Possible Root Kit ?

Having issues with startup and crashing during use. Previous trouble solved by this forum a while back. Malwarebytes detects nothing; intermittently the program has not been able to run the anti-rootkit. Had to download the application to the desktop and disable Norton for it to run. Anti-rootkit detects nothing. Crashes are beginning to cause other hardware problems.

Addition.txt

FRST.txt


Hello and welcome,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Next,


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Open Malwarebytes Anti-Malware; from the Dashboard please check for updates by clicking the Update Now... link.

When the update completes select Settings > Detection and Protection > Enable Scan for rootkit, and under Non-Malware Protection set both PUP and PUM to "Treat detections as malware".

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

In most cases, a restart will be required.

Wait for the prompt to restart the computer to appear, then click on Yes.

When the scan is completed, from the main GUI click on History > Application Logs. Find your scan log; the date when it was run will identify it. Checkmark the "select" box, then hit the "view" button. The history log window will open. At the bottom of that window are two options, "Copy to clipboard" and "Export".

Select "Copy to clipboard"; that copies the full log to the Windows clipboard, so in your reply you can right-click into the text field and select "Paste" to paste the log into your reply.

Or select "Export"; you are given the option to export as a text file (*.txt) or XML file (*.xml). Choose text file and save the exported file to a place of your choice. That file can be attached to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.

  • Double-click on Adwcleaner.exe to run the tool.
  • Click on Scan.
  • Once the scan is done, click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[sn].txt, where n is the scan reference number.

Next,

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts (re-enable when done).
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Next,

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop.

Ensure you get the correct version for your system:

32 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right-click on the tool and select "Run as Administrator"; the tool will expand to the options window.

In the "Scan Type" window, select Quick Scan.

Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Press the Windows key and R key together to open the "Run" dialog.

2) Type or copy/paste the following command into the "Run" line and press Enter:

notepad c:\windows\debug\mrt.log

Let me see those logs, and also give an update on any remaining issues or concerns...

Thanks,

Kevin...

Fixlist.txt

Kevin,

Thanks for the response. Please find attached the requested log files. Ran tools out of order as AdwCleaner crashed the first two times. This was the order of the tools: FRST, Malwarebytes, Junkware Removal Tool, Malicious Software Tool, and then AdwCleaner.

Between the time I posted and your response the computer has crashed a few times while using Google Chrome. Only problem since then was the system freezing with the AdwCleaner tool.

Brian

AdwCleanerS0.txt

Fixlog.txt

JRT.txt

MBAM.txt

mrt.log

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement).
  • Click Scan to scan the system.
  • When the scan completes select "Report"; the log will open. Close the program > Don't Fix anything!
  • Post back the report, which should also be located here:

C:\Programdata\RogueKiller\Logs (Windows 7/8)

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs (XP)

Thanks,

Kevin

A couple of weeks ago I did. Thought that was my issue but NVIDIA software wasn't letting me roll back to the previous driver.

I don't know if I did this correctly for the minidump files, never done that before. Let me know if this is not what you need. Windows crashed again; this was the text saying what occurred.

Problem signature:
  Problem Event Name: BlueScreen
  OS Version: 6.1.7601.2.1.0.768.3
  Locale ID: 1033

Additional information about the problem:
  BCCode: 7e
  BCP1: FFFFFFFFC0000005
  BCP2: FFFFF800038CB55B
  BCP3: FFFFF880035E7908
  BCP4: FFFFF880035E7160
  OS Version: 6_1_7601
  Service Pack: 1_0
  Product: 768_1

Files that help describe the problem:
  C:\Windows\Minidump\011915-36831-01.dmp
  C:\Users\Brian\AppData\Local\Temp\WER-84895-0.sysdata.xml

Read our privacy statement online:

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

Brian

Minidump.rar

Hello Brian,

The minidump folder you attached is empty, yet the log you posted does show the presence of one file: C:\Windows\Minidump\011915-36831-01.dmp

Can you check the folder and see if the file is there; if so, zip and attach the file this time...

  • Please download this program Blue Screen Viewer and unzip "Bluescreen View.exe" to your desktop.
  • Next, select Start > right-click on "Computer" and select "Properties", select "Advanced System Settings", then the "Advanced" tab. From the "Start up and Recovery" section select "Settings" and make sure the default folder is "%SystemRoot%\Minidump".
  • Go back to your desktop and double-click on Bluescreen Viewer to run it; if there is any info available the program will grab the most recent. Choose Save from the toolbar and copy/paste into your next reply. If there is no information available, try to re-create the BSOD and try again with the tool to collect the information.

Thanks,

Kevin...

Kevin,

Went back to an older version of my video card driver that I know I wasn't having trouble with. Prior to that I uninstalled all Nvidia related stuff and did a clean install of the driver. After that I tried to run RogueKiller again and it crashed the system again, only moments after starting its scan. I ran the Blue Screen utility and the log file is attached.

This was the Windows message that appeared following a restart:

Problem signature:
  Problem Event Name: BlueScreen
  OS Version: 6.1.7601.2.1.0.768.3
  Locale ID: 1033

Additional information about the problem:
  BCCode: 3b
  BCP1: 00000000C0000005
  BCP2: FFFFF80003908AEC
  BCP3: FFFFF8800AB27F70
  BCP4: 0000000000000000
  OS Version: 6_1_7601
  Service Pack: 1_0
  Product: 768_1

Files that help describe the problem:
  C:\Windows\Minidump\012015-75005-01.dmp
  C:\Users\Brian\AppData\Local\Temp\WER-300691-0.sysdata.xml

Brian

BSOD_2.txt
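The two "Problem signature" blocks Brian posted carry more information than they look: BCCode is the kernel bug check number, and for bug checks such as 0x7E and 0x3B the first parameter (BCP1) is the NTSTATUS exception that went unhandled and BCP2 the kernel address where it happened. The following Python script is an added example, not part of the thread and not code from any of the tools it uses; it parses both reports as posted, decodes the bug check and exception names from a small table of well-known Microsoft values, and summarizes the pattern across crashes. The names in BUGCHECK_NAMES and NTSTATUS_NAMES are the documented Windows values; the helper names and the shortened second report are this example's own.

```python
import re

# Well-known Windows bug check codes and NTSTATUS exception codes (Microsoft's
# Bug Check Code Reference); only a few are listed here for the example.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x3B: "SYSTEM_SERVICE_EXCEPTION",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x124: "WHEA_UNCORRECTABLE_ERROR",
}
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0x80000003: "STATUS_BREAKPOINT",
}
# For these bug checks BCP1 is the unhandled exception code and BCP2 the
# address at which the exception occurred.
EXCEPTION_IN_BCP1 = {0x1E, 0x3B, 0x7E}

FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s*(.*?)\s*$")

# First report from the thread, verbatim.
SIGNATURE_1 = r"""Problem signature:
  Problem Event Name: BlueScreen
  OS Version: 6.1.7601.2.1.0.768.3
  Locale ID: 1033

Additional information about the problem:
  BCCode: 7e
  BCP1: FFFFFFFFC0000005
  BCP2: FFFFF800038CB55B
  BCP3: FFFFF880035E7908
  BCP4: FFFFF880035E7160
  OS Version: 6_1_7601
  Service Pack: 1_0
  Product: 768_1

Files that help describe the problem:
  C:\Windows\Minidump\011915-36831-01.dmp
  C:\Users\Brian\AppData\Local\Temp\WER-84895-0.sysdata.xml
"""

# Second report from the thread, shortened to the fields the parser needs.
SIGNATURE_2 = r"""Additional information about the problem:
  BCCode: 3b
  BCP1: 00000000C0000005
  BCP2: FFFFF80003908AEC
  BCP3: FFFFF8800AB27F70
  BCP4: 0000000000000000
  OS Version: 6_1_7601

Files that help describe the problem:
  C:\Windows\Minidump\012015-75005-01.dmp
"""


def parse_problem_signature(text):
    """Turn a 'Problem signature' block into {field: value}; .dmp paths go under 'dump_files'."""
    fields = {"dump_files": []}
    for line in text.splitlines():
        stripped = line.strip()
        if "\\" in stripped:                      # a file path, not a "key: value" field
            if stripped.lower().endswith(".dmp"):
                fields["dump_files"].append(stripped)
            continue
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1), m.group(2))  # first "OS Version" wins
    return fields


def decode_signature(text):
    """Decode one report: bug check name, unhandled exception and faulting address."""
    fields = parse_problem_signature(text)
    code = int(fields["BCCode"], 16)
    params = [int(fields["BCP%d" % i], 16) for i in range(1, 5)]
    exception = fault_address = None
    if code in EXCEPTION_IN_BCP1:
        status = params[0] & 0xFFFFFFFF   # BCP1 may be printed sign-extended (FFFFFFFFC0000005)
        exception = NTSTATUS_NAMES.get(status, "0x%08X" % status)
        fault_address = params[1]
    return {
        "bugcheck": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "exception": exception,
        "fault_address": fault_address,
        "os_version": fields.get("OS Version"),
        "dump_files": fields["dump_files"],
    }


def summarize_crashes(texts):
    """Across several reports: the same exception class at different kernel addresses is
    the pattern to take to the minidumps in a debugger, rather than to another AV scan."""
    decoded = [decode_signature(t) for t in texts]
    return {
        "bugchecks": sorted({d["bugcheck_name"] for d in decoded}),
        "exceptions": sorted({d["exception"] for d in decoded if d["exception"]}),
        "distinct_fault_addresses": len({d["fault_address"] for d in decoded}),
        "dump_files": [p for d in decoded for p in d["dump_files"]],
    }


if __name__ == "__main__":
    print(summarize_crashes([SIGNATURE_1, SIGNATURE_2]))
```

Run on the two reports it gives one exception class (STATUS_ACCESS_VIOLATION) under two different bug checks at two different kernel addresses, with the two minidump paths collected for attachment; that is consistent with the driver and memory diagnosis the thread moves toward, and the dumps themselves are what confirm which module faulted.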

Kevin,

Ran the stress test, not sure what I was looking for; the system never crashed, saw some breakup of the pattern and a low frame rate, but the system never crashed. Do you think this would be of any help? http://support.microsoft.com/kb/2719704

I try to stay up to date with Windows updates, so I figure I should have already received and installed it.

Tried RogueKiller again, crashed again.

Brian

I'm still concerned why the system crashes running RogueKiller; although the crash details indicate a graphics problem, I would still like to be certain there is no malware/infection on your system.

The scanners we ran successfully do not show a definite infection or similar, rootkit etc. See if the following will run:

Please read carefully and follow these steps.

  • Download TDSSKiller from here: http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.
  • Double-click on tdsskiller.exe to run the application.
  • The "Ready to scan" window will open. Click on "Change parameters".
  • Place a checkmark next to "Verify Driver Digital Signature" and "Detect TDLFS file system" (leave "Services & Drivers" and "Boot Sectors" ticked). Click OK.
  • Select "Start Scan".
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Next,

Please download aswMBR from here: http://files.avast.com/files/rootkit-scanner/aswmbr.exe and save it to your desktop.

  • Double-click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download, so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the Save Log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).

Thanks,

Kevin..
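The MBR.dat backup that aswMBR leaves behind is useful beyond recovery: a saved copy of sector 0 lets you later check whether the boot code or partition table has been altered, which is exactly what an MBR bootkit does. The script below is an added example, not part of the thread and not aswMBR's own code; it assumes MBR.dat is the raw 512-byte sector (if the tool stores something else, adapt the read). It parses the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code, and diffs a backup against a fresh read. The sample sector it builds is constructed for the example, not taken from any real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445: boot code, the part a bootkit replaces
PART_TABLE_OFFSET = 446         # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"    # bytes 510..511


def parse_mbr(data):
    """Parse one 512-byte MBR sector; raises ValueError if it is not a valid MBR."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(data)))
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * 16
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            PART_ENTRY_FMT, data[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def compare_mbr(backup, current):
    """Diff a saved MBR backup against a fresh read of sector 0; an empty list means no change."""
    b, c = parse_mbr(backup), parse_mbr(current)
    diffs = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        diffs.append("boot code changed")
    if b["partitions"] != c["partitions"]:
        diffs.append("partition table changed")
    return diffs


def build_sample_mbr():
    """Constructed sample (not a real disk image): stub boot code, one bootable NTFS
    partition at LBA 2048 of 204800 sectors, three empty slots, and the signature."""
    boot_code = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_SIZE - 2)   # jmp $ then NOP padding
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    original = build_sample_mbr()
    print(parse_mbr(original))
    # Simulate a tampered boot sector: one byte of boot code altered.
    patched = original[:16] + b"\x00" + original[17:]
    print(compare_mbr(original, patched))
```

To use it on a real backup, read MBR.dat with open(path, "rb").read() as the backup and a fresh dump of sector 0 as the current sector; a non-empty diff means sector 0 no longer matches what the scanner saved, which is worth a second look before assuming the difference is benign.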

Hello Brian,

Good to see the rootkit scans were clear; at least we have no malware/infection to worry about.

The latest BSOD is pointing the finger of blame at memory (RAM) issues, so I guess we need to check that out and see what gives...

Go here: http://www.sevenforums.com/tutorials/715-memory-diagnostics-tool.html follow those instructions and run a memory check...

If those checks come back ok go here: http://www.memtest86.com/ download and run MemTest86; ensure you use version 5, which supports 64-bit systems. Support forum at this link: http://www.passmark.com/support/index.htm if you need help/advice...

Cheers,

Kevin...

There is nothing in the logs to indicate malware/infection as the root cause of the BSOD; it certainly does look like a possible hardware issue.

Run the following to clean up tools etc..

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if the first link is down:

"Delfix link mirror"

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make sure the following items are checked:

  • Remove disinfection tools
  • Reset system settings

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted...

Next,

Read the following link to fully understand PC security and best practices; you may find it useful....

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

Let me know if we are ok to close out.....

Cheers,

Kevin..

This topic is now closed to further replies.