
Rootkit infection


user1509


Hello, my PC is infected with a rootkit which has persisted over several Windows reinstallations. I think this might be MBR related.

This rootkit enables remote control of my PC over the Internet and creates an "unallocated" area at the end of the disk which I think to be an encrypted partition.

On this Windows installation I have run GMER and aswMBR beforehand, logs attached.

MBAM scan showed nothing.

FRST.txt

Addition.txt

aswMBR.txt

gmerfirstboot.log

gmerfullscan.log


Hi user1509 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me not to reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you not to seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full-time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

If you did a clean reinstall of Windows, the MBR is destroyed and a new one is created, so any rootkit present in it will be wiped. How do you know that your computer is infected with a rootkit, and why do you say that this rootkit enables remote control of it over the Internet?


First of all, thank you for replying.


16 hours ago, Aura said:

why do you say that this rootkit enables remote control

Some sites and services have reported numerous logins from my IP that I did not do, or through certain ways I do not use (cue telnet), and nobody who has physical access to this PC is capable of this. Nor could this be happening if somebody just got into my router.

Sometimes sites showed a different IP from what my router displayed.

Somebody also had the capability to type whatever into browser forms and manipulate some of the devices.

16 hours ago, Aura said:

the MBR is destroyed and a new one is created

I do believe it is getting overwritten, but things outside of it might not be.

I also want to refer to this thread I found which hints that it is indeed possible.

https://community.norton.com/en/comment/672323

As I have already mentioned, somebody had remote control over my PC even after formatting and reinstalling. Diskpart clean should have been able to wipe the MBR as well, yet the rootkit came back even though all the software and drivers were downloaded straight from the net and not from my backup drivers folder outside the disk.

Why do I think it is a rootkit and not just some other malware:

-netstat does not show any out-of-place connections;

-something is using the resources of my PC, as in bandwidth, CPU time, disk space or reads/writes, with no specific program linked to it. For example, CPU usage in Task Manager when idle is off by 20% even if I were to sum up everything including "Idle"; I have never seen this happen before. Of course, the "Show all users" option was checked. Also the unallocated space at the end of the disk is growing in size over time to hundreds of megabytes;

-no antivirus or anti-rootkit tool has been successful in finding anything suspicious, which might be the result of a rootkit hiding itself from the system.

On the current situation:

When I swapped my motherboard, thinking some parts of my hardware were infected (this indeed might be too far-fetched and overly paranoid), for a UEFI one (thus the partition table of a HDD becomes GPT during the install), I was not able to properly reinstall the system. I was getting boot error c0000225 on the second stage of it (after the installation copies the necessary files to the SSD and reboots), which Google says is linked to a hardware configuration change or a boot sector virus. And I did not change any hardware. Then I performed a secure erase of the disk and voila, the installation continues through the second stage until the end without a hitch. So then I decided to post here to have someone help me be sure it is in fact clean, so I inserted a USB stick with all kinds of diagnostic tools like GMER; I did not want to connect my PC to the Internet just yet. When I did, I remembered that I had not disabled the Autorun feature, but did not pay it any mind. After running the tools mentioned in the first post and posting the results here, I left my PC running. When I later came back to it, it displayed the "Windows restored after a serious crash" message. So I shut the PC down, and the next day it won't boot... with a c0000225 error. No option helped: safe mode, repair, last known good configuration, not even a repair from an installation disk and bootrec commands. The reinstallation process breaks after the first stage yet again.

So here I am, lost. I guess I could try doing secure erase and a reinstallation again, but I shall wait for your advice.


Which sites and services? Can you list them, as well as listing how they got your IP address?

Which websites are showing a different IP address than the one returned by your router?

What do you mean the CPU usage is off by 20%? Task Manager allows you to see every process running on your system and do the maths with the CPU column.

Your installation problems could be related to a bad UEFI and Secure Boot configuration. Is your BIOS set to UEFI, and is Secure Boot enabled?

I looked at your aswMBR and GMER logs, and I don't see anything suspicious. We can use MBRScan to dump and analyze your MBR.

  • Please download MBRScan and save it to your desktop.
  • Double-click on MBRScan.exe and click the Report button. (Vista and Windows 7 Users, right click on MBRScan and then click on run as administrator).
  • Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
  • When the scan is finished, a log file will appear.
  • Save that log file to your desktop and post its content in your next reply.

Personally, I do not believe that you are infected with a rootkit, since I don't have enough evidence to come to this conclusion, and your installation errors are normal under certain circumstances. On top of that, the scans didn't return anything at all. This being said, we'll push the investigation further and look for a rootkit just to see if there's one or not.


Looks like MBRScan didn't return a good log. Let's use FRST instead to dump the MBR, it'll be easier that way. We'll also run a TDSSKiller scan (to search for rootkits).

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press on Enter;
  • Open the file you just created and copy/paste the content below into it, then save it (Ctrl + S);
    SaveMbr: drive=0

  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);

  • Click on the Fix button;

  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;

  • A file called MBRDUMP.txt will be saved on your desktop. Attach it in your next reply;

Edited by Aura
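A raw MBR dump such as the one the FRST fix above writes (or aswMBR's MBR.dat) is only 512 bytes and is easy to read by hand with a short script. The following is an added example, not FRST's, aswMBR's or the forum's code: it checks the boot signature, lists the partition table, tells a classic MBR from the protective MBR a GPT-initialised disk carries (a single type 0xEE entry), and reports how many sectors lie past the last partition, which is the "unallocated area at the end of the disk" this thread keeps coming back to. The two sample sectors and the 500 GB disk size are constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

PART_TABLE_OFFSET = 446      # bootstrap code occupies bytes 0..445
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = 0xAA55      # bytes 510..511, stored little-endian as 55 AA
GPT_PROTECTIVE_TYPE = 0xEE   # a lone 0xEE entry is the protective MBR of a GPT disk
SECTOR_SIZE = 512


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count  # first sector after the partition


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Parse a raw 512-byte MBR dump into its non-empty partition entries."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("MBR dump must be at least 512 bytes")
    (sig,) = struct.unpack_from("<H", mbr, 510)
    if sig != BOOT_SIGNATURE:
        raise ValueError(f"bad boot signature 0x{sig:04x}, expected 0xAA55")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) count(4)
        status, type_id, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0 and count == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, start, count))
    return entries


def is_gpt_protective(entries: List[PartitionEntry]) -> bool:
    """True when the table is the protective MBR that a GPT disk carries."""
    return len(entries) == 1 and entries[0].type_id == GPT_PROTECTIVE_TYPE


def trailing_unallocated_sectors(entries: List[PartitionEntry], disk_sectors: int) -> int:
    """Sectors after the last partition; on a GPT disk the last 33 hold the backup header/table."""
    if not entries:
        return disk_sectors
    return max(disk_sectors - max(e.lba_end for e in entries), 0)


def build_mbr(parts: List[Tuple[int, int, int, int]]) -> bytes:
    """Constructed sample sector; parts are (status, type, lba_start, count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in parts).ljust(64, b"\x00")
    return bytes(PART_TABLE_OFFSET) + table + struct.pack("<H", BOOT_SIGNATURE)


DISK_SECTORS = 976_773_168  # constructed: a 500 GB disk counted in 512-byte sectors
# constructed: Windows 7 style layout (System Reserved + NTFS) leaving 1,000,000 sectors free
SAMPLE_CLASSIC_MBR = build_mbr([(0x80, 0x07, 2048, 204_800),
                                (0x00, 0x07, 206_848, 975_566_320)])
# constructed: the protective MBR of a GPT-initialised disk of the same size
SAMPLE_PROTECTIVE_MBR = build_mbr([(0x00, GPT_PROTECTIVE_TYPE, 1, DISK_SECTORS - 1)])


def describe(mbr: bytes, disk_sectors: int) -> str:
    """Human-readable summary of one dump, given the disk size in sectors."""
    entries = parse_mbr(mbr)
    kind = "GPT protective MBR" if is_gpt_protective(entries) else "classic MBR partition table"
    lines = [kind]
    for e in entries:
        mib = e.sector_count * SECTOR_SIZE / 2**20
        lines.append(f"  #{e.index} type=0x{e.type_id:02x} boot={e.bootable} "
                     f"lba={e.lba_start}..{e.lba_end - 1} ({mib:.1f} MiB)")
    free = trailing_unallocated_sectors(entries, disk_sectors)
    lines.append(f"  trailing unallocated: {free} sectors ({free * SECTOR_SIZE / 2**20:.1f} MiB)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_CLASSIC_MBR, DISK_SECTORS))
    print(describe(SAMPLE_PROTECTIVE_MBR, DISK_SECTORS))
```

If a tool saves the sector as a hex listing rather than raw bytes, convert it with `bytes.fromhex()` before calling `parse_mbr`; the disk size in sectors comes from Disk Management or `diskpart`.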

TDSSKiller

  • Download TDSSKiller from BleepingComputer, then move the executable file on your Desktop;
  • Right-click on tdsskiller.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the End User Licence Agreement (EULA) and the KSN Statement;
  • Once the application is done initializing, click on the Change parameters button;
  • In addition to the current checked boxes, check these two as well:
    • Verify file digital signature;
    • Detect TDLFS file system;
  • Once done, click on Ok then click on Start scan;
  • After the scan is complete, click on the Report button, in the top right corner;
  • A report window will open with the scan log. Copy and paste it in your next reply;

Your next reply(ies) should include:

  • Attached MBRDUMP.txt;
  • Copy/pasted content of the TDSSKiller scan log;


I just noticed in your TDSSKiller log that your disk is GPT partitioned. In which case it's impossible to dump your MBR since it simply doesn't exist, and therefore it's impossible that you have a rootkit there (since the MBR isn't present). Also the scan didn't return any rootkit, so once again, I doubt that you are infected with one.

Did you try resetting your router to default settings yet? Also, do you know if your IP address is static or dynamic?


I have reset my router and reflashed it as well before. None of the forms of the web configuration panel seem to have any changes to them. Normally router hijacks are done by simply changing DNS server settings. F-Secure's Router Checker reports DNS is fine. Nor do I have open ports on it. So the tools hackers use imply NAT traversal from inside the system, which is not a hard thing to do.

I do not believe the router has anything to do with it, unless it was tampered with in a way so that resetting and reflashing is not a working solution.


Yes, MBR implies MS-DOS partition table. And GPT is another thing of the same type.

I should have worded it differently, my bad.

Yet the system has to have its bootloader somewhere, am I correct? And that's what aswMBR must be showing.

My motherboard supports UEFI booting, but there is no Secure Boot option, only a Windows 8 one, which, if activated, refuses to boot since my video card's BIOS is not updated. And I am trying to use Windows 7.

Thus the bootloader has to be on the disk itself.

I have run countless tools before, TDSSKiller, MBAR and what not, that are supposed to help against rootkits and viruses. None would say there is anything wrong with the system, yet somebody still had control over it.

Rootkits are made to disguise altered system files, malicious drivers, hooks and other activity of the malware, right?

So that diagnostic tools would be misled in a way and report "everything is fine". Not only that, but they are also getting outdated, even if they did work at the time they were released. When hackers control the system, they can update the infection which would be undetectable by anti-rootkit tools at the time.

You still have not provided the answer as to why I have a growing unallocated data area at the end of the disk.

I also have to mention that it was present before I had to use GPT, so it is not just the 2048-byte GPT backup.

This area does not show up in diskmgmt.msc, yet it does in GParted from outside the system.

What I have found out is that it is likely to be the result of malware activity.

https://labs.bitdefender.com/2011/11/tdss-bootkit-spawns-clones/

Not only that, but bootkits like SST infect the partition table.

http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/

The article says boot record stays untouched, which is why it can persist over reinstallations and MBR fixing tools.

How do I make sure it is wiped out?

The secure erase should help against that, it would seem.

Yet the system crashed last time and would not boot any longer, reinstallations and bootrec did not help. That is, until I performed a secure erase again. Could something damage/infect the partition table? Or do you still think it is simply hardware conflict/misconfiguration? If so, what do I look for?

So what would the vector of (re?)infection be?

Could it be the USB drive I used to deliver diagnostic tools to the PC in question?

How likely is it to have my hardware infected from when it was under the hackers' control? Like an external USB hub or disk firmware? That is theoretically possible.

Can you please answer that? Thank you for your time, and feel free to correct me.


Quote

I have reset my router and reflashed it as well before. None of the forms of the web configuration panel seem to have any changes to them. Normally router hijacks are done by simply changing DNS server settings. F-Secure's Router Checker reports DNS is fine. Nor do I have open ports on it. So the tools hackers use imply NAT traversal from inside the system, which is not a hard thing to do.

I do not believe the router has anything to do with it, unless it was tampered with in a way so that resetting and reflashing is not a working solution.

In that case, please provide me with logs, reports, screenshots, etc. that can show the weird network behaviours you have been experiencing. Without them, I can't see anything wrong with your current setup.

Quote

Yes, MBR implies MS-DOS partition table. And GPT is another thing of the same type.

I should have worded it differently, my bad.

Yet the system has to have its bootloader somewhere, am I correct? And that's what aswMBR must be showing.

My motherboard supports UEFI booting, but there is no Secure Boot option, only a Windows 8 one, which, if activated, refuses to boot since my video card's BIOS is not updated. And I am trying to use Windows 7.

Thus the bootloader has to be on the disk itself.

There is no known GPT rootkit in the wild to my knowledge, and I'm not even sure there are PoCs for them. Also, your aswMBR log isn't showing anything wrong at all. It did create a dump of your MBR, called MBR.dat, in your Documents folder. You can attach it in your next post if you want.

Quote

Rootkits are made to disguise altered system files, malicious drivers, hooks and other activity of the malware, right?

So that diagnostic tools would be misled in a way and report "everything is fine". Not only that, but they are also getting outdated, even if they did work at the time they were released. When hackers control the system, they can update the infection which would be undetectable by anti-rootkit tools at the time.

Yes they are, and this is why Anti-Rootkits exist: to detect, find and delete them. Otherwise, why would they be called Anti-Rootkits? I can assure you that TDSSKiller, aswMBR and Malwarebytes Anti-Rootkit are far from being outdated. They are still being developed and worked on.

Quote

You still have not provided the answer as to why I have growing unallocated data area at the end of the disk.

Can you provide me a screenshot of that? Open the Disk Management Utility, screenshot the whole window (where I can clearly see that Unallocated Space) and post it here.

Quote

What I have found out is that it is likely to be the result of malware activity.

https://labs.bitdefender.com/2011/11/tdss-bootkit-spawns-clones/

Not only that, but bootkits like SST infect the partition table.

http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/

The article says boot record stays untouched, which is why it can persist over reinstallations and MBR fixing tools.

How do I make sure it is wiped out?

This is TDL4, and from what I can read in your articles, it affects MBR disks, not GPT ones. Also, doing a clean install will wipe the whole drive and make it "clean", since Windows will recreate the partitions it needs (EFI, MBR, etc.) during the installation.

Quote

Yet the system crashed last time and would not boot any longer, reinstallations and bootrec did not help. That is, until I performed a secure erase again. Could something damage/infect the partition table? Or do you still think it is simply hardware conflict/misconfiguration? If so, what do I look for?

I still think that it's a hardware conflict/misconfiguration. There's no partition table if you wipe the drive clean before installing Windows on it, since it'll create what it needs during the install, and not before. It can be tricky to install Windows 7 on a GPT partitioned disk depending on the hardware you have. Most people install it on MBR disks.

Quote

So what would the vector of (re?)infection be?

Could it be the USB drive I used to deliver diagnostic tools to the PC in question?

I still don't think that you are infected, as there are no signs of infection in your logs, and there's nothing to show that you've been infected.

Quote

How likely is it to have my hardware infected from when it was under the hackers' control? Like an external USB hub or disk firmware? That is theoretically possible.

Unlikely. Usually these kinds of infections require direct physical access to the computer.

So far, you're talking as if you were infected/targeted with an APT, which I highly doubt (unless you are an important figure like a CEO, politician, etc. and I don't know it).

https://en.wikipedia.org/wiki/Advanced_persistent_threat


On 9/23/2016 at 2:46 AM, Aura said:

There is no known GPT rootkit in the wild to my knowledge.

Well this is a good thing to hear.

I have attached the GParted screenshot of a disk with reappearing unallocated space from another infected PC, running XP SP3. The now GPT-formatted SSD does not seem to have it (also attached).

I think I have managed to discover the source of the c0000225 error - to trigger it all I had to do is to hook my second HDD up.

Apparently UEFI/BIOS tries to boot from the second (MBR) disk for whatever reason, even if I was to choose where to boot from myself.

People who reported the same only had to disconnect the second disk and they would be able to boot into Windows successfully again; this does not work in my case, however.

That second disk, which is MS-DOS partitioned, has some Windows leftovers as well, and I suspect it might also be infected; it also has an unallocated area.

What is probably happening: the BIOS tries to boot from the second drive, malicious code from the partition table/boot sector is executed and is spread (at least Mebroot is known to do that) to the GPT-formatted SSD, getting in the way of the actual Windows installation boot area, which makes the disk unbootable.

I don't see any other reason for this to happen - people in general do not seem to have problems with Windows 7 installed on a GPT drive.

So what I plan to do is to backup my data, secure erase both drives, format them to GPT.

Would this be enough, if this was the problem?


I also tried to scan my second PC (the one with the HDD in the screenshot) with TDSSKiller and it did not detect anything. So if TDSSKiller were infallible, this is not Alureon or another known TDL family rootkit.

Anyhow, if all of this works out, the second PC I plan to clean the same way later - to wipe the disk completely, probably turn it GPT and install something other than XP on it.

Too bad we were not able to identify the problem so that I or someone else reading this would know what exactly is to be done.

That's it, I guess.

If the threat would reappear, should I ask for this thread to be reopened or create a new one?

And thanks for everything.

second pc disk.png

ssd current state.png


Quote

I have attached the GParted screenshot of a disk with reappearing unallocated space from another infected PC, running XP SP3. The now GPT-formatted SSD does not seem to have it (also attached).

How do you know that the Windows XP SP3 computer is also infected? Also, did you check the Disk Management Utility under Windows directly to see how it shows these partitions? For now, it just looks like two leftovers to me, as I can see that the disk has 3 different partitions instead of 1. Is there any specific reason for that?

Quote

I think I have managed to discover the source of the c0000225 error - to trigger it all I had to do is to hook my second HDD up.

Apparently UEFI/BIOS tries to boot from the second (MBR) disk for whatever reason, even if I was to choose where to boot from myself.

People who reported the same only had to disconnect the second disk and they would be able to boot into Windows successfully again; this does not work in my case, however.

That second disk, which is MS-DOS partitioned, has some Windows leftovers as well, and I suspect it might also be infected; it also has an unallocated area.

What is probably happening: the BIOS tries to boot from the second drive, malicious code from the partition table/boot sector is executed and is spread (at least Mebroot is known to do that) to the GPT-formatted SSD, getting in the way of the actual Windows installation boot area, which makes the disk unbootable.

I don't see any other reason for this to happen - people in general do not seem to have problems with Windows 7 installed on a GPT drive.

So what I plan to do is to backup my data, secure erase both drives, format them to GPT.

Would this be enough, if this was the problem?

Once again, you're assuming that one of the disks is infected, yet we still have no proof of that. If you want, you can run DBAN on both drives, use diskpart to convert the disks to GPT during the Windows installation and then install Windows on one of them. And your issue could be because the disk you want to boot from is connected to the SATA1 port instead of SATA0. I would check that as well. Make sure that the disk you want to install Windows on really is on the SATA0 port. It'll make things way easier. And I also had issues during the Windows 10 upgrade because of multiple drives. I had to disconnect my two hard drives, and my CD/DVD drive for the upgrade to go through.

Quote

If the threat would reappear, should I ask for this thread to be reopened or create a new one?

It depends. If the threat reappears within 5 days, you can post in this thread, otherwise, if it gets closed, you should start a new one.

Once more, I really, really doubt that you are infected with a rootkit of some sort since I have yet to see any evidence proving that theory. I'm a tech, and one of the first things I learned was to always confirm, never assume, and always validate the facts myself; otherwise, these are just assumptions and in the troubleshooting world, this leads to a lot of "trial and error" solutions. I can see your two unallocated partitions on the disk hosting your Windows XP SP3 installation, but like I said, they could be remnants from a bad partitioning operation.


Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
