Jump to content
DeadBoyHooligan

Rootkit/Malware Assistance Needed

Recommended Posts

Hello, I don't know much about viruses/malware, but I have come to believe I have a rootkit or something of the type taking over my laptop and I'm hoping for some hands on help.

I often cannot delete files due to TrustedInstaller., I am aware it is supposed to be on my computer but I think it is being  used by malware. Every time I  boot, my computer is completely lagged and constantly running the CPU at 100% with nothing open, usually something to do with Service Host/ Controller app or System (ntoskrnl.exe)

 I normally just use Windows Defender for my antivirus, I have tried a few  other options and a few tools with no help. Only thing that showed any progress to finding the problem was running GMER as it showed there was a rootkit present, but in doing so the computer had a problem and was forced to restart. Upon restarting Task Manager is showing CPU ranging from 2% to 10%, although I haven't done anything else otherwise to fix it. So I think my computer is far from clean and the problem is just hiding itself well.

I've searched for information, found similarities but nothing to help remedy my problem. Some direct assistance would be greatly appreciated.

Share this post


Link to post
Share on other sites
Hello DeadBoyHooligan and welcome to malwarebyte....

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

or,

https://downloads.malwarebytes.com/file/mb4_offline

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Single click on the target sight above scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Export toTxt - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

Share this post


Link to post
Share on other sites
Posted (edited)

Hello DeadBoyHooligan,

Only Administrators can alter or remove logs, I`ve PM`d you regarding this. Please rest assured there is no need to worry about what shows in your logs...

The FRST logs do not show any Malware or Infection, there is a Group Policy listed, are you aware of that; do you know what the policy is..?

You mention running GMER, can you show that log please. There many certainly safe programs that hook into the kernel and may show as "rootkit" when scanned, unless you fully understand how systems work never remove what may very well be safe.

Regards,

Kevin

 

Edited by kevinf80
typo

Share this post


Link to post
Share on other sites

GMER keeps crashing my laptop, telling me it's collecting error info, then restarts everytime I run a rootkit/malware full scan on my C : drive with it, so I'm not sure how I will post the logs/results. The quick scan upon opening GMER shows rootkits but I won't remove anything without your advisory.

 

Share this post


Link to post
Share on other sites

I do not know what a group policy is, could you explain?

 

I've screen captured a few things I find curious, could I have your opinion? There are two odd symbols showing up in processes on GMER and bright red fonts in Services.

Screenshot (4).png

Screenshot (8).png

Share this post


Link to post
Share on other sites

The first two photos are when GMER loads, the third is before it crashes when its doing a full scan on the C : drive.

Screenshot (2).png

Screenshot (3).png

Screenshot (6).png

Share this post


Link to post
Share on other sites

Thanks for those logs, unfortunately I cannot really make them out, if I enlarge they get worse...

Offline scan for windows 10

Open the search function, type or copy/paste Windows Defender Security Center then select ok to open that option.

In the new window select Virus and Threat Protection then select Scan Options

The scan options window will open, from there select Windows Defender Offline Scan

You will be given the option to save any opened work etc, then select Scan from there when the scan completes Windows will reboot..

To check for found entries:

Select Start , and then select Settings > Update & Security > Windows Security > Virus & threat protection . On the Virus & threat protection screen select Protection history.

If entries are shown as "Found" the time and date will be same as the offline scan just completed.....

Next,

user posted imageScan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
 
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK
     
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

     
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

     
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply


Thanks,

Kevin...

Share this post


Link to post
Share on other sites

Hey Kevin, sorry the pictures went blurry, when I click on them they seem fine but I'm on a  15" laptop. It's too bad I thought we could've gotten some information from them.

 I've ran the offline scan twice now and when I go to look at Protection History, all it says is " No recent actions."

 

Why am I hiding Windows Entries for the autoruns scan? I've attached the zip file from it. Also, when I went to save it said I am not allowed to save on this PC so i clicked C : and saved it there.

Sorry for this late reply this is just making me want to pull my hair out lol.

MSI.zip

Share this post


Link to post
Share on other sites

Did you run Windows Defender Offline scan...?

Share this post


Link to post
Share on other sites

Was anything found with the offline scans..?

Share this post


Link to post
Share on other sites

It won't show me any information as if I never did them. "No recent action"

I'm so confused. 

If I wipe the computer with a factory reset, I've read that there are times where rootkits and malware can rewrite itself on the OS, so it won't help.. Is this true?

I feel like I'm running out of options.

Share this post


Link to post
Share on other sites

You will only see found entries if there are any, if none then you find none...

Run the following:

user posted image
Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop.
 
  • The file will be randomly named
  • Reboot to safe mode <<<<<------------ http://www.computerhope.com/issues/chsafe.htm
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning
    user posted image
     
  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats

    user posted image
     
  • Press start scan
  • The scan will now commence

    user posted image

     
  • Once the scan has finished click open report <<<--- Do not miss this step

    user posted image

     
  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop


This log will be excessive, Please attach it to your next reply…

Share this post


Link to post
Share on other sites

Still seems as if nothing was found.. yet for some reason still running at 100% CPU... Still not completely understanding what a group policy is or why it is on my computer either..

cureit.log

Share this post


Link to post
Share on other sites

Hello DeadBoyHooligan,

Nothing sinister showing in the cureit log, run FRST again please and post fresh logs...

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"
 
Thanks,
 
Kevin..

 

Share this post


Link to post
Share on other sites

Thanks for those logs DeadBoyHooligan, continue:

Uninstall the following programs:

Emsisoft Anti-Malware Home

McAfee VirusScan

McAfee WebAdvisor

Norton Security Scan


Reboot your system when complete..

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Zip up and attach the following folder:

C:\WINDOWS\Minidump

You will have to copy the folder to your Desktop then zip from there...

Post log from FRST, also let me know if there is any improvement with your system...
 
Thanks,
 
Kevin...

Share this post


Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.