Possible Rootkit Infection

I am running Windows 8.1 Update 1 and have been noticing a number of small glitches that have made me wonder if something is going wrong.

  1. My webcam infrequently turns on and off on random occasions when I have no applications that access the camera open. I originally attributed that to some glitchy anti-theft software I run (Prey Anti-Theft) which has the functionality to take photos of a thief in the background when activated - although I have not activated it.

  2. I run a Samsung 840 Pro SSD - my computer flies and rarely ever has any hiccups. Recently simple tasks such as browsing in Chrome will freeze up, which never happens.

  3. This may be completely unrelated (and probably is) - but I have these really weird font issues, which have just recently “infected” Chrome. See http://answers.microsoft.com/en-us/windows/forum/windows8_1-desktop/fonts-squished-and-bold/b3f9c93a-2fb1-4422-bd40-3f9a1601a433 I followed the steps marked in the “Answer” but it still didn’t work. (I never even marked that as the answer.)

I run Avast Anti-Virus and have never had any problems. I decided to run a rootkit scan. I ran the Malwarebytes Rootkit Scan - it found nothing. I ran the Sophos Virus Scan and it also found nothing.

Then I decided to try GMER. Upon opening it it gave me the following error message:
“C:\WINDOWS\system32\config\system: The process cannot access the file because it is being used by another process.”. After clicking “OK.” GMER promptly crashes without allowing me to perform a scan.

I tried re-booting my computer. While shutting it down an error message came up on the shutdown screen that said something about an error in address space 0x0000 in Explorer.exe. I have never noticed this before. On subsequent reboots the error message did not reappear.

GMER still crashed after the reboot.

I tried booting into Safe Mode and ran GMER again. It gave me the same error message as above (“The process cannot access the file…”) but did not crash this time. I managed to run a scan and this is what the log contains:

File Attached

I’m not sure if that indicates a clean computer or an infected one, but maybe someone could help me out.

UPDATE: I just tried running GMER out of safe mode. It crashed like normal the first time with the error message. The second time it just displayed the error message but did not crash. I did a new scan and here’s the log for that one:

File Attached

Again if anyone could help me interpret these that would be great.

Thanks tons!

Andrew

https://forum.avast.com/index.php?topic=53253.0

What other logs do you think would help with this?

Andrew

Hello,

The GMER utility is for kernel-code (and user-code) rootkit-based malware only. The primary diagnostic tool is Farbar Recovery Scan Tool, or FRST. This is a smart and powerful app that works at the user-code level. In short, kernel code is the system core, driver level only. User code is the application level.

GMER does not show any malware on board. The “Unknown MBR” entries in the logs are there because Win 8.1.1 is not configured with an MBR but with GPT.
Use Google for the terms …

If you want a system check, I shall need the FRST logs to check the system for any form of malware presence. We still need to check whether there is any bootkit active or any form of virus, spyware, worm, Trojan, adware, etc.

Ok, thanks! Attached are the two files FRST saved.

Andrew

Hello,

I see you have run aswMBR, the ARK tool by Avast/GMER. Can you attach that log as well if you have it?

Tell me how is the computer running after these fixes?

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
File: C:\WINDOWS\Setup1.exe
File: C:\WINDOWS\ST6UNST.EXE
HKLM-x32\...\Run: [] => [X]
GroupPolicyUsers\S-1-5-21-2065677315-378812653-3584681572-1001\User: Group Policy restriction detected <======= ATTENTION
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
CHR HomePage: Default -> 0F8ABB0F00404033AFA3C7C9DCB50B1D6535E004838BCD66B35FA13CBC745692
CHR DefaultSearchKeyword: Default -> D1A1BFE6414F24AA50D2089193175661B865563AB6A5549FB1C1FB77A8B715C2
CHR DefaultSearchProvider: Default -> D61B7D33397D52E7EDE641FECB1EF55905E9A4DB5671EE0D1D942078A2EECAE0
CHR DefaultSearchURL: Default -> 6FC521AC12E3D2666C2CB44C9C23C28B59D174E4FB1447AF94B4ABEE0A58BE28
U3 aswMBR; \??\C:\Users\Andrew\AppData\Local\Temp\aswMBR.sys [X]
AlternateDataStreams: C:\Users\Andrew\AppData\Local\qm3iJz6gc4Dkl:UMvJ9pZi5NMpX87LsGqXF
EmptyTemp:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
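As an added example (not part of the original thread, not a Farbar or Avast tool, and not something the helper asked for), the following read-only PowerShell script checks the items the fixlist above targets, so the state of each can be recorded before the fix and confirmed after it. The file paths, toolbar CLSIDs, user SID, driver service name and alternate-data-stream name are the ones that appear in the fixlist; the checks on the partition style and on the SYSTEM hive file are my own additions. They relate to two points raised in the thread: GPT rather than MBR disks explain GMER's "Unknown MBR" lines, and the sharing-violation error GMER printed names the active SYSTEM registry hive, which the kernel holds open for as long as Windows is running, so that message by itself is not evidence of a rootkit. The hashed CHR entries are opaque values and are not interpreted here. Run it from an elevated prompt; nothing in it deletes or modifies anything.

```powershell
# Added example: read-only verification of the FRST fixlist items above.
# Assumed: Windows 8.1 (PowerShell 4.0 or later), elevated prompt.
# Nothing here deletes anything; each check prints one line per item.

# 1. Leftover files named in the fixlist: present or not, and whether
#    they carry a valid Authenticode signature.
foreach ($f in 'C:\WINDOWS\Setup1.exe', 'C:\WINDOWS\ST6UNST.EXE') {
    if (Test-Path -LiteralPath $f) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        '{0}: present, signature {1}' -f $f, $sig.Status
    } else {
        '{0}: absent' -f $f
    }
}

# 2. Toolbar CLSIDs FRST flagged as "No File": the value is still listed
#    under the IE Toolbar key, but the COM server DLL it refers to is gone.
$toolbarKeys = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
$clsidRoots  = 'HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
foreach ($clsid in '{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}',
                   '{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F}') {
    $registered = foreach ($k in $toolbarKeys) {
        $key = Get-Item -Path $k -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $clsid)) { $k }
    }
    $dll = $null
    foreach ($root in $clsidRoots) {
        $srv = Get-ItemProperty -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { $dll = $srv.'(default)'; break }
    }
    if (-not $dll) {
        $fileState = 'no InprocServer32 registration'
    } else {
        $path = [Environment]::ExpandEnvironmentVariables(($dll -replace '"', ''))
        $fileState = if (Test-Path -LiteralPath $path) { "file present: $path" } else { "file missing: $path" }
    }
    $entryState = if ($registered) { 'present' } else { 'absent' }
    '{0}: toolbar entry {1}, {2}' -f $clsid, $entryState, $fileState
}

# 3. Per-user local Group Policy object that FRST reported as a restriction.
$sid    = 'S-1-5-21-2065677315-378812653-3584681572-1001'
$gpUser = Join-Path $env:windir "System32\GroupPolicyUsers\$sid\User"
if (Test-Path -LiteralPath $gpUser) {
    'Per-user local GPO folder present for {0}:' -f $sid
    Get-ChildItem -LiteralPath $gpUser -Recurse -File | ForEach-Object { '    ' + $_.FullName }
} else {
    'No per-user local GPO folder for {0}' -f $sid
}

# 4. Driver service entry left behind by aswMBR (its .sys lived in %TEMP%).
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\aswMBR' -ErrorAction SilentlyContinue
if ($svc) {
    $img = $svc.ImagePath -replace '^\\\?\?\\', ''   # strip the \??\ NT prefix
    $imgState = if (Test-Path -LiteralPath $img) { 'file present' } else { 'file missing' }
    'aswMBR service key present: Start={0} Type={1} ImagePath={2} ({3})' -f $svc.Start, $svc.Type, $svc.ImagePath, $imgState
} else {
    'aswMBR service key absent'
}

# 5. Alternate data stream named in the fixlist: list all streams on the
#    object and dump the first bytes of the flagged one.
$adsFile = 'C:\Users\Andrew\AppData\Local\qm3iJz6gc4Dkl'
$adsName = 'UMvJ9pZi5NMpX87LsGqXF'
if (Test-Path -LiteralPath $adsFile) {
    Get-Item -LiteralPath $adsFile -Stream * | ForEach-Object {
        '{0} stream {1}: {2} bytes' -f $adsFile, $_.Stream, $_.Length
    }
    $bytes = Get-Content -LiteralPath $adsFile -Stream $adsName -Encoding Byte -ReadCount 0 -ErrorAction SilentlyContinue
    if ($bytes) {
        $hex = ($bytes | Select-Object -First 16 | ForEach-Object { $_.ToString('X2') }) -join ' '
        'First bytes of {0}: {1}' -f $adsName, $hex
    }
} else {
    '{0}: absent' -f $adsFile
}

# 6. Partition style: a GPT disk has no classic MBR for GMER to recognise,
#    which is the helper's explanation of the "Unknown MBR" lines.
Get-Disk | ForEach-Object { 'Disk {0} ({1}): {2}' -f $_.Number, $_.FriendlyName, $_.PartitionStyle }

# 7. The file GMER complained about is the live SYSTEM hive. The kernel keeps
#    it open without sharing, so a user-mode open fails on every running
#    Windows system; the failure is expected, not a rootkit indicator.
$hive = Join-Path $env:windir 'System32\config\SYSTEM'
try {
    $fs = [System.IO.File]::Open($hive, 'Open', 'Read', 'ReadWrite')
    $fs.Close()
    '{0}: opened (unexpected on a running system)' -f $hive
} catch {
    '{0}: {1}: {2} (expected: active registry hive)' -f $hive, $_.Exception.GetType().Name, $_.Exception.Message
}
```

Running the script once before the fix and once after it gives a before/after record for the Fixlog to be compared against; items that FRST removed should report as absent on the second run, while the hive-lock and partition-style lines should read the same both times.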

Thanks! I followed the instructions. Everything rebooted and nothing seems to have changed. There wasn’t anything really “wrong” in the first place except chrome would periodically jam and the other issues listed above. The font issue isn’t fixed (although I wouldn’t expect it to be) and the other issues are so infrequent I can’t really say if they are gone or not.

UPDATE: Actually upon opening chrome I got a notification saying something about preferences being corrupted. I don’t recall getting that before.

Also all my taskbar jumplists are purged. (not an issue)

All I really want to know is if I have a Rootkit or not.

Attached is the Fixlog as well as the aswMBR log.

Thanks!

Andrew

Hi,

I do not see any form of malware. This statement stands for rootkit-based malware as well. The FRST tool has cleaned a lot of junk files; your PC should run faster now.

Anyway, you can use Chrome Settings to reset Chrome back to its defaults. The same thing goes for Windows 8.1.1: you can use the Refresh option in the ‘Metro Settings’. Just use Google for more info on these …

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

  - Remove disinfection tools
  - Create registry backup
  - Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

All right, thanks for your help!

Andrew