Author Topic: Rootkit of some kind?  (Read 17525 times)


thurstone

  • Guest
Re: Rootkit of some kind?
« Reply #15 on: December 30, 2013, 11:17:39 PM »
OK, here is the TDSS log.

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Rootkit of some kind?
« Reply #16 on: December 30, 2013, 11:50:00 PM »
System seems clean, do you still have a problem? Have you tried resetting your router?
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

thurstone

  • Guest
Re: Rootkit of some kind?
« Reply #17 on: December 30, 2013, 11:59:22 PM »
Yeah, router seems OK, and the other machines on my network aren't getting redirects.

But on the infected machine, search result links are still getting redirected. If I click "back" I get to where I was trying to go.

In Chrome, both Google and Bing search results are sometimes redirected (usually the first time on a keyword).

In IE, google.com seems OK, but if I try and use Bing, it crashes the browser.

thurstone

  • Guest
Re: Rootkit of some kind?
« Reply #18 on: December 31, 2013, 12:44:02 AM »
I found a Chrome extension I thought had come with this laptop, but deleted it anyway just in case.

The extension re-appeared after restarting Chrome, so I disabled it and then tried to reproduce the usual redirection issues, but didn't have any.

I then manually tracked down the location of the extension and deleted it; so far no redirects in Chrome (crossing fingers).

I then reset IE's settings just in case (I don't use IE that much).

Although, during this process, I did get a Malwarebytes message saying it had blocked access to a potentially malicious IP address. Not sure what could be causing that still.

thurstone

  • Guest
Re: Rootkit of some kind?
« Reply #19 on: December 31, 2013, 07:11:52 AM »
Malwarebytes is blocking incoming and outgoing communications with explorer.exe on port 6881. I think that's usually used for BitTorrent. I don't have any BitTorrent clients running right now, and I'm not sure why explorer.exe would be using it legitimately.

I have run BitTorrent in the past, so I can understand why peers would still try and connect from the outside in, but I don't know why explorer.exe would try and connect from the inside out.

Could explorer.exe be hijacked in some way that's not currently detectable?

Offline TwinHeadedEagle

Re: Rootkit of some kind?
« Reply #20 on: December 31, 2013, 09:36:52 AM »
Does Malwarebytes warn all the time or only when you browse the internet?

thurstone

  • Guest
Re: Rootkit of some kind?
« Reply #21 on: January 01, 2014, 08:27:13 PM »
All the time. It happens when I have the browsers closed as well.
Offline TwinHeadedEagle

Re: Rootkit of some kind?
« Reply #22 on: January 01, 2014, 11:14:19 PM »
Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this instruction.

  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts...

  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code:
    createsrpoint;
    StandardSearch;
    installer-list;
    installedprogs;
    uninstall-list;
  • Click on the button.
    Please wait until a log report opens (this can be after reboot)

  • Save the Notepad file to your Desktop and attach zoek-results.log here
    Note: It will also create a log in the C:\ directory named "zoek-results.log"

thurstone

  • Guest
Re: Rootkit of some kind?
« Reply #23 on: January 03, 2014, 08:06:53 PM »
OK, here are the results of that scan.

thurstone

  • Guest
Re: Rootkit of some kind?
« Reply #24 on: January 03, 2014, 08:21:26 PM »
Also, for some reason, I can't print anything to my network printer anymore.

Worked fine before.

Now, it shows the printer as online and Ready, but everything fails to print to it. It brings up the printer queue and says it's empty.

I can print fine to the same printer from other devices on my network, and I used to be able to print to it from this device as well.

Offline TwinHeadedEagle

Re: Rootkit of some kind?
« Reply #25 on: January 03, 2014, 08:32:00 PM »
Re-run zoek with this script

Code:
    cfhdojbkjhnklbpkdaibdccddilifddb;chr
    fbangkleohkafngihneedemihgfeikcl;chr
    fbangkleohkafngihneedemihgfeikcl;chr
    autoclean;
    emptyalltemp;
    emptyclsid;
    shortcutfix;
    resetIEproxy;
    netsh int ip reset >> %temp%\log.txt;b
    ipconfig /flushdns >> %temp%\log.txt;b
    resethosts;

thurstone

  • Guest
Re: Rootkit of some kind?
« Reply #26 on: January 04, 2014, 12:42:45 AM »
Here's the log from that command.

Also, Malwarebytes blocked an IP as soon as I opened IE to post this. Not sure if that was related to the browser opening, or just to me logging in.

thurstone

  • Guest
Re: Rootkit of some kind?
« Reply #27 on: January 04, 2014, 12:44:33 AM »
The IPs are all blocked on port 6881 (usually BitTorrent?), maybe there's a DLL in explorer.exe that is still trying to torrent?
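An added triage script for the question raised in Reply #19 and again here in Reply #27, whether explorer.exe could be hijacked and be the process talking on port 6881. It is not code from the thread or from either poster's tools. It first lists which process owns any connection on that port, then lists the modules loaded into explorer.exe that live outside the Windows directory or whose Authenticode signature does not verify. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist on Windows 7); the port number 6881 is the one reported in the thread.

```powershell
# Added triage example, not code from the thread. Assumes elevated PowerShell
# on Windows 8 / Server 2012 or later (Get-NetTCPConnection needs it).
$Port = 6881   # the port Malwarebytes kept reporting in the thread

# 1. Which process owns the connections on that port? If it is explorer.exe,
#    something running inside it (not a torrent client) is making the traffic.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Process = $proc.ProcessName
            PID     = $_.OwningProcess
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
        }
    } | Format-Table -AutoSize

# 2. Modules loaded in explorer.exe that live outside %SystemRoot% or whose
#    Authenticode signature does not verify. A DLL injected into explorer.exe
#    shows up here even when the running process itself is a genuine Windows file.
$winDir = $env:SystemRoot
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    $p.Modules | ForEach-Object {
        $path = $_.FileName
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if (($path -notlike "$winDir\*") -or ($sig.Status -ne 'Valid')) {
            [PSCustomObject]@{
                PID       = $p.Id
                Module    = $path
                SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
} | Sort-Object Module -Unique | Format-Table -AutoSize
```

Treat the second table as a list to investigate rather than a verdict: on older Windows versions catalog-signed system DLLs can show as NotSigned, so compare any flagged file's hash against a known-good copy before drawing conclusions.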

Offline TwinHeadedEagle

Re: Rootkit of some kind?
« Reply #28 on: January 04, 2014, 10:28:33 AM »
One more check...

Update Malwarebytes, press Quick Scan and attach the report...

Then, re-run FRST and attach a fresh report...
« Last Edit: January 04, 2014, 10:30:55 AM by TwinHeadedEagle »

thurstone

  • Guest
Re: Rootkit of some kind?
« Reply #29 on: January 04, 2014, 08:20:45 PM »
OK, here you go.

Note: I did allow Malwarebytes to remove the trojans it found.

I guess these are also new since 12/29, although I haven't knowingly installed anything that should have trojans in it. So I'm assuming whatever is causing these IP blocks is also grabbing various trojans.