojan.Bot" keeps reappearing on my work computer. I can only think this has followed me to work through Google Chrome and signing in, possibly initiating some dodgy JavaScript? I just don't know and am tired even writing this now. It's utterly depressing.

The only software which has been successful so far in picking up any oddities is GMER.exe, which goes off the scale with red text saying "RootKit/Malware". This is on my Clevo, which is my priority. Work was the priority, but after the written warning... go figure.

Thanks in advance,

Cannot wait for this nightmare to end. I am tech savvy, so any logs or further information you guys require, I will gladly oblige.

Cheers,

Kieran


Edited by kizza91, 28 August 2017 - 03:39 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 August 2017 - 05:31 PM

As you can see, rootkits are difficult and should be removed properly. Please repost your info with an FRST log from the guide below. Start with step 6.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well..

#3 kizza91

kizza91
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:UK

Posted 29 August 2017 - 04:27 AM

Thanks boopme, I was up quite late trying to get FRST to run on my Clevo but my keyboard has been completely disabled. Even an external keyboard wasn't working. All USB ports disabled.

Currently at work, so I may as well start there as I can already see some anomalies in the log.

Will keep you posted!



#4 hamluis

hamluis

  • Moderator
  • 56,104 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 29 August 2017 - 05:19 AM

New topic in MRL posted, https://www.bleepingcomputer.com/forums/t/655633/multiple-devices-infected-with-rootkit-virus-frst-logs/ .

 

Now that you have a properly posted topic in the Malware Removal Logs forum, the personnel there will assist you with your issues.

 

To avoid confusion, I am closing this topic in the Am I Infected forum.  Thanks for your cooperation :).

 

Louis





