Possible registry changes made by rootkit?


Did a scan with GMER and it said I had registry changes made by a rootkit. I had already scanned with Norton Security, NPE, MBAM, MBAR, SuperAntiSpyware, TDSSKiller, KVRT and AdwCleaner, so I'm at a loss. Here is the log from GMER, and attached are the FRST logs.

-----------------------------------------------------------

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-19 19:14:45
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 ST1000DM003-9YN162 rev.CC4D 931.51GB
Running: dhddbrue.exe; Driver: C:\Users\Staind\AppData\Local\Temp\awryqpod.sys


---- Threads - GMER 2.1 ----

Thread   C:\Windows\system32\csrss.exe [760:788]                                                                         fffff960008b92d0
Thread   C:\Windows\Explorer.EXE [1676:4520]                                                                             00007fffdbcd4550
Thread   C:\Windows\Explorer.EXE [1676:4528]                                                                             00007fffdaac9a20
Thread   C:\Windows\Explorer.EXE [1676:1252]                                                                             00007fffe2b99970
Thread   C:\Windows\Explorer.EXE [1676:5800]                                                                             00007fffe2b9e630
Thread   C:\Windows\Explorer.EXE [1676:5340]                                                                             00007fffe2b9e630
Thread   C:\Windows\Explorer.EXE [1676:4156]                                                                             00007fffe2b9e630

---- Services - GMER 2.1 ----

Service  system32\drivers\0EC80205.sys (*** hidden *** )                                                                 [bOOT] 0EC80205                                                                       <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\0EC80205.sys                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\0EC80205.sys@                                            Driver
Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\0EC80205.sys                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\0EC80205.sys@                                            Driver
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations                               \??\C:\Users\Staind\AppData\Local\Temp\{D8CC2A55-E6DF-48F7-9698-674918AC6F55}.exe??
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                               848589339
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205                                                                 
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205@Type                                                            1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205@ErrorControl                                                    1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205@Start                                                           0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205@ImagePath                                                       system32\drivers\0EC80205.sys
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205@Group                                                           Boot Bus Extender
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205@RegLoad                                                         1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205@Tag                                                             759
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205\Parameters                                                      
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205\Parameters@arkmon64                                             0x64 0x62 0x0D 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205\Parameters@klbg64                                               0x64 0x62 0x07 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205\Parameters\ArkMon                                               
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205\Parameters\ArkMon@RestartPath                                   qqq.qqq
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205                                                                 
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\iexplore@Count  1
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{553891B7-A0D5-4526-BE18-D3CE461D6310}\iexplore@Count  1
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime                                              0x53 0x5B 0x88 0x8E ...

---- EOF - GMER 2.1 ----

FRST.txt

Addition.txt
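As an added example (not part of the thread and not GMER's own code), the following Python parser reads the GMER 2.1 log layout above and pulls out what a triager checks first: hidden services, boot-start (Start=0) driver services with their ImagePath, SafeBoot entries (the driver would load even in Safe Mode) and PendingFileRenameOperations. SAMPLE_LOG is a constructed excerpt built from the entries posted above.

```python
import re
from collections import defaultdict
SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed excerpt in GMER 2.1 layout, built from the entries in the log posted above.
SAMPLE_LOG = r"""---- Services - GMER 2.1 ----
Service  system32\drivers\0EC80205.sys (*** hidden *** )   [bOOT] 0EC80205   <-- ROOTKIT !!!
---- Registry - GMER 2.1 ----
Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\0EC80205.sys@   Driver
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations   \??\C:\Users\Staind\AppData\Local\Temp\{D8CC2A55-E6DF-48F7-9698-674918AC6F55}.exe??
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed   848589339
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205@Start   0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\0EC80205@ImagePath   system32\drivers\0EC80205.sys
"""

def parse_gmer(text):
    """Return {section: [row, ...]}; GMER separates columns by two or more spaces."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = re.match(r"---- (.+?) - GMER 2\.1 ----", line)
        cols = re.split(r"\s{2,}", line.strip())
        if m:
            current = m.group(1)
        elif current and cols[0] == "Reg" and len(cols) > 1:
            key, sep, value = cols[1].rpartition("@")      # "Key@Value" -> (Key, Value)
            sections[current].append({"key": key if sep else value, "value": value if sep else None,
                                      "data": cols[2] if len(cols) > 2 else None})
        elif current and cols[0] == "Service" and len(cols) > 2:
            start, _, name = cols[2].partition(" ")         # "[bOOT] name"
            sections[current].append({"name": name, "start": start.strip("[]").upper(),
                                      "hidden": "*** hidden ***" in cols[1]})
    return sections

def triage(text):
    """Collect the indicators from a GMER log that a triager would chase first."""
    parsed, findings = parse_gmer(text), defaultdict(set)
    findings["hidden_service"] = {s["name"] for s in parsed["Services"] if s["hidden"]}
    for row in parsed["Registry"]:
        key, value, data = row["key"], row["value"], row["data"]
        if key.startswith(SERVICES_KEY):
            name = key[len(SERVICES_KEY):].split("\\")[0]
            if value == "Start" and data == "0":           # boot-start: loads before AV drivers
                findings["boot_start_driver"].add(name)
            elif value == "ImagePath":                     # path to look for with the FRST file search
                findings["image_path"].add(data)
        elif "\\Control\\SafeBoot\\" in key:               # driver also loads in Safe Mode
            findings["safeboot_entry"].add(key.rsplit("\\", 1)[1])
        elif value == "PendingFileRenameOperations":       # file renamed/deleted at next boot
            findings["pending_rename"].add(data)
    return {k: sorted(v) for k, v in findings.items()}
```

Run against the full log from the first post, triage() yields the driver name and path that the later FRST file and registry searches in this thread ask for.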


Hello,

They call me TwinHeadedEagle around here, and I'll try to help you with your issue.

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • I volunteer to help you, so please do not ask for help for your company/business PC. Companies make revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies

We won't support any piracy.

That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.

Let's make one more check for that file:

FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

  • Copy 0EC80205.sys into the Search: field in FRST then click the Search Files button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.

Hm, let's conduct one more search:

FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

  • Copy 0EC80205 into the Search: field in FRST then click the Search Registry button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.

I wanted to know about GMER and whether it could possibly cause system instability or false positives, because after running GMER the first time I had a BSOD, and after the restart the Malwarebytes rootkit function stopped working and I had to restart again (this was before I posted on here). I tried GMER on another computer and it also shut down that function in MBAM. Also, what about the registry changes? Thanks for the help, Eagle.


Everything seems to be okay, I guess, but I still have no idea what happened. I can't find any trace of 0EC80205; I might do an HD wipe just to be safe. Do you have any thoughts about what could have happened? Anyway, thanks again, Eagle.

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
