Advanced rootkit



#1 Nelles93


Posted 04 July 2016 - 12:25 AM

Hi guys,
first of all, a friend of mine had already run FRST and Gmer and checked the logs. He told me that I definitely got a rootkit but he couldn't help me further (because he had to go on montage for the next 3 months), and since I need that PC for professional purposes and online banking, I'd appreciate getting help from experts.
I am kind of scared of connecting it to the network again because a lot of passwords already got stolen and I don't want to plug in any device. I already created a bootable flash drive with HBCD on a clean PC but I will need a safe way to share the logs with you. Also I am willing to wipe my full hard drive, if that's the easiest solution, because there's no needed data on it! Thanks in advance and please excuse my bad English.

Edited by Nelles93, 04 July 2016 - 02:01 AM.


#2 satchfan


Posted 04 July 2016 - 03:15 AM

Hello Nelles93 and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Please connect your computer to the Internet and run these two scans as I won’t be able to help clean your computer effectively if I don’t know what I’m dealing with. Unless your friend is trained in virus removal, it is not certain what is on your PC without seeing some current scans.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that is the right version.

 

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • make sure there is a checkmark next to "Addition.txt" before you press the Scan button
  • it will produce two logs called Frst.txt and Addition.txt in the same directory the tool is run from
  • please copy and paste both logs back here.

 

===================================================

Run aswMBR

  • download aswMBR.exe to your desktop
  • double click the aswMBR.exe to run it
  • if asked, accept the AVAST virus definition download
  • click the "Scan" button to start scan
  • on completion of the scan click Save log, save it to your desktop and post in your next reply. Note - do NOT attempt any Fix yet.

Logs to include with next post:

Frst.txt
Addition.txt
aswMBR log


Thanks

Satchfan


Edited by satchfan, 04 July 2016 - 03:29 AM.
Amendment

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Nelles93


Posted 04 July 2016 - 06:48 AM

Hello satchfan and thanks for your assistance,

here are the logs you've asked for:



#4 satchfan


Posted 04 July 2016 - 10:16 AM

There is absolutely no sign of infection and to be honest I’d be really surprised if there was a sign of a rootkit on a Windows 10 machine. aswMBR showed nothing and neither did FRST, and at least one of them would have given signs.

There were, however, a few bits that need tidying up.

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Beschränkung <======= ACHTUNG
SearchScopes: HKLM -> {d4fee3d1-1014-4db8-a824-573bf9ab51c7} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3511f006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-613950301-1579437796-718574838-1001 -> DefaultScope {d4fee3d1-1014-4db8-a824-573bf9ab51c7} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3511f006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-613950301-1579437796-718574838-1001 -> {d4fee3d1-1014-4db8-a824-573bf9ab51c7} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3511f006&q={searchTerms}
U4 klkbdflt2; \SystemRoot\system32\DRIVERS\klkbdflt2.sys [X]
C:\Users\Shaddi\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\Shaddi\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Shaddi\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\Shaddi\AppData\Local\Temp\nvStInst.exe
C:\Users\Shaddi\AppData\Local\Temp\proxy_vole2513864294508359422.dll
C:\Users\Shaddi\AppData\Local\Temp\proxy_vole7726065351589403665.dll
C:\Users\Shaddi\AppData\Local\Temp\proxy_vole950035637209726342.dll
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

Could you please copy/paste logs into the post.

As well as the FRST fix log, could you also locate this and include it:

C:\TDSSKiller.3.1.0.9_14.06.2016_20.27.58_log.txt

Logs to include with next post:

Fixlog.txt
C:\TDSSKiller.3.1.0.9_14.06.2016_20.27.58_log.txt


Thanks

Satchfan

 


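As an added check (example code written for this page, not part of the thread and not an FRST feature), the following read-only PowerShell audit looks up the same entries the fixlist above targets, so their state can be confirmed before and after the fix is run. The GUID, SID, driver name and Temp paths are taken from the fixlist; the Internet Explorer SearchScopes and service registry locations are the standard Windows ones that FRST abbreviates in its output.

```powershell
# Added example: read-only audit of the items the FRST fixlist above targets.
# Run in an elevated PowerShell. It only reports; it changes nothing.

$scopeGuid = '{d4fee3d1-1014-4db8-a824-573bf9ab51c7}'          # from the fixlist
$sid       = 'S-1-5-21-613950301-1579437796-718574838-1001'    # user SID from the fixlist

# FRST writes "SearchScopes: HKLM ->" and "HKU\<SID> ->" for these two keys.
$scopeKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
)

foreach ($key in $scopeKeys) {
    if (-not (Test-Path $key)) { "$key : key not present"; continue }
    # DefaultScope is a value on the SearchScopes key itself.
    $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DefaultScope
    "$key : DefaultScope = $default"
    $sub = "$key\$scopeGuid"
    if (Test-Path $sub) {
        $url = (Get-ItemProperty -Path $sub).URL
        "  $scopeGuid still present, URL = $url"
    } else {
        "  $scopeGuid not present"
    }
}

# "CHR HKLM\SOFTWARE\Policies\Google" in FRST output means a Chrome policy key exists.
"Chrome policy key present: $(Test-Path 'HKLM:\SOFTWARE\Policies\Google')"

# "U4 klkbdflt2; ... [X]" means the service key exists but its driver file is missing.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\klkbdflt2'
if (Test-Path $svc) {
    $img  = (Get-ItemProperty -Path $svc).ImagePath
    $file = $img -replace '^\\SystemRoot', $env:SystemRoot   # expand the NT-style prefix
    "klkbdflt2 service key present, ImagePath = $img, file exists: $(Test-Path $file)"
} else {
    "klkbdflt2 service key not present"
}

# Leftover installer/DLL files the fixlist lists under the user's Temp folder.
$temp = 'C:\Users\Shaddi\AppData\Local\Temp'
'jre-8u91-windows-au.exe', 'nvSCPAPI.dll', 'nvSCPAPI64.dll', 'nvStInst.exe' |
    ForEach-Object { "$_ : $(Test-Path (Join-Path $temp $_))" }
Get-ChildItem -Path $temp -Filter 'proxy_vole*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.Name) : present" }
```

Entries reported as not present after the fix confirm that the Fixlog.txt removals took effect; anything still present is worth raising in the next reply.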


#5 Nelles93


Posted 04 July 2016 - 12:00 PM

Hm, that's really weird because my PC has immense performance problems (i7 6700k CPU, GTX 980 Ti GPU) and, as I said, some of my passwords already got changed :S

I have added the old Gmer log as well, if that could help in any way

Thanks




#6 satchfan


Posted 04 July 2016 - 03:13 PM

There’s no sign of rootkits in either log. Let's run some more scans and if there's no improvement, as there's no sign of infection, I'll refer you to our Windows forum.

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Security Check

Download Security Check by screen317 from here.

  • save it to your Desktop.
  • double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • a Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED!, try rebooting the system and then run SecurityCheck again.

Logs to include with next post:

AdwCleaner log
JRT.txt
checkup.txt


Thanks

Satchfan



#7 Nelles93


Posted 04 July 2016 - 04:19 PM

Here we go, thanks in advance




#8 satchfan


Posted 04 July 2016 - 05:33 PM

Still looking pretty normal but we’ll run two final scans to be certain before I give instructions to tidy up here and point you to the other forum. That way they can be sure it’s not malware-related.

Run Malwarebytes’ Anti-Malware

I noticed that you had MBAM on your system: if you no longer have it, you can download it from here:

  • on the Dashboard, click Update Now
  • after the update completes, click the Scan Now button.
  • if an update is available, clicking the Update Now button will update it
  • a Threat Scan will begin.
  • when the scan is complete, if malware has been detected, click Apply Actions to allow MBAM to clean what was found
  • when the prompt to restart the computer appears, click Yes.
  • after the restart once you are back at your desktop, open MBAM once more
  • click on the “History” tab, the “Application Logs”
  • double-click on the scan log which shows the date and time of the scan just performed.
  • click Copy to Clipboard
  • please paste the contents of the clipboard into your reply.

===================================================

Run ESET Online Scan

Note: This may take a long time so please be patient.

IMPORTANT Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files which could leave some of your software inoperable.

Note: You can use Internet Explorer, Firefox or Chrome for this scan. You will however need to disable your currently installed anti-virus; how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan

  • click the Run Eset online Scanner button
  • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)


    o    click on esetinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    o    double click on the Eset installer icon on your desktop
     

  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Enable detection of potentially unwanted applications
  • click Advanced settings and select the following:


    o    scan archives
    o    scan for potentially unsafe applications
    o    enable Anti-Stealth technology


    Note: Do not check Remove found threats
     

  • ESET will then download updates, install itself, and begin scanning your computer, (please be patient as this can take some time)
  • when the scan completes, push List of found threats
  • when the scan is done, click List threats (only available if ESET Online Scanner found something)
  • click Export, then save the file to your desktop
  • click Back, then Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!

Logs to include with the next post:

Mbam.txt
Eset result, (if anything was found).


I won't reply again tonight as it's 11.30pm here and the Mbam & Eset scans won't complete before I have to get some beauty sleep.

Satchfan



#9 Nelles93


Posted 04 July 2016 - 10:18 PM

Good morning, here are the requested results.

I also have added the results of the previous scan of MBAM, which was made 3 weeks ago (I didn't turn on the PC in the meantime).

If everything's fine so far, I really need to think about why my PC is performing so badly from one day to the next, because I can't even run the common Minecraft properly anymore, and that with a 1,6k$ PC. How high is the chance that there is still undetected malware on my PC, and will I be able to do online transfers with higher sums of money again?

Thank you for your help and support



Edited by Nelles93, 04 July 2016 - 11:22 PM.


#10 satchfan


Posted 05 July 2016 - 02:20 AM

What you have had on your computer is a nasty trojan and I'm not sure that it has all gone because some of it is stubborn. What I do believe now is that this is the result of the trojan infection and not Windows-related.

A lot has been dealt with but we'll get rid of what Eset found then I'd like a look with a different tool.

Please copy all text in the code box below and paste it into Notepad:

@echo off
rem delete the files ESET reported; the typographic closing quotes in the original would have been passed to del as part of each path
del /f /s /q "C:\Games\Cheat Engine 6.5.1\standalonephase1.dat"
del /f /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\C9C207CD-0288-C4E6-D1CD-4FA4A49D2D3A_1d1c716d7343b16"
del /f /s /q "C:\Users\All Users\Microsoft\Windows Defender\Scans\FilesStash\C9C207CD-0288-C4E6-D1CD-4FA4A49D2D3A_1d1c716d7343b16"
del /f /s /q "C:\Users\Shaddi\Downloads\System Explorer - CHIP-Installer.exe"
rem remove this batch file itself when done
del %0
  • save the Notepad file to your desktop and name it delfiles.bat
  • save type as "All Files"
  • on your desktop, double-click on delfiles.bat to run it, (a black CMD window will flash, then disappear - this is normal).

The files/folders, if found, will have been deleted and the "delfile.bat" file will also be deleted.

===================================================

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.

  • on Windows Vista, 7/8, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    recentlycreated;
    firefoxlook;
    chromelook;
    firefoxdefaults;
    resetchrome;
    shortcutfix;
    iedefaults;
    autoclean;
    ipconfig /flushdns;b

  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

Please copy/paste the log into your next post.

 


Edited by satchfan, 05 July 2016 - 02:25 AM.



#11 Nelles93


Posted 05 July 2016 - 02:41 AM

Alright, I ran the .bat and zoek, but I need to ask if SafenSoft SysWatch interferes with zoek, because I can't turn it off manually without uninstalling it. But here is the log already.



#12 satchfan


Posted 05 July 2016 - 03:38 AM

I'll have to check back later as I'll be busy and unable to reply for a few hours.

 

Satchfan




#13 satchfan


Posted 05 July 2016 - 10:03 AM

I’ve had a good look back through all your logs for any signs and noticed a couple of entries that I missed which were Chrome-related as are most of the other “bad” entries.

Chrome is a total nuisance and we have countless problems with it. I think that uninstalling the wretched program may be the best answer. You cannot remove some Chrome problems except with an uninstall/re-install of Chrome, (even though Google have been aware of this since 2008 and haven't bothered to do anything about it).

Uninstall/Reinstall Google Chrome

First save all your bookmarks/favourites.

  • open Chrome, click on the 3 bars in the top right hand corner, select Bookmarks and then Bookmarks Manager
  • click on Organise and then select Export Bookmarks to HTML file, then choose Desktop to save it
  • again, click on the three bars in the top right hand corner and select Settings
  • in the list of Settings under “Sign in” click on Disconnect your Google Account – (if “Disconnect your Google Account” is not there, you will have to sign in using your Chrome username and password first to make it visible)
  • in the text of the next window click on “Google Dashboard” then, at the “Chrome sync” screen, click on Stop and Clear at the bottom
  • a box will open and ask for confirmation, click on OK (wait for this to complete before doing the next step)
  • when confirmation appears close that page and then click on Disconnect account
  • shut Google Chrome, click on Start > Control Panel > Programs and Features (or Add/Remove Programs in XP) and uninstall Google Chrome. Select Everything for removal if asked.

Reboot the system and then reinstall Google Chrome from here

Repeat the process to reinstate your bookmarks by going to Bookmarks > Bookmarks Manager > Organise and select Import Bookmarks.

Let me know if the computer is behaving any better.

Satchfan



#14 Nelles93


Posted 05 July 2016 - 01:21 PM

Everything's done except the reinstall, because I've decided to use Firefox from now on (not downloaded yet).
My PC's running smoother, but I get bluescreens after running any Java-related programs/games, and sometimes my PC is just struggling and doesn't let me close anything or even let me restart.

#15 satchfan


Posted 05 July 2016 - 05:48 PM

This may be down to Firewall settings.

 

Please uninstall ALL versions of Java via the control panel, then reboot.

Install the latest version of Java

NOTE – when you install it, before clicking on Install, be sure to Uncheck “Install the Ask Toolbar and make Ask my default search provider”

 

Next

Check your Firewall settings to set permissions for Java:

  • open Windows Firewall by clicking Start > Control Panel > Security and then Windows Firewall
  • in the left pane, click Allow a program through Windows Firewall
  • make sure there is a checkmark in the box next to the latest version of Java that was just installed
  • click OK
  • reboot.

Let me know if there is any improvement.


Edited by satchfan, 05 July 2016 - 05:49 PM.
