GMER causes BSOD



I suspect I have a rootkit. I scanned my system on multiple antivirus and anti-rootkit software (mbam, mbar, hmpro, bitdefender full, roguekiller) and nothing comes up except on GMER, so I assume it's a GMER false positive on the quickscan. GMER quickscan/startup scan works and detected the possible rootkit(s)/altered system files, however it blue screens on full scan for both of my drives c: / d:. The file it bluescreens on is named "kfldiuod.sys".


Hello ayedk and welcome to Malwarebytes,

Can you post the quick scan log from GMER, also post the produced logs from FRST:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thank you,

Kevin


Your FRST logs do not show any obvious Malware or Infection. There is a private IP address used for internet; is that known to you and trusted? DNS Servers: 172.24.1.1

Why do you suspect your system is infected, is it just because GMER crashes..? GMER will never run if your system security is active; ALL security must be turned off completely before attempting a scan with GMER....


I exchanged files between my laptop and PC frequently, and recently my PC was 'attacked' by a rootkit virus, so I worried if any files that I transferred that were infected could've infected my laptop as well. Like I said, I scanned my laptop with numerous amounts of antivirus and anti-rootkit programs, and nothing comes up except GMER a couple weeks ago showing, I think it was a bunch of 'svchost' files as altered system files/potential rootkits. Now I can't do any scans on GMER without it crashing besides the startup one, even when I turn off Bitdefender, so I was wondering if I'm actually infected or if it is false positives solely on GMER's part.


You have to be careful when reading GMER logs; system files can be flagged as suspicious but may in fact have been patched by your Anti-virus program. See if you can run the following:

Download RogueKiller and save it on your desktop; ensure you download the correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste its content in your next reply.



Do not use the Remove Selected option until I've had a look at the log..

Thanks,

Kevin


Operating System : Windows 10 (10.0.17134) 64 bits version
Started in : Normal mode
User : TravelLaptop [Administrator]
Started from : C:\Users\TravelLaptop\Downloads\Programs Lite\rkill\RogueKiller_portable64.exe
Mode : Scan -- Date : 10/14/2018 08:03:09 (Duration : 00:40:17)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1805164529-1640971276-3240465228-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1805164529-1640971276-3240465228-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1805164529-1640971276-3240465228-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1805164529-1640971276-3240465228-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.24.1.1 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{01d3ad83-2aa6-4103-9bd6-4025cba79d4f} | DhcpNameServer : 172.24.1.1 ([])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1805164529-1640971276-3240465228-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1805164529-1640971276-3240465228-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.Y2Go][Folder] C:\Users\TravelLaptop\AppData\Local\OneDrive -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10SPZX-75Z10T0 +++++
--- User ---
[MBR] 00b32724bb0ccb2386c2d56df0411c2b
[BSP] cf36a52935617a3da073ca100a75f385 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2048 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 953740 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: NVMe PM961 NVMe SAMSU +++++
--- User ---
[MBR] 2b001468033d6a36b7e3e204e660eaf1
[BSP] e4f2f8f58f09e9a9f6166933056c5a1b : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 227757 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 467736576 | Size: 839 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 469454848 | Size: 13879 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 497881088 | Size: 1092 MB
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!

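The RogueKiller report above is read by hand in this thread: PUM entries are changed settings (here an OEM homepage, a DHCP-assigned DNS server and a Start menu option), the PUP entry is a folder match, and the MBR check flags one drive. The following is an added example, not code from the thread, from RogueKiller or from Malwarebytes, that parses that report layout and sorts the findings the way the helper does: PUM and PUP buckets, a check whether the reported DNS server is an RFC 1918 private address (the question asked earlier in the thread), and any MBR read errors. The sample report is constructed from the lines quoted above; the section and entry regexes are my own reading of that layout, not a documented format.

```python
import ipaddress
import re

# Constructed sample in the layout of the RogueKiller report quoted in this
# thread; the registry values, paths and drive names are copied from that
# report, nothing here is a new finding.
SAMPLE_REPORT = r"""¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1805164529-1640971276-3240465228-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.24.1.1 ([])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1805164529-1640971276-3240465228-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Files : 1 ¤¤¤
[PUP.Y2Go][Folder] C:\Users\TravelLaptop\AppData\Local\OneDrive -> Found

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10SPZX-75Z10T0 +++++
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: NVMe PM961 NVMe SAMSU +++++
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!
"""

# Assumed layout (read off the quoted report): section header, then one
# finding per line as "[Family.Name] detail -> Status".
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : (?P<count>\d*)\s*(?P<extra>.*?)\s*¤¤¤$")
ENTRY_RE = re.compile(r"^\[(?P<tag>[^\]]+)\](?P<rest>.*?)\s*-> (?P<status>\w+)$")
DNS_RE = re.compile(r"DhcpNameServer : (?P<ip>[\d.]+)")


def parse_report(text):
    """Return ({section: [entry dicts]}, [(drive, error line)]) for a report."""
    sections = {}
    mbr_errors = []
    current = None
    drive = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name").strip()
            sections[current] = []
            continue
        if current == "MBR Check":
            # Drive banners look like "+++++ PhysicalDrive1: <model> +++++".
            if line.startswith("+++++"):
                drive = line.strip("+ ").split(":")[0]
            elif line.startswith("Error") or "NOT VALID" in line:
                mbr_errors.append((drive, line.strip()))
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            sections[current].append({
                "tag": entry.group("tag"),
                "detail": entry.group("rest").strip(),
                "status": entry.group("status"),
            })
    return sections, mbr_errors


def triage(sections, mbr_errors):
    """Bucket findings: PUM = modified setting, PUP = unwanted program,
    anything else = needs a human look. DNS servers get a private-range check."""
    findings = {"pum": [], "pup": [], "other": [], "dns": [], "mbr": list(mbr_errors)}
    for name, entries in sections.items():
        for e in entries:
            family = e["tag"].split(".")[0]
            bucket = {"PUM": "pum", "PUP": "pup"}.get(family, "other")
            findings[bucket].append(f"{name}: [{e['tag']}] {e['detail']}")
            dns = DNS_RE.search(e["detail"])
            if dns:
                ip = ipaddress.ip_address(dns.group("ip"))
                findings["dns"].append((str(ip), ip.is_private))
    return findings


if __name__ == "__main__":
    parsed, errors = parse_report(SAMPLE_REPORT)
    for bucket, items in triage(parsed, errors).items():
        print(bucket, items)
```

Run as a script it prints each bucket; in this sample everything lands in PUM/PUP, the DNS server is reported as private (a home router address, which is why the helper asked whether it was known), the "other" bucket is empty, and the only item needing follow-up is the LL2 read error on PhysicalDrive1.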

Should the clean logs be sufficient enough to tell if I have/haven't a rootkit? Like I said I scanned with multiple programs and nothing of the likes ever comes up, just GMER acting weirder and weirder concerns me, especially after having one on my main PC.


The driver responsible for crashing your system is probably part of GMER; it usually runs from the following Temp folder.

C:\Users\{your user name}\AppData\Local\Temp\kfldiuod.sys

Up to now all of the logs I've seen do not show any signs of malware or infection. GMER can be difficult to run for many different reasons: an active Firewall, active anti-virus programs, other security, CD emulators, sandboxes, ..

As it seems GMER will not run and you still believe your system has been compromised, try the following ESET scanner. This scanner is very thorough so may take several hours depending on system size, amount of data etc..

Go here and click 'SCAN NOW' under 'ESET Online Scanner' and save it to your Desktop.
 
  • You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
  • Double-click on esetonlinescanner_enu.exe to install and a new window will open. Follow the prompts.
  • Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
  • At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
  • When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
  • Tick the option Enable detection of potentially unwanted applications
  • Click on Advanced settings
  • Make sure that the option Clean threats automatically is unticked.
  • Ensure these options are ticked:
 
  • Enable detection of potentially unsafe applications
  • Enable detection of suspicious applications
  • Scan archives
  • Enable Anti-Stealth technology
 
  • Click Scan
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Please copy/paste the contents of the log in your next reply.
  • To close ESET Online Scanner, select Do not clean then Finish

Thank you,

Kevin

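The helper's point above is that a kernel driver crashing from the user's Temp folder is what GMER itself looks like, because the tool drops a transient driver there for the duration of a scan. A defender wants the same observation as a repeatable check: which loaded drivers have their image in a user-writable folder at all. The following is an added example, not code from the thread, from GMER or from Malwarebytes. It parses the CSV produced by `driverquery /V /FO CSV` on Windows (the column layout in the sample is assumed; only the "Module Name" and "Path" columns are relied on) and reports drivers loading from Temp-style locations. The rows are constructed: the kfldiuod path is the one named in the thread, the other driver names are made up for the sample.

```python
import csv
import io

# Constructed sample in the column layout of `driverquery /V /FO CSV`
# (assumed layout; only "Module Name" and "Path" are read). The Temp path is
# the one named in the thread; "tmpdrv" is an invented example row.
SAMPLE_DRIVERQUERY = (
    '"Module Name","Display Name","Description","Driver Type","Start Mode",'
    '"State","Status","Accept Stop","Accept Pause","Paged Pool(bytes)",'
    '"Code(bytes)","BSS(bytes)","Link Date","Path","Init(bytes)"\n'
    '"ACPI","Microsoft ACPI Driver","Microsoft ACPI Driver","Kernel","Boot",'
    '"Running","OK","TRUE","FALSE","0","0","0","",'
    '"C:\\Windows\\system32\\drivers\\ACPI.sys","0"\n'
    '"kfldiuod","kfldiuod","kfldiuod","Kernel","Demand","Running","OK","TRUE",'
    '"FALSE","0","0","0","",'
    '"C:\\Users\\TravelLaptop\\AppData\\Local\\Temp\\kfldiuod.sys","0"\n'
    '"tmpdrv","tmpdrv","tmpdrv","Kernel","Demand","Running","OK","TRUE",'
    '"FALSE","0","0","0","",'
    '"C:\\Windows\\Temp\\tmpdrv.sys","0"\n'
)

# Folders an ordinary kernel driver has no business loading from. An
# anti-rootkit scanner such as GMER is the expected exception while it runs;
# anything else that shows up here deserves a closer look.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)


def drivers_from_user_writable_paths(driverquery_csv):
    """Return (module name, image path) for every driver whose image path
    contains one of the user-writable folder markers (case-insensitive)."""
    hits = []
    for row in csv.DictReader(io.StringIO(driverquery_csv)):
        path = row.get("Path") or ""
        lowered = path.lower()
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            hits.append((row["Module Name"], path))
    return hits


if __name__ == "__main__":
    # Offline run on the constructed sample; on a live Windows host you would
    # feed in the captured output of `driverquery /V /FO CSV` instead.
    for module, path in drivers_from_user_writable_paths(SAMPLE_DRIVERQUERY):
        print(f"driver {module} loads from user-writable path: {path}")
```

On the sample the ACPI driver in system32 is ignored and the two Temp-resident entries are reported. The sensible follow-up after a hit is the one the thread takes: confirm the file belongs to a tool you just ran (GMER's driver disappears once the scan is over), and treat a driver that persists in such a folder across reboots as something to investigate rather than a false positive.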

C:\Users\TravelLaptop\Downloads\Setups\ccsetup547.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\Users\TravelLaptop\Downloads\Setups\rcsetup153.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
 


You're very welcome, do the following to clean up:

Delete RogueKiller portable from this folder C:\Users\TravelLaptop\Downloads\Programs Lite\rkill, also delete this folder if present: C:\ProgramData\RogueKiller

Next,

Right click on FRST here: C:\Users\TravelLaptop\Downloads\Programs Lite\FRST64.exe and rename it uninstall.exe; when complete, right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

