Windows 7: Possible rootkit infection?

12 Mar 2015   #21
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

Also I just ran a scan with Process Explorer .. Process Explorer + VirusTotal (to check all processes with 50+ AVs) and it found only one ... SuperAntiSpyware ... 1/57 .. https://www.virustotal.com/en/file/c...bc6b/analysis/

Also tried UVK adware killer, it detected the following:

Also I just ran GMER again and strange thing is .. last time it found something (referring to my first post screenshot) but now it doesn't detect anything.

Oh and I just created a UVK scan log using Callender's suggestion on page 1.





Attached Files
File Type: txt UVK - Ultra Virus Killer Log.txt (361.9 KB, 1 views)
12 Mar 2015   #22
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

On another note, Avast is detecting a couple of new files:

C:\Users\Public\Favouries\Favourites.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Libraries\Libraries.pif [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Pictures.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\NVIDIA Corporation\Corporation.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\Vision Experience.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision Preview Pack 1\3D Vision Preview Pack 1.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Recorded TV.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Temp Rec\Temp Rec.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Temp Rec\TemSBE.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Temp Rec\Sample Media\Media.bat [Infection= Win32:RmnDrp]


And previous detections:

C:\user\public\documents\DELL.exe [Infection= Win32:KillAV-AJZ[TRJ]
C:\user\public\documents\documents.exe [Infection= Win32:RmnDrp]
C:\user\public\documents\downloads\downloads.exe [Infection= Win32:KillAV-AJZ[TRJ]
C:\users\public\public.exe [Infection= Win32:KillAV-AJZ[TRJ]
C:\users\public\documents\dell\musicstage\MusicStage.scr [Infection= Win32:RmnDrp]
C:\users\public\Music\Music.scr [Infection= Win32:GenMalicious-BJV[Trj]
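The detections listed in the post above share a pattern that is easier to check with a script than by eye: executables (.exe, .bat, .scr, .pif) dropped under C:\Users\Public whose base name is the name of the folder they sit in (Pictures\Pictures.exe, Recorded TV\Recorded TV.exe, Music\Music.scr), so that a user with extensions hidden sees what looks like a second copy of the folder. The following Python script is an added example, not code from the thread or from any of the tools mentioned in it; it walks a directory tree and reports such folder mimics, plus any other executable found there, since the Public profile normally holds only documents and media. The sample tree is constructed in a temporary directory from path names taken from the post, with dummy contents; the extension list is an assumption a practitioner would adjust to local policy.

```python
"""Report executables named after their parent folder (added example).

Walks a directory tree and flags:
  * folder mimics: an executable whose stem equals its parent folder's name
  * any other executable under the tree
The sample tree below is constructed; file contents are dummy bytes.
"""
import os
import tempfile
from pathlib import Path

# Extensions Explorer will run on double-click (assumption: extend as needed).
EXEC_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js"}


def find_folder_mimics(root):
    """Return (mimics, other_executables) as sorted lists of paths relative to root.

    The comparison is case-insensitive because NTFS is case-insensitive.
    """
    root = Path(root)
    mimics, others = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        parent = Path(dirpath)
        for name in filenames:
            p = parent / name
            if p.suffix.lower() not in EXEC_EXTENSIONS:
                continue
            rel = p.relative_to(root).as_posix()
            if p.stem.lower() == parent.name.lower():
                mimics.append(rel)
            else:
                others.append(rel)
    return sorted(mimics), sorted(others)


def build_sample_tree(base):
    """Create a constructed tree reproducing some paths from the post plus benign files."""
    base = Path(base)
    files = [
        "Pictures/Pictures.exe",                       # mimic: stem == folder name
        "Pictures/Recorded TV/Recorded TV.exe",        # mimic
        "Pictures/Recorded TV/Temp Rec/Temp Rec.exe",  # mimic
        "Pictures/Recorded TV/Temp Rec/TemSBE.bat",    # executable, not a mimic
        "Music/Music.scr",                             # mimic (a .scr is a PE file)
        "Documents/DELL.exe",                          # executable, not a mimic
        "Pictures/holiday.jpg",                        # benign
        "Documents/notes.txt",                         # benign
    ]
    for rel in files:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"dummy")
    return base


def demo():
    """Build the constructed tree, scan it, print and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        mimics, others = find_folder_mimics(tmp)
        for m in mimics:
            print("folder mimic :", m)
        for o in others:
            print("executable   :", o)
        return mimics, others


if __name__ == "__main__":
    demo()
```

To use it on the affected machine, call find_folder_mimics on C:\Users\Public instead of the temporary tree. A hit is a lead to investigate, not proof on its own, because an installer can legitimately leave an executable with a folder-like name; the files the post lists, however, match the pattern across several folders at once.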
12 Mar 2015   #23
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

I would stay away from d/l ing anything from this client if possible. You've mentioned it before, when you get something from there, the infection apparently shows up.

It's possible something was included in the d/l that you were unaware of. Another possibility is that you are going to sites that have drive-by malware. This would be a hidden macro command embedded in the page set to automatically d/l the malware in the background & you would be unaware of it happening. Right now you need to find out the source of the re-occurring infection.

Follow the steps you did before to remove it. Run RKILL, & then Malwarebytes, AdwCleaner & TDSSKiller.

You may want to consider Sandboxie if you have to deal with this client on a regular basis & if indeed the infection is coming from there.

Callender is more familiar with the software he suggested, so it would be better to let him answer anything concerning that.

12 Mar 2015   #24
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

I totally agree with you but I think .. I mean I think, not sure that is .... it's probably not the sites that I visit, based on the fact that I visit the usual sites ... and well this pretty much never happened before (rootkit or whatever it is) and also the first time this happened was the same day I downloaded a zip pack from this client and again the same thing happened when I downloaded another zip from this client .. only difference is the first time I actually extracted the zip and this time I didn't ...

However I'll monitor the sites and see if this happens again.

What I'm wondering is .. if in fact the client's zip pack is the rootkit carrier then after extraction of the zip causing issues is pretty much normal, but how would it infect my system again when I only downloaded but didn't extract the zip pack ... can it auto-activate from within the zip? (just wondering)
12 Mar 2015   #25
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

You might be d/l ing more than just the zip file (stealth download). It could be coming along silently & you wouldn't know it.

Supposedly you can't get anything from a zip file unless you extract it (I say supposedly due to the fact that there are people out there looking for new ways to infect PCs constantly, so it wouldn't surprise me). Also, someone could possibly make it look like a zip file & it could in fact be a self executing program file.

Most AV's nowadays can scan a zip file before you extract it & let you know if there is anything malicious contained within.

Another alternative is that you never got rid of it all the way in the first place, but since this happened in the same way as the first time, I would tend to think there's a connection there.
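Two of the points in the post above can be checked from the downloaded file itself without extracting anything: whether something named .zip really is a ZIP (a ZIP starts with the bytes PK, a Windows executable starts with MZ), and which entries inside a genuine ZIP would run when double-clicked after extraction, including names such as boat.jpg.exe that look like pictures when extensions are hidden. The following Python script is an added example, not code from the thread or from any antivirus product; it reads only the archive's central directory and never writes an entry to disk. The sample archive and the fake executable are constructed in memory; the extension list is an assumption.

```python
"""Inspect a download claiming to be a ZIP without extracting it (added example)."""
import io
import zipfile

# Extensions Explorer will run on double-click (assumption: extend as needed).
EXEC_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js"}
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive
PE_MAGIC = b"MZ"                             # DOS stub of a Windows executable


def identify(data):
    """Classify the leading bytes as 'zip', 'pe' or 'unknown', ignoring the file name."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def suspicious_entries(data):
    """List (name, reason) for archive entries with an executable extension.

    Raises ValueError when the data is not a ZIP, so an executable renamed
    to .zip is reported instead of being parsed as an archive.
    """
    if identify(data) != "zip":
        raise ValueError("not a ZIP archive: header is %r" % data[:4])
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():      # central directory only; nothing is extracted
            if info.is_dir():
                continue
            name = info.filename
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext not in EXEC_EXTENSIONS:
                continue
            # 'boat.jpg.exe': a document extension sits in front of the real one
            reason = "double extension" if len(parts) > 2 else "executable"
            findings.append((name, reason))
    return findings


def build_samples():
    """Construct, in memory, a small archive and a fake executable named like a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photos/boat.jpg", b"\xff\xd8\xff fake jpeg")
        zf.writestr("photos/car.jpg", b"\xff\xd8\xff fake jpeg")
        zf.writestr("photos/boat.jpg.exe", b"MZ fake program")
        zf.writestr("readme.txt", b"hello")
        zf.writestr("setup.scr", b"MZ fake screensaver")
    fake_exe_named_zip = b"MZ\x90\x00" + b"\x00" * 60  # constructed DOS header stub
    return buf.getvalue(), fake_exe_named_zip


if __name__ == "__main__":
    archive, fake = build_samples()
    print("archive header:", identify(archive))
    for name, reason in suspicious_entries(archive):
        print("flag:", name, "(%s)" % reason)
    print("'fake.zip' header:", identify(fake))
```

On a real download, read the first bytes of the file and pass the whole content to suspicious_entries; treat a PE header under a .zip name, or any flagged entry, as a reason not to open the archive on the workstation.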
12 Mar 2015   #26
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Java Exploit?

Looks like a Java exploit to me (drive by download maybe?).

As for UVK results:



You can ignore HotspotShield, Wininit.ini but delete the rest.

Post UVK scan log once more.

Also if the zip file you downloaded is publicly available post a link to the page where you downloaded it from or PM me the link if you don't wish to post it.

And if you like you can upload the zip file here:

https://hightailspaces.com/

Then PM me with the download link.
12 Mar 2015   #27
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Also try running those scripts (fix lists) again as it seems that the same entries have re-appeared.
12 Mar 2015   #28
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Re: Additional protection against executables that attempt to run (especially from Temp directories) - there's little point in installing anything like that unless your system is clean. Those solutions work by whitelisting everything that's already on your machine and then check anything else that gets added in future - so they'd whitelist any problem files.
13 Mar 2015   #29
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

the zip pack urls: [REMOVED URL LINKS]

About UVK adware remover, should I remove registry/chrome/firefox etc. detections too or file objects only?


Attached Files
File Type: zip 1.zip (3.10 MB, 1 views)
File Type: zip 2.zip (3.27 MB, 1 views)
File Type: zip 3.zip (3.10 MB, 1 views)
13 Mar 2015   #30
derekimo

Microsoft Community Contributor Award Recipient

 
 

Are you sure that's what you want to upload?

Those look like a bunch of misc. pictures and files from your computer.

Like pictures of boats and cars, etc.

Use this method when uploading files,

Screenshots and Files - Upload and Post in Seven Forums

I removed the URL links with the questionable names.