Adlice forum
General Category => Malware removal help => Topic started by: testuser7error@gmail.com on January 31, 2019, 10:39:01 AM
-
I'm dealing with a variant of APT-28's root/bootkit payload that affects my Windows 10 64-bit machine.
There is absolutely no way I can remove this with any known anti-virus out at the moment. I need someone to come take a look if it's possible to do something with a hand-made removal script.
I simply cannot do anything the traditional way in this case. Yes, APT-28/Sofacy has stolen crypto from me before, and after a new computer this one has grabbed what looks like the same infection.
It's advanced stuff, if anyone is interested in taking a look I thank you in advance.
PM/email me.
-
Hi,
Welcome to Adlice.com Forum.
Could you please attach the RogueKiller full report with your next reply?
Regards.
-
https://diag.adlice.com/report.php?id=1222c75ab9a24257c8125c31707c7e38
-
Hi,
- Please download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
(http://i1118.photobucket.com/albums/k611/lhs22/tds2.jpg)
- Check Loaded Modules and Detect TDLFS file system.
- If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
(http://i1118.photobucket.com/albums/k611/lhs22/2012081514h0118.png)
- Click Start Scan and allow the scan process to run.
If threats are detected select Skip for all of them unless I instruct you otherwise.
- Click Continue
(http://i1118.photobucket.com/albums/k611/lhs22/tds6.jpg)
- Click Reboot computer
Please attach the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Regards.
-
Kaspersky found nothing. Rescue disk does not let me load. Yesterday Windows Defender detected a newer trojan version, I attached the trojan detection as well.
System is not clean though.
-
Also a newer scan of RogueKiller which catches a suspicious registry edit.
https://diag.adlice.com/report.php?id=78e8d70c66c373a69b232faea26b7de8
Also an autorun analysis document by Comodo.
-
Spybot logs & .reg files. This is some wack shit, yo.
-
Hi,
These were likely false positives.
There is nothing suspicious in the logs you posted. Does your computer behave in a strange way?
Regards.