Gmer cause BSOD on scan

[Erik95]

I've recently tried running a file from a friends hard drive and got a trojan warning so I used a factory restore to remove the infection. I now used Gmer to make sure I don't have any rootkits an it'll cause a BSOD with the report being fwddifog.sys and ntoskrnl.exe marked in red

092018-26359-01.dmp    20/09/2018 09:27:33    DRIVER_IRQL_NOT_LESS_OR_EQUAL    0x000000d1    ffffa601`11d11010    00000000`000000ff    00000000`000000d5    fffff800`ea298bc8    fwddifog.sys    fwddifog.sys+8bc8                    x64    ntoskrnl.exe+1a9380                    C:\Windows\Minidump\092018-26359-01.dmp    4    15    17134    1,211,316    20/09/2018 09:29:46    
 

Rogue killer gives me 4 possible positives ive attached all the requested logs

FRST.txt

Addition.txt

changelog.txt

[nasdaq]

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

You logs are clean.

Take care of this.

ATTENTION: System Restore is disabled
Turn System Restore ON for Drives in Windows 10 - Immediately.
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html

===

Why did you have to run GMER?

If all is well you can delete these two files in bold.
2018-09-20 09:29 - 2018-09-20 09:37 - 728531743 _____ C:\Windows\MEMORY.DMP
2018-09-20 09:29 - 2018-09-20 09:29 - 001211316 _____ C:\Windows\Minidump\092018-26359-01.dmp

[Erik95]

Well I was worried I may have something serious and I wanted to be sure it wouldn't avoid detection. A quick google search told me the best tool is GMER so I used it.

Thank you I will remove the files and follow the steps in the tutorial.

[Erik95]

EDIT: the Rogue finder log I posted doesn't seem to show it's findings. I'm running the tool now, it's found 2 Suspicious paths and 2 Pum.DNS will update with the log

 

 

[Erik95]

Quote

 

Only one Suspicious path on this scan...

roguefinder.txt

[Erik95]

I found the original report

txt.txt

[nasdaq]

Hi,

Delete this one. It's a remnant entriy that was set by Windowd Defender.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MpKsl54cf560b (\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{522A4F40-D2C0-4295-821A-22D3C5464206}\MpKsl54cf560b.sys) -> Found

If these return you can delete them also.
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MpKsl87303f92 (\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F0B05286-4966-4D55-92F2-B53D94E7EFD3}\MpKsl87303f92.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MpKsl8c3e1ff6 (\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F0B05286-4966-4D55-92F2-B53D94E7EFD3}\MpKsl8c3e1ff6.sys) -> Found

The othe two are you local computer LAN setting.

p.s.
GMER is not compatible wth the new Partition table.

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 5431A73C)

Partition: GPT.

========================================================
Disk: 1 (Size: 119.2 GB) (Disk ID: 3D20BFB2)

Partition: GPT.

==================== End of Addition.txt ============================

[Erik95]

Okay thankyou

I've just done a windows defender offline scan and the log says this

Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
     Old value: N/A\Scan\OfflineScanRun = 
     New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x0

Is that something to worry about?

[nasdaq]

Hi,

That means that you cannot run Windows Defender off line.

I can change the value so that it's possible.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
OfflineScanRun
Once done, click on the Search File search button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply

===

[Erik95]

Farbar Recovery Scan Tool (x64) Version: 23.09.2018
Ran by Tarzan (23-09-2018 14:53:22)
Running from C:\Users\Tarzan\Downloads
Boot Mode: Normal

================== Search Files: "OfflineScanRun" =============

====== End of Search ======

[nasdaq]

Hi,

Sorry I gave you the wrong search information.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
OfflineScanRun
Once done, click on the Search Registry button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
====

[Erik95]

Farbar Recovery Scan Tool (x64) Version: 23.09.2018
Ran by Tarzan (24-09-2018 13:24:46)
Running from C:\Users\Tarzan\Downloads
Boot Mode: Normal

================== Search Registry: "OfflineScanRun" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"OfflineScanRun"="1"

====== End of Search ======

[nasdaq]

Hi.

The Registry is showing the correct value.

All should be well.

Can you please confirm.

 

 

Edited September 26, 2018 by nasdaq

[Erik95]

Is it not showing the correct value or is it showing it? if yes then okay

thank you for your help

 

 

[nasdaq]

Sorry I edited my previous reply.

1 is OK, it's active.

0x0 would have prevented it to run offline.

 

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks