Tracks of a rootkit in ntbtlog.txt


Hello fighters of the good fight,

I just ran a Malwarebytes scan and it found 87 threat objects in the first pass and 2 additional objects in the second pass.  One of the two things it found on the second pass was:

Rootkit.Komodia.PUA   C:\Windows\System32\drivers\bsdriver.sys

I had Malwarebytes go ahead and remove all those objects.

Before I ran Malwarebytes I had these two entries in my ntbtlog.txt file:

Loaded driver \??\C:\Windows\system32\drivers\avgtpx64.sys
Loaded driver \??\C:\Windows\system32\drivers\bsdriver.sys

After I instructed Malwarebytes to remove the threats it found the next boot produced an ntbtlog.txt file with these two lines:

Loaded driver \??\C:\Windows\system32\drivers\avgtpx64.sys
Did not load driver \??\C:\Windows\SysWow64\drivers\bsdriver.sys

I have three questions about this:

1. Malwarebytes appears to have done something to prevent the loading of bsdriver.sys.  But something else wants to load it.  How do I find that something else?  Malwarebytes apparently has not found it.  Is it still out there trying to load bsdriver.sys?

2. What does that \??\ figure mean?  I am very suspicious of that.  It looks like some shenanigans are going on.  Is that the signature of a virus?

3. The fact of avgtpx64.sys carrying the \??\ signature makes me suspicious of that one as well.  Ought Malwarebytes to have flagged that one also?

I have a clean bill of health from Malwarebytes at this point, but I also have a cold boot time of over 8 minutes.  Something bad is going on during that boot, but I don't know what it is.  Any help would be very much appreciated.

Thank you.

DudgeonousTweet
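An added example, not part of the original post or of the forum replies that follow: a PowerShell script that takes the ntbtlog.txt lines quoted above and looks up, for each driver, the HKLM\SYSTEM\CurrentControlSet\Services key whose ImagePath names that file. The boot loader and the kernel build the boot-time driver list from those Services keys, so a "Did not load driver" line whose file is gone but whose Services key survives is the "something else" the post asks about; the script reports the key name, its Start value and the ImagePath exactly as stored, so the reader can see which spelling of the path the key holds. It also strips the \??\ prefix. That prefix is not a malware marker: \??\ is the NT object-manager directory in which the DOS drive letters (C:, D:, ...) live, so \??\C:\Windows\... is simply the kernel's way of writing C:\Windows\..., and it appears on any driver whose ImagePath was given as a full Win32 path, benign or not. The two log lines embedded in the script are constructed from the post; the function and variable names are the example's own. Run it in an elevated PowerShell on the affected machine; it only reads the registry.

```powershell
# Added example (not from the thread): map ntbtlog.txt driver lines back to the
# HKLM\SYSTEM\CurrentControlSet\Services keys that tell the kernel to load them.

# Constructed sample: the two lines quoted in the original post. On the real machine use
#   $logLines = Get-Content "$env:SystemRoot\ntbtlog.txt"
$logLines = @'
Loaded driver \??\C:\Windows\system32\drivers\avgtpx64.sys
Did not load driver \??\C:\Windows\SysWow64\drivers\bsdriver.sys
'@ -split "`r?`n"

# Meaning of the Start DWORD in a Services key.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function ConvertFrom-NtBtLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # ntbtlog.txt has two line shapes for drivers; the header and anything else is skipped.
        if ($line -match '^(?<status>Loaded driver|Did not load driver)\s+(?<path>\S.*?)\s*$') {
            # "\??\" is the object-manager directory holding the DOS device names, so
            # "\??\C:\Windows\..." is the kernel spelling of "C:\Windows\...". Drop it.
            $win32Path = $Matches.path -replace '^\\\?\?\\', ''
            [pscustomobject]@{
                Status   = $Matches.status
                Path     = $win32Path
                FileName = $win32Path.Split('\')[-1]
            }
        }
    }
}

function Get-DriverServiceIndex {
    # One record per Services key whose ImagePath names a .sys file. Matching on the bare
    # file name sidesteps the several ImagePath spellings the loader accepts
    # ("system32\DRIVERS\x.sys", "\SystemRoot\System32\drivers\x.sys", "\??\C:\...\x.sys").
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            $m = [regex]::Match([string]$p.ImagePath, '(?i)[^\\/"]+\.sys\b')
            if ($m.Success) {
                [pscustomobject]@{
                    Service     = $_.PSChildName
                    DisplayName = [string]$p.DisplayName
                    ImagePath   = [string]$p.ImagePath
                    FileName    = $m.Value
                    Start       = if ($null -eq $p.Start) { '' }
                                  else { '{0} ({1})' -f $p.Start, $startNames[[int]$p.Start] }
                }
            }
        }
}

function Get-NtBtLogDriverReferences {
    param([string[]]$Lines)
    $index = Get-DriverServiceIndex
    foreach ($entry in ConvertFrom-NtBtLog -Lines $Lines) {
        $refs = @($index | Where-Object { $_.FileName -ieq $entry.FileName })
        if ($refs.Count -eq 0) { $refs = @($null) }   # still emit a row so the driver is not lost
        foreach ($r in $refs) {
            [pscustomobject]@{
                Status      = $entry.Status
                Driver      = $entry.FileName
                # False here together with a surviving Services key is the leftover to hand
                # to whoever does the cleanup: the file is gone, the instruction to load it is not.
                OnDisk      = Test-Path -LiteralPath $entry.Path -PathType Leaf
                Service     = if ($r) { $r.Service } else { '(no Services key references this file)' }
                Start       = if ($r) { $r.Start } else { '' }
                ImagePath   = if ($r) { $r.ImagePath } else { '' }
                DisplayName = if ($r) { $r.DisplayName } else { '' }
            }
        }
    }
}

Get-NtBtLogDriverReferences -Lines $logLines | Format-Table -AutoSize -Wrap
```

The same lookup works for every line of a real ntbtlog.txt, not just the two quoted ones, so running it against the full file after a cleanup lists every driver the system still tries to load and the key responsible for each; a long boot is easier to reason about once that list is in hand.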

Hi:

Welcome.:)

Thanks for the detailed description.

We're probably going to need to refer you to a different area of the forum for a bit of deeper work, but it would help for starters to see the actual MBAM Scan log, as well as a bit of basic system diagnostic information.

First, please export to a *.TXT file, save to your desktop and then ATTACH to your next reply here in this thread the MBAM Scan log showing the detections. More info HERE.

Also, it would help if you would please read the following and attach to your next reply the 3 requested logs - Diagnostic Logs (the 3 logs are FRST.txt, Addition.txt and CheckResults.txt)

Thank you,

Thank you very much for your help and attention.

Per your instructions, I have attached three Malwarebytes log files, and the FRST64.txt, Addition.txt, and CheckResults.txt files.  The Malwarebytes log files are named according to date and time.  The two earlier ones are the same ones that I referenced in my original post.  The third one is the result of a Malwarebytes scan that it had scheduled.  The third Malwarebytes scan was waiting for me the next morning with news that it had indeed found tracks of BSDRIVER on my computer and wanted to delete them.  The subsequent ntbtlog.txt file listed no remaining evidence of bsdriver.sys.

The FRST.txt file attached is very enlightening.  And frightening.  It contains 54,620 lines that look like this:

C:\Users\...Me...\AppData\Local\Temp\10.tmp.exe

C:\Users\...Me...\AppData\Local\Temp\FFFF.tmp.exe

That seems mighty suspicious.

Thank you for your help.

Addition.txt

CheckResults.txt

FRST.txt

mbamLog042616at0500PM.txt

mbamLog042616at0808PM.txt

mbamLog042816at0210AM.txt

Hi:

As I suspected, the logs show evidence of quite a lot of recent malware infections and many, many PUPs in MBAM quarantine.
There are likely malware remnants and other damage on the system.

Deeper diagnostic and cleanup work will be needed.
Such work is conducted in another area of the forum reserved for that activity.

I will ask a forum moderator to move this thread to the malware removal section for further assistance by one of the trained malware experts.
However, it may be more efficient for you to just start a new, separate post over there, attaching these same logs to that new post.
Then, please wait for an expert to pick up your thread.
While you are waiting for help there, this pinned topic explains how the malware removal process works: Available Assistance for Possibly Infected Computers

Thank you,