How to scan for root kits

[D1117]

How do I get Malware bytes to scan for root kits. I am pretty sure I have been infected with one or more browser modifications that are not showing up. How do I start from the bottom, so to speak, and get my OS scanned for a root kit?

[Porthos]

@D1117

Let's get the info to get the process started. A single scan might not clean up your issue.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that files and folders are set to SHOW, plus also, Turn OFF Windows Fast Start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply
  
  Then be patient for the next expert to take your case.

Thank you

[Maurice Naggar]

Hello D1117. My name is Maurice. I will guide and help you, going forward. Kindly insure to attach the Zip diagnostic report. It is such a crucial requirement for analysis. Have much patience. We will be doing different procedures. First, the report.

[D1117]

I ran the support tool. Here is the resulting file.

 

mbst-grab-results.zip

[Maurice Naggar]

Thank you. I will review.

[Maurice Naggar]

Just some remarks; a question, then 1 first task.
The Windows build version is Windows 10 Pro Version 21H2 19044.3086 (X64), which is Old. It ought to be on the latest release build 19045.3693. We will cover that at the end.
Is this Windows 10 pc your own Home computer?  Or is it one that is used for company interaction ?

There is also a highly suspicious policy restriction on Windows update. I will eventually get that removed.

There was a I P Block notice on the 6th about "ntnhelp(.)site".  The Malwarebytes is keeping your pc safe from harm.
While some of us may just hypothesize about a "rootkit" presence, it can well be unfounded.
Anyhow, we can start with this run of the Malwarebytes MBAR anti-rootkit tool to just see if 'anything of that sort' is afoot.

First, be sure to do a Windows Restart. Wait for it to settle back in. And do not launch any user-app on your own. Just only what is absolutely necessary. Know that we will do a lot more after this here. Know that MBAR is for a one-time use.

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic.Run the MBAR tool as listed here 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

• when done, I need the MBAR logs.
• Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
• Both files can be found in the extracted MBAR folder on your Desktop.
• Please attach both files in your next reply.

This is unrelated. Just some necessary housekeeping.

Please do the following actions, so that Microsoft Defender antivirus runs side-by-side along with Malwarebytes.
Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

 

Edited December 10, 2023 by Maurice Naggar
amended

[D1117]

I am running the anti-rootkit program. Prior to that, I did discover keyboard logger extensions on Chrome and Edge. I removed these. This is a home PC.
I do have two other PCs on my home network, but these don't seem to be infected. The second one is Win 11. The other is Win 10 Pro. The Win 11 does have Malwarebytes installed. Not sure about the other. The infection was caused by me stupidly clicking on a scam email about Norton Lifelock refund. I will send more info after the root scanner finishes.

 

 

 

[D1117]

I checked the third PC. It has Malwarebytes on it now.

[Maurice Naggar]

I hope the MBAR run has finished. I need the 2 logs from that run.  See my post earlier. 

• Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
• Both files can be found in the extracted MBAR folder on your Desktop.
• Please attach both files in your next reply.

[Maurice Naggar]

Anticipating getting the 2 MBAR logs. Now then, here is the next thing to do, This is a part of the hunt for potential malware.

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1:  This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers.  It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

FRSTENGLISH,exe  program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt<- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

[D1117]

Here is the FIXLOG.TXT file. 

BTW, thank you for the assistance.

Dave K

Fixlog.txt

[Maurice Naggar]

I hope the MBAR run has finished. I need the 2 logs from that run.  See my post earlier. 

• From the run of MBAR, two files named mbar-log.txt and system-log.txt will be created.
• Both files can be found in the extracted MBAR folder on your Desktop.
• Please attach both files in your next reply. I have requested those before. 🙂

[D1117]

I did send you the Fixlog. Txt file yesterday. Did you not get it? 

Dave 

[Maurice Naggar]

I did get the Fixlog.  That is not what I am seeking.  Re-read my last post. I look for the 2 LOGS from the MBAR run  !!  I have repeatedly asked for them so I can review.  Before we go forward to do other steps.

[D1117]

Sorry, I guess I skipped this step.

Regards, 

Dave

system-log.txt mbar-log-2023-12-09 (14-12-33).txt

[Maurice Naggar]

Thank you. The MBAR anti-rootkit found no threats. That is re-assuring.

The custom-run ( Fix run )is good. The Windows System File Checker has made some corrections.

Quote

Windows Resource Protection found corrupt files and successfully repaired them.

The custom-Fixlist run has completed what was intended.

