Showing results for tags 'gmer'.
Found 7 results

  1. Posted Yesterday, 01:59 PM

     I'm a completely novice computer user. Recently, I have been having some malware issues on my PC, which is Windows 10. I already have an antivirus, Quick Heal Total Security, and recently it detected a Coinhive mining malware on my computer; plus, it keeps showing pop-up windows that it has blocked access to multiple harmful websites even when I'm accessing reliable websites like Amazon and others. I researched a bit on the Coinhive virus and found out some serious things, and so I'm currently scanning my computer for all kinds of malware, spyware, adware, rootkits using a variety of tools just to be safe. I know I'm being paranoid, but better to be paranoid than have my personal data compromised. So far, I've used Malwarebytes to run a full system scan, TDSSKiller for rootkits, and a full system scan by my installed antivirus. All three of them came up clean after that one Coinhive virus was removed. I'm also planning to use more scanners like AdW, ESET, Rkill, as many as I have found, to be on the safe side.

     Now, I started running a scan with GMER for rootkits today, in safe mode; however, the first time, mid-scan, the window just disappeared off the screen. I ran it a second time, and it only showed two entries in the log list before a message was displayed that my system had run into an error and needed to restart. I booted the computer into safe mode once again and started GMER for the third time, and the same thing happened: two logs, then mid-scan, the same error message and restart. So now I'm thinking I do have a rootkit that is stopping GMER from running a scan. I really don't know what to do right now. I also know that GMER is supposed to be for advanced users only, but my plan was to just get the results, save them and then show them to an expert, either here or, if not possible, to someone I know. However, given that the scan won't even get halfway through, I don't know what to do.

     I would be grateful if someone could point me in the right direction. GMER not being able to complete the scan does mean that I have some kind of rootkit stopping it from working, right? Or could there be any other reasons for that? Thank you very much.

     P.S. I know I need to back up my data before I run any tools recommended by experts here, but I'm actually worried about infecting my backup as well. As I have already mentioned, my computer was infected by a Coinhive mining virus before, and even though it's removed now, I haven't deleted any old system restore points or registry files, so it's possible the virus still persists. Plus, since my computer may have other kinds of malware right now, including rootkits, if I try to back up my data now, isn't there a good possibility that I'm also infecting my backup? I back up all my data on an external hard drive, and those are even more susceptible to infection; just plugging it into my computer right now could transmit the malware. So, if at the end of the malware removal process I lose some of my data and have to restore it from my backup, am I facing a chance of re-infection and also damage to my external hard drive? If so, then could you please suggest a safe way to back up all of my data? My data does not contain any applications or program files; it's only composed of documents, videos, music and images, which are all stored on the D and E drives. I'm not going to be backing up anything from the C drive. Is there no way to safely back up, or back up in a way so that when I restore it on the clean PC, it does not reinfect? I currently have some important files on my computer that I can't lose. I know there is no 100% guaranteed way that if I back up it won't be infected, but how should I reduce the risks?

     I don't want to lose any files by running scans with the anti-malware tools, so please point me in the right direction for backing up my files relatively safely before I use the suggested tools and post the logs. Please suggest a safe backup method so I can proceed with the removal process.
  2. I'm currently analyzing an endpoint which most likely is compromised and need some help breaking down what the malware has done. Due to possibly more infected endpoints, I'm out to identify the root of it, making it possible to determine if other endpoints are compromised. One day the machine (Win10) suddenly started to consume high amounts of CPU resources without any process showing this consumption in the task manager. This persisted for days and survived reboots. To look for techniques for persistence I did try Sysinternals Autoruns and ProcessExp, although there were no obvious/super-suspicious processes, tasks, services, reg-entries or DLLs to make a next move on. Due to suspicion of rootkit malware I did a scan with GMER. It reported some interesting findings, listed below (only snippets of the whole list).

