instapccare.com malware root kit

Thread starter: Davej

A week or so ago a friend reported that her Dell Inspiron desktop had a popup on the screen saying she should call a phone number for problems that were detected on her PC. This popup was www.instapccare.com (India) in the IE browser.

Another symptom was that the computer would not wake up from sleep-mode, i.e. pressing the keyboard would not wake up the computer. The power button had to be pressed and held. On powerup "Resuming Windows" is then seen. MSE and Malwarebytes couldn't detect anything so we removed MSE and installed Avast, and Avast saw something and did a boot-scan and reported that it had found and removed a root-kit. Hmmm...

However, the popup was seen again the next morning. Now I have the PC and have re-installed Win 7 (Home premium), but the PC still doesn't wake up from sleep-mode. The USB mouse and keyboard seem to be powered off. Could the malware have changed a bios setting related to the sleep wake-up? Settings within Win 7 look correct. In the bios all I see is...

ACPI Suspend Type: S3 (Power management suspend mode)
Remote wakeup: Enabled (Disable/Enable PCIE PME to generate wake event)
AC Recovery: Power Off (behavior when AC power restored)
Auto Power On: Disabled (Time of day auto power-up)

Any ideas?
 
I realize it could just be a memory failure, but Memtest86 doesn't show anything and Prime95 runs.

I am wondering if I should have formatted the Dell Recovery partition and that small system partition?
 
Davej said:
[...]

You want BIOS level PME generally to be enabled, as both PCI and PCI Express
subsystems have some notion of Power Management Event. The USB ports,
the logic block for USB could be connected to the PCI Express bus.

In Device Manager, look for the mouse and keyboard, and there should
be an option in the Properties for

"Allow this device to bring the computer out of Standby"

My PS/2 keyboard has only that one. I also have to set a jumper
in hardware, to make that keyboard be powered from +5VSB. On modern
hardware, there is no longer a jumper, and the hardware is always
powered from +5VSB. Specifically so all the USB ports can function as
wake devices. USB is fuse protected, and overloading the fuse on
a port will prevent waking. The fuse is Polyfuse type, and when it
cools off, it recrystallizes and makes electrical contact again.

My mouse has two entries.

"Allow the computer to turn off this device to save power" (Unticked, grey)
"Allow this device to bring the computer out of Standby" (Ticked, adjustable)

So my mouse is also ready to wake the computer.

I have the general PME thing turned on in Power Options
in the BIOS, as without it, the OS Device Manager setting
would be useless. And the power jumpers are set properly for
it to happen. The BIOS enables PME, makes sure any switchable
power is left running. For example, if you set the NIC WOL
on in Device Manager, the BIOS has to make sure the NIC
remains powered from power derived from +5VSB.

Your ACPI S3 is good for sleep. Some machine BIOS label that
"S1 & S3", which covers Standby and Standby Suspend To RAM.
And the latter one is the one where the blue power LED flashes
once a second, the fans are off, the screen is off, the CPU
is not powered. Only the RAM is powered in S3, and consumes
a watt or two. Sleep state won't last forever, as eventually
that will drain the main battery pack.

You can use the "powercfg" utility as administrator, to query
stuff. There is also the downloadable "dumppo" utility, but I
have to wonder whether it works properly on the modern OSes.
A test the other day suggested it doesn't. Maybe the value of
that one stops with WinXP.

http://www.hanselman.com/blog/PowerCfgTheHiddenEnergyAndBatteryToolForWindowsYoureNotUsing.aspx

*******

As for BIOS, I generally trust the Legacy BIOS design. But with
UEFI, the newer BIOS type, it looks like a giant Swiss Cheese,
with both white hats and black hats discovering new things about
it as time passes. I think it allows adjustment from the OS,
and has that "recipe for disaster" look about it. I have one
motherboard now with UEFI, and it just ignores my boot choice
instructions, like it knows best :-(

Paul
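The powercfg queries Paul refers to can be combined into one check of the sleep states the firmware exposes and which devices are armed to wake the machine. This is an added example, not code from the thread; it assumes an elevated PowerShell prompt on Windows 7 or later and uses only built-in powercfg switches.

```powershell
# Added example (not from the thread): sleep/wake diagnostic using powercfg.
# Run from an elevated PowerShell prompt on Windows 7 or later.

function Get-WakeDiagnostics {
    $report = [ordered]@{}

    # "powercfg /a" lists the sleep states firmware and drivers expose right now.
    # Lines after the "not available" header explain why a state is missing,
    # for example when the BIOS ACPI Suspend Type is set to S1 instead of S3.
    $available = @(); $unavailable = @(); $sawNotAvail = $false
    foreach ($line in (powercfg /a)) {
        if ($line -match 'not available') { $sawNotAvail = $true; continue }
        if ($line -match '\((S[1-4])\)') {
            if ($sawNotAvail) { $unavailable += $Matches[1] } else { $available += $Matches[1] }
        }
    }
    $report.AvailableStates   = $available
    $report.UnavailableStates = $unavailable

    # Devices currently armed to wake the machine (the Device Manager
    # "Allow this device to wake the computer" checkbox), and devices whose
    # driver reports it can wake from S3 at all. powercfg prints NONE if empty.
    $armed  = @(powercfg /devicequery wake_armed)             | Where-Object { $_ -and $_ -ne 'NONE' }
    $fromS3 = @(powercfg /devicequery wake_from_S3_supported) | Where-Object { $_ -and $_ -ne 'NONE' }
    $report.WakeArmed = $armed

    # A device that is armed but cannot wake from S3 matches the symptom in the
    # thread: wake works in S1, but in S3 the keyboard/mouse are powered down.
    $report.ArmedButNotS3 = @($armed | Where-Object { $fromS3 -notcontains $_ })

    # What actually woke the machine last time (timer, device, power button).
    $report.LastWake = (powercfg /lastwake) -join ' '

    [pscustomobject]$report
}

$r = Get-WakeDiagnostics
$r | Format-List
if ($r.AvailableStates -notcontains 'S3') {
    Write-Warning 'S3 (Suspend to RAM) is not offered; check the BIOS ACPI Suspend Type.'
}
foreach ($d in $r.ArmedButNotS3) {
    Write-Warning "'$d' is armed to wake but its driver does not report S3 wake support."
}
```

The keyboard and mouse should appear in both the armed list and the S3-capable list; if they are missing from the first, the Device Manager checkbox is the place to look.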
 
[...]
Your ACPI S3 is good for sleep. Some machine BIOS label that
"S1 & S3", which covers Standby and Standby Suspend To RAM.
And the latter one is the one where the blue power LED flashes
once a second, the fans are off, the screen is off, the CPU
is not powered. Only the RAM is powered in S3, and consumes
a watt or two. Sleep state won't last forever, as eventually
that will drain the main battery pack.
[...]

If I change the bios setting from S3 to S1 (the only two choices) then the unit seems to wake up successfully.
 
Davej said:
[...]

If I change the bios setting from S3 to S1 (the only two choices) then the unit seems to wake up successfully.

On the older OSes, if you switch the BIOS to S1 only,
it affects OS operation after that. When the BIOS
is switched back to S1 & S3 or just S3, you need to
"override" ACPI policy to get S3 sleep state back.
Dumppo.exe does this on the older OSes. I don't
know if Powercfg has an option for this, or whether the
OS automatically notes the increased capability (S3
available). Powercfg is built-in. Dumppo is a download
and is an ancient utility.

You may need to do something to get it running S3
again, and not get stuck in S1. A laptop would
rapidly run down the battery in S1, whereas S3
could last a day or days (at maybe 1W of consumption
in S3).

There is no guarantee S3 is stable. Just as there is
no guarantee your RAM sticks are good. Some of this
must be determined by testing. I think memtest86+
has some "storage" test, which would be an attempt
to store a pattern in RAM, wait a while, and read it
back. That's sorta what S3 sleep amounts to, a long
period of time doing AutoRefresh.

I think I've had at least one desktop computer here that
would not Sleep properly, so I just didn't set it
that way and worked around the issue. Laptops, you
really want that to be functional if at all possible.

Paul
 
Davej said:
[...]

This is a desktop so the power usage is not a worry. It just seems strange that this wakeup problem appeared at the same time the malware was noticed.
 
I lost my desktop to wake-up, too. Had the monitor nicely settled
into sleep mode. Really old 32" LCD, one of the first sub-$1000
units. Sure as hell don't like that, finding the damn thing on,
running for hours unattended, when last I looked it had powered down.
Screw Winderz and all the rest of that. I leave the remote next to me
and turn it off via IR so the power button doesn't wear out. Thing's
a work of beauty, going on like 12 years over and tru and connected to
a lot of updates running 24/7.
 