Ghost1977 Posted December 11, 2020 ID:1426591 Share Posted December 11, 2020 for 1 month some one hack with rootkit i knew it by scanning with gmer and i format my ssd 128 gb with clean all in cmd + my hdd 500 gb and i tray dban for my hdd and erase+ in my motherboard for my ssd and i stay cheek my pc every time and i don't find any think and today i tray safe mode and i tray gmer nothing but always give me blue screen i trace I/O so i don't check the box every time when i scan i tray just the box of trace I/O but when i scan with gmer in normal mode of windows i find rootkit he is come back the old or is new rootkit and i tray all soft of rootkit no one of them can find only gmer and this is what i find with gmer when i scan with out check the box of trace I/O i hope find some one help me :( pleas ---- Services - GMER 2.2 ---- Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] AarSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] BcastDVRUserService_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] BluetoothUserService_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] CaptureService_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] cbdhsvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] CDPUserSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] ConsentUxUserSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\CredentialEnrollmentManager.exe (*** hidden *** ) [MANUAL] CredentialEnrollmentManagerUserSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] DeviceAssociationBrokerSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] DevicePickerUserSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] DevicesFlowUserSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] MessagingService_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] OneSyncSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] PimIndexMaintenanceSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] PrintWorkflowUserSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] UdkUserSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\System32\svchost.exe (*** hidden *** ) [MANUAL] UnistoreSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] UserDataSvc_32faf <-- ROOTKIT !!! Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] WpnUserService_32faf <-- ROOTKIT !!! Link to post Share on other sites More sharing options...
Ghost1977 Posted December 11, 2020 Author ID:1426592 Share Posted December 11, 2020 sorry i want to say it's me not some one and sorry for my bad English Link to post Share on other sites More sharing options...
kevinf80 Posted December 11, 2020 ID:1426618 Share Posted December 11, 2020 Hello Ghost1977 and welcome to Malwarebytes, Run the following: Please download Malwarebytes Anti-Rootkit from here Right click on the tool (select "Run as Administrator) to start the extraction to a convenient location. (Desktop is preferable) Open the folder where the contents were unzipped and run mbar.exe Follow the instructions in the wizard to update and allow the program to scan your computer for threats. Click on the Cleanup button to remove any threats and reboot if prompted to do so. Wait while the system shuts down and the cleanup process is performed. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process. When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html When FRST is saved to your Desktop right click, then select "Rename" add "English" so you have FRSTEnglish.exe if not appended with .exe you will have FRSTEnglishNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Thank you, Kevin Link to post Share on other sites More sharing options...
Ghost1977 Posted December 11, 2020 Author ID:1426624 Share Posted December 11, 2020 when i scan with mbar he find no think i scan with hem 2 time and this is all file u asked Addition.txt FRST.txt mbar-log-2020-12-11 (12-04-31).txt system-log.txt Link to post Share on other sites More sharing options...
kevinf80 Posted December 11, 2020 ID:1426653 Share Posted December 11, 2020 Hiya Ghost1977, Thanks for those logs, the original log you posted from GMER is deceiving. The files being flagged as a RootKit are not necessarily so as they are running from the System32 folder.. Both files have been exploited in the past but would then have been seen running from a different folder. MBAR scan has confirmed that statement... Am look over your FRST logs, will reply again when analysis is finished... Thank you, Kevin.. Link to post Share on other sites More sharing options...
kevinf80 Posted December 11, 2020 ID:1426680 Share Posted December 11, 2020 Hiya Ghost1977, Continue with the following: Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from. I`ve had to attach the fixlist file as fixlist.zip Unzip that file so you then have fixlist.txt, save that to the same place as FRSTEnglish.exeNOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.Note: If the tool warned you about an outdated version please download and run the updated version.NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, If you do not have Malwarebytes installed do the following: Download Malwarebytes version 4 from the following link:https://www.malwarebytes.com/mwb-download/thankyou/ Double click on the installer and follow the prompts. When the install completes or Malwarebytes is already installed do the following: Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab. Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following: Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system....https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply... Thank you, Kevin... fixlist.zip Link to post Share on other sites More sharing options...