     .text C:\WINDOWS\system32\wbem\wmiprvse.exe[‘removed’] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA [‘removed’] 5 bytes JMP [‘removed’]
     .text C:\WINDOWS\system32\wbem\wmiprvse.exe[‘removed’] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW [‘removed’] 5 bytes JMP [‘removed’]
     .text C:\WINDOWS\system32\wbem\wmiprvse.exe[‘removed’] C:\WINDOWS\system32\USER32.dll!SetWindowsHookA [‘removed’] 5 bytes JMP [‘removed’]

     Although I'm quite new to such analysis, my theory is that these are signs of key-logging and/or DLL injection. Next, I find these entries interesting (only some examples; the full report listed several functions per DLL):

     .text C:\Program Files(x86)\Google\Chrome\Application\chrome.exe[‘removed’] @ C:\WINDOWS\system32\KERNEL32.DLL!CreateRemoteThread [‘removed’] 5 bytes JMP [‘removed’]
     (...)
     .text C:\Program Files(x86)\Google\Chrome\Application\chrome.exe[‘removed’] @ C:\WINDOWS\system32\ntdll.dll!NtCreateFile [‘removed’] 16 bytes {MOV RAX ,[‘removed’]; JMP RAX }
     (...)
     IAT C:\Program Files(x86)\Google\Chrome\Application\chrome.exe[‘removed’] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [‘removed’]

     Can anybody give me any clues on how to further analyze this? Any theories on whether or how threads/processes are hidden? And any thoughts on what technique can be utilized for persistence and how to identify it? Thank you!
  3. Hey guys, sorry about necro-ing this thread, but I do have the exact same issue as EniNeu. A scan with GMER reveals this as well:

     Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** ) [BOOT] WdBoot <-- ROOTKIT !!!
     Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** ) [BOOT] WdFilter <-- ROOTKIT !!!
     Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden ***) [AUTO] WinDefend <-- ROOTKIT !!!

     I am wondering if I should attempt deletion through GMER or if there is a better way. Just in case this might be a false positive, I've attached a log of the complete scan. Thank you in advance.

     Attached: CHRONOS gmer scan 03.05.17.log
  4. Okay, I think this is probably my first post on the forums, so I apologize for being a noob and doing whatever annoying things noobs do before they get a clue. That said, I am pretty positive I have a rootkit. It's a quiet and crafty sort; from the beginning there were no obvious signs of infection, there wasn't any slowing or memory leaking, no unusual traffic noted. I felt like something was off, but I couldn't pinpoint what until I got the first warning message from MBAM (see Exploit Blocking below). Now I notice that all my desktop icons are rearranged and suddenly there is a bit of dead space at the bottom where I can no longer move any icons, though that's kind of the least of my worries. Please see all the notes below and txt files (assuming I can figure out how to attach them!). I believe the initial infection came from a popup/pop-under (can't recall which, sorry!) at http://www (dot) nowvideo (dot) sx/video/11bb079eff255 while using Chrome. Yes, I run AdBlock Plus, Ghostery, and have all my many browsers configured to block popups, and I never have any issues on any other sites, but this one managed to get around all that. I threw everything I could think of at this, but I really just feel like I'm chasing it from one corner to another. Any help would be thoroughly appreciated.

     MBAM:
     * Initial error message that an exploit was blocked in Powershell (see txt file)
     * Scans Clean - All Scans
     * Starts up as normal, except Web Protection is shut off
     * On first load, Web Protection can be re-enabled
     * At some point, Web Protection will return to off, and Exploit Protection goes with it
     * Exploit Protection can be re-enabled, but it will switch off again
     * On attempting to re-enable Web Protection, it will forever say "Starting..." until next reboot

     MBAR:
     * Scans clean

     Avast:
     * Scans clean

     TrendMicro Housecall:
     * Scans clean

     GMER:
     * Initially found the following:
       Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** ) [BOOT] WdBoot <-- ROOTKIT !!!
       Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** ) [BOOT] WdFilter <-- ROOTKIT !!!
       Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden ***) [AUTO] WinDefend <-- ROOTKIT !!!
     * Attempted deletion (through GMER) of all three, but WdBoot failed.

     aswMBR:
     * Ran after GMER. The service below popped up, but aswMBR was unable to fix the issue (see full log).
       23:05:02.343 Service WdBoot C:\WINDOWS\system32\drivers\WdBoot.sys **LOCKED**
     * Subsequent attempts to run aswMBR result in a BSOD with the reason "Page fault in non-paged area" and then a forced restart.

