Topic: Rootkit-like activity on computer

Offline MasterMan

  • Newbie
Rootkit-like activity on computer
« on: November 01, 2021, 02:17:27 AM »
Hi,
I'm having some trouble with this computer.
First I had a problem with two unsigned drivers (detected by TDSSKiller); those were stopping the VMware Authorization Service from running. I deleted those drivers and did some second-opinion scans.

Then strange alerts from the FW started appearing; I also detected some strange process in GMER.

https://ibb.co/G3X3sVz
https://ibb.co/23GTGQ1

I did some scans with CCE, HMP, Zemana, MBAM, Emsisoft etc.

Here are the requested logs.

Thanks in advance.

Offline C.O.M.O.D.O RT

  • Comodo Staff
  • Comodo's Hero
Re: Rootkit-like activity on computer
« Reply #1 on: November 02, 2021, 06:38:07 AM »
Hi MasterMan,

Thank you for reporting. We will check and get back to you.

Thanks
C.O.M.O.D.O RT

Offline MasterMan

Re: Rootkit-like activity on computer
« Reply #2 on: November 04, 2021, 01:31:19 PM »
The hidden rootkit/malware (I don't know what it is) is there,
trying to change browser settings.
https://ibb.co/G2ng1nW

One of the strange things:
now I can access the admin account files with Explorer without the admin password :)

I updated drivers using IObit Driver Updater.
I also did more second-opinion scans with tools like NPE, KSVRT, TDSSKiller; no use, they just detect some false positives.

Here I attached some new logs.
GMER can't complete a scan, so I attached this.


Offline MasterMan

Re: Rootkit-like activity on computer
« Reply #3 on: November 04, 2021, 02:01:47 PM »
This is the TDSSKiller quarantine that I deleted, which was interfering with the VMware Authorization Service.
Could be a false positive or something controlling them.


Offline panic

  • Global Moderator
  • Comodo's Hero
  • Linux is free only if your time is worthless.;-)
Re: Rootkit-like activity on computer
« Reply #4 on: November 04, 2021, 05:28:31 PM »
> This is the TDSSKiller quarantine that I deleted, which was interfering with the VMware Authorization Service.
> Could be a false positive or something controlling them.

The objects you have quarantined are related to btha2dp.sys which is the Windows driver for Bluetooth headsets (using A2DP).

For reasons best known to Microsoft and/or Sony, these are unsigned and there are multiple reports of issues with it.

https://www.google.com.au/search?q=bth2adp&btnK=Google+Search&source=hp&ei=32mnYLts7J7j4Q_7zb64DA&iflsig=AINFCbYAAAAAYKd374psgw5cRhm__xJyiLDDO1aWqb7T&oq=buy+wood+sealer&gs_lcp=Cgdnd3Mtd2l6EAMyAggAMgYIABAWEB46DgguELEDEMcBEKMCEJMCOgsILhCxAxDHARCjAjoICAAQsQMQgwE6BQgAELEDOg4ILhCxAxCDARDHARCjAjoICC4QsQMQgwE6CAguEMcBEKMCOgIILjoICAAQsQMQyQM6BQgAEJIDOgUIABDJAzoJCAAQyQMQFhAeOggIABAWEAoQHlCUDVi0KGC7MWgAcAB4AIABgAKIAZ4UkgEGMC4xMy4ymAEAoAEBqgEHZ3dzLXdpeg&sclient=gws-wiz&ved=0ahUKEwj719y5qNrwAhVszzgGHfumD8cQ4dUDCAk&uact=5

NOTE : Please bear in mind that I'm not saying that your samples aren't modified, malicious versions of the BTHA2DP stack.

Cheers,
Ewen :-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you can't conform, don't use the forum.
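A check a reader in MasterMan's position could run before deciding whether the quarantined driver was a false positive, added here as an example and not part of any post in the thread: it locates every on-disk copy of btha2dp.sys, reports whether Windows sees a valid embedded (Authenticode) or catalog signature on each one, records the SHA-256 hash, and shows whether the driver is currently loaded. It assumes Windows 10/11 with Windows PowerShell 5.1 or later (earlier versions do not check catalog signatures), the standard driver locations, and an elevated prompt; the file name comes from panic's post above.

```powershell
# Added example, not from the thread. Assumes Windows 10/11, PowerShell 5.1+,
# and the standard driver locations; run from an elevated prompt.
$driverName  = 'btha2dp.sys'
$searchRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

# Every on-disk copy: the active one in System32\drivers plus the staged
# driver packages in the DriverStore.
$copies = Get-ChildItem -Path $searchRoots -Recurse -Filter $driverName -File -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    # Status is Valid for both embedded and catalog-signed files on PS 5.1+;
    # SignatureType says which kind vouches for the file. A genuine NotSigned
    # status on a shipped Microsoft driver is unusual and worth a closer look.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path          = $f.FullName
        Status        = $sig.Status
        SignatureType = $sig.SignatureType
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        SHA256        = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        SizeBytes     = $f.Length
        LastWrite     = $f.LastWriteTime
    }
}
$report | Format-List

# Is the driver loaded right now? Win32_SystemDriver lists kernel drivers by
# service name; PathName points at the .sys file, so match on that.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*\$driverName" } |
    Select-Object Name, State, StartMode, PathName

# Reading the result: identical hashes across all copies plus a Valid status
# argue for a false positive; an active copy whose hash differs from the
# DriverStore copy, or a NotSigned status on the active file, argues for
# treating it as suspect rather than restoring it from quarantine.
```

Sysinternals `sigcheck64 -a -h -i <path>` gives the same verdict independently of PowerShell and names the catalog file that vouches for the driver, which is useful when the two disagree.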

Offline MasterMan

Re: Rootkit-like activity on computer
« Reply #5 on: November 06, 2021, 06:48:35 AM »
I guess the rootkit is taking advantage of the unsigned rootkit.

What should I do next?


Offline MasterMan

Re: Rootkit-like activity on computer
« Reply #6 on: April 12, 2022, 03:40:21 PM »
After formatting the computer and reinstalling,

a while ago the symptoms reappeared,
and a firewall rule changed by itself to allow inbound connections
where the origin is the home network. Is this related to an update of the FW I don't know of,
or did something change the setting of the FW????
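The question at the end of the post above, whether the firewall updated itself or something rewrote a rule, can be answered concretely for the built-in Windows Defender Firewall. The following is added here as an example and is not from the thread, from Comodo, or from Microsoft documentation: it snapshots the enabled inbound allow rules with their profile, ports and remote-address scope, diffs that snapshot against an earlier one saved to a file, and then pulls the firewall's own operational log, which records the application and user that added or modified a rule. It assumes Windows 10/11 with the NetSecurity module and uses a placeholder path for the baseline file; Comodo Firewall keeps its own rule set, which these cmdlets do not see.

```powershell
# Added example, not from the thread. Assumes Windows 10/11 with the NetSecurity
# module and a Windows Defender Firewall rule set; the baseline path is a placeholder.
$baseline = 'C:\fw-baseline\inbound-allow.csv'   # assumed path for the saved snapshot

function Get-InboundAllowRules {
    # Enabled rules that permit inbound traffic, flattened to the fields that answer
    # "who is allowed in, from where": profile, protocol/port, remote scope, program.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name        = $rule.Name
            DisplayName = $rule.DisplayName
            Group       = $rule.DisplayGroup
            Profile     = "$($rule.Profile)"               # stringified so a CSV round-trip compares equal
            Protocol    = "$($port.Protocol)"
            LocalPort   = ($port.LocalPort -join ',')
            RemoteAddr  = ($addr.RemoteAddress -join ',')  # "LocalSubnet" is the home-network scope
            Program     = $app.Program
            Owner       = $rule.Owner                      # set on rules created on behalf of Store apps
        }
    }
}

$current = Get-InboundAllowRules
if (-not (Test-Path $baseline)) {
    # First run: record what the rule set looks like on a machine you trust.
    New-Item -ItemType Directory -Path (Split-Path $baseline) -Force | Out-Null
    $current | Export-Csv -Path $baseline -NoTypeInformation
    "Baseline of $($current.Count) inbound allow rules written to $baseline"
} else {
    # Later runs: "=>" marks a rule present now but not in the baseline (added or
    # changed); "<=" marks a baseline rule that is gone or whose fields changed.
    $old   = Import-Csv -Path $baseline
    $props = 'Name', 'DisplayName', 'Profile', 'Protocol', 'LocalPort', 'RemoteAddr', 'Program'
    Compare-Object -ReferenceObject $old -DifferenceObject $current -Property $props -PassThru |
        Select-Object SideIndicator, DisplayName, Profile, Protocol, LocalPort, RemoteAddr, Program |
        Format-Table -AutoSize
}

# The firewall's operational log answers "did something change it": event 2004 is a
# rule added, 2005 a rule modified, 2006 a rule deleted, and the message body names
# the modifying application and user. Absence of events is reported silently.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id      = 2004, 2005, 2006
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

A rule added by a Windows update or by an installer shows up in the log with the updater or setup program as the modifying application; a rule whose modifying application is something you do not recognise, or whose remote scope widened from a single host to LocalSubnet or Any, is the one to investigate.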

Offline C.O.M.O.D.O RT

Re: Rootkit-like activity on computer
« Reply #7 on: April 14, 2022, 07:08:56 AM »
> After formatting the computer and reinstalling,
>
> a while ago the symptoms reappeared,
> and a firewall rule changed by itself to allow inbound connections
> where the origin is the home network. Is this related to an update of the FW I don't know of,
> or did something change the setting of the FW????
Hi MasterMan,

Could you please check your inbox for pm and respond?

Thanks
C.O.M.O.D.O RT
