
Rootkit


This topic is locked
18 replies to this topic

#1 EvaEva

  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 28 January 2017 - 09:37 AM

Would someone help me, please? I have long-lasting problems with my computer. I ran FRST and GMER to detect rootkits. Windows Defender also detected HackTool.win32/AutoKMS, which I wanted to delete, but I was blocked and could not do it.

I am attaching results of FRST and GMER scans.

I am nobody and completely uninteresting to hackers, so I do not understand why they would be interested in my computer. Thank you for your help in advance.

 

If it helps, I am also attaching today's more detailed scan of the notebook plus a scan of my personal computer.

Attached Files


Edited by EvaEva, 29 January 2017 - 05:23 AM.



#2 nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:26 PM

Posted 29 January 2017 - 09:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )
Pokki (HKU\S-1-5-21-1686735569-3662740752-822740202-1001\...\Pokki) (Version: 0.269.2.471 - Pokki)
---

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


(@ByELDI) C:\Program Files\KMSpico\Service_KMS.exe
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} =>  -> No File
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} =>  -> No File
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
FF Extension: (WebTran) - C:\Users\Eva\AppData\Roaming\Mozilla\Firefox\Profiles\ehfqwohq.default\Extensions\{003D3EDC-99B9-4a34-9C20-60CB94F7E829}.xpi [2015-10-22] [not signed]
CHR Extension: (Platby Internetového obchodu Chrome) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-23]
CHR Extension: (Chrome Media Router) - C:\Users\Eva\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [971968 2015-02-02] (@ByELDI) [File not signed]
Task: {0C0DABF9-2ACA-4F77-9E1C-0DB32F3C577C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {2D0710D9-9F3E-4D6E-9A75-EC2369B3A9BB} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {33EF1F92-51C0-48F7-99FF-A446465FFE4F} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {3404E6A4-2F1F-475B-8060-23B40F607E55} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2015-02-02] (@ByELDI)
Task: {487197FE-D1E1-4F26-A9B8-88D8E0AB88D5} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {4CDB6ED8-A4F0-4F50-B7E2-06CBB5F2A5DE} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {4EEFE027-303F-4668-9F39-147A5D0F041B} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {6045C5DD-EF99-43BF-B7E7-B4318F575753} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {7C81E4FA-CC3B-4B2E-8A12-24C75D9C0E57} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8DE74EDC-8652-4D28-BC34-1E4275A17153} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {A96F2F76-97E7-4382-90FD-3DAE1FAACEA4} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {AAF2930B-AC39-4FBB-BD6E-B17C2CDFE964} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {BE1F5A18-9528-4A11-A088-AF667BF26FD7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {E211E898-BBCC-4A23-9B05-5117C9E45BB3} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {FD1AB3D1-1AA1-405D-A15C-27DEA9EFB536} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
C:\Program Files\KMSpico

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please post the logs and let me know what problem persists with this computer.
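As an added, read-only check that is not part of nasdaq's instructions: this PowerShell script audits the KMSpico persistence points named in the fixlist above (the KMSELDI service, the "AutoPico Daily Restart" scheduled task, the C:\Program Files\KMSpico folder, and ShellIconOverlayIdentifiers entries whose CLSID no longer resolves to a file, which FRST reports as "No File"). It only reports; it removes nothing, so it can be run again after the fix to confirm the remnants are gone.

```powershell
# Added example (not from the thread): audit KMSpico remnants listed in the FRST fixlist.
# Read-only. Run from an elevated PowerShell prompt.
$findings = @()

# 1. The service FRST listed as "R2 Service KMSELDI"
$svc = Get-Service -Name 'KMSELDI' -ErrorAction SilentlyContinue
if ($svc) {
    $path = (Get-CimInstance Win32_Service -Filter "Name='KMSELDI'").PathName
    $findings += "Service KMSELDI present ($($svc.Status)): $path"
}

# 2. The scheduled task that relaunches AutoPico.exe
$task = Get-ScheduledTask -TaskName 'AutoPico Daily Restart' -ErrorAction SilentlyContinue
if ($task) {
    $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join '; '
    $findings += "Scheduled task '$($task.TaskName)' present ($($task.State)): $exe"
}

# 3. The install folder itself
if (Test-Path 'C:\Program Files\KMSpico') {
    $findings += 'Folder C:\Program Files\KMSpico still exists'
}

# 4. Shell icon overlay handlers whose CLSID points at a DLL that is not on disk
#    (the entries FRST prints as "=> -> No File"); orphaned handlers are leftovers.
$overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
Get-ChildItem $overlayKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = (Get-ItemProperty $_.PSPath).'(default)'
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll    = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
    if (-not $dll -or -not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll.Trim('"'))))) {
        $findings += "Orphaned overlay handler '$($_.PSChildName)' -> $clsid (no file)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No KMSpico remnants found.' }
```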

#3 EvaEva
  • Topic Starter
  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 29 January 2017 - 10:48 AM

Thank you very much for your help, Nasdaq. I will try to follow your instructions and post the logs.



#4 EvaEva
  • Topic Starter
  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 31 January 2017 - 05:53 AM

I am not sure where I was supposed to save the fixlist.txt file; if it was the Windows folder, I was not allowed to. I am attaching the requested files plus a GMER scan that I ran on my notebook at the end.

Is it possible that my email address is infected? If so, is it possible to fix it?

If it matters... while browsing the Internet on my PC I can see a message "treater detecting".

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-31 11:46:33
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000026 WDC_WD5000LPCX-24C6HT0 rev.02.01A02 465,76GB
Running: 8h5h2is1.exe; Driver: C:\Users\Eva\AppData\Local\Temp\fxlyrpod.sys
 
 
---- Disk sectors - GMER 2.2 ----
 
Disk    \Device\Harddisk0\DR0                      unknown MBR code
 
---- Threads - GMER 2.2 ----
 
Thread  C:\WINDOWS\system32\csrss.exe [4628:6868]  fffff961e69d4030
 
---- EOF - GMER 2.2 ----
 
 

Attached Files



#5 nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:26 PM

Posted 31 January 2017 - 09:53 AM


Quoted from my suggested fix:

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Since Farbar is located in this folder:
Running from C:\Users\Eva\Downloads

Move the fixlist.txt into that folder.

Run the Fix as suggested.
Post the Fixlog.txt for my review.

Let me know what problem persists.
Will take it from there.

#6 EvaEva
  • Topic Starter
  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 01 February 2017 - 03:46 AM

I hope this is everything you asked me to post; if not, please let me know.

 

I got the message "host detecting" again today after I connected to Mobile Internet on the notebook. I get the same message when I connect to my WIFI internet on the PC. I do not know if this info is important. Once in the past I foolishly clicked on a file attachment from an unknown person on Skype. From time to time in the past, while browsing the Internet or working on the PC, Skype opened without any action from me. I uninstalled Skype.

Attached Files



#7 nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:26 PM

Posted 01 February 2017 - 09:15 AM

Please download the fixlist.txt file attached.

Place the file in this folder: C:\Users\Eva\Downloads

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
---
 

I got the message "host detecting" again today after I connected to Mobile Internet on the notebook. I get the same message when I connect to my WIFI internet on the PC.

A running program or a program you removed is trying to connect as a server.

You have removed Skype but I found this SkypeHost.exe running in the Loaded program section of your log.
It will be removed with the fix I have suggested.

===

If the problem persists please download and run this tool.

--RogueKiller--
  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======


Post both logs for my review.
Let me know what problem persists.

Attached Files



#8 EvaEva
  • Topic Starter
  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 02 February 2017 - 02:57 AM

Thanks a lot for your time and help.

 

"A running program or a program you removed is trying to connect as a server."

I am sorry, I do not understand: when I see the message "host detecting", is it OK or not?

 

It looks like KMSpico was there again after I removed it.

Attached Files



#9 EvaEva
  • Topic Starter
  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 02 February 2017 - 02:58 AM

I forgot to attach the other log.

Attached Files



#10 nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:26 PM

Posted 02 February 2017 - 08:29 AM

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.


#11 EvaEva
  • Topic Starter
  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 03 February 2017 - 02:00 AM

Thank you, I will try to do that, if the hacker allows me to. I have no control over either my notebook or my computer. I could not sign in to this forum earlier today.

I ran a GMER scan on the notebook in the morning and got a warning that GMER had found system modification caused by ROOTKIT activity; I am attaching the log.

I also noticed an icon of an external removable disk "fat32" attached to my PC, although none of my own USB drives were attached to the computer. I wanted to turn off the disk, but I got the message "it is in use", so I turned the PC off.

Attached Files



#12 EvaEva
  • Topic Starter
  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 03 February 2017 - 03:27 AM

Before the MBR scan I got the message "This computer supports virtualization technology, would you like to use it for rootkit detection?"
The first scan of the notebook was interrupted with the message "Your PC ran into a problem and needs to restart".
The second scan was interrupted with the error "IRQL_NOT_LESS_OR_EQUAL".
The third scan finished.

Attached Files



#13 nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:26 PM

Posted 03 February 2017 - 09:05 AM

The second scan was interrupted with the error "IRQL_NOT_LESS_OR_EQUAL".

Let's check this error.

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • List last 10 Event Viewer log
  • Click Go and copy/paste the log (MTB.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


#14 EvaEva
  • Topic Starter
  • Members
  • 27 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 03 February 2017 - 09:58 AM

You meant List last 10 Event Viewer errors?

Attached Files

  • Attached File: MTB.txt (12.21KB)


#15 nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:26 PM

Posted 03 February 2017 - 10:52 AM


Error: (02/03/2017 03:45:13 PM) (Source: DCOM) (User: Lenovo-PC)
Description: "C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe" -ServerName:SkypeHost.ServerServer2App.AppXtjcey7sh4wvcw7hy21b0nmp0bq18dyzd.mcaUnavailableUnavailable


Disable SkypeHost.exe as per the instructions here.
https://community.skype.com/t5/Preview-on-Windows-10/Close-Kill-Turn-Off-SkypeHost-exe/td-p/4298432


Restart the computer normally.

Let me know what problem persists.
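As an added example, not part of nasdaq's instructions: the same DCOM error that MiniToolBox surfaced can be pulled straight from the System event log with PowerShell. The script below lists the last 10 DCOM errors (the "Source: DCOM" entries come from the Microsoft-Windows-DistributedCOM provider) and tags the ones that mention SkypeHost.exe, so it can be re-run after SkypeHost.exe is disabled to confirm the error has stopped.

```powershell
# Added example (not from the thread): list the last 10 DCOM errors from the System log
# and flag those that reference SkypeHost.exe. Read-only; run from an elevated prompt.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'   # shown as "Source: DCOM" in Event Viewer
    Level        = 2                                    # 2 = Error
} -MaxEvents 10 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Tag entries whose description names SkypeHost.exe, as in the log line above
    $tag = if ($e.Message -match 'SkypeHost\.exe') { 'SKYPEHOST' } else { 'DCOM' }
    $firstLine = ($e.Message -split "`r?`n")[0]
    Write-Output ('[{0}] {1:yyyy-MM-dd HH:mm:ss} id={2} {3}' -f $tag, $e.TimeCreated, $e.Id, $firstLine)
}

if (-not $events) { Write-Output 'No DCOM errors found in the System log.' }
```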



