
Tracks of a rootkit in ntbtlog.txt


Hello Malware Byters,

Per the instructions of daledoc1 I am starting a thread here in the hope of attracting the attention of an expert malware byter. daledoc1 has taken me as far as producing the files attached. His assessment is that my PC is loaded with malware and DUPs (Definitely Unwanted Programs). The fact of 54,624 lines in the FRST.txt file that look like this:

C:\Users\... Me …\AppData\Local\Temp\10.tmp.exe

C:\Users\... Me …\AppData\Local\Temp\FFFF.tmp.exe


is one thing that leads me to share this opinion.


Please find six log files attached.


Thank you for your help.







Hello DudgeonousTweet and welcome to Malwarebytes,

Continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Please open Malwarebytes Anti-Malware.
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.

To get the log from Malwarebytes do the following:
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…


Download AdwCleaner by Xplode onto your Desktop.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....

Let me see those logs in your reply, also give an update on any remaining issues or concerns....

Thank you,




Thank you for your fast response.  I would have liked to have been fast to reply but your homework assignment was a substantial one.

That was a substantial homework assignment.  Here are my results.

I downloaded Fixlist.txt and ran FRST64 with it and the FRST.txt file on my desktop.  That produced the 54,715 line FixLog.txt file that is attached.  Mostly it logs the deletion of the long list of FFFF.tmp.exe files in my temp directory.

I next ran Malwarebytes Anti-Malware and produced a log file.  Per your instructions that log file is here:

Malwarebytes Anti-Malware

Scan Date: 4/29/2016
Scan Time: 7:50 AM
Logfile: mbamLog042916at0750AM.txt
Administrator: Yes

Malware Database: v2016.04.29.03
Rootkit Database: v2016.04.17.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jim Eddy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 434291
Time Elapsed: 23 min, 40 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

It found nothing as you see.

I next downloaded AdwCleaner and ran that.  Per your instructions I include the log here:

# AdwCleaner v5.114 - Logfile created 29/04/2016 at 08:56:01
# Updated 27/04/2016 by Xplode
# Database : 2016-04-27.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Jim Eddy - NIGEL
# Running from : C:\Users\Jim Eddy\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\AVG SafeGuard toolbar
[-] Folder Deleted : C:\ProgramData\ParetoLogic
[#] Folder Deleted : C:\ProgramData\Application Data\AVG SafeGuard toolbar
[#] Folder Deleted : C:\ProgramData\Application Data\ParetoLogic
[-] Folder Deleted : C:\Program Files (x86)\Itibiti Soft Phone
[-] Folder Deleted : C:\Program Files (x86)\PC Cleaner Pro
[-] Folder Deleted : C:\Users\Jim Eddy\AppData\Roaming\DriverCure
[-] Folder Deleted : C:\Users\Jim Eddy\AppData\Roaming\ParetoLogic

***** [ Files ] *****

[-] File Deleted : C:\Windows\Reimage.ini

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.Protector
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{08ACFB57-8187-47F0-AF93-56360D03634A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{03AE1B7B-A9E7-4D5A-9D34-89999C31B659}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
[-] Key Deleted : HKCU\Software\ParetoLogic
[-] Key Deleted : HKCU\Software\Softonic
[-] Key Deleted : HKCU\Software\osTip
[-] Key Deleted : HKLM\SOFTWARE\ParetoLogic
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Itibiti_is1
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{EF5E0B45-2930-446A-878C-4B75FDFAC383}]
[-] Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{0D6DE0AD-2E22-4DB5-ACDF-2C8656CBC086}]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\land.pckeeper.software
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pckeeper.software
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MsConfig\StartupReg\tv
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MsConfig\StartupReg\WLrt1

***** [ Web browsers ] *****


:: "Tracing" keys deleted
:: Winsock settings cleared


C:\AdwCleaner\AdwCleaner[C1].txt - [3297 bytes] - [29/04/2016 08:56:01]
C:\AdwCleaner\AdwCleaner[R1].txt - [782 bytes] - [23/08/2013 11:32:21]
C:\AdwCleaner\AdwCleaner[R2].txt - [965 bytes] - [23/08/2013 12:39:28]
C:\AdwCleaner\AdwCleaner[R3].txt - [887 bytes] - [23/08/2013 12:53:25]
C:\AdwCleaner\AdwCleaner[S1].txt - [4674 bytes] - [23/08/2013 11:32:44]
C:\AdwCleaner\AdwCleaner[S2].txt - [980 bytes] - [23/08/2013 12:39:45]
C:\AdwCleaner\AdwCleaner[S3].txt - [947 bytes] - [23/08/2013 12:53:49]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [3803 bytes] ##########

It found some things.  I selected Cleaning to clean them up.  Rather than do a Restart at this point I did a full shutdown and then a boot.  The biggest symptom I have on this PC is that a restart takes about 1 minute 15 seconds while a cold boot takes 8  minutes 15 seconds.  That was the time taken by this cold boot so no improvement there.

I downloaded Sophos Free Virus Removal Tool and launched it.  It took about 4 hours to run.  It found one threat.  That one threat produces a fairly substantial log file.  It is attached below.

After Sophos had completed I did another cold boot.  This one took 8 minutes 17 seconds.  That is about 6 minutes more than was before these troubles.  By the way, it takes 8 minutes to cold boot with no internet connection and 8 minutes to cold boot into safe mode.  If the extra 6 minutes is illicit activity it all happens before any Windows trace technology kicks in.  I have asked in other forums how to trace a cold boot.  So far I have not discovered how to do it.  Or if it is possible.

Thank you for your help.





That is pretty close to how I have been booting.  In msconfig services the only non-Microsoft things that are checked are:



Power Manager Service (Lenovo)

System Update (Listed as Unknown but apparently belongs to Lenovo)

The only Startup objects checked are:

Microsoft Security Client

ThinkPad Power Manager

With just that much checked it takes 8 minutes 17 seconds.

I will disable these five things and do a cold boot.  I will be back after about 8 minutes.





Thanks for those logs, need to upload a couple to VirusTotal to be checked...

Go to http://www.virustotal.com/
  • Click the Choose file button
  • Navigate to the file C:\Windows\system32\bi.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.
  • Repeat the above steps for the following files



Let me know the outcome.....



Here is the first batch for the file bi.exe.  I copied the result from the two tabs Analysis and File Detail.  I have not included the information from Additional Information, Comments, Votes, or Behavior Information.  If you want that also let me know and I will rerun it.  The results are below.  If you don't need both Analysis and File Detail, let me know that also.

FYI, security problems prohibited my navigating from the web to C:\Windows\System32 to find bi.exe.  I copied it to the desktop and uploaded it from there.  I assume that it is ok to do it that way.

I am working on decred.cl now.

Thank you for your help.





Thanks Dudge,

Yes that one is clean, continue please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Go here: http://cdn10.zemana.com/AntiMalware/ download and install Zemana Anti-malware. Allow a shortcut to be saved to your Desktop.. The tool will be active with a 15 day trial....

Right click on Zemana Antimalware and select "Run as Administrator"

From the GUI select "Settings"

In the new window Select 1. Updates, when complete Select 2. Real Time Protection.

In the next window make sure 1. all boxes are checkmarked and the action is "Quarantine" and then 2. Select the home icon.

In the new window select "Scan"

When the scan completes check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR; for all other entries choose QUARANTINE, then select the "Next" tab

The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...

On that screen select the "Reports" tab. (Looks like 3 chimneys)

On that screen select and highlight the scan details line, then select "Open Report"

Copy and paste that log to your reply...
Let me see those logs, also give an update on any remaining issues or concerns....
Thank you,





Thank you for your help.  I feel that we are making good progress.

The Fixlog.txt file below shows that several files were "moved successfully". Among those files was the file bi.exe that you had flagged as malicious. It is interesting to me that another of the files was avgtpx64.sys. This was interesting to me because these two lines in my ntbtlog.txt file were in at the very beginning of this hunt:

Loaded driver \??\C:\Windows\system32\drivers\avgtpx64.sys
Loaded driver \??\C:\Windows\system32\drivers\bsdriver.sys

bsdriver.sys was flagged by Malwarebytes Anti Malware, but avgtpx64.sys was not. The fact that bsdriver.sys was flagged and that these were the only two lines in the entire file that wore the figure \??\ made me suspicious of \??\ and of avgtpx64.sys. And now the last Fixlist.txt file has "moved successfully" the avgtpx64.sys file. So now I am double suspicious of \??\. I notice now that Malwarebytes also uses it. What does it mean? I have googled it and all I found are other guys that have not gotten an answer.

I notice that you had asked to clobber avgtpx64.sys in your last Fixlist.txt. What made you suspicious of that?

The log file from Zemana Antimalware is also attached.  It found and apparently deleted two very ugly certificates.  I had checked Quarantine per your instruction but it lists them as having been deleted in the log file.  I have not gone looking for them.

I am very unhappy to report that my cold boot time is 8 minutes 14 seconds.  We have apparently not yet put a dent in its armor.  I hope you are not discouraged.

I am currently running with one startup item checked (ZAM) and one non-Microsoft service running (ZAM Controller Service).

Thank you for your help.




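The `\??\` question raised in the post above, as an added example that is not part of the original thread: `\??\` is the NT object-manager prefix for a fully qualified DOS-device path, so the script below lists the drivers logged that way and separately reports any driver loaded from outside System32. The sample log is constructed (only the avgtpx64.sys and bsdriver.sys lines come from the thread), and the function names and the `C:\Windows` default are assumptions.

```python
import ntpath
import re

# Added illustration; the function names are hypothetical, not from any tool
# named in the thread. Constructed sample in ntbtlog.txt's line format: only the
# avgtpx64.sys and bsdriver.sys lines are quoted from the thread.
SAMPLE = "\r\n".join([
    r"Loaded driver \SystemRoot\system32\ntoskrnl.exe",
    r"Loaded driver \SystemRoot\System32\drivers\disk.sys",
    r"Loaded driver \??\C:\Windows\system32\drivers\avgtpx64.sys",
    r"Loaded driver \??\C:\Windows\system32\drivers\bsdriver.sys",
    r"Did not load driver \SystemRoot\System32\drivers\example1.sys",
    r"Loaded driver \??\C:\Users\Example\AppData\Local\Temp\example2.sys",
]).encode("utf-16")  # the boot log is normally saved as UTF-16 with a BOM

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$")


def decode_log(raw: bytes) -> str:
    """Decode a boot log; fall back to UTF-8 for copies re-saved by an editor."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def to_win32(nt_path: str, system_root: str):
    """Return (prefix kind, Win32 path) for a path as written in the log."""
    if nt_path.startswith("\\??\\"):  # DosDevices namespace: \??\C:\x -> C:\x
        return "dosdevices", nt_path[4:]
    if nt_path.lower().startswith("\\systemroot\\"):
        return "systemroot", system_root + nt_path[len("\\SystemRoot"):]
    return "other", nt_path


def triage(raw: bytes, system_root: str = r"C:\Windows") -> list:
    """Parse every driver line into a dict with its resolved location.

    system_root defaults to C:\\Windows, which is an assumption about the host.
    """
    sys32 = ntpath.normcase(system_root + r"\system32")
    rows = []
    for line in decode_log(raw).splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, date stamp or blank line
        kind, win32 = to_win32(m.group(2), system_root)
        folder = ntpath.normcase(ntpath.dirname(win32))
        rows.append({
            "loaded": m.group(1) == "Loaded driver",
            "kind": kind,
            "path": win32,
            "name": ntpath.basename(win32),
            "in_system32": folder == sys32 or folder.startswith(sys32 + "\\"),
        })
    return rows


def dosdevices_drivers(rows: list) -> list:
    """Loaded drivers logged with a \\??\\ path: check signer and vendor."""
    return [r["name"] for r in rows if r["loaded"] and r["kind"] == "dosdevices"]


def outside_system32(rows: list) -> list:
    """Loaded drivers whose file is not under System32: review these first."""
    return [r["path"] for r in rows if r["loaded"] and not r["in_system32"]]


if __name__ == "__main__":
    parsed = triage(SAMPLE)
    print("\\??\\ drivers:", dosdevices_drivers(parsed))
    print("outside System32:", outside_system32(parsed))
```

The prefix on its own is not a verdict; what matters is where the file lives and who signed it.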

Hello again Dudge,

avgtpx64.sys and its associated service are not malicious; those are a remnant driver and service from AVG. Because they were still active and running and serving no purpose I listed them for removal. I thought maybe it would help with the boot lethargy...

bi.exe is definitely malicious and may have dropped other unwanted malware on your system..


Obviously as we make no headway there are still issues we need to find and fix... Continue as follows:

Scan with ZOEK

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)

*.exe Mirror http://smeenk.247fixes.com/Tools/zoek.exe

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here or here
  • Right-click on the icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears, it may take a minute or two.
  • In the main box please paste in the following script:

    ipconfig /flushdns >>"%temp%\log.txt";b

  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Please include its content in your next reply. Don't forget to re-enable security software!


Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report", in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference. log will open.
  • Close the program > Don't Fix anything!

Let me see those logs in your reply..

Thank you,





Hello Kevin,

I have run Zoek and RogueKiller per your instruction.  I don't know what all the SkyDrive stuff is in the zoek report.  I have never knowingly signed up for any of that.  Same for SugarSync.  A lot of stuff.  Nothing jumps out at me.

The RogueKillerRpt is also attached.  The only thing that I see that is funny in there is that it is claiming I have two disk drives.  The only disk drive that I have is divided into two partitions.  The C: drive and one that is a set-aside for factory recovery.  Or something similar.  I don't know what that is all about.

Anyway, here it is.  I hope it makes sense to you.  Or if it does not I hope you have more tricks up your sleeve.

Thank you for looking at this.





Certain Lenovo systems do come with 2 hard drives, the second one to help speed up the system. I have absolutely no idea what it actually does or how it works, maybe you should check that at a Lenovo forum... https://forums.lenovo.com/t5/ThinkPad-11e-Windows-E-and-Edge/E531-M2-SSD-Liteonit-LSS-24L6G/td-p/1154637

Regarding SugarSync, it is a cloud file sharing, file sync and online backup service, I'm sure it is not a free service. If you do not need or want it, uninstall it, I'm sure it will be resource hungry. The same goes for Skydrive....

The RogueKiller log is clean,

Let me know what happens regarding the 2nd HD, also does removal of SugarSync and Skydrive make any difference to the boot time...


I have Uninstalled first Sugarsync and then Skydrive.  After the first uninstall the cold boot time was 8 minutes 14 seconds.  After the second uninstall the cold boot time was 8 minutes 14 seconds.  Very reproducible.   Sugarsync came with the computer as part of Lenovo's marketing strategy.  I never have used it to my knowledge.  Skydrive came with Windows 7 as part of Microsoft's marketing strategy.  I have never knowingly used that.

Apparently, neither uninstall was complete.  A search of the file system shows 40 hits worth of Sugarsync and 22 hits worth of Skydrive.  Can you take me through the eradication of both of those marketing strategies?  It would help cut down the search space for this virus.

I will take the question of the mysterious second "disc" drive to that other forum as you suggest and report back anything that I find out.

I have asked two forums how to trace a cold boot in Windows 7.  On one of them I got instructions on how to trace restarts and silence.  On the other the guy did seem to understand the question but the only ways that he could suggest were to boot over a virtual machine or to use some kind of in-circuit-emulation technology.  It smells like there is no practical way to do it.  I wonder when the ability to trace a cold boot went away.  And if there was any fanfare at that moment.  It seems like that would have been a major triumph for the people who develop and distribute malware.

Thank you.


I neglected to mention that when I went to uninstall Skydrive it told me that it had already been uninstalled and did I want to remove it from the list. I said yes and after the boot it was gone. But the 22 hits were still in the file system. I don't know why it thought it was uninstalled. I don't recall having uninstalled it earlier. It makes me suspicious of Skydrive.



Let me know the outcome of the 2nd HD, what its purpose is...

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt and Shortcut.txt under "Optional scan" Select scan, when done post the new logs....






I just attempted to run FRST64.exe again.  A few seconds after I opened it, it told me that it had updated successfully.  Then I noticed that it had changed languages on me.  If you can tell me what language it is that has skanuj for scan I can tell you what language it is.  I hesitate to run it for fear that it will produce mystery language reports.  Maybe I am paranoid but that seems like suspicious behavior to me.

What do you think?

Thank you.


After searching the web I discover that if I change the name of FRST64.exe to EnglishFRST64.exe and run it, it speaks English.  Wow.  Never have I run into that UI before.  Anyway, it is now speaking English again.  The logs are attached.  In the FRST.txt list there are comments I can make that may or may not be useful.  That LSB.exe listed as a whitelisted file is Lenovo Service Bridge.  It is supposed to make their support better.  I don't know what that means.  Another marketing strategy I suppose.  Does it make sense that it is located in AppData rather than in Program Files?   I have uninstalled it but it lingers on my system.  A file search shows 157 hits.  The LSB executable resides in a folder at the bottom of a big long string that looks more like camouflage than anything else.   That seems to me to be a prime candidate for removal.

I have removed SugarSync but several keys are whitelisted.

There is a tcp/ip address hardcoded in there.

As far as I know I have never used either Chrome or FireFox.

Perhaps you can spot something in one of these.

Thank you.






This topic is now closed to further replies.