Believe I have a Rootkit but can't remove/disprove - please help to prove clear


1 reply to this topic

#1 lukevdb

  • Members
  • 1 posts

Posted 27 November 2017 - 02:03 PM

Hi, I'm running Windows 10 on a 64-bit Dell Precision 7510. I started having strange behaviour with something running PowerShell commands, creating a new workgroup administrator with higher privileges, and installing unwanted apps and services. The computer name was changed from the one I set, and there were many open connections to IPs that I didn't make. At this point I knew something was wrong, so I decided to wipe the PC.

I performed a full format of the only drive (500 GB SSD) with the Windows 10 recovery tool and reinstalled Windows 10 with a fresh image from Microsoft.

Now I am beginning to see unwanted system services again. From what I remember, during the reinstall of Windows there were some large hidden volumes (other than the system volume) that were not empty, but showed no data stores in the file system. Is it possible there is a shadow volume that contains the malware, which overrides the MBR and runs at every boot? I am guessing some variant of rootkit?

Please help me clear the issue. I've come to the limit of my technical ability, and I need to get the laptop back online for my job. In case it helps with assigning someone to help, I will be available 4 hours from now for the following 12.
Thanks for your time


Edited by hamluis, 27 November 2017 - 02:35 PM.
Moved from MRL to Am I Infected - Hamluis.
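A read-only PowerShell triage script for the indicators described in the post above. This is an added example, not code from the original thread or from BleepingComputer: it compares the computer name and local Administrators group against what the owner set, lists established non-loopback TCP connections with their owning process, shortlists services whose executable is not validly signed by Microsoft, enumerates every partition including hidden ones, and reports firmware type and Secure Boot state. The expected computer name and administrator account names are placeholder assumptions to be replaced with the values chosen at install time; everything else uses cmdlets that ship with Windows 10 and needs an elevated PowerShell 5.1 session.

```powershell
# Added triage script (not from the original thread). Read-only: it gathers the same
# indicators the post describes so they can be compared with what the owner configured.
# Run from an elevated PowerShell 5.1 prompt on Windows 10; all cmdlets ship with Windows 10.

# Hypothetical values: substitute the name and accounts you set during the reinstall.
$ExpectedComputerName = 'PRECISION-7510'
$ExpectedAdminNames   = @('Administrator', 'luke')   # bare account names, no HOST\ prefix

function Test-ComputerName {
    # The post reports the computer name being changed; compare it with the expected one.
    [pscustomobject]@{
        Current  = $env:COMPUTERNAME
        Expected = $ExpectedComputerName
        Matches  = ($env:COMPUTERNAME -ieq $ExpectedComputerName)
    }
}

function Get-UnexpectedAdmins {
    # Members of the local Administrators group that are not on the expected list.
    # Name is returned as HOST\account, so compare only the part after the backslash.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ExpectedAdminNames -notcontains $_.Name.Split('\')[-1] } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-RemoteConnections {
    # Established TCP connections to non-loopback addresses, with the owning process.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                PID     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
}

function Get-SuspectServices {
    # Services whose executable is not validly signed by Microsoft. Legitimate third-party
    # software and drivers will appear here too; the output is a short review list, not a verdict.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Recover the executable path from a quoted or an unquoted service command line.
            $exe = $_.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
            $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                Path      = $exe
                Signer    = $sig.SignerCertificate.Subject
                SigStatus = $sig.Status
            }
        } |
        Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' }
}

function Get-PartitionSummary {
    # Every partition on every disk, including ones without a drive letter, so the
    # "large hidden volumes" seen during reinstall can be accounted for. On a UEFI
    # Windows 10 install an EFI System partition, a small MSR and one or more Recovery
    # partitions next to the Windows partition are expected; anything else needs explaining.
    Get-Partition | Select-Object DiskNumber, PartitionNumber, Type, IsHidden, DriveLetter,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 2) } }
}

function Get-BootProtectionState {
    # Secure Boot status; Confirm-SecureBootUEFI throws on legacy BIOS systems.
    $sb = try { Confirm-SecureBootUEFI } catch { 'unavailable (legacy BIOS or not supported)' }
    [pscustomobject]@{ FirmwareType = $env:firmware_type; SecureBoot = $sb }
}

function Invoke-Triage {
    Test-ComputerName | Format-List
    'Unexpected local administrators:';           Get-UnexpectedAdmins | Format-Table -AutoSize
    'Established remote connections:';            Get-RemoteConnections | Sort-Object Remote | Format-Table -AutoSize
    'Services not validly signed by Microsoft:';  Get-SuspectServices | Format-Table -AutoSize
    'Partitions (including hidden):';             Get-PartitionSummary | Format-Table -AutoSize
    Get-BootProtectionState | Format-List
}

Invoke-Triage
```

Every check above runs through the operating system it is inspecting, so a kernel-level rootkit that filters what the OS reports can hide from all of them; a clean result is evidence, not proof. Unexplained entries in the partition list are best examined by booting from known-good media and inspecting the disk offline rather than from inside the installed Windows.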



#2 buddy215

  • Moderator
  • 13,134 posts
  • Gender:Male
  • Location:West Tennessee

Posted 27 November 2017 - 03:55 PM

Reformatting and reinstalling the Windows OS would have removed any malware from the HDD. Resetting the router and resecuring it would be another step in removing malware from it. Resecure the router by changing the default password, blocking remote access, enabling the router's firewall and checking for firmware updates for the router.

Backups on other drives could contain malware if the backups were performed while malware was present before formatting. If you are on your employer's business network...that is another source for malware. Other employees could help confirm if that was a source for malware.

Have you noticed any sign of malware being active on the computer? If so...what...such as slooooow computer, excessive HDD and processor activity, popup ads, programs opening or refusing to open, security programs unable to update or scan, etc.


Edited by buddy215, 27 November 2017 - 03:56 PM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”



