
GMER finds rootkits and unknown MBR code


2 replies to this topic

#1 ynottony (Members, 9 posts)

Posted 11 December 2016 - 09:59 PM

Hi guys, I've been experiencing some unusual changes in my laptop system these past weeks, like a long startup time and a cmd window that opens when the desktop loads. After I scanned my system with GMER it showed some rootkit activity and unknown MBR code, so I reset Windows without removing my personal files, but after that GMER still shows rootkits.

Here's the result:

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-12 10:46:45
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000003c HGST_HTS721010A9E630 rev.JB0OA3J0 931.51GB
Running: 727k05mp.exe; Driver: C:\Users\tony\AppData\Local\Temp\pgldrkod.sys
 
 
---- Disk sectors - GMER 2.2 ----
 
Disk     \Device\Harddisk0\DR0                              unknown MBR code
 
---- Threads - GMER 2.2 ----
 
Thread   C:\WINDOWS\system32\csrss.exe [9868:7280]          ffffc1514d5e6c20
Thread   C:\WINDOWS\Explorer.EXE [10816:9388]               00007ffcdf3020e0
Thread   C:\WINDOWS\Explorer.EXE [10816:5732]               00007ffcdf3020e0
Thread   C:\WINDOWS\Explorer.EXE [10816:9156]               00007ffcdf3020e0
Thread   C:\WINDOWS\Explorer.EXE [10816:8620]               00007ffcc41a20e0
Thread   C:\WINDOWS\Explorer.EXE [10816:11184]              00007ffce06d20e0
 
---- Services - GMER 2.2 ----
 
Service  C:\WINDOWS\System32\qmgr.dll (*** hidden *** )     [MANUAL] BITS                           <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] CDPUserSvc_58fff                 <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] MessagingService_58fff         <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] OneSyncSvc_58fff                 <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] PimIndexMaintenanceSvc_58fff   <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\svchost.exe (*** hidden *** )  [MANUAL] UnistoreSvc_58fff              <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] UserDataSvc_58fff              <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] WpnUserService_58fff           <-- ROOTKIT !!!
 
---- EOF - GMER 2.2 ----
 
I didn't make a full system scan with GMER.

Can anyone help me with these, guys? Thank you.
 
Mod Edit: Moved from Mini guides. NickAu

Edited by NickAu, 11 December 2016 - 10:49 PM.
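As an added example for this thread (not part of the post, and not GMER's own code), the following Python parser reads the report layout GMER prints above (the section headers and the "Disk" and "Service" lines) and groups the flagged services by whether their names follow the Windows 10 per-user service scheme, which registers an instance per logon session as a template name plus "_" and a hex suffix. The sample report is copied from the post; the template list is a non-exhaustive list compiled for this example, not something GMER emits.

```python
"""Parse a GMER 2.2 text report and group the entries it flags.

Added example for this thread; it is not part of the original post and not
GMER's own code. It reads the report layout GMER prints (section headers,
"Disk" and "Service" lines) and groups flagged services by whether their
names match the Windows 10 per-user service scheme (template name plus "_"
and a hex suffix). PER_USER_TEMPLATES is an assumption of this example: a
non-exhaustive list of per-user service template names.
"""
import re
from dataclasses import dataclass

# Sample input: copied from the post above, trimmed to the lines the parser reads.
SAMPLE_REPORT = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-12 10:46:45
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000003c HGST_HTS721010A9E630 rev.JB0OA3J0 931.51GB

---- Disk sectors - GMER 2.2 ----

Disk     \Device\Harddisk0\DR0                              unknown MBR code

---- Threads - GMER 2.2 ----

Thread   C:\WINDOWS\system32\csrss.exe [9868:7280]          ffffc1514d5e6c20

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\System32\qmgr.dll (*** hidden *** )     [MANUAL] BITS                           <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] CDPUserSvc_58fff                 <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\svchost.exe (*** hidden *** )  [MANUAL] UnistoreSvc_58fff              <-- ROOTKIT !!!

---- EOF - GMER 2.2 ----
"""

# Section headers look like "---- Services - GMER 2.2 ----".
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# "Disk     <device>   <finding>"
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<finding>.+?)\s*$")
# "Service  <image> [(*** hidden *** )] [<start>] <name> [<-- ROOTKIT !!!]"
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+(?P<hidden>\(\*\*\* hidden \*\*\* \)\s+)?"
    r"\[(?P<start>[A-Z_]+)\]\s+(?P<name>\S+)\s*(?P<flag><-- ROOTKIT !!!)?\s*$"
)
# Per-user service instance names: <template>_<hex suffix>, e.g. CDPUserSvc_58fff.
PER_USER_RE = re.compile(r"^(?P<template>[A-Za-z]+)_(?P<suffix>[0-9a-fA-F]+)$")

# Assumption of this example: per-user service templates (non-exhaustive).
PER_USER_TEMPLATES = frozenset({
    "CDPUserSvc", "MessagingService", "OneSyncSvc", "PimIndexMaintenanceSvc",
    "UnistoreSvc", "UserDataSvc", "WpnUserService", "BluetoothUserService",
    "cbdhsvc", "ConsentUxUserSvc", "DevicePickerUserSvc", "DevicesFlowUserSvc",
    "PrintWorkflowUserSvc",
})


@dataclass(frozen=True)
class Service:
    image: str      # binary GMER attributes the service to
    hidden: bool    # GMER printed "(*** hidden *** )"
    start: str      # start type inside the brackets, e.g. AUTO, MANUAL
    name: str       # service name as registered in the SCM
    flagged: bool   # GMER appended "<-- ROOTKIT !!!"


def parse_report(text: str) -> dict:
    """Return the Disk-sector findings and Service entries of a GMER report."""
    section = None
    disk, services = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "Disk sectors":
            m = DISK_RE.match(line)
            if m:
                disk.append((m.group("device"), m.group("finding")))
        elif section == "Services":
            m = SERVICE_RE.match(line)
            if m:
                services.append(Service(
                    image=m.group("image"), hidden=bool(m.group("hidden")),
                    start=m.group("start"), name=m.group("name"),
                    flagged=bool(m.group("flag")),
                ))
    return {"disk": disk, "services": services}


def classify_service(name: str) -> str:
    """per-user: template in the list; per-user-like: suffix scheme only; other."""
    m = PER_USER_RE.match(name)
    if m and m.group("template") in PER_USER_TEMPLATES:
        return "per-user"
    if m:
        return "per-user-like"
    return "other"


def triage(text: str) -> dict:
    """Group GMER's flagged services by classification; keep MBR findings alongside."""
    report = parse_report(text)
    buckets = {"per-user": [], "per-user-like": [], "other": []}
    for svc in report["services"]:
        if svc.flagged:
            buckets[classify_service(svc.name)].append(svc.name)
    return {"mbr": [finding for _, finding in report["disk"]], **buckets}


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run against the full report in the post, the "other" bucket holds only BITS, and the MBR finding is carried through untouched; those are the lines worth following up with the FRST logs the reply below asks for, while the grouped per-user names can be compared against what the SCM reports for the logged-on session.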


#2 shadow_647 (Banned, 1,430 posts)

Posted 11 December 2016 - 10:26 PM

Malware guys on BC might be able to help you with that one. Myself, I'd do a full purge with KillDisk or something like it if I saw that and anti-rootkit/anti-virus software couldn't remove it. MBR anything is evil too, seeing as it is a higher privilege level than even ring zero "kernel" code.



#3 TsVk! (penguin farmer; Members, 6,238 posts; Location: The Antipodes)

Posted 11 December 2016 - 11:28 PM

Please follow the instructions here from step 1 and then skip to step 6. Make sure to include your GMER results as well as your FRST logs in your post.

 

Regards

 

TsVk!