As a next step, I suggest the following:
This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started.

If upon launching the Esetonlinescanner, there is a windows-message box displaying

A driver cannot load on this device. Driver ehdrv.sys

then, please, TICK the check-box

"Don't show this message again"

and then, click the Close button on that window-box. The ESET scan will proceed forward.

• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
• Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
• and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

• At screen "Detections occurred and resolved" click on blue button "View detected results"
• On next screen, at lower left, click on blue "Save scan log"
• View where file is to be saved. Provide a meaningful name for the "File name:"
• On last screen, set to Off (left) the option for Periodic scanning
• Click "save and continue"
• Please attach the report file so I can review

[D1117]

I  let it run overnight no threats detected. Does this program do something other than what Malwarebytes or Windows Defender does? 

[Maurice Naggar]

Hi. Malwarebytes has its own sets of definitions for malware, as well as its unique detection engine. It also unique. It is not a traditional antivirus
Yes each scanner can detect different malware than another.
ESET Onlinescanner is top shelf. It can detect malwares not detected by the others.
 

Now a different scan with another security scanner. 

You should first Close as many of your open-user app-screens as possible. That is to say, Exit all that you do not need to have open.

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.



Drag and Drop KVRT.exe into the Run Box.



C:\Users\David\DESKTOP\KVRT.exe will now show in the run box.



add

-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\David\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.



That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"



A new Window will open, select "Run anyway"



A EULA window will open, tick both confirmation boxes then select "Accept"



Go slow & careful on this part.  In the new window select "Change Parameters"

 

• In the new window ensure the following boxes are ticked:
  • System memory
  • Startup objects
  • Boot sectors
  • System drive

• Then select "OK" and "Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

• completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
• Usually, your system needs a reboot to finish the removal process.
• Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20231212_203000.klr

• Right click direct onto those reports, select > open with > Notepad.
• Save the files and attach them with your next reply
• Have lots of patience, as this will most likely run for many hours.
• Also, be aware I am a volunteer here. 

Edited December 11, 2023 by Maurice Naggar

[D1117]

I followed the directions, added the command line parameter and changed the parameters, then told it to scan. It is showing progress activities. Will let you know how it goes.

[Maurice Naggar]

No sweat. Just let it do its work. It will take many hours till it finishes. We are not in a rush.

[D1117]

Here are the two report files. I just added a .txt suffix to the end of the original file names.

report_2023.12.11_11.52.54.klr.txt report_2023.12.11_17.41.43.klr.txt

[Maurice Naggar]

The 1152 run found some threats. The last run of 17:41 found no threats. I believe the pc is at a point where there are no actual malware.

• about Scan for rootkits: A specific set of rules is used during scans to determine if rootkits are present on your device. Rootkits are malicious software that can modify operating system files and hide their presence. Toggling this setting on will make scans more intensive and effective, but increase the time to complete them. By default, this setting is Off.
• We can turn on ( as a one time / on-demand run) and then do a Threat Scan & be sure to let me know the result
• Launch Malwarebytes. Click the Settings ( gear ) icon.
• Now click the Security Tab.
• Scroll down to Scan options
• Click on Scan for rootkits  so that it shows as Enabled  ( all the way to the right.
• Then do a Threat scan.
• after it has finished, relay a copy of the report on next reply.
• When all done, go back and Disable the Scan for rootkits.  Normally we want it Off so that future scans do not take forever ro finish.

[D1117]

Just for the heck of it, last night, after the Kaspersky scan was completed and it said all was OK, I ran MS Windows Defender. It did find some things. See the attached screen print. 

I need to go out of town soon and hope to be back by 6 pm.

Let me know what other steps I should take.

Thank you, 

Dave K

[Maurice Naggar]

If you look at the displayed set of information on that screen.....the Expanded item at the bottom. That has been dealt with. MS Defender has put it in Quarantine.

For each one of the other lines. if you click a Line so that more detail is shown....IF there is a Actions button, Click on it to see more details and possible Actions to apply.

 Do a custom scan with Microsoft Defender Antivirus ]

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select CUSTOM scan & then pick the C drive  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.

DO keep in mind, MS Defender antivirus has its own set of detection rules.

 

[D1117]

Defender completed a scan of all the drives and, other than the ones it showed already. Nothing was found. I had it remove the items it found. 

To change any of the Malwarebytes settings, Tamper Protection seems to be set to ON and it does not want to all me to change anything.. Should I remove that? I think that will require a re-install of the program.

Dave K