
Can't identify or get rid of this rootkit/ransomware


  • This topic is locked
12 replies to this topic

#1 GarethCrawford

GarethCrawford

  • Members
  • 6 posts
  • Gender:Male
  • Local time:02:25 AM

Posted 11 April 2017 - 02:51 PM

Hi there, 


I have posted on countless other forums and learned a lot, but have never found a solution to this. Every time I do a fresh install this issue pops up right early on in the process. I thought it was maybe coming from cloud storage, but it has just been a huge detriment to my workflows; I hope to get rid of it for good.

There are definite signs of rootkits, but there is always "access denied" when I try to fully clean it. Whatever the problem is, it starts right in the System32, hijacks processes and starts to encrypt my files and registry. There are suspicious user names and system permissions. The "NT USER" seems to be a common theme, but I really don't know. I have tried many types of rootkit removers and ransomware scanners, but I have never found where it starts.

This is on a fresh system reset and here's the FRST log. I REALLY appreciate any help.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Bean (administrator) on DESKTOP-IMBBJLH (11-04-2017 12:14:02)
Running from C:\Users\Bean\Downloads
Loaded Profiles: Bean (Available Profiles: Bean)
Platform: Windows 10 Home Version 1703 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SecurityHealthService.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
==================== Registry (Whitelisted) ====================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629288 2017-03-11] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8822016 2016-06-02] (Realtek Semiconductor)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 64.59.160.13 64.59.161.68
Tcpip\..\Interfaces\{623f33ed-f2a7-43b0-a45e-37e1d5080f5a}: [DhcpNameServer] 64.59.160.13 64.59.161.68
Internet Explorer:
==================
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 DevicesFlowUserSvc; C:\Windows\System32\DevicesFlowBroker.dll [689152 2017-03-11] (Microsoft Corporation)
S3 DevicesFlowUserSvc_d21b2; C:\Windows\system32\svchost.exe [47816 2017-03-11] (Microsoft Corporation)
S3 DevicesFlowUserSvc_d21b2; C:\Windows\SysWOW64\svchost.exe [41056 2017-03-11] (Microsoft Corporation)
R2 DusmSvc; C:\Windows\System32\dusmsvc.dll [302592 2017-03-11] (Microsoft Corporation)
S3 IpxlatCfgSvc; C:\Windows\System32\IpxlatCfg.dll [64000 2017-03-11] (Microsoft Corporation)
S3 NaturalAuthentication; C:\Windows\System32\NaturalAuth.dll [723456 2017-03-11] (Microsoft Corporation)
R2 SecurityHealthService; C:\Windows\system32\SecurityHealthService.exe [335960 2017-03-11] (Microsoft Corporation)
S3 SEMgrSvc; C:\Windows\system32\SEMgrSvc.dll [1191424 2017-03-11] (Microsoft Corporation)
S3 spectrum; C:\Windows\system32\spectrum.exe [891904 2017-03-11] (Microsoft Corporation)
R3 TokenBroker; C:\Windows\System32\TokenBroker.dll [1054720 2017-03-11] (Microsoft Corporation)
R3 TokenBroker; C:\Windows\SysWOW64\TokenBroker.dll [799232 2017-03-11] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [332816 2017-03-11] (Microsoft Corporation)
S3 WFDSConMgrSvc; C:\Windows\System32\wfdsconmgrsvc.dll [555008 2017-03-11] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [94728 2017-03-11] (Microsoft Corporation)
S3 wlpasvc; C:\Windows\System32\lpasvc.dll [1295360 2017-03-11] (Microsoft Corporation)
S3 xbgm; C:\Windows\System32\xbgmsvc.dll [301368 2017-03-11] (Microsoft Corporation)
S3 XboxGipSvc; C:\Windows\System32\XboxGipSvc.dll [18944 2017-03-11] (Microsoft Corporation)
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\Microsoft.Bluetooth.Legacy.LEEnumerator.sys [96768 2017-03-11] (Microsoft Corporation)
S3 CAD; C:\Windows\System32\drivers\CAD.sys [53792 2017-03-11] (Microsoft Corporation)
S2 CldFlt; C:\Windows\System32\drivers\cldflt.sys [12288 2017-03-11] (Microsoft Corporation)
S3 iaLPSS2i_GPIO2_BXT_P; C:\Windows\System32\drivers\iaLPSS2i_GPIO2_BXT_P.sys [85504 2017-03-11] (Intel Corporation)
S3 iaLPSS2i_I2C_BXT_P; C:\Windows\System32\drivers\iaLPSS2i_I2C_BXT_P.sys [168448 2017-03-11] (Intel Corporation)
S3 mausbhost; C:\Windows\System32\drivers\mausbhost.sys [405544 2017-03-11] (Microsoft Corporation)
S3 mausbip; C:\Windows\System32\drivers\mausbip.sys [51240 2017-03-11] (Microsoft Corporation)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [122368 2017-03-11] (Microsoft Corporation)
S3 nvdimmn; C:\Windows\System32\drivers\nvdimmn.sys [80896 2017-03-11] (Microsoft Corporation)
S3 pmem; C:\Windows\System32\drivers\pmem.sys [101376 2017-03-11] (Microsoft Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [604160 2017-03-11] (Realtek                                            )
R3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [607488 2016-02-25] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\Windows\System32\drivers\rtwlane.sys [6320640 2017-03-11] (Realtek Semiconductor Corporation                           )
S3 SDFRd; C:\Windows\System32\drivers\SDFRd.sys [31272 2017-03-11] ()
S3 SpatialGraphFilter; C:\Windows\System32\drivers\SpatialGraphFilter.sys [40488 2017-03-11] (Microsoft Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [45144 2017-03-11] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [294944 2017-03-11] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [121384 2017-03-11] (Microsoft Corporation)
S3 WinNat; C:\Windows\System32\drivers\winnat.sys [217088 2017-03-11] (Microsoft Corporation)
S3 nvlddmkm; \SystemRoot\System32\DriverStore\FileRepository\nvak.inf_amd64_791beb67a268df58\nvlddmkm.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
NETSVC: NaturalAuthentication -> C:\Windows\System32\NaturalAuth.dll (Microsoft Corporation)
NETSVC: xbgm -> C:\Windows\System32\xbgmsvc.dll (Microsoft Corporation)
NETSVC: TokenBroker -> C:\Windows\System32\TokenBroker.dll (Microsoft Corporation)
NETSVC: XboxGipSvc -> C:\Windows\System32\XboxGipSvc.dll (Microsoft Corporation)
NETSVCx32: TokenBroker -> C:\Windows\SysWOW64\TokenBroker.dll (Microsoft Corporation)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-04-11 12:14 - 2017-04-11 12:14 - 00009083 _____ C:\Users\Bean\Downloads\FRST.txt
2017-04-11 12:13 - 2017-04-11 12:14 - 00000000 ____D C:\FRST
2017-04-11 12:12 - 2017-04-11 12:12 - 02424832 _____ (Farbar) C:\Users\Bean\Downloads\FRST64.exe
2017-04-11 12:08 - 2017-04-11 12:08 - 00228140 _____ C:\Users\Bean\Downloads\WMIExplorer_2.0.0.0.zip
2017-04-11 12:07 - 2017-04-11 12:07 - 00003574 _____ C:\Users\Bean\Desktop\Rkill.txt
2017-04-11 12:03 - 2017-04-11 12:03 - 00000000 ____D C:\Windows\LastGood
2017-04-11 12:01 - 2017-04-11 12:01 - 00000000 ___HD C:\$WINDOWS.~BT
2017-04-11 11:52 - 2017-04-11 12:04 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2017-04-11 11:52 - 2017-04-11 11:52 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2017-04-11 11:52 - 2017-04-11 11:52 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2017-04-11 11:52 - 2016-11-11 06:54 - 00224304 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2017-04-11 11:52 - 2016-11-11 06:54 - 00212024 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2017-04-11 11:45 - 2017-04-11 11:45 - 00000000 ____H C:\ProgramData\DP45977C.lfl
2017-04-11 11:45 - 2017-04-11 11:45 - 00000000 ____D C:\Windows\SysWOW64\RTCOM
2017-04-11 11:45 - 2017-04-11 11:45 - 00000000 ____D C:\Windows\system32\DAX2
2017-04-11 11:45 - 2017-04-11 11:45 - 00000000 ____D C:\Program Files\Realtek
2017-04-11 11:41 - 2017-04-11 12:03 - 00000000 ____D C:\Users\Bean\AppData\Local\MicrosoftEdge
2017-04-11 03:57 - 2017-04-11 12:01 - 00000000 ____D C:\Windows\Panther
2017-04-11 03:28 - 2017-04-11 03:28 - 00000000 ____D C:\Users\Bean\AppData\Local\Comms
2017-04-11 03:13 - 2017-04-11 03:13 - 00003288 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task v2
2017-04-11 03:13 - 2017-04-11 03:13 - 00002364 _____ C:\Users\Bean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-04-11 03:13 - 2017-04-11 03:13 - 00000000 ___RD C:\Users\Bean\OneDrive
2017-04-11 03:13 - 2017-04-11 03:13 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2017-04-11 03:12 - 2017-04-11 12:04 - 00000000 ____D C:\Users\Bean\AppData\Local\Packages
2017-04-11 03:12 - 2017-04-11 03:12 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-04-11 03:12 - 2017-04-11 03:12 - 00000000 ____D C:\Users\Bean\AppData\Roaming\Adobe
2017-04-11 03:12 - 2017-04-11 03:12 - 00000000 ____D C:\Users\Bean\AppData\Local\VirtualStore
2017-04-11 03:12 - 2017-04-11 03:12 - 00000000 ____D C:\Users\Bean\AppData\Local\TileDataLayer
2017-04-11 03:12 - 2017-04-11 03:12 - 00000000 ____D C:\Users\Bean\AppData\Local\Publishers
2017-04-11 03:12 - 2017-04-11 03:12 - 00000000 ____D C:\Users\Bean\AppData\Local\ConnectedDevicesPlatform
2017-04-11 03:12 - 2017-04-11 03:12 - 00000000 ____D C:\ProgramData\USOShared
2017-04-11 03:11 - 2017-04-11 03:13 - 00000000 ____D C:\Users\Bean
2017-04-11 03:11 - 2017-04-11 03:11 - 00000020 ___SH C:\Users\Bean\ntuser.ini
2017-04-11 03:11 - 2017-04-11 03:11 - 00000000 _SHDL C:\Users\Bean\My Documents
2017-04-11 03:11 - 2017-04-11 03:11 - 00000000 _SHDL C:\Users\Bean\Documents\My Videos
2017-04-11 03:11 - 2017-04-11 03:11 - 00000000 _SHDL C:\Users\Bean\Documents\My Pictures
2017-04-11 03:11 - 2017-04-11 03:11 - 00000000 _SHDL C:\Users\Bean\Documents\My Music
2017-04-11 03:06 - 2017-04-11 12:08 - 00897976 _____ C:\Windows\system32\PerfStringBackup.INI
2017-04-11 03:04 - 2017-03-11 14:05 - 02233344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Users\Public\Documents\My Videos
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Users\Public\Documents\My Pictures
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Users\Public\Documents\My Music
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Users\Default\My Documents
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Users\Default\Documents\My Videos
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Users\Default\Documents\My Pictures
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Users\Default\Documents\My Music
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Users\Default User\Documents\My Videos
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Users\Default User\Documents\My Pictures
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Users\Default User\Documents\My Music
2017-04-11 03:02 - 2017-04-11 03:02 - 00000000 _SHDL C:\Documents and Settings
2017-04-11 02:59 - 2017-04-11 02:59 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2017-04-11 02:58 - 2017-04-11 11:20 - 00000000 ____D C:\Windows\system32\SleepStudy
2017-04-11 02:58 - 2017-04-11 03:02 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-04-11 02:58 - 2017-04-11 02:58 - 00217000 _____ C:\Windows\system32\FNTCACHE.DAT
2017-04-11 02:58 - 2017-04-11 02:58 - 00000000 ____D C:\Windows\ServiceProfiles
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-04-11 12:13 - 2017-03-11 14:12 - 00000000 ___HD C:\Program Files\WindowsApps
2017-04-11 12:13 - 2017-03-11 14:12 - 00000000 ____D C:\Windows\AppReadiness
2017-04-11 12:06 - 2017-03-11 14:09 - 00000000 ____D C:\Windows\INF
2017-04-11 03:57 - 2017-03-11 14:12 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2017-04-11 03:12 - 2017-03-11 14:12 - 00000000 ____D C:\ProgramData\USOPrivate
2017-04-11 03:11 - 2017-03-11 14:12 - 00000000 ____D C:\Windows\system32\WinBioDatabase
2017-04-11 03:04 - 2017-03-11 14:12 - 00000000 ____D C:\Windows\system32\spool
2017-04-11 03:04 - 2017-03-11 14:12 - 00000000 ____D C:\Windows\system32\FxsTmp
2017-04-11 03:04 - 2017-03-11 14:12 - 00000000 ____D C:\Windows\rescache
2017-04-11 03:03 - 2017-03-11 14:12 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-04-11 03:01 - 2017-03-11 01:30 - 00524288 _____ C:\Windows\system32\config\BBI
2017-04-11 02:59 - 2017-03-11 18:58 - 00000000 ____D C:\Windows\HoloShell
2017-04-11 02:59 - 2017-03-11 14:12 - 00000000 ___RD C:\Windows\PrintDialog
2017-04-11 02:59 - 2017-03-11 14:12 - 00000000 ___RD C:\Windows\MiracastView
2017-04-11 02:59 - 2017-03-11 14:12 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2017-04-11 02:59 - 2017-03-11 01:30 - 00032768 _____ C:\Windows\system32\config\ELAM
==================== Files in the root of some directories =======
2017-04-11 11:45 - 2017-04-11 11:45 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
==================== BCD ================================
Firmware Boot Manager
---------------------
identifier              {fwbootmgr}
displayorder            {bootmgr}
                        {365254b8-1ea5-11e7-a198-fd5d22cd6944}
                        {365254b6-1ea5-11e7-a198-fd5d22cd6944}
                        {365254b7-1ea5-11e7-a198-fd5d22cd6944}
                        {365254b9-1ea5-11e7-a198-fd5d22cd6944}
                        {365254be-1ea5-11e7-a198-fd5d22cd6944}
                        {365254bf-1ea5-11e7-a198-fd5d22cd6944}
                        {365254c0-1ea5-11e7-a198-fd5d22cd6944}
timeout                 1
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume2
path                    \EFI\MICROSOFT\BOOT\BOOTMGFW.EFI
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
flightsigning           Yes
default                 {current}
resumeobject            {365254ba-1ea5-11e7-a198-fd5d22cd6944}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
Firmware Application (101fffff)
-------------------------------
identifier              {365254b6-1ea5-11e7-a198-fd5d22cd6944}
description             Hard Drive
Firmware Application (101fffff)
-------------------------------
identifier              {365254b7-1ea5-11e7-a198-fd5d22cd6944}
description             CD/DVD Drive
Firmware Application (101fffff)
-------------------------------
identifier              {365254b8-1ea5-11e7-a198-fd5d22cd6944}
device                  unknown
description             UEFI: KingstonDataTraveler 3.0PMAP
Firmware Application (101fffff)
-------------------------------
identifier              {365254b9-1ea5-11e7-a198-fd5d22cd6944}
description             USB
Firmware Application (101fffff)
-------------------------------
identifier              {365254be-1ea5-11e7-a198-fd5d22cd6944}
description             UEFI:CD/DVD Drive
Firmware Application (101fffff)
-------------------------------
identifier              {365254bf-1ea5-11e7-a198-fd5d22cd6944}
description             UEFI:Removable Device
Firmware Application (101fffff)
-------------------------------
identifier              {365254c0-1ea5-11e7-a198-fd5d22cd6944}
description             UEFI:Network Device
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {365254bc-1ea5-11e7-a198-fd5d22cd6944}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
flightsigning           Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {365254ba-1ea5-11e7-a198-fd5d22cd6944}
nx                      OptIn
bootmenupolicy          Standard
Windows Boot Loader
-------------------
identifier              {365254bc-1ea5-11e7-a198-fd5d22cd6944}
device                  ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{365254bd-1ea5-11e7-a198-fd5d22cd6944}
path                    \windows\system32\winload.efi
description             Windows Recovery Environment
locale                  en-us
inherit                 {bootloadersettings}
displaymessage          Recovery
osdevice                ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{365254bd-1ea5-11e7-a198-fd5d22cd6944}
systemroot              \windows
nx                      OptIn
bootmenupolicy          Standard
winpe                   Yes
Resume from Hibernate
---------------------
identifier              {365254ba-1ea5-11e7-a198-fd5d22cd6944}
device                  partition=C:
path                    \Windows\system32\winresume.efi
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
recoverysequence        {365254bc-1ea5-11e7-a198-fd5d22cd6944}
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
filedevice              partition=C:
filepath                \hiberfil.sys
bootmenupolicy          Standard
debugoptionenabled      No
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume2
path                    \EFI\Microsoft\Boot\memtest.efi
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
EMS Settings
------------
identifier              {emssettings}
bootems                 No
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Local
RAM Defects
-----------
identifier              {badmemory}
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
Device options
--------------
identifier              {365254bd-1ea5-11e7-a198-fd5d22cd6944}
description             Windows Recovery
ramdisksdidevice        partition=\Device\HarddiskVolume1
ramdisksdipath          \Recovery\WindowsRE\boot.sdi

LastRegBack: 2017-04-11 02:58
==================== End of FRST.txt ============================


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,545 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:25 AM

Posted 11 April 2017 - 07:47 PM

Let's try this application.

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 GarethCrawford

GarethCrawford
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Local time:02:25 AM

Posted 11 April 2017 - 09:18 PM

I am familiar with MBAR; before I did this reset there were 6 issues that surfaced, but nothing seems to be wrong this time around, although there are still suspicious registry entries and other activity. Here are the logs.

Malwarebytes Anti-Rootkit BETA 1.9.4.1001
www.malwarebytes.org
Database version:
  main:    v2017.04.11.09
  rootkit: v2017.04.02.01
Windows 10 x64 NTFS
Internet Explorer 11.0.15058.0
Bean :: DESKTOP-IMBBJLH [administrator]
2017-04-11 6:16:04 PM
mbar-log-2017-04-11 (18-16-04).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 243919
Time elapsed: 4 minute(s), 38 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)

System log

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.4.1001
© Malwarebytes Corporation 2011-2012
OS version: 10.0.9200 Windows 10 x64
Account is Administrative
Internet Explorer version: 11.0.15058.0
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.408000 GHz
Memory total: 17099984896, free: 14033133568
Downloaded database version: v2017.04.11.09
=======================================
Initializing...
Driver version: 0.3.0.4
------------ Kernel report ------------
     04/11/2017 18:15:59
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\SleepStudyHelper.sys
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\tpm.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\system32\drivers\WdFilter.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\vmbkmclr.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_aa7c78f8c36e4182\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\rtwlane.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\rt640x64.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\wmiacpi.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\acpipagr.sys
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\system32\DRIVERS\HdAudio.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\system32\DRIVERS\udfs.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\wcifs.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\System32\drivers\registry.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\System32\drivers\rassstp.sys
\SystemRoot\System32\DRIVERS\NDProxy.sys
\SystemRoot\System32\drivers\AgileVpn.sys
\SystemRoot\System32\drivers\rasl2tp.sys
\SystemRoot\System32\drivers\raspptp.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\drivers\ndiswan.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\Drivers\WdNisDrv.sys
\SystemRoot\System32\drivers\tunnel.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\drivers\TeeDriverW8x64.sys
\SystemRoot\system32\DRIVERS\RtkBtfilter.sys
\SystemRoot\system32\DRIVERS\BTHUSB.sys
\SystemRoot\system32\DRIVERS\bthport.sys
\SystemRoot\system32\DRIVERS\Microsoft.Bluetooth.Legacy.LEEnumerator.sys
\SystemRoot\System32\drivers\rfcomm.sys
\SystemRoot\System32\drivers\BthEnum.sys
\SystemRoot\System32\drivers\bthpan.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\system32\drivers\wimmount.sys
\SystemRoot\system32\DRIVERS\vsdatant.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
----------- End -----------
Done!
Scan started
Database versions:
  main:    v2017.04.11.09
  rootkit: v2017.04.02.01
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffff89829fb8c060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff89829fa609f0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff89829fb8c060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffff89829f9397a0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffff89829f939e40, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffff89829f93f060, DeviceName: \Device\00000037\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: AFE1F10E
GPT Protective MBR Partition information:
    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
GPT Partition information:
    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 1002590352
    GPT Header CurrentLba = 1 BackupLba 3907029167
    GPT Header FirstUsableLba 34  LastUsableLba 3907029134
    GPT Header Guid 89789d0e-3d3c-4e10-ab7-a6f26e4a15ca
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128
    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 1002590352
    Backup GPT header CurrentLba = 3907029167 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 3907029134
    Backup GPT header Guid 89789d0e-3d3c-4e10-ab7-a6f26e4a15ca
    Backup GPT header Contains 128 partition entries starting at LBA 3907029135
    Backup GPT header Partition entry size = 128
    Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 496e1ca6-20a5-477f-a111-81bb774fb75d
    FirstLBA 2048  Last LBA 923647
    Attributes 1
    Partition Name                 Basic data partition
    Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID 445bb640-24de-4c97-b9af-81f14e3684d
    FirstLBA 923648  Last LBA 1128447
    Attributes 0
    Partition Name                 EFI system partition
    GPT Partition 1 is bootable
    Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID 835fb3bd-21f8-4b5e-a886-4ace239774f
    FirstLBA 1128448  Last LBA 1161215
    Attributes 0
    Partition Name         Microsoft reserved partition
    Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID baa01aa8-a27d-41fa-ad95-1c54a253b31a
    FirstLBA 1161216  Last LBA 220628991
    Attributes 0
    Partition Name                 Basic data partition
Disk Size: 2000398934016 bytes
Sector size: 512 bytes
Done!
File "C:\Users\Bean\AppData\Local\Comms\UnistoreDB\store.vol" is sparse (flags = 32768)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-F58866E39CA2A97510C0D3670861335636BAD18A.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-F58866E39CA2A97510C0D3670861335636BAD18A.bin.7C" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-F58866E39CA2A97510C0D3670861335636BAD18A.bin.83" is compressed (flags = 1)
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished


#4 JSntgRvr

    Master Surgeon General


  • Malware Response Team

Posted 12 April 2017 - 06:32 AM

What makes you believe you have a rootkit or ransomware?


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 GarethCrawford

  • Topic Starter


Posted 13 April 2017 - 02:03 AM

First off, THANK YOU for being respectful and not treating me like I am crazy; a lot of other forums have been extremely rude about this. Since I made these posts I have had to do a fresh reinstall on my system AGAIN. Now, how I think I have a rootkit.....

 

I use the Sysinternals suite and I have got fairly good at SPOTTING the behaviour, such as hijacked .exes that aren't signed, suspicious .dlls and rapidly growing folders that show up and serve no purpose. There are lots of processes existing in memory that, when I spot them in Autoruns and try to delete them, it always says that the process can't be found. There always seems to be a lot of suspicious network activity, and there is a plethora of system users that don't make any sense, like 50 or so sometimes.

 

As for the ransomware, it usually kicks in once these users start to build up. It starts in the system files and various processes start failing, and the computer stops being able to read the registry and it becomes impossible for me to boot. As I mentioned earlier I am pretty sure that it made it onto my cloud storage, and might possibly be in hidden partitions on my hard drive. I am also suspicious of the Windows Store apps because the problem always seems to occur when I start to link Windows to my Microsoft account. Whenever I try to make a fresh Windows install disk, the malware actually infects the ISO while it is burning onto the USB or disc. The only way around this that I have found is by using Sandboxie and a mobile emulator on Chrome, so that I run Chrome sandboxed with the emulator extension and it lets me download the ISO. Even when I reinstall with that ISO, the problem comes back very quickly. The easy way I have learned to diagnose the presence of it is when I run Rkill and various services and associations are tampered with. On my fresh install Rkill never reports anything, but once this malware gets in, then it looks like this log.... (keep in mind this is from my laptop, but the log is nearly identical to what it looked like on my desktop computer)

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 04/08/2017 01:55:36 PM in x64 mode.
Windows Version: Windows 10 Home 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
 * Windows Firewall Disabled
 
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
 
Checking Windows Service Integrity: 
 
 * agp440 [Missing Service]
 * DcpSvc [Missing Service]
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * RetailDemo => %SystemRoot%\System32\svchost.exe -k rdxgroup [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 04/08/2017 01:56:28 PM

Execution time: 0 hours(s), 0 minute(s), and 51 seconds(s) 

 

 

The source seems to be a rootkit, and that rootkit seems to be so elusive that it either disappears when I try to remove it, or it just recognizes any scanners and forces them to produce false results. Early on with a fresh install I will notice that my antivirus gets turned off, and certain areas of the registry become off-limits to me (access denied).

 

I've learned how to use the command line through all of this, but this malware runs PowerShell scripts quicker than I can keep up, so I have just given up trying to fight it and I just run a reinstall or use timefreeze to go back to the last reboot.

 

I really can't keep going on like this though. I can't trust my data to be safe, so my data is nomadic on cloud storage, and software has to constantly be reinstalled. It has killed my productivity and led to a huge loss of income. I am reinstalling on the desktop right now with my new ISO, but if things start showing up again I am just going to buy a new internal hard drive. This laptop also has it, but it seems to have progressed at a slower rate because I have not bothered to try and remove whatever it is that I have. Soon enough though this laptop will also crap out and we will have to start all over again.

 

No one has been able to solve this problem yet and they always just resort to calling me crazy. I have spent so much time researching this but it is so elusive I can't put a finger on where it's coming from exactly.



#6 JSntgRvr

    Master Surgeon General


  • Malware Response Team

Posted 13 April 2017 - 09:22 AM

Let's work on one computer at a time.

 

On the previous computer run the following command:

 

SFC /ScanNow

 

In addition, take ownership of the drive.

 

Try going to Start/Search and type diskmgmt.msc. Right-click the diskmgmt icon in the search results and choose Run As Administrator. In Disk Management, right-click the partition and choose Properties/Security/Advanced/Owner and add your user account as the Owner of the drive.

 

Once finished, please run and post the Rkill log for review. Then later we can start checking on this one.


Edited by JSntgRvr, 13 April 2017 - 09:36 AM.



#7 GarethCrawford

  • Topic Starter


Posted 13 April 2017 - 11:36 PM

I took ownership of the drive but I did not change the permissions or inheritance because I was unsure of what you wanted. Keep in mind this is a fresh install and I did just purchase Kaspersky Internet Security. Do you need another Farbar scan? Below is the Rkill log.

 

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 04/13/2017 09:31:40 PM in x64 mode.
Windows Version: Windows 10 Home
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 * Windows Firewall Disabled
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
 * agp440 [Missing Service]
 * DcpSvc [Missing Service]
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * RetailDemo => %SystemRoot%\System32\svchost.exe -k rdxgroup [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
Searching for Missing Digital Signatures:
 * No issues found.
Checking HOSTS File:
 * No issues found.
Program finished at: 04/13/2017 09:32:09 PM
Execution time: 0 hours(s), 0 minute(s), and 28 seconds(s)

 

 

 

Looks like the same process as the other computer.



#8 JSntgRvr

    Master Surgeon General


  • Malware Response Team

Posted 14 April 2017 - 08:24 AM

I am consulting with the developer of Rkill about this issue. I have seen many of these cases online. Stand by until I receive a response.


Edited by JSntgRvr, 14 April 2017 - 08:25 AM.



#9 JSntgRvr

    Master Surgeon General


  • Malware Response Team

Posted 14 April 2017 - 01:53 PM

The Rkill log is clear. Just a bug in the tool that will be dealt with soon.

 

As far as I am concerned, your computer is free of malware.


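To check the three Rkill findings in the logs above from sources other than Rkill itself, here is an added PowerShell example (not from the thread, and not part of Rkill or FRST). It assumes Windows 10 with PowerShell 5.1 run from an elevated prompt and the built-in Defender and NetSecurity modules; the registry paths and service names are the ones the Rkill logs printed. It reads those values unexpanded so they can be compared with the log line by line, puts them next to the live Defender and firewall state, and checks the Authenticode signature of each DLL the named services actually load.

```powershell
# Added example, not from the thread. Assumes Windows 10, PowerShell 5.1 run as
# administrator, and the built-in Defender and NetSecurity modules.
# Re-checks the three Rkill findings ("Windows Defender Disabled", "Windows
# Firewall Disabled", "Incorrect ImagePath/ServiceDLL") from other sources.

$report = [ordered]@{}

# Read a registry value WITHOUT expanding %SystemRoot%, so it matches the raw
# strings Rkill printed (Get-ItemProperty would expand REG_EXPAND_SZ values).
function Get-RawRegValue([string]$KeyPath, [string]$Name) {
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    $key.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

# 1. "Windows Defender Disabled": the value Rkill reported vs. what Defender itself says.
$v = Get-RawRegValue 'HKLM:\SOFTWARE\Microsoft\Windows Defender' 'DisableAntiSpyware'
$report['DisableAntiSpyware (registry)'] = if ($null -eq $v) { 'not set' } else { $v }
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report['Defender AntispywareEnabled (live)']        = $mp.AntispywareEnabled
    $report['Defender RealTimeProtectionEnabled (live)'] = $mp.RealTimeProtectionEnabled
} catch {
    $report['Defender status (live)'] = "unavailable: $($_.Exception.Message)"
}

# 2. "Windows Firewall Disabled": the legacy StandardProfile value vs. the per-profile state.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$v = Get-RawRegValue $fwKey 'EnableFirewall'
$report['EnableFirewall (StandardProfile registry)'] = if ($null -eq $v) { 'not set' } else { $v }
foreach ($p in Get-NetFirewallProfile) {
    $report["Firewall $($p.Name) profile Enabled (live)"] = $p.Enabled
}

# 3. "Incorrect ImagePath" / "Incorrect ServiceDLL": show what is really configured for
#    the five services Rkill named, and whether the DLL each one loads is validly signed.
foreach ($svc in 'AJRouter', 'RetailDemo', 'WpnService', 'vmicrdv', 'vmicvss') {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $report["$svc ImagePath"]  = Get-RawRegValue $base 'ImagePath'
    $dll = Get-RawRegValue "$base\Parameters" 'ServiceDll'
    $report["$svc ServiceDll"] = $dll
    if ($dll) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $report["$svc ServiceDll signature"] = "$($sig.Status) - $($sig.SignerCertificate.Subject)"
    }
}

$report.GetEnumerator() | Format-Table Name, Value -AutoSize -Wrap
```

A "Valid" signature from a Microsoft certificate on every ServiceDll, together with Defender and all firewall profiles reporting enabled, is what you would expect to see if the Rkill lines are a tool bug rather than tampering; a mismatch between the registry value and the live state is the thing worth posting for review.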


#10 GarethCrawford

  • Topic Starter


Posted 15 April 2017 - 12:27 AM

Ah, see, that's the problem. It really isn't. Everyone keeps thinking I'm crazy, but the computer becomes useless after a few days. It uses the NT Service and PowerShell scripts that almost completely exist in memory, so it's almost impossible to catch. If you were on my Autoruns you would see. And it seems to have infiltrated my Windows Store apps, because there are a bunch of folders that are not applicable to any apps I own where the app downloads are all stored.



#11 JSntgRvr

    Master Surgeon General


  • Malware Response Team

Posted 15 April 2017 - 08:24 AM

I'll be here until you are satisfied with your computer.

 

Have that Autoruns report posted. In addition, let's scan with FRST as follows:

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Make sure that under Optional Scans there is a checkmark on Addition.txt.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.




#12 JSntgRvr

    Master Surgeon General


  • Malware Response Team

Posted 19 April 2017 - 06:00 PM

Are you still with us?




#13 JSntgRvr

    Master Surgeon General


  • Malware Response Team

Posted 21 April 2017 - 03:00 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





