Malware that even UnHackme and OsArmor could not prevent

Discussion in 'malware problems & news' started by LOCKit, May 12, 2018.

  1. LOCKit

    LOCKit Registered Member

    Joined:
    May 7, 2018
    Posts:
    9
    Location:
    Slovenia
    Hi,
    I have observed these malware files in BootExecute for several years on my computers and there is nothing I can do to prevent them, even with top security software like UnHackme, OsArmor and ESET antivirus.
    The files will normally not show up, only if I use UnHackme to modify the BootExecuteReg value. After that I start to refresh scanning with Autoruns from Comodo. After the refresh the files appear. I cannot disable this autorun, I can only delete them, but the malware files are back.

    Like I said, there is nothing I can do and I could not prevent them. The developer of UnHackme said this is trash in the registry, but it's clearly not. These are real files and some have text in the Chinese language, and I think the malware is making fun of security software!

    What is your opinion about these files?

    See the attachments!

    Thank you so much!
     

    Attached Files: 1.JPG, 2.JPG, 3.JPG, 4.JPG, 5.JPG, 6.JPG, 7.JPG, 8.JPG, 9.JPG
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Of note: Administrator and above levels have full control over this registry key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.

    For starters, make sure you have UAC set to the maximum level. Next, check the permissions for the registry key for any suspicious entries. Do likewise for this key, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager, since anything in ControlSet001 is copied to CurrentControlSet at boot time.

    Finally, verify in Session Manager that the BootExecute value only contains "autocheck autochk *" and the BootShell value contains "%SystemRoot%\system32\bootim.exe", assuming you're running Win 10. Also, the SetupExecute value should be blank. Make sure you verify these values in both ControlSet001 and CurrentControlSet.
     
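    As an added example (not itman's own steps and not code from any tool named in the thread), the checks above as a PowerShell script: it compares BootExecute, BootShell and SetupExecute in both control sets against the values itman gives and lists which principals hold write rights on each key. It assumes an elevated prompt on Windows 10; the expected values are taken from the post.

```powershell
# Added example (not from the thread): compare the Session Manager boot
# values itman lists against the Windows 10 defaults he gives, in both
# control sets. Run from an elevated PowerShell prompt.
$expected = @{
    BootExecute  = @('autocheck autochk *')             # REG_MULTI_SZ
    BootShell    = '%SystemRoot%\system32\bootim.exe'   # REG_SZ (Win 10)
    SetupExecute = @()                                  # should be empty
}

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
    'HKLM:\SYSTEM\ControlSet001\Control\Session Manager'
)

function Test-SessionManagerKey {
    param([string]$Path)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        # Normalise: a multi-string value comes back as a string array, a
        # missing or empty value as $null; compare both sides as joined text.
        $actualText   = (@($actual) | Where-Object { $_ -ne '' }) -join '|'
        $expectedText = (@($expected[$name])) -join '|'
        if ($actualText -eq $expectedText) {
            "[OK]      $Path\$name = '$actualText'"
        } else {
            "[DIFFERS] $Path\$name = '$actualText' (expected '$expectedText')"
        }
    }
    # Show who may write to the key: anything beyond the usual SYSTEM,
    # Administrators and TrustedInstaller full-control entries deserves a look.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.RegistryRights -match 'FullControl|SetValue|WriteKey' } |
        ForEach-Object { "[ACL]     $Path : $($_.IdentityReference) -> $($_.RegistryRights)" }
}

foreach ($k in $keys) { Test-SessionManagerKey -Path $k }
```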
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Interesting: in picture 3 it has a filename rdpclip.exe, which is for copy-pasting to a remote computer via Terminal Services.
    Looks like the filename is an abbreviation for RemoteDesktoP Clip.
     
  4. LOCKit

    LOCKit Registered Member

    Joined:
    May 7, 2018
    Posts:
    9
    Location:
    Slovenia
    Sorry, but I have messed up my system. Anyway, there was no important info on that machine, just a test PC for OS Armor.
    Could you please explain step by step what to do for my future installation? I had no restore points, sorry.
    Even if I reformat that PC again I am sure that the files will be back soon. Thanks.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    How do you think you got infected? Were you testing malware on your machine, surfing the internet, installing software that might have had a trojan in it, or some other way?
     
  6. LOCKit

    LOCKit Registered Member

    Joined:
    May 7, 2018
    Posts:
    9
    Location:
    Slovenia
    Hard to say, I am no malware tester, nothing special in that PC's usage. It is an Intel Compute Stick with an HDMI connector.
    But like I said, it's been a long time undetected. I doubt the files can be removed. Once you get a rootkit infection your OS will always lie to you. Also, the RATtrap firewall blocked an outgoing attempt on port 123 destined to Hangzhou, China. But I don't know if that PC triggered that block.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If you reformat that disk and reinstall everything from the original installers, then something is inadequate in your security and also where you are going. Otherwise how can that file come back?
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The only way you're going to "get to the bottom of this" is to employ a security solution that can monitor (block) and log what process is modifying the BootExecute reg value.

    Since you mentioned ESET NOD32, just create block and ask HIPS rules with logging and alert user enabled for the following:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\*
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\*

    Enable the ask rule and disable (uncheck) the block rule when you want to modify values/subordinate reg. keys associated with the above noted keys. Then disable the ask and enable the block rule. A block rule is required to catch anything modifying these keys at boot time since ask rules will auto allow if not responded to within the default rule response period.
    Important - only keep the block rule active while diagnosing this problem since it could block app or system necessary update activities to these reg. keys. Either delete the block/ask rules once the problem has been resolved or keep the ask rule enabled and the block rule disabled; or delete the block rule.

    The HIPS rules are as follows. Remember the following needs to be done twice; one with an "Ask" action and one for a "Block" action:

    HIPS rule settings:
    Operations affecting - Registry settings
    Enabled
    Logging severity - Diagnostic
    Notify User - Enabled
    Source applications - All applications

    Registry operations - Modify registry

    Registry entries - Specific entries
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\*
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\*
    Click on the Finish button to save the rule. Click on the OK button when exiting each subsequent screen to save your settings.
     
    Last edited: May 13, 2018
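    Not itman's steps and not an ESET HIPS rule: an added PowerShell example that gets the same "which process modified Session Manager?" log he asks for using Windows' own registry auditing instead, by putting a SACL on the two keys named above and then reading Security-log events 4657/4663. It assumes an elevated prompt and that the Registry audit subcategory is enabled (the auditpol line in the comments).

```powershell
# Added example (not from the thread): a Windows-native way to record which
# process writes to the Session Manager keys, via a registry SACL plus the
# Security event log, as an alternative to the ESET HIPS rules above.
# Run elevated. Auditing must be on for the 'Registry' subcategory:
#   auditpol /set /subcategory:"Registry" /success:enable /failure:enable
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
    'HKLM:\SYSTEM\ControlSet001\Control\Session Manager'
)

function Add-SessionManagerAudit {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -Audit
    # Audit every principal's writes to values and subkeys; record failures
    # too so a denied attempt is also visible.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone',
        'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
        'ContainerInherit', 'None', 'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-SessionManagerChanges {
    param([int]$Hours = 24)
    # 4657 = "A registry value was modified"; 4663 = attempt to access an object.
    $filter = @{ LogName = 'Security'; Id = 4657, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Session Manager' } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Process = $d['ProcessName']      # the writer itman wants identified
                Pid     = $d['ProcessId']
                Object  = $d['ObjectName']
                Value   = $d['ObjectValueName']  # e.g. BootExecute (4657 only)
                User    = $d['SubjectUserName']
            }
        }
}

foreach ($k in $keys) { Add-SessionManagerAudit -Path $k }
Get-SessionManagerChanges -Hours 24 | Format-Table -AutoSize
```

    The SACL persists across reboots, so a boot-time write to BootExecute is logged too; remove the audit rules once the source is found, since system updates to these keys will otherwise keep generating events.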
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I will also add that this type of activity can also be traced back to a malicious device driver.

    A few years back, I had a similar incident. I was running Win 7 at the time and was desperate for a fix for the Realtek network adapter problems I was having at the time. I went to their Taiwanese web site and was rummaging around on their site. Found something that looked good but only available via FTP download. A very bad move on my part.

    If the "culprit" is a malicious kernel-mode device driver, which is a likely possibility if you're running a pre-Win 8.1 OS, nothing is going to help other than finding and removing that driver. A clean OS install might be the easiest option. Make sure you use a bootable hard drive "wipe" utility prior to reinstalling the OS, or replace the hard drive.

    If the issue persists after a clean OS install and the hard drive was not replaced, then you can assume it is device firmware-related, possibly within the hard drive itself. Also, if your PC is a Lenovo, they are notorious for installing "embedded" utilities that are nothing more than backdoors.
     