Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

How I Solved My Rootkit / Bootkit Problem - Follow Up Post


  • Please log in to reply
3 replies to this topic

#1 SquidBoy02

SquidBoy02

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bay Area - San Francisco, CA
  • Local time:09:49 AM

Posted 07 November 2017 - 02:35 PM

Dear All,

 

 

What follows is the final result of the efforts I made, with the help of this Forum, to finally resolve a Bootkit / Rootkit Infection.

 

 

Please reference SquidBoy02 in two posts, August and September (?) 2017 for more information.

 

 

The following is a Step-by-Step Process for what worked for me, but is referenced to prior posts and help from BleepingComputer Forum Experts who have my deepest respect and appreciation.

 

 

*     *     *

 

How I Finally *Solved* My Rootkit / Bootkit Infection:

 

 

The asterisk is there because I didn't save the HDD in this process, since DBAN - Darik's Boot & Nuke - wouldn't load, further indicating that the Rootkit had control of my HDD, and possibly my CMOS on the MoBoard.  I might consider trying to save it later, using I just migrated all my files to an external HDD (Rootkit there now?  Remains to be seen...), and then physically destroyed the HDD, by opening it & removing the "Disk(s)" and recycling the rest at an e-Waste Facility. 

 

 

The Shiny, Mirror-Like HDD "Disk(s)" will be used as signaling devices in my backpack if I become stranded and need to signal for help...they're very reflective, with a viewing hole in the center...and it makes me smile to see my triumph over the R&B-Kits when I look at the Discs.

 

 

I tried to amend my earlier post(s) when I asked for help with a suspected Rootkit / Bootkit Infection, but they've been locked in the period of time it took for me to solve the problem...(2 Months)...hence the Post here.  Search for posts under Rootkit / Bootkit and SquidBoy02 to see if your situation is similar, if not exactly like, my situation.

 

 

*     *     *

 

Everything we tried failed on this Forum failed...but not without the efforts of some very fine people.  I thank you all.  I then spent hours and hours scouring all sorts of forums for other's takes on Rootkit / Bootkit Removal...and the number of entries is very large and getting larger as I looked.  But it gave me a few strategies...and I eventually solved the problem. 

 

 

That said, I have a Desktop Computer...not a Laptop...so your Mileage May Vary.  I just checked, and the process seems very similar except that you'd probably have to remove the Power...the Laptop Battery, too...and then open the case to access the HDD and Battery for CMOS.

 

 

What WORKED:

  1. Cracking the Case Open which *Voided the Warranty* on my ASUS G11CD Desktop Computer.  (Considering the pitiful Customer Support by ASUS for my product, that Warranty was worthless anyway...and it was time to take matters into my own hands.)
  2. Remove Power Supply & Push Power ON Button a 3 - 4 times to drain electrical capacitance on MoBo inside computer.
  3. Unplug & Remove the HDD...  (Not absolutely necessary, but I'll mention "Why" at the bottom.)
  4. Remove the Circular Battery for the CMOS on the MoBo...thereby depleting the "Memory Hold" of any Instructions held in the CMOS from the Rootkit on Boot-Up...r
  5. Research your Computer Model, and try to find a Schematic Diagram of the Mother Board to determine where the Clear CMOS Jumper is.  On my ASUS G11CD, it was toward the bottom edge.
  6. Lift the jumper on the MoBo to clear the CMOS (Bios) by jumping 2 of 3 posts, waiting a while...10 - 15 minutes is overkill, but I did that...and then returning the jumper to the Original Position.  **A picture w/ a cell phone might be handy BEFORE you do this step, if you forget where to put the jumper in the original position.
  7. Download a Recent Version of BIOS from ASUS to an empty Flash Drive...using a different computer (obviously).
  8. Return the Battery to the MoBo.
  9. If a Laptop, reconnect the Laptop Battery and lock it into place
  10. Reconnect Power Cord to Computer.
  11. Insert Flash Drive into USB Port in preparation for Flashing the BIOS.
  12. Turn Computer ON while pressing Del or F2 to enter BIOS Configuration, and then Navigate to Flash BIOS Utility.  (All Mfr.s will differ, but most have a Flash BIOS Utility.)
  13. Use the Utility to Flash the BIOS on the MoBo using the Flash Drive as reference for New BIOS.  (The BIOS was "cleared" when you removed the battery, as well as moving the Jumper on the MoBo to "clear" again...as an extra precaution...so now you have to restore the BIOS.
  14. ***Flashing the BIOS didn't work the 1st time, so I found different versions and kept trying until I found the right BIOS from ASUS.***  Keep Trying.
  15. Turn OFF Computer and Remove Power Connection.  (Leave Battery on MoBo and Laptop Battery in place!)
  16. Install compatible New HDD (Hard Drive).  I used a Samsung SSD (which I had always wanted) and a 2nd HDD - a Western Digital BLACK - 2 Terabyte Sata HDD. 
  17. Reconnect Power Connection.  (If no 2nd HDD, pls. disregard the info below).
  18. Insert Operating System Disk into CD/DVD Drive, or Flash Drive into USB Port.
  19. Install OS onto Computer...in my case, Windows 10...and then configure the 2nd HDD.
  20. Once OS is installed, Boot-Up the System...hit the Windows Button on the keyboard, or START Button in the lower left corner of the screen, and search for Disk Management.
  21. In Disk Management...assign a Drive Letter to Second HDD and do a simple format - NTFS in my case - to set the Drive for whatever you planned, and now the Computer will recognize both SSD & HDD.
  22. Reference this website, if you need help with configurations as they helped me a great deal with their videos: https://youtu.be/qMo8krAJd5Q

