Brand New Windows 10 system shows signs of a rootkit, worm and botnet


11 replies to this topic

#1 abdec70 (Members, 17 posts)

Posted 20 April 2017 - 06:07 PM

Hello, I recently built a computer from scratch and installed a Windows 10 Pro version purchased in store. After installing the operating system, installing the drivers for my GPU and finally connecting to my home network, I was doing an initial baseline of my system. After running GMER, I had entry points that were off and a suspicious csrss.exe process, as well as every .dll in my C:\Windows\System32\ directory marked as (**** suspicious ******). C:\Program Files\Windows Defender\MsMpEng.exe is also marked (*** suspicious *****).

 

THIS IS A BRAND NEW SYSTEM HOW CAN THIS BE!?!?!

 

I saved the GMER Logs just in case.


Edited by abdec70, 20 April 2017 - 06:17 PM.



#2 iMacg3 (Bleepin' 68000; Malware Study Hall Senior; 1,267 posts; Indiana, USA)

Posted 20 April 2017 - 06:37 PM

Are you sure the drivers you installed didn't contain any malicious files?


Regards, iMacg3

If I do not reply to your malware removal topic in 48 hours, please send me a PM.

"Do, or do not. There is no try." - Yoda

#3 abdec70 (Topic Starter)

Posted 20 April 2017 - 06:40 PM

I installed the drivers for the GPU from the disc provided, so I do not think those drivers are malicious.  There is however a possibility other drivers were affected.  How can I go about checking driver integrity?
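The driver-integrity check abdec70 asks about in post #3, as an added example rather than anything posted in the thread: a PowerShell script (run from an elevated PowerShell 5.1 prompt on Windows 10) that resolves the on-disk path of every loaded kernel driver, verifies its Authenticode signature with Get-AuthenticodeSignature, does the same for the csrss.exe and MsMpEng.exe binaries the GMER log flagged, and lists anything that is not validly signed. The path-normalisation rules and the MsMpEng.exe location are assumptions taken from common Windows 10 layouts and the poster's own reported path.

```powershell
# Added example, not code from the thread. Verifies Authenticode signatures on
# every loaded kernel driver plus the two binaries the poster's GMER log flagged,
# and reports anything that is not validly signed. Run from an elevated
# PowerShell 5.1 prompt on Windows 10.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes. The variants handled
    # here are assumptions from common Windows 10 layouts: a full Win32 path,
    # \SystemRoot\..., \??\C:\..., and a path relative to the Windows directory.
    param([string]$PathName)
    $p = $PathName.Trim('"')
    if ($p -match '^\\\?\?\\(.+)$')       { return $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$') { return (Join-Path $env:SystemRoot $Matches[1]) }
    if ($p -match '^[A-Za-z]:\\')         { return $p }
    return (Join-Path $env:SystemRoot $p)
}

function Test-BinarySignature {
    # One row per file. Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'FileNotFound'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
    }
}

function Get-SignatureReport {
    # 1. Every driver the kernel currently has loaded.
    $driverPaths = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object { Resolve-DriverPath $_.PathName }

    # 2. The user-mode binaries named in the GMER log. csrss.exe is a protected
    #    process, so its image path usually cannot be read from the live process
    #    even when elevated; check the on-disk binary at its expected location.
    #    The Defender path is the one the poster reported (assumed; it varies by build).
    $extra = @(
        (Join-Path $env:SystemRoot   'System32\csrss.exe'),
        (Join-Path $env:ProgramFiles 'Windows Defender\MsMpEng.exe')
    )

    (@($driverPaths) + $extra) | Sort-Object -Unique | ForEach-Object { Test-BinarySignature $_ }
}

$report  = Get-SignatureReport
$suspect = $report | Where-Object { $_.Status -ne 'Valid' }

"{0} files checked, {1} not validly signed" -f @($report).Count, @($suspect).Count
$suspect | Format-Table -AutoSize

# Is any csrss.exe running from somewhere other than System32? An empty
# ExecutablePath here means the process is protected and could not be opened,
# not that the path is missing.
Get-CimInstance Win32_Process -Filter "Name='csrss.exe'" |
    Select-Object ProcessId, ExecutablePath |
    Format-Table -AutoSize
```

On a clean Windows 10 build every row should come back Valid, signed by Microsoft (or, for the display driver, by the GPU vendor). Two caveats. Get-AuthenticodeSignature relies on the Windows catalog store for OS files that carry no embedded signature; if a large number of System32 files report NotSigned, confirm with the built-in `sigverif`, `driverquery /si` or `sfc /verifyonly` before reading anything into it. And a kernel-mode rootkit that hooks file I/O can hand clean bytes to any check run on the live system, so a clean result is evidence rather than proof; the same check run against the disk from separately booted media is stronger.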



#4 iMacg3

Posted 20 April 2017 - 06:44 PM

I think that scanning your PC for rootkits will be better than checking driver integrity.

 

Download Malwarebytes Anti-Rootkit from the provided link here.

When saving the file, please save it to your desktop. Once the file has been downloaded, right click on the downloaded file and select the Extract menu option. This will start the Windows compressed file extraction wizard. Follow the steps to extract the file and Malwarebytes Anti-Rootkit will be extracted to a folder called mbar-versionnumber on your desktop. For example, Malwarebytes Anti-Rootkit version 1.01.0.1009 will be extracted to a folder named mbar-1.01.0.1009.

Once the file has been extracted, double-click on the folder and when that folder opens, double-click on the mbar folder. You should now see a list of files that are found in the mbar folder. Please double-click on the mbar.exe file to launch the program.

Click through the agreements for the program.

Please click on the Update button to have MBAR download the latest definition updates that will then be used when scanning your computer. When the update has finished, please click on the Next button.

You will now be at the Scan System screen where you can select some basic scanning options.

Make sure the Drivers, Sectors, and System scan targets are selected and then click on the Scan button.

Make sure everything is selected and that there is a check mark in the Create Restore point option. Then click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer. Please click on the Yes button to restart your computer. After the computer reboots and you log in, you will be back at your normal desktop. It is suggested that you do one last scan using Malwarebytes Anti-Rootkit to make sure all traces have been removed. There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log.

Paste both log contents into a post.



#5 abdec70 (Topic Starter)

Posted 20 April 2017 - 06:55 PM

The download is just a .exe and is not extractable.



#6 iMacg3

Posted 20 April 2017 - 06:56 PM

Run the file and follow the onscreen instructions to extract it to a location of your choosing (your desktop by default).

 

When you run the file, it should look like this.


Edited by iMacg3, 20 April 2017 - 07:01 PM.


#7 abdec70 (Topic Starter)

Posted 20 April 2017 - 06:59 PM

As admin or no?



#8 iMacg3

Posted 20 April 2017 - 07:01 PM

As admin.

All anti-malware or anti-rootkit programs should be run as admin.


Edited by iMacg3, 20 April 2017 - 07:03 PM.


#9 abdec70 (Topic Starter)

Posted 20 April 2017 - 07:09 PM

No malware found....



#10 iMacg3

Posted 20 April 2017 - 07:20 PM

Download and install RogueKiller from here. Run a scan with it. Once the scan is finished, a text report is available by clicking on the Report button (you can export it in HTML, text or JSON format). Export it in text format. Copy and paste the log results into a post.



#11 abdec70 (Topic Starter)

Posted 21 April 2017 - 04:40 PM

Nothing...



#12 iMacg3

Posted 22 April 2017 - 07:53 PM

Download Hitman Pro. Right click it and select Run as Administrator.

Once it's open, click Settings, then uncheck Scan for Tracking Cookies. 

Click OK, then click Next.

Select No, I only want to perform a one time scan to check this computer and click Next. HitmanPro will start scanning your system. Once done scanning, HitmanPro will display a screen with any threats found. Important: Click on the drop-down tab next to the infection name and then click Apply to All > Ignore. If not, you could cause damage to your operating system! Make sure you choose to Ignore the files and then click next. You will be at the results window. Click "Save Log" and save it to your desktop. Paste its contents into a post.





