Potential Rootkit problem


Hi,

I have Malwarebytes Premium 3.0.6 as well as a paid Norton Security. I have noticed for the last few weeks that my computer has been rather sluggish, and has exhibited a few strange behaviors: connectivity issues with the internet, where my connection goes to crap for no reason; issues using Skype to the point where I've had almost the entire computer freeze up, where I can't move my mouse; my Google Chrome app keeps coming unpinned from the taskbar; and, most noticeably, my disk has been running at 100% or near that a lot of the time. That is especially true when I am actively trying to use Malwarebytes or Norton, or if it seems either is doing a background task. One question would be, is it normal for Malwarebytes/Norton to use up that much disk space while running? Admittedly, I do go to sketchy websites here and there. I've run Norton and Malwarebytes multiple times, and used the Norton Power Eraser feature, which is a boot scan sort of thing, but nothing has come up. At first, I thought maybe my computer is just junky and can't handle too much going on at once. Today, though, something happened that made me wonder a bit more. I tried running my newly updated Malwarebytes while the computer was in 100% disk use. Malwarebytes basically got stuck running a scan, without moving from the number of files scanned, so I closed it down, and tried to open it up again. It informed me that the anti-rootkit driver was not able to load, and that this was possibly due to a rootkit. It recommended rebooting to try and fix the problem, which I did, and then something happened that has never happened before: when it finally rebooted and attempted to load the desktop taskbar, it just kept loading. I finally opened Task Manager up, and saw that Malwarebytes was basically using up all of my CPU and disk. It stayed stuck that way for a good while, so I forced the system off with the power button, and restarted.
It loaded up fine that time, and Malwarebytes was able to run a scan, but I noticed that "Scan for Rootkits" was indeed off. Any ideas if this all sounds suspicious, or if, perhaps, my computer is just crap? (I have a middle-of-the-road 1.5-year-old HP laptop.) Thanks!

P.S. I do have a suspicion that my Skype may be infected or something. Every once in a while, Malwarebytes has blocked an outgoing malware connection or something originating from Skype. Some months ago, I definitely opened up a link from a contact that I think was taken over, which brought me to a super sketchy site. I've tried re-installing Skype as well, but that didn't seem to help.

Edited by Diskdumby
minor brushup to make more readable; additional skype details

Hello Diskdumby and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the Default Browser only, so all of the tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Change default download folder location in Edge - Boot to a user account with admin status, select Start > File Explorer > right click on the "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.


Next,

Download and save RogueKiller to your Desktop from this link:

https://www.fosshub.com/RogueKiller.html/setup.exe

Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window checkmark "Install 32 and 64 bit versions", then select "Next"

In the next window skip Licence I.D. and Licence Key, select "Next"

In the next window make no changes and select "Next"

In the next window leave both "Additional Shortcuts" checkmarked, then select "Next"

In the next window make no changes and select "Install"

RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish.

RogueKiller will launch. Accept UAC, then read and accept "User Agreements"

In the new window the "Home" tab should already be selected; change to the "Scan" tab, then select "Start Scan"

When the scan completes select "Open Report"

In the new Window select "Export text", name that file RK.txt, save it to your Desktop and attach it to your reply

Let me see those logs in your reply...

Thank you,

Kevin..

Hi Kevin,

Thanks for replying to my request for help. Busy day at work, so I just got around to doing what you requested now, and will be headed to bed shortly. Attached to this message, please find the requested files. Note that I just ***'d out the places where my name appears, as I didn't think it was important. I'm already aware of the SoundCloud PUP, which I installed. Not sure if you would recommend getting rid of that or not, but so far I haven't had any problems with it. I also noticed that in one of the logs, it says that I have a problem with some of my hardware. I'm not sure whether or not that might be related to my problems. Other than that, it seems like the scanner didn't find anything. I'm not sure if that's a good thing or an indication that if there is a problem, it is really deep. I'm somewhat surprised that it didn't pick anything up related to Skype, at least, as I have seen Malwarebytes stop outgoing signals that it thinks are malicious from it, many times.

Addition.txt

FRST.txt

RK.txt

Edited by Diskdumby

It is counterproductive to hide user names, if a line containing a user name is required in the FRST fix it will fail due to the name being hidden... Fortunately no such lines were needed this time....

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

Next,

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)", name that log and save it; you can copy or attach that to your reply...

Next,

Please download Gmer from Here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following (they should be unchecked by default):
    Sections
    IAT/EAT
    Show All
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.


Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

**If GMER crashes** Follow the instructions here and disable your security temporarily…

Let me see those two logs in your reply....

Next,


Regarding the hardware issue you mention:

Quote:

==================== Faulty Device Manager Devices =============

Name: Intel(R) Dynamic Platform and Thermal Framework Manager
Description: Intel(R) Dynamic Platform and Thermal Framework Manager
Class Guid: {c3077fcd-9c3c-482f-9317-460712f23efd}
Manufacturer: Intel
Service: esif_lf
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.



Can you check in device manager and see if a driver update is required....

Thank you,

Kevin....

fixlist.txt

Edited by kevinf80
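The Code 19 entry Kevin quotes can be checked from the command line as well. The following PowerShell script is an added example written for this thread, not FRST's or Malwarebytes' own code: it lists every Plug and Play device whose Device Manager error code is non-zero, then looks at the registry service key the Code 19 text refers to and confirms that the driver file it names exists and carries a valid signature (an unsigned or missing driver file behind a device that will not start is the thing worth a second look in a rootkit discussion). It assumes the service name esif_lf from the Addition.txt excerpt above; pass -ServiceName for a different device, and run it from an elevated PowerShell.

```powershell
# Added example for this thread (not FRST or Malwarebytes code).
# Lists devices Device Manager flags with an error and inspects the driver
# service key behind a Code 19. Run from an elevated PowerShell.
# Assumption: the default service name comes from the Addition.txt excerpt
# quoted in the thread; pass -ServiceName for a different device.
param([string]$ServiceName = 'esif_lf')

# Win32_PnPEntity.ConfigManagerErrorCode uses the same numbering as Device
# Manager (0 = working, 19 = registry configuration incomplete or damaged).
$faulty = Get-CimInstance -ClassName Win32_PnPEntity |
    Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
    Select-Object Name, Service, ConfigManagerErrorCode, DeviceID

"Devices reporting a Device Manager error code:"
$faulty | Format-Table -AutoSize | Out-String

# Code 19 means the service subkey under HKLM\SYSTEM\CurrentControlSet\Services
# could not be used. Check that it exists and which driver binary it names.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $svcKey)) {
    "Service key $svcKey is missing; the device's registry configuration is incomplete."
    return
}

$props = Get-ItemProperty -Path $svcKey
"Service key : $svcKey"
"ImagePath   : $($props.ImagePath)"
"Start       : $($props.Start)   Type: $($props.Type)"

if (-not $props.ImagePath) {
    "No ImagePath value; the driver name cannot be obtained from the service subkey."
    return
}

# ImagePath may be relative to the Windows directory (system32\DRIVERS\x.sys)
# or carry a \SystemRoot\ or \??\ prefix; normalise it before testing.
$path = $props.ImagePath -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
if (-not [System.IO.Path]::IsPathRooted($path)) {
    $path = Join-Path $env:SystemRoot $path
}

if (Test-Path $path) {
    # For this device a valid vendor (Intel) signature is the expected outcome;
    # NotSigned or HashMismatch on a driver that will not start deserves a closer look.
    $sig = Get-AuthenticodeSignature -FilePath $path
    "Driver file : $path (present)"
    "Signature   : $($sig.Status)"
    if ($sig.SignerCertificate) { "Signer      : $($sig.SignerCertificate.Subject)" }
} else {
    "Driver file : $path (MISSING)"
}
```

If the service key is present and the file is signed and in place, the Code 19 is a registry-level inconsistency (for example a second service defined for the same device), which is what Kevin's uninstall-and-rescan suggestion addresses; if the file is missing or unsigned, that is worth reporting back in the thread before any driver is reinstalled.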

Hi Kevin,

So sorry for the very late reply. Been a pretty busy past week for me, and I'm probably going to have a busy weekend coming up as well, so my next response will be slow. Should be faster next week. I've attached the files you requested in this reply. As to the driver, I went into Device Manager and tried to update the driver. It says that it is already up to date, but there is a little caution sign next to the device. I tried to get my computer to do a troubleshoot on the hardware, but it actually got stuck on "Scan for hardware changes". Physical damage, maybe? I've bumped my laptop or had it drop from small heights from time to time. Thanks!

Fixlog.txt

ark.txt

Text file.txt


Thanks for the update and logs.... I`ve attached Kill.zip to this reply, download and unzip to your Desktop so you have Kill.bat

Right click on Kill.bat and select "Run as Administrator" agree any alerts...

Next,

Run GMER scan again and post fresh log..

Next,

Go here and click 'SCAN NOW' under 'ESET Online Scanner' save to your Desktop.

Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how

Right click on the downloaded ESET Online Scanner file and select "Run as Administrator"

In the new Window accept the terms of service

In the new Window select "Enable detection of potentially unwanted applications" then expand "Advanced Settings"

In the new Window checkmark (tick) the entries as shown, make sure "Clean threats automatically" is not checkmarked. Now select "Scan"

In the new Window new virus database signatures will download, Do Not Select Stop

The Window will progress showing the scan in action....

In the new Window if no threats are found, select "Delete applications data on close" then select "Finish" no log is produced, confirm that in your reply...

If threats are found the following Window will open:

Click on "Select All" then "Save to Text file" name and save that file, attach to your reply.

Now select "Do not clean" and then close out....
 
Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...
 
Thank you,
 
Kevin

Kill.zip

Edited by kevinf80
typo

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


Hey, just a brief update, Kevin. Managed to run GMER again last night, but ESET was taking a very long time to complete, so I had to go to bed before it had completed. Unfortunately, it seemed like my computer did a restart for some updates, so it's hard to tell if it actually finished the scan or not. But what I did see is that it found 2 infected files before I went to bed. I'm going to rerun it again when I get home from work today, and hopefully be able to post a log with both pieces of information you asked for. You asked if there are any other problems, and the answer is yes, btw. It got to the point where I had never-ending loading pages and an inability to post on Facebook or see instant messages properly. I reinstalled Chrome, and that seemed to help, for the moment, but who knows if that was the root of the problem. Thanks for your patience!


  • 2 weeks later...

Hey, just attached that log you asked for here. No idea if it is really up to date, as it was from a couple weeks ago, when I last ran that. Should I run it again and post a fresh log? Latest issues, as of this night: I had my internet randomly cut out, and at the same time my Xbox randomly beeped and shut off, including the power block. Related at all, by chance? You are really awesome for helping all of these people in here, by the way.

log.txt


Been awhile since you last posted, we need to run FRST again and get some fresh logs...

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.

Thank you,

Kevin...


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


In general, things are just very slow, my disk usage goes up to 100% pretty easily, and in my browser, when I go to Facebook, it won't let me fully load post history, read comments, or read who is logged on. A lot of endlessly loading pages, as well. Also, as I mentioned, there was that point about a week ago where my internet just completely randomly shut out and my Xbox, which is connected to the internet, shut off (including the power brick). Also, I occasionally get messages from Malwarebytes saying an outgoing signal from Skype was blocked.


Thanks for the reply, regarding browser issues, is that related to one specific browser or more than one...?

Reset your router, instructions available at the following link:

http://setuprouter.com/networking/how-to-reset-your-router/

Follow those instructions very carefully.

Next,

Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper

  • Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool. For XP just double click to run.
  • From the left hand pane select "Flush DNS"
  • From the main interface select the dropdown under "Choose a DNS Server"
  • From the list select either "Google Public DNS" or "OpenDNS"
  • From the left hand pane select "Apply DNS"



When done re-boot your system.... any improvement...?

 

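DNS Jumper's "Flush DNS" and "Apply DNS" steps can also be done with Windows' built-in DnsClient cmdlets, which makes the result easier to verify than a GUI click. The script below is an added example written for this thread, not DNS Jumper's own code or part of Kevin's instructions: it records the resolvers currently in use (so the change can be undone), flushes the resolver cache, sets Google Public DNS or OpenDNS on the connected adapter, then checks that a lookup sent straight to the new resolver agrees with the normal resolution path and lists any active hosts-file entries, since those override DNS entirely. It assumes Windows 8 or later (the cmdlets do not exist on Windows 7 or XP), an elevated PowerShell, and a single connected physical adapter; the resolver addresses are the providers' published ones.

```powershell
# Added example for this thread (not DNS Jumper's code). Flushes the resolver
# cache, applies a public resolver to the connected adapter, and verifies it.
# Requires the DnsClient / NetAdapter modules (Windows 8 or later) and an
# elevated PowerShell. Assumption: resolver addresses are the published
# Google Public DNS and OpenDNS anycast addresses.
param(
    [ValidateSet('Google', 'OpenDNS')]
    [string]$Provider = 'Google'
)

$resolvers = @{
    Google  = @('8.8.8.8', '8.8.4.4')
    OpenDNS = @('208.67.222.222', '208.67.220.220')
}
$servers = $resolvers[$Provider]

# Pick the connected physical adapter (the one whose DNS settings matter).
$adapter = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
if (-not $adapter) { throw 'No connected physical network adapter found.' }

# Record the resolvers currently in use so the change can be undone later.
$before = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
"Adapter : $($adapter.Name) (ifIndex $($adapter.ifIndex))"
"Before  : $($before -join ', ')"

# "Flush DNS": drop every cached answer so stale or poisoned entries go away.
Clear-DnsClientCache

# "Apply DNS": static resolvers on this adapter only.
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $servers
"After   : $($servers -join ', ')"

# Verify with a query sent directly to the new resolver (bypassing cache and
# hosts file), then compare with what the normal resolution path returns.
$name   = 'www.malwarebytes.com'
$direct = Resolve-DnsName -Name $name -Type A -Server $servers[0] -DnsOnly -ErrorAction Stop
$normal = Resolve-DnsName -Name $name -Type A -ErrorAction Stop
"Direct  : $(($direct | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', ')"
"Normal  : $(($normal | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', ')"

# Hosts-file entries override DNS entirely; if the two answers above differ,
# this is the first place to look, so list any non-comment entries.
$hosts  = "$env:SystemRoot\System32\drivers\etc\hosts"
$active = Get-Content $hosts | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }
"Hosts   : $(if ($active) { $active -join '; ' } else { 'no active entries' })"

# To undo the change later (back to DHCP-assigned resolvers):
#   Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ResetServerAddresses
```

The "Before" line is worth keeping: on a home network it should normally be the router's own address; anything else there, or a hosts-file line that maps a well-known site to an unfamiliar address, is the kind of finding to paste into the reply along with the scan logs.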

  • 2 weeks later...

Alright, didn't get to this today, but I *will* do it tomorrow. Make it a priority. I realized something rather scary today, which I think you should know about. You know that Ransomware thing that's been going around the world? Well, Microsoft has a security patch for it. My computer, during its normal update schedule, tried to update my computer with several updates, including this one. But it was the only one that Failed to update. Instead, my computer just got into an infinite "preparing to shut down" thing. I even tried downloading the stuff from microsoft manually, and it wouldn't update. So my computer is basically exposed to this issue....


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

