
win32/nevoros.B!Rakr rootkit virus



I have tried many different antivirus programs to try to get rid of a trojan called Win32/Nevoros.B!Rakr. Its main file is one called isowebi.exe.

The main problem is that the folder and all files in it are protected. There is no way to rename, edit, or delete them. Taskkill cannot stop or cancel the operations this application does. Because the folder and all its contents are protected, my one trick was to lock out the new programs or folders it created so it couldn't find them again, but that means leaving them on the system.

The program loads grenades, touchy, other svc's for the net, and even bitcoin mining programs. I used the Malwarebytes rootkit beta; that didn't work either.

The only thing I can think to do is to create a new Windows boot file, or edit the one I have, but I'm not really sure if that will work.


Hello Koneko and welcome to Malwarebytes,

Run the following and post the produced logs:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way.

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans".
  • Press the Scan button to run the tool.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.

Let me see those logs, also do you have access to another PC and USB flash drive 4GB or above...

Thank you,

Kevin


Hi Kevin, and thanks, I will try that!

I was using my old 2004 Dell laptop to help but never connected them together, and it got the mining viruses too. Thanks to the logs I figured some things out. I will share an email with another threat agency, and my conclusions.

To really understand the severity of this threat you need to go back in time.
In 2001 on 9/11 America gets attacked and needs information. Around the same time Microsoft is about to be broken up, but it's not. Microsoft gave the government information to data mine people. This is the NSA stuff Snowden spoke about, and leaked. The problem goes back that far.

Now how do I know this?
It's simple: my Windows 7 PC that I thought was protected was recently hacked for cryptomining last week. Now I still had an old XP laptop with a 2004 processor on it... yet that one got hacked too.
One computer had logs for everything, and the logs show the new program trying to activate but instead having to use the old hack. Now cryptocurrency was started in 2009, yet how can I have these hacks with installs and the needed files before that time? That's easy: it was NSA data mining from before. The hackers right now can still use the old codes, which they probably are. Not only does this make older computers vulnerable, it also makes every flash drive, portable drive, and storage device vulnerable now. People still use old storage devices, disks of saved information, etc.
I came to this conclusion this weekend while trying to get rid of this crap. I can't get rid of it, because for many they are using the older code as well, and since antivirus companies do not remove all the programs related to a virus this will become a major issue. The other issue is that I can find the new programs and where changes took place, yet finding the old original files is much harder. I'm basically down to seeing what is in each dll file, batch file, bin file, vcd file, etc., if I can and it's not encrypted. Add to this the related batch files and vcd files to reload the programs; all this stuff is still on here, so I'm fighting two wars, one I didn't know about before 2009. This is because Microsoft years ago left junk on your system: even when you removed the main program, other junk remained. This can't be done anymore. We need to look at total removal models now.
I'm a person that thinks outside the box. I've been using about 10 different programs trying to find every little batch, bin, and configuration file on my computer related to this mess. I've gotten rid of it but then it comes back. I'm literally hacking my own computer like I had to do back in the 80's and 90's. Log files show how the virus gets back in, and it's from the NSA data mining before 2009. Why then would their supposedly new program state the needed programs are already on my computer from before 2009?
My Conclusion:
These new attacks can go back from before cryptocurrencies were created. This is because now they are using the old NSA files; this can also explain why Windows and many antivirus programs are having trouble with it. They are looking at only the new files, not the very old ones.
1) Is there a program that I can use to find and get rid of the old NSA files? A special tapeworm that can hunt them down while the system is disconnected from the net. This is another problem, because many antivirus programs want you to stay connected to the net, so any smart virus is going to be actively fighting against you and you are at a disadvantage.
2) Even as someone advanced, with knowledge of registry keys and the ability to write batch files, I'm having a heck of a time dealing with this.

 


I can also help too.

PROCESSES:

(TOSHIBA CORPORATION) C:\Windows\System32\wmbhuxksvc.exe
() C:\Users\Koneko\AppData\Local\uprhtms\sbodexn.exe
() C:\Users\Koneko\AppData\Local\mbbwpun\mbbwpun.exe
() C:\Users\Koneko\AppData\Local\mbbwpun\spedrcb.exe
() C:\Users\Koneko\AppData\Local\mbbwpun\spedrcb.exe

My computer is not a Toshiba, it's an HP, and this file popped up only when the virus came up.

The date I noticed a virus doing something was 2/24/2018 before 9pm.

I do have access to another PC, yet I also think it's contaminated as well now, as I'm locked out of most everything again on it. It was running Windows XP. I can get access to another computer and do have a flash drive that holds over 4 gigs. I'm also a little worried because one flash drive that I used to transfer files might have been destroyed by something.

I also loaded a print screen of the task manager with 2 strange client files running. This only happens when connected to the net. At one time the name showed up quickly before disappearing back to client. The name was vmxclient.exe.

FRST_04-03-2018 22.11.40.txt

Addition_04-03-2018 22.11.40.txt

funny client files.jpg


Hello Koneko,

You have the latest infection doing the rounds, named "smartservice". This is not a revamped old infection; it is more or less very much new. To deal with this infection you will need access to a spare clean PC and a USB flash drive 4GB or above.

First do this:

Open FRST, copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop or the folder FRST is saved to. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
End::

Next,

Plug USB Flash Drive into spare PC, navigate to that drive and Right click on it directly, select > Format. The quick option is adequate.

When the format completes download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Do NOT plug the flash drive into the sick PC until booted to the Recovery Environment.

If you are using Vista or Windows 7 enter System Recovery Options as follows.

Enter System Recovery Options I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Next,

Boot back to Normal Windows, now run Malwarebytes as follows:

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection, scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives

  • Scroll further to Potential Threat Protection and make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as: Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as: Always detect PUMs (recommended)

  • Click on Scan and make sure Threat Scan is selected.
  • A Threat Scan will begin.
  • When the scan is complete, if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected tab.
  • If asked to restart your computer to complete the removal, please do so.
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:

  • Click on the Reports tab from the main interface.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export. From Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply.
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply.

  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.


Let me see those logs in your reply..

Thank you,

Kevin.


Another question

I cannot rename or change these folders, and ones like them. So the information the FRST program showed me is really helpful to know where things are.

Since I cannot change the name, or delete or move it, is there a way to find it within the registry and kill it there so it cannot load? I did find the "spedrcb.exe" file in the registry. So technically if I know what to change I can make it so it can't load again. I'm just making it so I have the best chance of getting rid of everything! I'm not a pro anymore, yet I'm not an amateur either.

Thanks for all your help! (Now I remember why I left this world... LOL)

 

mbbwpun file info.jpg

uphrtms file info.jpg

spedrcb reg area.jpg


PS: Do I need to have a clean Windows 7 machine to format the flash drive? Or can it be Vista, 8, 9, or 10?

PPS: Will resetting and reformatting to factory defaults, brand new, work? I really don't want to go that far back, but if I have to I will. There is the recovery factory reset still on the D: drive, with the HP stuff on E:.


The spare PC can have any version of Windows. The only way to shift the protective rootkit is via the Recovery Environment. There is no other way to kill off that protection; without that done, the infection and all its parts will reinstall and the main driver will rename itself. Follow the instructions in reply #4.

Thank you,

Kevin


Thanks for the help... still looking for a clean PC. At family and friends' houses I had them download and run a check with your software, or add in HitmanPro too... but found multiple rootkits on theirs... so decided to keep looking. Gates and Jobs should've warned the general public better before just making computers too readily available to the public.


Hey, do these log files help you in any way? I forgot I always kept Windows logs on.

PS: Is it possible the info this person is getting is still active, and the FRST logs changed a little? I will include the last ones too.

Oh yeah, does Windows 10 get rid of this? I heard Win 10 has rootkit blocking? Not sure if that is totally true.

ntbtlog.txt

WindowsUpdate.log

PFRO.log

PerfStringBackup.rar

FRST_07-03-2018 22.08.41.txt

Addition_07-03-2018 22.08.41.txt


I have included the fixit log.

Problems:

I cannot do anything once into the recovery option... it keeps counting down then loads Windows back in. I even found a recovery disk which did the same. Tried to get into BIOS options and failed that way too. The arrow keys and tab and any other function keys seem disabled, not allowing me to make any choice but to continue on into the Windows login.

I did find a bootable flash drive I probably made when I made the recovery disks (made both just in case). Just not sure if it will boot to the flash first, because I cannot check BIOS settings. I can see the options, I just cannot change to them using the arrow keys; it's like they are locked out. Is that possible?

Fixlog.txt


The F10 key is needed for BIOS on HP, so checking that now.

Key delay was set to zero so I had to be fast... got in though, and added more time.

Order is: Notebook Hard Drive, Internal CD/DVD ROM Drive, USB Diskette on Key/USB Hard Disk, USB CD/DVD ROM Drive (should these be changed?)


OK, I can get the HP recovery disk to work, and for it to load from the disk or HD... I chose disk to see what comes up.

MICROSOFT SYSTEM RESTORE: Restore system from an earlier date

SYSTEM RECOVERY: Restore your computer to its original factory condition

MINIMIZED IMAGE RECOVERY: Restore operating system, drivers, and select software only (clean image)

FACTORY RESET: Reset computer by erasing the entire hard drive and restoring to the original factory condition

RUN COMPUTER CHECK UP: Use the hardware diagnostics tool to diagnose your computer's memory, HD, etc.

So I can use that disk, but not sure if that will help solve my problem. I didn't select anything, just exited out.

On booting, the Advanced Boot Options F8 appears... it's listed but doesn't let me change to it, or select it. It just stays locked on load Windows. So not sure which to do? I will be reading up on HP's site to get more information to help.


I'll try that, thanks. If not, I guess the only thing left is a total factory reset maybe.

Although I don't believe this is just a trojan... it's more like a hydra instead. I don't use Office 11 or Adobe, so I tried getting rid of both again. Found that when I tried, it would reload the parts back in it needed. Re-growing a head is a hydra. Even after it's off, trying to watch a movie on Media Player, the task is changed to try and upload the security leaks again. Hidden task scripts in the registry prove it. For me a hydra is the mythical creature with multiple heads, so cutting off one doesn't hurt it and it regrows. Is it too scary for the public to know such things, so malware companies stick to terms like trojans, rootkits, and ad-ware to classify stuff?

I also noticed that any back saved points on the HP recovery disks do not work. All that comes up is factory resets. If that is all that is left, would it be better to just install and re-partition and put in a whole new OS from scratch then? Since Windows 7 is pretty much obsolete.


PS: I have gotten rid of 4 of the programs that show up in the processes. The question I have is how I can rename or delete locked-out files. Found the spedrcb.exe in the registry; pic included.

That would leave one more, and just being able to find a way to look at application extensions, or view task programs, to find the ones I need to delete. I may not be able to get rid of the rootkit, but I'm not against making it so it cannot work for the time being, especially if I can close off all the doors.

can't delete or rename.jpg

unable to find.jpg

spedrcb reg area.jpg


OPTION #1: KEEP FIGHTING IT AND BRING MY SKILLS BACK UP TO DATE

I found a tab where I could go into a Windows recovery from the HP disk, and it shows the options but I cannot select or change to them.

I've tried using takeown, cacls, and icacls to get control back of the program or folder and I'm locked out, even though I'm running this under admin commands. That is the reason I showed you the registry line. The folder says it's empty if the cursor is on it, but the registry shows there are files in it that it loads. So if I could get rid of the folder, I could cut another head off this thing.

Last night I also tried to make data CDs/DVDs using different programs and they do the same thing that making a recovery disk does. It builds the data and disk and makes the cache, then when it tries to burn the disk the error happens. So somehow the burner for the CD is locked out. I don't know how to find out if it's turned off in the registry.

Keeping it isolated from the net is what has gotten me this far. I can see the faults in the bad programs now trying to get net access to update, or reload the tasks and vcd's it needs. With all the svchosts on here I have no idea how to tell which it might be using and which it can't. I locked out all public access, and the ActiveX backdoor, and now that it's been over a week since it was last connected to the net, tasks are running to get back on... I can see it... found a log entry in the tasks where the next update would be a week later.

The Windows fixes today seem to have Office security and other things this virus is using. Just because a kernel exploit hasn't been used on Windows 10 doesn't mean they might not have tried it on older systems first. Personally I don't trust Microsoft to be honest on whether someone has used an exploit or not.

OPTION #2: RESET EVERYTHING

The problem here is the risk in going out and getting a new external HD to store the files I need to save. If I scan it before, hopefully nothing can sneak back on.

The other problem is making sure the rootkit is gone after a factory re-install. With a new OS I could re-partition the C: drive and then reset a whole new boot section, and install the new OS on it if I have to.


To make sure cdrom and usbstor are active in the registry do the following:

Click on Start > All Programs > Accessories:

Right-click on the Command Prompt entry

Select "Run as Administrator", accept the UAC prompt; the Elevated Command Prompt window should pop up.

At the Command prompt, type or copy/paste the following:

reg add HKLM\System\CurrentControlSet\Services\cdrom /t REG_DWORD /v "Start" /d 1 /f

reg add HKLM\System\CurrentControlSet\Services\USBStor /t REG_DWORD /v "Start" /d 3 /f

Make sure to hit the Enter key after each command.

When complete, type or copy/paste exit and hit the Enter key to close out the command window.

Next,

Open FRST, copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop or the folder FRST is saved to. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
End::

Post the log from FRST, also let me know if you can access the Recovery Environment, and whether you have a USB flash drive 4GB or above and access to a clean PC.
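Added example (my code, not Kevin's and not Malwarebytes' or FRST's): the two diagnostic lines in that fix, fltmc instances and dir /a:-d /o:d C:\windows\system32\drivers, are what point at the rootkit's driver once the fixlog comes back. A file-system minifilter attached at a higher altitude than the antivirus filter sees every open, rename and delete before the AV and the shell do, which is the usual mechanism behind folders that takeown, icacls and Explorer cannot touch, and dir /o:d puts the most recently modified .sys files last. The script below parses constructed copies of both outputs (English Windows 7 format, MM/DD/YYYY dates assumed), flags filters that are not on a baseline allowlist, labels each with the Microsoft load-order group its altitude falls in, and lists drivers modified on or after the date Koneko first noticed the infection. The allowlist, the altitude table and the names zzzfilt / zzzfilt.sys are assumptions and placeholders, not indicators from this thread.

```python
"""Triage the `fltmc instances` and `dir /a:-d /o:d` output from an FRST fixlog.

Added example for this thread; the sample data below is constructed, not copied from the logs.
"""
import re
from datetime import datetime

# Constructed sample in the shape of `fltmc instances` output on English Windows 7.
# "zzzfilt" is a placeholder for an unknown filter, not a real indicator.
SAMPLE_FLTMC = """\
Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----  --------  --------
MBAMProtection        C:                                        328800      MBAMProtection Instance   0    00000003
luafv                 C:                                        135000      luafv                     0    00000000
FileInfo              C:                                         45000      FileInfo                  0    00000003
FileInfo              \\Device\\HarddiskVolume1                  45000      FileInfo                  0    00000003
zzzfilt                                                         385300      zzzfilt Instance          0    00000000
"""

# Constructed sample in the shape of `dir /a:-d /o:d C:\windows\system32\drivers`.
# Sizes and dates are made up; zzzfilt.sys is a placeholder.
SAMPLE_DIR = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\windows\\system32\\drivers

07/13/2009  06:52 PM            15,416 1394ohci.sys
07/13/2009  06:52 PM            20,992 fileinfo.sys
02/25/2018  08:43 PM            61,952 zzzfilt.sys
               3 File(s)         98,360 bytes
               0 Dir(s)  100,000,000,000 bytes free
"""

# Date Koneko first saw the infection (from the thread); used as the "modified since" cutoff.
INFECTION_DATE = datetime(2018, 2, 24)

# Assumed baseline of minifilters for this box. Build yours from a clean system of the
# same build; an unfamiliar name on its own proves nothing.
KNOWN_FILTERS = {"FileInfo", "luafv", "MBAMProtection", "MpFilter"}

# Subset of Microsoft's minifilter load-order groups (altitude ranges). Higher altitude means
# attached nearer the I/O manager, so the filter sees each request earlier. Assumed; verify
# against the current published list before relying on it.
ALTITUDE_GROUPS = [
    (400000, 409999, "FSFilter Top"),
    (360000, 389999, "FSFilter Activity Monitor"),
    (320000, 329999, "FSFilter Anti-Virus"),
    (130000, 139999, "FSFilter Virtualization"),
    (40000, 49999, "FSFilter Bottom"),
]


def altitude_group(altitude: int) -> str:
    """Name the load-order group an altitude falls into, or 'other'."""
    for low, high, name in ALTITUDE_GROUPS:
        if low <= altitude <= high:
            return name
    return "other"


def parse_fltmc(text: str) -> dict:
    """Map filter name -> altitude. Volume Name may be blank, so the altitude is taken as the
    first all-digit token after the filter name instead of by column position."""
    filters = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Filter" or tokens[0].startswith("-"):
            continue  # blank, header or separator line
        altitude = next((t for t in tokens[1:] if t.isdigit()), None)
        if altitude is not None:
            filters.setdefault(tokens[0], int(altitude))  # one entry per filter, any number of volumes
    return filters


def suspicious_filters(text: str, known=KNOWN_FILTERS) -> list:
    """Filters not on the baseline, highest altitude first, noting whether each sits above the AV filter."""
    filters = parse_fltmc(text)
    av_top = max((a for a in filters.values() if altitude_group(a) == "FSFilter Anti-Virus"), default=0)
    return [
        {"filter": name, "altitude": alt, "group": altitude_group(alt), "above_av": alt > av_top}
        for name, alt in sorted(filters.items(), key=lambda kv: -kv[1])
        if name not in known
    ]


# One `dir` file line: date, time, size with thousands separators, name (English locale assumed).
DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*)$")


def parse_dir(text: str) -> list:
    """Return [(mtime, size, name)] for the file lines of `dir /a:-d` output; summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            mtime = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
            entries.append((mtime, int(m.group(3).replace(",", "")), m.group(4)))
    return entries


def drivers_modified_since(text: str, cutoff: datetime) -> list:
    """Driver file names whose modification time is at or after the cutoff."""
    return [name for mtime, _, name in parse_dir(text) if mtime >= cutoff]


if __name__ == "__main__":
    for f in suspicious_filters(SAMPLE_FLTMC):
        print(f"unknown filter {f['filter']} at {f['altitude']} ({f['group']}), above AV: {f['above_av']}")
    print("drivers modified since", INFECTION_DATE.date(), drivers_modified_since(SAMPLE_DIR, INFECTION_DATE))
```

To use it on the real fixlog, paste the two command outputs over the two sample strings. A filter that is both off the baseline and above the AV altitude, with a .sys in the drivers folder dated after the infection, is the thing to name in the next FRST fix; the script only narrows the list, it does not remove anything.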
