Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Offline and Online Rookit/Malware in Windows 10


  • Please log in to reply
9 replies to this topic

#1 t1t2t3

t1t2t3

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:36 AM

Posted 08 December 2017 - 03:16 AM

Hi, I need help  on how to remove the following (see attached file). It seems to be recurring after wiping hard drive (using DBAN) and even use clean install from dvd (downloaded windows 10 iso from Microsoft website).
I noticed 2 folders in quick access (please see attached) that I didn't pin. My internet speed has been dragging. I have to delete temp files from both %tmp% and "temp" windows folders, and it seems to temporarliy speed up the internet webpage loading. There are also alot of window 10 game apps that seems to be downloaded. I have seen my email being changed on Facebook, when I go to my profile. Webpages that are in process of loading are suddenly stopped. Emails deleted from Gmail. My google account was previously hacked, and I every time I change my password, emails once again would be missing or spam is sent into my inbox (with spam filter on). In Google Chrome, I notice extensions google drive, google docs being re-installed when I already removed it. 
So, I have exhausted most options on finding a solution to what is the issue with my computer, and I would really like some positive insight and solutions. Please let me know? Thanks.

Attached Files


Edited by Platypus, 08 December 2017 - 03:29 AM.
Moved from Logs forum, no logs posted


BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • Moderator
  • 13,396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:36 AM

Posted 11 December 2017 - 07:52 AM

If you think your Gmail is compromised I suggest you not only change your password but other identifiers such as other email addresses

and phone numbers. Anything that is used by Google to replace a lost or forgotten password.

 

Reformatting the hdd would have removed any malware from it. That leaves peripherals such as external drives and your router as possible

source of reinfection. If you have not reset and resecured your router....I suggest you do that if you suspect your computer is infected with

malware or is being remotely controlled. Resecure by especially changing the default password, disabling remote control, check for updates

for the router's firmware and making sure the router's firewall is active.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the

Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks.

At the bottom right of that page you will see a button when clicked will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next

post. Please do that.

 

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer and at the bottom right of that page you

will see a button when clicked will allow you to Copy and Paste that list in your next post. Please do that.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 t1t2t3

t1t2t3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:36 AM

Posted 11 December 2017 - 01:12 PM

I have changed Gmail password every few months and  I am shocked to notice that emails moved from one label different label, or the contents of one gmail label was completely deleted. I have several gmails that used to be linked together. I have recently deleted one of the google accounts that was definitely hacked. I would like to be sure that logging into a google account could download malicious code into computer?

 

For the router, I have changed router password, resetted gateway, and the pin to physical reset using the suggested 30-30-30 seconds rule. But what I noticed is the router settings are not changeable as ATT router was a technician's router. So, there are no changeable settings (e.g. DNS Servers) and no firewall. Another observation was that DNS Servers would sometimes change from the ISP DNS Servers to 0.0.0.0 or 10.x.x.x. Router settings were not touched, but when I reset the router, all default settings were changed (default checked settings became unchecked - e.g. 

Disable automatic searching for additional VPI/VCI Bypass Firewall Filter

 

Router security settings were never changed and appears and disappears at no notice.

For router firewall, there are no settings avalable for users to tweak. The router was updated many years ago and is set to update automatically. I checked that router remote access settings is unchecked. Please understand I try to convince my parents to change this router but to no avail. By the way, I am not able to upload pictures or files after my initial start of this topic. Please let me know what to do to resolve?

 

I have also noticed on any well-known websites I visited, there are ads in several webpage (not pop-up ads) saying "download windows 10 drivers", "remove malware - download". Another note, I see in the task manager several dllhost.exe with com surrogate entries.

 

I have been previously infected while usb and dvd was connected. I have a lot of contents that I use for one particular usb drive. So is there a way to safely transfer contents to a clean usb drive? Or are the files permanently infected and can't be restored to clean health? How could I check for USB peripherals malware?

 

For saving CCleaner startup log files, it asked me to save it to System32 folder. This seems to frequently occur for any files that I save.

I have copied and pasted the 3 CCleaner startup log files to desktop and it is attached below.

