Several Weird Things Happening, Possible Virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jrasicmark, Jan 14, 2018.

  1. jrasicmark

    jrasicmark Private First Class

    My PC has been running very slow and I got an error message that said there was not enough memory to run Windows Explorer. I hadn't opened any software yet, so I opened Task Manager to see if I had any suspicious processes running, but I don't really know enough to know what to look for. But I stopped some Adobe and Amazon music processes I didn't think I needed and then my wallpaper disappeared and the system rebooted to a blue screen (I wasn't able to read the message before it rebooted again). So I rebooted to safe mode and ran the READ ME FIRST virus checks.

    Also I'm not sure if these might be connected to any virus, but it's weird so:
    My speaker has been randomly emitting ear-piercing beeps
    When I visit YouTube using Chrome or Firefox sound will sometimes not work even though it works in other software
    I've had to discontinue my subscription to Adobe Creative Cloud to save money, but I'm having trouble uninstalling 2 apps in the suite. I keep getting a message that the Creative Cloud app needs repair, but selecting repair doesn't seem to help. I've tried uninstalling from Windows' Control Panel as well as from the Creative Cloud app, and I can't uninstall Dreamweaver or Flash.

    I couldn't see an option or button to export the Hitman report, so I took a screenshot of the results it found which I will upload with the other reports.
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First, reopen RogueKiller and remove these items:

    ¤¤¤ Registry : 6 ¤¤¤
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswArKrn (\??\C:\Users\dispatch\AppData\Local\Temp\aswArKrn.sys) -> Found
    [Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Partizan (system32\drivers\Partizan.sys) -> Found
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswArKrn (\??\C:\Users\dispatch\AppData\Local\Temp\aswArKrn.sys) -> Found
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aswArKrn (\??\C:\Users\dispatch\AppData\Local\Temp\aswArKrn.sys) -> Found

    ¤¤¤ Tasks : 1 ¤¤¤
    [Suspicious.Path] \Amazon Music Helper -- C:\Users\dispatch\AppData\Local\Amazon Music\Amazon Music Helper.exe -> Found

    ¤¤¤ Antirootkit : 47 (Driver: Loaded) ¤¤¤
    [SSDT:Addr(Hook.SSDT)] ZwAlertResumeThread[13] : Unknown @ 0xffffffff879943d8
    [SSDT:Addr(Hook.SSDT)] ZwAlertThread[14] : Unknown @ 0xffffffff87994470
    [SSDT:Addr(Hook.SSDT)] ZwAllocateVirtualMemory[19] : Unknown @ 0xffffffff872c6290
    [SSDT:Addr(Hook.SSDT)] ZwAlpcConnectPort[22] : Unknown @ 0xffffffff870772e8
    [SSDT:Addr(Hook.SSDT)] ZwAssignProcessToJobObject[43] : Unknown @ 0xffffffff87a1a600
    [SSDT:Addr(Hook.SSDT)] ZwCreateMutant[74] : Unknown @ 0xffffffff87994200
    [SSDT:Addr(Hook.SSDT)] ZwCreateSymbolicLinkObject[86] : Unknown @ 0xffffffff87a1a3f8
    [SSDT:Addr(Hook.SSDT)] ZwCreateThread[87] : Unknown @ 0xffffffff872c52c8
    [SSDT:Addr(Hook.SSDT)] ZwCreateThreadEx[88] : Unknown @ 0xffffffff87a1a4a0
    [SSDT:Addr(Hook.SSDT)] ZwDebugActiveProcess[96] : Unknown @ 0xffffffff87a1a698
    [SSDT:Inl(Hook.SSDT)] ZwDeleteAtom[99] : C:\Windows\System32\win32k.sys @ 0xffffffffa1ef8340 (call dword [0x8316fd14])
    [SSDT:Addr(Hook.SSDT)] ZwDuplicateObject[111] : Unknown @ 0xffffffff872c63b0
    [SSDT:Inl(Hook.SSDT)] ZwFlushWriteBuffer[129] : C:\Windows\System32\halmacpi.dll @ 0xffffffff83019468 (call dword [0x830450b4])
    [SSDT:Addr(Hook.SSDT)] ZwFreeVirtualMemory[131] : Unknown @ 0xffffffff872c5b08
    [SSDT:Addr(Hook.SSDT)] ZwImpersonateAnonymousToken[145] : Unknown @ 0xffffffff879942a8
    [SSDT:Addr(Hook.SSDT)] ZwImpersonateThread[147] : Unknown @ 0xffffffff87994340
    [SSDT:Addr(Hook.SSDT)] ZwLoadDriver[155] : Unknown @ 0xffffffff870e4698
    [SSDT:Addr(Hook.SSDT)] ZwMapViewOfSection[168] : Unknown @ 0xffffffff872c5a50
    [SSDT:Addr(Hook.SSDT)] ZwOpenEvent[177] : Unknown @ 0xffffffff87994168
    [SSDT:Addr(Hook.SSDT)] ZwOpenProcess[190] : Unknown @ 0xffffffff872c5200
    [SSDT:Addr(Hook.SSDT)] ZwOpenProcessToken[191] : Unknown @ 0xffffffff872c6338
    [SSDT:Addr(Hook.SSDT)] ZwOpenSection[194] : Unknown @ 0xffffffff87994038
    [SSDT:Addr(Hook.SSDT)] ZwOpenThread[198] : Unknown @ 0xffffffff87408170
    [SSDT:Addr(Hook.SSDT)] ZwProtectVirtualMemory[215] : Unknown @ 0xffffffff87a1a558
    [SSDT:Addr(Hook.SSDT)] ZwQueueApcThread[269] : Unknown @ 0xffffffff87a1a350
    [SSDT:Addr(Hook.SSDT)] ZwQueueApcThreadEx[270] : Unknown @ 0xffffffff87a1a2a8
    [SSDT:Addr(Hook.SSDT)] ZwReadVirtualMemory[277] : Unknown @ 0xffffffff87a1a200
    [SSDT:Addr(Hook.SSDT)] ZwResumeThread[304] : Unknown @ 0xffffffff87994508
    [SSDT:Addr(Hook.SSDT)] ZwSetContextThread[316] : Unknown @ 0xffffffff872c5878
    [SSDT:Addr(Hook.SSDT)] ZwSetInformationProcess[333] : Unknown @ 0xffffffff872c5910
    [SSDT:Addr(Hook.SSDT)] ZwSetSystemInformation[350] : Unknown @ 0xffffffff87a1a730
    [SSDT:Addr(Hook.SSDT)] ZwSuspendProcess[366] : Unknown @ 0xffffffff879940d0
    [SSDT:Addr(Hook.SSDT)] ZwSuspendThread[367] : Unknown @ 0xffffffff872c5748
    [SSDT:Addr(Hook.SSDT)] ZwTerminateProcess[370] : Unknown @ 0xffffffff872bfa90
    [SSDT:Addr(Hook.SSDT)] ZwTerminateThread[371] : Unknown @ 0xffffffff872c57e0
    [SSDT:Addr(Hook.SSDT)] ZwUnmapViewOfSection[385] : Unknown @ 0xffffffff872c59b8
    [SSDT:Addr(Hook.SSDT)] ZwWriteVirtualMemory[399] : Unknown @ 0xffffffff872c5bb0
    [ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0xffffffff883a0140
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0xffffffff883d03a0
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0xffffffff8838a240
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0xffffffff883f5098
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0xffffffff883f50d0
    [ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0xffffffff883e8390
    [ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0xffffffff883a2390
    [ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0xffffffff883a2308
    [ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0xffffffff883a0360
    [ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0xffffffff884110b0

    Next, use file explorer to find the two items in Hitman and delete them.

    Reboot into normal mode and rescan with both RogueKiller and Hitman ( once Hitman finishes scanning, click on next).
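The Antirootkit section of the RogueKiller report above is tedious to read by hand, and the thread later concludes these entries were false positives. As an added example (not from the thread and not RogueKiller's own code), here is a small Python parser for that line format that groups hooked functions by owning module and splits the "Unknown" owners by 64 KiB address region, a quick way to estimate how many distinct drivers installed the hooks before comparing that against the security products known to be on the machine. The sample log is constructed in the same format as the report.

```python
import re
from collections import defaultdict

# Constructed sample in the Antirootkit line format RogueKiller printed in the
# thread (a few representative lines; addresses are illustrative only).
SAMPLE_LOG = """\
¤¤¤ Antirootkit : 5 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] ZwAllocateVirtualMemory[19] : Unknown @ 0xffffffff872c6290
[SSDT:Inl(Hook.SSDT)] ZwDeleteAtom[99] : C:\\Windows\\System32\\win32k.sys @ 0xffffffffa1ef8340 (call dword [0x8316fd14])
[SSDT:Addr(Hook.SSDT)] ZwOpenProcess[190] : Unknown @ 0xffffffff872c5200
[SSDT:Addr(Hook.SSDT)] ZwLoadDriver[155] : Unknown @ 0xffffffff870e4698
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0xffffffff883d03a0
"""

# One hook entry: [table:kind(tag)] Func[index] : owner @ 0xaddr [optional extra]
LINE_RE = re.compile(
    r"^\[(?P<table>SSDT|ShwSSDT):(?P<kind>Addr|Inl)\((?P<tag>[^)]+)\)\]\s+"
    r"(?P<func>\w+)\[(?P<index>\d+)\]\s+:\s+(?P<owner>.+?)\s+@\s+(?P<addr>0x[0-9a-fA-F]+)"
)

def parse_hooks(text):
    """Return one dict per hook line; the header and unrelated lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["index"] = int(h["index"])
            h["addr"] = int(h["addr"], 16)
            hooks.append(h)
    return hooks

def summarize(hooks):
    """Group hooked functions by owner; 'Unknown' owners are split by 64 KiB
    address region (addr >> 16), since hooks in one region are very likely
    installed by one driver."""
    groups = defaultdict(list)
    for h in hooks:
        key = h["owner"]
        if key == "Unknown":
            key = f"Unknown region 0x{h['addr'] >> 16:x}0000"
        groups[key].append(h["func"])
    return dict(groups)

def triage(hooks):
    """Counts a responder wants first: total hooks, hooks with no named owner,
    and the number of distinct unknown regions (roughly, distinct drivers)."""
    unknown = [h for h in hooks if h["owner"] == "Unknown"]
    regions = {h["addr"] >> 16 for h in unknown}
    return {"total": len(hooks), "unknown": len(unknown),
            "unknown_regions": len(regions)}
```

Run `summarize(parse_hooks(log_text))` on a pasted Antirootkit section; a handful of unknown regions that all line up with one installed anti-malware driver is the usual false-positive picture, while regions with no plausible owner are what merit a GMER or FRST follow-up.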
     
  3. jrasicmark

    jrasicmark Private First Class

    Thanks very much. One problem, though: everything listed under AntiRootKit above says it can't be removed when I select it in RogueKiller.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download GMER and save it to your desktop:
    • Unzip (extract) it to your desktop.
    • Disconnect from Internet and close all running programs.
    • There is a small chance this application may crash your computer so save any work you have open.
    • Double-click gmer.exe to run it.
    • Let the gmer.sys driver load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
    • Click the Rootkit tab.
    • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Then click the Scan button. Wait for the scan to finish.
    • Once done, click the Copy button.
    • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Attach this log to your next reply.
    NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.
     
  5. jrasicmark

    jrasicmark Private First Class

    Thanks. Here is the GMER report.
    Hitman didn't find anything this time.
     

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That log looks good. Just to be sure:

    Please download the latest version of FRST from the below link.
    Farbar Recovery Scan Tool and save it to your Desktop.


    Note: Make sure you download the proper version ( 32 bit or 64 bit ) for your PC. Only one will run, the correct one. So if you make a mistake and download the wrong one, go back and get the other.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
     
  7. jrasicmark

    jrasicmark Private First Class

    Here you go.
     

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Clean....what malware issues are you still having, if any?
     
  9. jrasicmark

    jrasicmark Private First Class

    Really? What about all the rootkits that RogueKiller found but it couldn't delete? Did GMER or Farbar get rid of them?

    As for issues (not sure if it's malware related), it still takes an unusually long time to reboot and when it does reboot, it also seems to take longer for the desktop shortcuts' icons to appear.

    In fact, several of my desktop shortcuts are now missing their icons. I was able to get one back by going to the Control Panel and selecting "repair" instead of "uninstall". But when I double click the rest that have missing icons, it says the programs are missing. I looked in the programs folder, and it's true, the .exe files for them are gone. Sometimes, the whole folder is gone.

    The Adobe Creative Cloud app just gives me a blue spinning wheel when I try to load the apps to uninstall them.

    Also, I'm pretty sure 7zip used to have its own context menu option, which seemed to be gone when I tried to use it to unstuff GMER.

    Finally, while looking for missing software in the programs folder, I noticed something suspicious. There's a faded folder in there (so I guess it was meant to be hidden from me) called "InstallJammerRegistry". Is that supposed to be in there?

    That's everything I've noticed so far.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    InstallJammer is a Microsoft Windows-style installer creator written in Tcl which creates self-extracting files that display an installation wizard.

    Since neither GMER nor Farbar found the items from RogueKiller, I have reported the issue to the creators as false positives.

    Your other issues need to be addressed in the software forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8 or 10, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 or 10 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
     
  11. jrasicmark

    jrasicmark Private First Class

    Okay, thanks.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome. Good luck. :)
     