Jump to content

unknown rootkit i need help with


Recommended Posts

hey guys i have a problem with a rootkit
and i think i have remote access on my pc too 
i have loots or ownership problems with many folders 
i have dublicated prosses in task manager 
small pup up windows when win start 
and keylogger cuz that how it all started 
i have malware primum and shows nothing
image.thumb.png.f108002e38abc7d533ae60e09a882d3a.png

image.thumb.png.ac71f9b5179b9c9a837e31bebba84a59.png

image.thumb.png.6016fea87904d1c3718b2ae369a022ce.png

what shouold i do 

Link to post
Share on other sites

Hello JusTRun7 and welcome to Malwarebytes,

Continue with the following:

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your native tongue rename FRST to FRSTEnglish.
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

Hello JusTRun7,

Can I see scan log from Malwarebytes, also the primary log from FRST "frst.txt" logs are saved here C:\FRST\Logs

Did you personally set the following Firewall rule to block C:\Windows\system32\svchost.exe

FirewallRules: [Microsoft-Windows-Unified-Telemetry-Client] => (Block) C:\Windows\system32\svchost.exe (Microsoft Windows Publisher -> Microsoft Corporation)

The password protected archives list you show indicates that Kaspersky identified those archives but did not scan those entries, quite normal and nothing to be concerned about...

Thank you,

Kevin...

Edited by kevinf80
Link to post
Share on other sites

Hiya JusTRun7,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

The system will be rebooted after the fix has run.

Next,

Please download Malwarebytes Anti-Rootkit from here
 
  • Right click on the tool (select "Run as Administrator) to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt


Let me see those logs in your reply..

Thank you,

Kevin..

 

fixlist.txt

Link to post
Share on other sites

i have 1 app running like 3 times in the task manager and some windows fetuer i can not acces and loot of error in my event manager 
and spical log in 
 

An account was successfully logged on.

Subject:
	Security ID:		SYSTEM
	Account Name:		DESKTOP-2JLA3AS$
	Account Domain:		WORKGROUP
	Logon ID:		0x3E7

Logon Information:
	Logon Type:		5
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		SYSTEM
	Account Name:		SYSTEM
	Account Domain:		NT AUTHORITY
	Logon ID:		0x3E7
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x398
	Process Name:		C:\Windows\System32\services.exe

Network Information:
	Workstation Name:	-
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Advapi  
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

and small pop up screen start on the left said of my windows and go fast and ai do not know what is it 

Link to post
Share on other sites

Run the following for me please;

Please download VEW by Vino Rosso from HERE and save it to your Desktop.
 
  • Double-click VEW.exe. to start, Vista and Windows 7/8/10 users Right Click and select "Run as Administrator"
  • Under 'Select log to query...check the boxes for both Application and System.
  • Under 'Select type to list... select both Error and Critical.
  • Click the radio button for 'Number of events...Type 15 in the 1 to 20 box.
  • Then click the Run button.
  • Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.


Please post the Output log in your next reply.
Link to post
Share on other sites

Boot Configuration Data loaded.

Subject:
	Security ID:		SYSTEM
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x3E7

General Settings:
	Load Options:		-
	Advanced Options:		No
	Configuration Access Policy:	Default
	System Event Logging:	No
	Kernel Debugging:	No
	VSM Launch Type:	Off

Signature Settings:
	Test Signing:		No
	Flight Signing:		No
	Disable Integrity Checks:	No

HyperVisor Settings:
	HyperVisor Load Options:	-
	HyperVisor Launch Type:	Off
A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x3E7

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x25c
	New Process Name:	C:\Windows\System32\autochk.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\System Mandatory Level
	Creator Process ID:	0x23c
	Creator Process Name:	C:\Windows\System32\smss.exe
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x3E7

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x29c
	New Process Name:	C:\Windows\System32\smss.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\System Mandatory Level
	Creator Process ID:	0x23c
	Creator Process Name:	C:\Windows\System32\smss.exe
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x3E7

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x2dc
	New Process Name:	C:\Windows\System32\csrss.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\System Mandatory Level
	Creator Process ID:	0x29c
	Creator Process Name:	C:\Windows\System32\smss.exe
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x3E7

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x3cc
	New Process Name:	C:\Windows\System32\smss.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\System Mandatory Level
	Creator Process ID:	0x23c
	Creator Process Name:	C:\Windows\System32\smss.exe
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x3E7

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x3e8
	New Process Name:	C:\Windows\System32\wininit.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\System Mandatory Level
	Creator Process ID:	0x29c
	Creator Process Name:	C:\Windows\System32\smss.exe
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x3E7

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x3e4
	New Process Name:	C:\Windows\System32\csrss.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\System Mandatory Level
	Creator Process ID:	0x3cc
	Creator Process Name:	C:\Windows\System32\smss.exe
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x3E7

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x310
	New Process Name:	C:\Windows\System32\services.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\System Mandatory Level
	Creator Process ID:	0x3e8
	Creator Process Name:	C:\Windows\System32\wininit.exe
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x3E7

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x318
	New Process Name:	C:\Windows\System32\lsass.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\System Mandatory Level
	Creator Process ID:	0x3e8
	Creator Process Name:	C:\Windows\System32\wininit.exe
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

this are from my pc 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.