
Persistent undetectable rootkit!



So a while ago I somehow acquired this rootkit that ended up slowing down my SSD by a LOT, and it caused Windows to run at a snail's pace. I figured it might be a dying SSD, so I waited until I got a new one so I could install Windows on that and then just take out the possibly infected/dying SSD. I did so and installed Windows with every other HDD/USB drive disconnected and with Windows Firewall set to block all incoming connections until I had all the Windows updates and had Malwarebytes and Microsoft Security Essentials installed. Once everything was up to date I scanned and then connected the drives, and of course everything still comes out clean. A couple of hours later, when I'm just browsing YouTube, Malwarebytes informs me that website protection has been turned off and asks me to fix it; the "fix it" button does nothing, and it then informs me that some driver has been disabled, possibly by a rootkit (I have some recollection of this happening on the old install too...). It also shut off the Skype call I was in (disconnected it as if I had lost connection) and some IRC networks shut down. My install is only a DAY OLD so far :( I need to know if there is a way to detect whatever this is and remove it. I'm fine with formatting my SSD again and reinstalling Windows, but I /CAN'T/ format my 2x 2TB HDDs because I simply don't have space to store the valuable data :(

Here's a list of the programs I scanned with:

MSE

Malwarebytes premium

malwarebytes anti rootkit

tdsskiller

gmer

aswmbr

avira rescue disk (on the old install)

 

And all of them come up with NOTHING (with rootkit scans enabled!)

Now when I try to run MBAR it tells me that the DDA driver failed or something and asks me to reboot. I can scan after I reboot, but everything is black; it comes out clean though.

 

I've attached FRST.txt and Addition.txt for you guys.. please help me, I can't seem to figure this out :(

Addition.txt

FRST.txt


Hello and welcome,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Do you have access to another PC to create the Windows Defender Offline Tool? I give the instructions to load it to a USB flash drive. It can also be run from a CD; just change to that option in the instructions…
It can be created from the PC with issues, but a different clean PC is preferred!

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit.

Run the tool; Windows 7/8 or Vista users right click and select "Run as Administrator".

Read the instructions in the new window and select "Next"

WD2.png

In the new window accept the agreement:

WD2a.png

In the new window select your USB Flash Drive, then select "Next"

WD3.png

In the new window ensure your Flash drive is selected; if not, click on "Refresh", then select "Next"

WD3a.png

In the new window accept the formatting alert by selecting "Next"

WD3b.png

Files will be Downloaded:

WD4.png

Files will be processed and created

WD5.png

Flash drive will be formatted and prepared

WD6.png

Files will be added to the Flash Drive and the tool will be created.

WD7.png

The procedure is finished and the Tool created, click on "Finish" to complete.

WD8.png

Plug the USB into the sick PC and boot up; if it does not boot from the flash drive, change the boot options as required. Use F12 as it boots, change options...
As it boots you'll see files being loaded and the Windows splash screen; eventually the tool will run a "Quick Scan". Follow the prompts and deal with what it finds.
When complete do a full scan, deal with what it finds.
When finished, remove the USB stick then press the Esc key to boot into regular Windows.
Navigate to the following file:

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

Open it with Notepad and copy and paste it into a reply. If the file exceeds forum character limits, zip it up and attach it to your reply....

 

Thanks,

 

Kevin....
 


Later on in the day my netbook also became infected with the same thing.. I ran Farbar on it and got the two text files, and I also ran Windows Defender Offline quick AND full scans; they found nothing and I got no log from Windows Defender. I ran the quick scan on my desktop and got nothing, and the full scan will take a day or two possibly, since I have over 4TB of data on my PC. The netbook got infected with the same thing, and Malwarebytes did the same thing on my netbook where suddenly it got disabled. It might be easiest to work on my netbook first as it has less data on it, and if they have the same thing it should give us some idea of how my desktop can be fixed, right? I connected a backup of my infected install to my netbook in order to recover some files and then later in the day it got infected, so that's likely how it happened if it wasn't over the network. I'm going to reformat my netbook again and use it for a day and see if it gets infected again (from my network), and if it does we can work from there I suppose.. I would really like to know how I can get rid of this rootkit/whatever it is without having to format my data drives because there's just too much precious data on there :( I can easily format my desktop SSD though.

 

Tell me what you would like me to do next; here are the files from my netbook:

netbook.zip


Thanks for the update and logs, as we are working the netbook see if you can do the following:

 

Make a clean install of Malwarebytes, ensure that the clean up tool is used; full instructions at the following link:

 

https://forums.malwarebytes.org/index.php?/topic/146017-mbam-clean-removal-process-2x/

 

Post the log from Malwarebytes when complete.... If Malwarebytes fails to run, do the following:

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement).
  • Click Scan to scan the system.
  • When the scan completes select "Report"; the log will open. Close the program > Don't Fix anything!
  • Post back the report, which should also be located here:



C:\Programdata\RogueKiller\Logs <-------- W7/8
C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------XP

 

Thank you,

 

Kevin


The netbook unfortunately had to be formatted for use, but here are the files from my desktop. The first is an older RK scan which I did before closing programs. ALSysIO64 is CoreTemp, a temperature monitoring program. Also, this happened upon restart; it happened when I first got infected too.

 

http://puu.sh/iMx4M/7d53b41823.jpg

MBAM log 4 7 2015.txt

RKreport_SCN_07032015_025933.log

RKreport_SCN_07042015_022200.log


So the netbook is formatted and no longer an issue, is that correct?

 

Next,

 

The latest logs are from another PC (Desktop); if that is correct, run the following:

 

1. Download Malwarebytes Anti-Rootkit from this link:

 http://www.malwarebytes.org/products/mbar/

2. Unzip the file to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update

Image3.png

8. When the update completes select Next.

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

MBAntiRKcleanA.png

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.
12. If no threats were found you will see the following image, Select Exit:

Image6.png

13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall


14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

15. Select "Y" from your Keyboard, tap Enter.

16. The fix will be applied, select any key to Exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log (date and time of scan will also be shown)

Thanks,

Kevin...
 

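The steps above end with MBAR's own logs, but when every scanner keeps coming back clean it helps to have something diff-able that does not depend on any one vendor's driver loading. The following script is an added example written for this thread; it is not a Malwarebytes tool and not something the poster or the helper supplied. It writes a plain-text inventory of the state of the security services mentioned in the thread and of every kernel driver WMI reports as running, with the on-disk path, SHA-256 and Authenticode status of each image. Saved on two machines (or before and after the reboot the OP describes) the two files can be compared line by line. Assumptions: the service names MBAMService, WinDefend and MsMpSvc for Malwarebytes, Windows Defender and Microsoft Security Essentials, and the report path, are mine; it is written for Windows PowerShell (Get-WmiObject, .NET hashing) so it also runs on the Windows 7 era systems in the thread.

```powershell
# Added example, not part of this thread or of any Malwarebytes tool.
# Produces a plain-text inventory of (a) the state of the security services
# and (b) every kernel driver WMI reports as running, with the on-disk path,
# SHA-256 and Authenticode status of its image. Run from an elevated
# Windows PowerShell prompt. The output is meant to be saved and compared
# (netbook vs desktop, or before/after a reboot), not read as a verdict.
#
# Assumptions: service names MBAMService (Malwarebytes), WinDefend
# (Windows Defender) and MsMpSvc (Microsoft Security Essentials); the
# report path is a constructed placeholder.

$ReportPath       = Join-Path $env:USERPROFILE 'Desktop\driver-inventory.txt'
$SecurityServices = 'MBAMService', 'WinDefend', 'MsMpSvc'

function Get-Sha256Hex([string]$Path) {
    # Hash via .NET so the script also works on PowerShell 2.0/3.0 (no Get-FileHash).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Resolve-DriverPath([string]$PathName) {
    # WMI reports driver image paths in several NT forms; map them to Win32 paths.
    # -replace is case-insensitive, so one rule covers System32 / system32.
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^System32\\', ($env:SystemRoot + '\System32\')
    return $p
}

$lines  = @()
$lines += "Inventory generated $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') on $env:COMPUTERNAME"
$lines += ''
$lines += '== Security services =='
foreach ($name in $SecurityServices) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        $lines += ('{0,-12} not installed' -f $name)
    } else {
        # A protection service that is installed but Stopped/Disabled a day into a
        # fresh install is exactly the symptom described in the first post.
        $lines += ('{0,-12} state={1} startmode={2}' -f $name, $svc.State, $svc.StartMode)
    }
}

$lines += ''
$lines += '== Running kernel drivers =='
$lines += 'Name | Path | SHA256 | Authenticode'
$running = @(Get-WmiObject -Class Win32_SystemDriver -Filter "State='Running'" | Sort-Object Name)
foreach ($drv in $running) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        # A running driver whose image cannot be found on disk deserves a closer
        # look: either the file is hidden from the file system or the path form
        # is one the resolver above does not handle.
        $lines += ('{0} | {1} | <image not found> | -' -f $drv.Name, $drv.PathName)
        continue
    }
    $hash = Get-Sha256Hex $path
    # Caveat: most Microsoft inbox drivers are catalog-signed, so on Windows 7
    # Get-AuthenticodeSignature reports them as NotSigned. Diff this column
    # against a known-good machine rather than treating NotSigned as malicious.
    $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    $lines += ('{0} | {1} | {2} | {3}' -f $drv.Name, $path, $hash, $sig)
}

$lines | Set-Content -Path $ReportPath -Encoding UTF8
Write-Host "Inventory written to $ReportPath ($($running.Count) running drivers)"
```

Run it once on each machine and compare the two files with `fc` or any diff viewer. Lines that exist on one machine only, a driver whose hash differs for the same path, or an "image not found" entry are the lines worth pasting into a reply alongside the FRST and MBAR logs; the Authenticode column on its own is noisy on older Windows for the reason given in the comment.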

Thanks for the logs, no obvious malware or infection. Continue please:

 

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Let me see those logs..

 

Thanks,

 

Kevin...


Thanks for the logs, continue as follows:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, click on the Clean button. <<<--- Ensure this option is completed
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[sn].txt, where n is the scan reference number.

 
Next,
 
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Next,

 

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the tool, select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

 

Let me see those logs, also give an update on any remaining issues or concerns....

 

Thank you,

 

Kevin..

Fixlist.txt



Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
