
Suspect rootkit Windows 7 64 on RAID1


  • This topic is locked
3 replies to this topic

#1 pbolduc

  • Members
  • 4 posts

Posted 13 September 2018 - 11:39 AM

Unfortunately, I've tried to resolve this problem myself before I found this forum so I've already attempted some scans as mentioned below.

I've spent the better half of yesterday attempting to fight back against a problem I couldn't see. Mouse and keyboard would stop working. Sometimes the mouse would click a button in a program, other times it wouldn't. The problem would come and go. Naturally, at first I suspected the system to have faulty hardware. However, after remoting into the computer I quickly realized that my remote control was exhibiting the same behavior. The system has a running and legal copy of Symantec Small Business Edition Endpoint Protection.Cloud. It doesn't seem to recognize any suspicious activity. I've also run ComboFix, RogueKiller, Junkware Removal Tool, TDSSKiller and a Malwarebytes full scan. I loaded up GMER but it doesn't indicate anything rogue.

I definitely know there's suspicious activity based on Explorer.exe randomly crashing, Internet Explorer wanting to be debugged and the random nature of my mouse and keyboard functionality coming and going on a variety of different window buttons or keystrokes in a text field.

I haven't been able to run any offline scans yet, nor was I able to run RKill before the scanning as I was remoted into said PC and RKill would terminate my connection. I've downloaded the Sophos anti-rootkit scan tool but I haven't had the chance to run it. I've attempted to try and spot any suspicious DLLs that fly by on Process Monitor but so far none have caught my eye.

I've attempted to run most scans from Safe Mode with Networking, and when I chose to run the Malwarebytes rootkit scanner, which took 6 1/2 hrs, it never did properly complete as the scan seemed to hang during heuristic scanning.

Also, running SFC /scannow doesn't complete as it comes back with a Resource Protection error around 67% in both normal mode and safe mode. I was however successful in running a thorough "chkdsk /f /r" on the primary boot\system partition and I don't suspect a problem with the hard drives. I have attached a STOP error which occurred while I was trying to revert to an older system restore point with the intention of breaking the infection enough to make it visible to remove.

This possibly could be an MBR Boot rootkit as I wasn't able to retrieve the MBR information using mbr -t from the command line. Not sure if Windows or the Antivirus may have blocked my request when I ran said command from the Windows folder.

For good measure I reset TCP/IP ("Netsh int ip reset reset.txt" and "Netsh winsock reset") and flushed the DNS after a reboot. I've inspected the System Path environment variables to make sure nothing rogue has added itself to the path, and I've run Microsoft Sysinternals Autoruns to check the start-up nature of the system with no indications of anything unusual. I suspect the infection is attaching itself to device drivers and it makes its way from one device to another as I do my scans, since I experience different oddities that come and go while I try and source the problematic software.

Any help or suggestions to fight back against this nasty infection would be much appreciated. Thank you.

Edited by pbolduc, 13 September 2018 - 11:42 AM.

#2 pbolduc

  • Topic Starter
  • Members
  • 4 posts

Posted 14 September 2018 - 05:06 PM

I think I may have finally identified the service which is hiding the rootkit. The service is called ufldypob.sys and it is located in %localappdata%\temp\ufldypob.sys. The ufldypob.sys is not a visible file on the file system as a result of the service hiding the file.

The associated service registry key is set to start this driver automatically on start-up under: HKLM\System\CurrentControlSet\Services\ufldypob.sys.

I will disable this service, which should reveal the infection to the computer, and I'll let the anti-virus clean up the rest.


Edited by pbolduc, 14 September 2018 - 05:10 PM.
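The finding above (a kernel driver service whose image lives under a temp directory and whose file is hidden from the file system) can be checked for generically. The following PowerShell is an added example, not code from either poster or from BleepingComputer; the function name and the list of suspect directories are assumptions, and it is meant to be run from an elevated prompt as the affected user.

```powershell
# Added example (not from the thread). Lists kernel/file-system driver services
# whose ImagePath points into a temp directory and reports whether the referenced
# file is visible to the normal file API. Function name and directory list are
# assumptions. Run elevated, as the affected user, so %LOCALAPPDATA% expands correctly.
function Find-TempDriverServices {
    [CmdletBinding()]
    param(
        # Directories a legitimate driver has no business loading from (assumption)
        [string[]]$SuspectRoots = @("$env:LOCALAPPDATA\Temp", $env:TEMP, "$env:SystemRoot\Temp")
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER
        if (-not $props -or $props.Type -notin @(1, 2) -or -not $props.ImagePath) { continue }

        # Normalise the path forms the loader accepts: environment variables,
        # the \??\ NT prefix, \SystemRoot\, and paths relative to %SystemRoot%
        $path = [Environment]::ExpandEnvironmentVariables($props.ImagePath)
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

        $hit = $SuspectRoots | Where-Object { $_ -and $path.StartsWith("$_\", 'OrdinalIgnoreCase') }
        if (-not $hit) { continue }

        # The registry references a file the file API cannot see: the symptom
        # reported in the thread (a driver hiding its own image)
        $visible = Test-Path -LiteralPath $path -PathType Leaf
        $sig = if ($visible) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'file not visible' }
        [PSCustomObject]@{
            Service     = $key.PSChildName
            StartType   = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath   = $path
            FileVisible = $visible
            Signature   = $sig
        }
    }
}

# Usage: review flagged entries before changing anything
Find-TempDriverServices | Format-Table -AutoSize
```

A flagged entry with FileVisible false is exactly the situation described in the post; confirming it still needs an offline scan or a forensic tool that reads the disk without going through the running kernel.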


#3 nasdaq

  • Malware Response Team
  • 40,456 posts

Posted 15 September 2018 - 08:22 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

If you would like, I can check the computer for remnant items.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click "Attach this file".
Click the "Add reply" button.
===

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions.

#4 nasdaq

  • Malware Response Team
  • 40,456 posts

Posted 21 September 2018 - 07:52 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.