
This will go down as most complex infestation by malware trojan


5 replies to this topic

#1 Melanie1


Posted 28 March 2018 - 01:18 AM

My computer has been taken over by C&C. It's malicious. There is someone on the other end monitoring my efforts and running interference on them. Logging in here gave me a "website down" error message.

Every antimalware, antivirus, anti-whatever log comes back clean on every scan. It takes complete control from a remote registry on a hidden server, bypassing the router. Microsoft support couldn't figure it out.

They take 'God' control over the system: TrustedInstaller, audio, Task Scheduler, WMI, Windows host media, ctfmon, group policy.

Each day I have hacked copies of various microsoft windows OS and office programs. All my software is licensed. I'm finding Win7 64bit on 33 bit system running 2015 office 365, next day it will be Win10 etc.

I have narrowed it down to hard drive and wiped the hard disk clean, formatted with OEM recovery disk, formatted with licensed copy Win7 ultima, deleting all partitions including 100mb boot, redirected boot to c drive, zeroed out the entire drive with DVD 7 passes.

I have used rescue disks from each of the vendors to no avail. Nothing wrong. It's probably scanning a clean mounted win.iso image.

I've used diskpart to list disk, partition, volume etc.; nothing unusual.

I've used Partition Wizard etc.

Autoruns shows that Jump to Entry states the registry is not located on this computer.

So I figured I ran into the Intel emergency management exploit, EMS loader exploit, MS SAC NDAS connection exploit, as you can install an OS on computers not connected to the Internet nor plugged in, using ROM memory which needs no electricity. I am Ethernet wired, no wireless, and Bluetooth is disabled.

All versions of Avira Rescue show 57 variants: TR/Crypt.XPack.Gen3, AutoKMs.TR/Dropper, win32/UBBE sessions\i\ApiPort, goopdater_Zh-TW.dlk.vir, blog.crysys.hu, x-tunnel, uxtheme.dll, Vir.IT.eXplorer, "Inject shell code into privileged process", Goopdatesres.ar.dll

I have most of their code. I believe it is at the BIOS level. I cannot flash the BIOS as they have password-protected it, so every time I boot up, an auto-hide process is started on any device. They have erased several USB disks with data on them.

So I can attach other log files to show the infection. ComboFix found some infections, but they erased it and denied access to all scans.

The key is to reset the BIOS, but if they control everything, I don't know if that will work. I was running EMET, Emsisoft, Malwarebytes Anti-Ransomware, Anti-Exploit and Windows Defender, but now they are using JS script files.

The programs they are using are older Windows files from 2009 that had known vulnerabilities (the Win OS should be 2011), to bypass the issue of verified code signatures and operate below the level of most scans.

Next step. Can you help?

I will post the autorun files. I have others if they have not deleted them. I'm on smartphone with limited capabilities.

Attached Files


Edited by Melanie1, 28 March 2018 - 01:27 AM.



 


#2 HelpBot


Posted 02 April 2018 - 01:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/674309 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Melanie1


Posted 04 April 2018 - 02:16 PM

Yes, I still need help. I've been sick with the flu and am just recovering enough to try and fix the computer.

I have no Internet connection other than phone.

I have OEM recovery disks for Windows Home Premium as well as a retail licensed copy of Windows Ultima. I wiped the partition with MiniTool's Partition Magic, formatted NTFS, and installed OEM Windows Home. The 100 MB reserved sector has malware even after wiping it, diskpart, wiping all partitions, formatting and zeroing out the 320 GB drive. Tried installing the licensed retail Windows 7 Ultima, but same problem: it boots up but uses an older hacked version of Windows from 2009.

The problem is in the system BIOS. Tried flashing the BIOS but could not, as they password-protected it.

Will try to get FRST logs. I only have a phone now. If I go into the recovery console command prompt or Shift+F10, I get an X: drive with hacked Windows files using Terminal Services and Remote Registry.

I get a C: drive with my valid licensed copy of Windows, a D: data drive, and an E: drive with malware: boot folder, windows, sources, users, default.

I will try to post new logs hopefully today

Thanks for your inquiry and help!

#4 Melanie1


Posted 04 April 2018 - 04:07 PM

Unfortunately, my phone won't allow me to view, copy and paste the files into the editor. I get an error message on my phone that says no app is able to perform this action.

 

I ran in normal mode. Ran Defogger first, then Rkill, before running FRST. I also included the ESET Rescue Disk scan.

 

Caveat: When running these scans, computer on boot-up goes into "God" mode and takes control of system, group policy, etc. so all these scans and processes under security have unknown SID with full control S-1-5-5-0-× to redirect scans

 

 

Attached Files



#5 Melanie1


Posted 06 April 2018 - 03:19 AM

Are you going to be able to help, or do I need to go elsewhere? I have limited communication. Please advise.

 

Myself, I believe the computer is bricked. They have gotten into the system firmware. I see code scanning all devices and checking for matches from all versions of Windows OS from XP, Server, to Win10. Using audio noise via their statements through Bluetooth to send bits of code, but they have code parked at each module on the motherboard in their firmware. They even managed to compromise the ESET read-only DVD rescue disk. Each day they clean up after themselves by keeping a folder tracking my activities. Each day I might have a different Windows version on my computer.

 

They are using Windows system X, Unix, Their IP is 1.28.0.9 China. 

Using getadmx.com NCSI_CorpSitePrefixes

On D drive have hidden files in Recycle bin under SID and list numerous malware files

 

.XO-Lock, .X11-unix, .ICE-unix, .Xauthority 

 

They scan each and every one of the OSI protocols such as UDP, TCP, tty, terminal, IPv6, etc. using remote access socket 0.

 

Found file copyright 1992 Microsoft

Module name rasctrnm.h

This file has RAS symbols used for loading counters to registry

Created Thomas j. Dimitry 28May93

 

Remote connection folder lists:

Protocol  size  sockets  memory  press  MaxHd  Slab  Module
TCP       1340  1        0       No     304    Yes   Kernel
UNIX      704   271      -1      NI     0      Yes   Kernel
etc.

 

It's pretty sophisticated. I'm so frickin' pissed off right now.

 

So I'd appreciate it if you let me know if this is too hard to fix. Exploiting vulnerabilities in older versions of signed Windows code and files to bypass scanners. MS CVE 2017 & 2018 fixed the security holes, but it's too late for me.


Edited by Melanie1, 06 April 2018 - 03:27 AM.


#6 HelpBot


Posted 07 April 2018 - 01:25 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

 

Mod Edit:  Topic reopened - Hamluis.


Edited by hamluis, 07 April 2018 - 04:36 PM.




