Intelligent Malware - Responds in Real-Time



It even tried to keep me from downloading FRST, it corrupted the beta rootkit scanner pretty instantly.

Driver Hijack

BIOS Hijack

Windows Completely Hijacked

Windows 10 Home, user restrictions placed, access to management apps removed, file protection subverted, McAfee Live Safe hijacked, remote management deployed, installation of server functions and domain protocols on a home computer, hijacking of devices.

It spreads through the network or through the Windows proximity system update protocol, it doesn't need permission to use, create, modify, or hide connections. Even hijacked my router from Spectrum Business, which they said was impossible...

System resets just make it stronger, it takes over completely faster after a reset, is undetected by Malwarebytes (hijacked Malwarebytes, cannot activate advanced settings or protection, it simply does not respond)

After the last reset, this morning, I activated file protection on the Windows folder, it recreated the files hidden in C:, neither the PowerShell nor the folder for it exist anymore, attempting to disable services for RDP or RTP is impossible, and it gets cranky and decides not to let ANYTHING execute or open, network devices disappear, probably watching right now...

Read through these forums a whole lot, attached the threat scan and FRST files. All computers at home and office are infected, NT_User is my enemy, not sure if a basic subscription will be enough, the McAfee Live Safe subscription lasted a whole 3 hours before it was completely taken over and blocked processes or programs suddenly became McAfee "name of blocked process"
1.txt

Addition.txt

FRST.txt

Shortcut.txt


Update, a remote user logged in and used group policy on Windows 10 Home to modify my privileges.

From the event log, the remote user is able to impersonate SYSTEM

+ System 

  - Provider 

   [ Name]  Microsoft-Windows-Security-Auditing 
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D} 
 
   EventID 4798 
 
   Version 0 
 
   Level 0 
 
   Task 13824 
 
   Opcode 0 
 
   Keywords 0x8020000000000000 
 
  - TimeCreated 

   [ SystemTime]  2018-10-05T04:59:13.857801800Z 
 
   EventRecordID 4706 
 
  - Correlation 

   [ ActivityID]  {E4F7016B-5C5C-0006-9001-F7E45C5CD401} 
 
  - Execution 

   [ ProcessID]  820 
   [ ThreadID]  9620 
 
   Channel Security 
 
   Computer DESKTOP-EVBN5TI 
 
   Security 
 

- EventData 

  TargetUserName Matthew Pillado PLLC 
  TargetDomainName DESKTOP-EVBN5TI 
  TargetSid S-1-5-21-3315767533-3666575624-1109542102-1001 
  SubjectUserSid S-1-5-21-3315767533-3666575624-1109542102-1001 
  SubjectUserName Matthew Pillado PLLC 
  SubjectDomainName DESKTOP-EVBN5TI 
  SubjectLogonId 0x4bab5 
  CallerProcessId 0x1004 
  CallerProcessName C:\Windows\System32\PickerHost.exe 

A user's local group membership was enumerated.

Subject:
    Security ID:        DESKTOP-EVBN5TI\Matthew Pillado PLLC
    Account Name:        Matthew Pillado PLLC
    Account Domain:        DESKTOP-EVBN5TI
    Logon ID:        0x4BAB5

User:
    Security ID:        DESKTOP-EVBN5TI\Matthew Pillado PLLC
    Account Name:        Matthew Pillado PLLC
    Account Domain:        DESKTOP-EVBN5TI

Process Information:
    Process ID:        0x1004
    Process Name:        C:\Windows\System32\PickerHost.exe
 


The bad person or the intelligent malware, whichever, not something I did

+ System
   
- Provider
      [ Name] Microsoft-Windows-Security-Auditing
      [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
   
  EventID 4624
   
  Version 2
   
  Level 0
   
  Task 12544
   
  Opcode 0
   
  Keywords 0x8020000000000000
   
- TimeCreated
      [ SystemTime] 2018-10-05T04:59:03.434445800Z
   
  EventRecordID 4702
   
- Correlation
      [ ActivityID] {E4F7016B-5C5C-0006-9001-F7E45C5CD401}
   
- Execution
      [ ProcessID] 820
      [ ThreadID] 896
   
  Channel Security
   
  Computer DESKTOP-EVBN5TI
   
  Security
- EventData
    SubjectUserSid S-1-5-18
    SubjectUserName DESKTOP-EVBN5TI$
    SubjectDomainName WORKGROUP
    SubjectLogonId 0x3e7
    TargetUserSid S-1-5-18
    TargetUserName SYSTEM
    TargetDomainName NT AUTHORITY
    TargetLogonId 0x3e7
    LogonType 5
    LogonProcessName Advapi
    AuthenticationPackageName Negotiate
    WorkstationName -
    LogonGuid {00000000-0000-0000-0000-000000000000}
    TransmittedServices -
    LmPackageName -
    KeyLength 0
    ProcessId 0x320
    ProcessName C:\Windows\System32\services.exe
    IpAddress -
    IpPort -
    ImpersonationLevel %%1833
    RestrictedAdminMode -
    TargetOutboundUserName -
    TargetOutboundDomainName -
    VirtualAccount %%1843
    TargetLinkedLogonId 0x0
    ElevatedToken %%1842

 

 

+ System
   
- Provider
      [ Name] Microsoft-Windows-Security-Auditing
      [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
   
  EventID 4672
   
  Version 0
   
  Level 0
   
  Task 12548
   
  Opcode 0
   
  Keywords 0x8020000000000000
   
- TimeCreated
      [ SystemTime] 2018-10-05T04:59:03.434452000Z
   
  EventRecordID 4703
   
- Correlation
      [ ActivityID] {E4F7016B-5C5C-0006-9001-F7E45C5CD401}
   
- Execution
      [ ProcessID] 820
      [ ThreadID] 896
   
  Channel Security
   
  Computer DESKTOP-EVBN5TI
   
  Security
- EventData
    SubjectUserSid S-1-5-18
    SubjectUserName SYSTEM
    SubjectDomainName NT AUTHORITY
    SubjectLogonId 0x3e7
    PrivilegeList SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
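As an added example that is not part of the thread: a small Python triage script for Security log records in the dump format posted above. It parses the "Name Value" lines into a dict, then applies the documented meanings of the 4624 LogonType codes and the well-known SIDs (per Microsoft's auditing reference, type 5 is a service logon, type 10 is RemoteInteractive, i.e. RDP, and S-1-5-18 is Local System) to report whether a logon originated on another host, and for 4672 lists which of the granted privileges a defender would look at first. The first and third sample records are trimmed copies of the 4624 and 4672 events in the post; the second (LogonType 10 from 203.0.113.7, a documentation-range address, account "alice") is constructed to show what a remote-interactive logon looks like by contrast. The sensitive-privilege set and the parsing rules are choices made for this example, not Malwarebytes' or Microsoft's tooling.

```python
import re

# Documented 4624 LogonType codes (Microsoft Security auditing reference).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Well-known SIDs of machine service accounts rather than human users.
WELL_KNOWN_SIDS = {"S-1-5-18": "Local System", "S-1-5-19": "Local Service",
                   "S-1-5-20": "Network Service"}
# Privileges worth a second look in a 4672 record (selection made for this
# example, not an official list).
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
                   "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
                   "SeRestorePrivilege", "SeImpersonatePrivilege"}
LOCAL_ADDRS = {"-", "::1", "127.0.0.1"}

# Trimmed copy of the 4624 record posted in the thread.
SAMPLE_4624 = r"""
+ System
- Provider
      [ Name] Microsoft-Windows-Security-Auditing
  EventID 4624
  Computer DESKTOP-EVBN5TI
- EventData
    TargetUserSid S-1-5-18
    TargetUserName SYSTEM
    TargetDomainName NT AUTHORITY
    LogonType 5
    ProcessName C:\Windows\System32\services.exe
    IpAddress -
"""
# Constructed record (not from the thread): an RDP logon from another host.
SAMPLE_RDP = r"""
  EventID 4624
- EventData
    TargetUserSid S-1-5-21-0-0-0-1001
    TargetUserName alice
    TargetDomainName DESKTOP-EXAMPLE
    LogonType 10
    IpAddress 203.0.113.7
"""
# Trimmed copy of the 4672 record posted in the thread.
SAMPLE_4672 = r"""
  EventID 4672
- EventData
    SubjectUserSid S-1-5-18
    SubjectUserName SYSTEM
    SubjectDomainName NT AUTHORITY
    PrivilegeList SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
"""


def parse_event(text):
    """Turn the Event Viewer 'Name Value' dump into a dict of field -> value."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "+-":      # blank or section marker
            continue
        m = re.match(r"\[\s*(\w+)\s*\]\s*(.*)", line)   # '[ Name] value' form
        if m:
            fields[m.group(1)] = m.group(2).strip()
            continue
        name, _, value = line.partition(" ")
        fields[name] = value.strip()
    return fields


def triage_4624(ev):
    lt = int(ev.get("LogonType", "0"))
    ip = ev.get("IpAddress", "-")
    # RemoteInteractive is remote by definition; network-style logons count
    # as remote only when the source address is another host.
    remote = lt == 10 or (lt in (3, 8) and ip not in LOCAL_ADDRS)
    sid = ev.get("TargetUserSid", "")
    return {"event_id": 4624, "logon_type": lt,
            "logon_type_name": LOGON_TYPES.get(lt, "Unknown"),
            "target": f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}",
            "target_account_kind": WELL_KNOWN_SIDS.get(sid, "user/group SID"),
            "source_ip": ip, "remote_logon": remote,
            "logon_process": ev.get("ProcessName", "")}


def triage_4672(ev):
    privs = ev.get("PrivilegeList", "").split()
    sid = ev.get("SubjectUserSid", "")
    return {"event_id": 4672,
            "subject": f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
            "subject_account_kind": WELL_KNOWN_SIDS.get(sid, "user/group SID"),
            "privilege_count": len(privs),
            "sensitive_privileges": sorted(p for p in privs if p in SENSITIVE_PRIVS)}


def triage(text):
    """Dispatch one dumped record to the rule for its EventID."""
    ev = parse_event(text)
    eid = int(ev.get("EventID", "0"))
    if eid == 4624:
        return triage_4624(ev)
    if eid == 4672:
        return triage_4672(ev)
    return {"event_id": eid, "note": "no triage rule for this event"}


if __name__ == "__main__":
    for sample in (SAMPLE_4624, SAMPLE_RDP, SAMPLE_4672):
        print(triage(sample))
```

Run over the copied records, the script reports the 4624 as a type 5 (Service) logon of the Local System account with no source address and the 4672 as the Local System account receiving its privilege set; the constructed RDP record is the only one flagged as a remote logon. Whole Security logs exported as text can be split on the "+ System" marker and fed record by record to `triage`.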

Hello Matt-the-Compromised and welcome to Malwarebytes,

Run the following and post the produced logs...

Reset your router, instructions available at the following link:

http://setuprouter.com/networking/how-to-reset-your-router/

Follow those instructions very carefully.

Next,

Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper
 
  • Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool. For XP just double click to run.
  • From the left hand pane select "Flush DNS"
  • From the main interface select the dropdown under "Choose a DNS Server"
  • From the list select either "Google Public DNS" or "Open DNS"
  • From the left hand pane select "Apply DNS"


When done re-boot your system....


Next,

Please download Malwarebytes Anti-Rootkit from here
 
  • Right click on the tool (select "Run as Administrator") to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt


Thanks,

Kevin..

Hey @kevinf80 thanks for stopping in, should I uninstall the current copy of the Malwarebytes rootkit installation? It wouldn't run earlier. For resetting my router, that's difficult, there is a factory reset button on it, but, when I do that I get about 1 or 2 minutes inside to cut off the inbound connections and change the password before the thing reboots and I no longer have access (password changed and settings back to welcome Singapore! oh and Germany now and then but I think that dude backed off).

I'm gonna go ahead and give it a swing though, right now


Sorry, that was my goof, I ran mbar-1.10.3.1001, no malware found, no cleanup needed.

So far, I haven't been able to find a scanner that can see it as anything other than Windows system files or authorized processes once it's had a few hours, by morning my home PC will be a full fledged server hosting gods know what and I'll have access so long as I do not mess with anything, all restore points are gone, cannot even open the program for that or the file protection anymore at this time, most things have the warning at the top "Some settings and configurations are handled by your organization" but it's a Windows 10 Home, on a PC I bought 4 days ago...

See if you can run RogueKiller:

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it to winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste its content in your next reply.

So far RK has pulled out some regkeys and I tell you Kevin, after reading up some there, I understand the network overlays and backend being used on our computers and servers, I actually wouldn't even mind if the bastards would stop messing with my clients' accounts. You know a piece of the whole, but I have a responsibility to my clients for securing their data.

2 weeks later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
