Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


rootkit or not?

  • This topic is locked This topic is locked
4 replies to this topic

#1 van_alles


  • Members
  • 23 posts
  • Local time:09:06 PM

Posted 23 April 2016 - 06:04 AM

Hi people.


I noticed several daily false logins on our router from a laptop inside our network. So to be on the safe side I tried to figure out where this came from. What i did:

- examined the log-files on the laptop at the time of login

- started systinternals procmon and waited for a new login

- did both online and offline (rescue disks) scans with several virus / malware scanners

  bitdefender, avast, malwarbytes, eset, kasparsky, tdskiller, gmer, NPE, aswmbr


No succes, but every day I got new false logins. I the connection changed from wifi to cable and the false login nicely comes back on the new IP address.


The laptop contains Windows 7 with SP1, avast and peerblock (not for p2p but to be a bit more on the safe side).


I was thinking of creating a dualboot with linux, but in the transition process the necesarry nfsmove failed in the middle.

Yes I had a backup :-)


No the false login still returns.


Anybody any ideas?


Kind regards,


BC AdBot (Login to Remove)


#2 ranchhand_


  • Members
  • 1,710 posts
  • Gender:Male
  • Location:Midwest
  • Local time:01:06 PM

Posted 23 April 2016 - 07:30 AM

If you are not acquainted with malware removal, the best thing you can do is post in BC's malware help forum and follow instructions. They will find any infections you may have.

Help Requests: If there is no reply after 3 days I remove the thread from my answer list. For further help PM me.

#3 Queen-Evie


    Official Bleepin' G.R.I.T.S. (and proud of it)

  • Members
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:02:06 PM

Posted 23 April 2016 - 09:58 AM

If you are not acquainted with malware removal, the best thing you can do is post in BC's malware help forum and follow instructions.

Am I Infected? is for malware help.
There is no need to start a topic in Malware Removal Logs.
Someone will attempt to help in this topic. IF more advanced tools are needed, the helper will recommend following the prep guide and starting a new topic in MRL.

#4 van_alles

  • Topic Starter

  • Members
  • 23 posts
  • Local time:09:06 PM

Posted 24 April 2016 - 12:35 PM

I did some further investigation (as per request of the owner):

- compared offline and online dir-list of the HD

  => some ETL files are completely invisible online

  => BootPerformanceDiagnostics_SystemData.bin has another size online than it has offline.


I ran win32kdiag which confirmed the etl issue.


windows update is not working anymore.


Through ranchand's remark I found the preparation-guide for postings concerning infection.


I followed that and posted it here (as I can't attach files here).


Realy hope someone can help.




#5 Animal


    Bleepin' Animinion

  • Site Admin
  • 35,780 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:12:06 PM

Posted 24 April 2016 - 01:49 PM


Now that you have posted a log at your 'here' link above: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)

A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)

"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

Follow BleepingComputer on: Facebook | Twitter | Google+

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users