
Believe network and all machines infected by remote access trojan

1 reply to this topic

#1 Taxbill


  • Members
  • 1 posts

Posted 29 August 2017 - 02:28 PM

First, thank you for all your efforts. For 3 years I have been fighting an infection that MSFT level 2 techs (remote/in store) and Apple techs (same) have been unable to diagnose, much less repair. Symptoms are: new machines are infected by the time setup is completed. Very few A/V programs are able to detect it; Norton, MBAM, Kaspersky, Vipre, Comodo all claim machines clean. Spybot actually detected, as did HitmanPro and a few others, but they were unable to delete infected hosts files, registry keys, programs because the infection (RAT, I believe) gives infected files NT permissions while changing any owner admin accounts to standard. I have tried disabling remote access but machines are infected before I can get that far. I have tried VPN and static IP but remote simply bypasses. This seems to be the result of an infected network as well as infected machines (+ no admin perms that would allow net user, sfc, chkdsk options, but can't). Windows Defender allows access to connection settings; most settings that would help show as grayed out in the GUI. I have tried creating rules that should block packets/streams from unidentified IP addresses. Tracert shows "up address unavailable".

I could add quite a bit but it is probably more efficient for you to request specific info. Open to any outside-of-the-box options, e.g. removing wireless cards and running through a Zyxel USG 20W router, or any other suggestions you may have. If a further equipment purchase is necessary, fine (I believe Cisco now has business routers that offer far better security than the ISP router offers). I have never encountered anything as close to AI as this RAT. Capable of deleting text from screen, assessing software for threats and changing the extension to .htm or .jpg on some of the downloads from your site (originally .exe).

Would be forever grateful if you were able to help me fix the problem. BTW, almost no services are available in safe mode; restarting in services.msc prompts an error message. I have every setting re. remote access turned off, but those essential to the infection are grayed out.
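One concrete triage check for the hosts-file tampering described in this post, added here as an example (it is not code from the poster or from BleepingComputer): it parses a hosts file and flags entries that pin a security vendor or update domain to a sinkhole or a foreign address. The sample hosts content and the watched domain list are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file (hypothetical; not from the poster's machine).
# Two entries sinkhole vendor sites, one redirects an updater to a foreign IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# suspicious entries below
0.0.0.0         www.bleepingcomputer.com
203.0.113.7     liveupdate.symantecliveupdate.com
127.0.0.1       www.malwarebytes.com
192.168.1.10    fileserver.local
"""

# Domains a clean machine should never have pinned in hosts (assumed list).
WATCHED_SUFFIXES = (
    "bleepingcomputer.com", "microsoft.com", "windowsupdate.com",
    "symantecliveupdate.com", "malwarebytes.com", "eset.com", "kaspersky.com",
)
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)          # skip malformed address tokens
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower(), line_no


def find_hijacks(text):
    """Return watched-domain entries, classed as sinkholed or redirected."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if name in LOCAL_HOSTNAMES:
            continue
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            addr = ipaddress.ip_address(ip)
            kind = "sinkholed" if addr.is_loopback or addr.is_unspecified else "redirected"
            hits.append({"line": line_no, "host": name, "ip": ip, "kind": kind})
    return hits
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` into `find_hijacks` and compare the flagged lines against what an administrator actually configured.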



#2 JohnnyJammer


  • Members
  • 1,122 posts
  • Gender:Male
  • Location:QLD Australia
  • Local time:03:37 PM

Posted 29 August 2017 - 05:00 PM

Sounds to be a worm. Have you tried the ESET Online Scanner?

Also sounds like the machines are not fully up to date, so it's using an old exploit, and by the time you re-image a PC it then gets connected to the domain, and by the time it hits the Windows Update store and/or WSUS server it's too late.


I would start updating a PC outside of the domain first, then I would open Wireshark or something similar to see exactly where the infection/injection is taking place, because it sounds like you have mimikatz running and token kidnapping to gain admin privileges, mate.


Oh, also maybe post in the "Am I Infected" section of this site, mate.

Edited by JohnnyJammer, 29 August 2017 - 05:00 PM.
