
Computer Infected with a Rootkit



#1 Arcylus


Posted 24 April 2016 - 11:05 PM

Hey Guys, I've been struggling with an unknown rootkit on my computer for about a month now, trying everything to remove it but no luck so far, so I just thought I'd ask for help before I damage something. It's persisted through multiple Windows 10 reinstalls and disk zero-erases, and it still comes back.

I have a feeling it might be a hypervisor/VM rootkit, as my file paths in some circumstances have changed to: C:\Users\JAYWHI~1\AppData\*. Also, when starting up the computer it tries to fix a disk with the path /??//Volume- with what looks like a registry key following it.

It doesn't show up in any normal scans using Avast, RogueKiller or TDSSKiller, but GMER picks up on it, so I've attached both the requested FRST logs and the one from GMER.

Please help!

Thanks


#2 satchfan


Posted 25 April 2016 - 03:07 AM

Hello Arcylus and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Google Chrome is the culprit according to the Gmer log. We have more problems with Chrome than most other things these days and it beats me why anyone uses it.

Apart from that, your system looks fine so we’ll tidy up signs of Chrome and a couple of other bits and see how things are after that.

===================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
2016-04-24 09:53 - 2016-04-25 01:00 - 00000000 ____D C:\Program Files (x86)\Google
2016-04-24 09:53 - 2016-04-24 09:54 - 06871040 _____ C:\Program Files (x86)\GUTEB69.tmp
2016-04-24 09:53 - 2016-04-24 09:54 - 00000000 ____D C:\Program Files (x86)\GUMEB68.tmp
2016-04-24 09:52 - 2016-04-25 00:48 - 00000000 ____D C:\Users\Jay Whitelock\AppData\Local\Google
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Please run Gmer again and post the new log.

Logs to include with next post:

Fixlog.txt
New Gmer log


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
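An added example, not Satchfan's or FRST's own code: a small Python parser for the fixlist above, using the line shapes as they appear in it (file entries as "created - modified - size attributes path", service entries as "type name; path", with a trailing [X] understood here to mark a service whose binary FRST could not find on disk, and bare "Keyword:" lines as FRST built-in commands). The ".tmp under Program Files" note in describe() is my reading of the GUTEB69/GUMEB68 entries, not a statement from the post.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed copy of the fixlist quoted in the post above, one entry per line.
FIXLIST = (
    "R2 ibtsiva; %SystemRoot%\\system32\\ibtsiva [X]\n"
    "2016-04-24 09:53 - 2016-04-25 01:00 - 00000000 ____D C:\\Program Files (x86)\\Google\n"
    "2016-04-24 09:53 - 2016-04-24 09:54 - 06871040 _____ C:\\Program Files (x86)\\GUTEB69.tmp\n"
    "2016-04-24 09:53 - 2016-04-24 09:54 - 00000000 ____D C:\\Program Files (x86)\\GUMEB68.tmp\n"
    "2016-04-24 09:52 - 2016-04-25 00:48 - 00000000 ____D C:\\Users\\Jay Whitelock\\AppData\\Local\\Google\n"
    "EmptyTemp:\n"
)

# File entry: "<created> - <modified> - <size, 8 digits> <5 attribute chars> <path>".
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) ([_A-Z]{5}) (.+)$"
)
# Service/driver entry: "<start type> <name>; <image path>", optionally followed by
# " [X]", which is read here as "FRST did not find the binary on disk" (assumption).
SERVICE_RE = re.compile(r"^([RSU]\d) ([^;]+); (.+?)( \[X\])?$")
TS = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    kind: str                 # "file", "service" or "command"
    path: str                 # file path, service image path, or command keyword
    name: str = ""            # service name (services only)
    is_dir: bool = False      # 'D' in the attribute field
    size: int = 0
    created: Optional[datetime] = None
    modified: Optional[datetime] = None
    missing: bool = False     # service binary flagged [X]


def parse_line(line: str) -> Entry:
    """Classify one fixlist line; an unrecognised shape raises rather than being skipped."""
    m = FILE_RE.match(line)
    if m:
        created, modified, size, attrs, path = m.groups()
        return Entry("file", path, is_dir="D" in attrs, size=int(size),
                     created=datetime.strptime(created, TS),
                     modified=datetime.strptime(modified, TS))
    m = SERVICE_RE.match(line)
    if m:
        _start, name, path, missing = m.groups()
        return Entry("service", path, name=name, missing=missing is not None)
    if line.endswith(":"):               # built-in command such as EmptyTemp:
        return Entry("command", line[:-1])
    raise ValueError(f"unrecognised fixlist line: {line!r}")


def parse_fixlist(text: str) -> List[Entry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def describe(entry: Entry) -> str:
    """Plain-English statement of what running this entry through FRST Fix will do."""
    if entry.kind == "command":
        return f"run built-in command {entry.path}"
    if entry.kind == "service":
        state = "binary missing on disk" if entry.missing else "binary present"
        return f"remove service/driver '{entry.name}' ({state}): {entry.path}"
    what = "directory" if entry.is_dir else f"file ({entry.size} bytes)"
    note = ""
    lowered = entry.path.lower()
    if lowered.endswith(".tmp") and "program files" in lowered:
        note = " [installer leftover: .tmp under Program Files]"
    return f"delete {what}: {entry.path}{note}"


if __name__ == "__main__":
    for e in parse_fixlist(FIXLIST):
        print(describe(e))
```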


#3 Arcylus


Posted 26 April 2016 - 02:51 AM

Hi Satchfan!

Cheers for your response, I've run FRST and here are the new logs.

Kind Regards,

Jay



#4 satchfan


Posted 26 April 2016 - 03:22 AM

That looks better.

Let’s run a couple of other scans to be sure there’s nothing else lurking.


Download Malwarebytes-Anti-Malware

Click here.

  • double-click mbam-setup.exe and follow the prompts to install the program – (Note: Vista & Windows 7, 8, 10 users, please right-click and select “Run as Administrator”)
  • select the “Scan” tab at the top
  • there are three scan types; choose Threat Scan, then click on Scan
  • when the scan is complete, if no malicious items are found you can close the program
  • if malicious items are found be sure that everything is checked and click Quarantine
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

===================================================

Run ESET Online Scan

Note: This may take a long time so please be patient.

IMPORTANT: Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files, which could leave some of your software inoperable.

Note: You can use Internet Explorer, Firefox or Chrome for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan


  • click the Run Eset online Scanner button
  • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    o    click on esetinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    o    double click on the Eset installer icon on your desktop.
  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Enable detection of potentially unwanted applications
  • click Advanced settings and select the following:
    o    scan archives
    o    scan for potentially unsafe applications
    o    enable Anti-Stealth technology
    Note: Do not check Remove found threats
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • when the scan completes, push List of found threats
  • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - if ESET doesn't find any threats, no report will be created.
  • push the back button.
  • push Finish

When the scan is complete:

If no threats were found:
o    put a checkmark in "Uninstall application on close"
o    close program
o    report to me that nothing was found.

If threats were found:
o    click on "list of threats found"
o    click on "export to text file" and save it as ESET results and save to the desktop
o    click on back
o    put a checkmark in "Uninstall application on close"
o    click on finish
o    close program
o    copy and paste the report here.

Logs to include with the next post:

Mbam.txt
Eset results, (if there are any)


Can you tell me if there are any outstanding problems?

Satchfan

 




#5 Arcylus


Posted 26 April 2016 - 05:54 AM

Have run Mbam and found no issues, but I can't get ESET to finish downloading the Virus Signature Database. I ran it locally at first and it couldn't get past 4%, then asked if I had incorrectly configured the proxy (not running a proxy). Running it through Internet Explorer, it jumped straight to 50%, recognising it had been run before, but can't get past 55% with the same error, and my internet connection hasn't gone down at all.

I've attached Mbam.txt; please let me know if there is anything I can do about ESET.

 




#6 Arcylus


Posted 26 April 2016 - 06:12 AM

Also, I just looked at the user permissions for the local ESET installer I tried first and found 2 random users. I've attached a screenshot of the properties. I come from a Linux background, so seeing stuff like this weirds the heck out of me haha



#7 satchfan


Posted 26 April 2016 - 06:25 AM

Those are "built-in" accounts that MS, in their wisdom, decided didn't need to be named.

 

Ok let's do a shorter scan and see if we can get you through it.

Do an online scan with BitDefender QuickScan.

Please be patient as scanning may take some time. If you have problems running the scan, you might want to disable any real-time protection that you have.

  • click here to go to BitDefender QuickScan page.

For Firefox and Chrome users:
o    Click on Scan Now. You will be prompted to install a plug-in: allow it. (In case you get stuck, refresh the page to try again).
o    A Software Installation window will appear. Click Install Now and the plugin will be installed as an Add-on.
o    Restart Firefox when done. Go back to the BitDefender QuickScan page again and click on Free Scan Now and proceed accordingly.

For Internet Explorer users:
o    Click on Scan Now. You will be prompted to install an ActiveX control. Please install.
o    The page will refresh. Click on Scan Now again and proceed accordingly.

  • when the scan has completed, click on View report and a Notepad log will open.
  • if there are any infections found, you will get a warning and the link to the report will be displayed as the number of infections. Click on it.

Post back the contents of this report. It can also be found at C:\Documents and Settings\<username>\Application Data\QuickScan, (“username” is the Windows log-in name).

Satchfan

 

 




#8 Arcylus


Posted 26 April 2016 - 07:10 AM

QuickScan 32-bitv0.9.9.147
--------------------------
Scan date:  Tue Apr 26 21:53:58 2016
Machine ID: C26C2ED2



No infection found.
-------------------



Processes
---------
(unsigned)  SkypeHost.exe                            3712    C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeHost.exe

(verified)  Firefox                                  2076    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(verified)  Firefox                                  3580    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
(verified)  Internet Explorer                        1080    C:\Program Files (x86)\Internet Explorer\iexplore.exe


Network activity
----------------
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 179.60.193.36
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 216.58.199.78
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.192.134.177
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.192.134.177
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.192.134.177
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.192.134.177
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.192.134.177
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 216.58.199.72
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 104.16.40.2
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 104.117.218.156
Process firefox.exe (2076) connected on port 80 (HTTP) --> 202.7.177.10
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 52.35.152.158
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 52.35.152.158
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 202.7.172.183
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 216.58.199.67
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.240.176.68
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.240.176.68
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.240.176.68
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.240.176.68
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.240.176.68
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.192.134.229
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.192.134.229
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.192.134.229
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 54.182.4.65
Process firefox.exe (2076) connected on port 80 (HTTP) --> 179.60.193.7
Process firefox.exe (2076) connected on port 80 (HTTP) --> 66.235.153.36
Process firefox.exe (2076) connected on port 80 (HTTP) --> 14.200.100.33
Process firefox.exe (2076) connected on port 80 (HTTP) --> 192.229.145.72
Process firefox.exe (2076) connected on port 80 (HTTP) --> 66.235.153.36

Process SkypeHost.exe (3712) listens on ports: 34564


Autoruns and critical files
---------------------------
(verified)  Microsoft® Windows® Operating System     c:\Windows\System32\userinit.exe
(verified)  NVIDIA GeForce 3D Vision                 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvstlink.exe


Browser plugins
---------------
(unsigned)  NVIDIA 3D Vision                         C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
(unsigned)  NVIDIA 3D VISION                         C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

(verified)  Adobe Content Decryption Module for Fir  C:\Users\Jay Whitelock\AppData\Roaming\Mozilla\Firefox\Profiles\t1a8rzmj.default\gmp-eme-adobe\15\eme-adobe.dll
(verified)  Bitdefender QuickScan                    C:\Users\Jay Whitelock\AppData\Roaming\Mozilla\Firefox\Profiles\t1a8rzmj.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
(verified)  gmpopenh264.dll                          C:\Users\Jay Whitelock\AppData\Roaming\Mozilla\Firefox\Profiles\t1a8rzmj.default\gmp-gmpopenh264\1.5.3\gmpopenh264.dll
(verified)  Internet Explorer                        C:\Windows\SysWOW64\ieframe.dll
(verified)  Microsoft® Windows® Operating System     C:\Windows\System32\mswsock.dll
(verified)  Microsoft® Windows® Operating System     C:\Windows\System32\NapiNSP.dll
(verified)  Microsoft® Windows® Operating System     C:\Windows\System32\nlaapi.dll
(verified)  Microsoft® Windows® Operating System     C:\Windows\System32\pnrpnsp.dll
(verified)  Microsoft® Windows® Operating System     C:\Windows\System32\winrnr.dll
(verified)  Microsoft® Windows® Operating System     C:\Windows\System32\wshbth.dll


Scan
----
MD5: 69f8eb84db25b26d2440c9bc20626ea6  C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
MD5: ceff4fea2f523d2f3851724ccc8320cb  C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
MD5: c394099f9cde8d3cf83e27dc1b40d9d6  C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeBackgroundTasks.dll
MD5: bb8e7c63bac1c3856c80ca57da40888d  C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeHost.exe
MD5: 5dfd17d86bad589bfe736fd289d4ee5f  C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkyWrap.dll
MD5: a822b9e6eedf69211013e192967bf523  C:\Users\Jay Whitelock\AppData\Local\Temp\fwndyfog.sys


No file uploaded.

Scan finished - communication took 2 sec
Total traffic - 0.00 MB sent, 0.03 KB recvd
Scanned 282 files and modules - 3 seconds

==============================================================================
 



#9 satchfan


Posted 26 April 2016 - 07:18 AM

All looks good. If there are no remaining problems I'll send instructions to tidy up.

 

Please let me know if you're happy with that.

 

Satchfan




#10 Arcylus


Posted 27 April 2016 - 02:47 AM

Yeah I am, thank you so much for your help :)



#11 satchfan


Posted 27 April 2016 - 02:55 AM

thank you so much for your help

You're welcome.


Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:
o    Create registry backup
o    Purge system restore

  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX, it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

======================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

======================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

======================

Download WOT

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • green if it's safe
  • yellow for caution
  • red for unsafe

You can download the WOT add-on for Firefox, Chrome, Internet Explorer, Opera, and Safari browsers. It does not slow down your browsing experience, it is easy to use and free. Just click “Download” and you are ready to go!

======================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

======================

Unchecky

Be careful when downloading free software. Many free programs come bundled with adware, many of which cause redirects/popups and verge on being malware. There is a program that automatically “unchecks” the boxes you may not notice when downloading programs.

Download and install Unchecky.

======================

Download and install CryptoPrevent

Crypto Ransomware Warning

There are particularly nasty “Ransomware” infections out there at the moment that encrypt your files, and the only way possible to get them “de-crypted” is to pay a ransom. You can read more about this here.

  • download CryptoPrevent
  • save the file to your Desktop and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This will launch the program once you click Finish
  • you will get a prompt asking if you purchased a Product Key for Automatic Updates. Click No
  • you will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to
  • click OK to continue and select your protection level. Go ahead and click OK.
  • click the Apply button to set Default protection
  • you may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.

You are now protected.

Note: The free version doesn't provide automatic updates but should be updated often, (at least weekly), as this infection has serious consequences. To update it manually, open the program, select the “Updates” menu then select Check for Updates to see if there are any available.

===================================================

I also recommend that you read the following:

Best Practices for Safe Computing - Prevention of Malware Infection by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet  by Lawrence Abrams

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan




#12 satchfan


Posted 28 April 2016 - 02:54 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
