NintiesAsus

MBAM Detects Downloaded Concealed Malware & Outbound RTP Trojan Through 443


Hi everyone,

Several months back, I bought an Asus laptop which came with an internal HDD and a DVD-CD drive. I replaced the DVD-CD drive with an SSD using a Sata to SSD adaptor. I then partitioned my user account from the HDD drive between itself and the SSD drive.

I initially avoided partitioning the account between the two drives, as I initially wanted to take the original HDD out and swap it for an SSD. But I'm unfamiliar with how to do so and also heard it's a tedious process of finding the right BIOS firmware and matching it to a replacement SSD/HDD to replace any stock factory HDD. So for now, the factory HDD is still in there, and an added SSD is now functioning as my primary boot drive.

For the following write-up, I have provided screenshots via my phone of what happened, as I cannot transfer actual screenshots or text from my laptop to the internet.

(Problem 1 - Is it possible to remove a factory HDD and swap in an SSD with the correct BIOS?) To anyone overseeing this post, please suggest what I can do to permanently remove the HDD and swap it for the SSD instead, to keep it as the only and primary boot drive; that would be great. Yet as you read on, the bulk of my problem is below, and the above dilemma is one small issue that you may be able to suggest a solution to after all of the below is sorted out.

When I first bought the laptop, I tried to completely wipe all data left behind on the HDD. Yet I found that the previous owner had somehow partially disabled access to the recovery option built into the laptop. That is, when F9 was pressed before booting, the laptop sometimes ignored the command to load the built-in Windows 10 recovery screen and just restarted again and again. This was another reason why I wanted to swap the HDD out for an SSD alone. Even if it sometimes reached the Windows 10 recovery screen, the laptop restarted. Sometimes F9 worked and the screen appeared, yet when I wanted to progress further than this screen and activate an option such as refreshing Windows 10 from the inbuilt HDD partition or with the use of a Windows 10 OS media USB, I would select an option and the screen unfortunately disappeared and just restarted. After many attempts of pressing F9, I had one successful attempt where the recovery option worked, and it did so with a Windows 10 OS media disc. It luckily decided to read and boot the Windows 10 OS media disc. Therein, I was able to refresh Windows 10 only once, and I swapped in the SSD and performed said partitioning.

While reading this, you may have noticed I've given an elaborate explanation about how the laptop is built and what its current issues are. These points are integral to understand, as you will now know how many constraints I have with what very few tools are left inside the laptop to fix the problems below. (Problem 2 - Can I wipe the partitioned Windows account and just use one account instead?) In summation of the above, there is a partitioning of my account over two drives that needs to be wiped clean now, which is not something I'm familiar with how to do. The reason as to what happened very recently and why the laptop needs to be reimaged is elaborated on below. Please remember, there is no ability to reimage with a Windows 10 OS media USB, yet it can probably be done if I spend time trying with a Windows 10 OS media disc; hopefully at least, as I did once in the past. I've ordered a USB to SATA adaptor now to arrive in a few hours, so I can plug my DVD-CD drive into the PC and most likely boot a Windows 10 OS media disc.

(Problem 3 - Malware) A few months further into its use, I tried to locate and download an important codec/driver package integral to my work, which turned out to be a big mistake soon after. I was in a huge rush and did the craziest thing of not checking the file with VirusTotal, and instead downloaded concealed malware. First time in many years I carelessly made a mistake, all under duress of a work timeframe. Upon clicking download, an automated program launcher appeared without any header to denote what it was that was now installing. Within the first few seconds my instincts kicked in, and I cut the Wi-Fi out when this happened and immediately tried to use Task Manager to cut its processes off. The automated launcher began showing an install progress status bar. Even after cutting out the Wi-Fi and trying to close it down, it kept loading from a small percentage onwards. It unfortunately force-executed and installed a program, delivering its payload.

I immediately checked for any newly installed applications in Add or Remove Programs, and found Avast was downloaded without my permission. Avast then popped up in the next few seconds, which, as I looked into at the time, was most likely a fake imitation antivirus install. It force-ran and then did a "scan," saying my PC was infected. I knew that if I reconnected, and if by chance this malware was something more than just fake adware, it could be an imitation antivirus concealing a trojan. It could even deliver more damage if it was concealed spyware 'calling home' after watching my keystrokes over time if left untouched. At this point, my knowledge of malware left me to manually go into the file directory and delete everything I could in the Avast folder. I had no choice herein, and I had to reconnect to Wi-Fi to promptly download Malwarebytes. Malwarebytes searched and isolated via quarantine all findings. I kept the original source file that delivered the payload, and threw it into VirusTotal for checking after Malwarebytes quarantined the threats. 13 of 72 antivirus programs used by VirusTotal found it to be malicious.

