
Rootkit infection still present after resets


16 replies to this topic

#1 cljm
  • Members
  • 7 posts

Posted 16 June 2017 - 04:02 AM

Yesterday I noticed the command prompt pop up and disappear soon after. I was using Netflix at the time and the sounds became distorted and the videos were lagging. So I used Avast to scan, but nothing was found. Then I downloaded Malwarebytes, where the same thing happened. Both scans took a lot longer than normal. All links in Windows Explorer turned blue, and there was an additional F drive, which has now disappeared. I downloaded RogueKiller and GMER, and after using both and scanning with GMER, the GMER tool couldn't disable two processes which showed rootkit activity. So then I used a complete reset twice to try to get rid of it, but this didn't work either.

Then I followed most of the processes used in this thread:

https://www.bleepingcomputer.com/forums/t/597188/recurring-rootkit/

where AdwCleaner found three issues and removed them.

All scans with different products at this point are coming back clean, but links in Windows Explorer are still blue, so I'm pretty sure I'm still infected. I'm unable to paste the FRST logs so I have attached them.

Thanks in advance if anyone can help!

Attached Files




#2 nasdaq
  • Malware Response Team
  • 39,237 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 June 2017 - 08:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean.


Run this Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Windows XP:
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===

Let me know what present issues you are having with this computer.

#3 cljm
  • Topic Starter
  • Members
  • 7 posts

Posted 18 June 2017 - 01:14 PM

Hi, thanks for replying. Before I started the scan, Windows had to update. I did as you said but the scan revealed no issues. The laptop is just generally being slow to start up and all links in Windows Explorer are still blue rather than the normal black. The local F disk has reappeared.



#4 nasdaq
  • Malware Response Team
  • 39,237 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 June 2017 - 06:56 AM



Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed refer to the Microsoft article again and follow the instructions to view details of the System File Checker process

Post the contents of the sfcdetails.txt file for my review.

Let me know if the problem persists.
<<<>>>

Navigate to this page.
http://learn.flexerasoftware.com/SVM-EVAL-Personal-Software-Inspector

Download and run the Flexera Software Personal Software Inspector.

Update all the 3rd party drivers that are old.
===

Keep me posted on the issue.

#5 cljm
  • Topic Starter
  • Members
  • 7 posts

Posted 19 June 2017 - 01:28 PM

The system files scan revealed no issues. Neither did the Flexera inspector. I'm unable to access the local F disk and it keeps disappearing/reappearing. Not sure how to update 3rd party drivers.



#6 nasdaq
  • Malware Response Team
  • 39,237 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 June 2017 - 07:45 AM

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click the aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.

p.s.
Is the F:\ drive external?


#7 cljm
  • Topic Starter
  • Members
  • 7 posts

Posted 20 June 2017 - 11:34 AM

The first scan revealed no issues. My first attempt at the second scan caused the computer to crash with an APC_INDEX_MISMATCH error. The second attempt revealed no issues. The F:\ drive only appeared 6 days ago, when I first noticed other issues. I can't currently see it. I have attached the two logs from the second scan.

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2017-06-21 08:37:42
-----------------------------
08:37:42.118    OS Version: Windows x64 6.2.9200
08:37:42.118    Number of processors: 2 586 0x3708
08:37:42.134    ComputerName: DESKTOP-F1USBO6  UserName: cpod
08:37:42.243    Initialize success
08:37:42.368    VM: initialized successfully
08:37:42.368    VM: Intel CPU BiosDisabled
08:37:47.743    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000028
08:37:47.759    Disk 0 Vendor: VID:45 0.1 Size: 29820MB BusType: 12
08:37:47.775    Disk 0 MBR read successfully
08:37:47.775    Disk 0 MBR scan
08:37:47.775    Disk 0 unknown MBR code
08:37:47.775    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
08:37:47.790    Disk 0 scanning C:\WINDOWS\system32\drivers
08:37:53.025    Service scanning
08:38:01.166    Modules scanning
08:38:01.213    Disk 0 trace - called modules:
08:38:01.244    ntoskrnl.exe CLASSPNP.SYS disk.sys sdstor.sys ACPI.sys sdbus.sys hal.dll
08:38:01.260    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe0015fc09060]
08:38:01.260    3 CLASSPNP.SYS[fffff800a8f946c5] -> nt!IofCallDriver -> \Device\00000028[0xffffe0015fbff920]
08:38:01.275    5 sdstor.sys[fffff800a8eb8a14] -> nt!IofCallDriver -> [0xffffe0015fbf7680]
08:38:01.291    7 ACPI.sys[fffff800a8021361] -> nt!IofCallDriver -> \Device\SdBus-0[0xffffe0015fbf8060]
08:38:01.291    Disk 0 statistics 63582/0/0 @ 23.31 MB/s
08:38:01.306    Scan finished successfully
08:40:52.179    Disk 0 MBR has been saved successfully to "C:\MBR.dat"
08:40:52.210    The log file has been saved successfully to "C:\aswMBR.txt"
 
 
 

Attached Files
  • MBR.zip (144 bytes)
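aswMBR above reports "unknown MBR code" and a single type EE (GPT) partition at offset 1, and RogueKiller later calls the same sector "Empty MBR Code". As an added example, not the poster's MBR.dat and not either tool's code, the Python below parses a constructed 512-byte protective MBR the way those logs do and shows why an empty boot-code area is the expected result on a UEFI/GPT disk, where the firmware boots from the EFI system partition and never executes MBR boot code.

```python
import struct

# Constructed sample: a 512-byte GPT protective MBR shaped like the one in the
# logs (no boot code, one type-0xEE entry starting at LBA 1 that spans the
# disk). It is built here for the example, not taken from the poster's MBR.dat.
def build_protective_mbr() -> bytes:
    boot_code = b"\x00" * 446
    # entry: status, CHS start, type, CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", 0xEE,
                        b"\xff\xff\xff", 1, 0xFFFFFFFF)
    table = entry + b"\x00" * 48            # three unused entries
    return boot_code + table + b"\x55\xaa"  # boot signature

def parse_mbr(sector: bytes) -> dict:
    """Summarise a 512-byte MBR the way aswMBR/RogueKiller report it."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    info = {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        # 'Empty MBR Code': nothing at all in the 446-byte boot-code area
        "empty_boot_code": not any(sector[:446]),
        "partitions": [],
    }
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue                        # unused entry
        info["partitions"].append({"index": i + 1, "bootable": status == 0x80,
                                   "type": ptype, "lba_start": lba,
                                   "sectors": count})
    parts = info["partitions"]
    # A protective MBR is one 0xEE entry at LBA 1; the real layout is in the GPT
    info["is_gpt_protective"] = (len(parts) == 1 and parts[0]["type"] == 0xEE
                                 and parts[0]["lba_start"] == 1)
    return info

def assess(sector: bytes) -> str:
    """Turn the parsed sector into the kind of verdict a helper would give."""
    r = parse_mbr(sector)
    if not r["valid_signature"]:
        return "invalid boot signature"
    if r["is_gpt_protective"] and r["empty_boot_code"]:
        return "GPT protective MBR, empty boot code: expected on a UEFI system"
    if r["is_gpt_protective"]:
        return "GPT protective MBR with boot code present: review that code"
    return "legacy MBR: compare boot code against a known-good copy"

if __name__ == "__main__":
    print(assess(build_protective_mbr()))
```

To check a real saved sector, pass the 512 bytes read from MBR.dat to assess() instead of the constructed sample.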


#8 nasdaq
  • Malware Response Team
  • 39,237 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 June 2017 - 12:28 PM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#9 cljm
  • Topic Starter
  • Members
  • 7 posts

Posted 20 June 2017 - 12:28 PM

Just now, I turned airplane mode on, turned real-time protection off and scanned with RogueKiller. 2 threats found, I have pasted the results. I haven't taken any action yet.

 

RogueKiller V12.11.2.0 (x64) [Jun 12 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
 
Operating System : Windows 10 (10.0.10240) 64 bits version
Started in : Normal mode
User : cpod [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 06/21/2017 09:56:53 (Duration : 00:28:00)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 1 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {FE295B9A-7B15-4A2B-8D26-C0B92733B05F} : v2.24|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|App=C:\Users\cpod\AppData\Local\Temp\HouseCall32\tmase\nmap\bonjour.exe|Name=bonjour4trend|Desc=bonjour4trend|EmbedCtxt=bonjour4trend|Edge=TRUE|Defer=App| [7] -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] C:\Windows\System32\drivers\WUDFPf.sys -> Found
 
¤¤¤ WMI : 0 ¤¤¤



#10 cljm
  • Topic Starter
  • Members
  • 7 posts

Posted 20 June 2017 - 12:38 PM

I accidentally missed the last few lines of the results - here's the full report.

 

RogueKiller V12.11.2.0 (x64) [Jun 12 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
 
Operating System : Windows 10 (10.0.10240) 64 bits version
Started in : Normal mode
User : cpod [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 06/21/2017 09:56:53 (Duration : 00:28:00)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 1 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {FE295B9A-7B15-4A2B-8D26-C0B92733B05F} : v2.24|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|App=C:\Users\cpod\AppData\Local\Temp\HouseCall32\tmase\nmap\bonjour.exe|Name=bonjour4trend|Desc=bonjour4trend|EmbedCtxt=bonjour4trend|Edge=TRUE|Defer=App| [7] -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] C:\Windows\System32\drivers\WUDFPf.sys -> Found
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk SDW32G +++++
--- User ---
[MBR] 399b50e7280023f2a8c8a6aa4a1bd531
[BSP] 939bfd93ef76a347b5a8f12e4069d1c8 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 796672 | Size: 21202 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 44220416 | Size: 804 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 45867008 | Size: 7423 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

Edited by cljm, 20 June 2017 - 12:40 PM.


#11 nasdaq
  • Malware Response Team
  • 39,237 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 June 2017 - 12:42 PM


[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {FE295B9A-7B15-4A2B-8D26-C0B92733B05F} : v2.24|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|App=C:\Users\cpod\AppData\Local\Temp\HouseCall32\tmase\nmap\bonjour.exe|Name=bonjour4trend|Desc=bonjour4trend|EmbedCtxt=bonjour4trend|Edge=TRUE|Defer=App| [7] -> Found


This is a remnant item from Trend Micro HouseCall (32-bit); you can remove it.

===

Let's check on this file.
[File.Forged][File] C:\Windows\System32\drivers\WUDFPf.sys -> Found

Submit the file to VirusTotal.


Navigate to this site:
https://www.virustotal.com/

Follow the directives on the page.

Post the results for my review.
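The two RogueKiller findings above are a firewall rule whose App path points into a user's Temp folder and a driver the tool flags as forged, to be checked on VirusTotal. The Python below is an added example, not RogueKiller's or the helper's code: it parses the pipe-delimited FirewallRules value format shown in the log (the flagged rule plus one constructed benign rule as inline samples), flags inbound allow rules for executables under Temp or Downloads folders, and hashes a file so it can be searched on VirusTotal by SHA-256 before anything is uploaded.

```python
import hashlib
import re
from pathlib import Path

# Constructed FirewallRules values in the pipe-delimited key=value format
# RogueKiller printed above. The first mirrors the flagged rule; the second
# is a made-up benign rule. Neither is read from a live registry here.
SAMPLE_RULES = {
    "{FE295B9A-7B15-4A2B-8D26-C0B92733B05F}":
        "v2.24|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private"
        "|Profile=Public|App=C:\\Users\\cpod\\AppData\\Local\\Temp\\HouseCall32"
        "\\tmase\\nmap\\bonjour.exe|Name=bonjour4trend|Edge=TRUE|Defer=App|",
    "{CONSTRUCTED-0001}":
        "v2.24|Action=Allow|Active=TRUE|Dir=In|Profile=Private"
        "|App=C:\\Program Files\\Example\\svc.exe|Name=Example Service|",
}

# Folders from which a persistent inbound allow rule deserves a second look.
SUSPICIOUS_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Temp|Downloads)\\", re.I)

def parse_rule(value: str) -> dict:
    """Split one FirewallRules value; repeated keys (Profile=) become lists."""
    fields = {}
    for token in value.split("|")[1:]:        # token 0 is the version (v2.24)
        if "=" not in token:
            continue                          # trailing empty token
        key, val = token.split("=", 1)
        fields.setdefault(key, []).append(val)
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}

def find_suspicious_rules(rules: dict) -> list:
    """Return inbound allow rules whose App lives in a temp/download folder."""
    hits = []
    for guid, value in rules.items():
        r = parse_rule(value)
        app = r.get("App", "")
        if (r.get("Action") == "Allow" and r.get("Dir") == "In"
                and SUSPICIOUS_DIRS.search(app)):
            hits.append({"guid": guid, "app": app, "name": r.get("Name"),
                         # a rule whose target no longer exists is a remnant
                         "file_present": Path(app).exists()})
    return hits

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_for_lookup(path: str) -> str:
    """Hash a file (e.g. the flagged WUDFPf.sys) for a VirusTotal hash search."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_RULES):
        print(hit)
```

On the affected machine the same dictionary can be filled from HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules with Python's standard winreg module (Windows only).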

#15 nasdaq
  • Malware Response Team
  • 39,237 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 June 2017 - 12:43 PM

Sorry for the duplicate posts.



