Possible rootkit infection?


  1. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #31

    @ derekimo Sorry, I wasn't aware of the method. I had those on a server so I just uploaded the direct URL (as zipped by the client who created them), and yes, those are somewhat junk etc., but that zip pack was sent by my client, which I think is possibly a rootkit host/carrier, because two times I downloaded a zip from the same client and, well, two times my AVs went berserk crazy. They keep detecting this/that every 2 min, and on a full system scan Avast/Malwarebytes/RKill/TDSSKiller/SuperAntiSpyware etc. find nothing, but sadly the detections continue, and regretfully I still have to continue working with this client.

    Also something interesting... I deleted the zip pack a few hours after reopening this thread and I have been monitoring since then. So far I haven't noticed any Avast detections (although I wasn't sitting behind the PC all this time, but still, no detections in the 4/5 hours that I was on) and I'm still monitoring.
    However, I'm not an expert, but based on these facts I'm quite convinced it's the zip that's the culprit. Also, I totally agree with what Borg 386 said:

    "I say supposedly due to the fact that there are people out there looking for new ways to infect PC's constantly, so it wouldn't surprise me). Also, someone could possibly make it look like a zip file & it could in fact be a self executing program file. "

    @ Callender I ran both scripts again and they removed some files/registry entries etc. After reboot I scanned and the log is attached.


  2. Posts : 17,322
    Win 10 Pro x64
       #32

    No problem, the URLs just had a spammy name and it's preferred to upload using the method I posted.

    What was the reason for attaching those zip files?


  3. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #33

    Callender requested the files ..


  4. Posts : 17,322
    Win 10 Pro x64
       #34

    OK, I was just wondering if it was requested or not, I'll leave you in their hands now. :)


  5. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #35

    I don't know which browser you are using, but if you are running Firefox, you can get an add-on called NoScript which effectively blocks most drive-by downloads from websites. Also, right-click on the zip file, bring up the properties and see if it's named something like file.zip.exe. Or perhaps just going to the client's website is what triggers the download of malware via a hidden macro command as stated above (drive-by malware).
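    The two checks discussed in this thread (post #31's suspicion that the client's zip pack is a carrier, and post #35's advice to look for a name like file.zip.exe) can be done without trusting the file name at all. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It classifies a file by its leading bytes (a ZIP archive starts with PK\x03\x04, a Windows executable with MZ), flags double extensions that Explorer's default "hide extensions for known file types" setting would mask, and lists any directly-executable members inside a real archive. The sample files it inspects are constructed inline for the demonstration; the extension list and finding texts are this example's own choices.

```python
import io
import os
import zipfile

# Extensions Windows will run directly on double-click (example's own list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".dll", ".lnk"}

ZIP_MAGIC = b"PK\x03\x04"   # local file header that opens a ZIP archive
PE_MAGIC = b"MZ"            # DOS header of a Windows executable (EXE/DLL/SCR)


def true_type(data):
    """Classify a file by its leading bytes, ignoring the name it was given."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def name_findings(filename):
    """Name-based red flag: a double extension such as report.zip.exe, which
    Explorer shows as 'report.zip' when known extensions are hidden."""
    findings = []
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS:
        findings.append("double extension: shown as '%s', actually %s"
                        % (".".join(parts[:-1]), "." + parts[-1]))
    return findings


def inspect_file(filename, data):
    """Return a list of findings for one file from its name and raw bytes.
    An empty list means nothing about the file looked suspicious."""
    findings = name_findings(filename)
    kind = true_type(data)
    ext = os.path.splitext(filename.lower())[1]
    if ext == ".zip" and kind != "zip":
        findings.append("named .zip but content is %s" % kind)
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        findings.append("Windows executable disguised with extension '%s'" % ext)
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_ext = os.path.splitext(info.filename.lower())[1]
                    if member_ext in EXECUTABLE_EXTS:
                        findings.append("archive contains executable member: %s"
                                        % info.filename)
        except zipfile.BadZipFile:
            findings.append("zip header present but archive is corrupt")
    return findings


def build_samples():
    """Constructed sample files (not from the thread): a clean archive, an
    archive carrying an executable, a PE with a double extension, and a PE
    renamed to .zip outright."""
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("design/banner.psd", b"not really a psd")
        zf.writestr("design/readme.txt", b"assets for the site")

    carrier = io.BytesIO()
    with zipfile.ZipFile(carrier, "w") as zf:
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("assets/setup.exe", b"MZ" + b"\x00" * 62)

    fake_pe = b"MZ" + b"\x90" * 62  # DOS header stub, no zip structure at all
    return {
        "clean.zip": clean.getvalue(),
        "assets.zip": carrier.getvalue(),
        "invoice.zip.exe": fake_pe,
        "photos.zip": fake_pe,
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, "->", inspect_file(name, data) or ["no findings"])
```

    To check a real download, read the file with open(path, "rb") and pass its name and bytes to inspect_file. The magic-byte check is deliberately independent of the extension: a file Explorer labels "Compressed (zipped) Folder" only because it ends in .zip is still classified by what its first bytes say it is.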


  6. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #36

    UAK Results


    gabe22 said:
    the zip pack urls: [REMOVED URL LINKS]

    About the UVK adware remover, should I remove registry/Chrome/Firefox etc. detections too, or file objects only?
    Well actually don't use Ultra Adware Killer to remove anything just yet. I was tired when I posted and have noticed that it also wants to remove Hotspot Shield drivers. Don't panic if you already used it to remove the files. It just means that you'd need to fully remove Hotspot Shield then reinstall it.

    I will be busy until I've finished work but will look at this thread again later.

    In the meantime will you just post the UAK logs as it's easier to digest than looking at screenshots?

    You will find them here:

    C:\ProgramData\UVK\Ultra Adware Killer

    File name will be something like uakscan(number).txt

    As for the removed URLs, you could just PM them so that I could see if there's any problem.


  7. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #37

    Zip files are okay. No problem and nothing attempts to run. Maybe a problem with the download URL's?


  8. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #38

    @Callender

    Could be, but I'm no expert. As I have mentioned, so far I'm just deducing that based on simple facts, with no actual proof that the files are causing the issue. In other words, the file download and the PC infection took place at about the same time, so I was pointing my fingers at the zip. You guys are the experts, you know better. Well, here are the scan logs that you requested.


  9. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #39

    Key: @SYSTEM\Software\AskPartnerNetwork
    Pretty sure that's the Ask toolbar.

    Ask Toolbar Removal, How To Uninstall - gHacks Tech News

    Folder: C:\Program Files (x86)\Mozilla Firefox\browser\Extensions\afproxy@anchorfree.com

    Item state: Checked
    AnchorFree malware changes internet browser settings including the homepage (start up page) and default search engine, as well as modifies registry entries in order to cause popular internet browsers such as Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer to redirect to search.anchorfree.net, search.anchorfree.com, anchorfree.us, ask.com, search.conduit.com, and other websites especially associated with their browser hijacker identified as Hotspot Shield Toolbar. AnchorFree also causes internet browsers to target unwanted search engines upon start-up.
    How to remove AnchorFree malware - Search Anchorfree redirect virus removal | Malware Removal - Software & Tutorials

    I think it would be a good idea to run RKill to attempt to stop the processes & then run the tools Callender & I suggested.


  10. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #40

    Okay, so your UAK scan results seem to show that you installed uTorrent but also installed Conduit Toolbar along with it.

    Here's the stuff that's safe to remove:

    uakScan.txt

    Re: Hotspot Shield. I know it's popular but unless you really need it I'd suggest removing it. Possibly take a look at Spotflux if you need a VPN.
    Last edited by Callender; 13 Mar 2015 at 20:39. Reason: correct typo

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd