Hidden files - root kit

I believe I have some form of rootkit malware that is hidden from most programs and is extremely difficult to remove. Antivirus programs don't see it. Only one rootkit removal program has detected it (Avast aswMBR), but it can't seem to remove it.

I have tried the following rootkit removal programs: Sophos (saw no problems); Bitdefender (saw nothing); and others I can't tell you about right now because I can't minimize the browser window to look for them (another feature of this malware).

When the problem first manifested I reinstalled Windows from the backup drive in Windows, which didn't work, so I reinstalled Windows from disk, which also, surprisingly, didn't work.

I am using an HP desktop running Windows 7, quad core with 4 meg of RAM and a terabyte hard drive. I am using Firefox to write this and also use the Chrome browser.

I have attached a log file of the avast scan.

They are Kaspersky files that it is detecting as locked.

And the AVtmp files suggest definition updates.

The other files are in Firefox and Chrome; do you know all the extensions/add-ons that you are using?

I can't open the settings in Chrome to check the extensions, and reinstalling it doesn't seem to help. Don't know about Firefox; I just started using it when Chrome went wacky. Haven't installed any extensions I know of.

OK, let's take a look-see.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.

Here is the scan result. Also, both browsers are not handling downloads normally. Firefox won't show download content at all, and Chrome shows it on the bottom left as usual but won't open it. I have to go to "all downloads" to find and open them.

It looks like only one file went through, so here is the other if you didn't get it.

Nothing that I can see would cause these problems; however, it would probably be best to reset both Chrome and Firefox. Details at the end.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
CHR HomePage: Default -> 9A93874570FFB0CEB8D5949E68688214F8B50FBB11892F9FA2C3FE392ABA469B
CHR DefaultSearchKeyword: Default -> 9F33B6EB6002E9D3D906FE7806EA3198D3A08C9591EB8C9C072399E43A314E68
CHR DefaultSearchURL: Default -> 61824906A2A7F370DE2DC6DE305CBCB45B16AFEE7DFF1F61AC596E143F8C2E5E
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete, click on "Clean".
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

Reset Chrome : https://support.google.com/chrome/answer/3296214?hl=en-GB

Reset Firefox : https://support.mozilla.org/en-US/kb/reset-preferences-fix-problems
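As an added example (not from this thread and not part of FRST or AdwCleaner), the PowerShell audit below reads the same registry locations the fixlist above targets, so the empty SearchScopes URLs and the orphaned Toolbar CLSID can be confirmed before and after the fix is run; the exact Toolbar subkeys FRST reads are assumed here, and the script only reports, it changes nothing.

```powershell
# Added example, not FRST's own code: list IE SearchScopes entries and flag empty URLs.
$scopeKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',  # FRST's "HKLM-x32"
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
)
foreach ($k in $scopeKeys) {
    if (-not (Test-Path $k)) { continue }
    Get-ChildItem $k | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath).URL
        if ([string]::IsNullOrWhiteSpace($url)) {
            "{0}\{1}: EMPTY URL (same pattern as the fixlist entries)" -f $k, $_.PSChildName
        } else {
            "{0}\{1}: {2}" -f $k, $_.PSChildName, $url
        }
    }
}

# Toolbar entries are registry values named by CLSID; resolve each CLSID to its
# InprocServer32 DLL and report "No File" when the DLL is missing (as FRST does).
# Assumption: FRST reads these two HKCU subkeys for its "Toolbar: HKCU" lines.
$toolbarKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)
foreach ($tbKey in $toolbarKeys) {
    if (-not (Test-Path $tbKey)) { continue }
    (Get-ItemProperty $tbKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $clsid = $_.Name
            $dll = $null
            foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
                $srv = "$root\$clsid\InprocServer32"
                if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)'; break }
            }
            if (-not $dll -or -not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
                "{0} {1}: No File (orphaned entry)" -f $tbKey, $clsid
            } else {
                "{0} {1}: {2}" -f $tbKey, $clsid, $dll
            }
        }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; an entry still listed as EMPTY URL or No File after the fix means the fixlist did not take, which is the situation the helper checks for in the next reply.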

I can't find first.exe, just the txt file and farbar.

FRST (Farbar) should be on your desktop, so could you copy it from here, C:\Users\ian\Downloads, to the desktop and then run the fixlist?

I hope this is what you asked for ;D

Here is the AdwCleaner file. After reboot the browsers are still goofy, and the Notepad window won't move on the desktop by click and drag.

Is this an infection or a technical thing with the software? Or unclear? I am reluctant to use this device for sensitive work if it is infected.

Could you run the fixlist again please, as it did not appear to take?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
CHR HomePage: Default -> 9A93874570FFB0CEB8D5949E68688214F8B50FBB11892F9FA2C3FE392ABA469B
CHR DefaultSearchKeyword: Default -> 9F33B6EB6002E9D3D906FE7806EA3198D3A08C9591EB8C9C072399E43A314E68
CHR DefaultSearchURL: Default -> 61824906A2A7F370DE2DC6DE305CBCB45B16AFEE7DFF1F61AC596E143F8C2E5E
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.