Rootkit detected through GMER.


  • This topic is locked
20 replies to this topic

#1 helloseven


Posted 08 November 2016 - 09:05 AM

Hi bleepingcomputer,

I had suspicions that my PC could be infected for some time.
Possibly by someone I know or came in contact with.
After mindlessly wondering and searching for adware and spyware using progs like RogueKiller, TCPView, Process Explorer etc.
and trying to monitor my outgoing/incoming traffic, I scanned my machine with GMER, and to my surprise it told me that there is a system modification caused by ROOTKIT.
Here are some pics.
1. http://imgur.com/JwrMlma
2. http://imgur.com/JEiisrn

Here are some images from TCPView, regarding [system processes] and Remote Addresses to constantly changing hosts/IPs.
http://imgur.com/a/HyyxQ
http://imgur.com/a/6Ta9h

http://imgur.com/a/0oauz

I will appreciate any advice and idea regarding what this means and what to do.
Have logs from GMER regarding that matter.

I'm on Win10.

Thank you in advance.


7

Edit. After running subsequent GMER checks, more infected files pop up, but shortly after the beginning of the scan I get a BSOD with KERNEL SECURITY CHECK FAILURE.
http://imgur.com/K3nmnkf
Edit 2: Got past the BSOD to get this on the next scan
http://imgur.com/5eU3k61


Edited by helloseven, 08 November 2016 - 11:30 AM.




#2 polskamachina

Malware Response Team

Posted 11 November 2016 - 05:20 PM

Hi helloseven :)
 
My name is polskamachina and I would like to welcome you to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.
 
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-8 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, cause unforeseen damage, or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Please give me some time to review your situation and I will get back to you with further instructions.
 
In the meantime can you tell me if your system is showing other symptoms such as:

  • Browser redirects
  • Slow performance
  • Programs won't load
  • System crashes
  • Popup advertisements

polskamachina



#3 polskamachina

Malware Response Team

Posted 14 November 2016 - 11:57 AM

Hi helloseven :)

I will appreciate any advice and idea regarding what this means and what to do.

Sometimes GMER will flag files in a rootkit scan but it's not all that easy to interpret the results. What follows will give us more clues as to what is going on.
 
I noticed you have System Restore disabled. Please enable it while we're troubleshooting your system. Directions are here.
 
Next:
 
Going over your logs I noticed that you have qBittorrent installed

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs as this is by far the most likely reason you were infected!
  • Files that are downloaded from these websites are most likely infected, and even though they may appear to be what you wanted, they may infect your computer at the same time! Do not download files from your p2p client and if you do always scan the file with your anti-virus before executing them!
  • Websites that contain links to download are also highly likely to try and infect your computer! Please avoid them as much as possible and if pop-up boxes appear, always try and close them by clicking the cross at the top right of the window or terminating the browser!
  • The best way to eliminate the risk of infection from p2p applications is to avoid these types of web sites and not use any P2P applications.
  • It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall qBittorrent, however that choice is up to you. If you choose to remove this program, the directions are below.

  • Press and hold the Windows flag key while pressing the "R" key to quickly launch the run box
  • Type appwiz.cpl in the box and hit Enter
  • Click on the entry for qBittorrent
  • Click on the Uninstall button to see the confirmation dialog
  • Select OK if asked to confirm your choice
  • The uninstall process should begin
  • When the uninstall process has completed, restart your computer if asked to do so by the system

If you wish to keep it, please do not use it and remove all files downloaded from it until your computer is cleaned!
 
Next:
 
I noticed you have Pando Media Booster installed on your system. That could be causing some of your random connection issues. I would suggest you uninstall it. Follow the same uninstall directions above only this time search for the program, Pando Media Booster in the list of installed programs then double-click it to begin the removal process.
 
Let's do some other scans to see what's going on.
 
Next:
 
We need to run a Fix with FRST.

  • Copy the following text in its entirety into Notepad
Create RestorePoint:
Close Processes:
HKLM\...\Run: [MsmqIntCert] => "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\System32\mqrt.dll"
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [No File]
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [No File]
FF Extension: (No Name) - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\MapShare-status@tomtom.com [not found]
CustomCLSID: HKU\S-1-5-21-3336758301-2159881952-1342346213-1000_Classes\CLSID\{AD51C725-11A3-9918-BB5C-E488DC55F0B3}\InprocServer32 -> no filepath
Task: {1928775E-FF50-467D-8E65-7C32FE25F3EA} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {35C769B1-2368-4E18-B018-79785C346A74} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5C388C2D-1262-40EC-A388-D203ECF2450C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {6016748F-0588-4AE8-9C75-D83390DEC437} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {81800E9A-0976-44D1-8523-7D46C4B485F2} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {8C1228B6-F6DD-47EC-A491-7D89C8F9F53D} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {91A88FDE-958B-4827-98DF-BFD4BA3C8E5D} - \GenericSettingsHandler\Windows-Credentials\RetrySyncTask_for_S-1-5-21-3336758301-2159881952-1342346213-1000 -> No File <==== ATTENTION
Task: {B603F017-F9AC-4A22-A413-37847D32F2FA} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {D54886A3-3F08-4B44-AE99-DB1678880318} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {E4ED7055-3EA3-4256-8D0C-52B444D0DAEE} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {F402127C-1E29-4DBB-B834-739406B9E3CE} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {F6CD8CDE-9E04-4744-B235-43A3E818FD6F} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {FBD5A4B4-E2DD-498F-B557-B08CF1969057} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
2013-08-05 10:40 - 2013-08-05 10:40 - 0000008 __RSH () C:\ProgramData\B4FF544914.sys
2013-08-05 10:40 - 2013-08-05 10:45 - 0002828 ___SH () C:\ProgramData\KGyGaAvL.sys
C:\Users\Technorama\AppData\Local\Temp\dllnt_dump.dll
  • Save the file to your Desktop as fixlist.txt
  • Note: FRST64 and fixlist.txt must be in the same folder in order for the fix to work.
  • Run FRST64
  • This time click on Fix
  • It should only take a few moments for the fix to complete
  • If you are asked to restart your computer, please do so
  • When the fix has completed, a new file will be created on your Desktop named Fixlog.txt
  • Please copy and paste that log into your next reply to me

In summary I will need from you:

  • Confirmation that you enabled System Restore
  • Whether or not you decided to keep qBittorrent
  • Whether or not you were able to uninstall Pando Media Booster
  • Fixlog.txt
  • How is your computer performing now?

Let me know if you have any questions.
 
polskamachina



#4 helloseven


Posted 15 November 2016 - 12:34 PM

Hi polskamachina,

Thanks for your reply. 


There are no pop-ups, ads or browser redirects.
I am also aware of p2p and torrenting dangers and I do not run, download or follow malicious links (as far as I'm aware).

I did all that you asked, including removing PMB and the torrent client, and I've noticed the computer booting up more easily; more smoothly, if you will, after the fix.

Here is the log.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-11-2016
Ran by seven (15-11-2016 19:24:58) Run:1
Running from C:\Users\Technorama\Desktop
Loaded Profiles: seven (Available Profiles: seven)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Create RestorePoint:
Close Processes:
HKLM\...\Run: [MsmqIntCert] => "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\System32\mqrt.dll"
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [No File]
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [No File]
FF Extension: (No Name) - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\MapShare-status@tomtom.com [not found]
CustomCLSID: HKU\S-1-5-21-3336758301-2159881952-1342346213-1000_Classes\CLSID\{AD51C725-11A3-9918-BB5C-E488DC55F0B3}\InprocServer32 -> no filepath
Task: {1928775E-FF50-467D-8E65-7C32FE25F3EA} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {35C769B1-2368-4E18-B018-79785C346A74} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5C388C2D-1262-40EC-A388-D203ECF2450C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {6016748F-0588-4AE8-9C75-D83390DEC437} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {81800E9A-0976-44D1-8523-7D46C4B485F2} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {8C1228B6-F6DD-47EC-A491-7D89C8F9F53D} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {91A88FDE-958B-4827-98DF-BFD4BA3C8E5D} - \GenericSettingsHandler\Windows-Credentials\RetrySyncTask_for_S-1-5-21-3336758301-2159881952-1342346213-1000 -> No File <==== ATTENTION
Task: {B603F017-F9AC-4A22-A413-37847D32F2FA} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {D54886A3-3F08-4B44-AE99-DB1678880318} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {E4ED7055-3EA3-4256-8D0C-52B444D0DAEE} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {F402127C-1E29-4DBB-B834-739406B9E3CE} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {F6CD8CDE-9E04-4744-B235-43A3E818FD6F} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {FBD5A4B4-E2DD-498F-B557-B08CF1969057} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
2013-08-05 10:40 - 2013-08-05 10:40 - 0000008 __RSH () C:\ProgramData\B4FF544914.sys
2013-08-05 10:40 - 2013-08-05 10:45 - 0002828 ___SH () C:\ProgramData\KGyGaAvL.sys
C:\Users\Technorama\AppData\Local\Temp\dllnt_dump.dll
*****************
 
Create RestorePoint: => Error: No automatic fix found for this entry.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MsmqIntCert => value removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found. 
HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect => key not found. 
HKLM\Software\MozillaPlugins\wacom.com/WacomTabletPlugin => key not found. 
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922 => key not found. 
HKLM\Software\Wow6432Node\MozillaPlugins\wacom.com/WacomTabletPlugin => key not found. 
C:\Program Files (x86)\TomTom HOME 2\xul\extensions\MapShare-status@tomtom.com => path removed successfully
"HKU\S-1-5-21-3336758301-2159881952-1342346213-1000_Classes\CLSID\{AD51C725-11A3-9918-BB5C-E488DC55F0B3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1928775E-FF50-467D-8E65-7C32FE25F3EA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1928775E-FF50-467D-8E65-7C32FE25F3EA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{35C769B1-2368-4E18-B018-79785C346A74}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{35C769B1-2368-4E18-B018-79785C346A74}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5C388C2D-1262-40EC-A388-D203ECF2450C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C388C2D-1262-40EC-A388-D203ECF2450C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6016748F-0588-4AE8-9C75-D83390DEC437}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6016748F-0588-4AE8-9C75-D83390DEC437}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{81800E9A-0976-44D1-8523-7D46C4B485F2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{81800E9A-0976-44D1-8523-7D46C4B485F2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8C1228B6-F6DD-47EC-A491-7D89C8F9F53D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8C1228B6-F6DD-47EC-A491-7D89C8F9F53D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{91A88FDE-958B-4827-98DF-BFD4BA3C8E5D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{91A88FDE-958B-4827-98DF-BFD4BA3C8E5D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GenericSettingsHandler\Windows-Credentials\RetrySyncTask_for_S-1-5-21-3336758301-2159881952-1342346213-1000" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B603F017-F9AC-4A22-A413-37847D32F2FA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B603F017-F9AC-4A22-A413-37847D32F2FA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D54886A3-3F08-4B44-AE99-DB1678880318}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D54886A3-3F08-4B44-AE99-DB1678880318}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E4ED7055-3EA3-4256-8D0C-52B444D0DAEE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E4ED7055-3EA3-4256-8D0C-52B444D0DAEE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F402127C-1E29-4DBB-B834-739406B9E3CE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F402127C-1E29-4DBB-B834-739406B9E3CE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F6CD8CDE-9E04-4744-B235-43A3E818FD6F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F6CD8CDE-9E04-4744-B235-43A3E818FD6F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FBD5A4B4-E2DD-498F-B557-B08CF1969057}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FBD5A4B4-E2DD-498F-B557-B08CF1969057}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
C:\ProgramData\B4FF544914.sys => moved successfully
C:\ProgramData\KGyGaAvL.sys => moved successfully
C:\Users\Technorama\AppData\Local\Temp\dllnt_dump.dll => moved successfully
 
 
The system needed a reboot.
 
==== End of Fixlog 19:25:06 ====

Edited by helloseven, 15 November 2016 - 12:38 PM.

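An added example, not code from the thread nor FRST's own: it parses a Fixlog like the one above and separates entries that were removed from entries that were already absent or that errored (such as the "Create RestorePoint:" line), which is the check a helper does by eye before moving on. The sample input is a shortened, constructed copy of the posted log.

```python
"""Summarise an FRST Fixlog and flag fixlist entries that were not fixed.

Added example, not code from the thread or from FRST. It reads the
result section FRST writes after the fixlist block (lines of the form
'<target> => <outcome>') and reports which entries were removed, which
were already absent, and which errored.
"""
import re
from collections import Counter

# Constructed sample: a shortened copy of the Fixlog posted in the thread.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 12-11-2016
Ran by seven (15-11-2016 19:24:58) Run:1
Boot Mode: Normal
==============================================

fixlist content:
*****************
Create RestorePoint:
Close Processes:
HKLM\...\Run: [MsmqIntCert] => "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\System32\mqrt.dll"
C:\ProgramData\B4FF544914.sys
*****************

Create RestorePoint: => Error: No automatic fix found for this entry.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MsmqIntCert => value removed successfully
HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
C:\ProgramData\B4FF544914.sys => moved successfully

The system needed a reboot.

==== End of Fixlog 19:25:06 ====
"""

# FRST reports each action as "<target> => <outcome>".
RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+)$")


def classify(outcome: str) -> str:
    """Map an FRST outcome phrase to success / not_found / error / other."""
    low = outcome.lower()
    if low.startswith("error"):
        return "error"
    if "not found" in low:
        return "not_found"      # entry was already gone; harmless
    if "successfully" in low:
        return "success"
    return "other"              # unknown wording: a human should look


def parse_fixlog(text: str) -> dict:
    """Return fixlist size, per-entry results, status counts and reboot flag."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    # The echoed fixlist sits between two asterisk rulers; results follow.
    rulers = [i for i, ln in enumerate(lines) if ln.startswith("*****")]
    if len(rulers) < 2:
        raise ValueError("no fixlist block found in Fixlog")
    fixlist = [ln for ln in lines[rulers[0] + 1:rulers[1]] if ln.strip()]

    results, reboot = [], False
    for ln in lines[rulers[1] + 1:]:
        if not ln.strip() or ln.startswith("===="):
            continue                      # blank line or end-of-log marker
        if ln == "The system needed a reboot.":
            reboot = True
            continue
        m = RESULT_RE.match(ln)
        target, outcome = (m.group("target"), m.group("outcome")) if m else (ln, ln)
        results.append({"target": target.strip(), "outcome": outcome.strip(),
                        "status": classify(outcome)})

    counts = Counter(r["status"] for r in results)
    return {
        "fixlist_entries": len(fixlist),
        "results": results,
        "counts": counts,
        "reboot": reboot,
        # Anything that neither succeeded nor was merely absent needs a second look.
        "needs_attention": [r for r in results if r["status"] in ("error", "other")],
    }


if __name__ == "__main__":
    report = parse_fixlog(SAMPLE_FIXLOG)
    print(f"{report['fixlist_entries']} fixlist entries, outcomes: {dict(report['counts'])}")
    for r in report["needs_attention"]:
        print(f"ATTENTION: {r['target']} -> {r['outcome']}")
    if report["reboot"]:
        print("A reboot was required; confirm it happened before the next scan.")
```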

#5 helloseven


Posted 15 November 2016 - 12:47 PM

Regarding questions- and I apologize for my technical illiteracy:

If the system does not show common signs of infection, such as malware running as independent executables or unknown executables running and/or unsolicited connections through unknown ports, which I can state after a week of monitoring processes with Task Manager, Resource Monitor, TCPView, netstat -anob etc. and scanning with malware detection tools such as Malwarebytes, is a deeper infection possible through, let's say, an SSL certificate or through common system files such as svchost.exe, ShellExperienceHost.exe etc.? In other words, is a virtual rootkit really a possibility, i.e. system files actually being hijacked (someone actually owning the SYSTEM account on my computer), and is there a way to detect it?

For example:
http://imgur.com/a/w1Bfc

While launching as administrator.
 

Thanks in advance

7


Edited by helloseven, 15 November 2016 - 01:08 PM.


#6 polskamachina

Malware Response Team

Posted 15 November 2016 - 01:19 PM

Hi 7 :)

Regarding questions- and I apologize for my technical illiteracy:

All the questions you ask are very good questions. We always want to make sure we haven't overlooked anything. I can assure you the tools we use do a very good job of uncovering anything that tries to hide.

 

One minor glitch that happened in the first fixlist I sent you was that a restore point was not created. You said you performed all the tasks that were on my list. Just to make sure, did you enable system restore? If not, please do so now.

 

Let's run another one of those good tools.

  • Click here and download Malwarebytes Anti-Rootkit Beta to your desktop
  • Double-click it and extract its contents to a folder
  • Open the folder and double-click on the mbar.exe to start the program
  • Follow the prompts and be sure to update the definitions when it asks
  • If it detects any infections, please allow the program to remove them
  • When the scan has completed, a log will be generated with the following named text file: mbar-log-date (time).txt
  • Please copy and paste that log into your next reply to me

In summary I will need from you:

Malwarebytes-Anti-Rootkit log

Confirmation that you enabled system restore and restore point was created upon doing so

Let me know if you have any questions.

 

polskamachina



#7 helloseven


Posted 15 November 2016 - 01:54 PM

polskamachina,

My system restore is activated, please see image below.
http://imgur.com/a/Dpwti

The mbar log
 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2016.11.15.11
  rootkit: v2016.10.31.01
 
Windows 10 x64 NTFS
Internet Explorer 11.447.14393.0
seven :: SEVEN-PC [administrator]
 
15-11-2016 20:31:58
mbar-log-2016-11-15 (20-31-58).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 326259
Time elapsed: 21 minute(s), 7 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 

 



#8 polskamachina

Malware Response Team

Posted 16 November 2016 - 10:18 PM

Hi 7 :)

 

After consulting with staff regarding your GMER results, I believe the results of the Malwarebytes Anti-Rootkit scan are more trustworthy than GMER's report. Therefore I would conclude that GMER was giving you false positives.

 

From an operations standpoint, if you're not experiencing any sluggishness, redirects, programs hanging, or other unusual activity, I think we can rule out rootkits as a problem.

 

Next:

 

Please download AdwCleaner by Xplode and save to your Desktop.

  • Right-click AdwCleaner and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt into your next reply to me.
  • A copy of all logfiles is saved to C:\AdwCleaner.
  • -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.

In summary I will need from you:

 

AdwCleaner log

Verification that your computer performance is OK

 

Let me know if you have any questions.

 

polskamachina



#9 polskamachina

Malware Response Team

Posted 19 November 2016 - 11:18 PM

Hi 7 :)

 

It's been a while since you've checked in. Did you need any more help with this? If not, this topic will be closed in 48 hours.
 
Please let me know if you have any questions.
 
polskamachina



#10 helloseven


Posted 21 November 2016 - 04:48 AM

Hi polskamachina,

Sorry for the delay; I missed the reply mail.
My computer is running well, thank you for asking!

Also, here is the AdwCleaner log.
 

# AdwCleaner v6.030 - Logfile created 21/11/2016 at 11:45:07
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-11-20.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : seven - SEVEN-PC
# Running from : C:\Users\Technorama\Downloads\Programs\adwcleaner_6.030.exe
# Mode: Clean
# Support : hxxps://www.malwarebytes.com/support
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\WINDOWS\SysNative\Tasks\TweakBit
[#] Folder deleted on reboot: C:\WINDOWS\SysNative\Tasks\TweakBit
[-] Folder deleted: C:\ProgramData\SecTaskMan
[-] Folder deleted: C:\ProgramData\BSD
 
 
***** [ Files ] *****
 
[-] File deleted: C:\WINDOWS\Reimage.ini
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\Classes\Applications\iLividSetup_A-r429-t-bi.exe
[-] Key deleted: HKLM\SOFTWARE\Classes\AniGIFPpg.AniGIFPpg
[-] Key deleted: HKLM\SOFTWARE\Classes\AniGIFPpg.AniGIFPpg.1
[-] Key deleted: HKLM\SOFTWARE\Classes\AniGIFPpg2.AniGIFPpg2
[-] Key deleted: HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine
[-] Key deleted: HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\AniGIFPpg.AniGIFPpg
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\AniGIFPpg.AniGIFPpg.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\AniGIFPpg2.AniGIFPpg2
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key deleted: HKU\S-1-5-21-3336758301-2159881952-1342346213-1000\Software\Reimage
[-] Key deleted: HKU\S-1-5-21-3336758301-2159881952-1342346213-1000\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[#] Key deleted on reboot: HKCU\Software\Reimage
[#] Key deleted on reboot: HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[#] Key deleted on reboot: [x64] HKCU\Software\Reimage
[#] Key deleted on reboot: [x64] HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[-] Key deleted: [x64] HKLM\SOFTWARE\Reimage
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [3366 Bytes] - [21/11/2016 11:45:07]
C:\AdwCleaner\AdwCleaner[S0].txt - [3426 Bytes] - [21/11/2016 11:42:28]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [3512 Bytes] ##########


#11 polskamachina

polskamachina

  • Malware Response Team
  • 3,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:50 PM

Posted 22 November 2016 - 01:13 AM

Hi 7 :)
 
You're making good progress. Let's run an ESET scan next:

ESET Online Scanner:

Note: You will need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here, download the ESET Smart Installer, and save it to your desktop.
  • Double-click on the file you just downloaded.
  • Place a checkmark next to "YES, I accept the Terms of Use" and click the Start button.
  • Click "Yes" to the UAC (User Account Control) warning, then ESET will download its components, register itself, and start itself.
  • In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
  • Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Now click on Start.
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may sometimes appear to be finished; if there is a progress bar visible, it is still scanning!
  • When the scan completes, click List Found Threats (only if anything is found).
  • Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click Back, then click Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!
 
In summary I will need:

  • ESET scan log if applicable
  • Is your computer still running without any problems?

Let me know if you have any questions.
 
polskamachina



#12 helloseven

helloseven
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:50 AM

Posted 23 November 2016 - 03:30 AM

Hi polskamachina,

Computer is running same as before.

Here's the ESET log.
 

C:\Users\All Users\Adobe\AIH.483ad91121d12f6caf604d1e4504eb1090796543\GTB.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\All Users\RogueKiller\Quarantine\2E11F70259DEE385.vir Win64/HackKMS.C potentially unsafe application
C:\ProgramData\Adobe\AIH.483ad91121d12f6caf604d1e4504eb1090796543\GTB.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\ProgramData\RogueKiller\Quarantine\2E11F70259DEE385.vir Win64/HackKMS.C potentially unsafe application cleaned by deleting
C:\Windows\SECOH-QAD.dll Win64/HackKMS.D potentially unsafe application cleaned by deleting

Cheers

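The five hits above come in pairs because ESET walked both C:\Users\All Users (an NTFS junction) and its real target C:\ProgramData, so each file was reported once without and once with an action. The Python below is an added example, not code from ESET or anyone in this thread: it parses lines in that log layout, folds the junction so each file is counted once, and reports whether every file was actioned; the two recognised categories and the quarantine-folder check are assumptions based only on the lines above.

```python
import re
from collections import defaultdict
# Sample input: the five lines from the ESET log posted above.
ESET_LOG = r"""
C:\Users\All Users\Adobe\AIH.483ad91121d12f6caf604d1e4504eb1090796543\GTB.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\All Users\RogueKiller\Quarantine\2E11F70259DEE385.vir Win64/HackKMS.C potentially unsafe application
C:\ProgramData\Adobe\AIH.483ad91121d12f6caf604d1e4504eb1090796543\GTB.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\ProgramData\RogueKiller\Quarantine\2E11F70259DEE385.vir Win64/HackKMS.C potentially unsafe application cleaned by deleting
C:\Windows\SECOH-QAD.dll Win64/HackKMS.D potentially unsafe application cleaned by deleting
"""

# <path> <name> <category> [<action>]: paths may contain spaces, detection names never do and
# always contain '/'. Only the two PUA categories are recognised (assumed); others come back unparsed.
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<name>[A-Za-z0-9]+/\S+) "
                     r"(?P<category>potentially (?:unsafe|unwanted) application)"
                     r"(?: (?P<action>.+))?$")

# C:\Users\All Users is an NTFS junction to C:\ProgramData: one file, two paths, two log lines.
JUNCTIONS = {r"c:\users\all users": r"C:\ProgramData"}

def canonical_path(path):
    low = path.lower()
    for alias, real in JUNCTIONS.items():
        if low.startswith(alias + "\\"):
            return real + path[len(alias):]
    return path

def parse_eset_log(text):
    """Return (parsed records, lines that did not match the expected layout)."""
    records, unparsed = [], []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["canonical"] = canonical_path(rec["path"])
        # A hit inside another tool's quarantine folder is an already-contained file.
        rec["in_quarantine"] = "\\quarantine\\" in rec["path"].lower()
        records.append(rec)
    return records, unparsed

def summarize(records):
    """Group hits by real file; a file is cleaned if any of its entries carries an action."""
    files = defaultdict(lambda: {"names": set(), "cleaned": False, "in_quarantine": False})
    for r in records:
        f = files[r["canonical"].lower()]
        f["names"].add(r["name"])
        f["cleaned"] |= r["action"] is not None
        f["in_quarantine"] |= r["in_quarantine"]
    return dict(files)
```

Run against the posted log it yields three distinct files, all actioned, one of them a previously quarantined sample rather than a live infection.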

#13 polskamachina

polskamachina

  • Malware Response Team
  • 3,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:50 PM

Posted 23 November 2016 - 03:22 PM

Hi 7,

We're almost finished. :)
 
Next:
 
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
- Kaspersky Lab report: Evaluating the threat level of software vulnerabilities
- Microsoft: Unprecedented Wave of Java Exploitation
- Ghosts of Java Haunt Users

Next:

 

Please follow these steps to remove older Java versions and update:


  • Read the License Agreement, and then check the box that says: "Accept License Agreement"
  • From the list, select Windows x64: jre-8u112-windows-x64.exe and save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Press and hold the Windows flag key while pressing the "R" key to quickly launch the run box
  • Type, appwiz.cpl in the box and hit enter
  • One at a time, remove all previous versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name
  • Click on the Uninstall button to see the confirmation dialog
  • Select OK if asked to confirm your choice
  • The uninstall process should begin
  • When the uninstall process has completed, restart your computer if asked to do so by the system
  • Repeat as many times as necessary to remove all older versions of Java
  • If you need more assistance using the uninstall feature, it can be found here.
  • From your desktop, double-click on jre-8u112-windows-x64.exe and install the newest version.
  • If the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button
  • Java is updated frequently. If you want to be automatically notified of future updates, select the choice during the installation process which allows Java to notify you of updates.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it. McAfee Security Scan Plus may be installed unless you uncheck the McAfee installation box when updating Java.

If you were able to update Java without any issues, then proceed to the next section. Otherwise, stop and let me know what happened.

Please continue with the following steps that will remove all the diagnostic tools you used to scan and clean your system.

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

A log will appear after Delfix has finished removing the tools. You can optionally forward the log to me.
 
Below are some security tips to read. Following these guidelines will help you avoid another visit to the Malware Removal Forum. :woot:

If your computer is still running fine, then please acknowledge that you have completed all the steps in this post successfully and we can close this topic.
 
polskamachina



#14 helloseven

helloseven
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:50 AM

Posted 23 November 2016 - 06:34 PM

polskamachina,

Java updated and machine running smoothly.
Used Delfix as well.

On a side note before closing this:
I saw something when restarting my machine. It's the screen with "A program is preventing Windows from shutting down",
you know, the one where some programs tend to take a few seconds to shut down when you force a restart or a PC shutdown. There was an entry saying " -keyhash dialogue- " is preventing Windows from shutting down, or something like that. -key**** dialogue-, I can't recall quite well what the word after "key" was; it was on the screen just for a second. Like I mentioned before, I saw it only once before and forgot about it, but today there it was again. Googled it but can't find it. Could you give me a heads up?

Lastly, I've done a USB-bootable Dr.Web® LiveDisk scan, and it returned the following, if it tells you something.

http://imgur.com/a/Pi26a


Thanks in advance,

 

7



#15 helloseven

helloseven
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:50 AM

Posted 23 November 2016 - 07:46 PM

Some other things that happened since the last post and after I ran Dr.Web:

After a few resets I decided to run Dr.Web again just in case, but couldn't connect to the internet.
Booted Windows normally, and saw I was connecting to some AndroidAP network (which was set to Connect Automatically), which later disappeared from the Wi-Fi list.
My router password was reset to default, and my whole router was reset as it seems. I did not access the router.

Is that normal?





