Infected with Rootkit and can't remove it


  • This topic is locked
4 replies to this topic

#1 cphill1996

  • Members
  • 3 posts
  • OFFLINE

Posted 19 June 2017 - 02:25 AM

I accidentally infected my computer with something (I'm not entirely sure what), but I attempted to run GMER under a randomly generated name multiple times (it says there is rootkit activity on my laptop), and it continues to crash.  I have posted what I was able to salvage in the Notepads below; they look quite nasty, but as I have no experience in dealing with this sort of thing, I cannot be sure.  I've also tried running Malwarebytes Anti-Rootkit and other such programs, but I cannot restart my laptop in order to complete the removal process (I am running Windows 10).  Every time I try to restart my laptop, it hangs on the "Getting Windows Ready" screen and I am forced to hold the power button for a while to force it to shut off and then reboot it in Safe Mode with Networking.  What should I do now?

UPDATE: Attached required files as specified by guidelines

Attached Files


Edited by cphill1996, 19 June 2017 - 03:02 AM.



#2 nasdaq

  • Malware Response Team
  • 40,211 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 June 2017 - 09:30 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
HDWallPaper 1.0 (HKLM-x32\...\HDWallPaper_is1) (Version: 1.0.0.90 - HDWallPaper) <==== ATTENTION
pccleanplus (HKLM\...\pccleanplus) (Version: 4.8 - pccleanplus) <==== ATTENTION
s5m (HKLM-x32\...\s5m) (Version: 2.0.2 - s5m) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
GroupPolicy: Restriction <======= ATTENTION
FF NewTab: Mozilla\Firefox\Profiles\boh9zps8.default-1439767151084 -> hxxp://www-searching.com/?site=shyosffdefault&prd=set_ff&s=H6Jzamobl20603BU,7116cec8-0c76-4dc9-b5b9-7024c96aa471,
CHR HomePage: Default -> hxxp://www-searching.com/?pid=s&s=H6Jzamobl20603BU,7116cec8-0c76-4dc9-b5b9-7024c96aa471,&vp=ch&prd=set_ch
CHR StartupUrls: Default -> "hxxp://www-searching.com/?pid=s&s=H6Jzamobl20603BU,7116cec8-0c76-4dc9-b5b9-7024c96aa471,&vp=ch&prd=set_ch"
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?site=shyos&prd=set_ch&q={searchTerms}&s=H6Jzamobl20603BU,7116cec8-0c76-4dc9-b5b9-7024c96aa471,
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
CHR Extension: (Chrome Web Store Payments) - C:\Users\Connor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-26]
CHR Extension: (Chrome Media Router) - C:\Users\Connor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-18]
S2 SMUpd; C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe /service [X] <==== ATTENTION
S3 SMUpdd; \??\C:\Program Files\Common Files\Noobzo\GNUpdate\smw.sys [X] <==== ATTENTION
Task: {3F031361-FA1C-4D27-82A8-096ADCF3D191} - System32\Tasks\SMW_P => C:\ProgramData\smp2.exe [2017-06-19] () <==== ATTENTION
Task: {42E98050-365B-467C-9933-B6559CA833CD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {45A55925-818F-4FBA-A067-0C7F3F9F8F16} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {49BB6224-B1CA-42BC-B43F-2452613945B6} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {60338604-9059-4564-B4B8-B1F191591102} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {7DD80719-89AE-49EB-9913-C374BE98B815} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {7E9BF518-403B-4921-95C2-DC10F2D80B71} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {90899F46-8795-400A-AA9C-75057A374739} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {9225EFF2-CF25-4DED-8A6E-B0F7CB2B4226} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {93EF7C00-F415-47AB-B4D6-9C9F7244CD53} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {AAEFB85B-94F8-48D1-AFCC-6B13201201FE} - System32\Tasks\HDWallPaper => C:\Program Files (x86)\HDWallPaper\HDWallPaper.exe <==== ATTENTION
Task: {C1799884-6623-4FCF-BE8E-445D7492B647} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {EF780FEB-9D80-4EBF-8754-CB4F3833CE39} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Connor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www%2dsearching.com/?prd=set_epf&s=h6jzamobl20603bu,7116cec8-0c76-4dc9-b5b9-7024c96aa471,
ShortcutWithArgument: C:\Users\Connor\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s=h6jzamobl20603bu,7116cec8-0c76-4dc9-b5b9-7024c96aa471,
ShortcutWithArgument: C:\Users\Connor\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www-searching.com/?prd=set_epf&s=h6jzamobl20603bu,7116cec8-0c76-4dc9-b5b9-7024c96aa471,
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s=h6jzamobl20603bu,7116cec8-0c76-4dc9-b5b9-7024c96aa471,
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www-searching.com/?prd=set_epf&s=h6jzamobl20603bu,7116cec8-0c76-4dc9-b5b9-7024c96aa471,
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epf&s=h6jzamobl20603bu,7116cec8-0c76-4dc9-b5b9-7024c96aa471,
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www-searching.com/?prd=set_epf&s=h6jzamobl20603bu,7116cec8-0c76-4dc9-b5b9-7024c96aa471,
AlternateDataStreams: C:\ProgramData\TEMP:9A78FF1A [334]
C:\ProgramData\smp2.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218071F0}) (Version: 8.0.710.15 - Oracle Corporation)
---

Please let me know what problem persists with this computer.
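The fixlist above removes a specific set of entries from this one machine. As an added example (not part of nasdaq's post and not FRST's own code), the PowerShell script below re-checks the same four persistence classes the fixlist targets in a read-only pass, so the box can be verified after the fix or triaged before one is written: browser shortcuts with a URL appended to their arguments, services and drivers whose binary is gone, scheduled tasks launching from user-writable folders or pointing at a missing file, and alternate data streams under ProgramData. It assumes an elevated PowerShell 5.1 prompt on Windows 10; the directory list, the URL pattern and the noise filters are illustrative assumptions, and nothing in it deletes anything.

```powershell
# Added example, not part of the original post or of FRST: read-only triage of the
# persistence classes flagged in the FRST log above. Run elevated; review the output
# against the log rather than treating every line as malicious.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($type, $item, $detail) {
    $findings.Add([pscustomobject]@{ Type = $type; Item = $item; Detail = $detail })
}

# 1. "ShortcutWithArgument": .lnk files whose Arguments field carries a URL, the trick
#    used to force the www-searching.com page at every browser launch.
#    Directory list is an assumption; add any folder the user launches browsers from.
$shortcutDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:PUBLIC\Desktop",
    "$env:USERPROFILE\Desktop"
)
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        # A stock browser shortcut has no arguments at all; any URL here is suspect.
        if ($lnk.Arguments -match 'https?://|www%2d') {
            Add-Finding 'ShortcutWithArgument' $_.FullName $lnk.Arguments
        }
    }
}

# 2. Services and kernel drivers whose binary no longer exists (FRST's "[X]" marker),
#    like the SMUpd / SMUpdd pair under Common Files\Noobzo in the log.
$svcLike = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)
foreach ($svc in $svcLike) {
    $raw = $svc.PathName
    if (-not $raw) { continue }
    # Normalise the NT-style prefixes FRST prints verbatim (\??\ and \SystemRoot\),
    # then cut at the first .exe/.sys so trailing arguments such as "/service" drop off.
    $p = $raw -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^system32\\', "$env:SystemRoot\system32\"
    if ($p -match '^"?(?<exe>[^"]+?\.(exe|sys))') {
        $exe = [Environment]::ExpandEnvironmentVariables($Matches.exe)
        if (-not (Test-Path -LiteralPath $exe)) {
            Add-Finding 'ServiceMissingBinary' $svc.Name $raw
        }
    }
}

# 3. Scheduled tasks that launch from a user-writable location or point at a file
#    that is gone (the SMW_P -> C:\ProgramData\smp2.exe and HDWallPaper entries).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in @($task.Actions)) {
        $exe = $action.Execute
        if (-not $exe) { continue }   # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
        $userWritable = $exe -match '\\(ProgramData|AppData|Users\\Public|Temp)\\'
        # Get-Command resolves bare names such as "cmd.exe" through PATH.
        $present = (Test-Path -LiteralPath $exe) -or (Get-Command $exe -ErrorAction SilentlyContinue)
        if ($userWritable -or -not $present) {
            Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) "$exe $($action.Arguments)"
        }
    }
}

# 4. Alternate data streams on the top level of ProgramData (the TEMP:9A78FF1A entry).
#    Zone.Identifier is the ordinary "downloaded from the internet" mark and is skipped.
Get-ChildItem -LiteralPath $env:ProgramData -Force -ErrorAction SilentlyContinue | ForEach-Object {
    Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
        ForEach-Object { Add-Finding 'AlternateDataStream' $_.FileName ("{0} ({1} bytes)" -f $_.Stream, $_.Length) }
}

$findings | Sort-Object Type | Format-Table -AutoSize -Wrap
```

The output is a worklist, not a verdict: a service with a missing binary is usually a leftover from an uninstaller, and some vendor tasks legitimately run from ProgramData, so each line is compared against the FRST log before anything is removed. Re-running the script after the Fix should show none of the entries the fixlist named.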

#3 cphill1996

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE

Posted 19 June 2017 - 01:35 PM

Hello nasdaq. Thank you so much for your reply. I am currently running the tool you asked me to, and I will post the log file once it's finished. Is it too early to tell if this issue can be fixed or not? I do have an external drive/passport that I can copy my important files to if you think that a fresh install of Windows/complete wiping of my laptop would be a better option. What are your thoughts on something like that?  I also noticed a suspicious program called Isminer located in my programs and files.  I have thus posted the log file from RKill's removal of Isminer as per BleepingComputer's instruction manual.

Attached Files


Edited by cphill1996, 19 June 2017 - 02:02 PM.


#4 cphill1996

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE

Posted 19 June 2017 - 01:49 PM

Here is the log file you asked for

Attached Files



#5 nasdaq

  • Malware Response Team
  • 40,211 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 June 2017 - 08:25 AM


Decide if you wish to keep this
C:\Users\Connor\AppData\Roaming\isMiner\qwe.exe
https://www.bleepingcomputer.com/virus-removal/remove-isminer-cryptocoin-miner

To remove it delete the folder in bold.

===

Navigate to this page.
Windows 10: getting Windows ready / Don't turn off your computer despite no update
https://www.tenforums.com/windows-updates-activation/70182-getting-windows-ready-dont-turn-off-your-computer-despite-no-update.html

Look at this Video. How to disable the maintenance.


Keep me posted.



