Topic: Persistent root/bootkit that has tailored device firmware on my peripherals


January 31, 2019, 10:39:01 am

testuser7error@gmail.com

I'm dealing with a variant of APT-28's root/bootkit payload that affects my Windows 10 64-bit machine.
There is absolutely no way I can remove this with any known anti-virus out at the moment. I need someone to come take a look at whether it's possible to do something with a hand-made removal script.
I simply cannot do anything the traditional way in this case. Yes, APT-28/Sofacy has stolen crypto from me before, and after a new computer, this one has grabbed what looks like the same infection.
It's advanced stuff; if anyone is interested in taking a look, I thank you in advance.

PM/email me.

Reply #1, January 31, 2019, 08:43:51 pm

Curson (Global Moderator)
Hi,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller full report with your next reply?

Regards.

Reply #2, January 31, 2019, 09:42:45 pm

Reply #3, January 31, 2019, 11:56:53 pm

Curson (Global Moderator)
Hi,
  • Please download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system.
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected, select Skip for all of them unless I instruct you otherwise.
  • Click Continue.
  • Click Reboot computer.
Please attach the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically C:\), in your next reply.

Regards.

Reply #4, February 01, 2019, 11:43:07 am

testuser7error@gmail.com


Kaspersky found nothing. Rescue disk does not let me load. Yesterday Windows Defender detected a newer trojan version, I attached the trojan detection as well.
System is not clean though.

Reply #5, February 01, 2019, 11:47:36 am

testuser7error@gmail.com

Also a newer scan of RogueKiller, which catches a suspicious registry edit.

https://diag.adlice.com/report.php?id=78e8d70c66c373a69b232faea26b7de8

Also an autorun analysis document by Comodo.
« Last Edit: February 01, 2019, 12:15:55 pm by testuser7error@gmail.com »

Reply #6, February 01, 2019, 01:20:53 pm

testuser7error@gmail.com

Spybot logs & .reg files. This is some wack shit, yo.
« Last Edit: February 01, 2019, 01:27:40 pm by testuser7error@gmail.com »

Reply #7, February 02, 2019, 01:43:07 am

Curson (Global Moderator)
Hi,

These were likely false positives.
There is nothing suspicious in the logs you posted. Does your computer behave in a strange way?

Regards.