« on: November 22, 2018, 08:09:27 AM »
Hello all,
Since June 11 of this year I have been infected with what I determined to be a kernel-mode rootkit two days after the initial infection. Although I could not prove this is in fact what I was infected with at the time, I am now personally confident without a doubt that unless it's a "virtualized" rootkit (which I know very little about), due to the things I've seen over the past several months, it has to have subverted the Windows Kernel. Hopefully I'm wrong and it is just some very advanced and persistent malware, but nothing that has subverted the Windows Kernel (wishful thinking at this point, in my opinion).
I have attached logs from FRST, GMER, and Adlice Diag. Please note that the scan log from GMER is only composed of the 5 to 10 second auto scan that GMER performs every time it is launched. Just this simple and short auto scan detected 13 hidden rootkit/malware Services. GMER then notified me of these detections and asked me if I wanted to conduct a full scan. Of course I clicked yes, however for the first time out of the 50+ times I've run GMER on my infected computers (yes, there are multiple infected systems, including a dedicated server), it was scanning very, very slowly. However, for the first time ever (unsurprisingly as far as I'm concerned), it wasn't detecting anything. With that said, due to the fact that it was running so slowly, I could see (in the status bar on its GUI) that it was scanning over hooks that it had detected as malicious many times in the past. If this doesn't indicate a kernel-mode rootkit, I'd love to know what it is that is present on my systems. Lastly, for some reason GMER always eventually triggers a BSoD when I run it on any system that has Windows 10 installed. However, on any system with a version of Windows below version 10, there is no BSoD.
As far as aswMBR, it too triggers a BSoD on all Windows 10 systems. Please note that I also attached a screenshot of the GMER GUI displaying the 13 hidden rootkit/malware Services after it had finished its auto scan. Lastly, there is a screenshot that shows an RPC error. This error occurred when I tried to open the "rKits_mWare.png" screenshot with the results hours after I had taken it. Whether it's related to any rootkit(s) or malware that is present on my systems, I cannot be 100% certain.
Below I'm going to try my best to only list certain things that I feel are important enough to include in my original post. There will be a lot that I leave out, but I will only come forth with the information that will be left out if requested to do so (as in, if it's even needed).
1) If you take a look at the attached screenshot "Corrupted_MBR.jpg" you will see that my current MBR is corrupted, however this is nothing new. The message is displayed very early within the boot process and it doesn't matter whether I select Yes or No. This message is occurring on the computer that generated the attached scans.
2) Ever since the initial infection, I've honestly lost count but I want to say 4 or 5 HDDs have been "sabotaged" so-to-speak. What I mean by this is the MBR was corrupted beyond repair on one HDD; with another HDD the computer wouldn't or could no longer recognize the HDD (the same computer quit recognizing any removable media inserted into its USB ports two to three hours before it restarted on its own, only to not be able to boot because it could no longer recognize the HDD); then two other HDDs (when trying to install Windows) would trigger the Windows 10 Advanced System Repair (but of course it could not be repaired and these HDDs are now useless), and with these same HDDs, I remember trying to install Ubuntu but was met with an error that mentioned the Windows Kernel (although this is all I remember about this specific error message); and lastly these last two HDDs I'm referencing could no longer boot into Live Windows or Linux environments. I believe there was one more HDD that was rendered useless, but this was the first one to go very early on, and I'm pretty sure that aside from the HDD, the one and only Administrator account all of a sudden was disabled and the only other accessible User account couldn't perform basic tasks such as launching File Explorer, Task Manager, etc.
3) Within the past two or three weeks, for reasons unknown to me, the rootkit(s) and/or other malware that has been dropped and loaded since the initial infection really started attacking certain systems. One system could no longer access the Internet and would not even make an attempt to connect upon booting into Windows. From then on I was prevented from opening Settings, the Network and Sharing Center, running any troubleshooters, etc. Also, on every infected system, one of the hallmark traits of these infection(s) is that (of course) Windows Update is rendered useless.
4) *VERY IMPORTANT* With all of these HDDs being rendered useless, surely I replaced at least one of them with a new HDD, right? Yes, I did, and the rootkit(s)/malware survived this HDD replacement. Although I had not flashed the BIOS on this particular computer in which I replaced the HDD at this point, I think it's important to point out that the computer I am speaking of is the same computer that generated all of these scan logs. What's more, I literally just formatted this same computer for likely the 7th or 8th time within the last month and a half (no, I'm not kidding), with the latest format and subsequent re-installation of Windows occurring only several days ago on 11/16/2018 at 1:42:45 PM. This is important because prior to re-installing Windows this time around, I did go ahead and flash the BIOS, and I also securely erased and wiped my current HDD sector by sector after purchasing a program which I will not name or link to out of fear that doing so would break forum rules and/or policies. What I will say is that this program can be installed locally, or it can be burned as an ISO file, thus creating a Windows PE Live CD/DVD/USB which I verified can boot on both Windows 7 Pro and Windows 10 Pro systems without any problems (I opted for the live boot option using a DVD).
The last thing I'll say about this software is that one of the many data sanitization methods it utilizes is DoD 5220.22-M, which was once the official software-based data wiping standard for several US governmental agencies. However, this doesn't impress me in the least bit, and neither does the fact that I was either re-infected by the rootkit(s)/malware (wherever they may be hiding), or it's even possible I didn't need to be "re-infected" again, because formatting during a regular Windows installation, securely erasing and wiping the disk, flashing the BIOS, and most importantly, a darn HDD replacement didn't even prevent this nasty thing from either maintaining persistence or regaining persistence.
5) *VERY IMPORTANT* Over the last week or so, MEGAsync, SpiderOakONE, Chrome, Firefox, and possibly another program or two I am forgetting (all of which are currently installed and running on the system that generated the scan logs) alerted me to the fact that it was highly possible that there were active Man in the Middle attacks being conducted within my OS environment. Although I personally have not had any of my accounts compromised thus far (that I know of at this point), others who own computers infected by these rootkit(s)/malware haven't been so lucky. Two different people have had their personal debit card information stolen and fraudulent charges were transacted, and one of these people also had the bank account and debit card of the company they work for compromised as well. When it comes to the company's bank account information being compromised, the perpetrators used this info to print out fraudulent checks, and they were good enough fakes that they were able to cash them without any issues.
6) *IMPORTANT* I currently have SMB v1 and SMB v2 enabled (not by choice) on a minimum of two systems that I'm aware of, and even more than these two systems (likely ALL infected systems) have a hidden Remote Admin share enabled, as well as a hidden Remote IPC share. The Admin share can be removed but it immediately returns after the computer(s) are rebooted and the IPC share cannot be removed. If needed, I can provide screenshots of these shares as well as any other evidence pertaining to the things I've mentioned within this post.
I could literally go on and on for the next 24 hours (probably longer), but I think this is plenty of information, not to mention a good stopping point. However, PLEASE NOTE that whichever helper is assigned to my thread (as well as any Moderators or Admins on this forum), I do have some very important information I need to share with the helper at the very least, although I am not willing to do so in public (you will understand why). With that said, once my helper has been assigned I will send him/her a PM with this information and in the meantime (or at any time) if any Moderators or Admins would like to be privy to this private information, please send me a PM and I will respond accordingly.
Thanks to everyone in advance for taking the time to read my thread. I will be patiently awaiting a response from whichever helper I am assigned. Lastly, if any further information and/or screenshots/logs will be required from me (in case the attached logs and screenshots in this post are not enough), please do not hesitate to ask, because I have loads and loads of both screenshots and logs, as well as notes and likely other things that I have saved over the past several months. I would only need to gather all of this info and put it in one spot, as it's currently spread across various systems and removable media. However, judging by the previous malware removal threads that have been posted which I have read, I'm not sure any of this will be necessary, although I wanted to make sure I offered anything and everything I've accumulated.
Thanks again!
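Point 6 of the post reports SMB v1/v2 enabled plus hidden ADMIN$ and IPC$ shares that reappear or cannot be removed. The following read-only PowerShell inventory is an added example, not something from the original post or from any tool it mentions; it collects exactly the evidence a helper would ask to see for that point, using only built-in cmdlets (Get-SmbServerConfiguration, Get-SmbShare, Get-WindowsOptionalFeature, Get-ItemProperty, Get-SmbSession) on Windows 8.1/10 or Server 2012 and later, run from an elevated prompt. The registry path and value names are the standard LanmanServer parameters; nothing here changes configuration.

```powershell
# Added example (not from the original post): read-only inventory of the
# SMB dialect settings and administrative shares described in point 6.
# Requires an elevated PowerShell 5.1 prompt; makes no changes.

Write-Host "== SMB dialects the server side will accept =="
# EnableSMB1Protocol = True on a fresh Windows 10 install is unexpected;
# SMB2 enabled is normal and not by itself a sign of compromise.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature, EncryptData |
    Format-List

# On Windows 10 SMB1 also ships as an optional feature; "Disabled" is the
# expected state unless someone (or something) turned it on.
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State |
    Format-Table -AutoSize

Write-Host "== Special (administrative) shares currently published =="
# ADMIN$, C$ (one per drive) and IPC$ are Windows defaults: IPC$ cannot be
# removed, and the others are recreated at boot while AutoShare is enabled.
# Any *other* hidden share in this list is what deserves a closer look.
Get-SmbShare | Where-Object { $_.Special } |
    Select-Object Name, Path, Description |
    Format-Table -AutoSize

Write-Host "== AutoShare values (missing or 1 = admin shares recreated at boot) =="
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Get-ItemProperty -Path $lanman |
    Select-Object AutoShareServer, AutoShareWks |
    Format-List

Write-Host "== Live SMB sessions from other hosts =="
# A session from a machine or account you do not recognise, on a system
# that should not be sharing anything, is concrete evidence worth attaching.
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Format-Table -AutoSize
```

Save the output of this script alongside the FRST and GMER logs: it answers, in one place, whether SMB1 is really enabled, which hidden shares are the stock Windows ones, and whether anything is currently connected over SMB, which is what distinguishes the default ADMIN$/IPC$ behaviour from an actual unauthorized share.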