Rootkit-like activity on computer

Hi,
I’m having some trouble with this computer.
First I had a problem with two unsigned drivers (detected by TDSSKiller); those were stopping the VMware Authorization Service from running. I deleted those drivers and did some second-opinion scans.

Then strange alerts from the FW started appearing, and I also detected some strange process in GMER.

Did some scans with CCE, HMP, Zemana, MBAM, Emsisoft, etc.

Here are the requested logs.

Thanks in advance.

Hi MasterMan,

Thank you for reporting. We will check and get back to you.

Thanks
C.O.M.O.D.O RT

The hidden rootkit/malware (I don’t know what it is) is there, trying to change browser settings.

One of the strange things: now I can access the admin account files with Explorer without admin passwords :slight_smile:

I updated drivers using IObit Driver Updater.
Also did more second-opinion scans with tools like NPE, KSVRT, TDSSKiller; no use, just detecting some false positives.

Here I attached some new logs.
GMER can’t complete a scan, so I attached this.

This is the TDSSKiller quarantine that I deleted, which was interfering with the VMware Authorization Service.
Could be a false positive or something controlling them.

The objects you have quarantined are related to btha2dp.sys which is the Windows driver for Bluetooth headsets (using A2DP).

For reasons best known to Microsoft and/or Sony, these are unsigned and there are multiple reports of issues with it.

https://www.google.com.au/search?q=bth2adp&btnK=Google+Search&source=hp&ei=32mnYLts7J7j4Q_7zb64DA&iflsig=AINFCbYAAAAAYKd374psgw5cRhm__xJyiLDDO1aWqb7T&oq=buy+wood+sealer&gs_lcp=Cgdnd3Mtd2l6EAMyAggAMgYIABAWEB46DgguELEDEMcBEKMCEJMCOgsILhCxAxDHARCjAjoICAAQsQMQgwE6BQgAELEDOg4ILhCxAxCDARDHARCjAjoICC4QsQMQgwE6CAguEMcBEKMCOgIILjoICAAQsQMQyQM6BQgAEJIDOgUIABDJAzoJCAAQyQMQFhAeOggIABAWEAoQHlCUDVi0KGC7MWgAcAB4AIABgAKIAZ4UkgEGMC4xMy4ymAEAoAEBqgEHZ3dzLXdpeg&sclient=gws-wiz&ved=0ahUKEwj719y5qNrwAhVszzgGHfumD8cQ4dUDCAk&uact=5

NOTE : Please bear in mind that I’m not saying that your samples aren’t modified, malicious versions of the BTHA2DP stack.

Cheers,
Ewen :slight_smile:
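Before deleting a driver that an anti-rootkit tool calls "unsigned", it is worth collecting the evidence the reply above is asking for: whether Windows itself considers the file signed (inbox drivers are usually catalog-signed rather than carrying an embedded signature), who built it (Microsoft or an OEM such as Sony), its hash, and whether it is actually loaded. The following PowerShell is an added example for this thread, not code from the thread or from Comodo; the driver path is an assumption and should be replaced with the file TDSSKiller reported.

```powershell
# Added example, not from the thread. Collects the evidence you would want before
# deleting a driver an anti-rootkit tool flagged as "unsigned": signature status,
# who built it, its hash, and whether it is actually loaded.
# The path is an assumption; use the one TDSSKiller reported.
function Get-DriverEvidence {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\btha2dp.sys'))

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Driver file not found: $Path"
        return
    }

    # Signature check. Inbox Microsoft drivers usually carry no embedded signature;
    # they are catalog-signed, and on Windows 8+ this cmdlet consults the catalogs too.
    # Caveat: Status = NotSigned means either "never signed" or "modified, so no
    # catalog hash matches any more". The two look identical here; the hash below
    # (compared with a clean machine on the same build) tells them apart.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Is the driver registered and running? View from the service control manager.
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    $svc  = Get-CimInstance -ClassName Win32_SystemDriver |
            Where-Object { $_.PathName -like "*$name*" } |
            Select-Object -First 1

    [pscustomobject]@{
        File        = $Path
        SigStatus   = $sig.Status                      # Valid / NotSigned / HashMismatch / ...
        Signer      = $sig.SignerCertificate.Subject   # $null when NotSigned
        IsOSBinary  = $sig.IsOSBinary                  # $true if signed as part of Windows
        Company     = $info.CompanyName                # Microsoft vs OEM tells you whose driver it is
        FileVersion = $info.FileVersion
        Sha256      = $hash                            # compare with a clean machine on the same build
        Service     = $svc.Name
        State       = $svc.State                       # Running / Stopped
        StartMode   = $svc.StartMode
    }
}

Get-DriverEvidence | Format-List
```

Run it from an elevated PowerShell. If SigStatus is NotSigned but the SHA-256 matches the same file on a clean install of the same Windows build, you are looking at the legitimately unsigned driver described above; if the hash differs, the file has been altered and the "false positive" reading no longer holds. `driverquery /si` gives the same signed/unsigned overview for every loaded driver at once.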

I guess the rootkit is taking advantage of the unsigned rootkit.

What should I do next?

After formatting the computer and reinstalling,

a while ago the symptoms reappeared, and a firewall rule changed by itself to allow inbound connections where the origin is the home network. Is this related to an update of the FW I don’t know of, or did something change the setting of the FW???

Hi MasterMan,

Could you please check your inbox for a PM and respond?

Thanks
C.O.M.O.D.O RT

I just wanted to update you guys with what I found on my PC after trying a lot of products and scanners.

I detected the rootkit on my computer.
It’s the Computrace.A EFI rootkit.

Don’t have a way to remove it though.
Anyway, I hope that Comodo in the future includes a scanner for BIOS/EFI rootkit stuff.

Regards