     JRT:
     * Nothing to report

     HitmanPro:
     * Found buckets of cookies in all browsers, including Internet Explorer and Edge, which I NEVER use. All cookies were deleted. This was the initial confirmation something was up.

     rKill:
     * A couple of issues popped up, nothing glaring... See txt.

     ADW Cleaner:
     * No issues found

     FRST:
     * See txt

     RootKitRemover (McAfee):
     * Scanned Clean

     Attached: hijackthis 2-14-17.log, MBAM - Exploit Blocked.txt, Rkill 2-13-17.txt, aswMBR 2-14-17.txt, FRST 2-14-17.txt, GMER Full 2-15-17.log, GMER Pert 2-15-17.txt
  5. Good morning/evening. I've read many posts here and elsewhere, installed the required/suggested programs and finally thought it would be wise to add my problem to the pile :s

     It's been a while since the computer is kind of slow. I installed all the updates (Windows, Java, Flash), the Malwarebytes rootkit remover and malware remover, SuperAntiSpyware, changed Comodo for ZoneAlarm, and now I'm having Spyware Cease/AVG/Advanced SystemCare, GMER (so far the only one that actually recognizes something and allows me to kill the process, but they pop up randomly), and I know what false positives are, etc., registry cleaners... The thing is, all of a sudden Korean and Mandarin characters are popping up in GMER and I've never seen them before. It's brutally annoying; I work for a Japanese-owned company and wonder if it's not industrial spying. I'm in North America, with lots of co-workers from Asia, and this could also be a possibility. It's very frustrating, as I did all the search for the corrupt csrss.exe file and obviously won't find it. I'd join screenshots so you can see; some repeating threads but mostly program jacking. I also used Panda Cloud scanner/RogueKiller/Kaspersky/ESET, all to no avail/real result; it seems they only look for English characters, and they did remove a few PUPs and adware but nothing serious. I tried moving everything to another user (that I just created), and before I report this to my employer as a serious issue I'd like to have some idea (are there apps I can use to track the origin of the sender so I can show those smart asses a lesson?). This has been burning lots of time; I'm working as you all are, I suppose, and a part-time student as well.

     *Update: I've been working with computers for a while, so don't worry and suggest me a straight-up solution. Regedit won't detect the csrss.exe file, but the virus keeps emulating it along with .32 processes. I also noticed that GMER mentions a "windows" without a capital W, but the other times it has it. Ask for the logs if you'd like, but they show nothing. 0, zilch, nada. I guess I could try to "search for the Chinese character meaning" if it can be tracked from the photo. I've only seen those kinds of posts a few times, and I don't mean to be racist, but I studied cyber criminology and was told Asian script kiddies & seasonal criminals are fond of unwary American cyber surfers' funds. Thanks in advance!

     Attached: backdoor stuff.txt, problemz.txt, Rkill.txt, shiiiiiiiiit.txt
  6. Yesterday, I noticed that I could not launch my VPN program, Faceless.ME (which uses OpenVPN, I think). It went missing from my PC overnight, and was first noticed when my start menu link referenced a deleted executable. I tried downloading the software, but ALAS! I could not download it! Firefox reported the download contains no data. I then proceeded to download the EXE from my phone successfully. I transferred it to my PC and upon trying to launch it, the EXE was gone! YES, gone! Additionally, I tried downloading mediaget at http://mediaget.com/download.php and received a blank page on visiting the URL. PC is running Avast. Malwarebytes found nothing. Attached my GMER log: gmr.log
  7. I have used ComboFix, Malwarebytes and other tools to clean the system, but GMER still states something is wrong. Please advise; pasted results below.

     GMER 2.1.19155 - http://www.gmer.net
     Rootkit quick scan 2013-08-13 13:57:31
     Windows 6.1.7601 Service Pack 1
     \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST980813AS rev.3.ADB 74.53GB
     Running: kziy15r3.exe; Driver: C:\Users\Your\AppData\Local\Temp\kgldrpoc.sys

     ---- Devices - GMER 2.1 ----

     AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
     Device \Driver\tdx \Device\Ip OAmon.sys
     Device \Driver\tdx \Device\Tcp OAmon.sys
     Device \Driver\tdx \Device\Udp OAmon.sys
     Device \Driver\tdx \Device\RawIp OAmon.sys

     ---- EOF - GMER 2.1 ----