
GMER finds rootkit modifications. How to fix?

Q: GMER finds rootkit modifications. How to fix?

[I cannot write or attach anything substantial - I keep getting 'the connection to the server was reset' after copying and pasting the HJT, dds, and GMER files.]

How do I post...?


Hi all,
 
After running GMER, I am being notified that there are "rootkit modifications" detected. I'm very concerned, and I'd be grateful if someone could help me out in disinfecting my computer. I can attach or copy&paste logs if required.
 
TDSSKiller and MalwareBytes have not detected anything, but it seems that GMER and RogueKiller do.
 
I am very new to malware detection and removal, so I apologise for any incompetencies.
 
Thank you.
 
Edit: I think I posted this topic in the wrong forum, and that it should have been in the Virus and Malware Removal forum.
 
Moderator Edit: Moved from Windows 8 to a more appropriate forum.
Roger

A:GMER detects rootkit modifications

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/530827 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more


Hi guys, I've been having problems with a next door neighbour who says he has hacked my PC. My wifi is always secured with an encrypted WPA2 password and I don't use WPS. I use Windows Firewall and ESET NOD32 antivirus.
Also I don't use any file sharing or anything like that and I don't open any weird emails, yet I am convinced he is telling the truth and somehow he has managed to "get in" to my PC through very clever means. According to another neighbour he has been to prison before for cybercrime activity, yet he is allowed a PC.
 
Interestingly before the scan starts I get the message: C:\Windows\system32\config\system: the process cannot access the file because it is being used by another process
 
And then at the end of the scan I get this message: C:\Users\Garypc\ntuser.dat: the process cannot access the file because it is being used by another process
 
 
Here are the results
 
 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-11 17:13:23
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000034  rev. 0.00MB
Running: tnsyxj5d.exe; Driver: C:\Users\Garypc\AppData\Local\Temp\fwloqpow.sys
 
 
---- User code sections - GMER 2.1 ----
 
.text   C:\Windows\system32\atiesrxx.exe[840] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                               000007fc1ed7177a 4 bytes [D7, 1E, FC, 07]
.text ... Read more

A:GMER finds rootkit-like behavior and unknown MBR code

Hi there, my name is Marius and I will be assisting you with your malware related problems. Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read.
Thanks for your understanding.

Scan with FRST
To run FRST on Vista and Windows 7:
For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
Plug the flashdrive into the infecte... Read more

A:It says Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

Hello, my name is Sempai and welcome to Bleeping Computer.
* We apologize for the delay. The forum has been busy.
* I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.
* It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.
* You must reply within 5 days otherwise this topic will be closed.

1. We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

2. We need to check for rootkits with RootRepeal
Download RootRepeal from the following ... Read more


DDS
DDS (Ver_10-03-17.01) - NTFSX64 Run by PC at 15:43:25.94 on Mon 04/26/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.4525 [GMT -4:00]
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\system32\lsm.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Program Files (x86)\AVG\AVG9\avgemc.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\SUPERAntiSpywa... Read more

A:Possible Hijack but GMER finds nothing

I utilized Sophos Anti-Rootkit and it discovered the following files:
C:\hp\documentation\OPS_Shortcut.exe
C:\Users\PC\Runes_of_Magic_2.1.0.1871\ROMSetup.exe
D:\hp\Apps\APP26370\src\ForHDX\setup.exe
D:\hp\Apps\APP26370\src\ForPavilion\setup.exe
D:\hp\Apps\APP26370\src\ForPresario\setup.exe
D:\hp\Apps\APP26370\src\ForTouchSmart\setup.exe
It recommended leaving them be.


My computer will regularly crash [everything stops responding and I get the little circle saying it's working on it] and I seem to have semi-fixed it. It works sometimes, other times it doesn't. I can start in safe mode and it will normally run perfectly fine, though explorer crashed on me once and I couldn't figure out how to restart or anything [win+r wasn't bringing up the run window] but Firefox and Chrome were still running fine.
When I tried to run Gmer I couldn't check all of the boxes [see attached picture] or not... it appears it won't let me attach anything..
edit: or not, it's working now... *so confused*

DDS Log:
DDS (Ver_09-12-01.01) - NTFSX64 NETWORK Run by Marco_2 at 17:15:44.45 on Tue 02/16/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8125.6973 [GMT -6:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Marco_2\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Progr... Read more

A:Not sure if I have a virus honestly--Gmer finds malware

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Hello, long time no see...I have tried to get rid of the search redirect virus for a few days...without success.
The problem is with the Toshiba laptop with Vista Home. I have run Antivir, Superantivirus and Malwarebytes...all came clean. Proceeded to rootkit tools with following results:

F-Secure: Clean
Kaspersky: Clean
Stinger: Found two issues, did not delete redirect
Sophos: Found several hidden objects + randomly named applications crashed (could this indicate a rootkit?). I have not deleted any of the hidden items.

GMER (added: run in SAFE MODE):
Run IAT/EAT box checked first, got following detections (nothing shown in red color though):

Kernel code sections
.text C:\Windows\system32\DRIVERS\tos_sps32.sys
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys

Devices
AttachedDevice \Driver\kbdclass \DeviceKeyboardclass0
AttachedDevice \Driver\kbdclass \DeviceKeyboardclass1

Then ran with the IAT/EAT box unchecked: the above detections, followed by a bluescreen. I am running the program with the box unchecked again... so far no bluescreen, the above detections shown with slightly different text.

Now... does the above indicate the computer has a rootkit? What should I do next? Is it safe to remove/clean the above detections? Why did the other tools either crash or not find anything?

I have NOT reset the cablemodem/wireless router (Linksys WCG200)...is this necessary? My desktop hooked to the router with cable seems to work OK, the laptop with wireless connection is the one that has the... Read more

A:Search redirect virus...Kasperky shows clean, GMER finds something etc..please help.

I was reading that ComboFix would probably be the next step, so I downloaded it from bleepingcomputer and ran it from the desktop; the log is below. I have not done anything else except uninstall ComboFix after running it. Should I do something else here? Thanks again to anyone who can get into my issue.
-----------------------------------------

ComboFix 11-03-12.01 - JS 03/13/2011 19:22:03.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1172 [GMT -4:00]
Running from: c:\users\JS\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
FW: ZoneAlarm Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\xp
c:\users\JS\AppData\Local\{AABE77CA-5ECE-42BE-9C2C-E28F9E90F9FB}
c:\users\JS\AppData\Local\{AABE77CA-5ECE-42BE-9C2C-E28F9E90F9FB}\chrome.manifest
c:\users\JS\AppData\Local\{AABE77CA-5ECE-42BE-9C2C-E28F9E90F9FB}\chrome\content\_cfg.js
c:\users\JS\AppData\Local\{AABE77CA-5ECE-42BE-9C2C-E28F9E90F9FB}\chrome\content\overlay.xul
c:\users\JS\AppData\Local\{AABE77CA-5ECE-42BE-9C2C-E28F9E90F9FB}\install.rdf
c:\windows\system32\bszip.dll
.
.
(((((((((((((((((((... Read more


First off, Hello! I am new here, and want to give all the staff a great big THANK YOU for volunteering your time helping folks.
I myself have learned a TON from reading the topics here, and hope to learn a great deal more.

I have included the information asked for by Rimmer in my signature to help with identifying my system specs, etc.

A while back, I was using Norton 360 and got infected with some malware, mainly Alureon.BC and Alureon.BJ.
That prompted me to switch to WindowsLive OneCare and also supplement with Mbam, which has been working great.

My Mbam scans and OneCare scans are coming back clean, but...

From time to time as I research more on malware removal techniques, I download and test out scanning tools to
make sure my protection software isn't missing things. My system seems to be running ok, but I have scanned
with Rootkit Revealer, as well as Gmer and found some odd looking stuff...

Mainly, I noticed a slew of entries in the scan that were similar to the following:

Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1

I followed the steps in Grinler's preparation post, and downloaded and ran DDS. That seemed to work fine.
I will post the DDS log as well as attach my attach.txt below.

I tried running RootRepeal, and upon selecting Report, and clicking Scan, and selecting the items and drives,
the program said "Initializing, please wait..." and ... Read more

A:Mbam Scans clean, but gmer finds odd stuff and rootrepeal locks up my system

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


**close please**
 

A:avast! finds rootkit-gen

Just bumping. avast! full scan didn't find anything
 


We have (2) Win XP hard wired to a router. During some, but not all, startups of the XP computers Avast warns that it has found a rootkit. It lists it as FileName: c:\windows\system32\Drivers\ATWPKT2.sys
Avast suggests delete or ignore. We have tried both choices, but neither choice works. When I run Registry Mechanic, it identifies the file as a problem, but it will not delete it. Avast will not delete it. Neither Spybot nor Ad-Aware sees the problem.

Any ideas appreciated.
Verne
 


I have a computer and it had a rootkit virus, but ComboFix seemed to get rid of it. I removed a bunch of programs, ran chkdsk /r, ran Trend Micro antivirus, HijackThis (to clean up the registry), malwarebytes & Sophos Anti-rootkit. However, I have run ComboFix after every one of these and it still reboots with "rootkit activity". Can you help with this?

The computer is a Dell Latitude X1, WinXP Pro SP3.

A:ComboFix always finds "rootkit activity",

Please follow the instructions in ==>This Guide<==. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them. If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. Once you have created the new topic, please reply back here with a link to the new topic.


Hi--

Thanks for being here.

I ran AVG and got this weird log:
The "Whole computer scan" was stopped before completion.
Rootkits;"10";"0";"10"
Folders selected for scanning:;"Whole computer scan"
Scan started:;"Friday, August 17, 2012, 7:26:13 PM"
Scan finished:;"Friday, August 17, 2012, 7:35:20 PM (9 minute(s) 6 second(s))"
Total object scanned:;"1873182"
User who launched the scan:;"Coleen"
Rootkits
;"File";"Infection";"Result"
;"C:\Windows\system32\drivers\dwprot.sys";"Service function NtUserPostThreadMessage hook -> dwprot.sys +0x15B98";"Object is hidden"
;"C:\Windows\system32\drivers\dwprot.sys";"Service function NtUserQueryWindow hook -> dwprot.sys +0x15AAC";"Object is hidden"
;"C:\Windows\system32\drivers\dwprot.sys";"Service function NtUserSendInput hook -> dwprot.sys +0x16B88";"Object is hidden"
;"C:\Windows\system32\drivers\dwprot.sys";"Service function NtUserSwitchDesktop hook -> dwprot.sys +0x15996";"Object is hidden"
;"C:\Windows\system32\drivers\dwprot.sys";"Service function NtAllocateVirtualMemory hook -> dwprot.sys +0x162D2";"Object is hidden"
;"C:\Windows\system32\drivers\dwprot.sys";"Service function NtCreateThread hook -> dwprot.sys +0x17904";"Objec... Read more

A:AVG finds rootkit, calls for dwprot.sys

I forgot to say....HELLLPPP!

(This is a follow-up only tangentially related to my virus problem--but it occurred to me that perhaps something questionable was going on and you people should know. I was googling for my issue today, and found one other post at CNet (which didn't help me)--and then this link--where someone else had copied my entire post to you and put it up at their website. Here's the link: http://arabtube.in/showthread.php?t=11341

Do you KNOW about that other site and whatever they are doing?)
 


Vista 64 bit PC has rogue antivirus. Ran Kaspersky rescue disk and Microsoft Defender Offline 64 bit from disk. Both programs found large numbers of trojans of various kinds. MS Defender Offline also found that services.exe was infected. A lot of files were hidden and there is a new B: partition listed in Windows Explorer.

Booted to safe mode with networking, ran Combofix. It got to Stage 50 and came up with a message stating that a system file was infected and it was trying to restore it. System file is c:\windows\system32\Services.exe. Then combofix gets no further. I note in taskmgr that pev.3xe gradually ups its RAM commitment to around 21MB then apparently restarts itself and RAM commitment goes back to 2 or 3MB. This cycle continues ad infinitum.

I have tried lots of rootkit and bootkit tools. GMER indicated that a bunch of registry keys were infected, but nothing else found anything.

I am on the verge of wiping and reinstalling Windows unless you can help me.

A:Combofix finds rootkit, hangs

Do not run ComboFix. It should not be run without expert guidance.

Download TDSSKiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here

Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply


Hi Guys
 
I have an Acer laptop with Windows 8 OS. I have Avast Antivirus Free as security.
 
The laptop is seldom used and I switched on to update and thought I'd run a scan. Avast came up with several rootkit infections that it would not let me delete. It then told me that it had an important update and said it needed to do a boot scan. I allowed it to do that and then it updated.
 
I have since run another scan  and it has found nothing apart from it being unable to scan a google toolbar.
 
Any thoughts
 
Cluey

A:Avast finds several rootkit infections

Can you post the logs?


Hi. Every single boot when I run a scan with UnHackMe to scan the system startup, I get an unknown file which it says may be a threat. When I click delete, it reboots but the file will not delete on the bootup; it says the file is not found. Even after it finds it, it says the file is not there on the reboot/delete process.

The file names are always ad2k2sr.sys or some random variation of letters and numbers, and every time I reboot it is renamed something new, and is also invisible and undeletable. UnHackMe is the only program that seems to be able to find it, yet it cannot delete it. I don't know what else is left to do. aswMBR finds an atapi.sys threat which says IRP_MJ_CREATE, but after the scan there is no option to fix it.

On the regular scans with UnHackMe it finds about 7 unreadable files which are inaccessible, but I cannot scan them or upload them because after it finds them, it says they do not exist.

I've run scans with just about everything. This possible virus/file appears every time I boot with a new filename, so I think it renames itself every boot to hide. How can I fix this? I posted before and ran through a series of tests with various programs but then I was told to post again. I don't know why... I've done all the normal procedures prior to posting, I believe.

How can I remove this? I did a format and it didn't seem to fix my issue since I instantly have become re... Read more

A:Can't delete malware (rootkit?) with UnHackMe even though it finds it...?

Welcome aboard

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Up... Read more


Hello all, I have a computer that locks up every now and then.  Ran Malwarebytes, it came back clean.  Ran Tdsskiller, it came back clean.  Ran Malwarebytes Rootkit scanner, it came back clean.  Ran Norton Power eraser, it came back clean.  Combofix detects rootkit activity and says it finds the zero access rootkit but never removes it.  I ran Security Check, Adwcleaner and roguekiller and attached the logs.  Any help is appreciated.  Results of screen317's Security Check version 0.99.61  Windows XP Service Pack 3 x86   Internet Explorer 8 ``````````````Antivirus/Firewall Check:`````````````` Windows Security Center service is not running! This report may not be accurate! Windows Firewall Enabled!  WMI entry may not exist for antivirus; attempting automatic update.`````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.70.0.1100  CCleaner     Adobe Reader 10.1.6 Adobe Reader out of Date! ````````Process Check: objlist.exe by Laurent````````  Malwarebytes Anti-Malware mbamservice.exe  Malwarebytes Anti-Malware mbamgui.exe  Malwarebytes' Anti-Malware mbamscheduler.exe  `````````````````System Health check````````````````` Total Fragmentation on Drive C:: 0%````````````````````End of Log`````````````````````` 

 ... Read more

A:Combofix finds rootkit zero access but doesn't clean it

I've attached the ComboFix log. It still says I'm infected with Rootkit.ZeroAccess! and that it has inserted itself into the TCP/IP stack. Any help is appreciated.
 
ComboFix 13-03-28.01 - glenn 03/29/2013   8:19.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1013.420 [GMT -7:00]
Running from: c:\documents and settings\glenn.DORNINGTRACTOR\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-28 to 2013-03-29  )))))))))))))))))))))))))))))))
.
.
2013-03-29 14:36 . 2013-03-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2013-03-29 14:35 . 2013-03-29 14:35 73728 ----a-r- c:\documents and settings\glenn.DORNINGTRACTOR\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-03-29 14:35 . 2013-03-29 14:35 73728 ----a-r- c:\documents and settings\glenn.DORNINGTRACTOR\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-03-29 14:35 . 2013-03-29 14:35 73728 ----a-r- c:\documents and settings\glenn.DORNINGTRACTOR\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2013-03-29 14:35 . 2013-03-29 14:35 -------- d-----w- c:\program files\Sophos
2013-03-29 14:26 . 2013-03-29 14:26 ----... Read more


Malware has seized my computer - very slow, and Sophos Anti-Rootkit issued a warning that I may not have access to all of my registry, and found a hidden registry key (HKEY_LOCAL_MACHINE\Sam)

After the last lockup, my computer (Windows XP service pack 3) did reboot, but now I cannot enable the Windows firewall. I notice an installation of Java that I didn't perform or authorize. Thank you for any help!

Carla

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 15:40:04 on 2013-01-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.621 [GMT -5:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: AVG Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton AntiVirus\Engine\18.7.1.3\ccSvcHst.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Norton AntiVirus\Engine\18.7.1.3\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysd... Read more

A:Malware - Rootkit? Sophos finds hidden registry key

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/481756 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


System particulars: Win 7 Professional, SP1, 64 bit, 4GB ram, MicroElectronics
 
I am helping a friend with his computer.  It started with a virus that appeared.  After booting up and logging in, things would seem to start up normally and then the screen would get taken over by a large splash screen.  The taskbar and desktop were gone.  The screen had a lot of official text about national security and gave his IP address and quoted a lot of threatening legalese.  It provided a link to go to in order to pay money to unlock the computer.  I switched user to another account on his system with admin privs and this account did not have this problem.  His main account also has admin privs.  I used Norton (which was already installed) to scan his computer and it found no problems.
 
I then installed and ran Spybot.  It found and removed a few things but they didn't appear to be very serious.
 
I then installed and ran Malwarebytes and it found some serious things which I removed.
 
I then installed and ran AVG (whole system scan) and it found many serious things... 73, some of which it seemed to be able to handle and fix (green check marks) but others remained as threats and had X instead of checkmarks.  The nature of these threats was Object name: idle, and all were identified by Anti-rootkit.  I clicked the button to 'remove all' and it said this required a reboot.
 
After rebooting an... Read more

A:AVG finds 59 threats detected by auto-rootkit; can't remove them

Hello wordplay and Welcome -
Do you recall the exact wording of the screen "FAKE" ransomware problem?
Although 99% can be fixed the same way, some are a bit altered -
 
http://www.bleepingcomputer.com/virus-removal/remove-your-browser-has-been-locked-ransomware
The above is only 1 version that includes FBI / Police / Porn / and others.
 
If you do recall the name I can link specific directions for you -
 
Thank You -


Had some nasty stuff including Vundo infection... think I got rid of most of it but something is still there. MBAM, SAS, Kaspersky, Eset come up clean. Have not tried all of these in Safemode. House call on the other hand finds D:\WINDOWS\system32\drivers\mshcmd.sys and it's categorized as a rootkit. After attempted clean and reboot it is still there. I have a dual boot system with Vista on C: and Win Xp on D: . I wonder if this is why House call can't seem to clean what it found. Somehow it isn't able to continue cleaning after reboot? Just a guess.

Here is my HJThis Log...please advise...and thnx in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:33 PM, on 2/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files... Read more

A:House call finds Mshcmd.sys (rootkit) but cant clean

Please download The Comedian.exe by Rorschach112 to your desktop
Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
Double click the program to run it. It will only take around several minutes to run.
It will do a series of tasks and tell you when each one is finished.
You will be prompted to press any key after each step
When it is done it will close and exit itself automatically.
You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..
NEXT
Please download OTS by OldTimer and unzip it to your Desktop..
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
Close ALL OTHER PROGRAMS.
Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
At the top, tick on Scan All Users section
At File Age set it to 90 Days
In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
In the Files Created Within and Files Modified Within section, set it to File Age
At the bottom, tick on all Safe List and Use Company Name WhiteList option
Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - Ext
Reg - IE Explorer Bar
Reg - NetSvcs
Reg - Safeboot Minimal
Reg - Safeboot Network
File - Lop Check
File - Purity Sca... Read more


Running XP SP3
Picked up some scareware from a Reddit link (hence the username)
Gives a bogus windows security screen... got rid of that by searching for the process and deleting:
dvp.exe
apoint
apntex

Reinstalled apoint (my touchpad).

virus killed symantec, malwarebytes.

various malware filters find various trojans. (malwarebytes after reinstall), adaware, superantispyware.

SUPERAntiSpyware in safe mode:
1st run: trojan.agent/gen-zaccess[xs]
2nd run: trojan.agent/gen-krpytik (but in restore point)

ran rkill,found this on the second or third time:
C:\WINDOWS\system32\wuauclt.exe
also, rkill always kills adaware.

Followed instructions in the prep guide:
----------------------------------------
defogger: nothing

ran dds, (log below) noticed one of you guys say not to attach files so I'll paste.

Tried GMER. Seemed to be working the first time until my machine froze.
Now I get the same grayed out problem some others have reported (all but bottom three entries in top right grayed out). On start, GMER pops up an error that says:
"LoadDriver (..\Temp\pwlyipog.sys) error: Cannot create a stable subkey under a volatile parent key."
So I tried deleting the files in temp but the error repeats.

I noticed one of you requested RKUnhooker so I ran that and it looks like it found something so I'll paste it first:
---------------------------------------
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
O... Read more

A:IE/Google redirect; tdsskiller finds rootkit.win.32.zaccess.aml

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more


I believe I may have a rootkit problem. My machine started freezing up when coming out of screensaver. I was able to check the services, and found 374039819:4103779561.exe running. On reboot, although it is just 4++ bytes, it hung up for awhile before allowing the rest of the services to load.

My antivirus progs were 'inaccessible,' and could not be deleted (for a clean install). I ended up with Opencloud Security, but was able to download and run malwarebytes, which removed it (I believe). mbam worked for awhile before suffering the same fate as the other progs, but not until I realized it was blocking 'something' from accessing websites. I am assuming this is how Opencloud reached my 'puter.

I cannot run any helper programs in a normal boot. I can, however, boot to safe mode and/or w/networking, although I was having problems for awhile (the boot hung at mup.sys - this seems corrected). I ran dds and gmer while on safe mode. dds logs are below, but there was no way to save the gmer log without copying it explicitly. I am rerunning the scan to get the full log. The problem was that there was no 'copy' or 'save' button on my screen. I would assume that this is because safe mode puts me at 600x800, and the gmer display is larger than that. If not, I have no idea.

In normal boot, there is a svchost error at the user screen.

I normally don't run more than one antivirus, but you may see more than that in the logs.

This i... Read more

A:rootkit (gmer) --

Hi,
Please do the following:
Download ComboFix from one of the following locations:
Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\C... Read more


Hello. My computer was acting weird and I did a reinstall of Windows because I thought I could have a rootkit. I deleted partitions and installed Windows 7 with the CD.
So, I directly installed Gmer to check if it's removed.
Here's the log. Please help me guys.. I am so sad..
Are those false positives? Is my system clear or am I still infected after reinstall of Windows?
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-10-29 19:46:31
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1CH162 rev.CC56 931,51GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\IsaUhr\AppData\Local\Temp\ffdiqpog.sys
---- Threads - GMER 2.1 ----
Thread C:\Windows\system32\svchost.exe [964:2596] 000007fefad31ebc
Thread C:\Windows\system32\svchost.exe [964:776] 000007feeb7fb1b0
---- EOF - GMER 2.1 ----

A:GMER ROOTKIT

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
The fixes are specific to your problem and should only be used for the issues on this machine.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
Please be sure to subscribe to the topic if you have not already done so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so. DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
Having said that....     Let's get going!!  
----------
 
Since you reinstalled your operating system you are more than likely ok.  When you do that, the entire hard drive is wiped and all new information is install... Read more


Hi,

Just before my recent move my PC began acting funny. I had just updated my program version of Zone Alarm Pro and their forum showed a lot of people having difficulties. As clearing this up involved a lot of time I left it until after my move. However the problems became worse. Using Norton System Works I discovered my CPU, RAM and Cache Memory were always at 100%. Even in Safe Mode, with only Microsoft's Malicious Software Removal Tool ( MMSRT) running, Task Manager still showed CPU at 100%. This got me thinking perhaps it's not ZAP - either I need more power or... I may have a rootkit.

I'll briefly describe a) the PC behavior, b) the steps I've taken and c) the results of the GMER scan below and hopefully someone will be able to help me.

PC Behaviour: Would freeze on Blue Screen after Boot Screen when I restarted but worked if I turned it off and then on/ Two system crashes, after which it rebooted and Microsoft Error Reporting reported one due to a device driver and the other as a corrupted error report. / A new printer icon under Printers in Control Panel ( which I deleted but don't think it uninstalled the driver) / IE, Windows Explorer, and other Win Apps "encountering problems and having to close down." / Blue Screen on some Startups and not others even if I turned it completely on and off. / Spyware Doctor not loading at Startup even though set to, plus its sys tray icon sometimes not displaying even while Task Manager s... Read more

A:GMER says ROOTKIT - HELP PLEASE


http://sagearchetype.blogspot.in/2013/12/my-rootkit.html
 
Above are screen shots from gmer.
Do  I have a rootkit ?
 
Have run the following:
Spybot, Malwarebytes, Microsoft Essentials, Avast Antivirus
haven't found any bugs. Have run ccleaner.
 
After running CHKDSK and again running gmer, the
alerts in the two screen shots then disappeared ??
My PC is awfully slow. Though I have only 1 GB RAM.
But the PC has become slower than before.
 
Also ran other Anti Rootkit, Tdskiller and Rootkit Revealer,
and some others.
 
screen shots in above link.
 
 

A:Gmer log Do I have a rootkit ?

Can you post the logs for the tools you have ran?


I believe my computer has a virus.  Every time I do a malwarebytes scan it finds rootkit.fileless.mtgen and every time I delete it but it doesn't go away.  Is there any way to fix this without formatting my computer?  Can anyone help?

A:Every time malwarebytes does a scan it finds rootkit.fileless.mtgen

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the LogFile button and the report will open in Notepad.
IMPORTANT
If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===
Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first ti... Read more


Can you take a look at these logs please and let me know if I should just burn this computer? Thanks
 
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-22 07:12:46
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000002d ST1000LM024_HN-M101MBB rev.2BA30001 931.51GB
Running: gmer.exe; Driver: C:\Users\Freedom\AppData\Local\Temp\agndipod.sys
---- Threads - GMER 2.2 ----
Thread   C:\WINDOWS\system32\csrss.exe [7812:8120]                                                                                                    fffffc6505056c20
---- Services - GMER 2.2 ----
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )                                                        ... Read more

A:GMER says rootkit all over its log file

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01
Ran by Freedom (administrator) on DESKTOP-3BKBK04 (22-08-2016 09:26:08)
Running from C:\Users\Freedom\Desktop
Loaded Profiles: Freedom (Available Profiles: Freedom)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security\Norton Security\Engine\22.7.1.32\ns.exe
() C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security\Norton Security\Engine\22.7.1.32\ns.exe
(Dashlane, Inc.) C:\Users\Freedom\AppData\Roaming\Dashlane\Dashlane.exe
() C:\Users\Freedom\AppData\Roaming\Dashlane\DashlanePlugin.exe
(AVAST Software) C:\Program Files\AVAST Software\SecureLine\SecureLine.... Read more


Avg tells me that this is the root kit culprit that is killing my processing
"C:\WINDOWS\System32\Drivers\akqmesdq.SYS";"Hidden driver";"Object is hidden"

And I can see the thing on Gmer! and the many many bits of it, but I have no idea how to get rid of it.

Any help would be great..I just reformatted this computer too
 


These definitely don't seem like normal output to me. Been having some connection problems recently as well.
HJT log follows the GMER log -

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-27 11:15:29
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9250320AS rev.DE06
Running: oyo9f5n9.exe; Driver: C:\Users\Damon\AppData\Local\Temp\pxldapog.sys
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A473C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A80D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2660] ntdll.dll!LdrGetProcedureAddress + 26 77422239 7 Bytes JMP 69B10C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2660] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D ... Read more

A:I think I have a rootkit/trojan (GMER log)

Hi DamonToo, welcome to Bleeping Computer.
My name is Jason and I'll be helping you with your computer problems. You can call me by my screenname jntkwx or Jason is fine.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can also help.
Do not run anything while running a fix.
If you don't understand a step, please ask for clarification before continuing with any future steps.
Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.
Please take note:
If you have since resolved the original problem you were having, I would appreciate you letting me know.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics just post what you can and I will guide you.
Please tell me if you have your original Window... Read more


closed

A:GMER found rootkit

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/438680 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


Below is a log from GMER.  I am looking for a rootkit on a user's system.  One may be there, one may not.  Please help!

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-31 14:12:58
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.CXM0 238.47GB
Running: upuwyqeu.exe; Driver: C:\Users\JOEVAN~1\AppData\Local\Temp\kwpirpob.sys
---- Kernel code sections - GMER 2.1 ----
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544  fffff800031f2000 45 bytes [24, B8, 00, 00, 00, 48, 89, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 590  ... Read more

A:Rootkit - GMER - Log reading

I do understand that:
 
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                                                         0000000073ce1a22 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                                                         0000000073ce1ad0 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                                                         0000000073ce1b08 2 bytes [CE, 73]
.text ... Read more


Every time I try and run the GMER Rootkit Scanner, it freezes on \Device\RKSAMPLE0 and the computer freezes; after 15-20 minutes I unplugged the computer to start it up again and tried it again but it's the same thing each time. Is there another program I can run to have you guys read the report to see why my computer is running sooo slow?

Paul Miller

A:Can't use GMER Rootkit Scanner

I hope someone can see something here that I can remove to get things working normal again, sometimes it takes 3-5 minutes for anything to open, my home page, outlook express, even just a folder.
Thank you for any help you can provide.

Paul


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-25 23:58:02
Windows 5.1.2600 Service Pack 3
Running: new program from techsupportforum.com; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwwcafow.sys


---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS The system cannot find the file specified. !
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF8B2B300]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-... Read more


Only thing I can post here is this initial log when gmer opens; when I attempt to run a gmer or dds scan the computer hangs and I have to reset it.
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-07-30 15:45:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 ST3802110A rev.3.AAJ
Running: iexplorer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxadqaod.sys
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xEE786BF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xEE786A5D]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEE7DE398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem ... Read more

A:Nasty Rootkit won't let me run dds,gmer

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
The first thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe after it is complete restart the computer and continue with these steps
Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
Double click on OTL.exe to run it.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Under the Custom Scan box paste this in

%TEMP%\smtmp... Read more


Hello

I did a check on my system with GMER and it says that I have a rootkit-like behaviour on sector 63 and on some other sectors. Am I infected with something? I mention that I have TrueCrypt installed on this system, but this is still very strange. Here is the GMER log. Thanks !

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-10 08:40:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD5000BEVT-22ZAT0 rev.01.01A01
Running: gmer.exe; Driver: C:\DOCUME~1\DANUT0~1\LOCALS~1\Temp\aftiikow.sys
---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 976772912 (+255): rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xA3B587BC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xA3B58A12]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B955AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B955AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP... Read more

A:GMER rootkit-like behavior ?

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Somethings to remember while we are working together.Do not run any other tool untill instructed to do so!Please Do not Attach logs or put in code boxes.Tell me about any problems that have occurred during the fix.Tell me of any other symptoms you may be having as these can help also.Do not run anything while running a fix.We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.In order for me to see the status of the infection I will need a new set of logs to start with.Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

Read other 3 answers
RELEVANCY SCORE 52.4

Hi bleepingcomputer,
I had suspicions that my PC can be infected for some time.
Possibly by someone I know / came in contact with.
After mindlessly wondering and searching for adware and spyware using progs like RogueKiller, TCPView, Process Explorer etc.
and trying to monitor my outgoing/incoming traffic, I scanned my machine with GMER, and to my surprise it told me that there is a system modification caused by ROOTKIT.
Here are some pics.
1. http://imgur.com/JwrMlma
2. http://imgur.com/JEiisrn
Here are some images from TCPView, regarding [system processes] and Remote Addresses to constantly changing hosts/IPs.
http://imgur.com/a/HyyxQ
http://imgur.com/a/6Ta9h
http://imgur.com/a/0oauz
I will appreciate any advice and idea regarding what this means and what to do.
Have logs from GMER regarding that matter.
I'm on Win10.
Thank you in advance.
7
Edit: After running subsequent GMER checks, more infected files pop up, but shortly after the beginning of the scan I get a BSOD with KERNEL SECURITY CHECK FAILURE. http://imgur.com/K3nmnkf
Edit 2: Got past the BSOD to get this on the next scan: http://imgur.com/5eU3k61

A:Rootkit detected through GMER.

Hi helloseven
 
My name is polskamachina and I would like to welcome you the Malware Removal Forum. I will be helping you with your malware issues.
What follows below are some ground rules for this forum.
 
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-8 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.
Some points for you to keep in mind:
Do NOT run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, cause unforeseen damage, or system instability.
Do not attach logs or use code boxes, just copy and paste the text.
I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
NOTE: It is good practice to c... Read more

Read other 20 answers
RELEVANCY SCORE 52.4

These are the results I obtained from a Gmer scan in safe mode. None of these were highlighted in red, btw is the red highlighting an indicator of harmful infection?

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-25 18:16:38
Windows 6.0.6002 Service Pack 2
Running: 9xibzucq.exe
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\002186d2c7c5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\[email protected] 0x0C 0xF1 0xA6 0xAE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186d2c7c5
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0x0C 0xF1 0xA6 0xAE ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\002186d2c7c5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\S... Read more

A:Is Gmer detecting a rootkit?

Read other 6 answers
RELEVANCY SCORE 52.4

Hello
 
I suspect my entire home network is infected. Currently having problems with another computer as well. I ran a GMER scan and a Farbar scan on this PC and posted the logs below. GMER picked up rootkit activity. Posted two logs, the GMER log and the FRST log.
Grateful for your help.
 
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by Priit (administrator) on PRIIDU-SAMSA (07-09-2016 10:48:07)
Running from C:\Users\Priit\Documents\fox
Loaded Profiles: Priit (Available Profiles: Priit & Administrator)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
(Microsoft Corporation) C:\P... Read more

A:GMER detected a rootkit

Welcome to Bleeping Computer's Malware Removal Logs area. My name is Sintharius. I will assist you with your problem.
Please allow me some time to review your logs with my instructor and I will be back with instructions.
Can you describe exactly what problems you are having with your computers? Additional details would be greatly appreciated.
Also please post the Addition.txt that comes with FRST.txt the first time FRST is run.

Read other 0 answers
RELEVANCY SCORE 52.4

I posted here the other day to get help about "something" that is badly affecting my laptop. I suspect it is the Seneka rootkit thing.

Instructions were given to me in the other thread I made and I have tried to follow them to the letter but whenever I try and run GMER Rootkit Scanner the laptop bluescreens and crashes.

I was able to run dds and get those logs but have now tried to run GMER Rootkit Scanner 5 times with no success.

It has even been an effort to try and post here because my browser keeps wanting to redirect me to ad sites

What do I do next if I can't run GMER Rootkit Scanner?

Bump

I received some advice in a PM that indicated I should post my dds.txt file as a starting point. So here it is.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 18:07:25.05 on Wed 29/09/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.61.1033.18.1015.332 [GMT 10:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k s... Read more

A:Can't run GMER Rootkit Scanner

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------
Please download Rootkit Unhooker and save it to your desktop.
Right-click RKUnhookerLE.exe and choose 'Run as administrator'.
Click the Report tab, then click Scan
Check Drivers and Stealth Code, Files, and Code Hooks
Uncheck the rest, then click OK
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
Wait till the scanner has finished then go File > Save Report
Save the report somewhere you can find it. Click Close then Yes
Copy the entire contents of the report and paste it in your next reply.
Note: If you get a message 'Rootkit Unhooker has detected parasite inside itself!
It is recommended to remove parasite, okay?', click Okay

------------------------------------------------------

Read other 19 answers
RELEVANCY SCORE 52.4

Greetings!
 
Last night during a routine scan with GMER, in the first minute when GMER initializes, the very first line stated a possible rootkit.
 
Note that RogueKiller x64 has been flagging a few files/registry entries as orange in the past week or so too. Some disappeared during the last RogueKiller version update, so apparently they were false positives that have been whitelisted.
 
I have Avast Free installed, Malwarebytes full installed, and use various others to keep the system clean.
 
Seeking assistance to run other software to identify and fix the problem, or to feel assured that it is nothing.
 
Thank you,
 
Bill
 
 

A:GMER Identified Possible Rootkit

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully:
My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Please run a FRST scan. This will help us diagnose your problem. Please download Farbar Recovery... Read more

Read other 16 answers
RELEVANCY SCORE 52.4

Hello

I did a check on my system with GMER and it says that I have a rootkit-like behaviour on sector 63 and on some other sectors. Am I infected with something? I mention that I have TrueCrypt installed on this system, but this is still very strange. Here is the GMER log. Thanks !

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-10 08:40:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD5000BEVT-22ZAT0 rev.01.01A01
Running: gmer.exe; Driver: C:\DOCUME~1\DANUT0~1\LOCALS~1\Temp\aftiikow.sys
---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 976772912 (+255): rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xA3B587BC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xA3B58A12]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B955AB... Read more

A:GMER rootkit-like behavior ?

Hello dubteam2000,
I've read your post, and from the description you give and the log you posted, I *think* you can relax. BUT... to be sure I'd like to ask if you've had any problems that lead you to believe you have malware anywhere on your computer? I'd like to see a DDS log as well. Directions for it are here: http://www.bleepingcomputer.com/forums/topic34773.html
Thanks,
tea

Read other 2 answers
RELEVANCY SCORE 52.4

Hi, my computer shows me strange errors and blue screen errors, and after scanning my PC with GMER it tells me that my PC is infected by a rootkit.
Sometimes, when I use some program or some antispyware like SuperAntiSpyware etc., Windows shows me a message in the task bar: "...the file is corrupted. The file or directory is corrupted or unreadable. Please run the Chkdsk utility." For example I made a scan with GMER and it showed me the same message: "Gmer.exe is corrupted. Please........" I made a scan with ComboFix and the message tells me "Prev.exe is corrupted. File or directory c:\$mft is corrupted or unreadable. Please run the Chkdsk utility." and so on.... and sometimes some blue screen errors appear.
So now I made some scans and attached the logs:
1) Scanning with Malwarebytes (it didn't find anything)
2) Scanning with Random's System Information Tool by random/random
3) Scanning with GMER
4) Scanning with DDS
5) Scanning with ComboFix
I will send you the logs of ComboFix and GMER when you tell me, because at the moment the forum doesn't allow me to upload any other file.
I hope to hear from you soon.

A:Gmer tell i'm infected by rootkit

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Read other 11 answers
RELEVANCY SCORE 52.4

I scanned with GMER Today and found this
 
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-02 19:02:33
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000038 ST1000DM003-1ER162 rev.CC46 931.51GB
Running: gmer.exe; Driver: C:\Users\AJ\AppData\Local\Temp\kwrcrpow.sys
 
 
---- Threads - GMER 2.2 ----
 
Thread   C:\WINDOWS\system32\csrss.exe [7664:8908]                                                                                      fffffb494b596c20
Thread    [6480:5972]                                                                                                                   0000000063d401c7
Thread    [6480:1540]                                                                                      ... Read more

A:GMER Detected A rootkit...

Hi HYTTIOAOA,
My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
If yo... Read more

Read other 0 answers
RELEVANCY SCORE 52

Dell, Windows 7 Home Premium 64-bit. Rkill finds several symptoms of the ZeroAccess rootkit. Your site has the McAfee ZeroAccess rootkit removal tool, but it scans for trojans and finds nothing. Help!

A:Rkill finds zeroaccess rootkit, but scan tool does not find to remove

I thought I'd add the Rkill result page.
 
Rkill 2.6.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 01/13/2014 10:29:54 AM in x64 mode.
Windows Version: Windows 7 Home Premium
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html
 * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\L\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\L\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\L\6715e287 [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7... Read more

Read other 5 answers
RELEVANCY SCORE 52

Hi

I'm using Windows XP Home.

I had an infection a year or so back that I thought had been solved by a combination of AVGfree (which had let something through in the first place!), Avast, Adaware, Spybot S&D and Malwarebytes. Once I thought I was free of viruses, I uninstalled AVG and Malwarebytes so I was just using Avast.

I've been doing regular scans and updating antivirus regularly.

Last month, the Avast Outlook plug-in kept freezing outlook when I was sent any spam email containing a virus - so I had to control/alt/delete to close Outlook and try again, and eventually would receive all the emails.

Yesterday I installed AVGFree 2011 & uninstalled Avast. Today I did my first anti-rootkit scan, and it tells me it finds "0 rootkits" but there are 8 files listed as "object is hidden".

Are these files safe to delete via AVGFree 2011, or could it prevent my computer from working?

Thanks in advance for your assistance.

My AVGFree log is as follows:

"";"\WINDOWS2\System32\Drivers\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Object is hidden"
"";"\WINDOWS2\System32\Drivers\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"Object is hidden"
"";"\WINDOWS2... Read more

A:AVGfree rootkit scan finds 0 rootkits but 8 "infected" hidden objects?

Those hidden objects all refer to vital Microsoft device drivers for motherboard components:

The first six items refer to the file PCIIDEX.SYS which is the PCI IDE Bus Driver Extension.
The last item refers to the file CLASSPNP.SYS which is the SCSI Class System Dynamic Link Library.

Both files are built into Windows and are essential - Do not delete!

Read other 3 answers
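The two hook reports above (the GMER SSDT lines attributed to cmdguard.sys, and the AVG "Object is hidden" IRP hooks that the answer traces to PCIIDEX.SYS and CLASSPNP.SYS) can be triaged the same way: find the module that owns each hook and check whether something the user knows is installed explains it. The following is an added example, not code from any post on this page; the inbox-driver set, the installed-driver set and the placeholder driver name are assumptions made for the example.

```python
"""Attribute anti-rootkit hook findings to the module that owns them.

Added example, not code from any post on this page. It parses GMER 'SSDT'
lines and AVG anti-rootkit CSV lines into one record shape, then sorts each
hook into 'explained' (owning module is a Windows inbox driver or the driver
of a security product the user knows is installed) or 'review' (everything
else). The module sets and the placeholder driver name are assumptions made
for this example, not a vendor whitelist.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hook:
    source: str   # scanner that reported the hook
    kind: str     # "SSDT" (system call table) or "IRP" (driver dispatch)
    target: str   # hooked system call, or "<driver> <IRP major function>"
    module: str   # lower-case basename of the module the hook points into


# GMER:  SSDT <path> (<description>) <function> [<address>]
GMER_SSDT = re.compile(
    r"^SSDT\s+(?P<path>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
# AVG third field:  IRP hook, \Driver\<name> IRP_MJ_<x> -> <module> <symbol>+<offset>
AVG_IRP = re.compile(r"IRP hook, (?P<driver>\\Driver\\\w+) (?P<irp>IRP_MJ_\w+) -> (?P<module>[\w.]+)")

# Assumption: a minimal set of Windows inbox storage drivers, enough for the sample.
WINDOWS_INBOX = {"pciidex.sys", "classpnp.sys"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text: str) -> list[Hook]:
    """Extract SSDT hook lines from a GMER log; other sections are ignored."""
    hooks = []
    for line in text.splitlines():
        m = GMER_SSDT.match(line.strip())
        if m:
            hooks.append(Hook("gmer", "SSDT", m["func"], basename(m["path"])))
    return hooks


def parse_avg(text: str) -> list[Hook]:
    """Extract IRP hooks from AVG lines shaped "";"<file>";"<detail>";"<status>"."""
    hooks = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) < 4:
            continue  # blank line or not an AVG finding
        m = AVG_IRP.search(row[2])
        if m:
            hooks.append(Hook("avg", "IRP", f"{m['driver']} {m['irp']}", m["module"].lower()))
    return hooks


def triage(hooks: list[Hook], installed_drivers: set[str]) -> tuple[list[Hook], list[Hook]]:
    """Split hooks into (explained, review) by the module that owns the hook target."""
    explained, review = [], []
    for h in hooks:
        (explained if h.module in WINDOWS_INBOX or h.module in installed_drivers else review).append(h)
    return explained, review


# Constructed sample input: the lines quoted in the logs on this page, plus one
# placeholder SSDT line with an invented driver name to exercise the review path.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xA3B587BC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xA3B58A12]
SSDT \SystemRoot\System32\DRIVERS\placeholder_unknown.sys (constructed placeholder) ZwCreateFile [0x00000000]
"""
AVG_SAMPLE = r'''
"";"\WINDOWS2\System32\Drivers\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Object is hidden"
"";"\WINDOWS2\System32\Drivers\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"Object is hidden"
'''

if __name__ == "__main__":
    # The GMER line itself names cmdguard.sys as COMODO's driver; a user who has
    # COMODO installed can therefore list it as an expected hook owner.
    explained, review = triage(parse_gmer(GMER_SAMPLE) + parse_avg(AVG_SAMPLE), {"cmdguard.sys"})
    for h in explained:
        print(f"explained  {h.source:4} {h.kind:4} {h.target:<50} -> {h.module}")
    for h in review:
        print(f"REVIEW     {h.source:4} {h.kind:4} {h.target:<50} -> {h.module}")
```

A hook landing in the review list is not a verdict, only the item to hand to the helper with the full log; a hook owned by an inbox driver is the case the AVG answer describes, where deleting the file would break the system.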
RELEVANCY SCORE 52

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
STEP 1
 
 
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the remo... Read more

A:Rkill finds zeroaccess rootkit, but scan tool does not find to remove

Thank you, I am running them now.

Read other 11 answers