Solved Rootkit? Bootkit? Kernel? IDK but I've never dealt with a virus like this


yarr

So this virus has taken over 4 computers at my house so far. Formatting didn't remove it, but I also recognized that my router had something installed on it called chrootkit, so I've been trying to repair these PCs offline or using a mobile hotspot. The problem is that even using this method the infection persists through formats. I also figured out the virus uses sideloaded elevation techniques to gain access. I was able to find an ntuser.dat it loaded, and it seems to use Windows cloud host, biometric loader and an X.509 certificate to gain a strong foothold on the computers. It also uses wmic and wfpud (whatever that is). The problem is I only have control of the PC for about 15-30 minutes each time before losing administrator access. There has been no ransom or encrypted files so far that I've been able to tell. As for Malwarebytes, the scan picks up nothing across the board every time, but I will continue to run it and try to produce something for you. Anything more I'm able to find out or remember I will report.

Attachments

  • FRST.txt (46.2 KB)
  • Addition.txt (11.4 KB)
  • RadarPro.Events.2019-03-16 - Copy.log (145.3 KB)
  • Shortcut.txt (27.9 KB)

yarr

I have files from a second install where I did not use anti-exe; if those are helpful in any way, they will be attached here.

Changed title to something a little more unique.

Attachments

  • FRST.txt (50.3 KB)
  • Addition.txt (14 KB)
  • Shortcut.txt (28 KB)

yarr

That's kind of the problem for me so far. I really just don't know what to do. :(

Andy Ful

From Hard_Configurator Tools
What partition do you use, MBR or GPT?

Edit.
On another thread, you mentioned that after the formatting you installed Windows while connected to the router. All the computers in your home network are infected, and this usually happens when the router is infected. You have to disconnect the router from all computers and from the Internet, and restore the factory settings/firmware. Change the router's default admin password. Set the appropriate router setting to disable the remote management feature. After that (router still disconnected from all infected computers) you have to format the system disk and install fresh Windows. If this helps, then you have to do it on all the computers in the home network.
Finally you can connect the computers to the router. It is important to keep the router disconnected from all infected computers, because an infected computer can re-infect the router.
The router infection can be related to firmware vulnerabilities, so a firmware update is welcome.

yarr

GPT usually, but I might try MBR if it makes things easier. My main PC uses Optane and I'm not sure if that's compatible though.

Andy Ful

We made our posts at the same time. Did you read my edited post?

yarr

Yes, thank you. I will try this; I bought an all-new router just to be safe. I was very surprised when I found out the virus was still there after using DBAN. When I made that post I hadn't yet become aware of the router's infection, but now it makes more sense that I was reinfected by the router. I wiped the disk of one of the PCs last night, so when I get home I'll post an update after installing Windows. Thanks again for helping.

yarr

Ok, so after formatting and installing, this time it was back again. No connection to the web at all. I guess that means it is some sort of bootkit infection. For some reason it would not let me take screenshots or copy text files I found suspicious, so I took some photos. Some of these things may be normal, but I'm no IT guy. (Just trying my best)

Uploading the album now; I will whisper you the link in case it shows sensitive details.

Andy Ful

What are the visible and concrete signs of the infection? Can you identify any payloads?
Can you install anti-exe and post the concrete alerts? Can you identify any command lines with wmic.exe, powershell.exe, cmd.exe, wscript.exe, cscript.exe, scrcons.exe, etc.?
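
As an added example (not code from the thread or from Hard_Configurator), one defender-side way to collect the command lines Andy asks about: Windows records every process start in the Security log as Event ID 4688, and when command-line auditing is enabled the CommandLine field is filled in. The function name and the 48-hour window are my choices; the policy prerequisites are stated in the comments.

```powershell
# Added example, not from the thread: list recent process-creation events
# (Security log, Event ID 4688) for the script hosts and utilities Andy Ful
# named, with the launching user, parent process and command line.
# Assumes "Audit Process Creation" is enabled and the policy
# "Include command line in process creation events" is set, otherwise the
# CommandLine field is empty. Run from an elevated PowerShell prompt.

function Get-WatchedProcessCreation {
    param(
        [string[]] $Watched = @('wmic.exe', 'powershell.exe', 'cmd.exe',
                                'wscript.exe', 'cscript.exe', 'scrcons.exe'),
        [int] $Hours = 24
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }

    # Get-WinEvent raises a non-terminating error when nothing matches; ignore it.
    foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Flatten the <Data Name="..."> elements of the event into a hashtable.
        $xml  = [xml] $event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $image = $data['NewProcessName']
        if (-not $image) { continue }
        $leaf = [System.IO.Path]::GetFileName($image).ToLowerInvariant()

        if ($Watched -contains $leaf) {
            [pscustomobject]@{
                Time        = $event.TimeCreated
                Process     = $image
                Parent      = $data['ParentProcessName']   # absent on older Windows builds
                User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                CommandLine = $data['CommandLine']         # empty if command-line auditing is off
            }
        }
    }
}

# Review on screen, and save a copy that can be attached to a forum post.
$hits = Get-WatchedProcessCreation -Hours 48
$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
$hits | Export-Csv -Path "$env:USERPROFILE\Desktop\process-creation.csv" -NoTypeInformation
```

The log is read from a machine that may itself be compromised, so treat the output as leads to post and compare against anti-exe alerts, not as proof of what ran.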

yarr

I'll do what I can to find something for you. I wish I had more know-how, because I feel like I can't put together exactly what's going on besides that it's abnormal, and the more I prod the more it seems to get worse, especially when connected to the internet. I'll do my best to gather something together in the next few days.

yarr

I thought I'd give an update. On the PC I am working on, I first installed a new SATA HD and the problem still persisted, but after resetting the CMOS and reinstalling Windows from the Windows USB creation tool made on a non-infected laptop, it seems the things that were making me suspicious are no longer showing signs. I installed Windows without my video card or Optane memory in (not sure if that made any difference); the problem is, when I tried this on my laptop it didn't work. Since things went well the first time, I wasn't able to collect any kind of logs for you, but I thought you may find this interesting. Although I'm unable to update the BIOS on my mobo or video card so far, I think I may be in the clear, at least for PC 1. I think I'll post in the security config section just to make sure I have all my bases covered to avoid reinfection. I plan on posting in here again, but I feel a little out of my depth. When I do find something more, I at the very least plan on sharing it in the forum for information's sake. This isn't the concrete evidence you asked for by any means, but I thought it was interesting and it's where I'm currently at in the process. Oh, and I was able to fix the router as well. Thank you for the help.

Andy Ful

You are welcome. Be safe.