Help! Rootkit Kicking My Butt

Something was installed on one of my home computers on 2017/06/30 at about 10 am. None of the typical users have admitted responsibility. At about 11 am it was noticeably malfunctioning and I was called to "fix" it.

It had what appeared to be a BSOD with a stop code of "DRIVER IRQL NOT LESS OR EQUAL" and a "What failed" of "ndistpr64.sys". After a short while, it auto-rebooted into a slightly older-looking blue screen that appeared to be for an NT-era install. It wanted me to choose from a drop-down of countries (USA), and a "type" which let me choose from [desktop|laptop|tablet|phone], or something similar. I chose desktop, ignored the other (forgotten) fields that already had default values, and clicked on the only button on the screen, Next. This took me to a second install-related blue screen that was asking me for my 25-digit product key for Windows, and helpfully had an 800 number in the upper right corner: 1-877-436-7487. As I was unable to ctrl-alt-del or ctrl-shift-esc to a task manager, and as I couldn't alt-tab to other windows, or access the task bar or start menu, I gave them a call. My phone reported that I had reached Atelier Canada, Inc., in Toronto, ON.

Overall, I spent about 61 minutes on the phone with them. Initially, they seemed friendly enough, albeit with strong Indian-ish accents and abnormally high line noise. They walked me through finding my Windows 7 Home product key (eventually upgraded to Windows 10) and typing it into the field. However, when this failed, they had me grant them access via LogMeIn, apparently built into the "Windows 10 install" interface by clicking the Windows 10 logo, and when they took control of the mouse/keyboard, they entered their own product key, referring to it as a universal temporary use number. I was starting to get suspicious by this time and started taking photos of things he was doing, including sneaking a shot of his keycode.

After refusing to admit responsibility for being the one to have installed the malware, and apparently asking too many questions, the first guy grew weary of me and a "level 3 technician" came on the line. Coincidentally, he had an identical name, Mike Kessson, as the first technician. He had to re-use their universal temporary use Windows key code several times as the "virus kept kicking" him out. He managed to open a task manager, cmd prompt, and control panel. In a date-sorted Programs and Features section, he grilled me about the most recently installed programs. Besides LogMeIn (rebranded as GoToAssist) and several Steam games, the only items that had been updated that day were Dropbox and s5m. I had no idea what s5m was. Since then, it's inexplicably disappeared on its own. I later removed Dropbox, for good measure.

In one of his multiple cmd windows, he executed a dos command that I couldn't see but later learned was just "tree". After this went on for several minutes, there appeared a message saying that rootkit conficker! was detected. I tried to ask him what command he had run to discover that conficker! was installed. He said that these were technician only commands and he wasn't permitted to tell me.

Shortly after this conversation, a "Senior Technician" was brought on the line, who detailed how, despite my running windows defender and firewall, I must have granted some malware permission to run. That to fix it would take skilled employees much time (at least two hours), and that they could fix it for the nominal fee of $50/hour. I asked him which command the 2nd Mike Kessen had used to detect this conficker! rootkit and he also told me that these were secret technician only commands and that if I wanted to learn then I would have to get a Microsoft certification. I asked him about the "Atelier Canada" information appearing on my phone and he hung up on me. About 30 seconds later, I saw that the LogMeIn connection had been severed. From that point onward, my internet stopped working.

Fortunately, I had another internet-connected computer nearby. Windows tried to notify me to turn on the Windows Security Center service. However, it could not be started. Neither Windows Defender nor the firewall were operating, nor several other core and essential services. After a bit of internet searching, I came across a bleepingcomputer entry on ndistpr64.sys, which basically instructed to run, in order, rkill, SpyHunter, Zemana Explorer, AdwCleaner, and HitmanPro. I downloaded all these to a USB drive and plugged it into the infected machine.

From my experience, the system they had managed to install effectively blocked access to everything, but when I entered their keycode, 7wc17-12kde-hfd1u-kds77-19can, I temporarily regained access to the explorer, et al. From this window of opportunity, I was able to attempt to run the 5 cleaning programs.

Rkill seemed to succeed at stopping all the running malware processes. It also noted that several important sounding services were missing.

Each of these was not running and disabled:
* Base Filtering Engine (BFE)
* DHCP Client (Dhcp)
* DNS Client (Dnscache)
* COM+ Event System (EventSystem)
* Windows Firewall Authorization Driver (mpsdrv)
* Windows Firewall (MpsSvc)
* Network Store Interface Service (nsi)
* Plug and Play (PlugPlay)
* Plug and Play (RpcSs)
* Windows Management Instrumentation (Winmgmt)
* Security Center (wscsvc)

"service missing" for each of these:
* agp440, DcpSvc, gagp30kx, IEEtwCollectorService,
* IoQos, nv_agp, TimeBroker [Missing Service],
* uagp35, uliagpkx, WcsPlugInService, wpcfltr,
* WSService

Counterfeit files seemed to exist:
* AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
* RetailDemo => %SystemRoot%\System32\svchost.exe -k rdxgroup [Incorrect ImagePath]
* WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
* vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
* vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Under normal circumstances, I can restart services. I don't know what to do about either the missing services or, more notably, those 5 with wrong paths or DLLs.

SpyHunter failed to install, reporting "Setup Failed! Setup configuration scripting error."

Zemana installed, but failed to run. After I learned the secret of renaming the executable, I discovered that it would not run unless the computer was connected to the internet.

Finally, HitManPro, too, refused to work without an internet connection.

On reboot, Zemana Explorer, having done more than I'd realized, reported that the system was infected with "Rootit:WinNT/AdClicker!", Driver: ndistpr64.sys, and told me to click OK to reboot and start the cleaning. I eagerly did this, hoping for the best, but it just rebooted, abnormally slowly, into its re-contaminated state with Zemana still reporting that the rootkit was there and still asking to be rebooted. But at least the computer booted into Windows and I didn't have to keep entering the universal temporary use number anymore. However, the inbuilt security had become disabled, most of the services were off, and the internet still was unavailable.

Thinking that this virus was something that could be snuck up on, I rebooted and tried all 5 programs again. There wasn't a change. Same result on the 5th and 8th attempts. Eventually, paying attention to the RKill log, I saw that new items for that day had been created in a few directories, including %appdata%, and several other locations. I located them and, where I was permitted, I renamed the files or the directories to have an AAA prefix. Shockingly, this didn't fix anything.

I'm pleased that I can access my desktop and applications, but I've come to the point that without the net, this thing is broken to me. And this repair seems to be beyond me. In the past, I would typically just re-install Windows, wiping the disk, maybe doing a pre-emptive diskpart.

At this point, I'm facing 3 problems:
* archiving data (trickier w/o communications)
* will a partition/reformat wipe out the rootkit?
* how will I re-install Windows when I started as Win 7 Home, did the auto-upgrade to Win 10, and have neither the media nor the Win 10 product keys?

Any constructive feedback you guys can muster is appreciated.


2017/07/01 19:40-ish
Thank you to all who responded.


Bruger:
Re Linux switch: I've considered this in the past, but, dependent as I am on adobe, dev, music, and game software that, as far as I know, is only operable in windows, and, not fully trusting my ability to master greps, groks, etc. of the linux/unix world, I think I may be better off in windows at present.

Regarding the fix-software: I downloaded and ran the 4 programs, from the links you suggested: comodo, rkill, unhackme, and combofix.

comodo's killswitch.exe failed to run, reporting that the requested resource is in use. The same result with the other .exe files in its package: Autoruns.exe and CCE.exe.

rkill: I had previously been running a 64-bit version of rkill from a bleepingcomputer link, but I downloaded the 64-bit version, with a slightly different name, rkill_2.8.4.0.exe, from your link. For some reason, now neither version works, with a dialog reporting back that "The requested resource is in use."

UnHackMe seemed to have greater success -- it ran, repeatedly finding the culprit files, granted permission to delete using its preferred method, rebooting, sometimes in safe mode, sometimes to work prior to windows loading, only to find the malware back in place. This ran several times, all the way through.

Combofix was one that I had used for a previous infection. Completely forgot about it. I got the latest version from your link, but apparently, it is not intended to run in 8 and above. On attempting, it declined to proceed. Of note, it downloaded as combofox_17.5.24.14.exe.

I have searched and learned that the "the requested resource is in use" message is the result of the malware deliberately preventing the anti-malware software from running. RKill (like killswitch) was promoted as a tool designed to kill all running malware processes, and, I thought, would be able to run despite the virus/rootkit. I don't know why it worked for me initially but then stopped.


_hill:
I was suspicious of the company name appearing on my phone but have become accepting of Indian-accented tech-support phone help and poor line quality. Also, I was a bit confused initially and mildly, perhaps wildly, hoping that this was going to be a solution.


CaptainChaos:
I think that re-installing windows may be my only alternative at this point. 20+ unproductive fixing hours is approaching my threshold for pain. This machine initially had win7 home, but I had upgraded to win10. At the moment, I've built an installer for win10 onto a thumbdrive.


Cobra92fs:
Yes, I think a fresh install is in order. As to getting the data off the machine... just back from Costco with a 2TB USB3 external portable. Not looking forward to the time it will take to transfer the data, but I've heard that USB3 is reasonably fast.


To All:
I was uncertain of how to extract proof of my valid Microsoft Win 10 product key (upgraded from 7) from my marginally running system.

I had been told that Belarc Advisor was a tool for this, but couldn't get it to run from Windows. I was able to invoke it from PowerShell, but the HTML page it produced didn't seem to have any keys in it.

Later, I found that, on 2016/10/16, Go_Fish (not a respondent on this page) had published a VB script that accomplished this. I ran it and came up with what looks like a legit 25-digit key. I hope it works.

Questions:
* When I eventually do attempt to install Windows from my USB, what manner of install will I need to do?
* Will any install remove a rootkit, or do I need to take special steps?

Thank you in advance.


2017/07/04


Thank you to all who responded.

Unbelievably, until now, I have been attempting, barely successfully, to save my data but hampered in copying it elsewhere. I have disconnected the cat5 so it hasn't been further connecting out.

With regards to the Linux USB boot, I know that most here are knowledgeable about Linux. Sadly, I am not. What no doubt would have been more efficient/safer would probably have just further confused me at an already confusing time. Hopefully, I will learn soon.

I think I have saved (and reduced) all/most of my data to a manageable 1.3 TB. Now, I want to be able to verify which physical drive is my C: before I attempt to wipe/fresh-install. However, driver manager no longer works because the Virtual Disk service cannot be started. From the command prompt, I am unable to run either chkntfs or diskpart.

When I look at the properties of the three 2 TB drives, I don't know how to determine which letter goes with which hardware name:

* Seagate Ultra Slim MT SCSI Disk Device (this is my new one that has received most of the data)

One of these 2 is my C: and the other my older data drive:
* Hitachi HDS722020ala330
* ST2000dl003-9vt166

Questions:
1. How do I best determine which drive is which?
2. How do I perform a wipe when diskpart is unavailable?

Would initially just recommend switching over to Linux.

Now back to topic

You could try out killswitch to see if it helps:

If not check out this selection:

Hope it helps, good luck

1 Like

I'm going to state the obvious ask. Why in the world did you call them in the first place, and after the different company name and thick accents, not hang up?

Whenever your Windows PC is infected, don't bother trying to fix it as the virus almost always carries extra payloads.

Just do a fresh install. Not a refresh, not a system restore, a complete install.
Use a Linux live stick if you need to back up your data first, but don't boot from that Windows install anymore.

Use a different PC to create a Windows installer. Win10 can be downloaded using Microsoft's Media Creation Tool
If you download a Win7 .iso, you can use Rufus to make a Win7 installer. Win7 .isos can be found here. It's not an official link, but I verified the integrity of some of their Win7 .iso files and the checksums match my official downloads, so I'm fairly confident that they are the real deal.

10 Likes

I agree with CaptainChaos, do a fresh install. The time and effort spent trying to clean malware is usually not worth it, and far from a sure thing. Get your important data off the machine and nuke that Windows install.

I would also check other systems on your network, it is possible they may become infected as well.

5 Likes

As a help-desk technician I have to agree with the previous posters. A lot of malware can be cleaned off with regular tools, but if you granted unknown users access to your PC there is no telling what they ran or installed. My recommendation is to cancel all your credit/debit cards, change passwords to PayPal, Gmail, everything. A lot of this information is stored in cookies and it's very likely it was harvested while they were in your computer. Boot a live-USB version of Linux, back up data you don't want to lose, and nuke the damn hard drive. I recommend, once you have cleared off all your important data, using the shred command to completely erase any and all data on the drive, including whatever they installed.

5 Likes

First off: Change all your passwords and lock your credit cards.

Kaspersky Rescue Disc 10 might be able to do something here. In most cases, booting from the disc/USB drive and then running the scan cleans most things.
After doing that, start backing up data. Leave installs you have the key or installation media for behind to keep it streamlined.
Then nuke the whole machine via Linux disc/USB drive. Use the shred command to overwrite all internal drives in the machine.
Then do a clean install of Windows and move your data back over.

See if you can get this to run on the machine in question, and then print out the results. Belarc will generate a list of any software licenses on the machine including the windows key.

However, with Win10 the activation should "just work" when you install from fresh media on a machine that has already been activated on Win10.

+1000

+1000000000

dd if=/dev/zero of=/dev/sda bs=1M

much faster and more effective than shred.
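The two questions at the end of the original post (which /dev device is which physical drive, and how to wipe a disk when diskpart won't run) and the dd one-liner just above come down to the same live-USB workflow, and the dangerous part is pointing dd at the wrong /dev/sdX. The script below is an added example, not code posted by anyone in this thread. It assumes a Linux live USB with util-linux (lsblk) and coreutils (dd, head, tr, wc), run as root; the model strings from the OP's drive list (for example HDS722020) are used only as illustrative match patterns, and the `check_target`, `zero_fill` and `verify_zeroed` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): identify physical disks from a Linux
# live USB by model/serial, then zero-fill one of them with the guard rails
# you want before running "dd of=/dev/sdX". Assumes util-linux and coreutils.

# Print one line per whole disk (loop devices, major 7, excluded) with the
# MODEL and SERIAL columns, which is how you match "HDS722020..." or
# "ST2000DL003..." to /dev/sda, /dev/sdb, ... instead of guessing.
list_disks() {
    lsblk -d -e 7 -o NAME,TYPE,MODEL,SERIAL,SIZE
}

# Return 0 if DEV or any partition on it currently has a mountpoint.
is_mounted() {
    lsblk -n -o MOUNTPOINT "$1" 2>/dev/null | grep -q '[^[:space:]]'
}

# Size in bytes of a block device, or of a regular file (used for testing).
target_size() {
    if [ -b "$1" ]; then
        lsblk -b -d -n -o SIZE "$1"
    else
        wc -c < "$1"
    fi
}

# Refuse unless DEV is a block device, its reported MODEL contains
# EXPECTED_MODEL (e.g. HDS722020), and nothing on it is mounted.
check_target() {
    dev=$1
    expected=$2
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    model=$(lsblk -d -n -o MODEL "$dev")
    case "$model" in
        *"$expected"*) ;;
        *) echo "model mismatch: got '$model', expected '$expected'" >&2; return 1 ;;
    esac
    if is_mounted "$dev"; then
        echo "refusing: $dev has mounted filesystems" >&2
        return 1
    fi
    return 0
}

# Overwrite TARGET with zeros, exactly its size. On a block device this is
# the thread's dd command (with /dev/zero); head -c bounds the write so the
# same function is safe to exercise on a regular file.
zero_fill() {
    size=$(( $(target_size "$1") + 0 ))
    head -c "$size" /dev/zero | dd of="$1" bs=1M conv=fsync 2>/dev/null
}

# Return 0 if TARGET now contains nothing but zero bytes (a full read-back,
# so on a 2 TB disk expect it to take about as long as the wipe did).
verify_zeroed() {
    [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Typical use from the live USB, as root, after list_disks shows which
# /dev/sdX carries the old C: drive (HDS722020 is an illustrative pattern):
#   list_disks
#   check_target /dev/sdX HDS722020 && zero_fill /dev/sdX && verify_zeroed /dev/sdX
```

The order matters: back the data up to the new external drive first, unplug it, then run `list_disks` so the model column tells you which of the two internal 2 TB disks is which. `check_target` refuses to proceed if the model string does not match or if anything on the disk is still mounted, which is the mistake that turns "wipe the old C:" into "wipe the backup". A single zero pass is what the dd reply suggests; `shred -n 1 -z` would give the same result with random data first, at the cost of a second pass.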

Truer words were never spoken. +10000**35

It's a shame that these things happen nowadays.

1 Like

Indeed. If the Win10 install was activated, Microsoft has your PC's hardware ID stored in their servers. The first time your new install contacts Microsoft, they will automatically recognize the PC and activate your new install. The windows key won't matter.

1 Like

In any case, it doesn't matter. Win10 won't lock you out or anything if you don't have a key at all. I think it disables changing the wallpaper or something, but other than that, nothing happens.