
PCHunter Infected?


5 replies to this topic

#1 bestill

  • Members
  • 3 posts
  • Gender:Male
  • Location:U.S.A.

Posted 29 October 2017 - 12:48 PM

Hello Everyone,

So GMER found a weird item on the HD0 MBR, however it didn't flag it as a rootkit. Since I dual boot and had messed with grub it didn't set off the fire alarms. Just to get a second opinion, so to speak, I came here to check the anti-rootkit software.

After perusing a little, I came across PCHunter and decided to give it a go. In hindsight it seems to be a huge mistake. The first thing I noticed on this site was that there were no security CRC hash numbers to check the downloaded files against, which is very odd, but okay.

I looked at the screenshots of the program running on BleepingComputer to get a sense of what to expect. However, when I launched PCHunter I did not get any windows, only a warning from the o/s stating that "Another program was using this file". Obviously inaccurate. I used Process Explorer to shut down everything unneeded, ran a scan with Malwarebytes, and scrubbed the downloaded zip file and the extracted directory of PCHunter. Now I have THIS! (see attached)

PCHunter is quote-unquote anti-malware from China. Now, after a failed attempt at using/opening PCHunter, I have a Chinese symbol in front of a non-existent volume, being run by a non-existent process...

Does anyone actually look at the source code for this software, or run it to make sure it's not full of malware? Bleeping Computer seems like a web site rife for planting malware, being the place where others go to find fixes and cleaners.

Is this web site going to start using CRC hashes anytime? Clearly it's not a be-all and end-all for security, but it might help to keep this web site from passing out malware in an attempt to clean people's o/s's of malware.

Does anyone know of an effective way to clean this from my system other than a total sector scrub and reinstall of the o/s?

Attached Files




#2 usasma

    Still visually handicapped (avatar is memory developed by my Dad

  • BSOD Kernel Dump Expert
  • 25,090 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 29 October 2017 - 07:43 PM

I would suggest that you post your questions over in the Security forums.

This is the BSOD/Crashes/Hangs forum and we generally don't offer that sort of help here.


My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ )

**If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017)

FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 Grinler

    Lawrence Abrams

  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 30 October 2017 - 11:04 AM

To be clear, I personally test every download added to the site, including PC Hunter and it's not an infection.

As for the CRCs, we will look into it.

As to your problem, I tested PC Hunter again using version 1.51 and the newer 1.52 that I just updated the site's download to use.

No problems on my end:

[image: pchunter.jpg]

What version of Windows are you using?

When PC Hunter is executed for the first time it installs a driver. This is just like GMER.

As you stated the program never loaded, is it possible this driver was not loaded properly? Or was loaded and remained resident after unloading, which could potentially cause the No Process listing?

Have you rebooted since? Is the same strange process appearing?

#4 bestill (Topic Starter)

  • Members
  • 3 posts
  • Gender:Male
  • Location:U.S.A.

Posted 30 October 2017 - 11:25 AM

Hello, and thank you for the responses.

Whoops on the thread; clearly I read it wrong and just saw the "Help and Support" at the end of the line.


So I'm using Windows 8.1 x64, and yes, I have rebooted a few times. So far that was the only time I have seen the Chinese character and non-existent volume mysteries. However, now I have HDD noise that was not there previously. I know that is not conclusive, but it is another variable. I'll try downloading the new release and see what happens.

#5 Grinler

    Lawrence Abrams

  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 30 October 2017 - 12:24 PM

If I could hazard a guess, I think the issue you ran into was because PC Hunter loaded a driver, but the program itself never properly loaded, yet the driver persisted.

By rebooting, the PC Hunter driver would not have loaded and thus you would not see that behavior. You can also check the services Registry entries for a driver that starts with PCHunter.

#6 bestill (Topic Starter)

  • Members
  • 3 posts
  • Gender:Male
  • Location:U.S.A.

Posted 30 October 2017 - 01:09 PM

It seems this time was the charm, as the more recent version ran as expected. So far no odd characters or nonexistent volumes, just a very, very detailed report. Kudos to the creator(s) of this software.

A few oddities though: in the "Process" tab I see at the end of the list an entry of "Idle" with little to no information about it.

Is this standard for a Microsoft o/s scanned by this software?


Also Snort let out a cry when I ran PCHunter x64 with this information...


2017-10-30 12:29:12    Auth.Alert    192.168.1.80    Oct 30 12:29:12 snort[76772]: [1:2009867:8] ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible)) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 0.0.0.0:21217 -> 94.23.156.117:80

Clearly I changed the WAN address to the 0's, but it's odd for Snort to cry about outgoing connections, and while I was running PCHunter. Nothing conclusive, just another variable. So far, last on my list of oddities is that when I generated an "Examination" report, at the end of the list "Scan MBR rootkit" it shows a listing of "Unknown MBR!". In and of itself it is nothing, but coupled with GMER's MBR warning and the other oddities it could be something.

Does anyone else dual boot and get that or similar MBR warnings from multiple versions of rootkit scanning software?


Thanks again for your help.
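For anyone triaging an alert like the one quoted above, here is an added example (not from the thread or from Snort's own code) that parses Snort's one-line syslog alert format into its fields (GID:SID:REV, message, classification, priority, protocol, endpoints) and flags whether the flow is a LAN host talking out to a public address, which is the case worth looking at first. The sample line is the poster's alert, with the WAN address already zeroed as in the post; the field names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Snort's one-line syslog alert layout, as in the line quoted in the post above:
# snort[PID]: [GID:SID:REV] MSG [Classification: TEXT] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
ALERT_RE = re.compile(
    r"snort\[\d+\]:\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.+?)\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"\{(?P<proto>[A-Za-z]+)\}\s*(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one syslog line carrying a Snort alert; return None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return SnortAlert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"], m["cls"],
                      int(m["prio"]), m["proto"].upper(), m["src"], int(m["sport"]),
                      m["dst"], int(m["dport"]))

def is_outbound(alert: SnortAlert) -> bool:
    """True when a private (or redacted 0.0.0.0) host is talking to a public address."""
    src, dst = ipaddress.ip_address(alert.src), ipaddress.ip_address(alert.dst)
    return (src.is_private or src.is_unspecified) and dst.is_global

# Constructed sample: the alert line quoted in the post (WAN address already zeroed by the poster).
SAMPLE = ("2017-10-30 12:29:12    Auth.Alert    192.168.1.80    Oct 30 12:29:12 snort[76772]: "
          "[1:2009867:8] ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible)) "
          "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 0.0.0.0:21217 -> 94.23.156.117:80")

if __name__ == "__main__":
    a = parse_alert(SAMPLE)
    print(f"{a.gid}:{a.sid}:{a.rev} prio={a.priority} outbound={is_outbound(a)} -> {a.dst}:{a.dport} ({a.msg})")
```

The SID (2009867) is what you would look up in the Emerging Threats rule set to see exactly which User-Agent string the rule matches, and a process-to-connection view taken at the moment of the alert (Process Explorer or PCHunter's own network tab) is what ties the flow to a specific program.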
