Comments (12)

dragokas avatar dragokas commented on May 27, 2024

Thank you for the log.
We'll return to you as soon as we have free time.


Please note that only members of VIRUSNET-Association are allowed to respond in PC cure topics.
Ignore any recommendations given by other users, including PM!!!

from hijackthis.

joshsprings avatar joshsprings commented on May 27, 2024

dragokas,

Sure thing. Thank you for your response.

Sandor-Helper avatar Sandor-Helper commented on May 27, 2024

Hello,
let's concentrate on this PC where you got the CollectionLog. (We'll talk about the other PC a bit later.)
You have Malwarebytes version 3.5.1.2522 installed.
Please do a whole scan, do not delete anything by yourself, save the results by pressing the "Save in text file" button and attach the result file.

joshsprings avatar joshsprings commented on May 27, 2024

Hello Sandor,

I am very sorry for my delayed response but the good news is I know why it happened (due to a misconfiguration within my Email Notifications) and I will make sure I check this Issue at least once per day.

Yes, I do have Malwarebytes installed and although I'm not sure if this matters, I just upgraded to their latest version: v3.6.1 (I have a legal, licensed copy). I have Malwarebytes scheduled to scan my computer every 24 hours (I have enabled for it to detect rootkits) so I am confident it will not detect anything, but then again it never has been able to do so from the start.

However, of course I will happily follow your instructions. After I submit this post, I am going to close my browser (as well as any other running programs) and do a Full Threat Scan. Once it's finished, I will return and post the log file.

Thanks in advance!

joshsprings avatar joshsprings commented on May 27, 2024

Hello Sandor,

Here is the Malwarebytes log. Considering Malwarebytes came back with no detections, I'm going to paste about 40 lines of hidden directories/files below that came from the log of the program Show Hidden that I downloaded from Bleeping Computer. I'm in no way suggesting you think I am not infected, but unless I have some pretty advanced/stealthy malware on my computer, everyone knows Malwarebytes should have detected something. So I'm pasting these lines so you'll see that although Malwarebytes cannot and has not been able to detect anything from the time of the initial infection, there is some type of malware on my computer that can hide itself very well. I'm hoping this will further give you an idea of what I may be infected with (I already have my suspicions).

  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DOMStore
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EmieSiteList
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EmieUserList
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\3FLHNI0D
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\6K4LGNMK
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\7HWRRNDQ
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\9U3I3CY4
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\9U3I3CY4\1
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\V1NNRZQY
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\YQ4Y0IRH
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\History
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\History\History.IE5
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache.old
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\MSHist012018091920180920
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Metadata\dmrccache\downloads
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DOMStore
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\DOMStore\V91MQYPT
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EmieBrowserModeList
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EmieSiteList
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\EmieUserList
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\3FLHNI0D
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\6K4LGNMK
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\7HWRRNDQ
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\9U3I3CY4
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\9U3I3CY4\1
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\V1NNRZQY
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppCache\YQ4Y0IRH
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\History
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\History\History.IE5
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Temporary Internet Files
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5
  • C:\Documents and Settings<Redacted>\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache

The following 8 lines are always removed by Malwarebytes' Junk Removal Tool (I know it is no longer being developed but AdwCleaner doesn't detect and remove these directories so I still run JRT as well). When I say they are always removed when I run JRT, what I mean is I can run JRT right now, they'll be removed, then run it an hour later without restarting, and they'll be present again and be removed.

File System: 8

Successfully deleted: C:\Users<Redacted>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04BO3WIS (Temporary Internet Files Folder)
Successfully deleted: C:\Users<Redacted>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0ZHXXPLX (Temporary Internet Files Folder)
Successfully deleted: C:\Users<Redacted>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JL0LXL2R (Temporary Internet Files Folder)
Successfully deleted: C:\Users<Redacted>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NDDESB2Q (Temporary Internet Files Folder)
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04BO3WIS (Temporary Internet Files Folder)
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0ZHXXPLX (Temporary Internet Files Folder)
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JL0LXL2R (Temporary Internet Files Folder)
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NDDESB2Q (Temporary Internet Files Folder)
Successfully deleted: C:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NDDESB2Q (Temporary Internet Files Folder)

Thanks again!

mwbytes.txt

Sandor-Helper avatar Sandor-Helper commented on May 27, 2024

> about 40 lines of hidden directories/files

All of them are normal.

> following 8 lines are always removed by Malwarebytes' Junk Removal Tool

As you've noticed, this tool is no longer supported and, as a result, it has a very high level of false positives.
Nothing malicious at all.

from hijackthis.
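
Background to the reply above, as an added example that is not part of the original thread or of the HiJackThis project: on Windows Vista and later, `Documents and Settings`, `Local Settings` and `Application Data` are hidden compatibility junctions, and `AppData\Local\Application Data` points back at `AppData\Local`, so a recursive lister reports the same folders again at every depth. The Python sketch below collapses such listings to the real directories; the junction table assumes a default Windows 7 profile layout, and `USER` and the sample paths are constructed to resemble the listing.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Legacy names directly under AppData\Local that are junctions in a default
# Windows 7 profile (assumed layout) -> components of the real target.
LOCAL_ALIASES = {
    "history": ("Microsoft", "Windows", "History"),
    "temporary internet files": ("Microsoft", "Windows", "Temporary Internet Files"),
}


def resolve(listed):
    """Return (real_path, hops): the directory a listed path lands in once the
    legacy junctions are followed, and how many times the self-referencing
    'Application Data' junction was traversed on the way."""
    parts = list(PureWindowsPath(listed).parts)  # ['C:\\', 'Documents and Settings', user, ...]
    hops = 0
    if len(parts) > 1 and parts[1].lower() == "documents and settings":
        parts[1] = "Users"                       # C:\Documents and Settings -> C:\Users
    if len(parts) > 3 and parts[3].lower() == "local settings":
        parts[3:4] = ["AppData", "Local"]        # Local Settings -> AppData\Local
    if [p.lower() for p in parts[3:5]] == ["appdata", "local"]:
        rest = parts[5:]
        # AppData\Local\Application Data points back at AppData\Local itself.
        while rest and rest[0].lower() == "application data":
            rest.pop(0)
            hops += 1
        if rest and rest[0].lower() in LOCAL_ALIASES:
            rest[0:1] = LOCAL_ALIASES[rest[0].lower()]
        parts[5:] = rest
    return str(PureWindowsPath(*parts)), hops


def triage(listed_paths):
    """Group listed paths by real directory: {real_path: sorted hop counts}."""
    groups = defaultdict(list)
    for listed in listed_paths:
        real, hops = resolve(listed)
        groups[real].append(hops)
    return {real: sorted(hops) for real, hops in groups.items()}


def listed_path(depth, tail):
    """Build a constructed sample line with `depth` nested 'Application Data' hops."""
    return ("C:\\Documents and Settings\\USER\\Local Settings"
            + "\\Application Data" * depth + "\\" + tail)


# Constructed sample, shaped like the "Show Hidden" listing in the thread.
SAMPLE = [
    listed_path(11, r"History\History.IE5"),
    listed_path(10, r"History\History.IE5"),
    listed_path(10, r"Microsoft\Windows\History\History.IE5"),
    listed_path(10, r"Microsoft\Windows\AppCache"),
    listed_path(9, r"Microsoft\Windows\AppCache"),
    listed_path(9, r"Microsoft\Windows\WebCache"),
]

if __name__ == "__main__":
    for real, hops in triage(SAMPLE).items():
        print(f"{len(hops)} listed path(s), junction depth {hops} -> {real}")
```

Six listed lines collapse to three real directories here; a listed path that does not collapse onto an ordinary profile folder is the one worth a closer look.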

joshsprings avatar joshsprings commented on May 27, 2024

Hello Sandor,

Thanks for your response. I had no idea so many hidden application folders inside of application folders inside of application folders existed. Thanks for letting me know. However, I'm wondering when you said "Nothing malicious at all," does that mean my case/issue is considered closed?

The reason I ask is because as I stated in my original post, I have a ton of evidence that is far more damning than these hidden lines that I wrongfully suspected were malicious that I can show you on demand...anytime you'd like. I also noticed you didn't ask me to run any further scans or do anything else.

Thanks again, and I will be eagerly awaiting your response.

Sandor-Helper avatar Sandor-Helper commented on May 27, 2024

> you didn't ask me to run any further scans or do anything else

Autologger collects logs from 4 different tools. Furthermore, I asked you to do an MBAM scan. None of those mentioned found (or showed) anything suspicious.
Perhaps your problem is system-dependent (not virus-like). If so, @dragokas will move your topic to the appropriate location.

dragokas avatar dragokas commented on May 27, 2024

Hi, joshsprings.
Since your problem is not malware-related, we recommend that you ask for help on forums that provide assistance in resolving general operating system issues, like:

joshsprings avatar joshsprings commented on May 27, 2024

Hello Sandor and Dragokas,

I am ready to post some additional logs generated while running AutoLogger, but this time I ran it on a different PC which is running Windows 10 Home (64-bit). I also have some screenshots that I think are of great importance. With that said, it is possible that the Windows 7 PC may have not been the best PC to post scan logs of because whatever I personally believe has infected my computer seems to cause the most damage on Windows 10.

So, I'm wondering if I should open an entire new Issue in order to cover this second PC and its logs, or can I post the logs here as well? I think I remember Dragokas saying each PC had to be a separate Issue, although I am unsure. While I wait for an answer to that question, I would like to show you two screenshots. One is a screenshot I took of Autoruns launched on this Windows 10 PC and the other is a screenshot I took from the following link: https://www.dell.com/support/article/us/en/04/sln292746/how-to-identify-and-repair-malware-or-virus-infected-systems?lang=en#Detection

Note: I do not own any Dell computers. It was simply by chance that I found this guide hosted by Dell.com while I was searching the web.

Dell's Autoruns Example:
dell_example

My Actual Autoruns:
autoruns_infected

Given that those two screenshots are of course not the exact same, they have enough similarities for me to conclude there is a problem that needs to be cleaned up and I'm sure when I post the AutoLogger logs, this problem will be evident within the logs.

I also wanted to mention that although I'm no professional in this arena, if I am not infected and it's nothing but system issues, why did the four other computers that use/connect to my LAN all of a sudden start having these same system issues very shortly after the original PC was (I believe) infected? I'm honestly wondering, I am not being sarcastic. For all I know this is not uncommon.

I will be patiently awaiting a response. Please, take your time. I appreciate everything both of you have done for me thus far. =)

Cheers.

dragokas avatar dragokas commented on May 27, 2024

Sorry for late reply.
I see only 2 files that did not pass signature verification for some reason. You can archive them, set the password "virus" and send them to email: quarantine < at > safezone.cc (provide the link to this topic in the title of the email).
All other files are legit.
There are no other signs of infection.

dragokas avatar dragokas commented on May 27, 2024

> I'm wondering if I should open an entire new Issue in order to cover this second PC and its logs

Yes. But is there some real reason to suspect it is infected?