Ghost1977 Posted December 12, 2020 Author ID:1426787 Share Posted December 12, 2020 AdwCleaner[C00].txt msert.log Text.txt Link to post Share on other sites More sharing options...
Ghost1977 Posted December 12, 2020 Author ID:1426788 Share Posted December 12, 2020 sorry i can't upload fixlog i get error code 200 so i put it her in rar i hope it's ok not a problem and i have some other question when u finish all this thanks Fixlog.rar Link to post Share on other sites More sharing options...
kevinf80 Posted December 12, 2020 ID:1426812 Share Posted December 12, 2020 Ghost1977, Thanks for those logs, yes forum software is causing issues when trying to upload files, sure it will get sorted eventually.. What is the current status of your system now, any remaining issues or concerns... Thank you, Kevin.. Link to post Share on other sites More sharing options...
Ghost1977 Posted December 13, 2020 Author ID:1426920 Share Posted December 13, 2020 i'm afraid the rootkit still exists in my pc or effected my bios or my motherboard and i use flash disk in infected pc and the same flash disk on other pc and afraid that rootkit moved to other pc with the flash disk , after i erase my hdd and ssd i'ts about one month now i use my computer and i don't open any think personal in the pc and i don't see any think strange only gmer is gone from my desktop after i do fix with frst , and after month in this day's only when i use gmer to check it my pc i found it this one so i'm concerns is stay existence in my pc or effect my network or my other device without i now the other pc i scanned with gmer nothing found so i use my pc but i don't put the trust in hem when i get hacked first time all file in hdd gone after restart pc i want to confirm my pc is clean and my network and this rootkit not moved with flash disk or in the network or stay in my network Link to post Share on other sites More sharing options...
Ghost1977 Posted December 13, 2020 Author ID:1426923 Share Posted December 13, 2020 and all think u tell me to following i do in normal not safe mode and thanks Link to post Share on other sites More sharing options...
Ghost1977 Posted December 13, 2020 Author ID:1426924 Share Posted December 13, 2020 i mean normal mode and thanks again Link to post Share on other sites More sharing options...
kevinf80 Posted December 13, 2020 ID:1426942 Share Posted December 13, 2020 Hiya Ghost1977, I have not seen any evidence of any rootkit activity, the GMER log is reporting on normal windows system files (which is not unusual) that is why any GMER evidence has to be discounted in your case... As MBAR did not flag anything whatsoever lets try another scan to double check.. Offline scan for windows 10 Open the search function, type or copy/paste Windows Defender Security Center then select ok to open that option. In the new window select Virus and Threat Protection then select Scan Options The scan options window will open, from there select Windows Defender Offline Scan You will be given the option to save any opened work etc, then select Scan from there when the scan completes Windows will reboot.. To check for found entries: Select Start , and then select Settings > Update & Security > Windows Security > Virus & threat protection . On the Virus & threat protection screen select Protection history. If entries are shown as "Found" the time and date will be same as the offline scan just completed..... Thank you, Kevin Link to post Share on other sites More sharing options...
Ghost1977 Posted December 14, 2020 Author ID:1427041 Share Posted December 14, 2020 Nothing found ... - The rootkit can infect system file or note , the first time i get hacked it infected my kernel of system i just want be sure not the kernel of my motherboard or bios the hack tel me it's put it in my hard disk (ssd) i remember first time it's infect the drivers - can be new rootkit !!!! the first time like this i scan with all soft nothing found only with gmer i which the erase it's do hes work for month nothing found and this days found this rootkit maybe gmer he not update yet for the last update of windows 10 20h2 i hope this , and i hope u Understand me and sorry for my bad English Thank you Link to post Share on other sites More sharing options...
