
Win 8.1 (64) Rootkit


  • This topic is locked
2 replies to this topic

#1 hehathledger

  • Members
  • 18 posts

Posted 28 September 2015 - 11:50 AM

Hi there,
I'm at my wits' end trying to figure this out on my own. Here is a list of some of the behavior and things I've tried to do to solve it myself. I've had a rootkit infection before, so I am familiar with some of the tell-tale signs. So just some basic info first... I've completely removed Adobe Flash from my system -- for a while I figured I was the victim of some XSS and Flash exploits because it's so vulnerable. Now that Flash is off my system I know it's not that... I've also run TFC (quite frequently), which does give me some peace of mind... but not for long. Even if it is getting rid of some temp files that this malware creates, it comes back (go figure).

I cannot access my command prompt from Control Panel > Advanced Settings (this is a red flag for me); the system just gives me a black screen and hangs. I can't run GMER anymore; I get this error:

"C:\WINDOWS\system32\config\system: The process cannot access the file because it is being used by another process."

I can click "OK" afterwards and scan anyway, but this never used to happen, and I think the rootkits have gotten even better since 2012. Back then (the last time I was infected) I was able to use RKill and MBAM to clean up the problem on my own. Alas, I'm here now because I don't know what else to do, and this type of kernel-land infection is too advanced for me to handle alone. I've considered just replacing my hard drive, but I have ~1 TB of data, and trying to transfer it without risking re-infection... meh.
I have a very fast system, purchased in 2014, and when I got it browsing on the net was lightning quick. Another red flag for me is that everything is super slow and sluggish. I also get random audio "blips".
Another "sign" as I see it is that whenever I restart it takes SUPER long -- so usually I just use the shutdown option and restart manually. Furthermore, when I boot up, the login screen is sometimes replaced with the "default" Windows 8 login screen and not my custom one. There were a few times when I was trying to get into safe mode and, right when I'd be about to get something going, I'd get booted out to see this default screen and have to re-log in again. SUPER SUSPICIOUS. I'm like 99.9% sure my system is rooted. I've tried a variety of programs to no avail. All reports are "clean".

PLEASE HELP.





#2 hehathledger

  • Topic Starter
  • Members
  • 18 posts

Posted 28 September 2015 - 12:02 PM

Here is a screenshot of the error I get when I try to run GMER; it seems to find something almost instantly anyway.
[Screenshot attachment: 219qng6.jpg]



#3 Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)

  • Members
  • 16,485 posts

Posted 28 September 2015 - 08:27 PM

You also posted this issue in the Malware Removal Logs forum. Link to that topic: http://www.bleepingcomputer.com/forums/t/591919/windows-81-64-rootkit/

Because you have posted in that forum:

Please refrain from asking for further help from other members or staff until the Malware Removal Team has checked your posted log. The Malware Removal Team works very hard to investigate a unique solution to your problem, and you will receive individual expert assistance. This takes time and effort, so we ask you to please be patient while waiting for assistance and NOT to make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member. Any modifications you make on your own can result in system changes which may not show in the log you already posted. Further, following advice outside of that post may cause confusion for the team member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

The Malware Removal Team should be the only members that you take advice from until they have verified your log as clean. If you followed any other advice already, please ensure you inform the Malware Removal Team Helper when they respond to assist you with your log. This will help them know what has been done, and they will probably ask for an updated log.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work on may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

Malware Removal forum trumps Am I Infected. This topic is closed.



