
GMER Detected A rootkit...


This topic is locked
29 replies to this topic

#1 HYTTIOAOA

HYTTIOAOA

  • Members
  • 42 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 02 October 2016 - 06:05 PM

I scanned with GMER today and found this

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-02 19:02:33
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000038 ST1000DM003-1ER162 rev.CC46 931.51GB
Running: gmer.exe; Driver: C:\Users\AJ\AppData\Local\Temp\kwrcrpow.sys
 
 
---- Threads - GMER 2.2 ----
 
Thread   C:\WINDOWS\system32\csrss.exe [7664:8908]                                                                                      fffffb494b596c20
Thread    [6480:5972]                                                                                                                   0000000063d401c7
Thread    [6480:1540]                                                                                                                   0000000063ddc59c
Thread    [6480:5176]                                                                                                                   0000000063ddc59c
Thread    [6480:3784]                                                                                                                   0000000063ddc59c
Thread    [6480:7448]                                                                                                                   00000000778e6020
Thread    [6480:7316]                                                                                                                   00000000778e6020
Thread    [6480:7972]                                                                                                                   0000000063ddc59c
Thread    [6480:10236]                                                                                                                  0000000063ddc59c
 
---- Services - GMER 2.2 ----
 
Service  C:\WINDOWS\System32\qmgr.dll (*** hidden *** )                                                                                 [AUTO] BITS                                                   <-- ROOTKIT !!!
 
---- Registry - GMER 2.2 ----
 
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\Defrag@LastRun                                     09:26:2016
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\Defrag@TotalBytesSaved                             0x00 0x20 0x00 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed                                              -925781035
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start                                                                              2
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName                                                         Global\MMF_BITS7a228015-a86b-486f-8f4f-2ced360bc047
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BITS                                                                                    
Reg      HKLM\SYSTEM\CurrentControlSet\Services\KLIF\Parameters@CheckVersion                                                            44
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch                                                                1843
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch                                                               237
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer                                                         192.168.0.1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1f47f75d-e261-4e68-8188-e9ac2b1ddb0f}@LeaseObtainedTime    1475444899
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1f47f75d-e261-4e68-8188-e9ac2b1ddb0f}@T1                   1475445799
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1f47f75d-e261-4e68-8188-e9ac2b1ddb0f}@T2                   1475446474
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1f47f75d-e261-4e68-8188-e9ac2b1ddb0f}@LeaseTerminatesTime  1475446699
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f2dada3b-4f67-44ce-a835-0be2e5f4619d}@LeaseObtainedTime    1475444901
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f2dada3b-4f67-44ce-a835-0be2e5f4619d}@T1                   1475445801
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f2dada3b-4f67-44ce-a835-0be2e5f4619d}@T2                   1475446476
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f2dada3b-4f67-44ce-a835-0be2e5f4619d}@LeaseTerminatesTime  1475446701
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{188698ff-e1f3-47c7-864b-2db183466583}@Dhcpv6State         1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated                                            0x21 0xE7 0x06 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh                                                 0x21 0x4F 0xCB 0x61 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow                                                  0x21 0x7F 0x42 0x9E ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List                                                        12664 12670 12680 12690 12710 12754 12764 12802 12808 12824
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter                                                       12830
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help                                                          12831
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter                                                      12664
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help                                                         12665
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw                                                                             0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask                                                                         0x64 0x62 0x03 0x00 ...
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome.UserData.Profile1                                    0x3D 0x41 0x11 0xB2 ...
 
---- Disk sectors - GMER 2.2 ----
 
Disk     \Device\Harddisk0\DR0                                                                                                          unknown MBR code
 
---- EOF - GMER 2.2 ----
 
 
Can someone help me with this?



#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 AM

Posted 02 October 2016 - 06:54 PM

Hi HYTTIOAOA :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you stayed with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full-time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread.
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

This looks like a false positive from GMER. qmgr.dll is a legitimate Windows file and a component of BITS. Upload the file to VirusTotal and post the report URL here after.

Upload a file on VirusTotal
  • Open your favorite web browser, and go to virustotal.com;
  • From there, click on the Select a file button and wait for Windows Explorer to open;
  • Browse to the file below, select it and click on Open;
    C:\WINDOWS\System32\qmgr.dll
    
  • Once done, click on the Analyze button;
  • If you get a message that the file was already analyzed, click on the Re-analyze button;
  • At the end of the analysis, copy and paste the VirusTotal report URL in your next reply;
Also, which version of Windows are you running?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
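Before calling a System32 file clean or dirty on the strength of a VirusTotal page, a responder would confirm two things locally: that the file on disk is the same object VirusTotal analysed (same SHA-256 as the one in the report URL) and that it still carries Microsoft's signature. The PowerShell script below is an added example for this thread, not code from the original post or from GMER. It assumes the qmgr.dll path from this post and the report URL the topic starter posts in the next reply (both are parameters, substitute your own), an elevated prompt, and that on Windows 8 or later Get-AuthenticodeSignature also resolves catalog signatures for System32 binaries that carry no embedded signature.

```powershell
# Added example (not part of the original thread): verify a file GMER flagged
# before trusting or distrusting it. Computes the local SHA-256, compares it
# with the hash embedded in a VirusTotal report URL, and checks the
# Authenticode/catalog signature. Run from an elevated PowerShell prompt.

param(
    # Defaults are the path and report URL quoted in this thread.
    [string]$Path = 'C:\WINDOWS\System32\qmgr.dll',
    [string]$VirusTotalUrl = 'https://www.virustotal.com/en/file/c7511fab014f20fbeca56a9ba5880dfd8f020b8a33a7a30b12dbe961640f3fc9/analysis/1475460799/'
)

function Get-VtHashFromUrl {
    param([string]$Url)
    # VirusTotal file report URLs carry the sample's SHA-256 as a 64-hex-digit segment.
    if ($Url -match '/file/([0-9a-fA-F]{64})/') { return $Matches[1].ToLower() }
    throw "No SHA-256 found in URL: $Url"
}

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

$localHash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
$vtHash    = Get-VtHashFromUrl -Url $VirusTotalUrl

[pscustomobject]@{
    Path         = $Path
    LocalSha256  = $localHash
    ReportSha256 = $vtHash
    HashMatches  = ($localHash -eq $vtHash)   # False means VT looked at a different file
} | Format-List

# Signature check. Most System32 binaries are catalog-signed rather than carrying
# an embedded signature; Get-AuthenticodeSignature consults the catalog store on
# Windows 8 and later, so Status should read 'Valid' with a Microsoft signer.
# 'NotSigned' or 'HashMismatch' on a System32 file is what warrants a closer look.
$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    Status     = $sig.Status
    Signer     = $sig.SignerCertificate.Subject
    IsOSBinary = $sig.IsOSBinary
} | Format-List

# Independent cross-check against the component store's expected hashes
# (run separately, elevated):  sfc /verifyfile=C:\WINDOWS\System32\qmgr.dll
```

If HashMatches is True and Status is Valid with a Microsoft signer, the VirusTotal verdict applies to the file actually on the machine; a hash mismatch means the report is about a different copy and the upload should be repeated.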


#3 HYTTIOAOA

HYTTIOAOA
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 02 October 2016 - 09:18 PM

https://www.virustotal.com/en/file/c7511fab014f20fbeca56a9ba5880dfd8f020b8a33a7a30b12dbe961640f3fc9/analysis/1475460799/

 

This is the link to the virustotal

 

I am running Windows 10 Version 10.0.14393 Build 14393

 

Why was this detected as a rootkit in the first place? Is it corrupted?

 

Oh and by the way I found more things detected by GMER

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-02 22:17:46
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000038 ST1000DM003-1ER162 rev.CC46 931.51GB
Running: gmer.exe; Driver: C:\Users\AJ\AppData\Local\Temp\kwrcrpow.sys
 
 
---- Disk sectors - GMER 2.2 ----
 
Disk     \Device\Harddisk0\DR0                                        unknown MBR code
 
---- Threads - GMER 2.2 ----
 
Thread   C:\WINDOWS\system32\csrss.exe [10152:1688]                   fffffb494af26c20
 
---- Services - GMER 2.2 ----
 
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )            [AUTO] CDPUserSvc_1cae30                 <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )            [MANUAL] MessagingService_1cae30         <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )            [AUTO] OneSyncSvc_1cae30                 <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )            [MANUAL] PimIndexMaintenanceSvc_1cae30   <-- ROOTKIT !!!
Service  C:\WINDOWS\servicing\TrustedInstaller.exe (*** hidden *** )  [AUTO] TrustedInstaller                  <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\svchost.exe (*** hidden *** )            [MANUAL] UnistoreSvc_1cae30              <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )            [MANUAL] UserDataSvc_1cae30              <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )            [MANUAL] WpnUserService_1cae30           <-- ROOTKIT !!!
 
---- EOF - GMER 2.2 ----
 
 
This is getting strange. I didn't have these before...


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 AM

Posted 03 October 2016 - 07:30 AM

Probably because GMER hasn't been updated to support Windows 10 AU (Version 10.0.14393) yet. Looks like these are all false positives. I'll run GMER on my desktop tonight, and I might get similar results. From the GMER website, you can see that support for Windows 10 has been added, but it was for Windows 10 RTM. Windows 10 TH2 and AU (Redstone) aren't the same, so GMER probably hasn't been updated for them.



#5 HYTTIOAOA

HYTTIOAOA
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 04 October 2016 - 07:04 PM

Hey sorry for the late reply, I thought you were going to reply first, so I just waited.

 

So are they false positives?



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 AM

Posted 04 October 2016 - 07:14 PM

I meant to ask, what options did you use when you ran GMER? I'll use the same ones when running the scan on my system.

Also, I still think these are false positives, since the services associated with svchost.exe and TrustedInstaller.exe are legitimate ones. Some of them also seem to be causing issues for some users.

https://social.technet.microsoft.com/Forums/en-US/c165a54a-4a69-441c-94a7-b5712b54385d/what-is-the-cdpusersvc-for-?forum=win10itprogeneral

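GMER's "hidden" verdict means it found a service key in the registry that the Service Control Manager did not enumerate for it. The script below, an added example rather than code from the thread or from GMER, repeats that comparison with built-in tooling and decodes the Type flags Microsoft documents for Windows 10 per-user services: 0x40 marks the template (CDPUserSvc) and 0x80 the instance that is created at logon under a per-session suffix such as _1cae30 and deleted at logoff. The service names are the ones from the log above; the regex that pulls the executable out of ImagePath and the use of Win32_Service plus Win32_SystemDriver as the "visible to the SCM" set are the script's own assumptions. Run it from an elevated prompt.

```powershell
# Added example, not code from this thread or from GMER.
# GMER reports a service as "hidden" when its registry key exists but the
# Service Control Manager did not enumerate it. Repeat that comparison with
# built-in tooling and decode the Type flags that mark Windows 10 per-user
# services, so a *_<hex> entry can be told apart from a genuinely hidden one.
# Run from an elevated PowerShell prompt.

# Service names GMER flagged in this thread; substitute your own.
$Flagged = @('BITS', 'CDPUserSvc_1cae30', 'MessagingService_1cae30', 'OneSyncSvc_1cae30',
             'PimIndexMaintenanceSvc_1cae30', 'TrustedInstaller', 'UnistoreSvc_1cae30',
             'UserDataSvc_1cae30', 'WpnUserService_1cae30')

# Type bits documented for the Services registry key. 0x40/0x80 are the
# per-user service template and per-logon instance flags added in Windows 10.
$TypeFlags = [ordered]@{
    0x001 = 'KernelDriver'
    0x002 = 'FileSystemDriver'
    0x010 = 'Win32OwnProcess'
    0x020 = 'Win32ShareProcess'
    0x040 = 'UserService'
    0x080 = 'UserServiceInstance'
    0x100 = 'InteractiveProcess'
}

function ConvertTo-ServiceTypeNames {
    param([int]$Type)
    $names = foreach ($bit in $TypeFlags.Keys) { if ($Type -band $bit) { $TypeFlags[$bit] } }
    if ($names) { $names -join '|' } else { '0x{0:X}' -f $Type }
}

# Executable part of an ImagePath such as "%SystemRoot%\system32\svchost.exe -k UnistackSvcGroup".
# Assumption: the first token ending in .exe (quoted or not) is the binary.
function Get-ImageExe {
    param([string]$ImagePath)
    if ($ImagePath -and $ImagePath -match '^\s*"?([^"]+?\.exe)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $null
}

# 1. Every service key in the registry: the list GMER walks.
$regServices = @{}
foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $regServices[$key.PSChildName] = [pscustomobject]@{
        Type = [int]$p.Type; Start = $p.Start; ImagePath = $p.ImagePath
    }
}

# 2. Every service the SCM enumerates: what a hidden service would be missing from.
$scmNames = @(Get-CimInstance Win32_Service      | Select-Object -ExpandProperty Name) +
            @(Get-CimInstance Win32_SystemDriver | Select-Object -ExpandProperty Name)

foreach ($name in $Flagged) {
    $r = $regServices[$name]
    if (-not $r) {
        # Per-user instances are deleted at logoff and recreated with a new suffix.
        Write-Output "$name : no registry key now (per-user instance gone, or name differs)"
        continue
    }
    $exe      = Get-ImageExe $r.ImagePath
    $sig      = if ($exe -and (Test-Path -LiteralPath $exe)) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
    $template = if ($r.Type -band 0x80) { $name -replace '_[0-9a-fA-F]+$', '' } else { '' }
    [pscustomobject]@{
        Service   = $name
        SeenBySCM = ($scmNames -contains $name)   # False is what "hidden" would really mean
        TypeFlags = ConvertTo-ServiceTypeNames $r.Type
        Template  = $template                     # e.g. CDPUserSvc for CDPUserSvc_1cae30
        Image     = $exe
        ImageSig  = $sig
    }
}
```

On a healthy 1607 machine every entry should come back with SeenBySCM True and ImageSig Valid, and the _1cae30 entries should carry Win32ShareProcess|UserService|UserServiceInstance and map to a template such as CDPUserSvc. The combination worth escalating is the opposite one: a key in the registry, not enumerated by the SCM, whose image is unsigned or lives outside the Windows directory. Because instances are recreated with a new suffix at each logon, a later scan may list different names or none, which is consistent with what the topic starter saw between scans.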


#7 HYTTIOAOA

HYTTIOAOA
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 06 October 2016 - 04:28 PM

The options I used when I first ran GMER were the default GMER startup scan, with all areas to scan checked and quick scan checked.

Then I did a full scan and only found qmgr.

 

The next results came when I started up GMER and it did its startup quick scan of all areas.

 

My computer has been running very slow since your reply and the mouse stutters frequently and the disk space is at 100%



#8 HYTTIOAOA

HYTTIOAOA
  • Topic Starter

  • Members
  • 42 posts
  •  
  • Local time:03:57 AM

Posted 07 October 2016 - 09:05 AM

I am going to try and factory reset. My mouse stutters and the PC is running slow. However, I need you to stay with me in case something survived factory reset.



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 AM

Posted 07 October 2016 - 09:26 AM

I'll be waiting.



#10 HYTTIOAOA

HYTTIOAOA
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 07 October 2016 - 04:07 PM

Hey Aura, thanks, I'm back. I finished a reinstall of Windows 10 from the reinstall tool provided by MS, and the mouse stutter is gone. When I start up my PC the disk usage is 100%, then goes to zero or one after a while, with the processes using the 100% being System and Antimalware Service Executable.



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 AM

Posted 07 October 2016 - 04:23 PM

I've seen that before, it isn't unusual on start-up. Are there any other issues that could be malware-related that you would like me to address?



#12 HYTTIOAOA

HYTTIOAOA
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 07 October 2016 - 04:54 PM

I guess it's nothing, as GMER isn't even saying that there are rootkits anymore.

 

all I see on GMER is:

 

Disk      \Device\Harddisk0\DR0      unknown MBR code

Thread      C:\WINDOWS\System32\csrss.exe [640:4356]      fffff69a7e5b6c20

 

Those are probably normal, so I think there's nothing to worry about anymore, however I'll do a full scan and add a log later today. Thanks for the clarification.



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 AM

Posted 07 October 2016 - 05:00 PM

No problem. I've seen the same detection in other GMER logs, it's normal. I'll wait for the log then.

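"Unknown MBR code" is GMER saying the boot code in sector 0 does not match a loader it recognises; it is not a statement that the code is malicious, and it shows up on plenty of clean systems, as the reply above notes. The script below is an added example (not from the thread or from GMER) that reads the sector directly so the reader can check it for themselves: it validates the 0x55AA boot signature, lists the four partition entries (a 0xEE entry means a GPT disk with a protective MBR, where the code area is often zero or vendor-specific rather than the stock Microsoft loader), and hashes the 440-byte boot code area so it can be compared between machines or against a known-good image. It assumes PhysicalDrive0 is the disk GMER reported as \Device\Harddisk0\DR0 and an elevated prompt; the FileShare.ReadWrite open is needed because the disk is in use.

```powershell
# Added example, not code from this thread or from GMER.
# Read sector 0 of the first physical disk and decode it: boot signature,
# partition table, and a SHA-256 of the 440-byte boot code region that GMER
# compares against its list of known loaders. Requires an elevated prompt.

$drive = '\\.\PhysicalDrive0'   # \Device\Harddisk0\DR0 in GMER's output
$fs = [System.IO.File]::Open($drive,
        [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
try {
    $mbr  = New-Object byte[] 512
    $read = $fs.Read($mbr, 0, 512)        # sector-aligned read of exactly one 512-byte sector
    if ($read -ne 512) { throw "Short read: $read bytes" }
} finally {
    $fs.Dispose()
}

# Boot signature must be 0x55 0xAA at offsets 510-511.
$sigOk = ($mbr[510] -eq 0x55 -and $mbr[511] -eq 0xAA)

# Boot code occupies bytes 0..439; the disk signature and partition table follow.
$code       = [byte[]]($mbr[0..439])
$sha        = [System.Security.Cryptography.SHA256]::Create()
$codeHash   = ([BitConverter]::ToString($sha.ComputeHash($code))) -replace '-', ''
$codeIsZero = -not ($code | Where-Object { $_ -ne 0 })

# Partition table: four 16-byte entries starting at offset 446.
$parts = for ($i = 0; $i -lt 4; $i++) {
    $o = 446 + 16 * $i
    [pscustomobject]@{
        Entry    = $i
        Bootable = ($mbr[$o] -eq 0x80)
        Type     = ('0x{0:X2}' -f $mbr[$o + 4])        # 0xEE = protective MBR of a GPT disk
        StartLBA = [BitConverter]::ToUInt32($mbr, $o + 8)
        Sectors  = [BitConverter]::ToUInt32($mbr, $o + 12)
    }
}

[pscustomobject]@{
    Disk            = $drive
    BootSignatureOK = $sigOk
    BootCodeSHA256  = $codeHash
    BootCodeAllZero = $codeIsZero
    FirstBytes      = [BitConverter]::ToString($mbr[0..15])
} | Format-List
$parts | Format-Table -AutoSize
```

A useful baseline is to run the same script on a second machine installed from the same media and compare BootCodeSHA256 and FirstBytes; the stock Microsoft MBR loader on recent Windows versions typically begins 33 C0 8E D0 BC 00 7C (xor ax,ax; mov ss,ax; mov sp,7C00h), and on a UEFI/GPT system the entry of interest is the single 0xEE partition rather than the code bytes. Boot code that differs from the baseline, points at a second-stage sector elsewhere on disk, or fails the signature check is what would justify taking an image of the disk for offline analysis.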


#14 HYTTIOAOA

HYTTIOAOA
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 07 October 2016 - 05:22 PM

The log is attached because there was an error while copying and pasting saying the post was too long.

Attached Files

  • Attached File  GMER.log   148.75KB   5 downloads


#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 AM

Posted 07 October 2016 - 05:25 PM

All good. I don't see anything wrong in this log either.





