Something was installed on one of my home computers on 2017/06/30 at about 10 am. None of the typical users have admitted responsibility. At about 11 am it was noticeably malfunctioning and I was called to "fix" it.
It had what appeared to be a BSOD with a stop code of "DRIVER IRQL NOT LESS OR EQUAL" and a "What failed" of "ndistpr64.sys". After a short while, it auto-rebooted into a slightly older-looking blue screen that appeared to be for an NT-era install. It wanted me to choose from a drop-down of countries (USA), and a "type" which let me choose from [desktop|laptop|tablet|phone], or something similar. I chose desktop, ignored the other (forgotten) fields that already had default values, and clicked on the only button on the screen, Next. This took me to a second install-related blue screen that was asking me for my 25-digit product key for Windows, and helpfully had an 800 number in the upper right corner: 1-877-436-7487. As I was unable to ctrl-alt-del or ctrl-shift-esc to a task manager, and as I couldn't alt-tab to other windows or access the task bar or start menu, I gave them a call. My phone reported that I had reached Atelier Canada, Inc., in Toronto, ON.
Overall, I spent about 61 minutes on the phone with them. Initially, they seemed friendly enough, albeit with strong Indian-ish accents and abnormally high line noise. They walked me through finding my Windows 7 Home product key (eventually upgraded to Windows 10) and typing it into the field. However, when this failed, they had me grant them access via LogMeIn, apparently built into the "Windows 10 install" interface by clicking the Windows 10 logo, and when they took control of the mouse/keyboard, they entered their own product key, referring to it as a universal temporary use number. I was starting to get suspicious by this time and started taking photos of things he was doing, including sneaking a shot of his keycode.
After refusing to admit responsibility for being the one to have installed the malware, and apparently asking too many questions, the first guy grew weary of me and a "level 3 technician" came on the line. Coincidentally, he had an identical name, Mike Kessson, as the first technician. He had to re-use their universal temporary use Windows key code several times as the "virus kept kicking" him out. He managed to open a taskmgr, cmd prompt, and control panel. In a date-sorted Programs-and-Features section, he grilled me about the most recently installed programs. Besides LogMeIn (rebranded as GoToAssist) and several Steam games, the only items that had been updated that day were Dropbox and s5m. I had no idea what s5m was. Since then, it's inexplicably disappeared on its own. I later removed Dropbox, for good measure.
In one of his multiple cmd windows, he executed a dos command that I couldn't see but later learned was just "tree". After this went on for several minutes, there appeared a message saying that rootkit conficker! was detected. I tried to ask him what command he had run to discover that conficker! was installed. He said that these were technician only commands and he wasn't permitted to tell me.
Shortly after this conversation, a "Senior Technician" was brought on the line, who detailed how, despite my running windows defender and firewall, I must have granted some malware permission to run. That to fix it would take skilled employees much time (at least two hours), and that they could fix it for the nominal fee of $50/hour. I asked him which command the 2nd Mike Kessen had used to detect this conficker! rootkit and he also told me that these were secret technician only commands and that if I wanted to learn then I would have to get a Microsoft certification. I asked him about the "Atelier Canada" information appearing on my phone and he hung up on me. About 30 seconds later, I saw that the LogMeIn connection had been severed. From that point onward, my internet stopped working.
Fortunately, I had another internet-connected computer nearby. Windows tried to notify me to Turn On Windows Security Center service. However, it could not be started. Neither Windows Defender nor the firewall were operating, nor were several other core and essential services. After a bit of internet searching, I came across a bleepingcomputer entry on ndistpr64.sys, which basically instructed to run, in order, rkill, SpyHunter, Zemana Explorer, ADWCleaner, and HitmanPro. I downloaded all these to a USB drive and plugged it into the infected machine.
From my experience, the system they had managed to install effectively blocked access to everything, but when I entered their keycode, 7wc17-12kde-hfd1u-kds77-19can, I temporarily regained access to the explorer, et al. From this window of opportunity, I was able to attempt to run the 5 cleaning programs.
Rkill seemed to succeed at stopping all the running malware processes. It also noted that several important sounding services were missing.
Each of these was not running and disabled:
* Base Filtering Engine (BFE)
* DHCP Client (Dhcp)
* DNS Client (Dnscache)
* COM+ Event System (EventSystem)
* Windows Firewall Authorization Driver (mpsdrv)
* Windows Firewall (MpsSvc)
* Network Store Interface Service (nsi)
* Plug and Play (PlugPlay)
* Plug and Play (RpcSs)
* Windows Management Instrumentation (Winmgmt)
* Security Center (wscsvc)
"service missing" for each of these:
* agp440
* DcpSvc
* gagp30kx
* IEEtwCollectorService
* IoQos
* nv_agp
* TimeBroker [Missing Service]
* uagp35
* uliagpkx
* WcsPlugInService
* wpcfltr
* WSService
Counterfeit files seemed to exist:
* AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
* RetailDemo => %SystemRoot%\System32\svchost.exe -k rdxgroup [Incorrect ImagePath]
* WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
* vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
* vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
Under normal circumstances, I can restart services. I don't know what to do about either the missing services or, more notably, those 5 with wrong paths or DLLs.
SpyHunter failed to install, reporting "Setup Failed! Setup configuration scripting error."
Zemana installed, but failed to run. After I learned the secret of renaming the executable, I discovered that it would not run unless the computer was connected to the internet.
Finally, HitManPro, too, refused to work without an internet connection.
On reboot, Zemana Explorer, having done more than I'd realized, reported that the system was infected with "Rootit:WinNT/AdClicker!", Driver: ndistpr64.sys, and told me to click OK to reboot and start the cleaning. I eagerly did this, hoping for the best, but it just rebooted, abnormally slowly, into its re-contaminated state with Zemana still reporting that the rootkit was there and still asking to be rebooted. But at least the computer booted into Windows and I didn't have to keep entering the universal temporary use number anymore. However, the inbuilt security had become disabled, most of the services were off, and the internet still was unavailable.
Thinking that this virus was something that could be snuck up on, I rebooted and tried all 5 programs again. There wasn't a change. Same result on the 5th and 8th attempts. Eventually, paying attention to the RKill log, I saw that new items for that day had been created in a few directories, including %appdata%, and several other locations. I located them and, where I was permitted, I renamed the files or the directories to have an AAA prefix. Shockingly, this didn't fix anything.
I'm pleased that I can access my desktop and applications, but, I've come to the point that without the net, this thing is broken to me. And this repair seems to be beyond me. In the past, I would typically just re-install windows, wiping the disk, maybe doing a pre-emptive diskpart.
At this point, I'm facing 3 problems:
* archiving data (trickier w/o communications)
* will a partition/reformat wipe out rootkit?
* how will I re-install Windows when I started as Win 7 Home, did the auto-upgrade to Win 10, and have neither the media nor the Win 10 product keys?
Any constructive feedback you guys can muster is appreciated.
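As an added example (not from the original post, and not RKill's own logic), here is a PowerShell script that audits the two things the RKill output above reports: core services that are stopped and disabled, and services whose ImagePath or ServiceDll points at something other than a Microsoft-signed file under the Windows directory. It assumes an elevated PowerShell 5.1 prompt on Windows 10; the service names are taken from the lists in the post, and the registry layout (ImagePath under the service key, ServiceDll under its Parameters subkey) is the standard one. On older builds Get-AuthenticodeSignature may report catalog-signed system files as NotSigned, so treat an unexpected NotSigned on a file under System32 as "check further", not as proof of tampering.

```powershell
# Added example: audit service registrations for the symptoms reported by RKill.
# Assumes elevated PowerShell 5.1 on Windows 10. Service names below come from the post.
$CoreServices    = 'BFE','Dhcp','Dnscache','EventSystem','mpsdrv','MpsSvc',
                   'nsi','PlugPlay','RpcSs','Winmgmt','wscsvc'
$SuspectServices = 'AJRouter','RetailDemo','WpnService','vmicrdv','vmicvss'

function Get-ServiceBinaryPath {
    # Resolve the file a service really loads: the ServiceDll for svchost-hosted
    # services, otherwise the executable (or driver) named in ImagePath.
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    $image = (Get-ItemProperty -Path $key).ImagePath
    if (-not $image) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($image)
    # Strip quotes and arguments such as "-k netsvcs".
    if ($path -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($path -match '^(\S+)') { $path = $Matches[1] }
    # Normalise the NT-style prefixes drivers use (\SystemRoot\..., \??\C:\...).
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = $path -replace '^\\\?\?\\', ''
    # Relative driver paths (system32\drivers\x.sys) are relative to the Windows directory.
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    return $path
}

function Test-ServiceBinary {
    # Does the resolved file exist, live under %SystemRoot%, and carry a valid signature?
    param([string]$Name)
    $path = Get-ServiceBinaryPath $Name
    $r = [ordered]@{ Service = $Name; Path = $path; Exists = $false
                     UnderSystemRoot = $false; Signature = 'n/a'; Signer = '' }
    if ($path -and (Test-Path $path)) {
        $r.Exists = $true
        $r.UnderSystemRoot = $path.ToLower().StartsWith($env:SystemRoot.ToLower())
        $sig = Get-AuthenticodeSignature -FilePath $path
        $r.Signature = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }
    }
    return [pscustomobject]$r
}

# 1. Core services that are disabled (registry Start value 4) or missing entirely.
#    Kernel drivers such as mpsdrv are not listed by Get-Service, so the start type
#    is read from the registry and Get-Service is only used for the running state.
Write-Host "== Core services: disabled or missing =="
foreach ($name in $CoreServices) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { Write-Host ("{0,-12} MISSING from registry" -f $name); continue }
    $start = (Get-ItemProperty -Path $key).Start      # 2 = Automatic, 3 = Manual, 4 = Disabled
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status } else { 'driver' }
    if ($start -eq 4) { Write-Host ("{0,-12} Start={1} Status={2}" -f $name, $start, $status) }
}

# 2. The services RKill flagged: which file do they load, and who signed it?
Write-Host "`n== Binary check for flagged services =="
$SuspectServices | ForEach-Object { Test-ServiceBinary $_ } | Format-Table -AutoSize

# 3. Whole-system sweep: any service whose binary is missing, outside %SystemRoot%,
#    or not validly signed. Entries without an ImagePath (group keys) are skipped.
Write-Host "`n== All services with a missing, relocated or unsigned binary =="
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { Test-ServiceBinary $_.PSChildName } |
    Where-Object { $_.Path -and (-not $_.Exists -or -not $_.UnderSystemRoot -or $_.Signature -ne 'Valid') } |
    Format-Table -AutoSize
```

The third section is the useful one on a machine like this: a service whose resolved binary sits under %AppData% or a temp directory, or whose signer is not Microsoft, is the kind of entry worth recording (path, hash, signer) before any cleanup, since the post's own experience was that renaming the files alone did not remove the problem.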
2017/07/01 19:40-ish
Thank you to all who responded.
Bruger:
Re Linux switch: I've considered this in the past, but, dependent as I am on adobe, dev, music, and game software that, as far as I know, is only operable in windows, and, not fully trusting my ability to master greps, groks, etc. of the linux/unix world, I think I may be better off in windows at present.
Regarding the fix-software: I downloaded and ran the 4 programs, from the links you suggested: comodo, rkill, unhackme, and combofix.
comodo's killswitch.exe failed to run, reporting that the requested resource is in use. The same result with the other .exe-s in its package: Autoruns.exe & CCE.exe.
rkill: I had previously been running a 64bit version of rkill from a bleepingcomputer link, but I downloaded the 64 bit version, with a slightly different name, rkill_2.8.4.0.exe, from your link. For some reason, now neither version works, with a dialog reporting back that "The requested resource is in use."
UnHackMe seemed to have greater success -- it ran, repeatedly finding the culprit files, granted permission to delete using its preferred method, rebooting, sometimes in safe mode, sometimes to work prior to windows loading, only to find the malware back in place. This ran several times, all the way through.
Combofix was one that I had used for a previous infection. Completely forgot about it. I got the latest version from your link, but apparently, it is not intended to run in 8 and above. On attempting, it declined to proceed. Of note, it downloaded as combofox_17.5.24.14.exe.
I have searched and learned that the "the requested resource is in use" message is the result of the malware deliberately preventing the anti-malware software from running. RKill (like killswitch) was promoted as a tool designed to kill all running malware processes, and, I thought, would be able to run despite the virus/rootkit. I don't know why it worked for me initially but then stopped.
_hill:
I was suspicious of the company name appearing on my phone but have become accepting of Indian-accented tech-support phone help and poor line quality. Also, I was a bit confused initially and mildly, perhaps wildly, hoping that this was going to be a solution.
CaptainChaos:
I think that re-installing windows may be my only alternative at this point. 20+ unproductive fixing hours is approaching my threshold for pain. This machine initially had win7 home, but I had upgraded to win10. At the moment, I've built an installer for win10 onto a thumbdrive.
Cobra92fs:
Yes, I think a fresh install is in order. As to getting the data off the machine... just back from Costco with a 2TB USB3 external portable. Not looking forward to the time it will take to transfer the data, but I've heard that USB3 is reasonably fast.
To All:
I was uncertain of how to extract proof of my valid microsoft win 10 product key (upgraded from 7) from my marginally running system.
I had been told that belarcAdvisor was a tool for this, but couldn't get it to run from windows. I was able to invoke it from PowerShell, but the html page it produced didn't seem to have any keys in it.
Later, I found that, on 2016/10/16, Go_Fish (not a respondent on this page) had published a vb script that accomplished this. I ran and came up with what looks like a legit 25 digit key. I hope it works.
Question:
* When I eventually do attempt to install windows from my usb, what manner of install will I need to do?
* Will any install remove a rootkit or do I need to take special steps?
Thank you in advance.
2017 07 04
Thank you to all who responded.
Unbelievably, until now, I have been attempting, barely successfully, to save my data but hampered in copying it elsewhere. I have disconnected the cat5 so it hasn't been further connecting out.
With regards to the Linux USB boot, I know that most here are knowledgeable about Linux. Sadly, I am not. What no doubt would have been more efficient/safer would probably have just further confused me at an already confusing time. Hopefully, I will learn soon.
I think I have saved (and reduced) all/most of my data to a manageable 1.3 TB. Now, I want to be able to verify which physical drive is my C: before I attempt to wipe/fresh-install. However, driver manager no longer works because the virtual disk service cannot be started. From the command prompt, I am unable to run either chkntfs or diskpart.
When I look at the properties of the three 2 TB drives, I don't know how to determine which letter goes with which hardware name:
* Seagate Ultra Slim MT SCSI Disk Device (this is my new one that has received most of the data)
One of these 2 is my C: and the other my older data drive:
* Hitachi HDS722020ALA330
* ST2000DL003-9VT166
Questions:
1. How do I best determine which drive is which?
2. How do I perform a wipe when diskpart is unavailable?
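As an added example (not from the post or any respondent), the following PowerShell script maps each drive letter to the physical disk that holds it, using the WMI association classes rather than diskpart or Disk Management. It assumes an elevated PowerShell prompt and that the Windows Management Instrumentation service (Winmgmt, one of the services listed as disabled earlier in the thread) has been re-enabled and started, since every query below goes through WMI.

```powershell
# Added example: map drive letters to physical disks without diskpart.
# Assumes elevated PowerShell 5.1 and a running Winmgmt (WMI) service.
function Get-DriveLetterMap {
    $rows = foreach ($disk in Get-CimInstance -ClassName Win32_DiskDrive) {
        # Physical disk -> the partitions on it
        $parts = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition
        foreach ($part in $parts) {
            # Partition -> the logical disk (drive letter) formatted on it, if any
            $vols = Get-CimAssociatedInstance -InputObject $part -ResultClassName Win32_LogicalDisk
            foreach ($vol in $vols) {
                [pscustomobject]@{
                    Letter    = $vol.DeviceID
                    Label     = $vol.VolumeName
                    Model     = $disk.Model          # matches the hardware name shown in Device Manager
                    Serial    = $disk.SerialNumber
                    Interface = $disk.InterfaceType  # 'USB' for the external drive; 'SCSI'/'IDE' for internal SATA
                    DiskIndex = $disk.Index          # the N in diskpart's "select disk N" and in Disk Management
                    SizeGB    = [math]::Round($disk.Size / 1GB)
                    IsSystem  = ($vol.DeviceID -eq $env:SystemDrive)
                }
            }
        }
    }
    $rows | Sort-Object DiskIndex, Letter
}

Get-DriveLetterMap | Format-Table -AutoSize
```

The row with IsSystem set to True names the model and DiskIndex of the disk carrying the running Windows install; the external Seagate will show Interface USB. The same model-to-index mapping is also available outside the infected OS: the Windows 10 installation USB's setup environment provides a command prompt (Shift+F10) in which both diskpart and `wmic diskdrive get index,model,serialnumber,size` run independently of whatever is on the internal disks, which is the safer place to do the actual wipe.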