Windows 7 Forums



Windows 7: Possible rootkit infection?

02 Mar 2015   #11
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

If you still suspect a rootkit, then you need to look at it with GParted. This is a bootable partition manager that will allow you to see the contents of your drive, including any hidden partitions.

Rootkits generally cloak themselves from Windows disk management. This application will show the entire contents of the disk.

GParted -- A free application for graphically managing disk device partitions

Download GParted, select the boot medium you wish to use & run it at boot time. Any rootkit will show up, usually at the end of the drive, as a hidden boot partition between 1 and 10 MB depending on the variant.

You might want to download & run RKill, then run your malware scanners again. After running RKill, do NOT reboot.

RKill Download

Quote:
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then remove incorrect executable associations and fix policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.


As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.



02 Mar 2015   #12
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

I understand and I'll try what you suggested, but from my previous scans ... this virus keeps creating files within the Public directory ... the good thing is Avast can detect the infected autogenerated files ... however Avast + Malwarebytes + supertin ... none of these found anything on my system while the virus or rootkit (I'm suspecting a rootkit, as traditional AVs can't detect it) ... I'm saying this because "after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed." ... it seems like this suggests that the antivirus can detect the program ... but in my case it doesn't ... should I still run an AV scan after RKill?

With "GParted" ... how would I know which one is the virus or rootkit (to be sure, I don't want to mess up the system if possible)? I mean, what should I look for? Does the program create a scan log, or should I post screenshots?
02 Mar 2015   #13
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

Yes, run an AV Scan after running RKill. And the other Malware scanners.

RKill works by trying to identify known malware processes & shutting them down. In some instances, malware can't be removed while it's active. Being shut down gives your malware scanner a better chance of isolating it.

Another option you have is to boot into Safe Mode & then do a scan with your malware scanners.

GParted will show you a graphical interface of the partitions on your drive. Rootkits are usually located at the end of the drive, generally between 1 - 10 MB, set as a hidden boot partition.

GParted -- Screenshots

Have a look with GParted to see if the partition is there.

The fact you keep getting reinfected suggests that something is reintroducing the infection to the system, or it hasn't properly been weeded out.
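As an added example that is not code from the thread or from GParted, the following PowerShell script gives a Windows-side first look at the partition layout before you boot GParted, so you know what the disk is supposed to contain and can spot anything extra in GParted's view. It uses the WMI classes present on Windows 7 (no Storage module needed) and flags small partitions at the tail of the disk, which is where the two posts above say the hidden boot partition tends to sit. The 16 MB and 64 MB thresholds are assumptions chosen loosely around the 1 to 10 MB figure in the posts. Two caveats: a kernel-mode rootkit that filters disk I/O can also filter what WMI reports, which is exactly why the offline GParted boot is the authoritative view; and the 100 MB "System Reserved" partition that Windows 7 setup creates at the start of the disk is normal and not a rootkit.

```powershell
# Added example (not from the thread or from GParted): list every partition Windows
# knows about via WMI and flag small partitions sitting at the end of a disk.
# Works on Windows 7 / PowerShell 2.0. Run from an elevated prompt.
# Caveat: a rootkit that hooks disk I/O can lie to WMI; GParted Live booted offline cannot be lied to that way.

$MaxSuspectMB = 16   # assumption: partitions up to this size are worth a closer look
$TailWindowMB = 64   # assumption: "end of drive" means the last 64 MB of the disk

foreach ($disk in Get-WmiObject Win32_DiskDrive) {
    if (-not $disk.Size) { continue }              # removable drive with no media
    $diskSize = [int64]$disk.Size
    Write-Host ("Disk {0}  {1}  {2:N0} MB" -f $disk.Index, $disk.Model, ($diskSize / 1MB))

    $parts = Get-WmiObject Win32_DiskPartition -Filter ("DiskIndex = {0}" -f $disk.Index) |
             Sort-Object { [int64]$_.StartingOffset }

    foreach ($p in $parts) {
        $start  = [int64]$p.StartingOffset
        $size   = [int64]$p.Size
        $sizeMB = [math]::Round($size / 1MB, 2)
        # partition ends within the tail window of the disk?
        $atTail = ($diskSize - ($start + $size)) -le ($TailWindowMB * 1MB)
        $flag   = ""
        if ($sizeMB -le $MaxSuspectMB -and $atTail) {
            $flag = "  <-- small partition at end of disk, compare with GParted"
        }
        Write-Host ("  {0,-22} type={1,-25} start={2,14:N0} size={3,10:N2} MB boot={4}{5}" -f `
            $p.DeviceID, $p.Type, $start, $sizeMB, $p.Bootable, $flag)
    }

    # Unallocated space after the last partition is also visible in GParted as "unallocated";
    # a rootkit that writes raw sectors there will not appear as a partition at all.
    if ($parts) {
        $last  = $parts | Select-Object -Last 1
        $gapMB = ($diskSize - ([int64]$last.StartingOffset + [int64]$last.Size)) / 1MB
        if ($gapMB -gt 1) {
            Write-Host ("  unallocated space after last partition: {0:N2} MB" -f $gapMB)
        }
    }
}
```

Run it, keep the output, then boot GParted and compare: a partition in GParted that this list does not show, or a small hidden one at the end that is flagged here, is what the posts above are telling you to look for. If the two views agree and only the usual Windows partitions are present, the disk layout itself is not where the problem is.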

02 Mar 2015   #14
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

In addition: Update Avast virus definitions and rescan. Post any detections.

On another note: I've used a few rootkit scanners in the past and they've all suffered from false positive detections. It's best to scan only and post the log.

I've used MBAR too and it's the only one I've used that didn't give false positive detections. Perhaps you could scan and post results (without removing anything).

Instructions and download link:

https://blog.malwarebytes.org/news/2...-anti-rootkit/
03 Mar 2015   #15
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

I followed both your suggestions and nothing was detected in MBAR or RKill or GParted ... so does it mean it's probably gone (assuming its being removed probably has something to do with the UVK @Callender suggestion)?

Thanks!
BTW, are there any additional security measures that I can take to prevent this sort of thing from happening in future? From my guess ... I think it came from one of my clients' PCs when they emailed me a .zip file (although I have AV + MBAM running ... they still didn't detect the core virus/rootkit for some reason).
03 Mar 2015   #16
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Additional security measures? Usually there's a sacrifice to be made regarding system performance and usability. You can take additional measures but do you mind being bothered by pop ups?

You can change UAC to maximum level. See Option One - Always Notify in the tutorial here:

User Account Control - UAC - Change Notification Settings

You can add additional anti-executable solutions if you like:

See:

VoodooShield free blocks exploits and more

VS can be tricky to configure though. Personally I use the Pro version. Just my preference and not a recommendation.

A decent free alternative:

https://secureaplus.secureage.com/Ma...s_download.php - need free (offline installer) no AV version.

Some more info and screenshots from my machine:

http://www.sevenforums.com/2932674-post21.html

Basically it blocks any unsigned executable that's not in the whitelist from running and scans the file on VirusTotal. You then get the option to either allow the file to run or you can block it.

Other than that, just keep all third party software patched and up to date. Browsers and plugins, Java, Flash Player etc.

You can also check all running processes using Tookeri's tutorial here:

Process Explorer + VirusTotal (to check all processes with 50+ AV's)
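As an added example that is not code from the thread or from any of the tools it names, the script below does in PowerShell what the post above describes doing by hand with Process Explorer and VirusTotal, and applies the same test an anti-executable uses: is the image Authenticode-signed with a chain Windows trusts, and if not, is its hash on a list you have vetted? It hashes with .NET so it also runs on the PowerShell 2.0 that ships with Windows 7. Assumptions: the empty `$TrustedHashes` table is yours to fill with SHA-256 values taken from a known-clean machine, and the VirusTotal link uses the web UI's current search-by-hash URL form. Run it from an elevated prompt; without elevation the paths of other users' and 64-bit system processes are not readable and those processes are silently skipped.

```powershell
# Added example (not from the thread, Process Explorer, VoodooShield or SecureAPlus):
# one row per distinct running image with its signature status, SHA-256 and a
# VirusTotal lookup link; "Suspect" = not validly signed and not on your trusted list.
# Run from an elevated PowerShell prompt. Works on PowerShell 2.0 and later.

# Assumption: fill this with SHA-256 hashes of binaries you have already vetted.
# Left empty on purpose, so at first every unsigned image is reported.
$TrustedHashes = @{}

function Get-FileSha256([string]$Path) {
    # .NET hashing, because Get-FileHash does not exist on PowerShell 2.0
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
}

function Get-ProcessImageReport {
    # check each image path once, even if it backs several processes
    $images = Get-Process | Where-Object { $_.Path } |
              Select-Object -ExpandProperty Path | Sort-Object -Unique
    foreach ($image in $images) {
        $sig     = Get-AuthenticodeSignature -FilePath $image
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" }
        $hash    = Get-FileSha256 $image
        $trusted = $TrustedHashes.ContainsKey($hash)
        # Valid = signed and chained to a root Windows trusts. NotSigned, HashMismatch
        # (file modified after signing) or NotTrusted are what an anti-executable stops.
        $suspect = ($sig.Status -ne "Valid") -and -not $trusted
        New-Object PSObject -Property @{
            Path       = $image
            Signature  = $sig.Status
            Signer     = $signer
            Sha256     = $hash
            Trusted    = $trusted
            Suspect    = $suspect
            VirusTotal = "https://www.virustotal.com/gui/file/$hash"   # search by hash, no upload
        }
    }
}

$report = Get-ProcessImageReport
$report | Sort-Object Suspect -Descending | Format-Table Suspect, Signature, Path -AutoSize
"Suspect images (not validly signed and not in your trusted list):"
$report | Where-Object { $_.Suspect } | ForEach-Object {
    "  {0}`n    sha256={1}`n    {2}" -f $_.Path, $_.Sha256, $_.VirusTotal
}
```

Open the VirusTotal links for the suspect rows in a browser to get the multi-engine verdict without uploading anything; a hash that VirusTotal has never seen is itself a reason to look harder at that file. Note that an unsigned image is a lead, not a verdict: plenty of legitimate software ships unsigned, which is why the anti-executable products mentioned above prompt you rather than block outright.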
04 Mar 2015   #17
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

Alright thank you both!
04 Mar 2015   #18
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

You might want to add AdwCleaner to the list of Malware scanners you run on a regular basis. Run Malwarebytes & other malware scanners once a week to be sure your system hasn't been compromised. This is called a layered approach. Since no program catches/finds everything 100%, you need to utilize other scanners to find anything your AV may have missed.

AdwCleaner Download
04 Mar 2015   #19
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Other Scanners?

Some good advice in the above post. If you kept UVK installed you can just auto-update and run scans with MBAM and AdwCleaner from within UVK's GUI. It will update to the latest versions for you, then launch the scan.

You find the third party scanners in the "System Repair" section and if you want to you can add more of your own choices.

[screenshot: uvk-scans.jpg]

On another note, the latest version includes Ultra Adware Killer, which in my opinion detects and removes more stuff than AdwCleaner, but Ultra Adware Killer is a new release just out of beta, so caution is needed.

[screenshot: ultra-adware-killer.jpg]
12 Mar 2015   #20
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

I hate to open up the thread again, but it seems the same issue is back in play ... yet again.

Since I last posted here ... no detections so far up until now. Just moments ago Avast started detecting the same files that were mentioned before.
Although I think ... it could be because I downloaded a zip pack from the same client just hours ago (the one whose zip pack started this in the first place ... this is just a guess though) ... however, what I'm wondering is ... I haven't opened the zip pack ... so how can my system be infected yet again?

Please advise how to remove this, thanks!