Rootkit of some kind?

Sure, here’s the re-scan which I had already run after removing earlier today.

However, just now, after rebooting later in the day, it found another threat through its real-time protection; this is the entry in the protection log (not a scan log):

2014/01/05 20:29:24 -0800 JOSH-LAPTOP josh DETECTION C:\Users\josh\AppData\Local\Temp\fqldohqz.exe Trojan.Dorkbot.ED QUARANTINE

So even though the re-scan shows clean, somehow another trojan has gotten in, and this is with only Chrome at the Gmail and Avast sites.

I really do not get what you are doing to get this many viruses…

Is Avast updated, and do you have the firewall enabled?

Yes, avast is updated and the firewall is up.

I also have CCleaner Pro and Malwarebytes Pro running.

So, yeah, it’s weird that stuff is still getting in.

Which is why I think there’s some currently undetectable or new rootkit / trojan downloading and installing stuff.

We need another scan with GMER, but now upload the whole report (here → http://zippyshare.com/)

Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will have a random name.

Double-click to run GMER.

  • Wait for the initial scan to finish; if there is any query, click No.
  • Click the Scan button and wait until the full scan is complete.
  • Click Save… and save the report to the Desktop (named Gmer).

Attach the Gmer log report here.

I ran the gmer scan.

There were two items it said it couldn’t access because they were in use—system folder and ntuser.dat.

Here’s the log.

1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

reg: reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts C:\export.reg
cmd: del %windir%\temp\*.* /f /s /q
cmd: del %temp%\*.* /f /s /q

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Then, upload the C:\export.reg file…

I’ve attached the fixlog, but it didn’t make an export.reg.

I saw this:

========= reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts C:\export.reg =========

ERROR: The system was unable to find the specified registry key or value.

Ok, run FRST again, tick Addition.txt and attach both reports…

I have been having the same problem, nothing found by malwarebytes, etc.

However, I’ve had no notifications about port 6881 until a couple of minutes after I started Tune-In Radio. Do you run this too (Windows 8 application)?

No, no tune in stuff. Just Diablo 3 Reaper of Souls beta.

Blizzard is known to use 6881, so that could be the cause there. But it says explorer.exe does it, not Diablo.

Though maybe explorer handles the traffic for some reason?

Anyways, off to run FRST.

Ok, here are the results of the latest FRST run.

There is no malware here…there were signs of malware, but it is not active…

We need to remove the tools we used:

Download Xplode’s DelFix and save it to the Desktop.

  • Double-click to run the program.

Tick the following options:
  • Remove disinfection tools
  • Purge System Restore
  • Reset system settings

  • Click the “Run” button and wait for the program to finish.
The tool will remove all the tools used in this topic…
  • When the tool finishes, it will open the report in Notepad.
Note: The report will also be saved to C:\DelFix.txt

  • There is no need to attach the report.

Pardon my intrusion one last time. I have stopped the outgoing connection attempts from “explorer.exe” on port 6881 now by removing these files:

C:\ProgramData\Microsoft\BingDesktop\BingCore\BingDesktopOverlays.dll
C:\ProgramData\Microsoft\BingDesktop\BingCore\BingDesktopCore.dll

As far as I know, I do not have BingDesktop installed, so I don’t know why they were there. I was unable to remove them until I rebooted into recovery mode command prompt (see Advanced Startup Options).

I’ve also had this report from RogueKiller previously:

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\ProgramData\Microsoft\BingDesktop\BingCore\BingDesktopOverlays.dll [x] -> UNLOADED
[SUSP PATH][DLL] explorer.exe -- C:\ProgramData\Microsoft\BingDesktop\BingCore\BingDesktopCore.dll [x] -> UNLOADED

I hope this helps.

Avast just found a Trojan-Gen and a Malware-Gen.

Both down inside “Bing Desktop”.

I’m going to delete those Bing Desktop DLLs as well, since you’re probably right.

These detections are false positives; you can report them here:

http://www.avast.com/contact-form.php

I can’t understand why it’s considered a false positive. Here is what I know:

  • My laptop has been trying to make 6881 connections from explorer.exe to random sites in Eastern Europe for weeks now
  • I did not have Bing Desktop installed (it’s listed in Updates, but not selected for download)
  • I have no torrent software installed
  • I had DLLs installed that were being held open by some process (presumably explorer.exe - I didn’t check this)
  • Since I removed the DLLs, all suspicious 6881 connections have ceased.

Personally I’m convinced those DLLs are malware, yet nothing would detect and remove them. Hence, I contest the false positive classification applied to those DLLs.
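For anyone wanting to check the same symptom on their own machine, here is an added example (not code from this thread or from any of the tools mentioned) that reads `netstat -ano` and `tasklist /fo csv /nh` output, flags every connection whose remote port is 6881, and names the owning process, so a connection owned by explorer.exe rather than a torrent client stands out. The netstat and tasklist text below is constructed sample data, and the list of "unexpected" process names is an assumption you would tune to your own system.

```python
"""Flag outbound connections to the BitTorrent port (6881) in Windows netstat output
and name the owning process, so an unexpected originator such as explorer.exe stands out.
Added example for this thread; the sample netstat and tasklist text below is constructed."""
import csv
import io
from dataclasses import dataclass

BITTORRENT_PORT = 6881
# Processes that should never be talking to BitTorrent peers on a normal workstation.
# Constructed list for this example; a torrent client you actually run would not be here.
UNEXPECTED_ORIGINATORS = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}

@dataclass
class Finding:
    pid: int
    image: str
    local: str
    remote: str
    state: str
    reason: str

def parse_netstat(text):
    """Parse `netstat -ano` lines into (proto, local, remote, state, pid) tuples.
    TCP rows carry a state column; UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed row: skip rather than guess
        rows.append((proto, local, remote, state, int(pid)))
    return rows

def remote_port(addr):
    """Return the port of '1.2.3.4:6881' or '[::1]:6881'; None for '*:*' or no port."""
    _host, _sep, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None

def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    images = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            images[int(row[1])] = row[0]
    return images

def find_suspicious(netstat_text, tasklist_text, port=BITTORRENT_PORT):
    """Every connection whose remote port matches, annotated with its owning process."""
    images = parse_tasklist_csv(tasklist_text)
    findings = []
    for _proto, local, remote, state, pid in parse_netstat(netstat_text):
        if remote_port(remote) != port:
            continue
        image = images.get(pid, "<unknown>")
        reason = "remote port %d" % port
        if image.lower() in UNEXPECTED_ORIGINATORS:
            reason += " from unexpected process %s" % image
        findings.append(Finding(pid, image, local, remote, state, reason))
    return findings

# Constructed sample output (not from the thread); the 203.0.113.x and 198.51.100.x
# addresses are documentation ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    192.168.1.23:49731     203.0.113.17:6881      SYN_SENT        3412
  TCP    192.168.1.23:49732     198.51.100.8:6881      SYN_SENT        3412
  TCP    192.168.1.23:49800     203.0.113.50:443       ESTABLISHED     5120
  UDP    0.0.0.0:5353           *:*                                    1400
"""
SAMPLE_TASKLIST = '''"svchost.exe","872","Services","0","10,220 K"
"explorer.exe","3412","Console","1","84,112 K"
"chrome.exe","5120","Console","1","210,500 K"
'''

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("PID %d %s %s -> %s %s: %s" % (f.pid, f.image, f.local, f.remote, f.state, f.reason))
```

On a live machine you would feed it the saved output of `netstat -ano` and `tasklist /fo csv /nh` from an elevated prompt; a hit owned by explorer.exe is the cue to look at which DLLs that process has loaded, as RogueKiller did above.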

Check the files at VirusTotal and copy the link here:

https://www.virustotal.com/

I regret that I didn’t keep the DLLs. Maybe Thurstone (OP) kept them? I will look around though. Thanks for the link.
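So that the next person does not lose the sample the same way, here is an added example (not from this thread or any of the tools in it) of keeping a hashed copy of a suspicious file before deleting it: it records MD5, SHA-1 and SHA-256 plus the original path and timestamp in a manifest, stores the copy under its hash with a neutral extension, and only then removes the original. The file it quarantines is a constructed stand-in, not a real DLL, and the VirusTotal report URL form is an assumption; the hashes are what you would look up or report.

```python
"""Keep a hashed copy of a suspicious file before deleting it, so it can still be looked
up or submitted later. Added example for this thread; the file it quarantines below is a
constructed stand-in, not a real DLL."""
import hashlib
import json
import os
import shutil
import tempfile
import time

def file_hashes(path, chunk=1 << 20):
    """MD5, SHA-1 and SHA-256 of a file, read in chunks so large files are fine."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}

def virustotal_url(sha256):
    # Assumption: VirusTotal's web UI serves an existing report at /gui/file/<sha256>,
    # which lets you check a hash without uploading the file itself.
    return "https://www.virustotal.com/gui/file/" + sha256

def quarantine(path, qdir, remove_original=False):
    """Copy `path` into `qdir` under its SHA-256 with a neutral extension, append a
    manifest line, and only then (optionally) delete the original."""
    os.makedirs(qdir, exist_ok=True)
    hashes = file_hashes(path)
    st = os.stat(path)
    stored = os.path.join(qdir, hashes["sha256"] + ".bin")  # .bin: nothing will load it as a DLL
    shutil.copy2(path, stored)  # copy2 preserves the original timestamps on the copy
    record = {
        "original_path": os.path.abspath(path),
        "stored_as": stored,
        "size": st.st_size,
        "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
        "virustotal": virustotal_url(hashes["sha256"]),
    }
    record.update(hashes)
    with open(os.path.join(qdir, "manifest.jsonl"), "a", encoding="utf-8") as mf:
        mf.write(json.dumps(record) + "\n")
    if remove_original:
        os.remove(path)
    return record

# Constructed stand-in content; a real DLL also starts with "MZ", but this is not one.
SAMPLE_BYTES = b"MZ constructed sample, not a real BingDesktopCore.dll\n"

def run_demo():
    """Quarantine a constructed file in a temp dir; returns what a caller can check on."""
    work = tempfile.mkdtemp()
    sample = os.path.join(work, "BingDesktopCore.dll")
    with open(sample, "wb") as fh:
        fh.write(SAMPLE_BYTES)
    record = quarantine(sample, os.path.join(work, "quarantine"), remove_original=True)
    with open(os.path.join(work, "quarantine", "manifest.jsonl"), encoding="utf-8") as mf:
        manifest_lines = mf.read().splitlines()
    return {
        "record": record,
        "expected_sha256": hashlib.sha256(SAMPLE_BYTES).hexdigest(),
        "copy_exists": os.path.exists(record["stored_as"]),
        "original_removed": not os.path.exists(sample),
        "manifest_entries": len(manifest_lines),
    }

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On the real machine you would call `quarantine(r"C:\ProgramData\Microsoft\BingDesktop\BingCore\BingDesktopCore.dll", r"C:\Quarantine", remove_original=True)` from an elevated prompt once the file is no longer held open; the manifest line then gives you the hash to look up and a copy to send to the vendor if the "false positive" verdict is disputed.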