Possible Rootkit Activity?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shagschain, Dec 4, 2017.

  1. shagschain

    shagschain Private E-2

    Hi Helpful Geek Pals,

    I've been experiencing slow-down for a few months but figured maybe my PC was just getting older but now it looks as if I've gotten some kind of malware. When trying to update MalwareBytes it kept giving me an error that it couldn't install due to possible rootkit activity and I should reboot to try to force update to install. This never worked. I got bluescreened a couple times too. (Examples attached). Additionally my firewalls would randomly shut off, Windows updates wouldn't process, and McAfee would function improperly (firewall turned off, scanning turned off, etc).

    After running all the scans MB was able to update and scan so I hoped it had solved problems but no such luck. I'm still having massive slow-down, but there are new additions. When attempting to wake my computer back up after it's fallen asleep, it'll often go to a completely black screen and stay there until I force shut-down. It did this again just tonight and when I first turned my computer back on (only turned it off for a few seconds) it went to the same black screen. After 20 minutes with no response I turned it off for a longer period, then upon powering up it went to chkdsk (and did find some damage).

    I'm stumped on where to go from here. Any and all help is greatly appreciated. Thanks.

    (I started running through the scans back in July but then was distracted by life and not seeing nearly as many problems. I've attached both old and new scans for those I have, in case they indicate anything. )
     

    Attached Files:

  2. shagschain

    shagschain Private E-2

    More Files.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are all old. Please go back to the Read and Run First instructions.
     
  4. shagschain

    shagschain Private E-2

    I had a screenshot saved of the rootkit error message I kept getting from mbam but apparently it's been deleted somehow, so alas, no visual.
     
  5. shagschain

    shagschain Private E-2

    The newer ones are from 1-2 weeks ago. Is that too old? (As I mentioned, I included old and new logs in case that indicated anything.) I'll start running them again just in case.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes.
     
  7. shagschain

    shagschain Private E-2

    Finally got them to all go through again. I'm getting the Anti-Rootkit message from mbam again so I uploaded a screenshot of that as well, in case it's not a commonly known message.
     

    Attached Files:

  8. shagschain

    shagschain Private E-2

    I think that should be the last of them.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any evidence of a rootkit. However, do rerun Hitman and delete these items:
    Potential Unwanted Programs _________________________________________________

    HKLM\SOFTWARE\Classes\Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\ (Linkey)
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622\ (Linkey)
    HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622\ (Linkey)
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622\ (Linkey)
    HKU\S-1-5-21-2475549740-2089778623-3011127637-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{54739D49-AC03-4C57-9264-C5195596B3A1} (Linkey)

    Then do the same with RogueKiller and delete these items:
    ¤¤¤ Files : 21 ¤¤¤
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.5_41073\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.5_41162\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.8_42449\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.8_42576\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.9_42923\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.9_43295\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.4.9_43388\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.5.0_43580\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.5.0_43804\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.5.0_43916\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe -> Found
    [PUP.uTorrentAds][File] C:\Users\shagschain\AppData\Roaming\uTorrent\updates\3.5.0_44294\utorrentie.exe -> Found

    Reboot and rescan with both Hitman and RogueKiller and attach the new logs.
     
  10. shagschain

    shagschain Private E-2

    Sorry this took so long. My computer kept force restarting when I'd try running the scans so it's been quite the process. There's one utorrent pup that continues to show up and refuses to delete no matter how many times roguekiller finds it and says it'll complete removal upon reboot.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Delete what Hitman found then use this to remove the uTorrent file:

    Please download No Virus to your desktop.

    Use the Add Files button to find and add the files you want to delete. The files will be deleted upon reboot.
     
  12. shagschain

    shagschain Private E-2

    I've tried three separate times to delete the file with no success. It adds to No Virus/Smart File Delete, states it'll delete upon reboot, but then when I reboot (tried a full shut down once) the file is still there.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The uTorrent application is still running from a registry startup item which needs to be removed first.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just the title line of the code box.
    • Make sure that you scroll all the way to the bottom of the code box to get the whole fix!
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\Users\shagschain\AppData\Roaming\uTorrent
    C:\Users\shagschain\AppData\Roaming\Enigma Software Group
    C:\Users\shagschain\Desktop\SpyHunter.lnk
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\SpyHunter4.exe]
    
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved, named by date and time in the form mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now rerun RogueKiller to check if the uTorrent items are gone.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7, Win8 or Win10, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the RogueKiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
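
    Added example, not part of chaslang's instructions or of any MajorGeeks tool: a read-only PowerShell audit of the Run/RunOnce autostart keys that the OTM script above edits. For each entry it reports the executable, whether the file still exists, whether it lives under a profile's AppData folder (as the uTorrent entry did), and whether that executable is currently running, which is the condition that kept the file from being deleted on reboot. The key paths are the standard Windows locations; the function and variable names are this example's own.

```powershell
# Added example (not from the thread): audit Run/RunOnce autostart entries.
# Read-only; it removes nothing.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Bookkeeping properties the registry provider attaches to every item
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutableFromCommand {
    param([string]$Command)
    # A quoted path comes first ("C:\path with spaces\app.exe" /args);
    # otherwise take the first whitespace-delimited token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Get-RunKeyEntries {
    # Paths of running processes, collected once; -contains is case-insensitive.
    $runningPaths = @(Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } | ForEach-Object { $_.Path })

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $command  = [string]$prop.Value
            $exe      = Get-ExecutableFromCommand -Command $command
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $command
                Executable = $expanded
                # Guard against an empty command before touching the file system
                Exists     = ($expanded -ne '') -and
                             (Test-Path -LiteralPath $expanded -PathType Leaf)
                InAppData  = $expanded -match '\\AppData\\'
                Running    = $runningPaths -contains $expanded
            }
        }
    }
}

# Entries launched from AppData are listed first, since that is where
# user-installed software and its leftovers usually sit.
Get-RunKeyEntries |
    Sort-Object -Property @{ Expression = 'InAppData'; Descending = $true }, Key, Name |
    Format-Table -AutoSize
```

    Run it from an elevated PowerShell so the HKLM keys and all process paths are readable. An entry that shows Running = True with an executable under AppData is exactly the situation in this thread: the file cannot be deleted while the process holds it, so the startup value has to go first (the thread's OTM fix does this with "uTorrent"=- under the HKCU Run key; the PowerShell equivalent for a confirmed entry is Remove-ItemProperty -Path $key -Name 'uTorrent'), then the process is stopped and the file removed on the next reboot.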
     
  14. shagschain

    shagschain Private E-2

    That got that last item, hopefully. Still having problems with the computer crashing when I try to run RogueKiller or Hitman Pro, but those may be unrelated issues. Here are most of the requested logs; for some reason I am unable to find any directory leading to OTM. I was able to run the program but unable to locate the log. It didn't populate in notepad on my reboot and I can't find it saved elsewhere.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. If you are still having issues, please post in the software forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8 or 10, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8 or 10, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
     
  16. shagschain

    shagschain Private E-2

    Wonderful. Thank you so much for all your assistance.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are very welcome.
     
