I think I have some kind of rootkit. It looks to be installing malware when it wants to after I delete it.
I ran MBAM, but it didn’t detect anything, although it does keep blocking access to ip addresses that I wasn’t trying to visit.
I’ve attached the requested logs, along with some extra info if useful.
The symptoms I’ve seen are:
Avast found rootkit.gen[rtk] or something like that, and said it was removed, haven’t seen it since …
I ran a boot time scan and it found and removed Somoto-J among other things. This morning I ran it again and it removed Malware:Gen and Miner-B
Clicking on search results from Google/Bing within Chrome/IE often gets redirected to ads, etc.
After running MBAM, it is seen periodically blocking IPs, don’t know if it’s getting all of them. I’m assuming the rootkit is still trying to call home for more malware and sometimes it gets blocked. Maybe it tries several IPs and is happy with whichever works.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Then…
Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:
[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click Scan button and wait until the full scan is complete;
[*]Click Save … - save the report to the Desktop (named Gmer );
1. Open Notepad and copy/paste the text present inside the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
2. Save notepad as fixlist.txt to your Desktop. NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply. Note: If the tool warned you about the outdated version please download and run the updated version.
[*]Close any open browsers
[*]Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.
[*]Double click on zoek.exe to run the tool. Please wait until the tool starts…
[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Re-run zoek with this script and attach here fresh zoek log results.
autoclean;
emptyalltemp;
shortcutfix;
emptyclsid;
emptyfolderscheck;delete
resetIEproxy;
netsh int ip reset >> %temp%\log.txt;b
ipconfig /flushdns >> %temp%\log.txt;b
resethosts;
Then…
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
[*]Click on the Scan button.
[*]After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
[*]After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
[*]The logfile will also be saved in the C:\AdwCleaner folder.
Here’s the ADWcleaner log. I think it’s S1 since this isn’t the first time I’ve run adwcleaner.
I did some experimenting with search result forward and found that for some search topics using google, it will give me a blank page with the google URL in the address, and it will have a little white shield saying the page was trying to execute some unauthorized script.
I think if I refresh the page, it will take me to the original site it was supposed to, but I think it will also run that script, so I haven’t refreshed.
But it looks like something is still interfering with browsing / searching, etc.
Execute TDSSKiller.exe by doubleclicking on it. Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.
[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
I found a chrome extension I thought had come with this laptop, but deleted it anyways just in case.
The extension re-appeared after restarting chrome, so I disabled it and then tried to reproduce the usual redirection issues, but didn’t have any.
I then manually tracked down the location of the extension and deleted it, so far no redirects in chrome (crossing fingers).
I then reset IE’s settings just in case (I don’t use IE that much).
Although, during this process, I did get a Malwarebytes message saying it had blocked access to a potentially malicious IP address. Not sure what could be causing that still.
Malwarebytes is blocking ingoing and outgoing communications with explorer.exe on port 6881. I think that’s usually used for BitTorrent. I don’t have any BitTorrent clients running right now, and I’m not sure why explorer.exe would be using it legitimately.
I have run bittorrent in the past, so I can understand why peers would still try and connect from the outside in, but I don’t know why explorer.exe would try and connect from the inside out.
Could explorer.exe be hijacked in some way that’s not currently detectable?
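One way to triage the explorer.exe / port 6881 question from the last post, as an added example that is not part of the thread and not one of the helper's tools: enumerate which process actually owns the connections on that port, and check whether the running explorer.exe is the one from the Windows directory and what non-system modules it has loaded. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection comes with the NetTCPIP module) and an elevated PowerShell session.

```powershell
# Added triage example (not from the thread). Assumes Windows 8+ (for
# Get-NetTCPConnection) and an elevated PowerShell prompt.
$Port = 6881   # the port Malwarebytes reported for explorer.exe

# 1. Every TCP endpoint touching the port, with the owning process, its image
#    path, parent PID and command line. A "process" that is really explorer.exe
#    should show the image path under the Windows directory.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port }

foreach ($c in $conns) {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
    [pscustomobject]@{
        State       = $c.State
        Local       = "$($c.LocalAddress):$($c.LocalPort)"
        Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
        PID         = $c.OwningProcess
        Process     = $proc.Name
        ImagePath   = $proc.ExecutablePath
        ParentPID   = $proc.ParentProcessId
        CommandLine = $proc.CommandLine
    }
}

# 2. The legitimate explorer.exe lives in %WINDIR%. Flag any copy running from
#    elsewhere, and list DLLs loaded from outside Windows / Program Files:
#    a hijacked explorer.exe usually means an injected or side-loaded module.
$expected  = Join-Path $env:WINDIR 'explorer.exe'
$safeRoots = @($env:WINDIR, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

foreach ($p in Get-Process explorer -ErrorAction SilentlyContinue) {
    if ($p.Path -and $p.Path -ne $expected) {
        Write-Warning "explorer.exe (PID $($p.Id)) running from unexpected path: $($p.Path)"
    }
    $p.Modules |
        Where-Object {
            $f = $_.FileName
            -not ($safeRoots | Where-Object { $f -like "$_\*" })
        } |
        Select-Object ModuleName, FileName |
        Format-Table -AutoSize
}
```

If Get-NetTCPConnection is unavailable on the machine, `netstat -anob` run from an elevated prompt gives the same port-to-process mapping, and the module listing above still applies.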