Gmer found system modifications/


  • This topic is locked
7 replies to this topic

#1 aidance

aidance

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:25 PM

Posted 08 October 2018 - 03:09 PM

Hi Dear Bleeping Computer Mods. I have a suspicion that my PC might be infected with a rootkit. When I launched my PC today I noticed my fan was working at full speed very noisily. Then the computer restarted itself before I entered my password on the Windows login screen. I had a suspicion of infection here and downloaded GMER. When I launched GMER it gave me the message "GMER has found system modification, which might have been caused by rootkit activity."

Other important notes:

I have a live USB Linux and it automatically connected to an open WIFI which I had never connected to before.

In order to launch the Linux live USB, I turned off Secure Boot in the BIOS a few months ago.

The screen blinks a few seconds after logging in to Win10.

I have AVAST Antivirus on my Windows 10.

The full-speed fan problem also happened in a freshly booted Linux.

image of GMER: https://imgur.com/a/yefaJdb

The logs are as follows:
Couldn't add the FRST logs because they were too long.

 

EDIT2: After a broken Avast scan (stuck at 15%) and an FRST scan, GMER no longer finds anything when launched. Doing a full GMER scan now.


Edited by aidance, 09 October 2018 - 02:53 AM.




#2 aidance

aidance
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:25 PM

Posted 08 October 2018 - 03:12 PM

The logs were too long so I attached the files.

Attached Files



#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:25 AM

Posted 09 October 2018 - 09:22 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean.
The fix will remove the empty registry entries with No File and delete all the many text files with the following pattern found in your Addition.txt log.
C:\WINDOWS\system32\default_error_stack*.txt
===

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
CloseProcesses:

ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers1_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers4_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers5_.DEFAULT: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
C:\WINDOWS\system32\default_error_stack-*.txt

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
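For readers who want to see what the "=> -> No File" verdict in the fixlist above actually means before running a fix, the following is an added audit script; it is not FRST's code and not part of nasdaq's fix. It walks the usual ShellIconOverlayIdentifiers and ContextMenuHandlers registry locations, resolves each handler's CLSID to its InprocServer32 DLL, and reports the registrations whose CLSID is unregistered or whose DLL no longer exists on disk, plus the default_error_stack*.txt files named in the Addition.txt log. It only lists; it deletes nothing. It assumes Windows 10 and an elevated Windows PowerShell 5.1 session; the function names are mine, and the thread does not say which keys FRST's numbered ContextMenuHandlers lines correspond to, so the list of registry roots is an assumption rather than FRST's definition.

```powershell
# Added audit example (not FRST's code, not nasdaq's fix). Read-only:
# it reports orphaned shell extensions the way FRST reports "No File",
# it does not remove anything. Assumes Windows 10, elevated PowerShell 5.1.

$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Assumed locations (the thread does not give FRST's own mapping).
$HandlerRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
    'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers',
    'Registry::HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers',
    'Registry::HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers',
    'Registry::HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers',
    'Registry::HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers'
)

function Get-DefaultValue {
    # Returns a key's "(default)" value, or $null if the key or value is absent.
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $v = (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
    if ([string]::IsNullOrWhiteSpace($v)) { return $null }
    return $v
}

function Resolve-InprocServer {
    # Maps a CLSID to its InprocServer32 DLL path: 64-bit view first, then the
    # WOW6432Node (32-bit) view, which is what FRST's "-x32" rows refer to.
    # Only in-process servers are checked; LocalServer32 entries are not resolved.
    param([string]$Clsid)
    foreach ($clsidRoot in 'Registry::HKEY_CLASSES_ROOT\CLSID',
                           'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
        $raw = Get-DefaultValue "$clsidRoot\$Clsid\InprocServer32"
        if ($raw) {
            $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            if (-not [IO.Path]::IsPathRooted($path)) {
                # A bare file name loads via the DLL search path; try the system dirs.
                foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
                    $candidate = Join-Path $dir $path
                    if (Test-Path -LiteralPath $candidate) { return $candidate }
                }
            }
            return $path
        }
    }
    return $null
}

function Get-OrphanedShellHandlers {
    # Emits one object per handler whose CLSID or backing DLL is missing.
    foreach ($root in $HandlerRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $value = Get-DefaultValue $sub.PSPath
            # The CLSID is normally the subkey's default value; some handlers
            # use the CLSID itself as the subkey name instead.
            $clsid = if ($value -match $GuidPattern) {
                $value
            } elseif ($sub.PSChildName -match $GuidPattern) {
                $sub.PSChildName
            } else {
                $null
            }
            if (-not $clsid) { continue }
            $server = Resolve-InprocServer $clsid
            $state = if (-not $server) {
                'No File (CLSID has no InprocServer32)'
            } elseif (-not (Test-Path -LiteralPath $server)) {
                "No File ($server is missing)"
            } else {
                'OK'
            }
            if ($state -eq 'OK') { continue }
            [pscustomobject]@{
                Key     = $root
                Handler = $sub.PSChildName
                Clsid   = $clsid
                Server  = $server
                State   = $state
            }
        }
    }
}

function Get-ErrorStackFiles {
    # The file pattern from the Addition.txt log, listed with size and date only.
    Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -Filter 'default_error_stack*.txt' -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Get-OrphanedShellHandlers | Format-Table -AutoSize
Get-ErrorStackFiles | Format-Table -AutoSize
```

Run it before and after the fix: the OneDrive and FileSyncEx rows from the fixlist should appear in the first table beforehand and be gone afterwards, and the second table should be empty once the text files have been removed. An orphaned handler is dead weight rather than evidence of infection, which is consistent with nasdaq's reading that the logs are clean.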

#4 aidance

aidance
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:25 PM

Posted 10 October 2018 - 10:53 AM

It once again says the post is too long, so I attached the file...

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:25 AM

Posted 10 October 2018 - 12:49 PM

All clean.

How is the computer running?

#6 aidance

aidance
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:25 PM

Posted 11 October 2018 - 10:37 AM

The computer is running as usual, but I'm not sure why GMER found some modifications and then they suddenly disappeared. Maybe because I uninstalled Linux?



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:25 AM

Posted 11 October 2018 - 01:13 PM

If your BIOS was corrupted you would have problems with this computer.

Stay safe.

#8 aidance

aidance
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:25 PM

Posted 12 October 2018 - 04:41 AM

Thanks for the help, Nasdaq. :) You may close the topic.





