
suspected Sophisticated Rootkit


24 replies to this topic

#1 cheb

cheb

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 16 August 2016 - 10:17 PM

Hello, I am at the end of my tether. I have been fighting with a malware/trojan rootkit that keeps returning!

I would have formatted everything already, only I need the Windows 8.1 CD/USB and shops do not have it on sale near me.

GMER result for Windows 8.1 64-bit laptop included.

I have been infected by nasty, restoring, powerful, harmful rootkits/malwares,

possibly from a multiplayer server of Football Manager 16; some players were very shady, suspicious and abusive on a botched game start-up.

Also, when I installed 3rd-party software for FSX named Gplan, it froze my CPU upon installation and my CPU has never been the same!

I have tried everything:

restores, refreshes, resets; restores lost everything, desktops and files.

Old CPU broke.

This new laptop is now infected and compromised.

I notice it seems to have also infected my router.

It seems to have infiltrated Bluetooth on my Android phone and interferes with the laptop also.

A TEREDO tunnelling device appears hidden in wireless LAN in devices,

also ISATAP tunnel.sys.

I have had BSOD IRQL errors that crash the CPU (I disable and uninstall the Bluetooth networks and the Teredo and ISATAP pseudo tunnelling).

They all come back no matter how I delete them, even with AVs and tools.

I even turn the phone off for security.

They are foreign networks set up and returning, unauthorised and highly suspicious.

Originally my CPU slowed down, then lots of processor usage, strange things. Then the desktop was deleted; games keep uninstalling themselves on Steam right after full reinstallation of said games! Restores delete, break, and the CPU goes AWOL.

Also my broadband speed is slower/used considerably.

It usually returns with high process usage, then non-responding programs, then the intruder networks and Bluetooths, then my CPU usually freezes or BSODs or crashes in game.

This is persistent.

I am familiar with most AVs and tools used here and on other sites such as MajorGeeks.

McAfee, AVG, Avira, Kaspersky, TDSSKiller etc., Malwarebytes have all failed to detect whatever is causing all this.

I tried the basic command prompts: ipconfig /all catches rogue networks, and sfc scan etc. My RAM and memory and CPU are 100% working otherwise.

Please help; I have to keep returning to square 1 and reinstalling everything, 5-6 times in 3 weeks so far.

There are some rootkits/malware detected in the GMER file accompanying here, but I am not sure which ones to delete or how?

Attached Files





#2 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 16 August 2016 - 10:27 PM

Also, I have Panda Antivirus Pro functioning right now, although it had been disabled somehow on one restore earlier.

The Panda Online Cloud scan found some things, but as I was forced to restore back to an unfrozen CPU restore point, now the Panda cloud scan will not install, as if something is blocking it.

It's not the first time all AVs and firewalls have been disabled or not functioning properly.

Here also is the Panda cloud install error zip.

All help would be greatly appreciated.

 

Attached Files



#3 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 17 August 2016 - 06:39 PM

Should I have made the headline bold?

Nobody up for the challenge of solving this GMER list?

 

 



#4 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 17 August 2016 - 11:56 PM

Farbar Recovery Scan Tool, or FRST.

Panda blocked that as a virus!

Hundreds of views but NO feedback?

Can somebody help please?

The rootkit or whatever keeps returning; it made 4 LAN networks again today:

Teredo tunneling

ISATAP

and other network virtual adapters.

I don't use Bluetooth and never trusted it, and it also installs odd Bluetooths which I keep disabling and uninstalling, only for them to return again, smh.



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:48 PM

Posted 18 August 2016 - 09:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===

Please post the logs.

Wait for further instructions.

#6 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 18 August 2016 - 01:33 PM

Thank you for your response, sir.

Am scanning with RogueKiller right now.

The only USBs I have are a joystick and a mouse.

I prefer a USB mouse to the touchpad mouse.

Would it be OK to leave the USB mouse in, or?



#7 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 18 August 2016 - 02:17 PM

OK, after googling USB mouse I disconnected it and restarted the scan.

RogueKiller found only laptop brand homepage changes and what looks like McAfee uninstall remnants?

Included RogueKiller report.

As I said in a previous post, Panda Firewall is blocking installation of Farbar Recovery Scan Tool.


Edited by cheb, 18 August 2016 - 02:21 PM.


#8 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 18 August 2016 - 02:20 PM

RogueKiller report

Attached Files



#9 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 18 August 2016 - 02:33 PM

FRST.txt

Addition.txt

as requested.

 

 

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:48 PM

Posted 19 August 2016 - 07:52 AM

Do you have any problem with your USB?
Your version of the Lenovo USB Blocker may need to be updated.
https://support.lenovo.com/ca/en/documents/ht104313

===


Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (Chrome Web Store Payments) - C:\Users\cheb\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\cheb\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Task: {229A2CB2-A04A-4393-8386-CB6EC94892D1} - \OFFICE2013ACT -> No File <==== ATTENTION
Task: {4122C014-8581-42F0-A682-61B04D03B4D2} - \Optimize Start Menu Cache Files-S-1-5-21-1967991768-18245369-3399840606-500 -> No File <==== ATTENTION
Task: {84DC3A2B-488E-4261-8DEF-492DFE0BC8EE} - \PDVDServ Task -> No File <==== ATTENTION
Task: {AB1E5EDA-8D86-43E9-B5F5-793FBA5CFBA1} - \Synaptics TouchPad Enhancements -> No File <==== ATTENTION
Task: {B9CB3254-86E5-4068-8AD4-73539B7BF95C} - \DolbySelectorTask -> No File <==== ATTENTION
Task: {D3295C1E-8725-40A9-897E-EA6767F67580} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {EB695EC2-4A2D-4E37-AD5A-C851BEFD9192} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
HKU\S-1-5-21-1967991768-18245369-3399840606-1002\Software\Classes\exefile:  <===== ATTENTION
HKU\S-1-5-21-1967991768-18245369-3399840606-1002\Software\Classes\.exe:  =>  <===== ATTENTION
HKU\S-1-5-21-1967991768-18245369-3399840606-1002\Software\Classes\batfile:  <===== ATTENTION
HKU\S-1-5-21-1967991768-18245369-3399840606-1002\Software\Classes\.bat:  =>  <===== ATTENTION
HKU\S-1-5-21-1967991768-18245369-3399840606-1002\Software\Classes\comfile:  <===== ATTENTION
HKU\S-1-5-21-1967991768-18245369-3399840606-1002\Software\Classes\.com:  =>  <===== ATTENTION
HKU\S-1-5-21-1967991768-18245369-3399840606-1002\Software\Classes\cmdfile:  <===== ATTENTION
HKU\S-1-5-21-1967991768-18245369-3399840606-1002\Software\Classes\.cmd:  =>  <===== ATTENTION
HKU\S-1-5-21-1967991768-18245369-3399840606-1002\Software\Classes\regfile:  <===== ATTENTION
HKU\S-1-5-21-1967991768-18245369-3399840606-1002\Software\Classes\.reg:  =>  <===== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If the problem persists, run these tools.

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click the aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Post the logs.

Let me know what problem persists.
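As an added check (example code written for this thread, not part of nasdaq's instructions and not FRST's own tooling), the PowerShell below, run from an elevated prompt on Windows 8.1, re-lists the three kinds of item the fix above deals with: scheduled tasks whose target file is missing (what FRST prints as "-> No File"), per-user overrides of exefile/batfile/comfile/cmdfile/regfile under HKCU\Software\Classes, and the Teredo/ISATAP/6to4 interfaces, which are Windows' own IPv6 transition adapters and are recreated by the OS itself. The function names and output layout are this example's own choices.

```powershell
# Added example for this thread; not FRST's or nasdaq's code. Elevated PowerShell, Windows 8.1+.

# 1. Scheduled tasks whose action executable no longer exists (FRST: "-> No File").
#    Usually uninstall leftovers, but a missing target is also what a cleaned-up
#    persistence entry looks like, so each one is worth a glance before deleting.
function Get-OrphanedTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            # Strip quotes, expand %SystemRoot%-style variables, then fall back to a PATH lookup
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $onDisk = (Test-Path -LiteralPath $exe) -or [bool](Get-Command $exe -ErrorAction SilentlyContinue)
            if (-not $onDisk) {
                [pscustomobject]@{ TaskPath = $task.TaskPath; Task = $task.TaskName; Missing = $exe }
            }
        }
    }
}

# 2. Per-user file-type overrides. HKU\<SID>\Software\Classes is the logged-on user's
#    HKCU:\Software\Classes; an exefile\shell\open\command there takes precedence over
#    the HKLM definition, so every .exe the user launches runs through that command.
#    The fixlist above deletes these keys, so after the fix this should return nothing.
function Get-UserClassOverrides {
    foreach ($cls in 'exefile', 'batfile', 'comfile', 'cmdfile', 'regfile') {
        $key = "HKCU:\Software\Classes\$cls\shell\open\command"
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Class = $cls; Command = (Get-ItemProperty -LiteralPath $key).'(default)' }
        }
    }
}

# 3. Teredo, ISATAP and 6to4 are built-in IPv6 transition interfaces. Windows recreates
#    them at boot, which is why uninstalling them in Device Manager never sticks; the
#    supported way to keep them off is "netsh interface teredo set state disabled" and
#    "netsh interface isatap set state disabled". This function only lists their state.
function Get-TransitionInterfaces {
    Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -match 'Teredo|isatap|6TO4' } |
        Select-Object InterfaceAlias, ConnectionState
}

Get-OrphanedTasks        | Format-Table -AutoSize
Get-UserClassOverrides   | Format-Table -AutoSize
Get-TransitionInterfaces | Format-Table -AutoSize
```

Running it before and after the Farbar fix gives a quick diff of what the fixlist actually removed, and shows the tunnel adapters for what they are rather than as something the fix is expected to make disappear.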





#11 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 19 August 2016 - 10:18 AM

Hello nasdaq,

Thank you for your help.

OK.

Am not sure how to get the multi-quote on this site working... it quoted the entire page...

"Do you have any problem with the your USB?"

I had no problems except when I disabled Bluetooths/tunneling as per rogue pseudo LANs and uninstalled them.

I have little faith or trust in much online or offline anymore.

Lenovo has had some very poor press regarding privacy and security.

Windows updates seemed to cause more instability, and I have experienced updates themselves being hijacked in the past also.

The more I learn about computers, I've come to the conclusion there is no privacy or security, and I will not use credit cards etc. online.

I certainly did not wish for Windows 10 updates, hence I disabled most updates! :)

However, I like classicshell.net start menus for Windows 8; makes it tolerable :)

BTW, Edward Snowden is a hero of mine.

Am about to do TDSSKiller.

I suspect when I use my Android phone, the apps crash and I am forced to press a suspect "OK screen" or it's locked.

Could this be an infection point? As afterwards the rogue ISATAP/tunneling was back.

I caught Bluetooth on my phone a couple of times and I never use that.

Also, when I rebooted after Farbar that time, the bad ISATAP tunneling was back when I checked ipconfig /all.

 

 

 

 

 

 

Attached Files



#12 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 19 August 2016 - 10:20 AM

I have updated all the Lenovo stuff including usb blocker now.



#13 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 19 August 2016 - 10:41 AM

TDSSKiller report found nothing; no reboot needed.

Attached Files



#14 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 19 August 2016 - 10:52 AM

Before I forget again:

I played FSX Flight Simulator on Steam last night,

and the game controls acted AWOL, as if somebody took the controls, pitch etc.

Then Steam acted weird and went offline even though my net was good for browsers etc.

aswMBR can now



#15 cheb

cheb
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 19 August 2016 - 11:01 AM

Updated ReportRogue.txt

The irony is not lost on me!

Attached Files