 

That's it, though it might seem like a lot.

 

 

In essence, you're: Saving your Files First...and then Removing Any Trace of R&B-Kit from the HDD & the CMOS on the MoBo...prior to Flashing New BIOS onto MoBo...and Re-Installing OS onto System.

 

*     *     *

 

Thought Process:

 

 

Nothing I did worked to remove the Rootkit / Bootkit from my Computer...and I mean *every-single-program* designed to remove R&B-Kits, Provide Logs to Study, etc., etc.

 

 

Therefore, after searching dozens of Forums...I learned that the Newest Trend in Malicious Code Writing was to install the Rootkit / Bootkit Virus beyond the level of detection of most Programs...e.g. a Section of the HDD that couldn't be wiped out, or on the MoBo itself, so that any time a Pgm. would try to remove the Rootkit / Bootkit...it would FAIL...since the Kit was controlling initiation of said pgm., etc. 

 

 

That's what really made me realize that I had a Rootkit / Bootkit Virus.

 

 

This process, detailed above, worked very well and I'm typing at that computer right now...and it works better than it ever did before w/ 2nd HDD and Primary SSD plus 16 GB more RAM. 

 

 

But...it was a long haul, and I wanted to Return the Love I felt with this group of very talented experts...hence my final post on my original request for help.  Others might come up with different versions of this approach, and I would defer to them as I'm NOT a Computer Expert (though I'm definitely getting there in some regards), and they might be able to speed up the process.

 

 

(SIDEBAR: BTW - Walmart is an amazing resource for Computer Parts.  I was able to order 10 (Yes...10!) Sata 3, Locking Cables for MoBo connections for under $10...shipped.  Knowing Global Exploitation, I probably walked over 14 skulls that day in my purchase of those cables...so I'll have to send the rest of my paycheck to Amnesty International to help my Conscience and Soul.

 

But that beats $14.95 for a Simple, Non-Locking, SATA Cable (Non Sata 3 / No Locking) from the Local Computer Store, though I DO try to keep those guys in business when I can.  If "I" can order 10 for $10.00 Shipped...what can the LCS order with Wholesale Pricing?  Seems like a Sata 3 Cable shouldn't cost more than $4.00 in a Brick and Mortar Store, but maybe I'm uninformed...???)

 

 

*     *     *

 

Best of Luck!

 

-- S.B.

 

 

p.s.  I'll log in a few more times after this posting to see how it's going, or if others disagree...inevitably...or suggest process changes.  After that...I'm off and running until the next time I need help from BleepingComputer.com -- S.B.


Edited by hamluis, 07 November 2017 - 02:50 PM.
Moved from MRL to Announcements - Hamluis.


