
Possible Rootkit



Hey gang !

I suspect my laptop is infected by a rootkit from a home networked 1TB external drive. My current HP 6530b computer running Windows 7 SP1 and BitDefender Business Client is the infected laptop. This laptop has PLC programming software that I use in my work. I think the rootkit infected this laptop when installing the software used to access the TB external drive and disabled my programming software. I believe it has also prevented the external drive software from being displayed in Programs and Features.

The external hard drive and another desktop are both connected via hardwire to a wireless router. I suspect both external hard drive and desktop are infected. Plan is to get laptop square and then clean up the external hard drive. Of course those will be addressed separately. I have removed power from both external drive and desktop and will let that remain throughout the laptop clean up. The desktop is much older and format C/reload windows is a clear option unless suggested otherwise.

Obviously this may take a bit to do. Need to determine if rootkit is indeed the issue.

Request assistance from a forum expert, to get back to normal on the laptop and later the external hard drive.

 

Thanks in advance

Needing assistance badly

JiNCs


  • Staff


I would like to welcome you to Malwarebytes support, my name is William and I will be helping you out today.


In order for us to get started on your problem, I will need to get a couple of diagnostic reports from the computer to help me see where the problem could be and help me decide the best way to start.

Please download "Farbar Recovery Scan Tool (FRST)" from one of the following links and save it to your Desktop (please note that some web browsers will automatically save all downloads in your Downloads folder, so in those cases please move them to the desktop).

Note: You need to run the version compatible with your computer. If you are not sure which version applies to your computer, then download both of them and try to run them. Only one of them will run on your computer, and that will be the right version.

For 32-bit (x86) editions of Windows: >> FRST.exe <<

For 64-bit (x64) editions of Windows: >> FRST64.exe <<


  1. Run the “FRST” download that works on your computer
  2. When the tool opens click Yes for the disclaimer in order to continue using “FRST”.
  3. Under the section called “Whitelist” make sure all boxes are checked
  4. Under the section called “Optional Scan” I would like you to have a check mark next to “Addition.txt”
  5. Press the Scan button.
  6. When the scan is done, it will save the reports to the same location as FRST (if you had saved “FRST” on your desktop, then the reports will be saved on the desktop).
  7. Please attach the “FRST.txt” and the “Addition.txt” log file to your next reply to me (it is best if you do not copy and paste it into an e-mail).

It would be better for you and for me if you can attach the reports to the email instead of copying and pasting them; the email system changes their format and makes them very hard to read.

If you are not used to attaching files to e-mails, then just look for a button in the toolbar above where you write your message that has a paperclip icon, and that should be the attachment button. You can also get the idea on how to attach files to an email from watching this video – >> How to attach files <<

When you reply back to me you should have two reports for me:
FRST.txt
Addition.txt


Regards,

William Rowland – “Gringo_pr”
Customer Success Specialist & Malware Removal Specialist


  • Staff


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and then I will ask you to remove our tools.


Gringo

 


Thanks William.

Apologies for the slow response. Had some personal things that had me out of reach for a few days. Also, I was expecting a notification through my personal email, but no issue. This venue is fine.

 

I am only now seeing your response but will get on this immediately. I will download and do the scans today.

Thanks for the needed assistance. JiNCs


  • Staff

Hello JiNCs

 

Why do you think this is a rootkit? You explain how you think you got infected, but you do not explain what the computer is doing to make you think it is infected.

 

 

Run Rootkit Scan:

  1. Restart the computer to clear out any programs running in the background
  2. Turn off your antivirus and any other security program
  3. Open “Malwarebytes Anti-Malware”
  4. While on the dashboard click on Update Now
  5. Once the update is complete click on “Settings” at the top
  6. On the left go to “Detection and Protection”
  7. Put the check mark in the box next to Scan for rootkits
  8. Click on “scan” at the top of Malwarebytes screen
  9. Verify that “Threat Scan” is selected and click on Start Scan
  10. When the scan is complete, if there have been detections, verify that everything has been selected (All boxes on left have a check mark)
    • if there are many to check, you can put a check mark in the very top box and this will select them all
  11. In most cases, a restart will be required.
  12. Wait for the prompt to restart the computer to appear, then click on Yes.


To get the report:

  1. After the restart once you are back at your desktop, open MBAM once more.
  2. Click on the “History” at the top
  3. On the left go to “Application Logs”.
  4. Double click on the scan log which shows the Date and time of the scan just performed.
  5. Click on Export at the bottom left.
  6. Click Text file (.txt)
  7. In the “Save File” dialog box, on the left click on “Desktop”.
  8. In the “File name” box type “Scan log” as the name.
  9. A message box named File Saved should appear stating Your file has been successfully exported.
  10. Click Ok
  11. Attach that saved log to your next reply.


Regards,

William Rowland – “Gringo_pr”
Customer Success Specialist & Malware Removal Specialist


I mentioned in the first post that some of my work programming software is disabled (won't start and run) and the software that allows connection to the external hard drive is not shown in the list of 'Programs and Features' (in older Windows this was Add/Remove Programs).

About a week ago when I installed the external drive software (WD Discovery, for the Western Digital external hard drive), it did not install smoothly and there was no desktop icon, although I was able to access the external drive. A day later I was using the work programming software and the computer, without my assistance, rebooted and said it had an issue. I looked and the WD icon was created on the desktop at restart. I was able to open the WD software using the icon, but my work programming software, which was up and running before the unassisted reboot, shut down and I have not been able to open it since. I suspected a faulty install of the WD software and attempted to uninstall and reinstall. When I looked, that software is not listed in Programs and Features.

Two years ago my older laptop was infected by a rootkit and the external hard drive was operating at that time. Through your help, that laptop was cleaned. I never checked to see if the hard drive was infected. Since then I never used the WD hard drive. I now have another laptop and never installed the WD software . . . till now.

I also mentioned in my first post I needed to verify I indeed had a rootkit. Perhaps, a mis-load of WD Discovery bombed my programming software and I am not infected.

 

I will load and run the suggested software.


I do not have MalwareBytes Anti-Malware installed on my computer. I have BitDefender Business Client anti virus protection.

Should I download the free latest version of Malwarebytes or do I need to purchase? If I need to purchase, please specify which version. Any conflict installing Malwarebytes with BitDefender already installed, although disabled?


  • Staff
  1. Download Malwarebytes Anti-Malware by clicking on this link: >> Malwarebytes Anti-Malware <<
  2. After downloading, double-click on “MBAM-setup” to get started.
  3. Choose Yes if the User Account Control dialog appears.
  4. The installation wizard will now guide you through the upgrade process.
  5. Click on Next.
  6. Review and accept the license agreement, then click Next.
  7. Review the latest changes made to Malwarebytes Anti-Malware, then click Next.
  8. Choose where to install Malwarebytes Anti-Malware, then click Next.
  9. Choose whether or not to have a Start Menu entry and its name, then click Next.
  10. Choose if you want a desktop icon, then click Next.
  11. Review your installation choices, then click Install.
    • The wizard will begin to install the files.

At the end of the installation you will be asked if you want to start the trial and if you want to launch the program. Remove the check mark next to Start Trial.

To see a video on how to do this – https://support.malwarebytes.org/customer/en/portal/articles/1835314-how-do-i-install-malwarebytes-anti-malware-?b_id=6438


Attached is the Scan Log after running Malwarebytes. There is one trojan and all the rest are PUPs. There was no listing of a rootkit, although I will wait for you to view. The files are currently quarantined by Malwarebytes. I will wait for you before deleting all or deleting selected files.

After the reboot I got a message that I needed to scan my C drive and was given the option to do so or bypass. Perhaps this is the issue with my programming software. I opted to bypass and run Scan Disk later.

The WD external drive software, although shown in the Program Files folder with an exe within, is still not shown in Programs and Features (Add/Remove Programs).

Also my programming software still launches but does not run. I did however find out that it is listed as running under Processes in Task Manager. If it is, it is not visible and unusable.

I wait to hear from you.

JiNCs

Scan Log.txt


  • Staff

Hello JiNCs

 

I would like you to rerun “FRST” for me again and send me the new report for me to check over.

If you cannot find where you saved “FRST” the first time then here are the links again for you.

Note: You need to run the version compatible with your computer. If you are not sure which version applies to your computer, then download both of them and try to run them. Only one of them will run on your computer, and that will be the right version.

For 32-bit (x86) editions of Windows: >> FRST.exe <<

For 64-bit (x64) editions of Windows: >> FRST64.exe <<


  1. Run the “FRST” download that works on your computer
  2. When the tool opens click Yes for the disclaimer in order to continue using “FRST”.
  3. Under the section called “Whitelist” make sure all boxes are checked
  4. Under the section called “Optional Scan” I would like you to have a check mark next to “Addition.txt”
  5. Press the Scan button.
  6. When the scan is done, it will save the reports to the same location as “FRST” (if you had saved “FRST” on your desktop, then the reports will be saved on the desktop).
  7. Please attach the “FRST.txt” and the “Addition.txt” log file to your next reply to me (it is best if you do not copy and paste it into an e-mail).

When you reply back to me you should have two reports for me, and I need you to tell me how things are doing.
FRST.txt
Addition.txt

 


Attached are the files you requested.

I still had the originally downloaded FRST.exe file. I moved it back to the desktop to run and when it started to run another folder called "FRST-OlderVersion." was created on the desktop. Next FRST reported that it had updated and was ready to run. This may have only been an update of FRST but I didn’t want to take chances so I downloaded FRST again and moved it to the desktop.

I reviewed your instructions and in addition to checking 'additional.txt,' I selected all other boxes under Optional Scan.

When it started to run, twice it paused and Windows reported it was not responding. At the second pause I got a screen shot. Please see pic below. At the top of the FRST window notice (Not Responding) and that all boxes are checked. Again, this 'not responding' pause was the second time this occurred.

FRST did resume and reported it completed scanning. All reports are attached. Please note a strange format in the SHORTCUTS file and its 2.3MB size. I noticed this about the file after FRST completed. Perhaps normal?

The pause in the running of 'FRST' MAY be 'normal' because, as I use the computer for other things, it has paused and reported this before. Possibly because the C drive needs to have scan disk run?

Other than pausing and getting the message to scan C at boot, all operations on the computer appear functioning normal.

 

JiNCs

Addition.txt

FRST.txt

Shortcut.txt


It just occurred to me that the "PAUSE" may also be caused by WD Discovery trying to locate the 1TB external drive.

When WD Discovery operates normally, two maps are created to the external drive partitions and are displayed in Windows Explorer. If these maps are displayed and the computer cannot connect (external drive off), a big pause occurs during the attempt. When operating normally, if you delete the mapped shortcuts the pause does not occur. I realized this before when I leave the shortcuts up and go to work, where the computer cannot connect to the external drive at home. Again, deleting the mapped shortcuts NORMALLY eliminates the "pause."

Currently, although the shortcuts are not displayed, WD Discovery is installed and works when run, even though it is not displayed as installed in Programs and Features (Add/Remove Programs).

It may still be searching.

I looked in MSConfig StartUp to see if WD Discovery was running in the background. It was not listed. I recognize all selected to run at startup. Attached is the MSConfig window and the FRST window showing (Not Responding) that I forgot to attach to the first response.

MSConfig StartUp.png

Pause in First.png

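One way to see what Programs and Features actually reads, and why a program that is present on disk and runs fine can still be missing from the list, as an added PowerShell example that is not part of this thread or of Malwarebytes support's instructions. The product-name filter ('WD', 'Western Digital') and the Program Files cross-check are assumptions; Programs and Features is populated from the registry Uninstall keys, so that is what the script walks.

```powershell
# Added example, not from the thread: enumerate the registry keys that populate
# Programs and Features and flag entries the Control Panel hides. The name filter
# ('WD', 'Western Digital') is an assumption; change it for the software in question.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',   # 32-bit apps on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'                # per-user installs
)

$entries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        # Programs and Features skips an entry when it has no DisplayName,
        # when SystemComponent is 1, or when ParentKeyName marks it as an update.
        $hidden = [string]::IsNullOrEmpty($p.DisplayName) -or
                  ($p.SystemComponent -eq 1) -or
                  ($p.ParentKeyName -ne $null)
        New-Object PSObject -Property @{
            Key             = $key.PSChildName
            Hive            = $root
            DisplayName     = $p.DisplayName
            Publisher       = $p.Publisher
            InstallLocation = $p.InstallLocation
            UninstallString = $p.UninstallString
            Hidden          = $hidden
        }
    }
}

# 1. Everything registered for the product, visible or hidden
$entries | Where-Object { $_.DisplayName -like '*WD*' -or $_.Publisher -like '*Western Digital*' } |
    Format-List Key, Hive, DisplayName, Publisher, InstallLocation, UninstallString, Hidden

# 2. Hidden entries whose uninstaller lives under Program Files; ordinary
#    application installers rarely hide themselves, so review these by hand
$entries | Where-Object { $_.Hidden -and $_.UninstallString -match 'Program Files' } |
    Format-Table Key, DisplayName, UninstallString -AutoSize

# 3. Folders under Program Files with no Uninstall entry at all: the pattern in the
#    thread (exe present on disk, nothing in Programs and Features), which is
#    consistent with an installer that aborted before registering itself
$programRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($dir in Get-ChildItem -Path $programRoots | Where-Object { $_.PSIsContainer }) {
    $path = $dir.FullName
    $registered = $entries | Where-Object {
        ($_.InstallLocation -and $_.InstallLocation -like "$path*") -or
        ($_.UninstallString -and $_.UninstallString -like "*$path*")
    }
    if (-not $registered) { $path }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and both Program Files trees are readable; it only reads, it changes nothing.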


Did you see anything in the results of the second scan using FRST? The results are attached above at the entry from Sat 12:39PM. There are other posts as well. Apologies for the double post. Also, any thought on why WD Discovery is not shown in Programs and Features?

Should we do anything concerning the Windows recommended scan of C:?

How do we proceed?


Thanks

So how is the following for proceeding:

  • Will uninstall the Malwarebytes Free Trial. It is currently installed and running with BitDefender
  • Will proceed with a scan disk for C drive
  • Will use the install CD to try to remove WD Discovery while not connected to my home system.
  • Will then attempt to correct the issues with my programming software. Hopefully this will restore me to operational status.

Does this sound like the next correct steps forward?

 

At some point I will contact Malwarebytes soon and scan my external hard drive for issues.

Thanks

JiNCs


  • Staff

Hello JiNCs

 

"I think the rootkit infected this laptop when installing the software used to access the TB external drive and disabled my programming software. I believe it has also prevented the external drive software from being displayed in Programs and Features."

 

I don't think it is a rootkit, but here is where I would start: I would go to the hard drive's website and see if there is updated software, and if not, that is who you should be asking for help.
