I’m in the middle of a thorough scan of the C:\ drive with GMER 1.0.15.15641 and saw a listed file named ssuhop.sys, which is a driver; moreover, this file can’t be found on the hard disk. Has anyone ever dealt with that driver? Google found nothing about this driver, so I suspect this file to be an unknown rootkit driver.
Can you post the GMER log?
So it looks like this:
After the scan finished, GMER found two files that were suspicious, probably rootkit. I made a dump of these two and uploaded them to Comodo using the upload manager in CIS. I also scanned these two using Jotti’s scanner, VirusTotal and VirScan.org, but the files were treated as clean.
The Comodo scan also didn’t find anything, nor did Malwarebytes Anti-Malware or the PrevX Free scan. Hitman Pro also didn’t find anything, but after completing the scan I got a BSOD, triggered by pxrts.sys, which is a PrevX driver. Because of the BSOD I didn’t save the scan log.
I’m scanning one more time now…
Did you try CCE - Autorun Analyzer? Check the Driver section to see if it is shown there and whether there is any info about it.
Repeated the scan with GMER and it found nothing this time.
Yes, but it didn’t find a thing. But thanks for the help; I’m going to try again and find the problem.
Please try boot CDs like Dr.Web or Kaspersky etc. to scan your system ‘offline’.
Yeah, I know, I’ve already used Kaspersky Rescue Disk 10 (through a USB key) and it found nothing. So if these two files I found earlier were just false positives, my PC may be clean. But I will repeat the search a few more times; I just have to combine more tools. But thanks for the help.
Today I found that someone hacked my hosting FTP. He/she used the exact login and password that I used. I didn’t see any phishing attacks on my own, so I now know for sure I have some malware on my PC. The sysadmin of the hosting provider I’m using emailed me today that someone hacked my FTP.
I’ve used:
- CIS Premium,
- Comodo Cleaning Essentials,
- Hitman Pro,
- Malwarebytes Anti-Malware,
- TDSSKiller,
- GMER (only tool that found something suspicious),
- PrevX 3.0,
- Trend Micro Rootkit Buster;
Although I dumped the two files that GMER found as rootkit and uploaded them to VirusTotal, it found nothing. CIS also didn’t find these two suspicious.
Now I’m confused about what to use next to find this. The dump I made of my BIOS 2 weeks ago also seems clean (scanned by VirusTotal and CIS).
What now?
Did you dump the files with GMER on an online system?
Try to find those files while using a boot disk and then copy them to a USB drive or something, or upload to VT.
It might be that if it’s a rootkit you will get a ‘clean’ copy of the file, showing nothing on VT.
Where did you ‘cache’ that FTP account password? On your system, in an FTP program?
I’ve already changed the FTP password, but I was using FileZilla Client to log in to FTP; almost no security on my side, although I’m logging in to SSH. I bet that rootkit is hiding (or was) a keylogger.
I already uploaded those two files to Comodo Valkyrie; hopefully someone will find something.
Another way to go about this is to upload any suspicious samples to all anti-malware companies, using my article. Then, in a while, you can recheck Virustotal and see if any detect it now. This is yet another way to find out if there’s anything wrong with the files.
Please let me know if you have any questions.
Thanks.
Yeah, I will experiment with the set of proposed tools. Thanks for helping anyway.
Uploading files only makes sense if you do that from a boot CD/DVD.
If it’s a bit of a rootkit it will feed your ‘copy’ of that file a ‘clean’ version, so you won’t find the malicious code unless you boot from a CD/DVD and then copy the file and upload it.
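The two points in this thread, a driver listed as loaded but absent from the disk listing, and an online copy of a file that may differ from the copy taken from a boot CD, can both be checked with a small cross-view script. This is an added example and not code from the thread or from GMER; the driver paths, the kernel and file-system listings and the file contents are constructed sample data (ssuhop.sys and pxrts.sys are the names from the posts above).

```python
import hashlib

# Constructed sample data: what a kernel-level scanner reports as loaded drivers
# (name -> image path) versus the paths the normal file-system API can see.
KERNEL_VIEW = {
    "ntoskrnl.exe": r"C:\WINDOWS\system32\ntoskrnl.exe",
    "pxrts.sys": r"C:\WINDOWS\system32\drivers\pxrts.sys",
    "ssuhop.sys": r"C:\WINDOWS\system32\drivers\ssuhop.sys",  # name from the thread
}
FILESYSTEM_VIEW = {
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers\pxrts.sys",
}

# Constructed sample file contents: the copy read on the running system and the
# copy of the same file taken from a boot CD (so the rootkit cannot filter reads).
ONLINE_COPY = b"MZ...original driver code..."
OFFLINE_COPY = b"MZ...original driver code...PLUS HIDDEN PAYLOAD"


def _norm(path: str) -> str:
    # Windows paths are case-insensitive, so compare them in one case.
    return path.lower()


def hidden_drivers(kernel_view: dict, fs_view: set) -> list:
    """Cross-view diff: drivers the kernel has loaded whose backing file is not
    visible through the file-system API. These are the rootkit candidates."""
    visible = {_norm(p) for p in fs_view}
    return sorted(name for name, path in kernel_view.items() if _norm(path) not in visible)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dumps_differ(online_copy: bytes, offline_copy: bytes) -> bool:
    """True when the copy dumped on the live system does not match the copy taken
    offline; a rootkit that feeds a 'clean' version to readers produces this."""
    return sha256(online_copy) != sha256(offline_copy)


if __name__ == "__main__":
    print("loaded but not on disk:", hidden_drivers(KERNEL_VIEW, FILESYSTEM_VIEW))
    print("online dump differs from offline dump:", dumps_differ(ONLINE_COPY, OFFLINE_COPY))
```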
Yeah, I’m gonna retry with Kaspersky Rescue Disk and try SARDU. Emsisoft HiJackFree found that I may be infected with WinCrash: TCP port 3024 is open. TCP 1098 is also seen as malware (RAT), but this port is used by the Dropbox.exe service, C:\Documents and Settings\User\Dane aplikacji\Dropbox\bin\Dropbox.exe (Process ID: 2576).
So I must proceed with Kaspersky and SARDU.
Scanned again with GMER, but this time it didn’t find a thing: LOG.
Kaspersky Rescue Disk also didn’t find a thing, nor did the CIS full scan, so I must now use SARDU.