 

Startup-Context Menu

==============================================================================

Yes Directory File ownership
Yes Directory Open PowerShell window here powershell.exe -noexit -command Set-Location -literalPath '%V'
Yes Drive Open PowerShell window here powershell.exe -noexit -command Set-Location -literalPath '%V'
Yes File McCtxMenuFrmWrk McAfee, Inc. c:\Program Files\McAfee\MSC\McCtxMenuFrmWrk.dll
Yes Folder McCtxMenuFrmWrk McAfee, Inc. c:\Program Files\McAfee\MSC\McCtxMenuFrmWrk.dll
 

Startup-Scheduled Tasks

==============================================================================

Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)

Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task IHSelfDeleteTASK CMD /C DEL C:\WINDOWS\TEMP\IHUA151.tmp.exe
Yes Task IHUninstallTrackingTASK CMD /C DEL C:\WINDOWS\TEMP\IHU9913.tmp.exe
Yes Task McAfee DAT Built in test McAfee, LLC. C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\1.0.4.222\mcdatrep.exe /hcmode=periodic /periodicruncount=5
Yes Task McAfee Remediation (Prepare) McAfee, Inc. C:\Program Files\Common Files\AV\McAfee VirusScan\upgrade.exe /prepare
Yes Task McAfeeLogon McAfee, Inc. C:\PROGRA~1\COMMON~1\McAfee\Platform\McUICnt.exe /platui /runkey
Yes Task OneDrive Standalone Update Task-S-1-5-21-4057986710-2119159447-59569340-1001 Microsoft Corporation %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
 
Startup-Windows
=====================================================================================
Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKLM:Run SecurityHealth Microsoft Corporation %ProgramFiles%\Windows Defender\MSASCuiL.exe
 

AdwCleaner Log

=====================================================================================

# AdwCleaner 7.0.5.0 - Logfile created on Mon Dec 11 18:51:45 2017
# Updated on 2017/29/11 by Malwarebytes 
# Database: 12-11-2017.1
# Running on Windows 10 Pro (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
PUP.Optional.Legacy, IHSelfDeleteTASK
PUP.Optional.Legacy, IHUninstallTrackingTASK
PUP.Optional.Legacy, ihuninstalltrackingtask
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [1131 B] - [2017/12/11 17:26:57]
C:/AdwCleaner/AdwCleaner[S0].txt - [944 B] - [2017/12/11 17:24:28]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########

Edited by t1t2t3, 11 December 2017 - 04:24 PM.


#4 buddy215

buddy215

  • Moderator
  • 13,396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:36 AM

Posted 11 December 2017 - 04:36 PM

I don't see the list of installed programs. The Startup list appears to be too short. Check using the instructions I gave

for posting the three lists.

 

Rerun AdwCleaner and when scan finishes be sure to click on Clean. Post the new scan log.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 t1t2t3

t1t2t3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:36 AM

Posted 11 December 2017 - 06:39 PM

# AdwCleaner 7.0.5.0 - Logfile created on Mon Dec 11 23:42:53 2017
# Updated on 2017/29/11 by Malwarebytes 
# Running on Windows 10 Pro (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
No malicious folders deleted.
 
***** [ Files ] *****
 
No malicious files deleted.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
aa <=note: this came with the logfile; didn't type this.
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
Deleted: IHSelfDeleteTASK
Deleted: IHUninstallTrackingTASK
Deleted: ihuninstalltrackingtask
 
 
***** [ Registry ] *****
 
No malicious registry entries deleted.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [1131 B] - [2017/12/11 17:26:57]
C:/AdwCleaner/AdwCleaner[S0].txt - [944 B] - [2017/12/11 17:24:28]
C:/AdwCleaner/AdwCleaner[S1].txt - [1187 B] - [2017/12/11 18:51:45]
C:/AdwCleaner/AdwCleaner[S2].txt - [1256 B] - [2017/12/11 18:54:55]
C:/AdwCleaner/AdwCleaner[S3].txt - [1325 B] - [2017/12/11 23:42:28]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt ##########
 
