Rootkit of some kind?

Hi folks,

I think I have some kind of rootkit. It looks to be installing malware when it wants to after I delete it.

I ran MBAM, but it didn’t detect anything, although it does keep blocking access to ip addresses that I wasn’t trying to visit.

I’ve attached the requested logs, along with some extra info if useful.

The symptoms I’ve seen are:

  1. Avast found rootkit.gen[rtk] or something like that, and said it was removed, haven’t seen it since …
  2. I ran a boot time scan and it found and removed Somoto-J among other things. This morning I ran it again and it removed Malware:Gen and Miner-B
  3. Clicking on search results from Google/Bing within Chrome/IE often gets redirected to ads, etc.
  4. After running MBAM, it is seen periodically blocking IPs, don’t know if it’s getting all of them. I’m assuming the rootkit is still trying to call home for more malware and sometimes it gets blocked. Maybe it tries several IPs and is happy with whichever works.

Adding a couple of other logs if useful.

bump

Hi,

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  1. Double-click to run it. When the tool opens click Yes to disclaimer.
  2. Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
  3. Press Scan button.
  4. It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  5. The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Then…

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-click to run GMER.

  1. Wait for initial scan to finish - if there is any query, click No;
  2. Click Scan button and wait until the full scan is complete;
  3. Click Save … - save the report to the Desktop (named Gmer);

Attach the Gmer log report here.

I tried to run GMER, but it gave me this error at first:

c:\windows\config\system: The process cannot access the file because it is being used by another process.

and then it crashed during the scan.

Do I need to close / disable, e.g. Malwarebytes or Avast, etc., while I run GMER?

OK, I re-ran GMER and it gave the same error about system and also about ntuser.dat, but the scan completed.

I tried to attach the GMER log here, but Avast says it’s too large. The FARBAR logs are in the previous post.

I also tried to insert the gmer scan here as a code block.

So here’s a skydrive link instead:

https://skydrive.live.com/redir?resid=6A84A3EB2405BFE4!1250&authkey=!AJI7ZPSGq4ES-Rs&ithint=file%2C.log

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

HKCU\...\Run: [Oxmics] - regsvr32.exe C:\Users\josh\AppData\Local\\AwcSched.dll <===== ATTENTION
C:\Users\josh\AppData\Local\\AwcSched.dll
C:\Users\josh\AppData\Local\Temp
cmd: ipconfig /flushdns

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
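As an added example (not part of this thread, FRST or the helper's fix), here is a small Python script that parses FRST-style Run lines like the Oxmics entry in the fixlist above and flags the traits that make such an entry stand out: a signed loader such as regsvr32.exe being pointed at a DLL under a user-writable directory. Apart from the Oxmics line quoted above, the sample lines are constructed.

```python
import re

# Constructed FRST-style Run lines: the first is the Oxmics entry from the fixlist above,
# the other three are made up (one more bad entry and two normal ones).
SAMPLE_LINES = [
    r"HKCU\...\Run: [Oxmics] - regsvr32.exe C:\Users\josh\AppData\Local\\AwcSched.dll <===== ATTENTION",
    r"HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4345123 2014-05-10] (AVAST Software)",
    r"HKCU\...\Run: [Updater] => C:\Users\josh\AppData\Local\Temp\upd.exe [12345 2014-06-01] ()",
    r"HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13555304 2013-08-29] (Realtek Semiconductor)",
]

# FRST writes Run entries as "HIVE\...\Run: [Name] - command" or "[Name] => command".
RUN_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\.\\Run: \[([^\]]*)\] (?:-|=>) (.*)$")
# Signed Windows binaries that run whatever file they are pointed at; the argument is the payload.
LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Directories an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_run_line(line):
    """Return {'hive', 'name', 'exe', 'payload'} for a Run line, or None if it is not one."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    hive, name, cmd = m.groups()
    # Drop FRST's trailer: either "<===== ATTENTION" or "[size date] (publisher)".
    cmd = re.sub(r"\s*(<=====.*|\[\d+ \d{4}-\d{2}-\d{2}\].*)$", "", cmd)
    exe, _, rest = cmd.partition(" ")
    # For a loader the file it is told to load is the payload; switches like /s are skipped.
    payload = " ".join(a for a in rest.split() if not a.startswith("/")) if exe.lower() in LOADERS else cmd
    return {"hive": hive, "name": name, "exe": exe, "payload": payload}


def assess(entry):
    """List the reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    if entry["exe"].lower() in LOADERS:
        reasons.append("launched through %s rather than as a normal program" % entry["exe"])
    if any(d in entry["payload"].lower() for d in USER_WRITABLE):
        reasons.append("payload lives in a user-writable directory")
    if "\\\\" in entry["payload"]:
        reasons.append("doubled backslash in the path, unusual for a legitimate installer")
    return reasons


def suspicious_entries(lines):
    """Parse FRST Run lines and return only the entries with at least one reason."""
    entries = [e for e in map(parse_run_line, lines) if e is not None]
    return [{**e, "reasons": assess(e)} for e in entries if assess(e)]
```

Run it over the Run section of a real FRST.txt to get a short list of entries worth checking before anything is deleted; an empty list means nothing matched these heuristics, not that the machine is clean.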

Here’s the fixlog.

It says that the system did not reboot, but as far as I could tell, it did reboot.

Or, at least, it went through the motions of a reboot, and it had to prompt me to re-run FRST64 after it booted.

I can also confirm that I am still getting redirects off of search results.

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

  1. Close any open browsers.
  2. Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this please read this or this instruction.

  3. Double click on zoek.exe to run the tool.
Please wait until the tool starts…

  4. Copy the text present inside the code box below and paste it into the large window in the zoek tool:

createsrpoint;
StandardSearch;
installer-list;
installedprogs;
uninstall-list;

  5. Click on the Run script button.
Please wait until a log report opens (this can be after reboot).

  6. Save notepad to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

OK, here are the results from zoek.

Re-run zoek with this script and attach here fresh zoek log results.

autoclean;
emptyalltemp;
shortcutfix;
emptyclsid;
emptyfolderscheck;delete
resetIEproxy; 
netsh int ip reset >> %temp%\log.txt;b 
ipconfig /flushdns >> %temp%\log.txt;b 
resethosts;

Then…

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

  1. Click on the Scan button.
  2. After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  3. After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  4. The log file will also be saved in the C:\AdwCleaner folder.

Here’s the new zoek log. Heading off to run adwcleaner.

Here’s the ADWcleaner log. I think it’s S1 since this isn’t the first time I’ve run adwcleaner.

I did some experimenting with search result forwarding and found that for some search topics using Google, it will give me a blank page with the Google URL in the address, and it will have a little white shield saying the page was trying to execute some unauthorized script.

I think if I refresh the page, it will take me to the original site it was supposed to, but I think it will also run that script, so I haven’t refreshed.

But it looks like something is still interfering with browsing / searching, etc.

Let’s try one more step

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.

  1. Press Start Scan.
  2. If a Suspicious object is detected, the default action will be Skip, click on Continue.
  3. If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

OK, here is the TDSS log.

System seems clean, do you still have a problem? Have you tried resetting your router?

Yeah, router seems OK, and the other machines on my network aren’t getting redirects.

But the infected machine still has search result links getting redirected. If I click “back” I get to where I was trying to go.

In Chrome, both google and bing search results are sometimes redirected (usually the first time on a key word).

In IE, google.com seems OK, but if I try and use Bing, it crashes the browser.

I found a chrome extension I thought had come with this laptop, but deleted it anyways just in case.

The extension re-appeared after restarting chrome, so I disabled it and then tried to reproduce the usual redirection issues, but didn’t have any.

I then manually tracked down the location of the extension and deleted it, so far no redirects in chrome (crossing fingers).

I then reset IE’s settings just in case (I don’t use IE that much).

Although, during this process, I did get a Malwarebytes message saying it had blocked access to a potentially malicious IP address. Not sure what could be causing that still.

Malwarebytes is blocking incoming and outgoing communications with explorer.exe on port 6881. I think that’s usually used for BitTorrent. I don’t have any BitTorrent clients running right now, and I’m not sure why explorer.exe would be using it legitimately.

I have run bittorrent in the past, so I can understand why peers would still try and connect from the outside in, but I don’t know why explorer.exe would try and connect from the inside out.

Could explorer.exe be hijacked in some way that’s not currently detectable?