ROOTKIT autochk.exe *


So I am going to start off by saying I’m typing from my phone currently because two laptops and two PCs are in an unbootable state with no OS. I read a thread here where you just seemed to call the guy paranoid because you said it looks completely normal, but I have everything saved on a USB, some logs and how this rootkit works. After weeks of trying to remove this I’ve still not managed to completely remove it since it infects the BIOS.. if you reinstall Windows and you put Sysinternals tools on a USB.. you can see that the first time you boot up you have autochk * autochk.exe in Autoruns.. this makes accounts on your computer which are not visible to me. It works by making a shadow volume and taking over svchost.exe PID 86 and then the kernel.. you can verify this by running CMD.. and writing

vssadmin list shadows /for=%systemdrive%

and I get something like…

Contents of shadow copy set ID: {b746358f-acf1-474d-9e1d-dcf15cf08b1d}
   Contained 1 shadow copies at creation time: 7/17/2021 7:15:01 PM
      Shadow Copy ID: {b4080b4c-a7b0-499d-91f0-783b12d4bf74}
         Original Volume: (C:)\\?\Volume{67a32b23-68ff-4388-8e65-67aa24d7e244}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Or

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

To delete this I run in CMD:

vssadmin delete shadows /for=C: /quiet

then I take control back of the recovery files by running..

icacls C:\Windows\system32\config\*.* /inheritance:e

But that’s about how far I get.. No scanner on my system can find anything, everything is signed. I’ve tried rescue disks from ESET, I’ve tried Kaspersky.. name it, I’ve tried it. The reason I linked that guy’s thread that is locked is because those are the folders I have too..

@AppHelpToast
@AudioToastIcon
@BackgroundAccessToastIcon
@bitlockertoastimage
@edptoastimage
@EnrollmentToastIcon
@language_notification_icon
@optionalfeatures
@VpnToastIcon
@WiFiNotificationIcon
@WindowsHelloFaceToastIcon
@windows-hello-V4.1
@WindowsUpdateToastIcon.contrast-black
@WindowsUpdateToastIcon.contrast-white
@WindowsUpdateToastIcon
@WirelessDisplayToast
@WwanNotificationIcon
@WwanSimLockIcon

Some research showed me these tools are actually netstat and so on.. However, I’m going to format my PC one more time and show you the logs, but I’ve tried and everything looks normal since they hook into the kernel and are signed… But I can’t update and I get a ton of bloatware that helps the rootkit more as soon as internet is up…

What should I do? What amazes me is I had a PC that hadn’t been plugged in to the internet at all, so I figured I’m gonna make my image from there, but no, I boot it up, no wireless, no internet cable, and it was infected too..

Some different sources because it’s a mix of them.. And it’s stuck in my UEFI..

 

https://repnz.github.io/posts/autochk-rootkit-analysis/

https://www.bleepingcomputer.com/news/microsoft/new-windows-10-vulnerability-allows-anyone-to-get-admin-privileges/
 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

 

https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5

 

My question would be how do I take control of the system again since it’s rooted in the UEFI and no antivirus can find it… I’ve spent literally days deleting file by file with afar at and Sysinternals but I can’t update my system and as soon as I connect back up to the internet it’s the same.. So no, that guy wasn’t crazy or paranoid.. I’ve switched router, password, SSD, laptops, PCs, everything gets REJT with safe boot. OK that’s about it, that’s how much I can type from my phone. I will update from my PC. If anyone could help that would be great assistance, thanks

 

And PS, next time don’t wave off people like they are paranoid.. because trust me, he was not…
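The vssadmin and icacls commands in the post above are the two halves of the workaround Microsoft published for CVE-2021-36934 (HiveNightmare), which the poster links: restore inheritance on the ACLs of the registry hives under %windir%\System32\config, then delete the shadow copies that were taken while the hives were readable by standard users. As an added example that is not part of this thread, any poster's tooling, or Microsoft's own code, the following PowerShell script lets a defender check a host for both conditions read-only (are there shadow copies, and does BUILTIN\Users hold Read on SAM/SYSTEM/SECURITY) and, only when run with -Remediate, applies that workaround. The cmdlets, the Win32_ShadowCopy class and the FileSystemRights flags are real; the script structure and the -Remediate switch are assumptions introduced here.

```powershell
# Added example (not from the thread): triage the CVE-2021-36934 / HiveNightmare
# condition on a Windows host. Run from an elevated PowerShell.
#   1. List volume shadow copies (the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
#      devices the poster's vssadmin output shows).
#   2. Check whether BUILTIN\Users has Read access on the SAM/SYSTEM/SECURITY hives.
# -Remediate applies Microsoft's published workaround: icacls /inheritance:e on the
# config directory contents, then vssadmin delete shadows for the system drive.
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $configDir $_ }

function Test-HiveReadableByUsers {
    param([string]$Path)
    # An Allow ACE for BUILTIN\Users carrying ReadData is the vulnerable state: the
    # live hive is locked, but the same ACL applies to the copy inside a shadow volume.
    $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
    $aces = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readBit) -eq $readBit)
    }
    return [bool]$aces
}

Write-Host "== Shadow copies on this host =="
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
if ($shadows.Count -eq 0) { Write-Host "  none" }
foreach ($s in $shadows) {
    # DeviceObject is the GLOBALROOT device path; InstallDate is the creation time.
    Write-Host ("  {0}  created {1}" -f $s.DeviceObject, $s.InstallDate)
}

Write-Host "`n== Hive ACL check (CVE-2021-36934 condition) =="
$exposed = @()
foreach ($hive in $hives) {
    $bad = Test-HiveReadableByUsers -Path $hive
    Write-Host ("  {0,-9} BUILTIN\Users read access: {1}" -f (Split-Path $hive -Leaf), $bad)
    if ($bad) { $exposed += $hive }
}

if ($exposed.Count -gt 0 -and $shadows.Count -gt 0) {
    Write-Warning "Hives are readable by Users and shadow copies exist: a standard user can read the hive contents via a shadow copy."
} elseif ($exposed.Count -gt 0) {
    Write-Warning "Hives are readable by Users; no shadow copies currently exist, but any new one would expose them."
} else {
    Write-Host "`nHive ACLs are restricted; the CVE-2021-36934 condition is not present."
}

if ($Remediate) {
    # Microsoft's workaround, in the same order the poster used it.
    & icacls.exe "$configDir\*.*" /inheritance:e
    & vssadmin.exe delete shadows /for=$env:SystemDrive /quiet
    Write-Host "Workaround applied. Existing restore points on $env:SystemDrive were removed."
}
```

Deleting the shadow copies also removes every System Restore point on that volume, so take a fresh restore point or backup afterwards. Note what this check does and does not tell you: a restricted ACL and an empty shadow copy list mean the HiveNightmare condition is absent, which is a separate question from the firmware persistence the poster suspects; a firmware-level claim needs a firmware-level check (the TDSSKiller UEFI scan suggested later in the thread is one such tool).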


Hello @Scr1ptk1d and welcome.

Inasmuch as this is a Mac sub-forum, I have asked forum management to consider moving this topic to the Windows Malware Removal Help & Support sub-forum. In the meantime, please read the https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ topic.

Thank you.


Hiya Scr1ptk1d and welcome to Malwarebytes,

After you have reinstalled windows and your system is set up please do the following:

Reset your router, that is take it back to factory default settings: http://setuprouter.com/networking/how-to-reset-your-router

Next,

Disable smart screen if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....

Run the following scan, let's see if anything shows up:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language, right click on FRST/FRST64 and rename it FRSTEnglish/FRST64English.

  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt). Please attach that log to your reply.


Thank you,

Kevin

Thank you for your assistance and trying to help, but I’ve already completed the steps in the list multiple times without results, so what I’m doing now is I am reinstalling and trying to catch every handle, DLL and file of this rootkit so I can upload it to multiple AV companies and Microsoft itself. I’m doing analysis with Sysinternals and dissecting.. I have come to a certain acceptance that I’m not getting rid of this without help. I’ve scanned everything in for Buer, I got help on other forums, I deleted everything, in the end the system gets overtaken by this rootkit again and it doesn’t matter what I install with. I have made the image at a friend’s house with a completely clean PC.. This is a combo made of the latest CVEs so I’m just waiting for patches or maybe try Windows 11.. Or actually I’ve heard that if you go Qubes OS then from there you can clean your system and install fresh, anyone that has any knowledge about Qubes OS?


I’m working on that right now. I’m making a bootable Windows from my phone since this rootkit made 2 laptops and 3 PCs unusable; it just filled the SSD, caused a blue screen and then it was an empty blue screen, no OS… I’ll post the logs as soon as I get one of the computers running.. I have some files on a USB, maybe I can transfer them to the phone somehow.. I’m doing everything I can.. I’ll update as soon as I get something POSTing.


When you have a system up and running, can you try TDSSKiller? It has the ability to check the UEFI BIOS and other rootkit activity....

https://firmwaresecurity.com/2018/12/01/kaspersky-tdss-killer-now-with-uefi-support-and-kaspersky-anti-virus-for-uefi-kuefi/

Tool available here:

https://usa.kaspersky.com/downloads/tdsskiller


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
