complex infection, need help

Good afternoon.
I ask for help in diagnosing and removing malicious software.
1. A week ago I bought a smartphone (Galaxy A32 model) with Android 11 OS in the official Samsung store.
The very first activation with a cellular connection and initialization of the smartphone led to infection of the smartphone with malware, and this software:
- registers its modules as system modules, non-removable and non-disableable;
- the process of resetting the smartphone to factory settings does not remove the malware;
- controls network access to Google Play services, the sites of VPN service providers and antivirus software (substituting their fake counterparts).
Thus, I am not able to install the original software to fix the situation, and the fake software does not diagnose any problems.
The ability to update the firmware via Samsung proprietary software for Windows is also not available yet, because:

2. My HP Laptop 15s-eq0039ur computer with Windows 10 Home OS is also infected and has the same signs of network access control.
The complexity of the situation lies in the fact that:
- the computer is filled with malware during the installation/reinstallation of Windows OS;
- with subsequent reboots, it turns into a hidden terminal server;
- runs almost all 64-bit applications in 32-bit WOW64 mode (including installing and running proprietary drivers in an incorrect/restricted environment);
- and a bunch of other things that make a computer vulnerable and dependent on fake cloud infrastructure.
Like on a smartphone, I have problems with access to proprietary antivirus software.
I have great hope for the possibility of using offline malware search and removal utilities on my laptop.
I believe that if there is an opportunity to at least fix problems on a laptop, then this will then solve the problem with flashing my new smartphone.

I do not yet have the ability to safely use high-speed communication channels (WiFi, wired Ethernet).
I am currently using cellular communication and mobile Internet, a VPN client (NordVPN) to access the network.
I am a senior architect for one of the major Russian IT companies; attempts to independently solve the problems that suddenly arose for me did not lead to success (everything turned into a fake overnight).

Taking into account all the above, I am not sure that my letter of appeal will reach the correct (genuine) addressee, but there is still hope.


  • Root Admin

Hello @dsv695

As you may well know, if you are some type of target of a State-sanctioned operation you may not be able to do much about it. They would have the resources to continue an ongoing assault regardless of what we cleaned up or removed.

Start out doing a Factory reset of your router

How To Reset Your Router


Next, purchase a NEW USB thumb drive and perform a clean installation of Windows 10

Greg Carmack - MVP 2010-2020 -Clean Install Windows 10

How to Create a Local Account While Setting Up Windows 10



It is clearly not official state institutions that are hurting me; I have consulted about this. But clearly people with connections.
I noticed 3 years ago the strange behavior of my home computers and since then I have not been left behind.
And yet, I want regular antiviruses to detect this outrage and, if possible, treat it.
The very first thing to do is to get out of isolation, and I think you will help me. After all, good people should help each other))


1. You probably misunderstood me. I wrote that I was experiencing difficulties in network access to the original software.
This means that the MITM attack is ongoing. Moreover, the original site may be available, but when it comes to key functions, such as downloading the original distribution kit, online installation or product registration, some suspicious errors arise. For example, Malwarebytes Premium+Privacy, downloaded from the personal account on the site https://my.malwarebytes.com/ and installed on my laptop, gives an error when registering: Installation_token not found (Error code MB404101).

2. The steps for resetting and reinstalling that you describe have already been performed and repeatedly. Everything repeats from time to time: the infection occurs during the installation process (I believe at the initialization stage of drivers and services) and then everything continues to degrade as reboots are performed (using group policies, etc.). So I don't see any point in repeating these steps yet.
First you need to learn how to identify anomalies and try to neutralize them so that they do not interfere with a clean installation.

3. I attach the scan log of the AVZ antivirus utility (an old incomplete version, which I could get).



Good afternoon.
With VPN, everything is not bad as long as the password of the VPN tunnel user is unknown to the attacker, and he learns it through spyware infection.
I have a question, will we somehow move on or will we continue to discuss theoretical issues?
I kind of sent the text of a specific error, as well as the diagnostic log of the AVZ antivirus utility with specific warnings about the presence of rootkits.


You surprise me unpleasantly with your attitude to my problem. You didn't even try to help me diagnose the problem. You have a whole toolset for this, which I don't have free access to. And you didn't even respond to the diagnostics I sent. Is erasing everything really good advice? It feels like I'm in the wrong place. Can you introduce yourself, who are you and what position do you hold?


  • Root Admin

You have presented yourself as being, or as someone who should be, more than capable of doing this type of work on your own. Anyone that is a Senior Architect would probably have even more experience in networking than I do. I have a working knowledge and certification for networking, but designing networks and infrastructure is well beyond the scope of work that I could perform on my own.

On 12/28/2021 at 4:05 PM, dsv695 said:

I am a senior architect for one of the major Russian IT companies, attempts to independently solve problems that suddenly arose for me did not lead to success (everything turned into a fake overnight).


You present that you've done everything but it turned out to be "fake" as you call it.

You present what I believe is extremely unlikely. You say


the computer is filled with malware during the installation/reinstallation of Windows OS;

I've cleaned thousands of machines in my thirty years in the computer support industry. I've personally installed Windows over a thousand times as well, and I have never once seen a computer filled with malware from clean media booted from USB. Is it possible? Perhaps within a lab environment by some extremely experienced computer technicians, but it is in the realm of the unrealistic.

You say that you've already done what I ask many times.


The steps for resetting and reinstalling that you describe have already been performed and repeatedly


If the computer has some type of unknown UEFI rootkit then to my knowledge there is no way to remove that infection without possibly doing a firmware update. The very few cases reported today though indicate that doing a firmware update doesn't work. At that point replacing the entire computer is the only known method of fixing this issue.


We can do general scanning but you've also said you've had this issue now for three years and it continues today.


I want to help, I really do but computers are not magical. If you follow the directions 100% as stated I've not seen a single user claim it did not work and I have over 95K posts where I've been helping people here with detecting and removing malware.


MITM - gone by CLEAN install via hash-verified Microsoft installation media created on a new or formatted USB thumb drive.
Router factory reset - gone. No access. Now, granted, there are exploits in many routers that if someone were live daily monitoring your router they might be able to regain control, but again that is highly dependent on the router, and as a Senior IT Architect you should already know that more than I do and have/use a router not susceptible to such exploit attack. Also, just because someone is on your network does not mean they automatically have access to your operating system. A new, clean, fresh, up-to-date installation of Windows 10 would be very difficult to attack, and a user would need to know of an undisclosed exploit. All of this takes a VERY experienced person and a LOT of time. Why would anyone spend that amount of time on your computer if you were not some STATE level target? Again, time, money, ROI makes no sense.

Running all the antivirus scans in the world would not find, detect, remove or cure something that removing all partitions, formatting the drive and installing a new copy of Windows 10 would not have already fixed, as you say you've done that.


I'm open to suggestions, but what you're telling me doesn't add up, so I'm not sure how else you expect me to help you. Please help me to help you.

Thank you again




My knowledge and opportunities for compression are limited, especially in matters of IT security, otherwise I really would not have approached you. However, after 3 years of observing the behavior of malware, I came to the following conclusions:
1. This is a completely new type of infection, which is kept secret, so my manifestation of interest in it most likely led to such a long inheritance in my address.
2. The malware is not just a single virus, but a whole software package consisting of many modules, each of which has its own purpose, place and place of execution within the framework of the overall architecture of the complex.
3. The features of this software are:
- phasing of infection, when in the early stages it occurs by traditional well-known methods, the purpose of which is to redirect the traffic of the device's regular services to a fake network /cloud infrastructure for further infecting the device with more malware.
- among the more malicious modules, there are input-output multicontroller programmers that flash the flash memory of the controllers and change the initial BIOS boot addresses using the so-called fuse to configure a non-standard boot sequence. Moreover, the updated controller code itself is loaded into the upper memory addresses and thus does not allow the regular update of the BIOS of the device to be installed, thus building its protection against erasure. The microcontroller code also determines the hardware vector for the operating system, which is manifested by the appearance of fake devices as part of the OS configuration, and many bridges connecting various nodes of the system. This is done so that you can control the device based on a stack of logical network protocols (ip, winsocket, ethernet, virtual adapters, wireless monitor, etc.) and standard and non-standard physical protocols (ACPI, serial access protocols over radio communications, electrical networks, etc.).
- remote registration of devices in a cloud malicious network/domain and their management by regular means of administration of this cloud infrastructure. Devices are being virtualized, personal devices seamlessly migrate (turn) into a terminal server, where console login is carried out within a virtual session.
- a wide range of developments in the complex, providing coverage of a large variety of devices and OS.
- and a bunch of other features (I won't go too deep).

Now about what I would like to do:
- try to identify as many anomalies and holes as possible, the correction of which would make it possible not to throw infected equipment into the landfill. To do this, use your diagnostic utilities (toolset) to diagnose those problems that can be fixed now and/or later.
- to get an official conclusion from you about the presence of such anomalies (infection) in order to have grounds to seek help from law enforcement agencies.


  • Root Admin

Okay - let's run some scans and see what we come up with.


Reset your router to factory defaults. Check for firmware updates. Enable a very strong password.

How To Reset Your Router



Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...


Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)


Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program


If no threats were found please confirm that result...

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.


Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Please attach that log on your next reply




Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.


Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article



I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 



Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the End result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands ..... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.


I'll check back on you tomorrow


Thank you


Link to post
Share on other sites

Good afternoon.
I apologize for the pause; I had to rewire the router for a long time, as it is also under the control of the malware.
They just interfered with the regular update procedures in real time. That took the most time.
The result is as follows:
1. The Keenetic 4G router (KN-2111) provides the ability to access the Internet via a cellular modem (via a Samsung Galaxy A32 smartphone). But there are still traces of reconfiguration at the Linux kernel level in the router log. Moreover, I get access to certain sites, but not to certain ones (for example, the site https://nordvpn.com/ru opens, but an attempt to log in to your account from it leads to a redirect from the address https://account.nordvpn.com/oauth2/login to the page https://portal.nordaccount.com/oauth2/login?nord_countdown=1641500540836&FirstSession=source%3Dnordvpn.com%26campaign%3D%26medium%3Dreferral%26term%3D%26content%3D%26hostname%3Dnordvpn.com%26date%3D20220106%26query%3Dnull&CurrentSession=source%3Dyandex%26campaign%3DRussia+Brand%26medium%3Dcpc%26term%3Dnordvpn%26content%3D%26hostname%3Dnordvpn.com%26date%3D20220106%26query%3Dyclid>18139766578282027701&locale=ru&nextbid=37c01990-8ad0-4a2c-b0ec-e0bcc1ded0fd&cf-product-group=nordvpn - the Opera browser with the VPN installed writes "It is not possible to get access to the site" and offers to check the network settings, etc.)

2. On the forum, following your link, I get to the Sophos Scan & Clean page (https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx) and after a few clicks I get the Access Denied page when I try to download the utility (https://download.sophos.com/tools/SophosScanAndClean_x64.exe).
So it was not possible to use this utility. But there is most likely a software error on the site itself.

3. The utility from Microsoft (MSERT.exe) downloaded without any problems. But a full scan gave a zero result (a successful scan found nothing). But here I believe the quality of the analysis suffers. Each file is checked separately, and not their combination, configuration and validity in a given context.

Still, you need to try to scan with a more serious utility. If this is the utility from Sophos, then I ask you to give me a link to an already downloaded and verified distribution, preferably either in the form of an archive file with a password, or with the distribution accompanied by a checksum so that I can verify it after downloading.


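The Root Admin's point about "hash-verified" installation media and the request above for a checksum to verify the downloaded scanner are the same check. This added example (not code from the thread or from any of the vendors named here) shows how a defender would do it in PowerShell: compare the file's SHA-256 against the value published on the vendor's download page, and for an executable also check that its Authenticode signature chain is valid. The function name, the download path and the expected-hash placeholder are assumptions; the real hash must come from the vendor's page.

```powershell
# Added example, not from the thread: checks a downloaded installer or ISO
# against a vendor-published SHA-256 value, and for executables also checks
# the Authenticode signature. The expected hash must be copied from the
# vendor's download page; the value in the usage call is a placeholder.
function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    # Step 1: the SHA-256 must match the published value. PowerShell string
    # comparison is case-insensitive, so the hex case does not matter.
    $expected = $ExpectedSha256.Trim()
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        Write-Warning "SHA-256 mismatch for $Path"
        Write-Warning "  expected: $expected"
        Write-Warning "  actual:   $actual"
        return $false
    }
    Write-Host "SHA-256 matches the published value."

    # Step 2: ISO images carry no Authenticode signature, so the hash check
    # is all that can be done for them.
    if ([IO.Path]::GetExtension($Path) -ieq '.iso') {
        return $true
    }

    # Step 3: an executable must carry a valid signature chain. A replaced or
    # patched binary normally shows NotSigned or HashMismatch here, which is
    # what a substituted download would look like.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }
    Write-Host "Signer:     $($sig.SignerCertificate.Subject)"
    Write-Host "Issuer:     $($sig.SignerCertificate.Issuer)"
    Write-Host "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
    return $true
}

# Usage (assumed download location; replace the placeholder with the hash
# from the vendor page). Exits non-zero if either check fails.
$ok = Test-DownloadIntegrity -Path "$env:USERPROFILE\Downloads\MSERT.exe" `
                             -ExpectedSha256 '<SHA256 FROM VENDOR PAGE>'
if (-not $ok) { exit 1 }
```

A matching hash only proves the file is the one the vendor published; if the page that shows the hash was itself reached over an untrusted path, compare it from a second, independent connection.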

  • Root Admin

The Sophos download cannot be downloaded via a direct link like that. You need to fill in a form twice but never mind. We'll use some other scanners.



Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, click on Full scan
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".


Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3





Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not



  • 4 months later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection



This topic is now closed to further replies.