th3k3rst

Members. Posts: 8. Reputation: 0 Neutral.
  1. I updated, aswMBR is still crashing my system. Now I have to learn how to read .dmp files! This is actually pretty awesome.
  2. Hi Kevin. Sorry for the delay. I kind of freaked out because this machine started acting funny again. I did a clean reinstall. However, I did not totally reformat, which might be something I should do. I am a bit hyperactive, and I am trying my best to take a hands-on approach because I am trying to develop a new skill. I realize that what I have done may throw your work off track, and I apologize for that. I do APPRECIATE your time. A quick question: since this was a memory-based rootkit, would it also employ writing something to the HDD? So, after my reinstall, the asw still comes back as unknown MBR. There are two recovery sections. One is the Windows one, the other is the OEM-HP one. I have also run a live Lubuntu on this machine. However, I have not done this since the reinstall. I am thinking (HOPING!!!) that it's the OEM partition throwing this off. Due to my hyperactivity I've been sort of scrambling, so I ran RogueKiller as well. Trying to run aswMBR now causes my system to crash. I assume it's because of RogueKiller. I am going to uninstall that right now. For kicks, here's the rogue log. That DHCP is my ISP. This log lists the HP as the unknown, I think. Those other errors I haven't been able to figure out. (attachment: rogue.txt)
  3. Here is the GMER. You know, I just reset and reconnected my router. It wouldn't let me connect, says bad ether adapter, airplane mode flashes on and off. Unhooked the router and twice I've seen a cmd window flash and close. This thing evaded detection for almost 2 months. I couldn't catch it until it was active. I hope this thing didn't come back somehow through my router. It appears to have been using the system process to do its thing, so I have my firewall set to notify of all system activity. IDK what else to do. (attachment: ark.txt)
  4. I'm sorry if I wasn't clear, I do that sometimes. I hope I haven't wasted your time. I had already removed it. The attachment is the removal log. I was trying to see if everything was gone. I have a couple of questions, if you have a sec, about this infection. I have found entries in the reg matching the open shell command key of the infection. They are empty but still there. I guess I am trying to find out where I could look to find remnants or active elements in this system. (attachment: lksdfk;las.txt) Also, do you think there might be something in my router or modem? Stuxnet flashback...
  5. Awesome, thank you for your time. It is not wasted on me! I have to run a new FRST anyway because I deleted a few things. Just a thought... I am by no means an authority, but I am a knowledgeable end user. When I stepped in to help, there were signs of a bad infection, but nothing could find it. These attacks have exploded this year and maybe some pointers on what to watch for could help others. I am also concerned about the way I found it. There is probably something to this; if we could figure out what works to bring these buggers out, that could be of even greater help... It's scary, because people who don't fully understand the basics would never even know what's happening. The only way this one was caught was by its blowing through the low data limit here. When I spoke with the ISP, the first thing they tried to do was sell me more data! The layperson probably would have done that and gone on their way fully infected. Another concern for me is what this thing was doing; there was a constant data flow with spikes on certain days. Were they stealing the info from this PC, and could it have spread to other devices over WiFi? There is no home network here, just a wireless signal. Or was this just a part of a botnet or some sort of data network? Probably both, huh? Again, thank you for your time. (attachments: FRST.txt, Addition.txt)
  6. Wow. So, I just talked to Norton support. That's our current subscription. The person I spoke with was nice and helpful, but when I told him I had removed a fileless rootkit he said those don't exist. I told him about my data usage issues, and showed him in Windows data usage that SYSTEM had used 332 GB of data in the past 30 days. I suppose he was just being technical about the term "fileless", but when I showed him the MBAM logs he said that the entries were false positives since there was a zero value in the physical vector section. Now, my understanding is that is the whole point, hence the handle "fileless". It's dropped in memory, not the HDD, which is what the physical vector part is, right? I tried to direct him to the recent Wilders Security post about the rise of "fileless" rootkits. I think the term should ring bells right away with anyone who is up to date with what is going on? He also told me that the problem was probably in my router? Is that something this type of infection does? I really appreciate his help, but I just feel like maybe he wasn't exactly on the same page. IDK, he's a lot smarter than I am, so what can I say?
  7. I wasn't thinking and I just deleted it. I should have saved it for a sample. Could I do a sys restore, sandbox it, then catch it?
  8. My data usage quadrupled in a month. Checked Windows data usage and it said "SYSTEM" used 332 GB in the past month. Knew something was up. Ran a bunch of scans, plus I have Norton, nothing. Disconnected the router to scan WiFi devices. Hooked the router back up and something started trying to call out. MBAM caught it, Norton did not. Ran a scan and sure enough... (see attachment 1: lksdfk;las.txt) I'm also attaching the FRST. Let's see if anything's left. (attachment: sdfhhseghsd.txt)