Solution kevinf80 Posted December 14, 2020 Solution ID:1427050 Share Posted December 14, 2020 Hiya Ghost1977, I understand you totally, your english is very good. Personally I have not used GMER since Windows XP was in service. Windows Defender Offline scan is very good at identifying Rootkits, as is MBAR. As both have returned no activity I am confident that your system is not infected with any form of rootkit infection... If you are still unsure and want to try another scan go to the following link and use the instructions to run Kaspersky Rescue Disk 18, that tool will check windows offline and can be used from USB or CD. If you want to run that tool please let me know the outcome... https://support.kaspersky.com/14227 When booted back into Windows Navigate > C:\Kaspersky Rescue Disck 10.0 Open that folder, inside is log from KRD run named "ScanObject" copy/paste that file to your reply. Thank you, Kevin... Link to post Share on other sites More sharing options...
Ghost1977 Posted December 15, 2020 Author ID:1427232 Share Posted December 15, 2020 i get this like u see in the pic and in the files of reports-Quarantine-legal there is files with format i don't now what is it so what i should upload to u files in reports or Quarantine , and when i scan he get 2 Trojan i delete them Link to post Share on other sites More sharing options...
kevinf80 Posted December 15, 2020 ID:1427247 Share Posted December 15, 2020 Can you zip up the folder KRD_Data and attach to next reply please... Link to post Share on other sites More sharing options...
Ghost1977 Posted December 15, 2020 Author ID:1427254 Share Posted December 15, 2020 KRD2018_Data.rar Link to post Share on other sites More sharing options...
kevinf80 Posted December 15, 2020 ID:1427307 Share Posted December 15, 2020 Can you now run the following please: Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop. Select the Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontcryptsupportinfo Note the space between KVRT.exe and -dontcryptsupportinfo C:\Users\{your user name}\DESKTOP\KVRT.exe -dontcryptsupportinfo should now show in the Run box. That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT_data\Reports and look similar to this report_20200727_103821.klr Right click direct onto that report, select > open with > Notepad. Save that file and attach to your reply. To start the scan select OK in the "Run" box. The Windows Protected your PC window will open, select "More Info" A new Window will open, select "Run anyway" A EULA window will open, tick both confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed.... Link to post Share on other sites More sharing options...
Ghost1977 Posted December 16, 2020 Author ID:1427520 Share Posted December 16, 2020 nothing found in this new scan , before when i scan in safe mode withe gmer nothing found but in normal mode find now after the first scan with krd in safe mode nothing found in normal mode some time find some time not and some time not the same infect when i scan with gmer so i think i'm steal fared from the first time when i get hacked with rootkit and the Trojan kdr he find he infect C:\Windows\System32\drivers\etc\hosts hosts2.gen : hosts.xBAD-hosts.rollback file system : 9cd20c6a-ea30-5Fec-beb5-2ac1dec4c695 report_20201216_083544.logs.txt Link to post Share on other sites More sharing options...
kevinf80 Posted December 17, 2020 ID:1427528 Share Posted December 17, 2020 Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Link to post Share on other sites More sharing options...
Ghost1977 Posted December 17, 2020 Author ID:1427530 Share Posted December 17, 2020 Addition.txt FRST.txt Link to post Share on other sites More sharing options...
kevinf80 Posted December 17, 2020 ID:1427533 Share Posted December 17, 2020 Run FRST one more time: Copy/paste the following in the edit box after "Search:".svchost.exe;CredentialEnrollmentManager.exe Click Search Files button and post the log (Search.txt) it makes to your reply. Link to post Share on other sites More sharing options...
Ghost1977 Posted December 17, 2020 Author ID:1427534 Share Posted December 17, 2020 Search.txt Link to post Share on other sites More sharing options...
kevinf80 Posted December 17, 2020 ID:1427535 Share Posted December 17, 2020 Your logs look ok now, how is your system responding, any issues or concerns...? Link to post Share on other sites More sharing options...
Recommended Posts