
Possible rootkit please advise


  • This topic is locked
7 replies to this topic

#1 merv123

merv123

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:14 PM

Posted 25 March 2017 - 06:41 AM

I am getting these 2 strange files appearing in my C:\Temp directory. I delete the files and they reappear on reboot. System performance is not affected. Is this a sign of a rootkit ?

 

InitJsonInSvc.dat

InitJsonOutSvc.dat

 

I have run FRST64 and Adwcleaner - the logs are attached.

 

Any help would be appreciated. Thank-you.

Attached Files





#2 merv123

merv123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:14 PM

Posted 25 March 2017 - 07:07 AM

I note another user posted a similar problem.

 

https://www.bleepingcomputer.com/forums/t/642093/rootkit-reported-by-gmer/

 

I have attached my gmer logfile.

Attached Files



#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:14 PM

Posted 26 March 2017 - 07:55 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll => No File
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll => No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} [2011-10-11] [not signed]
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} [2012-05-02] [not signed]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Studio7100\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-15]
CHR Extension: (Chrome Media Router) - C:\Users\Studio7100\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-24]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
S3 DAUpdaterSvc; C:\Program Files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [X]
S2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [X]
S2 SessionLauncher; c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [X] <==== ATTENTION
S3 cpuz130; \??\C:\Users\STUDIO~1\AppData\Local\Temp\cpuz130\cpuz_x64.sys [X] <==== ATTENTION
S2 MBAMChameleon; \SystemRoot\system32\drivers\MBAMChameleon.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Update the ADOBE READER
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
<<<>>>

If still present after the update you can remove the old version via the Control Panel > Programs > Programs and Features.
Adobe Reader X (10.1.9) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.9 - Adobe Systems Incorporated)
===

p.s.

If the problem persists run the ESET scan.

This scan may take an hour or two. Execute it when you know you will not need the computer.

Please scan your computer with ESET Online Scanner.
  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.

Please let me know what problem persists with this computer.

#4 merv123

merv123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:14 PM

Posted 26 March 2017 - 11:46 AM

Thank-you for your reply. I have run the fixlist.txt. Fixlog.txt attached.

 

Updated acrobat reader and uninstalled old acrobat reader.

 

Unfortunately the problem of these 2 files appearing on reboot in C:\Temp persists.

 

I am now running ESET online scanner. Will post result when it finishes.

 

 

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:14 PM

Posted 26 March 2017 - 01:08 PM

Run the ESET Scan as I previously suggested.

Check the files at Virus Total.
https://www.virustotal.com/

Follow the instructions on the page.

I suspect that these temporary files are safe.
They are created by a program you use.
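One way to act on this advice from the command line, as an added example that is not part of the thread and is not code from the FRST or ESET tools: a PowerShell script that fingerprints the two files (size, timestamps, SHA-256), prints the VirusTotal hash-lookup URL for each so the hash can be checked without uploading anything, and then looks for the usual boot-time creators of a recurring temp file, that is services, scheduled tasks and Run keys that execute from a Temp directory or mention the file names. The directory C:\Temp and the two file names come from the thread; the boot-time comparison and the autostart checks are assumptions about what a reader would want to inspect next, not something the thread itself performed.

```powershell
# Added example, not from the thread or from FRST/ESET. Assumptions: the
# directory and file names are the ones the poster reported; the rest is a
# generic triage routine. Run from an elevated PowerShell prompt.
$dir   = 'C:\Temp'
$names = 'InitJsonInSvc.dat', 'InitJsonOutSvc.dat'

# 1. Fingerprint the files. The SHA-256 is looked up on VirusTotal by URL;
#    nothing is uploaded.
foreach ($n in $names) {
    $p = Join-Path $dir $n
    if (-not (Test-Path -LiteralPath $p)) { Write-Output "$n : not present"; continue }
    $f = Get-Item -LiteralPath $p
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    Write-Output ("{0}: {1} bytes, created {2}, modified {3}" -f $n, $f.Length, $f.CreationTime, $f.LastWriteTime)
    Write-Output "  SHA256 $h"
    Write-Output "  https://www.virustotal.com/gui/file/$h"
}

# 2. Compare the creation time with the last boot. A file created within a
#    minute of boot points at a service or autostart entry rather than at a
#    program the user launched by hand.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Write-Output "Last boot: $boot"

# 3. Autostart entries that run from a Temp directory or mention the files:
#    services, scheduled tasks and Run keys.
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern = "\\Temp\\|$pattern"

Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            # TaskPath already ends with a backslash
            Write-Output ("task {0}{1}: {2}" -f $task.TaskPath, $task.TaskName, $cmd)
        }
    }
}

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($prop.Value)" -match $pattern) {
            Write-Output ("run key {0}\{1}: {2}" -f $k, $prop.Name, $prop.Value)
        }
    }
}
```

This is a cheap first pass. If nothing here names the creator, a Sysinternals Process Monitor boot log (Options > Enable Boot Logging, then reboot) records which process writes to C:\Temp during startup and settles the question directly.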

#6 merv123

merv123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:14 PM

Posted 26 March 2017 - 02:28 PM

I ran the ESET online scanner. Results txt file attached. I don't think these 2 exe items are related to the problem but they have been deleted.

 

I mentioned another user also reported a problem where these 2 files InitJsonInSvc.dat and InitJsonOutSvc.dat appeared in the C:\Temp directory.

 

https://www.bleepingcomputer.com/forums/t/642093/rootkit-reported-by-gmer/

 

Are the results listed in the gmer txt false positives?

 

 

Attached Files



#7 merv123

merv123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:14 PM

Posted 26 March 2017 - 04:39 PM

Nasdaq.  

 

My last reboot showed no sign of those 2 files reappearing in the C:\Temp directory.

 

Thank-you so much for helping me. Your assistance is much appreciated. 



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:14 PM

Posted 27 March 2017 - 07:22 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
