Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

GMER finds rootkit-like behavior and unknown MBR code


  • This topic is locked This topic is locked
2 replies to this topic

#1 Gary4917

Gary4917

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:02 PM

Posted 11 June 2013 - 11:14 AM

Hi guys I've been having problems with a next door neighbour who says he has hacked my pc. My wifi is always secured with an encrypted WPA2 password and I don't use WPS. I use windows firewall and eset nod32 antivirus.

Also I don't use any file sharing or anything like that and I don't open any weird emails yet I am convinced he is telling the truth and some how he has managed to "get in" to my pc through very clever means. According to another neighbor he has been to prison before for cyber crime activity yet he is allowed a pc.

 

Interestingly before the scan starts I get the message: C:\Windows\system32\config\system: the process cannot access the file because it is being used by another process

 

And then at the end of the scan I get this message: C:\Users\Garypc\ntuser.dat: the process cannot access the file because it is being used by another process

 

 

Here's the results

 

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-11 17:13:23
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000034  rev. 0.00MB
Running: tnsyxj5d.exe; Driver: C:\Users\Garypc\AppData\Local\Temp\fwloqpow.sys
 
 
---- User code sections - GMER 2.1 ----
 
.text   C:\Windows\system32\atiesrxx.exe[840] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                               000007fc1ed7177a 4 bytes [D7, 1E, FC, 07]
.text   C:\Windows\system32\atiesrxx.exe[840] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                               000007fc1ed71782 4 bytes [D7, 1E, FC, 07]
.text   C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1244] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690    000007fc124d1532 4 bytes [4D, 12, FC, 07]
.text   C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1244] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698    000007fc124d153a 4 bytes [4D, 12, FC, 07]
.text   C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1244] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007fc124d165a 4 bytes [4D, 12, FC, 07]
.text   C:\Windows\system32\atieclxx.exe[888] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                               000007fc1ed7177a 4 bytes [D7, 1E, FC, 07]
.text   C:\Windows\system32\atieclxx.exe[888] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                               000007fc1ed71782 4 bytes [D7, 1E, FC, 07]
.text   C:\Windows\system32\atieclxx.exe[888] C:\Windows\system32\WSOCK32.dll!recvfrom + 742                                             000007fc1b771b32 4 bytes [77, 1B, FC, 07]
.text   C:\Windows\system32\atieclxx.exe[888] C:\Windows\system32\WSOCK32.dll!recvfrom + 750                                             000007fc1b771b3a 4 bytes [77, 1B, FC, 07]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3320] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 690                     000007fc124d1532 4 bytes [4D, 12, FC, 07]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3320] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 698                     000007fc124d153a 4 bytes [4D, 12, FC, 07]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3320] C:\Windows\SYSTEM32\msimg32.dll!TransparentBlt + 246                   000007fc124d165a 4 bytes [4D, 12, FC, 07]
 
---- Threads - GMER 2.1 ----
 
Thread  C:\Windows\system32\svchost.exe [952:2308]                                                                                       000007fc129551dc
Thread  C:\Windows\system32\svchost.exe [952:2248]                                                                                       000007fc12d11470
Thread  C:\Windows\system32\svchost.exe [952:2244]                                                                                       000007fc12d11470
Thread  C:\Windows\system32\svchost.exe [952:2756]                                                                                       000007fc16f55c38
Thread  C:\Windows\system32\svchost.exe [952:756]                                                                                        000007fc162377b0
Thread  C:\Windows\system32\svchost.exe [952:604]                                                                                        000007fc162377b0
Thread  C:\Windows\system32\svchost.exe [952:4168]                                                                                       000007fc130a1d00
Thread  C:\Windows\system32\svchost.exe [952:2612]                                                                                       000007fc1b4716b0
Thread  C:\Windows\system32\csrss.exe [2472:1196]                                                                                        fffff960008fb5e8
Thread  C:\Windows\system32\mmc.exe [4520:4200]                                                                                          000007fc10eaefe4
Thread  C:\Windows\system32\mmc.exe [4520:4140]                                                                                          000007fc10f609a0
Thread  C:\Windows\system32\mmc.exe [4520:4204]                                                                                          000007fc0907e850
Thread  C:\Windows\system32\mmc.exe [4520:1512]                                                                                          000007fc10f609a0
Thread  C:\Windows\system32\mmc.exe [4520:2888]                                                                                          000007fc10e2d7c4
Thread  C:\Windows\system32\mmc.exe [4520:3844]                                                                                          000007fc10f609a0
Thread  C:\Windows\system32\mmc.exe [4520:4584]                                                                                          000007fc15f71b94
Thread  C:\Windows\system32\mmc.exe [4520:4024]                                                                                          000007fc10f609a0
Thread  C:\Windows\system32\mmc.exe [4520:3556]                                                                                          000007fc10f609a0
Thread  C:\Windows\system32\mmc.exe [4520:1040]                                                                                          000007fc10f609a0
 
---- Disk sectors - GMER 2.1 ----
 
Disk    \Device\Harddisk0\DR0                                                                                                            unknown MBR code
Disk    \Device\Harddisk0\DR0                                                                                                            sector 0: rootkit-like behavior
 
---- EOF - GMER 2.1 ----
 

 


Edited by Gary4917, 11 June 2013 - 11:15 AM.


BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:02 PM

Posted 11 June 2013 - 01:51 PM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with FRST


To run FRST on Vista and Windows7:



Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt


  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:02 PM

Posted 14 June 2013 - 03:25 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users