BC AdBot (Login to Remove)

 


m

#2 SquidBoy02

SquidBoy02
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bay Area - San Francisco, CA
  • Local time:09:49 AM

Posted 09 November 2017 - 06:45 PM

Amendments to Post Above...

 

  1. Item - Remove the Power Supply - I meant to indicate you should *Disconnect the power cord to the Computer*...not *physically* remove the internal power supply via screws, etc.
  2. Item - HDD Can't Be Saved - Not true.  It's just that to install a Fresh OS, and not waste time with a compromised HDD w/ Rootkit, you're likely better off trying to save the HDD "later on" using a Utility Connector w/ Pwr. Supply and HDD Data Connectors vs. trying to re-install the OS and get the computer running w/ an Unknown HDD Status.  I bought a new HDD - WD Black 2 TB - and used that for the install...and it worked flawlessly.
  3. I'll consider what to do with the the prior HDD at some point...once I learn how to keep it from infecting my system entirely...or disassemble it and recycle everything but the Disk, to be used as a Signaling Mirror at some point in the Post-Apocalyptic-Future.

Best of Luck,

 

--S.B.

 

 

 



#3 lilking420

lilking420

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:11:49 AM

Posted 14 November 2017 - 12:27 PM

Squidboy02,

 

Thanks for all of your work and especially thank you for the followups!  I have been dealing with a similar long term infection myself since the begin of 2012.  In fact to this day, I have yet to identify the source of the bleepery that has spanned 2 desktop three laptops, numerous mobile devices and a couple routers too.  Including it's persistence through multiple reformats and HDDs.  While your posts did not help me directly to eradicate my own problem, i wanted to reach out to thank you for sharing your experiences in this endeavor.  I have involved many specialists, including Nasdaq, long ago, but to no avail.  Most of whom certainly questioned my sanity and insistence that I was dealing with a malicious infection or compromise at all.  Sadly, I have pretty much given up on my own infection at this point, choosing to live with it, rather than exhaust my sanity completely trying to solve what seems to be unsolvable.  Eventually i expect whatever it is i am dealing with will come to be known and resolved, but at this point it is beyond my own and all others' who have been involved ability to comprehend.  Anyhow, I wanted to offer a link to a thread on MS sysinternals forum i have been a part of since i first came to learn about rootkits first and then when Snowden leaked the alphabet agency stuff i became hyper aware that something was amiss.  

 

https://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706_page1.html

 

I am sharing this thread with the hope that it will help someone in the future with their own rootkit problems, but more importantly that it will help someone to expose and eradicate such dastardly bugs from the face of the Earth.  Those who employ these malicious tools should be exposed from what they are and held accountable.  Until then, we must continue sharing knowledge and understanding.  Thanks again Squidboy2!  Glad you got your issue handled even though you were not able to identify it specifically, every little bit of info we can put together to help others I consider a win.

 

Stay safe. Stay vigilant.    ✌



#4 SquidBoy02

SquidBoy02
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bay Area - San Francisco, CA
  • Local time:09:49 AM

Posted 14 November 2017 - 01:58 PM

Lilking420,

 

 

 

Your comments are much appreciated!  It feels good to know that I've helped someone, so that we can begin to get a handle on what steps are necessary to protect our COMS, Data, etc.

 

 

I read through your post and the Link to the sysinternals forum...and I have to say, I would really advise you to NOT just *live with the problem,* as your data is likely being constantly corrupted / scanned / mined.  If you're SYNC'ing your Cell Phone with the Desktops and Laptops, it's going to have the same problem, and might cross-infect your computers (???).  Not sure if that's possible, but I'd treat it like it is. 

 

 

If you follow through on the steps I took - not that hard, really, you just have to be persistent - you should be able to get back to where you're fairly safe and no longer infected.

 

 

*     *     *

 

 

First off, I'd backup your important files to an external HDD...or possibly, The Cloud...depending on how you feel about that Data Transfer to "The Aether."  I went with a Local Backup vs Cloud, but I may have the same problem occur if I allow my External HDD back onto my computer, so...some Isolation might be worthwhile.  (See Virtual Machine / Virtual Box note, below.)

