
Verification after infection removal

Hello Malware Fighters!

My PC was infected by a HKU\S-1-5-21 related trojan. Since the infection kept coming back after removals, I decided to totally nuke the HDD (3 x Low Level Format + manual "Zero Fill" of the first 1 MB of the drive).

Now I need to find out whether my system is totally clean, because after a fresh installation of the OS my PC works rather slowly and some fonts in system windows are blurry. Also, Task Manager shows a lot of processes that look like an infection (Lanman Workstation, mDNS, Server etc.). After spending some time with the Microsoft documentation I think those tasks are OK, but I'm a little paranoid now :) And one last thing: is it possible that Windows became activated even though I didn't log in to my MS account?

Please help me to figure it out.

Addition.txt

FRST.txt


  • Root Admin

Hello @Sushi414 and :welcome:

The logs are not showing any obvious signs of an infection. Let me have you run a few different scans though and we'll see if anything turns up.


Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3, then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes 3 installed yet, please download it from here and install it.
  • Once installed, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • Once the scan is completed, click on the Export Summary button and save the file as a Text file to your desktop or another location you can find, and attach that log to your next reply.
  • If Malwarebytes won't run, then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.


RESTART THE COMPUTER Before running Step 3

STEP 03

Please download and run the following Kaspersky antivirus scanner to remove any found threats.

Kaspersky Virus Removal Tool

Let me know if it finds anything or not.

Thanks

Ron


Hello Ron @AdvancedSetup, thank you for your reply! 😃

I did all the steps as you told me. Please keep in mind that the PC was untouched until my last post. The result is always the same: everything is good, nothing was found and the PC is safe 😋

"Andrew" is of course back with all his family (yeah, after a month of fighting I gave it a name; lame, I know 😜), and here is a brief description of what happened:

STEP 1

I installed MBAM and started a scan. "Andrew" doesn't like Malwarebytes and IObit (if the installation of IObit Malware Fighter isn't very quick, right after the OS installation, it is almost impossible to install; you can see miracles on the screen 🎆 "Andrew" is a wizard 🧙‍♂️). I only clicked on your link to download MBAM, and all the fans started spinning. Anyway, every time the result is the same: 0 detections, PC is safe! It doesn't matter what software is used to scan; I have probably tried every possible one, free and premium (we have spent $700 on software so far...). The log is in the attached zip.

STEP 2

Traditionally, AdwCleaner is the only software that detects something and removes it. Yes, as you probably expect, it was IObit files and tasks. I of course followed your steps, clicked to clean, and then allowed the restart. This is the moment that "Andrew" likes very much! Nothing is now forcing the DNS correction and nothing helps Windows Defender, even with all the settings configured at a paranoid level. The time of a restart is the time of the most OS modifications. After the reboot you can see the good old welcome screen with always the same photo. Generally everything looks perfect, and the fans stop spinning. But when you check Task Manager you can see 100-150 background tasks, 80-200 (!!!) system tasks, and if you have a browser open like I do right now, for every open tab you have 5-10 tasks. Of course service workers are already registered and keep working.

But something is new; this beautiful alert in the console never appeared earlier:

[Screenshot: browser developer console alert]

As I mentioned before, the Windows security settings were set to a paranoid level; now of course "nothing changed" in the UI, but folder protection stopped working 🤔 UAC too... Mysterious! 😱

But nothing surprising 😃 "Andrew" always plays the same jokes when you try to tell him that he must move out 😂

OK, so now we don't have any protection, the scanning log is in the zip, so let's go to the next step 😊

STEP 3

This will be short, because nothing new happened. Kaspersky scans everything; during the scan it started syncing and downloading OneDrive files marked as "not to sync". This is actually good behavior, since we use the business version of OneDrive, which shows files on the drive. The only noticeable difference was that now it ONLY SCANS files with sensitive data (email backups, business proposals and documents, databases etc.), so I decided to terminate the OneDrive task. Kaspersky continued and finished the scan successfully; of course nothing was found, everything is great. Even if the scanner's interface lost its Polish letters 😅

OK, END OF FUN

As I mentioned, we have been fighting with all this "Andrew" stuff for a month now (1 week before December 2018 I discovered the malicious processes and redirects or content replacement on websites). It affects all computers in our company and homes. It doesn't matter whether you use Windows, Linux or Mac (Linux distributions are affected only if they use the GRUB bootloader, and the infection is not so harmful there. Since macOS is a UNIX-based system, it's also not so harmful there). Since it uses only legitimate MS Windows components for its work and sets a priority for its own tasks so that they start at full CPU/GPU/memory usage after 5-10 minutes of idle, as long as you don't try to remove it, it is very hard to detect.

The worst thing is its PERSISTENCE! At the beginning I just tried to remove the infection. Later we made backups of files and decided to reinstall the systems. It didn't work, of course. Later I totally nuked every HDD/SSD with every possible scenario and tool, with flashing of new SSD/HDD firmware of course. Still no luck. Then I realized that I don't need any hard drive, because correct and original Linux LiveCD/DVD sessions without a hard drive attached are also infected 😣

Sure, at first I also thought that I was paranoid; people with similar problems on forums get feedback that everything is OK, that the stuff they can see in the /tmp folder of an Ubuntu Live session is correct and should be there, that it's normal, and everything is OK.

NO, they are not OK! Spoofing new DNS server addresses is not OK! Hiding devices is not OK! Swapping system bash utils for useless ones is not OK! Example? Partition tools are configured/replaced so that they do not display hidden ones, nor the mapping of memory and partitions. It is very easy to check with other tools (lspci, lsmod etc.) or just run them on a clean PC. Also look into the GRUB boot files 🤩 This is the easiest.

Where I am now with my research?

For now I am pretty sure that I have found the correct place, and I think that I'm close to finding a solution (I got the idea at 4:00 AM).

Generally I'm a web developer and designer, so keep in mind that I'm a total NOOB in security-related stuff and also in kernel programming. But if even to me it looks simple and easy, and the threat lives at a low level, I think it will be better if I don't write about it here.

Since these zipped logs are not very helpful, I am attaching new FRST logs.

logs.zip


  • Root Admin

Well, if all of those different OSes are being affected by some redirect, it would have to tie to your router. There is no infection I'm aware of that is able to target iOS, Android, Linux, and Windows.

I would recommend the following if you're using a home router. If you're using an actual, more advanced business router, then I would have someone with router security experience take a look at it.

Please review the following website and read it before continuing and then do a Hard Reset back to Factory Defaults for your router.
This information is only for resetting the router DO NOT erase, install, or update the firmware, just reset your router to factory defaults.

Reset And Reboot

Hard reset or 30/30/30

Thanks again

Ron


A router infection was the 3rd/4th thing that we checked 😐 Since there was a hidden configuration made (a hotspot with a hidden SSID), we just bought a new router 😐

Maybe there is some way that it connects to other devices via other interfaces... In my opinion the problem is in the EFI variables, "efivars". You can change a lot of things with them, and some of the most used features are those connected with the boot process. And what is most important here, they can be changed very easily from the OS level.

If rootkits exist, this kind of infection must also exist. It's logical to me. If an infection can make some changes to the partitions on your HDD, it can also use a command to add, remove and manipulate efivars 🤨 Every OS has its own toolkit to manipulate efivars. Efivars are powerful; for example they can create any kind of phony device on your PC, like a USB storage device 😎 And now the best part! Efivars are a standard of the (U)EFI system, which means that one efivar can work on any (U)EFI device! Boom... 🤯

 💩 "Thank you Intel for another buggy crap!" 💩

One thing that I can't understand is the storage handling and memory mapping. All efivars are stored in NVRAM and I can't figure out how much storage space there is, because it will determine where all the configurations are stored. In my case, all configs are loaded into memory even without a hard drive attached or any other physical storage, and, I think, without any Internet connection.

Of course it's good to have some proofs 🤗

My efivars:


One thing I can say here is that vars like MsdmAddress, lvar, L05OkrData and some more are DEFINITELY non-standard! Also, I made some changes between different OS installations today (I have tried Ubuntu, Fedora, Windows 7 - 10, openSUSE, Kali and some old Kubuntu and Ubuntu distros that I found in a box). Some of them appear between OS installations, but none of them vanished (except those created by the firmware itself).

I got a lot of feedback from an openSUSE installation. Here is a mapping of a subvolume that is mapped only to the system partition (and I can't remove or bypass this mapping during the install process):

[Photo: openSUSE installer subvolume mapping]

Of course, you can say that this BTRFS filesystem, like other modern filesystems, provides encryption solutions! Sure, then the mapping is made this way:

[Photo: openSUSE installer mapping with encryption]

Cool! 😜 But now we know at least what is mapped and where 🤗 I also tried to modify a startup command in the GRUB command line, but with no luck. Probably I don't know how to do it properly, or maybe it's impossible. I have never done things like this before. But GRUB gives me some more information:

[Photo: GRUB command line output]

If we add more information from the Lenovo UEFI Diagnostic Tool (unfortunately, I didn't take any photo), we know that we have two fake USB devices. The most probable scenario, IMHO, is that infected EFI boot files from the OS get some bug and create another USB device. Another scenario is that one device provides some configs before the bootloader, and the other one after it. One thing I am 100% sure of is that everything happens during the boot process. Period.

Some good news...

During all those installations I found a solution to bypass all these changes in Linux systems (at least in Ubuntu installed on an HDD). After installation of the system we need to boot again, but from a USB/CD into a live session. Then we need to install an alternative bootloader (rEFInd or Clover, probably any that is not GRUB). After that we need to uninstall GRUB, remove all GRUB-related configuration from the HDD, then install the GRUB x64 EFI-only package and generate new EFI boot files (grubx64.efi) in a location other than the default. At the end we need to update the path of the Ubuntu entry in the configuration .plist file of our new bootloader. It must point to our newly created grubx64.efi file.

After the reboot we should see our new bootloader. After choosing an OS to boot, we should get a clean (Ubuntu in this example) system ready to work.

But it doesn't remove the infection...

No, it doesn't. Also, I can't get this to work for Windows. Until I find a solution for how to reset all the settings in efivars, another solution worth trying is to set a bootloader to boot a system from a VHD. (U)EFI allows that and much, much more, but if you know how to do that, you probably also know how to reset all the efivars settings 😜

P.S.

I found some more, but I will write about it in a PM, @AdvancedSetup Ron! 😎
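As an added example (not code from the thread, from Malwarebytes or from any tool named in it): a small Python decoder for UEFI variable entries as Linux exposes them, showing how to read each variable's attribute bitmask, decode BootOrder, SecureBoot and SetupMode, and flag entries under non-standard vendor GUIDs that a running OS could rewrite. The sample entries are constructed; file-name handling covers both efivarfs (Name-GUID) and the older sysfs listing order used in the post (GUID-Name).

```python
"""Decode UEFI variables as Linux exposes them (added example, not the thread's code).

efivarfs (/sys/firmware/efi/efivars) names each file <Name>-<VendorGuid>; the first
4 bytes are the little-endian attribute bitmask passed to SetVariable(), the rest is
the data. The older /sys/firmware/efi/vars listing (the order in the post above)
names entries <VendorGuid>-<Name>.
"""
import struct
import uuid

# Vendor GUIDs defined by the UEFI spec itself; anything else is vendor/OS specific.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")  # BootOrder, PK, KEK
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db/dbx
STANDARD_GUIDS = {EFI_GLOBAL_VARIABLE, EFI_IMAGE_SECURITY_DATABASE}
ATTR_BITS = {0x01: "NON_VOLATILE", 0x02: "BOOTSERVICE_ACCESS", 0x04: "RUNTIME_ACCESS",
             0x08: "HARDWARE_ERROR_RECORD", 0x10: "AUTHENTICATED_WRITE_ACCESS",
             0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS"}


def split_var_name(entry):
    """Return (name, vendor_guid) for either file-name order."""
    try:
        return entry[37:], uuid.UUID(entry[:36])    # <VendorGuid>-<Name>
    except ValueError:
        return entry[:-37], uuid.UUID(entry[-36:])  # <Name>-<VendorGuid>


def audit(entry, raw):
    """Summarise one variable: owner GUID, attributes and decoded value."""
    name, guid = split_var_name(entry)
    (attrs,) = struct.unpack_from("<I", raw, 0)
    data = raw[4:]
    info = {"name": name, "guid": str(guid),
            "attrs": [label for bit, label in ATTR_BITS.items() if attrs & bit],
            "standard": guid in STANDARD_GUIDS,
            # Persistent, reachable at OS runtime and not signature-protected: a
            # privileged OS can rewrite it via SetVariable() unless the firmware
            # locks the variable before handing control to the OS.
            "os_writable": bool(attrs & 0x01) and bool(attrs & 0x04) and not attrs & 0x30}
    if guid == EFI_GLOBAL_VARIABLE and name == "BootOrder":
        order = struct.unpack("<%dH" % (len(data) // 2), data)  # array of UINT16
        info["boot_order"] = ["Boot%04X" % n for n in order]
    elif guid == EFI_GLOBAL_VARIABLE and name in ("SecureBoot", "SetupMode"):
        info["value"] = data[0]  # one byte: 1 = Secure Boot enabled / in setup mode
    return info


# Constructed sample entries; not captured from the machine in the thread.
SAMPLE_VARS = {
    "BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c": struct.pack("<I3H", 0x07, 0x2001, 0, 2),
    "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c": struct.pack("<I", 0x06) + b"\x01",
    "8be4df61-93ca-11d2-aa0d-00e098032b8c-SetupMode": struct.pack("<I", 0x06) + b"\x00",
    "lvar-c2873663-b2cb-4f7a-8548-a60411f5ec86": struct.pack("<I", 0x07) + bytes(8),
}
```

On a real system the same `audit()` can be applied to each file under /sys/firmware/efi/efivars; the point of the "standard" and "os_writable" flags is to separate spec-defined variables from vendor ones before deciding which deserve a closer look.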