The following notable antivirus programs in VirusTotal found the file to be of the following nature:

1) Avira = Heuristics/Agen 1046068
2) Fortinet = W32/Ulise.988!tr
3) Sophos AV = Innomod (PUA)
4) DrWeb = Trojan Installcore
5) F-Secure = Heuristics
6) Microsoft = Win32 Installcore
7) Sophos = Heuristics

I went into the registry keys and program services and removed any possible traces. I went into the command prompt and checked for any possible residual or hidden files the virus may have left, according to Google searches showing the malware's behavior. Even some temp files. My worry is I might not have been thorough enough.

(Problem 4 - Final Issue) After learning about what virus I was dealing with, I then ended up searching for a holistic approach to remove the virus. I searched for heuristics and Installcore via Google. I researched this to properly identify symptoms that occur on a victim's PC and to view screenshot images that may be synonymous with my laptop. Upon searching in Google Images, it was just my luck that a rare occurrence came about, where a damn image executable virus hit my laptop. All I simply did was click on the image preview in Google Images from some pr*ck's website which had an annotation of "remove malware tips" with a random screenshot above that in Google Images. Without even visiting the website, and only by clicking on the image preview, out of nowhere, it threw out a payload of some sort on my laptop, and Malwarebytes responded stating 'RTP Detection' was found. I don't get what kind of luck this is, but I ended up with two viruses at that point by trying to clean up one in the first place.

Within seconds Malwarebytes found the website known as 'diderstevens' to be sending an outbound trojan through port 443 on our modem. Malwarebytes seized it as an RTP detection through our port 443, calling it an outbound trojan. It reappeared another 10 minutes later. I then downloaded Kaspersky's TDSSKiller, HitmanPro and Wireshark to see if any packets were being sent out. I wasn't able to go any further beyond analyzing that it connected via MBAM, as some of the programs required an internet connection. At this point I downloaded RegAssassin, Kaspersky, KVRT, GMER (which, when opened, states your registry keys are affected, but when the scan runs, a blue screen kicks in) and a temp file cleaner. I don't think it's cleaned, as the trojan kept hitting through when Malwarebytes was connected to the internet.

After all this happened, I disconnected the Wi-Fi, removed the WLAN card from my laptop (and likewise for my other laptop connected to the Wi-Fi) and then removed all means of access to the laptop. There weren't any important files on this laptop, but if it spread to all devices, I couldn't take that chance. I should have posted here first, but I only found the forums recently. 2 attempts were made from the webpage that was sending the outbound trojan, and I need to know what to do from here on in.

Should I try to burn a specialized set of programs onto a disc for the laptop (any other malware-removing programs other than the ones I mentioned I used earlier)? I'd use an external USB to SATA CD drive adaptor so I can read discs, push programs onto the affected laptop and wipe the drives using an antivirus that doesn't require an internet connection. Otherwise I can try running the disc multiple times with the F9 boot option to see if I can wipe it completely. My only worry with this option is that I've heard malware and infections can be really concealed within Windows despite anti-malware programs saying your PC is clean and despite refreshing or reinstalling Windows. I also see my Windows is functioning really slowly on that affected laptop. I know that viruses can hide amongst registry keys, and I've even heard of BIOS viruses being able to survive hard drive wiping, rendering PCs useless when they choose to, or intruding into any means of privacy you think you have.

Really appreciate your time, hope to hear soon!


PS, it might be better to burn any necessary files onto a disc, such as Farbar or any other necessary rootkit-removing and virus-cleaning tools, as I did a little quick reading after posting this, and found Installcore (HKU S-1-5-21 by Innomod) has an ability to specifically hide in the system once Windows is prompted to refresh. I think therein I'll refresh Windows. Thanks once again, hope to hear soon!


Hello @NintiesAsus and welcome.

Let me have you run the steps below and post back the requested logs.

Please do not post screenshots unless asked for.

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.


RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
