Final stretch, nothing to lose: going to WAR with my rootkit! Any input appreciated!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by aSILENTfire, Apr 17, 2013.

  1. aSILENTfire

    aSILENTfire Private E-2

    Please, please help me!

    College finals are coming up, and I have a test online tonight, but am unable to fill in any form in any browser on my school site on my network.

    Anyway, I'm sick and tired of it, so I'm going to pull a marathon war session here.. I don't want to go on too long with background information as what I'm trying to do is pretty straightforward, but let me sprint through the briefing:

    (this ended up being kind of long, the bottom part is the URGENT part, so if you like, please just skip past the quoted text.)

    SITREP!
    I have just erased the hard drive on my laptop with DBAN; I am using HBCD 15.2 and/or the latest UBCD to access it now. A previous Hitman scan mentioned something along the lines of "a hook? on the hard drive that can hide things from the scan", and I have never been able to successfully scan for a rootkit/bootkit.

    In Hirens, GMER 1.0.15.15281 reported approx 10 things while scanning X:\ and B:\ (both should be on RAM, but IDK), then I got a BSOD (bluescreen) reporting "IRQL_not_less_or_equal". I rebooted and rescanned X:\ with GMER; most of the things it found are gone, but there are 63 Disk entries with the name \Device\Harddisk0\DR0 with the value "sector [01..63]: copy of MBR".
    I am running from miniXP, so the 5 other entries such as "kernel module suspicious modification" are probably due to that.

    TDSSKiller also opened and appeared to run, although I could not check Loaded modules. It reports No threats found, but its Duration was 00:00:00 long. 2 objects processed, details + show information messages = objects: System memory; [Global]; \Device\Harddisk0\DR0 all OK.

    RootkitRevealer does not run, it extracts in a cmd window then closes. I have had this problem on every computer I have owned on every operating system I can imagine..

    !OBJECTIVE!

    The objective is to secure the hard drive, by any means necessary! If that means tossing it into Mordor then I would do it. my precious!!!

    It would be nice to have a normal detection of this thing with some antirootkit program, but I don't think I will have that pleasure.. I want to have every and all of those 1s and 0s FUBAR. I need to destroy the MBR, plus any and all other backup/hidden/evil sectors on that disk.

    Then and only then can the MBR and OS be built.. On a flat surface, not a bug or byte in sight.


    Thank you so much!

    Significant contributions to the success of this operation will not be overlooked.
     
    Last edited: Apr 17, 2013
  2. aSILENTfire

    aSILENTfire Private E-2

    Progress: most disk wiping utilities that I have tried either don't see the disk or see it as around 470GB instead of 500GB. But a program called HDD Low Level Format Tool 4.25 by HDDGURU sees the disk:

    [0] Hitachi HTS545050A7E380 GG20A6C0 [500.1 GB]
    device capacity: 976,773,168 sectors

    Unfortunately it fails to format or perform a quick wipe (just remove partitions and MBR) at "Locking device..." with the message:

    Unable to lock device. Make sure you do not have open files on this device and try again.

    I remember trying to use hdparm to perform a secure erase on the HDD last night, and it was frozen by the BIOS. Going into sleep mode is supposed to unfreeze it but my laptop won't wake from sleep mode now for some reason. I turned off the power management stuff in the BIOS but it still won't fully wake; the capslock/numlock keys are responsive and everything seems to work but the screen doesn't wake.

    Anyway, I'll be trying to unlock the hard drive, feel free to jump in if you have any thoughts. Thanks
     
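    Added example (not from any post in this thread): the "frozen by the BIOS" state above is the ATA security feature set in its frozen condition. Most firmware sends SECURITY FREEZE LOCK to every drive at boot, and a frozen drive refuses SECURITY ERASE UNIT no matter what hdparm asks; suspend-to-RAM and resume is the usual way to get the drive re-initialised without the freeze, which is what the post is attempting. The script below reads `hdparm -I` output and classifies the drive as frozen, ready or unsupported, and reads `hdparm -N` output to report sectors hidden behind a Host Protected Area. The two SAMPLE_* strings are constructed in the layout of `hdparm -I` output (they are not from the poster's Hitachi); the hdparm flags in secure_erase() are hdparm's own, and that function is destructive. On the capacity discrepancy mentioned above: 976,773,168 sectors x 512 bytes is 500.1 GB but only 465.8 GiB, so "around 470GB" is most likely the same disk shown in GiB, but an HPA or DCO can also hide sectors, so the -N check is worth running before any wipe.

```shell
#!/bin/sh
# Added example, not code from the thread. Decide whether an ATA drive can take
# SECURITY ERASE UNIT from a Linux live CD and report HPA-hidden sectors.
# SAMPLE_* strings are constructed in the layout of `hdparm -I` output.

SAMPLE_FROZEN='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

SAMPLE_READY='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Reads `hdparm -I DEV` output on stdin and prints one word:
#   frozen       feature set present but frozen: erase commands will be refused
#   ready        security supported and not frozen
#   unsupported  no Security section, or feature set not supported
ata_security_state() {
    sec=$(sed -n '/^Security:/,/^[A-Za-z]/p')
    if ! printf '%s\n' "$sec" | grep -q '^[[:space:]]*supported'; then
        echo unsupported
    elif printf '%s\n' "$sec" | grep -q '^[[:space:]]*frozen'; then
        echo frozen
    elif printf '%s\n' "$sec" | grep -q 'not[[:space:]]*frozen'; then
        echo ready
    else
        echo unknown
    fi
}

# Reads `hdparm -N DEV` output ("max sectors = visible/native, HPA is ...")
# on stdin and prints native minus visible, i.e. sectors the OS cannot see.
hpa_hidden_sectors() {
    nums=$(sed -n 's/.*max sectors *= *\([0-9]*\)\/\([0-9]*\).*/\1 \2/p')
    if [ -z "$nums" ]; then echo unknown; return; fi
    set -- $nums
    echo $(($2 - $1))
}

# DESTRUCTIVE. Runs the drive's own firmware erase on $1 using an arbitrary
# temporary password (the drive clears it when the erase completes). Needs root.
secure_erase() {
    dev=$1; pw=${2:-tmp-erase-pw}
    case "$(hdparm -I "$dev" | ata_security_state)" in
        ready) ;;
        frozen)
            echo "$dev is frozen (BIOS sent SECURITY FREEZE LOCK at boot)." >&2
            echo "Suspend to RAM (echo mem > /sys/power/state), resume, then rerun." >&2
            return 1 ;;
        *)  echo "$dev: no usable ATA security feature set; fall back to dd/DBAN." >&2
            return 1 ;;
    esac
    hdparm --user-master u --security-set-pass "$pw" "$dev" || return 1
    if hdparm -I "$dev" | grep -q 'supported: enhanced erase'; then
        hdparm --user-master u --security-erase-enhanced "$pw" "$dev"
    else
        hdparm --user-master u --security-erase "$pw" "$dev"
    fi
    # Afterwards Security should read 'not enabled' again; show the section and
    # the first bytes of sector 0 (the MBR) so the operator can eyeball both.
    hdparm -I "$dev" | sed -n '/^Security:/,/^[A-Za-z]/p'
    dd if="$dev" bs=512 count=1 2>/dev/null | od -A n -v -t x1 | head -n 2
}

# Stand-alone: `sh ata-erase.sh --erase /dev/sdX` erases; no arguments just
# classifies the constructed samples so nothing on the machine is touched.
if [ "${1:-}" = "--erase" ] && [ -n "${2:-}" ]; then
    secure_erase "$2"
else
    echo "sample frozen drive : $(printf '%s\n' "$SAMPLE_FROZEN" | ata_security_state)"
    echo "sample ready drive  : $(printf '%s\n' "$SAMPLE_READY" | ata_security_state)"
    echo "sample hdparm -N    : $(printf ' max sectors   = 900000000/976773168, HPA is enabled\n' | hpa_hidden_sectors) sectors hidden by HPA"
fi
```

    On real hardware, run `hdparm -I /dev/sdX` and `hdparm -N /dev/sdX` first; if the drive reports frozen after every resume, the firmware is re-freezing it and a different boot path (or a USB-to-SATA adapter on another machine) is the usual workaround.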
  3. aSILENTfire

    aSILENTfire Private E-2

    PLEASE! Someone help, I have a lot of homework to do, I just want to wipe the drive.. please
     
  4. aSILENTfire

    aSILENTfire Private E-2

    *inserts laptop in microwave* :hammer
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Continued posting bumps your thread to the bottom of the work queue as noted in the below sticky/pinned thread.

    Forum Rules and Guidelines - Do not post HijackThis logs

    I'm not clear on exactly what you are asking help for. If you are looking to totally erase your hard disk then you are posting in the wrong forum. This is the Malware Removal forum. For questions about software, you should post in the Software Forum. For questions about hardware, please post in the Hardware Forum.
     
  6. aSILENTfire

    aSILENTfire Private E-2

    Well, I just wanted to remove the malware, plain and simple; I didn't care if anything worked afterwards, I just wanted it gone. It turned out there was a suspicious modification of the MBR, and I used a tool to reset it and then filled the disk with 00s (and reset the MBR again), then I was able to run DBAN without problems. It's looking good so far!

    If anyone has a really bad persistent infection, it might be a bootloader. If you're going to reformat anyway, I recommend looking into cleaning out your boot sectors as well, as that is overlooked in a typical disk wipe.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are many types of MBR infections these days. Most can be removed by simply rewriting the MBR; however, there have been a number of new types that either block rewriting the MBR or that are actually partition infections. Some of these (if not most) can be removed by malware removal processes which will remove the partition infections. The brute force method can also be used. This brute force method is to simply delete all partitions on the hard disk, then recreate new partitions, format and reinstall. Formatting is not sufficient with these kinds of infections.
     
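    Added example (not from any post in this thread) covering the two posts above: checking a 512-byte MBR (boot signature at offset 510, four 16-byte partition entries from offset 446, bootstrap code in the first 440 bytes), recording a checksum of the bootstrap code so a later rewrite can be noticed, and the "reset the MBR and fill with 00s" step, extended to the whole gap before the first partition because GMER's "sector [01..63]: copy of MBR" entries in the first post are exactly the kind of sectors a format leaves alone. The disk image is constructed here (a 1 MiB file with made-up bootstrap bytes and one NTFS-type entry), not taken from the poster's drive; pointing mbr_scrub at a real /dev/sdX from a live CD destroys that disk's partition table, which is the intent in this thread but worth saying.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect and scrub the first track
# of a disk on a constructed 1 MiB image file. The same functions work on a
# block device from a live CD; only mbr_scrub writes.

# Sector 0 of $1 as one 1024-character line of lowercase hex (2 chars/byte).
mbr_hex() {
    dd if="$1" bs=512 count=1 2>/dev/null | od -A n -v -t x1 | tr -d ' \n'
}

# "ok" if the boot signature 0x55AA sits at byte offset 510, else "bad".
mbr_signature() {
    if [ "$(mbr_hex "$1" | cut -c1021-1024)" = "55aa" ]; then echo ok; else echo bad; fi
}

# Number of partition entries (offset 446, 16 bytes each) whose type byte
# (entry offset 4) is non-zero. A "formatted" disk still has these.
mbr_partition_count() {
    mbr_hex_line=$(mbr_hex "$1")
    count=0; idx=0
    while [ "$idx" -lt 4 ]; do
        pos=$((901 + 32 * idx))      # hex chars of byte 446 + 16*idx + 4
        type_byte=$(printf '%s' "$mbr_hex_line" | cut -c"${pos}-$((pos + 1))")
        if [ "$type_byte" != "00" ]; then count=$((count + 1)); fi
        idx=$((idx + 1))
    done
    echo "$count"
}

# Checksum of the 440 bootstrap-code bytes (before the disk signature at
# offset 440). Record it on a known-clean install; a different value later
# means something rewrote the boot code. cksum is POSIX CRC; sha256sum is
# the better choice where it exists.
mbr_bootcode_sum() {
    dd if="$1" bs=1 count=440 2>/dev/null | cksum | cut -d' ' -f1
}

# Zero sectors 0..N-1 (default 2048, the gap before a modern first partition,
# which also covers the 63 "copy of MBR" sectors GMER listed), then confirm
# sector 0 reads back as all zeros.
mbr_scrub() {
    dd if=/dev/zero of="$1" bs=512 count="${2:-2048}" conv=notrunc 2>/dev/null
    if [ "$(mbr_hex "$1")" = "$(mbr_hex /dev/zero)" ]; then echo scrubbed; else echo failed; fi
}

# Constructed image: 2048 zero sectors, made-up bootstrap bytes (JMP + NOPs),
# one bootable type-0x07 entry starting at LBA 2048, and the 0x55AA signature.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    printf '\353\001\220\220\220\220\220\220' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf '\200' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null   # bootable flag
    printf '\007' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null   # type 0x07
    printf '\010' | dd of="$1" bs=1 seek=455 conv=notrunc 2>/dev/null   # LBA start 0x800
    printf '\010' | dd of="$1" bs=1 seek=459 conv=notrunc 2>/dev/null   # length 0x800
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Stand-alone: with a path argument, inspect it read-only; with none, run the
# full inspect/scrub/inspect cycle on the constructed image.
if [ -n "${1:-}" ]; then
    echo "signature=$(mbr_signature "$1") partitions=$(mbr_partition_count "$1") bootcode=$(mbr_bootcode_sum "$1")"
else
    tmp=$(mktemp) && make_sample_image "$tmp"
    echo "before: signature=$(mbr_signature "$tmp") partitions=$(mbr_partition_count "$tmp") bootcode=$(mbr_bootcode_sum "$tmp")"
    echo "scrub:  $(mbr_scrub "$tmp")"
    echo "after:  signature=$(mbr_signature "$tmp") partitions=$(mbr_partition_count "$tmp") bootcode=$(mbr_bootcode_sum "$tmp")"
    rm -f "$tmp"
fi
```

    After mbr_scrub the disk has no signature, no partition table and no bootstrap code, which is the state the post describes before handing the drive to DBAN; a drive that still shows a non-zero sector 0 immediately after the scrub is either not the device you think it is or is being written through something that intercepts the writes, and either way is not ready to reinstall on.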
  8. aSILENTfire

    aSILENTfire Private E-2

    Thanks, I'm actually using Windows 8 secure boot now, any opinions on that?

    When I tried to fill the MBR with 00s it looked like it worked, but there were, I think, 4 symbols towards the end of the sector that kept coming back.. One program would always tell me my MBR was unrecognized/corrupt or modified, with XP's default MBR and Windows 7's default, as well as "wiped*".

    I'm trying NoVirusThanks EXE Radar Pro, I like it, but I'm seeing a few Windows OS files that are not signed by Microsoft.. like system32's rundll32.exe, and TiWorker... and a few more I don't remember..

    Shouldn't these windows OS files be signed by Microsoft? What gives?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not currently. I'm sure it will be just a matter of time before malware figures out how to circumvent this. And if/when you do get malware, the secure boot feature will probably make it very difficult if not impossible to repair.

    Yes you would think so. Especially rundll32.exe. If that is not signed then it is not the valid MS file. Same for TiWorker.exe.

    You should check their Properties yourself.
     
  10. aSILENTfire

    aSILENTfire Private E-2

    I was just watching procmon (Process Monitor, by Sysinternals) and I had thousands of "buffer overflows", "remote management", and something like "BOOTVID", and also my command prompt is not signed by Microsoft.

    I'll admit I've never learned to use this program properly, but in the Event Stack summary there was one anomaly, and still is: WinLogon.exe has only one entry under "count" and has 9 descendants, all in the system32 or SYSTEM32 folders, and may have previously been in the System32 folder. The names include:

    U winlogon.exe
    U RtlUserThreadStart + 0x21
    U BaseThreadInitThunk + 0x1a
    U RtlFreeActivationContextStack + 0x21c
    U RtlExitUserThread + 0x4e
    U ZwTerminateThread + 0xa
    K KeSaveStateForHibrenate + 0x2a33
    K RtlDowncaseUnicodeString + 0x1d20
    K RtlDowncaseUnicodeString + 0x1c0e
    K NtCreateEvent + 0x2148
     
    Last edited: Apr 25, 2013
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have questions about or issues with how Windows 8 is working, I suggest that you post in the Software Forum to have a general discussion about it. We are really too busy here removing malware and fixing damage caused by malware to work on non-malware topics. :) My Windows 8 files are signed. I suggest that you check yours manually by right-clicking on the files, selecting Properties and then looking at the information on the Details tab to see if signing info shows up.
     