
gmer has found rootkit activity


  • This topic is locked
17 replies to this topic

#1 lucidstorm

  • Members

Posted 05 October 2016 - 08:21 AM

Hello, 

 

I have had 6 rootkit activity logs in GMER (C:\WINDOWS\system32\svchost.exe (*** hidden ***)), so I've run popular BleepingComputer scans because I am an active reader and big fan of Bleeping (Malwarebytes Anti-Rootkit and Anti-Malware, RogueKiller, ESET NOD online scanner, JRT, TFC, AdwCleaner, Sophos antivirus and Sophos HitmanPro, and Norton Power Eraser, which found a DNS problem and solved it). After the scans I repaired a lot of infections and junk programs, about 7 including some junk program, and I've run Windows Repair All-in-One and repaired everything I could. I can already see an improvement since I am able to start and finish antivirus scans. OK, why I did the scans: the laptop behaved as if it was hijacked, with pop-up windows opening and closing randomly and sometimes very fast; also the touchpad has become unresponsive and the right button stopped working (might be a hardware problem, I thought, because with a mouse it behaved better). After all these scans and repairs I can still see the "gmer has found rootkit activity" message, but the number of rootkits is reduced to two:

 

C:\Windows\system32\ikeext.dll (*** hidden ****) [Manual] IKEEXT

C:\Windows\system32\Tabsvc.dll (*** hidden ****) [AUTO] TabletInputService 

 

All the above in red.

 

Now, usually I am able to resolve the aforementioned problems alone with the above programs, but not this time; these programs are unable to solve the GMER log problem with red messages. I even tried TDSSKiller but it is unable to install, and MBR causes a BSOD; I can't run ComboFix because I'm on Win 10.

Malwarebytes Anti-Rootkit and Anti-Malware, RogueKiller, ESET NOD online scanner, JRT, TFC, AdwCleaner, Sophos antivirus and Sophos HitmanPro and Norton Power Eraser show 0 results now; GMER insists on the two red rootkit activities, ikeext.dll and Tabsvc.dll.

 

My spec: Win 10, 1 SSD C partition, Dell laptop with all its forced junk, ZoneAlarm and McAfee (today replaced with Bitdefender Free; I hate McAfee because it allowed such a mess to happen).

 

As I said, it could be false positives and a broken touchpad sending random inputs.

 

Best


Edited by lucidstorm, 05 October 2016 - 09:41 AM.
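A way to triage the two entries GMER flags, as an added example that is not part of the thread or any of the tools it names: it resolves each service's module from the registry, checks the Authenticode signature and compares the registry with what the Service Control Manager enumerates (a service key that exists but is not listed by the SCM is the kind of discrepancy GMER reports as hidden). It assumes an elevated PowerShell session on the Windows 10 host; the service names are taken from the GMER lines in the post.

```powershell
# Added triage example, not code from the thread. Assumes Windows 10 and an
# elevated PowerShell session. Service names come from the GMER lines above.
$flagged = @('IKEEXT', 'TabletInputService')

function Get-FlaggedServiceReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path -Path $svcKey)) {
            [pscustomobject]@{ Service = $name; Note = 'no registry key; GMER entry may be stale' }
            continue
        }
        $svc = Get-ItemProperty -Path $svcKey
        # svchost-hosted services keep the real module under Parameters\ServiceDll;
        # ImagePath only names svchost.exe plus its group and arguments.
        $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll) {
            $module = $params.ServiceDll
        } else {
            # strip surrounding quotes and any arguments after the executable
            $module = ($svc.ImagePath -replace '^"([^"]*)".*$', '$1') -replace '(?i)^(.*?\.(exe|sys)).*$', '$1'
        }
        $module = [Environment]::ExpandEnvironmentVariables($module)
        # Start value 2 = AUTO, 3 = Manual, 4 = Disabled (the tag GMER prints in brackets)
        $startType = @{ 2 = 'AUTO'; 3 = 'Manual'; 4 = 'Disabled' }[[int]$svc.Start]
        # A key present here but not enumerated by the SCM is what GMER calls hidden
        $scm = Get-Service -Name $name -ErrorAction SilentlyContinue
        $onDisk = Test-Path -LiteralPath $module
        $sigStatus = 'n/a'; $signer = 'n/a'; $hash = $null
        if ($onDisk) {
            # On Windows 10 this also honours catalog signatures, which most
            # system32 DLLs rely on; older builds report such files as NotSigned.
            $sig = Get-AuthenticodeSignature -FilePath $module
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $module).Hash
        }
        [pscustomobject]@{
            Service      = $name
            StartType    = $startType
            Module       = $module
            OnDisk       = $onDisk
            VisibleToScm = [bool]$scm
            ScmStatus    = if ($scm) { $scm.Status } else { 'not enumerated' }
            SigStatus    = $sigStatus
            Signer       = $signer
            SHA256       = $hash
        }
    }
}

Get-FlaggedServiceReport -Names $flagged | Format-List
```

A valid Microsoft signature with VisibleToScm set to True argues for a false positive; a missing or invalid signature, or a key the SCM does not list, is what should be sent on for review with the other logs.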


#2 nasdaq

  • Malware Response Team

Posted 06 October 2016 - 08:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===

Please post the logs and wait for further instructions.

#3 lucidstorm
  • Topic Starter

  • Members

Posted 06 October 2016 - 01:26 PM

Hi, why is only the Addition.txt in the attachment? Never mind, consult the post below.


Edited by lucidstorm, 06 October 2016 - 01:40 PM.


#4 lucidstorm
  • Topic Starter

  • Members

Posted 06 October 2016 - 01:29 PM

Attachment

 

&

 

Farbar scan results (please open spoiler):



Edited by lucidstorm, 06 October 2016 - 01:42 PM.


#5 nasdaq

  • Malware Response Team

Posted 07 October 2016 - 08:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1263113205-2751753645-2231641529-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\BOZENA\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-21]
S2 HomeNetSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S4 mccspsvc; "C:\Program Files\Common Files\McAfee\CSP\1.9.829.0\\McCSPServiceHost.exe" [X]
U3 awldikod; C:\Users\BOZENA\AppData\Local\Temp\awldikod.sys [56584 2016-10-05] (GMER) [File not signed]
R3 PCDSRVC{3B54B31B-D06B6431-06020200}_0; \??\c:\program files\dell\supportassist\pcdsrvc_x64.pkms [X]
Task: {9AB5FE09-01BA-454D-A0EF-FAB5CA7544C7} - System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => C:\WINDOWS\TEMP\DeleteFolderTask.exe <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Please post the logs for my review.
Let me know what problem persists.


#6 lucidstorm
  • Topic Starter

  • Members

Posted 08 October 2016 - 07:34 AM

Hi there!

 

MBR is an immediate BSOD as I mentioned before; I can't complete the process. I can run it if I say no to running virtualization technology for rootkit detection. So yes, I did run it in the end without virtu

 

NOTE, IMPORTANT: note that MBR caused a BSOD and I had to restart the PC after the RogueKiller scan, so maybe the malicious code re-entered the process and our efforts are perhaps wasted.

 

RogueKiller found DNS PUPs before the MBR scan, nothing in red though.

 

Please advise further.

 

Thank you

 

Please open to read

 



Edited by lucidstorm, 08 October 2016 - 07:36 AM.


#7 nasdaq

  • Malware Response Team

Posted 08 October 2016 - 09:13 AM




Remove your version of Bitdefender

Download and run the uninstaller for your free version from this site:
http://www.bitdefender.com/uninstall/

When completed restart the computer normally.

With all the programs closed download and reinstall the application from this site.
http://www.bitdefender.com/toolbox/freeapps/desktop/

When installed scan your computer.

Let me know what problem persists.

#8 lucidstorm
  • Topic Starter

  • Members

Posted 08 October 2016 - 11:10 AM

Hi, I can't find the free edition to uninstall; I chose 2015 Internet Security because the free edition is from 2015, and it failed to delete registry leftovers.

 

The process takes forever and Bitdefender is active; the process seems to be in some sort of loop, failing to delete registry entries and shortcuts.

 

I rebooted the system but Bitdefender is impossible to delete; it stays active. Trying other versions and will keep you posted.

 

Also, the PC fails to connect to wifi; I need to manually connect to a secure wifi spot.

 

EDIT: finished with errors, unable to uninstall Bitdefender. Please advise further; Bitdefender wasn't even touched by the tool.

 

Windows says it's turned off, but I can see the Bitdefender icon and it's functional.


Edited by lucidstorm, 08 October 2016 - 11:42 AM.


#9 nasdaq

  • Malware Response Team

Posted 08 October 2016 - 12:38 PM


Download and run this RevoUninstaller tool.
http://www.revouninstaller.com/

Remove everything referencing Bitdefender.

Make sure that Windows Defender is enabled.

---

Restart the computer normally.

Run the Farbar tool normally.

Post fresh FRST and Addition.txt file for my review.

Let me know of any issues at this time.


#10 lucidstorm
  • Topic Starter

  • Members

Posted 09 October 2016 - 05:52 AM

Hi

 

I did as you asked, but not all of it was possible. Revo Uninstaller Pro version (I know that program and use it frequently) did the job just fine.

 

Without rebooting yet, I tried to turn on Windows Defender real-time protection, but it sent me to the Windows application tab (to be precise, Apps and Features), and real-time protection is greyed out in Settings.

 

What I did is turn on the antivirus in ZoneAlarm; I already had that on my system since it was a substitute for Windows Firewall, but until now it was turned off.

 

However, I can enable periodic scanning by Windows Defender and I did; I also scanned with ZoneAlarm. Both found nothing, so I made no changes whatsoever.

 

I've run a scan with Farbar and this is what I've got:

 


Edited by lucidstorm, 09 October 2016 - 06:10 AM.


#11 lucidstorm
  • Topic Starter

  • Members

Posted 09 October 2016 - 05:59 AM

Addition.txt in attachment

 

What changed since we first met is that the right button of the touchpad works again; however, oddly enough, it's a left click instead of a right. Wifi can't connect automatically, which worked before. I didn't perform any changes other than what you asked of me; for security I am not using this laptop at all.


Edited by lucidstorm, 09 October 2016 - 06:13 AM.


#12 lucidstorm
  • Topic Starter

  • Members

Posted 09 October 2016 - 06:18 AM

Sorry, my bad, the scans above are from before the reboot.

 

Consider these from after the reboot:

 




#13 nasdaq

  • Malware Response Team

Posted 09 October 2016 - 09:34 AM


Nothing suspicious was found in your logs.
===

Remove the temporary files that this tool will find.

Download the Junkware Removal Tool to your Desktop from this link.
http://www.bleepingcomputer.com/download/junkware-removal-tool/

Shutdown your antivirus to avoid any conflicts.
Right click the icon - disable for say 20 mins.
Right-mouse click JRT.exe and select Run as administrator (If using XP just double click on the icon to run it.)
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
======

Wifi issues.

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • Click Go and copy/paste the log (MTB.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
===


Touchpad problem.
Google this string: "dell touchpad driver windows 10"

You may have to get the latest driver. Or possibly the setting can be changed via the control panel.

===

ZoneAlarm Free Firewall Antivirus (Enabled - Up to date) WILL DISABLE WINDOWS DEFENDER.
Both of them cannot work together in real life.

The following can work with Windows Defender.
ZoneAlarm Free Firewall Anti-Spyware
and
ZoneAlarm Free Firewall Firewall
===
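The settings the MiniToolBox checklist above reports (hosts file, IE proxy, DNS servers, Winsock entries) can also be read directly, as an added example that is not part of the thread or of MiniToolBox. It is read-only, so the values can be reviewed before any reset; it assumes Windows 8 or later, where Get-DnsClientServerAddress is available.

```powershell
# Added example, not code from the thread or from MiniToolBox. Reports the
# network settings a browser or DNS hijacker typically changes, without
# modifying anything. Assumes Windows 8 or later.
function Get-NetworkHijackIndicators {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # A stock hosts file contains only comments; any active mapping deserves a look
    $hostsEntries = @(Get-Content -LiteralPath $hostsPath |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' })

    # WinINET proxy used by IE/Edge and most Windows apps; a proxy or PAC URL
    # the user never configured is a classic interception sign
    $inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Per-adapter DNS servers; compare against the router/ISP or a known public resolver
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses

    # Winsock catalog: a non-Microsoft layered provider can intercept every socket
    $winsock = netsh winsock show catalog | Select-String -Pattern 'Description|Provider Path'

    [pscustomobject]@{
        HostsEntries   = $hostsEntries
        ProxyEnable    = $inet.ProxyEnable
        ProxyServer    = $inet.ProxyServer
        AutoConfigURL  = $inet.AutoConfigURL
        DnsServers     = $dns
        WinsockCatalog = @($winsock | ForEach-Object { $_.Line.Trim() })
    }
}

Get-NetworkHijackIndicators | Format-List
# MiniToolBox's "Flush DNS" step is equivalent to Clear-DnsClientCache; run it
# only after the values above have been reviewed.
```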

#14 lucidstorm
  • Topic Starter

  • Members

Posted 09 October 2016 - 10:14 AM

Hi, I can't find these drivers. I downloaded some Synaptics touchpad drivers from unknown sites but it's not solved: windowsreinstallationguide.com and dellwindowsreinstallationguide.com (hope they are fine)

 

Synaptics_v19_0_19_1__C__x86-x64__Win10__Signed__MS_Win10_UXUI_PS2_SMbus

 

OK, it downloaded a Logitech updater (it tricked me into believing I was downloading an Alps touchpad driver for Win 10) that I have a hard time removing... from dellwindowsreinstallationguide.com

 

Disappeared on next reboot (weird)

 

 

JRT & MiniToolBox as per request (before installing the touchpad driver)

 


 

 

Edit: OK, the Dell touchpad is working again; I found some driver on the Dell forums. I'm going to run a Farbar scan one last time to check that that install didn't ruin anything (dellwindowsreinstallationguide.com)

 

Farbar:


Edited by lucidstorm, 09 October 2016 - 11:18 AM.


#15 lucidstorm
  • Topic Starter

  • Members

Posted 09 October 2016 - 11:16 AM

Posting latest scans: see next page


Edited by lucidstorm, 09 October 2016 - 11:45 AM.

