Windows 7 Forums



Windows 7: Possible rootkit infection?

13 Mar 2015   #31
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

@ derekimo Sorry I wasn't aware of the method .. I had those on a server so I just uploaded the direct URL (as zipped by the client who created them) and yes those are somewhat junk etc .. but that zip pack is sent by my client .. which I think is possibly a rootkit host/carrier. Because two times I downloaded zips from the same client and .. well, 2 times my AVs have gone berserk crazy .. they keep detecting this/that every 2 min and on full system scan .. Avast/Malwarebytes/RKill/TDSSKiller/SuperAntiSpyware etc. find nothing .. but sadly the detections continue and regretfully I still have to continue working with this client ..

Also something interesting ... I deleted the zip pack a few hours after reopening this thread and I have been monitoring since then ... so far I haven't noticed any Avast detections (although I wasn't sitting behind the PC all this time, but still .. no detections in the 4/5 hours that I was on) ... and still monitoring ...
However I'm not an expert, but based on these facts I'm quite convinced it's the zip that's the culprit. Also I totally agree with what Borg 386 said:

"I say supposedly due to the fact that there are people out there looking for new ways to infect PCs constantly, so it wouldn't surprise me). Also, someone could possibly make it look like a zip file & it could in fact be a self-executing program file."

@ Callender I ran both scripts again and they removed some files/registry entries etc. .. after reboot I scanned and the log is attached.




Attached Files
File Type: txt UVK - Ultra Virus Killer Log.txt (337.6 KB, 2 views)
13 Mar 2015   #32
derekimo

Microsoft Community Contributor Award Recipient

 
 

No problem, the URLs just had a spammy name and it's preferred to upload using the method I posted.

What was the reason for attaching those zip files?
13 Mar 2015   #33
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

Callender requested the files ..

13 Mar 2015   #34
derekimo

Microsoft Community Contributor Award Recipient

 
 

OK, I was just wondering if it was requested or not, I'll leave you in their hands now.
13 Mar 2015   #35
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

I don't know which browser you are using, but if you are running Firefox, you can get an add-on called NoScript which effectively blocks most drive-by downloads from websites. Also, right-click on the zip file & bring up the properties & see if it's named something like file.zip.exe. Or perhaps just going to the client's website is what triggers the d/l of malware via a hidden macro command as stated above (drive-by malware).
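The file.zip.exe check above can be automated. This is an added example (not code from the thread or from any tool mentioned in it) that lists files whose visible name ends in an archive or document extension while the real extension is executable, and confirms what the content actually is from the file header (PE files start with MZ, ZIP archives with PK\x03\x04). The Downloads folder path is an assumed starting point; the HideFileExt registry value is the Explorer setting that hides known extensions.

```powershell
# Added example: find files masquerading as archives/documents via double extensions.
function Get-SuspiciousDoubleExtension {
    param([Parameter(Mandatory)] [string] $Path)

    $execExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.msi')
    $baitExt = @('.zip', '.rar', '.7z', '.pdf', '.doc', '.docx', '.xls', '.jpg')

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file    = $_
        $realExt = $file.Extension.ToLower()
        # Extension of "file.zip" when the full name is "file.zip.exe"
        $inner   = [System.IO.Path]::GetExtension($file.BaseName).ToLower()

        # Read the first 4 bytes to identify the real content type
        $bytes = New-Object byte[] 4
        $fs = [System.IO.File]::OpenRead($file.FullName)
        try { $read = $fs.Read($bytes, 0, 4) } finally { $fs.Close() }

        $content = 'other'
        if ($read -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) { $content = 'PE executable (MZ)' }
        elseif ($read -ge 4 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B -and
                $bytes[2] -eq 0x03 -and $bytes[3] -eq 0x04) { $content = 'ZIP archive (PK)' }

        # Flag: bait.inner + executable real extension, OR an archive/document
        # extension whose bytes are actually a PE executable.
        if (($execExt -contains $realExt -and $baitExt -contains $inner) -or
            ($baitExt -contains $realExt -and $content -eq 'PE executable (MZ)')) {
            [PSCustomObject]@{
                ShownInExplorer = $file.BaseName   # what a user sees when extensions are hidden
                RealExtension   = $realExt
                Content         = $content
                Path            = $file.FullName
            }
        }
    }
}

# 1 means Explorer hides known extensions, so "file.zip.exe" is displayed as "file.zip".
function Get-HideFileExtSetting {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    (Get-ItemProperty -Path $key -Name HideFileExt).HideFileExt
}

"HideFileExt = $(Get-HideFileExtSetting)"
Get-SuspiciousDoubleExtension -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```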
13 Mar 2015   #36
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
UAK Results

Quote: Originally Posted by gabe22
    the zip pack urls: [REMOVED URL LINKS]

    About UKV adware remover, should I remove registry/Chrome/Firefox etc. detections too or file objects only?
Well actually don't use Ultra Adware Killer to remove anything just yet. I was tired when I posted and have noticed that it also wants to remove Hotspot Shield drivers. Don't panic if you already used it to remove the files. It just means that you'd need to fully remove Hotspot Shield then reinstall it.

I will be busy until I've finished work but will look at this thread again later.

In the meantime will you just post the UAK logs as it's easier to digest than looking at screenshots?

You will find them here:

C:\ProgramData\UVK\Ultra Adware Killer

File name will be something like uakscan(number).txt

As for the removed URLs, you could just PM them so that I could see if there's any problem.
13 Mar 2015   #37
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Zip files are okay. No problem and nothing attempts to run. Maybe a problem with the download URLs?
13 Mar 2015   #38
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

@Callender

Could be, but I'm no expert .. as I have mentioned so far I'm just deducing that based on simple facts but no actual proof that the files are causing the issue, or in other words the file d/l + PC infection took place at about the same time so ... I was pointing my fingers at the zip, you guys are the experts, you know better ..... well, here are the scan logs that you requested


Attached Files
File Type: txt uakScan130706435961960000.txt (8.5 KB, 3 views)
File Type: txt uakScan130707210240550000.txt (8.0 KB, 3 views)
File Type: txt uakScan130707215000810000.txt (8.0 KB, 2 views)
13 Mar 2015   #39
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

Quote:
    Key: @SYSTEM\Software\AskPartnerNetwork
Pretty sure that's the Ask toolbar.

Ask Toolbar Removal, How To Uninstall - gHacks Tech News

Quote:
    Folder: C:\Program Files (x86)\Mozilla Firefox\browser\Extensions\afproxy@anchorfree.com
    Item state: Checked

Quote:
    AnchorFree malware changes internet browser settings including the homepage (start up page) and default search engine, as well as modifies registry entries in order to cause popular internet browsers such as Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer to redirect to search.anchorfree.net, search.anchorfree.com, anchorfree.us, ask.com, search.conduit.com, and other websites especially associated with their browser hijacker identified as Hotspot Shield Toolbar. AnchorFree also causes internet browsers to target unwanted search engines upon start-up.
How to remove AnchorFree malware - Search Anchorfree redirect virus removal | Malware Removal - Software & Tutorials

I think it would be a good idea to run RKill to attempt to stop the processes & then run the tools Callender & I suggested.
13 Mar 2015   #40
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Okay so your UAK scan results seem to show that you installed uTorrent but also installed the Conduit Toolbar along with it.

Here's the stuff that's safe to remove:

uakScan.txt

Re: Hotspot Shield. I know it's popular but unless you really need it I'd suggest removing it. Possibly take a look at Spotflux if you need a VPN.
