Rootkit installed on one machine, wondering if it spread to this one.


Last week, I noticed my computer slowing down gradually. Eventually, the cursor would lock up and the disk light would stay on continuously. Figured there was an infection, so decided to re-image (Macrium Reflect) but got the ol' BSOD because I'd switched to Win10 without updating the recovery disk. But I can deal with that later.

In the meanwhile, two other Win 7 machines (as well as one of the NASs, both Linux boxes) seem to be infected. This particular machine seems to be running normally, but when I try to download the Malwarebytes Rootkit remover, I get an error window stating: "Could not create file "C:\Users\[use your imagination]Desktop\mbar\mbar.exe"." Which seems very suspicious. Or is it? Previously, I've installed it and have never seen this error window pop up before.

I also use Malwarebytes as well as ESET Internet Security and Spybot, and the scans have turned up nothing.

So how can I tell I've been infected or not?  


Hi, and welcome.

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please attach only the report files, etc., that I ask for as we go along.

We can check this machine by running a few different scans. Please be aware that I can only help you with one machine in this case.

One machine only.

 

You did say 

Quote

Malwarebytes as well as  ESET Internet Security, as well as Spybot and the scans have turned up nothing. 

and that is very good to know.  It is a good indicator.

 

Infections do not spread unless perhaps you have a local network that has all your machines connected. BUT in any event, we can run a few different scans.

You mention that MBAR showed an exception message. We start by getting a report that I can use for review.

I would like to have you run a report tool known as FRST. This has no personal information. It is well-known, widely used & safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:

"Download link for 32-Bit version Windows"



"Download link for 64-Bit Version Windows"



Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Run report with FRST

Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.
 

Windows 8 or 10 users will be prompted about Windows SmartScreen protection: click "More info" on that screen and then the "Run anyway" button on the next screen.

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info and then choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is checked; the configuration should look exactly like the screen below (do not mark additional things unless asked).
Press Scan button and wait.




The tool will produce 2  logfiles on your desktop: FRST.txt , Addition.txt 
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

 

NOTE:   By the way, please do not do any changes, adjustments, or fixes on your own without first checking with me here.

 

Thank you.


Thank you for the FRST reports.   Let me know what first name you prefer to go by.

You had said 

Quote

I also use Malwarebytes as well as  ESET Internet Security, as well as Spybot and the scans have turned up nothing. 

By the way, I see the use of TDSSKILLER on this machine.  Please do not do any more self-medication on this machine.

I have listed below one custom mini-cleanup and then 2 scans. Please do all of them, as much as possible, and keep going down the list.

[  1  ]

Please Close and Save any open work you may have open.

Please close as many un-needed app windows that you yourself may have open at this point, so you can have a clear field of view.

 

This custom script is for User_Hostile only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the attached file named FIXLIST, select "Save link as", and save it directly (as is) to the Downloads folder.

The FRST64.exe tool is already in the Downloads folder.

Start Windows Explorer and then go to the Downloads folder.


RIGHT-click on FRST64, select Run as Administrator, and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool, click "More info" on that screen and then the "Run anyway" button on the next screen.

 

on the FRST window:
Click the Fix button just once, and wait.


 

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

[   2   ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & instructions on how to run the tool are at this page at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

 

[  3   ]

Run a scan with Malwarebytes.
Start Malwarebytes from the Windows  Start menu.

Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.

Then click the SECURITY tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to turn it ON if it does not show a blue color.

Now click the small X  to get back to the main menu window.


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be very sure you review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed. Then repeat the scan one more time. It does not take long.

and again, be sure all detected items are removed.


Let it remove what it has detected.

Fixlist.txt


The MS Safety Scanner found & removed items related to "Cleaner Pro".   Malwarebytes did not find any rootkit.  The latter results are very good.

 

I would suggest downloading, saving, and then running Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double-click Adwcleaner to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner (if you do not see it right away, minimize the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.

 

 

 

 

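The posts above ask for the same small set of report files, each in a fixed location: msert.log under %SYSTEMROOT%\debug, FRST's Fixlog.txt beside FRST64.exe, and the newest AdwCleaner "C" clean report under C:\AdwCleaner\Logs. The PowerShell below is an added example, not code from the thread or from Malwarebytes; it copies those files into one folder and records a SHA-256 for each so the attachments can be matched to what the tools actually wrote. The log locations are the ones named in the thread; the FRST location (Downloads) and the destination folder name are assumptions.

```powershell
# Added example (not from the thread). Collects the report files the helper asks
# for and writes a SHA-256 manifest next to the copies.
$ErrorActionPreference = 'Stop'

$outDir = Join-Path $env:USERPROFILE 'Desktop\forum-logs'   # assumed destination

# Fixed-location logs named in the thread
$paths = @(
    (Join-Path $env:SystemRoot 'debug\msert.log'),        # Microsoft Safety Scanner
    (Join-Path $env:USERPROFILE 'Downloads\Fixlog.txt'),  # written beside FRST64.exe (assumed in Downloads)
    (Join-Path $env:USERPROFILE 'Desktop\FRST.txt'),      # FRST scan reports land on the Desktop
    (Join-Path $env:USERPROFILE 'Desktop\Addition.txt')
)

# AdwCleaner keeps its reports in C:\AdwCleaner\Logs. The clean report is the
# newest file named AdwCleaner[Cnn].txt; scan-only reports are AdwCleaner[Snn].txt.
$adwLogDir = 'C:\AdwCleaner\Logs'
if (Test-Path -LiteralPath $adwLogDir) {
    $clean = Get-ChildItem -LiteralPath $adwLogDir -File |
        Where-Object { $_.Name -match '^AdwCleaner\[C\d+\]\.txt$' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if ($clean) { $paths += $clean.FullName }
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# -LiteralPath throughout: the AdwCleaner file names contain [ ], which the
# default -Path parameter would otherwise treat as a wildcard character class.
$manifest = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "not found (tool not run yet?): $p"
        continue
    }
    Copy-Item -LiteralPath $p -Destination $outDir -Force
    [pscustomobject]@{
        File    = Split-Path -LiteralPath $p -Leaf
        Written = (Get-Item -LiteralPath $p).LastWriteTime
        SHA256  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    }
}

$manifest | Format-Table -AutoSize
$manifest | Export-Csv -LiteralPath (Join-Path $outDir 'manifest.csv') -NoTypeInformation

# Quick look at how the Safety Scanner run ended (last lines of its log)
$msert = Join-Path $env:SystemRoot 'debug\msert.log'
if (Test-Path -LiteralPath $msert) { Get-Content -LiteralPath $msert -Tail 10 }
```

Run it from a normal PowerShell prompt after each tool has finished; files that do not exist yet are reported as warnings rather than stopping the script. The manifest.csv goes in the same folder, so attaching the folder contents gives the reviewer both the logs and the hashes to check them against.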

Per your request. 

  • Screwed up and left the browser open.  It found six objects in the meanwhile, and they were quarantined.  Closed the browser and rescanned with AdwCleaner; hence the second file.  mea culpa.  
  • I note AdwCleaner is requesting me to 'Run Basic Repair'; should I?
  • I ran ESET (see attached file).  Surprised to see it find a piece of 'Conduit' herpesware.  This first got added to the machine when I downloaded a media player seven or eight years ago.  Pernicious little bugger.  Tried removing it; finally had to go into the registry and kill it like HAL 9000.  Even then, I had to configure my gateway router to block the beast from trying to sneak in.   

AdwCleaner[C00].txt AdwCleaner[S01].txt ESET Scan (2020.02.09.103650).txt


Thanks for the reports. As to Adwcleaner, no, you do not need to do any "basic repair". Close Adwcleaner.

 

What is on the F drive? Is that a removable external drive? What is on it?

My goal on the ESET scan was just to scan the one drive that has the Windows operating system.   That normally should be the C drive.

 

 


OK.  Thanks.  We can disregard the F drive for our main purpose here.

Malwarebytes did not find any rootkit.   There is no rootkit here.   We can wrap up this case.

 

Let me know if you need anything else at this point.

To remove the FRST64 tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.

Then run that ( double click on it)  to begin the cleanup process.

 


It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit, or is odd looking, or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"


Sincerely

 

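The post above recommends a separate Standard user account for everyday web use while keeping the existing administrator login. The PowerShell below is an added example, not code from the thread; it confirms the current session is elevated, creates a standard (non-administrator) local account if it is missing, and then checks that the account holds no membership in Administrators. It assumes Windows 10 (the built-in LocalAccounts cmdlets, which Windows 7 lacks); the account name is an assumption.

```powershell
# Added example (not from the thread). Creates and verifies a Standard user
# account for everyday browsing; the existing admin login is left untouched.
$ErrorActionPreference = 'Stop'
$newUser = 'DailyUser'   # assumed account name

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    throw 'Open PowerShell with "Run as administrator" and run this again.'
}

# Create the account only if it does not already exist
if (-not (Get-LocalUser -Name $newUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $newUser"
    New-LocalUser -Name $newUser -Password $pw -FullName 'Everyday (standard) account' | Out-Null
}

# A standard user is a member of Users and of nothing more privileged.
# Group member names come back as COMPUTER\user, hence the "*\" prefix.
$inUsers = Get-LocalGroupMember -Group 'Users' |
    Where-Object { $_.Name -like "*\$newUser" }
if (-not $inUsers) { Add-LocalGroupMember -Group 'Users' -Member $newUser }

$inAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -like "*\$newUser" }
if ($inAdmins) { Remove-LocalGroupMember -Group 'Administrators' -Member $newUser }

# Final check: fail loudly if the account still shows up in Administrators.
if (Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$newUser" }) {
    throw "$newUser is still an administrator"
}
"OK: '$newUser' exists and is a standard user. Sign in as it for browsing; keep your current login for administration."
```

Run this once from an elevated PowerShell window. Because the script re-checks the Administrators group after making its changes, rerunning it later is a cheap way to confirm that nothing (an installer, a "helpful" tool) has quietly promoted the everyday account back to administrator.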

You are welcome.   I am marking this case for closure.  If you have a different machine that you need help on, Open a new case for it  and be sure you attach the FRST reports in it.

It is all listed in the pinned topic at the very top of this sub-forum.

One machine / per topic please.

 

