Page 1 of 2
Results 1 to 15 of 30
  1. #1 AtSea (New Lounger)

    Question Smelling a RAT - Syncing and AppData/Roaming

    I'm gonna hafta buy my 4th new computer in a year because of an incredibly sophisticated Remote Access Tool/Trojan infestation. Can the community please help me keep this one for several years?

    I know everyone will want to know all the details, but I just don't have the energy because of a chronic illness. I've generally gotten a "that can't happen" response from local repair shops and all the other help forums where I spent the time to go into detail. Then a few months later I dragged myself to the library, surfed around and found articles re: exactly what I reported. If you can please just take my word for it, that would be a great kindness.

    A few things the RAT did:
    1. Installed a hidden, completely unwipeable OS on the C: drive with a completely different computer name starting with "MiniNT". Could always see that 8-12 GB of HDD space was missing, figured by the 1024 method.
    2. Set my PC up as part of a domain. One time I found 256 Authorized Users running stuff.
    3. Flashed the BIOS and required a setup password unclearable by the manufacturer's CMOS reset procedures.
    4. Changed firmware drivers for all devices, including mainboard PCI and USB.
    5. Locked itself down more and more tightly as I worked to remove it.
    6. Left a readme.txt on my desktop when I was finally able to set an admin password (I called them a bad word in it using alpha-numer0-symbol syntax) that said, "Catch me!"
    7. Found my new Kindle Fire (a gift) as soon as I activated it at Amazon (which I'd never registered at in any way) - IN ANOTHER STATE, ON A DIFFERENT ISP!
    8. Set alternative folders in my Win7 OS for drivers, temp, appdata, SAM, etc. Somehow always redirected to their folders which were locked even to built-in admin. Basically I was using a spoof of Win7.

    So I admit it - I'm ultra-paranoid now!

    Is there a way to totally do away with syncing and roaming profiles in W7 and 10?

  2. #2 Paul T (WS Lounge VIP)
    I agree with the "that can't happen" brigade. A completely hidden, unwipeable OS on C: isn't possible. Booting from a Windows / Linux live DVD will allow you to clean the hard disk.

    Sorry to be of no help.

    cheers, Paul

  3. #3 AtSea (New Lounger)
    Ah! You mean, perhaps, like DBAN or Ubuntu 14? My local shop sent me home with a DBAN-wiped drive that booted to the, shall we call it, virtual MiniNT drive and was missing 7.8 G of capacity. After I rooted around in there awhile, my motherboard suddenly went bad.

    Have time for some reading, Paul?

    http://www.darkreading.com/attacks-b...d/d-id/1139408
    http://news.softpedia.com/news/undet...s-494154.shtml
    http://breakingmalware.com/malware/m...ties/#more-793
    http://www.windowsecurity.com/articl...It-Can-Do.html

    Thanks for acknowledging my post, anyhow. If you can let go of the RAT puzzle, do you have any suggestions about eliminating Sync, roaming profiles and all remote access to my PC in Win7 and 10?

  4. #4 satrow (Super Moderator)
    Yup, that Mark Russinovich makes some really nasty software, I just found 121 exe files of his on my PC, including the one from your link.

    MiniNT, eh?
    https://social.technet.microsoft.com...m=winserverNIS
    http://www.symantec.com/connect/arti...-1-client-task
    http://www.tomshardware.co.uk/forum/...42-what-minint

    Sometimes you need to think/look outside the box, check your boundary protection, the router maybe?

  5. #5 AtSea (New Lounger)
    Hey, Satrow

    Thanks for the info links. This problem has forced me to learn way more than I ever wanted to know!

    My former ISP had blocks of addresses by geographical area, so I never could get a different one, and they wouldn't allow a static one. I suspect the RAT came in a backdoor the ISP used for "misspelling" redirects. Have a new ISP now, and would like to lock things down as much as possible before I connect my router to the modem, set up my network and go online.

    The RAT did reset BIOS to boot PXE. I was never in a domain before it took over, and PXE boot wasn't an option in the boot menu previously, either. I have to assume the MiniNT was installed maliciously, since neither I nor a legitimate domain did it.

    I don't plan to use syncing, and I don't want a roaming profile. I would completely uninstall them AND all remote connection capability if I could. What's the next best way to disable these abilities, please?

  6. #6 satrow (Super Moderator)
    Study the links again; it's possible that your PC was set up that way, or, more likely perhaps, that a 3rd-party recovery/backup software is/was responsible.

  7. #7 Paul T (WS Lounge VIP)
    Quote Originally Posted by AtSea:
    Is there a way to totally do away with syncing and roaming profiles in W7 and 10?
    Use a local account to log in and there won't be any syncing.
    Roaming profiles only really exist in a local network and have to be set up by the network admin - again, if you use a local login there is no roaming.

    cheers, Paul

  8. #8 AtSea (New Lounger)
    Quote Originally Posted by satrow:
    Study the links again; it's possible that your PC was set up that way, or, more likely perhaps, that a 3rd-party recovery/backup software is/was responsible.
    I wondered if MiniXP I used trying to look at the "lost" capacity area on my HDD did it, but I thought that operated in RAM only. I know the PC wasn't set up that way for the first 18 months I used it.

  9. #9 AtSea (New Lounger)
    Quote Originally Posted by Paul T:
    Use a local account to log in and there won't be any syncing.
    Roaming profiles only really exist in a local network and have to be set up by the network admin - again, if you use a local login there is no roaming.

    cheers, Paul
    My standard account had to be a local service account (as opposed to a local system account) before I was shanghaied into the RAT domain, then, right? I certainly didn't change it. Any thoughts?

  10. #10 Paul T (WS Lounge VIP)
    Windows 7 only has local accounts initially, W10 has either MS or local. Service and System don't come into it when you first install Windows.

    The suggestion about "miniNT" was that it was an attempt by your machine to boot from the network or a virtual machine firing up. Neither of which is trying to look at your "lost" disk space.

    cheers, Paul

  11. #11 AtSea (New Lounger)
    Quote Originally Posted by Paul T:
    The suggestion about "miniNT" was that it was an attempt by your machine to boot from the network or a virtual machine firing up. Neither of which is trying to look at your "lost" disk space.

    cheers, Paul
    Ah! Well, it always tried to boot from the RAT network, and I forget what made me think at one time that the hidden OS they installed was a virtual.

    A geek friend suggested using the bootable MiniXP disk management tools to try and see any hidden volumes. Am I right that MiniXP disappears from RAM when the PC is unplugged? I had to unplug every time, or the PC came right back on after "Shut Down" and ran at nearly full CPU usage.

    I was the only person using the PC, at home, no domain, so I guess I was the network admin before Mr. RAT. I never set up any Roaming. Is there a setting I can use before connecting to the internet that would disallow joining a domain or disable creation of a roaming profile?
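
    The settings behind Paul's answer in #7, and the question in #11 about keeping a stand-alone PC out of a domain and away from roaming profiles, as an added PowerShell example; it is not from any post in the thread. It first audits what is currently exposed (domain membership, Remote Desktop, Remote Assistance, any roaming profile, listening remote services), then applies the documented policy registry values for "Do not sync" and "Only allow local user profiles" and switches the remote-access services and inbound firewall off. Function names are mine; it needs an elevated PowerShell 3.0 or later (Windows 7 needs the Windows Management Framework update for Get-CimInstance), and it cannot reach firmware, so BIOS/PXE boot order has to be checked at the machine itself.

```powershell
# Added example, not from the thread: audit, then lock down, the sync / roaming /
# remote-access surface on a stand-alone Windows 7 or 10 PC. Run elevated.
# Registry paths are the documented Group Policy keys; nothing here touches
# firmware or network-boot settings.

function Get-RemoteExposure {
    $cs = Get-CimInstance Win32_ComputerSystem
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    # Win32_UserProfile reports RoamingConfigured per account; Special filters
    # out the built-in system/service profiles.
    $roaming = Get-CimInstance Win32_UserProfile |
        Where-Object { -not $_.Special -and $_.RoamingConfigured } |
        ForEach-Object { $_.LocalPath }
    [pscustomobject]@{
        ComputerName      = $cs.Name
        PartOfDomain      = $cs.PartOfDomain       # $false on a home PC; $true means it was joined
        DomainOrWorkgroup = $cs.Domain             # workgroup name when not domain-joined
        RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
        RemoteAssistance  = ($ra.fAllowToGetHelp -eq 1)
        RoamingProfiles   = @($roaming)            # empty unless a roaming path was ever set
        RemoteServices    = @(Get-Service TermService, RemoteRegistry, WinRM -ErrorAction SilentlyContinue |
                              Where-Object Status -eq 'Running' | ForEach-Object Name)
    }
}

function Disable-SyncRoamingAndRemote {
    # "Do not sync" policy: stops Windows 10 settings sync even if a Microsoft
    # account is ever used. Windows 7 has no settings sync, so it is a no-op there.
    $sync = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
    New-Item -Path $sync -Force | Out-Null
    Set-ItemProperty -Path $sync -Name DisableSettingSync -Value 2 -Type DWord
    Set-ItemProperty -Path $sync -Name DisableSettingSyncUserOverride -Value 1 -Type DWord

    # "Only allow local user profiles": a roaming profile path on any account is
    # ignored, so nothing is ever uploaded to or pulled from a profile server.
    $sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    New-Item -Path $sys -Force | Out-Null
    Set-ItemProperty -Path $sys -Name LocalProfile -Value 1 -Type DWord

    # Remote Desktop and Remote Assistance off, and the services behind remote
    # logon, remote registry and PowerShell remoting stopped and disabled.
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1 -Type DWord
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -Name fAllowToGetHelp -Value 0 -Type DWord
    foreach ($svc in 'TermService', 'RemoteRegistry', 'WinRM') {
        Stop-Service $svc -Force -ErrorAction SilentlyContinue
        Set-Service $svc -StartupType Disabled
    }

    # Firewall on for every profile, all unsolicited inbound traffic blocked
    # (netsh is used because it works identically on Windows 7 and 10).
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
}

# Usage: run the audit, apply the lockdown, run the audit again and keep the
# output; rerun Get-RemoteExposure after each reboot and compare PartOfDomain.
Get-RemoteExposure
Disable-SyncRoamingAndRemote
Get-RemoteExposure
```

    One caveat a practitioner would want stated: Windows has no policy that forbids a workgroup machine from ever being joined to a domain. The join itself needs local administrator rights on the PC and a domain controller that answers, so the practical control is to work from a standard account, keep the administrator password off the machine, and treat a PartOfDomain value of $true in the audit output as the signal that something changed.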

  12. #12 mrjimphelps (WS Lounge VIP)
    As Satrow said in post #4 above, check your router. In addition to checking your router, you should also deal with your computer. Not only should you clean these two items, but you should also install some protection on them. Here's what I would do if I were in your shoes:

    I would unplug your computer from the router, and then either install a new hard drive, or wipe your current hard drive after booting from a Linux DVD or USB drive. I would then do a fresh install of Windows 7 on your hard drive. Before wiping the drive, make sure that you have your Windows install key, as well as the install keys for any other software you will need to reinstall.

    I would then unplug your router from the internet and then do a factory reset on it, which will wipe out anything that anyone might have done to it.

    I would then plug my computer into the router (do not at this time plug the router into the internet), log into the router, and change the admin password on the router. If it is a wireless router, I would either turn wireless off, or I would set encryption to WPA2 and set a good password on the wireless connection.

    Go to another computer and download a highly-rated antivirus program to DVD or a USB drive, then install it to your computer from the DVD or USB drive.

    Once you have done all of that, you can then plug your router into the internet. You should be good to go after that.
    Last edited by mrjimphelps; 2016-09-08 at 14:20.
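
    The wipe step in mrjimphelps's procedure, with the check that should follow it, as an added shell example for a Linux live system; it is not from any post in the thread. After overwriting the whole device it reads the entire device back and refuses to call it wiped if any non-zero byte, an MBR boot signature or a GPT header is still there. A disk that passes this check and still "boots" is not booting from that disk, which points at firmware boot order, network boot or another device rather than at the wipe. Function names are mine; blockdev and stat are assumed to be the util-linux and GNU coreutils versions found on a Linux live CD, and the GPT check assumes 512-byte sectors. The target must be the whole disk (for example /dev/sda), and everything on it is destroyed.

```sh
#!/bin/sh
# Added example, not from the thread: wipe a whole disk from a Linux live
# system, then verify by reading it back. Regular files are accepted too, so
# the functions can be exercised on a scratch file before touching a disk.

target_size() {
    # Size in bytes: block devices via blockdev, regular files via stat.
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        stat -c %s "$1"
    fi
}

wipe_target() {
    # Overwrite exactly target_size bytes with zeros and flush to media.
    [ -e "$1" ] || return 1
    size=$(target_size "$1") || return 1
    head -c "$size" /dev/zero | dd of="$1" bs=1048576 conv=notrunc 2>/dev/null && sync
}

verify_wiped() {
    # Succeeds only if every byte of the target reads back as zero. This reads
    # the whole device, which is slow on a large disk and is the point.
    size=$(target_size "$1") || return 1
    nonzero=$(head -c "$size" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

boot_sector_signature() {
    # Prints "gpt" if the GPT header magic "EFI PART" sits at LBA 1 (byte 512),
    # "mbr" if the 0x55AA signature sits at bytes 510-511, otherwise "none".
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    hdr=$(dd if="$1" bs=1 skip=512 count=8 2>/dev/null | tr -d '\000')
    if [ "$hdr" = "EFI PART" ]; then
        echo gpt
    elif [ "$sig" = "55aa" ]; then
        echo mbr
    else
        echo none
    fi
}

# Usage on a real disk, from the live system, with nothing mounted from it:
#   wipe_target /dev/sdX && verify_wiped /dev/sdX && boot_sector_signature /dev/sdX
# verify_wiped returning non-zero, or a signature other than "none", means the
# wipe did not reach the media and the disk must not be trusted as blank.
```

    Run verify_wiped and boot_sector_signature before the wipe as well; seeing "mbr" or "gpt" change to "none" is the evidence that the device you wrote to is the one the system boots from.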

  13. #13 AtSea (New Lounger)
    Quote Originally Posted by Paul T:
    Windows 7 only has local accounts initially, W10 has either MS or local. Service and System don't come into it when you first install Windows.

    cheers, Paul
    That's helpful, Paul, thanks.

  14. #14 Lugh (5 Star Lounger)
    I don't know about this, but I do know Mark Russinovich is a totally legit software guru--author of SysInternals, Microsoft honcho, and one of the world's leading Windows experts.

    Does someone else work on your machines before you get them? Could someone be pranking you?
    Lugh.
    ~
    Windows 10 Pro x64 1607; Office 2016 (365 Home) x32; Win Defender, MBAM Pro

    ASRock H97 Anniversary; Xeon E3-1231V3 (like i7)
    Gigabyte GeForce GTX 970; 12GB Crucial DDR3 1600
    Logitech MX Master mouse; Roccat Isku kb

  15. #15 satrow (Super Moderator)
    Quote Originally Posted by Lugh:
    I don't know about this, but I do know Mark Russinovich is a totally legit software guru--author of SysInternals, Microsoft honcho, and one of the world's leading Windows experts.
    I'm pretty sure Mark would have a laugh at my little joke; I've seen him on a broadcast where the PsExec 'trojan/virus' thing came up and he was all smiles, looked a little pleased that 3 of his little tools had made it onto the 'badware' lists as well.

    Seriously, I think the problem could well be down to a legit WinPE-type install (perhaps it was accidentally installed, instead of just being run, like you usually get an option when booting from a Linux Live CD/DVD), probably of a Symantec, or other 'utility' maker's product.

    If not, yes, the router really should be investigated (but I won't do it unless asked to).
