
rootkit reported by gmer



#1 anova13

Posted 15 March 2017 - 05:32 AM

Hello,

 

I ran GMER on a routine scan and it reported several hidden svchost instances as rootkits.

Would you be so kind as to check my logs and verify with me whether this is a true positive and, if so, help me clean the system?

Thank you very much in advance.

Attached Files





#2 polskamachina (Malware Response Team)

Posted 19 March 2017 - 12:16 PM

Hi anova13 :)

 

My name is polskamachina and I would like to welcome you back to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.
 
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-7 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, cause unforeseen damage, or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Please give me some time to review your situation and I will get back to you with further instructions.

 

polskamachina



#3 anova13 (Topic Starter)

Posted 21 March 2017 - 02:30 AM

Hi polskamachina, thank you very much for looking into this.



#4 polskamachina (Malware Response Team)

Posted 22 March 2017 - 10:28 AM

HI anova13 :)
 
You said:

I ran GMER on a routine scan and it reported several hidden svchost instances as rootkits.

GMER is an older product and it can produce false positives on Windows 10.
 
Next:
 
Going over your FRST logs, I noticed that you have µTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs as this is by far the most likely reason you were infected!
  • Files that are downloaded from these websites are most likely infected, and even though they may appear to be what you wanted, they may infect your computer at the same time! Do not download files from your P2P client, and if you do, always scan the file with your anti-virus before executing it!
  • Websites that contain links to download are also highly likely to try and infect your computer! Please avoid them as much as possible and if pop-up boxes appear, always try and close them by clicking the cross at the top right of the window or terminating the browser!
  • The best way to eliminate the risk of infection from P2P applications is to avoid these types of websites and not use any P2P applications.
  • It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove these programs, you can find directions here.
If you wish to keep it, please do not use it, and remove all files downloaded from it until your computer is cleaned! 
Next:
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Right-click on AdwCleaner.exe to run the tool and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • A copy of all logfiles are saved to C:\AdwCleaner.
  • -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.

Next:

  • Open Notepad
  • Copy and paste the text below in its entirety into Notepad
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3901921257-939485622-1455548513-1002\...\RunOnce: [Uninstall C:\Users\***\AppData\Local\Microsoft\OneDrive\17.3.6302.0225\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\***\AppData\Local\Microsoft\OneDrive\17.3.6302.0225\amd64"
HKU\S-1-5-21-3901921257-939485622-1455548513-1002\...\MountPoints2: {795d0ef3-08db-11e4-826e-28e34732bce1} - "E:\AutoRun.exe"
Folder: C:\temp
  • Save the file to your \Desktop\System folder as fixlist.txt  Note: FRST64 and fixlist.txt must be in the same folder in order for the fix to work.
  • Run FRST64
  • Click on Fix
  • It should only take a few moments for the fix to complete
  • If you are asked to restart your computer, please do so
  • When the fix has completed, a new file will be created named Fixlog.txt, and it will be saved to your Desktop
  • Please copy and paste that log into your next reply to me

In summary I will need from you:

  • Whether or not you uninstalled µTorrent
  • Fixlog
  • AdwCleaner log
  • How is your computer performing now?

Let me know if you have any questions.
 
polskamachina



#5 anova13 (Topic Starter)

Posted 22 March 2017 - 11:50 AM

Hi again, thanks for your reply.

 

- utorrent uninstalled

 

------------------------------------------------------------------------------------

 

# AdwCleaner v6.044 - Logfile created 22/03/2017 at 18:05:38
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-20.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : **** - ****
# Running from : C:\Users\****\Desktop\System\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious keys found.

***** [ Shortcuts ] *****

No infected shortcut found.

***** [ Scheduled Tasks ] *****

No malicious task found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [995 Bytes] - [22/03/2017 18:05:38]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1067 Bytes] ##########

 
 
-----------------------------------------------------------------------------------------
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by *** (22-03-2017 18:10:10) Run:1
Running from C:\Users\***\Desktop\System
Loaded Profiles: *** (Available Profiles: ***)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3901921257-939485622-1455548513-1002\...\RunOnce: [Uninstall C:\Users\***\AppData\Local\Microsoft\OneDrive\17.3.6302.0225\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\***\AppData\Local\Microsoft\OneDrive\17.3.6302.0225\amd64"
HKU\S-1-5-21-3901921257-939485622-1455548513-1002\...\MountPoints2: {795d0ef3-08db-11e4-826e-28e34732bce1} - "E:\AutoRun.exe"
Folder: C:\temp
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-3901921257-939485622-1455548513-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Uninstall C:\Users\***\AppData\Local\Microsoft\OneDrive\17.3.6302.0225\amd64 => value removed successfully
HKU\S-1-5-21-3901921257-939485622-1455548513-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{795d0ef3-08db-11e4-826e-28e34732bce1} => key removed successfully
HKCR\CLSID\{795d0ef3-08db-11e4-826e-28e34732bce1} => key not found. 
 
========================= Folder: C:\temp ========================
 
2017-03-14 13:33 - 2017-03-16 01:58 - 0000059 _____ () C:\temp\InitJsonInSvc.dat
2017-03-14 13:33 - 2017-03-16 01:58 - 0000100 _____ () C:\temp\InitJsonOutSvc.dat
2015-08-30 11:46 - 2017-02-12 23:24 - 0000000 ____D () C:\temp\NVIDIA
 
====== End of Folder: ======
 
 
 
The system needed a reboot.
 
==== End of Fixlog 18:11:23 ====
 
 
-------------------------
 
 
My computer is performing normally, I never had performance issues, just that indication from Gmer regarding svchost rootkit entries.


#6 anova13 (Topic Starter)

Posted 22 March 2017 - 12:37 PM

1) I understand that GMER is an old product and that I am not supposed to run any tools while getting assistance.

Still, since GMER has been the protagonist of this incident, I launched it briefly (no deep scan) after your proposed fix.

The svchost entries that were marked as rootkit have now disappeared and instead I got:

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-22 19:26:46
Windows 6.2.9200  x64
Running: ikv1xwe0.exe

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\servicing\TrustedInstaller.exe (*** hidden *** )  [AUTO] TrustedInstaller   <-- ROOTKIT !!!

---- EOF - GMER 2.2 ----

 

 

 

I apologize if the above causes confusion, just mentioning it in case it helps.

 

 

2) I understand that you deleted a key that seemed to have something to do with a USB flash drive?

I don't know if this has anything to do with anything, but I own a Sandisk Ultra USB 3.0 64GB flash drive that I use on the affected computer.

At the root of the flash drive there exists a native file named SanDiskSecuredAccessV2_win.exe.

Is there any chance this native file is launched as autorun when I insert the drive and somehow is related to the svchost entries that were marked as Rootkit initially by Gmer? In which case, this was/is clearly a false positive, although still a troubling one.


Edited by anova13, 22 March 2017 - 12:38 PM.


#7 polskamachina (Malware Response Team)

Posted 23 March 2017 - 03:04 PM

Hi anova13 :)
 
You said:

1) I understand that gmer is an old product and that I am not supposed to run any tools while getting assistance.

You are correct on both points. I will say again that the results from GMER are false positives. Therefore, there is no point in running the tool.
 
You said:

I understand that you deleted a key that seemed to have something to do with USB flash drive?

The key that was deleted was responsible for launching the file, autorun.exe, for your E: drive. Usually when a drive is inserted/mounted, you do not want anything launching automatically without your consent. The file, SanDiskSecure[d]AccessV2_win.exe, is safe though I think you added an extra d when typing the file name. If this is not the case, please let me know.

 

Next:

 

Let's do one more scan to make sure your system is clean.
 
ESET Online Scanner:

Note: You will need to disable your currently installed Anti-Virus, how to do so can be read here.

  • Please go here, download the ESET Smart Installer, and save it to your desktop.
  • Double-click on the installer you just downloaded.
  • Place a checkmark next to "YES, I accept the Terms of Use" and click the Start button.
  • Click "Yes" to the UAC (User Account Control) warning, then ESET will download its components, register itself, and start itself.
  • In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
  • Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Now click on Start.
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may sometimes appear to be finished; if there is a progress bar visible, it is still scanning!
  • When the scan completes, click List Found Threats (only if anything is found).
  • Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click Back, then click Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!

 

In summary I will need from you:

  • ESET log if any threats were found.

Let me know if you have any questions.

 

polskamachina
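The fix in post #4 removed two autostart entries by pasting their FRST log lines into fixlist.txt, and post #7 explains why the MountPoints2 entry mattered: it tied E:\AutoRun.exe to a removable volume so that it would launch without the user's consent. The Python below is an added example, not code from the thread, from FRST or from GMER. It triages lines of the shape FRST prints for MountPoints2, Run and RunOnce entries and emits a fixlist for the ones it would remove, which is what the responder did by hand above. The sample lines, SIDs, GUIDs and paths are constructed for illustration, and the remove/review/keep verdicts are this example's own heuristic, not FRST's.

```python
import re

# Constructed sample lines in the shape of FRST's registry/autostart output
# (SIDs, GUIDs and paths are made up; they are not from the thread's logs).
SAMPLE_LINES = [
    r'HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\MountPoints2: {0a1b2c3d-0000-4000-8000-000000000001} - "E:\AutoRun.exe"',
    r'HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\MountPoints2: {0a1b2c3d-0000-4000-8000-000000000002} - "F:\setup.exe"',
    r'HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\RunOnce: [Uninstall OneDrive] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\user\AppData\Local\Microsoft\OneDrive\amd64"',
    r'HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe',
    r'==================== Services (Whitelisted) ====================',
]

# HKU lines carry the user's SID after the hive name; HKLM/HKCU lines do not.
_HIVE = r'(?P<hive>HK[A-Z]+(?:\\S-1-[0-9-]+)?)'
MOUNTPOINT_RE = re.compile(
    _HIVE + r'\\\.\.\.\\MountPoints2: (?P<name>\{[0-9a-fA-F-]+\}) - "(?P<cmd>[^"]+)"$')
RUN_RE = re.compile(
    _HIVE + r'\\\.\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$')


def parse_line(line):
    """Return a dict for a MountPoints2/Run/RunOnce line, or None for anything else."""
    m = MOUNTPOINT_RE.match(line)
    if m:
        return {"kind": "MountPoints2", "hive": m["hive"], "name": m["name"],
                "cmd": m["cmd"], "raw": line}
    m = RUN_RE.match(line)
    if m:
        return {"kind": m["key"], "hive": m["hive"], "name": m["name"],
                "cmd": m["cmd"], "raw": line}
    return None


def exe_path(cmd):
    """First token of a command line: the program that actually gets launched."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(entry):
    """Heuristic verdict (remove / review / keep, reason) for one parsed entry."""
    exe = exe_path(entry["cmd"]).lower()
    if entry["kind"] == "MountPoints2":
        # A program tied to a drive letter here runs when that volume is opened;
        # that is the AutoRun.exe behaviour the fix in the thread removed.
        return "remove", f"volume autorun launches {exe} from {exe[:2].upper()}"
    if exe.endswith(("\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\mshta.exe")):
        return "review", "script/shell interpreter in autostart; confirm the command is expected"
    if exe.startswith("c:\\windows\\"):
        return "keep", "binary lives under C:\\Windows"
    return "review", "non-system executable in autostart"


def report(lines):
    """Triage every parseable line; returns [(kind, name, verdict, reason), ...]."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            verdict, reason = triage(entry)
            out.append((entry["kind"], entry["name"], verdict, reason))
    return out


def build_fixlist(lines):
    """FRST deletes an entry when its log line is pasted into fixlist.txt (the
    Fixlog in post #5 shows exactly that). Emit a fixlist for the 'remove' verdicts."""
    fixlist = ["CreateRestorePoint:", "CloseProcesses:"]
    for line in lines:
        entry = parse_line(line)
        if entry and triage(entry)[0] == "remove":
            fixlist.append(entry["raw"])
    return fixlist


if __name__ == "__main__":
    for row in report(SAMPLE_LINES):
        print("%-12s %-40s %-7s %s" % row)
    print("\n".join(build_fixlist(SAMPLE_LINES)))
```

The interpreter check deliberately puts the OneDrive RunOnce line in "review" rather than "remove": a cmd.exe /c rmdir of a stale OneDrive folder is a normal uninstall leftover, but the same key shape is also how droppers schedule a one-shot payload, so a human should read the command before it goes into the fixlist.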



#8 anova13 (Topic Starter)

Posted 24 March 2017 - 01:35 AM

ESET log:

 

C:\Users\***\AppData\Local\Temp\HYDDEE7.tmp.1490198551\HTA\install.1490198551.zip a variant of Win32/FusionCore.K potentially unwanted application deleted

C:\Users\***\AppData\Local\Temp\HYDDEE7.tmp.1490198551\HTA\3rdparty\FS.dll a variant of Win32/FusionCore.K potentially unwanted application cleaned by deleting



#9 polskamachina (Malware Response Team)

Posted 25 March 2017 - 11:09 AM

Hi anova13,
 
Good job with the ESET scan. :thumbup2:
 
Next:
 
Important Note: Your version of Adobe Flash is out of date.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to update Adobe Flash:

  • Please download the latest version of Adobe Flash from http://get.adobe.com/flashplayer to your Desktop
  • Double click the file to start the installation process

Next:

  • Please download screen317's Security Check to your desktop
  • Double-click it to run the program
  • When the scan has completed, it will create a log named, checkup.txt
  • Please copy and paste that log into your next reply to me (Note: The log isn't saved anywhere so don't close the Notepad window until you've pasted it into your reply)

In summary I will need from you:

  • checkup.txt

Let me know if you have any questions.
 
polskamachina



#10 anova13 (Topic Starter)

Posted 25 March 2017 - 01:17 PM

I updated Flash to version 25.0.0.127.

**Note: I had to perform the update twice (rebooted in between) before I could get confirmation from the Adobe site that the new Flash version was the one present on my system. After the first update attempt and reboot, both Chrome and Firefox (and screen317's Security Check) still reported the old version.

 

-----------------

 

 Results of screen317's Security Check version 1.014 --- 12/23/15
   x64 (UAC is enabled)
 Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
Avast Antivirus
Windows Defender
 Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 121
 Java version 32-bit out of Date!
 Adobe Flash Player 25.0.0.127
 Mozilla Firefox (52.0)
 Google Chrome (56.0.2924.87)
 Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````
 Oracle Java javapath AvastSvc.exe -?-
 AVAST Software SecureLine VpnSvc.exe
 AVAST Software SecureLine SecureLine.exe
 AVAST Software Avast AvastUI.exe
 AVAST Software SZBrowser 3.55.2393.590_0 SZBrowser.exe
 AVAST Software SZBrowser 3.55.2393.590_0 SZBrowser_crashreporter.exe
 AVAST Software SZBrowser 3.55.2393.590_0 SZBrowser.exe
 AVAST Software Avast AvastNM.exe
 AVAST Software SZBrowser 3.55.2393.590_0 SZBrowser.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````

 

 

**Note: Actually, I am supposedly using the Avast firewall and not the Windows firewall. Within the Avast UI, the vendor's firewall appears to be on. Also, in the Windows 'Security and Maintenance' panel, under 'Network Firewall' status [ON], it says "Avast antivirus (sic) is currently turned on".


Edited by anova13, 25 March 2017 - 01:28 PM.


#11 polskamachina (Malware Response Team)

Posted 27 March 2017 - 11:37 AM

Hi anova13 :)

You said:

I updated Flash to version 25.0.0.127.
**Note: I had to perform the update twice (rebooted in between) before I could get confirmation from the Adobe site that the new Flash version was the one present on my system. After the first update attempt and reboot, both Chrome and Firefox (and screen317's Security Check) still reported the old version.

I'd say if it took you two times, perhaps there was some glitch the first time. I wouldn't be concerned about it.

**Note: Actually, I am supposedly using the Avast firewall and not the Windows firewall. Within the Avast UI, the vendor's firewall appears to be on. Also, in the Windows 'Security and Maintenance' panel, under 'Network Firewall' status [ON], it says "Avast antivirus (sic) is currently turned on".

I think the implication is that you have both Windows firewall turned on and Avast firewall. These two firewalls are compatible with each other.

 

Your machine appears to be clean now!

Please continue with the following steps which will remove all the diagnostic tools you used to scan and clean your system.

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

Below are some security tips to read. Following these guidelines will help you avoid another visit to the Malware Removal Forum. :woot:

Be safe. :hello:

polskamachina



#12 anova13 (Topic Starter)

Posted 27 March 2017 - 02:18 PM

Ok, thank you polskamachina, for your time and your help. Very much appreciated.

 

take care.



#13 Oh My! (Malware Response Instructor, California)

Posted 29 March 2017 - 08:06 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.