CCleaner-Installed Programs
=====================================================================================
Alarms & Clock Microsoft Corporation 12/7/2017 10.1706.2401.0
App Installer Microsoft Corporation 12/7/2017 1.0.12161.0
Calculator Microsoft Corporation 12/7/2017 10.1706.2406.0
Camera Microsoft Corporation 12/7/2017 2017.727.20.0
CCleaner Piriform 12/11/2017 5.37
Feedback Hub Microsoft Corporation 12/7/2017 1.1705.2121.0
Get Help Microsoft Corporation 12/7/2017 10.1706.1811.0
Google Chrome Google Inc. 12/7/2017 63.0.3239.84
Groove Music Microsoft Corporation 12/7/2017 10.17063.24021.0
Mail and Calendar Microsoft Corporation 12/7/2017 17.8241.41275.0
Maps Microsoft Corporation 12/7/2017 5.1706.2261.0
McAfee WebAdvisor McAfee, Inc. 12/8/2017 4.0.141
Messaging Microsoft Corporation 12/7/2017 3.32.15001.0
Microsoft OneDrive Microsoft Corporation 12/8/2017 100 MB 17.3.7131.1115
Microsoft Sticky Notes Microsoft Corporation 12/7/2017 1.8.2.0
Movies & TV Microsoft Corporation 12/7/2017 10.17063.24021.0
Paint 3D Microsoft Corporation 12/7/2017 2.1709.4027.0
People Microsoft Corporation 12/7/2017 10.2.2351.0
Phone Microsoft Corporation 12/7/2017 1.10.15000.0
Photos Microsoft Corporation 12/7/2017 2017.37071.16410.0
Print 3D Microsoft Corporation 12/7/2017 1.0.2422.0
SecurityCenter McAfee, Inc. 12/8/2017 498 MB 16.0.5
Store Microsoft Corporation 12/7/2017 11706.1002.9.0
Store Purchase App Microsoft Corporation 12/7/2017 11706.1707.7010.0
View 3D Microsoft Corporation 12/7/2017 1.1707.26019.0
Voice Recorder Microsoft Corporation 12/7/2017 10.1706.1561.0
Wallet Microsoft Corporation 12/7/2017 1.0.16328.0
Xbox Microsoft Corporation 12/7/2017 31.32.16002.0
Xbox Game bar Microsoft Corporation 12/7/2017 1.20.25002.0
Xbox Game Speech Window Microsoft Corporation 12/7/2017 1.17.29001.0
Xbox Identity Provider Microsoft Corporation 12/7/2017 12.30.5001.0
Xbox Live Microsoft Corporation 12/7/2017 1.8.24001.0

Edited by t1t2t3, 11 December 2017 - 06:47 PM.


#6 buddy215

buddy215

  • Moderator
  • 13,396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:36 AM

Posted 11 December 2017 - 08:49 PM

Looks good...just uninstall McAfee WebAdvisor McAfee, Inc. 12/8/2017 4.0.141

 

Disable these Tasks: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler

Yes Task OneDrive Standalone Update Task-S-1-5-21-4057986710-2119159447-59569340-1001 Microsoft Corporation %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
 
Disable this Windows Startup: Use CCleaner by clicking on it and choosing Disable on the right.
Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
 
If you want to you plug in your flash drive containing backups, etc. and scan using the free Eset online scanner.
 

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#7 t1t2t3

t1t2t3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:36 AM

Posted 11 December 2017 - 10:56 PM

Below is the result Eset Online Scanner. 

 

C:\Users\DELL\Desktop\ccsetup537.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

Edited by t1t2t3, 11 December 2017 - 10:59 PM.


#8 buddy215

buddy215

  • Moderator
  • 13,396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:36 AM

Posted 12 December 2017 - 07:30 AM

No reason to suspect malware is on the computer. Other questions you may have concerning Windows or programs

should be asked in the appropriate forum here at BC.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#9 t1t2t3

t1t2t3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:36 AM

Posted 12 December 2017 - 01:05 PM

I appreciate your help. Thanks.



#10 buddy215

buddy215

  • Moderator
  • 13,396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:36 AM

Posted 12 December 2017 - 03:15 PM

You're welcome....happy surfin'


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users