So I'm not sure if you guys deal with rootkits or just malware, but I've been battling with a persistent rootkit that is super well-hidden.
I got a trojan not too long ago, and even after multiple (slow) formats, its modifications are still there. Not sure if the actual executable is still there. Some of the symptoms I notice:
- my User profile folder in my C drive is shared with everyone
- some .dll files are corrupted (oleaut32.dll) and possibly others
- I've been finding unknown .sys drivers in my system32 as well with no registration or signature
So my main issue now is: when I try to run most anti-rootkit programs I get a BSOD, each program with a different code.
I tried downloading vba32 antirootkit, but my browser wouldn't download from an FTP website, so I had to download from a mirrored version off Softpedia.com (which I really didn't want to do).
I tried running the program after download, and as soon as the program starts I get a BSOD with the following error:
Stop: 0x0000008E (0XC0000005, 0x8D47E466, 0x9611AC78, 0x000000..)
Win32k.sys – Address 8D47E466 base at 8D400000
I've read that updating Windows and the BIOS should solve the problem, so I updated Windows, but for the BIOS I couldn't find a Windows 7 compatible file. I ran the Windows 8.1 and Windows 10 compatible ones, but they didn't work.
GMER seems to work fine, but I'm not really good with it. It keeps throwing this modification:
.text | ntkrnlpa.exe!KiDispatchInterrupt
I forgot what the value was, but I tried restoring the code for it and it keeps coming back. Must be some file that I need to delete from my system and then restore.
So if there are any analysts that are good with rootkits, your help would be of great assistance. Thanks in advance.