
Need Help with removing more complicated Rootkits detected by GMER


#1 Lobas



Posted 06 May 2018 - 02:45 PM

The concrete story of my actual problem is the following:
I'm working as an IT representative and system administrator in a small medical company. In the complete network, which also includes private PCs and other electronic devices, there are approximately 20 network-using PCs, smartphones, tablets and so on, not including other network equipment, using one of the four important or a few other separate Internet connections. There is also, like in most networks, a lot of other network equipment. But eventually all network objects are more or less in touch with each other:
Not so long ago I detected rootkit networks on two PCs and one external hard drive. They were rather simple rootkits, but in great numbers.
The external drive had 37 of them; the two PCs had 3,735 and 7,559 rootkits. I have to say these RKs were detected by Comodo, a portable program which obviously only detects RKs of lower dangerousness.
Comodo isn't able to remove these RKs (types: RK.HiddenFile and RK.HiddenDir), so I manually collected all of them, using the Comodo "Threats found" report, and shredded them with a special program (deleting and then overwriting them 256 times), so I could be sure they aren't able to restore themselves in any way.
But on a brand new PC we got, Comodo instantly detected 8534 RKs of the already named types, which made this case suspicious. The next day I came up with the idea that traditional rootkit programs could let me know more.
Kaspersky TDSSKiller only found one unsigned file, which is with high probability not a rootkit; Malwarebytes Anti-Rootkit BETA produced an OS crash exactly at the moment I hit the "Scan" button. When I tried GMER, the constellation got interesting. GMER .exe downloads have random names, as you surely know.
At first I was able to run GMER (but only for a limited time, I think the time the malware needed to identify the program with the random name as GMER). So I always had only short periods to do the single parts of the complete scan. Later I had an idea, and downloaded GMER 12 times on another PC, each with a new random name.
So I was able to do most of the component scans GMER lets you make by using a new GMER file every time, and with each one I tried one scan part. Most of the scanning sections were clean, at least in GMER's opinion. Only in the "Services" part did I discover a rootkit and was able to save the scan report. The Trace I/O scan part wasn't practicable, because exactly at the moment I tried to scan this part of the GMER scanning sections, the OS crashed. Surely because of this rootkit network.
I'm convinced there are at least two rootkit networks, because I think the network of simple RKs detected by Comodo has nothing or not much to do with the much more complicated RKs, of which I could document one in the Services section, and I think the center of them is in the Trace I/O section, because when I tried to scan this, the OS crash instantly came out, presumably to hide more highly dangerous RKs.
I will attach the GMER report that documents the one RK proven by GMER.
I hope somebody here is able to help me with this problem, on the one hand to remove this RK, and on the other hand to get more information about the possible RK hideout in the Trace I/O section.
At the moment this PC isn't just cut off from the Internet; it is also shut down and disconnected from any power source, so that the problem can't grow and the (brand new) PC can't get damaged more than it already is, primarily through the very frequently provoked OS crashes and eventually further through other negative activity of the small but dangerous RK network.
Maybe I should also mention the other malware, which I did not speak about up to now, that I found on this one:
 - 10 PUMs (normal with a new or relaunched PC)
 - 2 Trojan.Injector Siggen (both were already on the PC before we got it)
 - 7 Trojan.Dropper Muldrop (one was already on the PC when we got it; the six others came through the Internet, I think, over a period of not more than 24 hours)
 - 4 suspicious processes
 - 4 suspicious registry changes (all in registry parts which have to do with services; maybe a correlation with the RK in the Services area?)
I really hope somebody is willing to take care of my problem and is able to help me! :)

Attached Files

Edited by hamluis, 06 May 2018 - 02:54 PM.
Moved from MRL to Am I Infected - Hamluis.