 

 

Second, I'd Pull the Power...then push power ON buttons to de-power the capacitors in each Computer...and then Crack the Case(s)...**May Void Your Warranty** - (It did for my ASUS G11CD Desktop, but their Customer Service was severely lacking anyway...and Dear Baby Jesus, it felt good to Break the Ruleszz, Get My Hands in the Guts of the PC to Gain Control, and GO FAST Again - "Ricky Bobby" Style!)...and remove the HDD's from Desktops & Laptops. 

 

 

(Obtain New HDD's for All, or maybe an SSD here and there and some extras if you like.)

 

 

Third, Time to clear the CMOS by the battery on the Mobo and by using a Jumper on the MoBo to clear the CMOS Settings.  I let it go overnight (which is overkill, but little doubt was left in my mind if it was cleared the next A.M.), and reinstalled a Fresh Battery, to save future Firmware Flashing...which comes next. 

 

 

Fourth, Get a Clean Flash Drive (Only BIOS on the Flash Drive, and 0 Else) and download the BIOS Settings for all MoBo's using another Computer...and prepare to flash the MoBo.

 

 

Fifth, Return Jumper to Original Position on MoBo after CMOS is cleared, Install New HDD's, Verify New Battery on MoBo(s), Plug in Power Cord and Power Up OS...pressing DEL or F2 to enter BIOS.

 

 

Sixth, Flash the BIOS - Reconnect the Power Cords, Enter BIOS Flashing Utility and Point to Flash Drive for New BIOS Install.

 

 

Seventh, Install Clean OS...**But WAIT to Install Programs until you have more security setup.**  You might want to leave the Old Data off this computer entirely, choosing to use only one computer for that data as a Stand-Alone PC that won't connect to the Internet or Anything that touches this Primary PC. 

 

Why?  This is a potential cause of re-infection if you haven't determined the source.  I trashed my old HDD's, as they were old and small...never looking back once...and the Disk(s) should make Cool Signal Mirror(s) if I'm ever stranded on a long hike, etc.  Sure, it was The Nuclear Option / Scorched Earth Policy...but I haven't been re-infected, either.  I installed an SSD, new 2.0 TB HDD and 16 GB of additional RAM...and this thing rocks even more than before.

 

 

But it's only a matter of time until it happens again, as "The Zombies are Always Testing the Fence", so I'm taking additional steps to change my Security.

 

 

*     *     *

 

 

Here's the Current Plan:

 

 

#1.  More Secure OS Install - Linux Mint: I'm going to migrate to LINUX Mint OS & occasionally run Win 10 when needed, running in a Virtual Machine Setup, though I'm a Noob in that regard and am still learning.

 

 

#2.  Run OS in a Virtual Machine Environment - Oracle Virtual Box: I've picked up Oracle's Virtual Box Software - https://www.virtualbox.org - and watched a video of it running on YouTube where the Operator has backups of each OS installed.  In the event of compromise, he simply deletes the copy of the existing OS...loads a New Copy...and he's back in business.  At least that's what it looks like, though doing it might be considerably more difficult.

 

 

#3.  Configure Firefox Browser with Add-On Protections - AdBlockPlus, NoScript, WOT - Web of Trust, and Ghostery:  I highly recommend NoScript, but you have to occasionally allow it to run on certain websites.  If they're known websites, just allow full permissions.  When searching, the WOT add-on lets you know if a website has a poor reputation or isn't known at all.  Ghostery shields your Online Presence from Trackers.  **I shopped at Walmart.com...and the # of Trackers on that site is just OBSCENE - close to 30 Trackers were blocked - but it also makes the site features more difficult to use, so I turned it off briefly so I could run around Walmart,com "Unzipped" so to speak.

 

 

*     *     *

 

I'll re-post in a while after I configure the Virtual Machine Settings and let you know how that goes.  Hope you get it all sorted out.  Also, please don't take my word as an Authority or Expert; I'm just relaying what worked for me since nobody I contacted was able to figure it out.  Not saying they're not out there, but I wasn't able to contact them for help.

 

 

Best of Luck!

 

 

-- S.B.


Edited by SquidBoy02, 14 November 2017 - 02:05 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users