Windows 10 Clean Install


7 replies to this topic

#1 TheFallenCaptain

TheFallenCaptain

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:26 PM

Posted 25 November 2016 - 05:32 PM

Hello all,

 

I wanted to get your opinions on this problem I had.

 

STORY:

 

A couple of weeks ago, I scanned my computer with AVG free edition and got a notification that there was a rootkit; it was an inline hook rootkit that I could not remove using AVG. I then ran MBAM, but it did not detect anything. Panicked, I did a system restore to an earlier date when I did not have the rootkit. The only thing I installed that week was Windward through Steam and did some light internet browsing (must have gotten it through this). Anyway, doing the system restore made it so AVG did not detect the rootkit anymore. But I did not trust this and performed a clean install of Windows 10 on my computer. I reformatted and cleaned both drives I have with the Windows 10 recovery disk, just in case, and the install worked fine.

 

Currently, I am afraid to use my computer as I do not trust it anymore. I installed Avast over AVG this time and reinstalled MBAM. I also got MBAR just in case and have scanned my computer religiously and nothing comes up, but I still don't trust the scans! Honestly, I need some clarification to put my mind at ease. :unsure:

 

QUESTIONS:

 

1. What type of rootkit was this? Ring 0, 1, 2, or 3? I wish I had not been so rash to system restore and documented what the line said instead. You may not be able to answer this unfortunately. I remember it said inline hook - %unknown%, or something close to that.

 

2. What programs can I run to be absolutely sure that this rootkit did not hop over during the clean install?

 

3. I have heard that some rootkits can infect firmware, should I get a new hard drive? I really don't want to...

 

Looking back, I wish I would've come here for help right away, but I heard clean installing the OS would get rid of pretty much all viruses, malware, and rootkits.

 

I appreciate all feedback/suggestions! Thank you!





#2 TheFallenCaptain

TheFallenCaptain
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:26 PM

Posted 27 November 2016 - 01:17 PM

I did some scans on my own today:

 

1. Avast --> 0 infected files

2. Malwarebytes Anti-malware --> 0 infected files (in safe mode)

3. Malwarebytes Anti-Rootkit --> 0 infected files

4. Rkill --> No malware to kill, issues with the registry, or missing digital signatures - but there were integrity issues. What's an integrity issue? (I posted it below)

 

Checking Windows Service Integrity:

 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]

 * agp440 [Missing ImagePath]

 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

 

5. JRT --> 0 file system, 0 registry

6. Roguekiller --> 0 in every category (in safe mode)

7. ESET online scanner --> 0 infected files

 

Now after all these scans, can I be sure that nothing is hiding on my system? Is there anything else I should scan with? I assume the clean install of Windows was effective. I am also feeling pretty confident that my computer is safe now; I just want a second opinion please! :wink:


Edited by TheFallenCaptain, 27 November 2016 - 07:58 PM.


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,035 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:26 PM

Posted 03 December 2016 - 10:35 AM

Looks good, may want to run SFC System File Checker

Now run SFC /Scannow (System File Checker) to Repair System Files.

Open the Command Prompt with Admin rights.
Right-click the Start button and select Command Prompt (Admin).
Type or copy/paste the following command into the Command Prompt window and press Enter to run a full system scan:
sfc /scannow
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 TheFallenCaptain

TheFallenCaptain
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:26 PM

Posted 03 December 2016 - 01:01 PM

Hi! Thanks for responding!

 

I ran it and it said "Windows Resource Protection did not find any integrity violations."

 

Anything else you recommend or am I clean? I run scans every week now, sometimes more than once a week. Guess I am a bit paranoid... :crazy: 



#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,035 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:26 PM

Posted 03 December 2016 - 06:05 PM

Looks clean and good to go...
You're welcome!!

#6 TheFallenCaptain

TheFallenCaptain
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:26 PM

Posted 04 December 2016 - 12:32 PM

Nice, thank you! I have been a bit scared using my computer, but I don't think anything can survive a reformat so there should have been zero viruses. Just don't want to get my bank stuff stolen.

 

Thanks again! :love4u:



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:26 PM

Posted 04 December 2016 - 01:46 PM

...I scanned my computer with AVG free edition and got a notification that there was a rootkit, it was an inline hook rootkit that I could not remove using AVG...

Keep in mind that not all rootkits/hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. Most ARK tools check for rootkit-like behavior which is not always indicative of a malware infection. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators, virtual machines, sandboxes and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

Hooking is one of the techniques used by a rootkit to alter the normal execution path of the operating system. Rootkit hooks are basically installed modules which intercept the principal system services that all programs and the OS rely on. By using a hook, a rootkit can alter the information that the original OS function would have returned. There are many tables in an OS that can be hooked by a rootkit and those hooks are undetectable unless you know exactly what you're looking for.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. Most of the time, IRP hooks are made by legit drivers to filter IRPs. Security products with ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be immediately alarmed if you see any hidden entries created by legitimate programs after performing a scan.

Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
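As an added illustration (not code from this thread, from AVG, or from any other scanner named here) of what an ARK tool is doing when it reports an "inline hook": it compares a function's first bytes on disk with the copy in memory, decodes the jump it finds there, and tries to attribute the jump target to a loaded module. When no module owns the target, the report can only say "unknown", which is why such a finding by itself does not tell you whether the hook is malicious. The function address, sample bytes and module range below are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data (assumed values, not from the thread):
# first 8 bytes of an x64 syscall stub as stored on disk
# (mov r10,rcx ; mov eax,0x55), and the same bytes read from memory
# after a 5-byte near jump (E9 rel32) was written over the prologue.
FUNC_VA = 0x7FF800010000
ON_DISK = bytes.fromhex("4c8bd1b855000000")
IN_MEMORY = bytes.fromhex("e9fb1f0010000000")
# Hypothetical loaded-module map: name -> (base, end). A real scanner
# would build this from the kernel's or process's module list.
KNOWN_MODULES: Dict[str, Tuple[int, int]] = {
    "hypothetical_av_driver.sys": (0x7FF810000000, 0x7FF810100000),
}


@dataclass
class HookFinding:
    hooked: bool
    kind: str            # "none", "jmp-rel32", "jmp-indirect" or "modified"
    target: Optional[int]
    owner: str           # owning module name, "unknown", or "" if not hooked


def owner_of(addr: int, modules: Dict[str, Tuple[int, int]]) -> str:
    """Attribute an address to a loaded module, or report it as unknown."""
    for name, (base, end) in modules.items():
        if base <= addr < end:
            return name
    return "unknown"


def classify_prologue(on_disk: bytes, in_memory: bytes, func_va: int,
                      modules: Dict[str, Tuple[int, int]]) -> HookFinding:
    """Compare disk vs memory prologue and describe any inline patch."""
    if on_disk == in_memory:
        return HookFinding(False, "none", None, "")
    if len(in_memory) >= 5 and in_memory[0] == 0xE9:
        # E9 rel32: target = address of next instruction + signed offset
        rel = struct.unpack_from("<i", in_memory, 1)[0]
        target = (func_va + 5 + rel) & 0xFFFFFFFFFFFFFFFF
        return HookFinding(True, "jmp-rel32", target, owner_of(target, modules))
    if len(in_memory) >= 6 and in_memory[:2] == b"\xff\x25":
        # FF 25 disp32: jmp [rip+disp32]; resolving it needs a memory read
        return HookFinding(True, "jmp-indirect", None, "unknown")
    return HookFinding(True, "modified", None, "unknown")
```

Run against the sample, the hooked prologue resolves to the hypothetical driver; with an empty module map the same bytes yield the "unknown" attribution the poster remembered seeing.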

#8 TheFallenCaptain

TheFallenCaptain
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:26 PM

Posted 05 December 2016 - 06:33 PM

 

...I scanned my computer with AVG free edition and got a notification that there was a rootkit, it was an inline hook rootkit that I could not remove using AVG...

 

...Security products with ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be immediately alarmed if you see any hidden entries created by legitimate programs after performing a scan.

Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong.

 

 

Oh I see, thank you for the information. My computer wasn't acting strange at all so I was surprised that AVG would report an infection, let alone a rootkit one. Unfortunately, I was super scared and did a reformat/reinstall of the OS because I didn't want to take any chances. I even considered flashing the BIOS because some rootkits can get into the BIOS, although it is very rare it would be just my luck! <_< 

 

I reinstalled everything, just still a bit paranoid about entering in my credit card information.

 

Can you really ever be 100% sure that your computer is safe?
