Windows 7 Forums

Windows 7: Possible rootkit infection?

14 Mar 2015   #41
gabe22
Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)

Thank you both for your suggestions.

@Callender
The ones you mentioned, the Chrome and Firefox prefs files, are deleted. About Conduit Toolbar: I don't remember installing any such software, nor can I find it in the uninstall list or in any browser. How do I remove it?

What about the other files, such as AnchorFree from Hotspot Shield and the other ones that were mentioned/checked?

Key: @MARUF\Software\ej-technologies
Key: HKLM32\SOFTWARE\ej-technologies
* What is this? Assuming it's software, I don't remember installing anything with such a name, nor do I have a similarly named installation listed in my uninstall list.

Key: @SYSTEM\Software\AskPartnerNetwork
* I uninstalled Ask a while ago. Not sure, but I think it's just some remaining fragment, perhaps?

Key: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}
Key: HKLM32\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}
Folder: C:\Users\MARUF\AppData\Roaming\Tencent
* What is this, and what is it used for? Should it be removed?

Folder: C:\Program Files (x86)\Mozilla Firefox\Extensions\afurladvisor@anchorfree.com
Folder: C:\Program Files (x86)\Mozilla Firefox\browser\Extensions\afproxy@anchorfree.com
* I messed up and uninstalled Hotspot Shield a while back. I think these are fragments. Should I remove them?

Folder: C:\Users\MARUF\AppData\Roaming\ExpressFiles
* I used this ExpressFiles software (it's like torrent, with better speed and a better UI) 2 or 3 years back and removed it after a few months. Should I remove it?


Also, one out-of-context question. I use Firefox as my primary browser, and after deleting the user preference file it seems to have lost my previous Sync account connection. Every time I tried to reconnect it wouldn't accept my old account (it seems I had an older Sync account), so I had to create a Mozilla account. What I'm wondering is: this Mozilla account, after signing in, just has 3 buttons:
"change password"
"delete account"
"sign out"

The previous one had management/increase quota etc. options. This new page seems rather empty, and I also have lots of data in bookmarks etc., but my sync took only about 2 seconds and I couldn't figure out any way to see if it actually synced my data. Is this how it's supposed to be? Is there any way to check if my data actually synced?


Update on the Firefox thing:

I followed this article, https://support.mozilla.org/en-US/questions/917119, and as per their suggestion I enabled sync success logging. Strangely, after I press Sync it takes about 1 second for the success log to appear, or in other words it took 1 second for the sync process. How is that possible when I have a huge amount of data there? Just wondering.


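The post above is a list of registry keys, Browser Helper Object CLSIDs and folders that gabe22 cannot place. The following PowerShell script is an added example, not output of any tool used in the thread, that inventories those same leftovers without deleting anything and goes one step further than the log: it resolves every registered BHO (including the {0055C089-...} CLSID above) to the DLL Internet Explorer would load, in both the 64-bit and the 32-bit registry view, and reports who signed that DLL. Assumptions, since the log's own notation is not documented here: @MARUF is taken to be HKCU when run as that user, HKLM32 to be the Wow6432Node view, and @SYSTEM to be the SYSTEM account's user hive, HKU\S-1-5-18.

```powershell
# Added example, not from the thread or from any of the tools named in it:
# a read-only inventory of the leftovers gabe22 lists above. Run it in PowerShell
# as the affected user so that HKCU: is that user's hive (@MARUF in the log).
# Assumptions: HKLM32 = the Wow6432Node view, and @SYSTEM = the SYSTEM account's
# user hive, HKU\S-1-5-18. Nothing is deleted; the script only reports.

$Keys = @(
    'HKCU:\Software\ej-technologies'                              # @MARUF\Software\ej-technologies
    'HKLM:\SOFTWARE\Wow6432Node\ej-technologies'                  # HKLM32\SOFTWARE\ej-technologies
    'Registry::HKEY_USERS\S-1-5-18\Software\AskPartnerNetwork'    # @SYSTEM (assumed)
)
$Folders = @(
    (Join-Path $env:APPDATA 'Tencent')                            # C:\Users\MARUF\AppData\Roaming\Tencent
    (Join-Path $env:APPDATA 'ExpressFiles')
    'C:\Program Files (x86)\Mozilla Firefox\Extensions\afurladvisor@anchorfree.com'
    'C:\Program Files (x86)\Mozilla Firefox\browser\Extensions\afproxy@anchorfree.com'
)
# Browser Helper Object registrations: 64-bit view first, then the 32-bit (Wow6432Node) view.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Which of the listed keys and folders still exist.
function Test-Leftovers {
    foreach ($path in ($Keys + $Folders)) {
        New-Object PSObject -Property @{ Path = $path; Present = (Test-Path $path) }
    }
}

# Resolve every registered BHO CLSID to the DLL Internet Explorer would load, then
# report the DLL's company string and Authenticode signer. A CLSID whose DLL is
# missing, or an unsigned DLL living under a user profile, is what to ask about next.
function Get-BhoInventory {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        $is32 = $root -match 'Wow6432Node'
        $view = if ($is32) { '32-bit' } else { '64-bit' }
        $clsidRoot = if ($is32) { 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
        foreach ($entry in (Get-ChildItem $root)) {
            $clsid  = $entry.PSChildName
            $server = "$clsidRoot\$clsid\InprocServer32"
            $dll = $null; $company = ''; $signer = ''; $sigStatus = 'no InprocServer32'
            if (Test-Path $server) {
                $dll = (Get-Item $server).GetValue('')          # default value, REG_EXPAND_SZ expanded
                if ($dll -and (Test-Path $dll)) {
                    $sig       = Get-AuthenticodeSignature $dll
                    $sigStatus = $sig.Status
                    $signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
                    $company   = (Get-Item $dll).VersionInfo.CompanyName
                } else {
                    $sigStatus = 'DLL missing'
                }
            }
            New-Object PSObject -Property @{
                View = $view; CLSID = $clsid; Dll = $dll
                Company = $company; Signer = $signer; Signature = $sigStatus
            }
        }
    }
}

Test-Leftovers   | Format-Table Path, Present -AutoSize
Get-BhoInventory | Format-Table View, CLSID, Company, Signature, Dll -AutoSize
```

Keeping the inventory read-only matches the advice given later in the thread (let the tools scan and report rather than remove): a BHO whose DLL is already gone is a dead registration you can delete with a clear conscience, while one that still loads an unsigned DLL is the entry to submit for a second opinion before touching it.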
14 Mar 2015   #42
gabe22
Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)

@Borg 386
Did you mean this add-on? https://addons.mozilla.org/en-us/fir...ddon/noscript/ Would it affect browsing or anything by any chance?
14 Mar 2015   #43
Borg 386
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10

Quote: Originally Posted by gabe22
@Borg 386
Did you mean this add-on? https://addons.mozilla.org/en-us/fir...ddon/noscript/ Would it affect browsing or anything by any chance?
That's it. What happens is, when you go to a page, if there are any hidden commands to download malware automatically, they will get blocked. When you go to a page such as YouTube, the play screen will be blank with the snake logo over it. You will have to click it to allow it, or, if you have it on the browser bar, it will bring up a list of all the things blocked & you can allow them.

The trade-off is that sometimes you have to allow multiple things for the page to function properly. However, you don't have to worry about drive-by malware or some malicious script running something without your knowledge. It's a trade-off & not everyone likes it, but it's an added safety measure & I'm used to it. Take it for a test drive & see if you like it.

Quote:
Key: @SYSTEM\Software\AskPartnerNetwork
* I uninstalled Ask a while ago. Not sure, but I think it's just some remaining fragment, perhaps?
Perhaps. Download CCleaner (the free version) & run it to clean out temp/junk files, & then run the reg cleaner it has. When you clean the registry, it will give you the option to back up the reg files in case you need to re-install them should something not function. Back them up & place them on the desktop or somewhere you can access them easily.

Suggest you run RKill (do not reboot after running it) & run the programs listed by Callender & me. After running a full system scan with them, run CCleaner & clean all the temp files & the leftover reg keys.

Quote:
Folder: C:\Users\MARUF\AppData\Roaming\Tencent
Tencent is listed as an undesirable program.

Tencent QQ - Rundll32.exe qq.dll, Rundll32 - Program Information

Quote:
Software\ej-technologies
This looks to be a downloader.

Manual Removal Guide for JDownloader

14 Mar 2015   #44
Callender
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

Re: FF Sync. Personally I've never used it. Sorry about your issue with prefs.js, as I had no idea that it would mess with FF Sync. If you need to recover your original prefs.js file, it's possible. I will PM you a link to some software, but as it's a direct download link it's better not to post it here.

Instructions if needed:

Run the program and in the window that opens choose a recent restore point to mount.

Then in the window that opens up browse to:

Users\MARUF\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>

Locate the file prefs.js in the profile folder and copy it back to your current desktop.

Close the HardDiskShadowCopy(number) window.

In the System Restore Explorer window choose Unmount. Close the window.

Now copy the prefs.js file from your desktop into your current Firefox profile.

C:\Users\MARUF\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>

Then, if you could, move the prefs.js file located on your desktop into a new folder, zip it and upload it. I'll take a look at it and see if there's anything that needs removing manually.

As for the rest of your questions, I will post responses later!
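Callender's procedure above mounts a restore point with a third-party tool and copies prefs.js out of it. The script below is an added example, mine and not the tool he refers to, doing the same recovery with nothing but what Windows 7 ships: it lists the Volume Shadow Copies of C: (the snapshots System Restore points ride on), exposes the newest one taken before the deletion as a normal folder via a directory symlink, and copies prefs.js from every Firefox profile it finds there to the desktop. It must run from an elevated PowerShell. The profile path is the one given in the post; the link location C:\ShadowMount, the output file naming and the example date are my own choices.

```powershell
# Added example, mine rather than the tool Callender PMs: recover prefs.js from a
# Volume Shadow Copy using only built-in Windows 7 tools. Run from an elevated
# PowerShell. Profile path from the thread; C:\ShadowMount and the output names are mine.

$ProfilesRelative = 'Users\MARUF\AppData\Roaming\Mozilla\Firefox\Profiles'
$LinkPath         = 'C:\ShadowMount'
$Desktop          = [Environment]::GetFolderPath('Desktop')

# Shadow copies of the C: volume, oldest first, with readable creation times.
function Get-CShadowCopies {
    $cVolume = (Get-WmiObject Win32_Volume -Filter "DriveLetter='C:'").DeviceID
    Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $cVolume } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
                Device  = $_.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
            }
        } |
        Sort-Object Created
}

# Expose a shadow copy as an ordinary folder through a directory symlink, which is
# what "mounting" tools do under the hood. mklink needs the trailing backslash.
function Mount-ShadowCopy([string]$Device) {
    cmd /c mklink /d "$LinkPath" "$Device\" | Out-Null
    if (-not (Test-Path $LinkPath)) { throw "could not link $Device at $LinkPath" }
}

# rmdir on a symlink removes only the link, never the snapshot it points at.
function Dismount-ShadowCopy {
    if (Test-Path $LinkPath) { cmd /c rmdir "$LinkPath" | Out-Null }
}

# Copy prefs.js from every Firefox profile in the newest shadow copy created
# before $Before (i.e. before the file was deleted) to the desktop, one file per
# profile, stamped with the snapshot's creation time. Returns the paths written.
function Restore-PrefsFromShadow([datetime]$Before) {
    $copy = Get-CShadowCopies | Where-Object { $_.Created -lt $Before } | Select-Object -Last 1
    if (-not $copy) { throw "no shadow copy of C: older than $Before" }
    Mount-ShadowCopy $copy.Device
    try {
        $profiles = Get-ChildItem (Join-Path $LinkPath $ProfilesRelative) | Where-Object { $_.PSIsContainer }
        foreach ($prof in $profiles) {
            $src = Join-Path $prof.FullName 'prefs.js'
            if (-not (Test-Path $src)) { continue }
            $dst = Join-Path $Desktop ('prefs.js.{0}.{1:yyyyMMdd-HHmm}' -f $prof.Name, $copy.Created)
            Copy-Item $src $dst
            $dst
        }
    } finally {
        Dismount-ShadowCopy      # always unlink, even if the copy fails
    }
}

Get-CShadowCopies | Format-Table Created, Device -AutoSize
Restore-PrefsFromShadow -Before '2015-03-13'    # the day prefs.js was deleted; adjust
```

Two practical points: put the recovered file into the live profile only while Firefox is closed, because Firefox rewrites prefs.js on exit and would overwrite it; and if the list of shadow copies is empty, there is nothing to recover this way, since the snapshots are discarded when System Protection is turned off or its disk budget is exhausted.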
14 Mar 2015   #45
gabe22
Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)

@Callender

It's alright, don't worry about it. I did some extensive research and found that Mozilla updated its systems, and I found a way to test, and it seems Sync is working. Besides, Mozilla will be discontinuing their older Sync services in the upcoming days, so I suppose we made an obviously necessary change.
However, if you need the prefs.js for some testing purpose, let me know.

@Borg 386
I think I used this program before; it was part of the "Tor Browser" bundle. It's a very good one, I'll try it out. Just one question: is there any way to whitelist sites in this add-on so I don't have to manually unblock pages I visit frequently?

Also, a question about CCleaner: I've heard that sometimes registry cleaning can cause blue screens and other issues? What do you think about this?
14 Mar 2015   #46
Borg 386
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10

CCleaner generally removes only leftover reg files & is fairly safe. It gets good reviews. However, since you are messing with the registry, it would be a good idea to make a restore point before applying any fixes it recommends. I've never had it pick out anything that caused problems. (Knock on wood... LOL... hey, stuff happens.) Make a restore point, then run the cleaner to get rid of the temp files, & then let it scan the registry. What you will normally see is leftover reg files from removed programs.

There is a program that is good at removing most everything, including reg files, when it comes to software. It's called Revo Uninstaller.

You can opt to use this, but be sure to read the tutorial & have backups & restore points. While it is good at ferreting out anything related to a program, it can hose your system if used incorrectly.

Yes, you can whitelist certain functions in NoScript. There is also a "temporarily allow all of this page" option among the menu functions.
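The advice in the last two replies amounts to "make a restore point, keep a backup of the keys, then remove them". As an added example, mine and not CCleaner's or Revo's, here is that sequence done by hand in PowerShell, so that you know exactly which keys went and have a double-clickable .reg file to put each one back: it takes one restore point for the batch, exports every key with reg.exe before touching it, refuses to delete a key whose export failed, and supports -WhatIf for a dry run. Run it elevated. The two keys reuse entries from the log earlier in the thread, with HKLM32 taken to mean the Wow6432Node view and @SYSTEM assumed to be the SYSTEM account's user hive, HKU\S-1-5-18; the backup folder on the desktop is my choice.

```powershell
# Added example (mine, not CCleaner or Revo): restore point + .reg backup of each
# key before it is removed, with -WhatIf for a dry run. Run elevated. Keys come from
# the log in the thread (HKLM32 = Wow6432Node view; @SYSTEM assumed = HKU\S-1-5-18).

$BackupDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'reg-backup'
$Leftovers = @(
    'HKU\S-1-5-18\Software\AskPartnerNetwork'     # @SYSTEM\Software\AskPartnerNetwork (assumed hive)
    'HKLM\SOFTWARE\Wow6432Node\ej-technologies'   # HKLM32\SOFTWARE\ej-technologies
)

function Remove-LeftoverKeys {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string[]]$Keys)

    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

    # One restore point for the whole batch, taken before anything is touched.
    if ($PSCmdlet.ShouldProcess('System Restore', 'create restore point')) {
        Checkpoint-Computer -Description 'before leftover registry cleanup' -RestorePointType MODIFY_SETTINGS
    }

    foreach ($key in $Keys) {
        # reg.exe wants HKLM\... / HKU\...; the provider wants Registry::HKEY_LOCAL_MACHINE\... etc.
        $psPath = 'Registry::' + ($key -replace '^HKLM\\', 'HKEY_LOCAL_MACHINE\' -replace '^HKU\\', 'HKEY_USERS\')
        if (-not (Test-Path $psPath)) { Write-Warning "$key not present, skipping"; continue }

        # Export first. Double-clicking the .reg file merges the key back if something
        # stops working. The export also runs under -WhatIf, which is harmless.
        $file = Join-Path $BackupDir (($key -replace '[\\:]', '_') + '.reg')
        & reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) { throw "backup of $key failed; leaving it in place" }

        if ($PSCmdlet.ShouldProcess($key, 'remove registry key')) {
            Remove-Item -Path $psPath -Recurse
        }
    }
}

Remove-LeftoverKeys -Keys $Leftovers -WhatIf   # dry run: prints what would be removed
# Remove-LeftoverKeys -Keys $Leftovers         # the real thing
```

The ordering is the whole point: the restore point and the per-key export both exist before the first Remove-Item, so the worst case after a mistake is a double-click on a .reg file or a System Restore, which is the same safety net the forum members are describing for CCleaner, only with a record of exactly what was changed.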
14 Mar 2015   #47
Callender
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
ej-technologies

Re: ej-technologies. It doesn't look good if you read the available reports here:

ThreatExpert Reports

I see that you have Hitman Pro so why don't you run a scan with that if you haven't already done so?

I don't think you need to upload your FF prefs.js file if you deleted it and then sorted out your issue with FF Sync.

You might want to run a scan with AdwCleaner and compare the results with those from Ultra Adware Killer. You can update and run AdwCleaner from within UVK. It's in the System Repair section under Third Party built-in Apps. Just let it scan and create a report rather than letting it remove anything.
14 Mar 2015   #48
gabe22
Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)

I installed HitmanPro years ago, I think. I had a security issue back then and removed it later on. I think what you saw were fragments/leftover files from previous installations. Do you want me to download and try out the trial/free version, whichever they offer (if it helps)?
Also, no Avast detections since my last update (after that zip deletion).
14 Mar 2015   #49
Callender
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

No Avast detections? Well, that's good news. It's up to you if you want to run HitmanPro, but it's pretty good at detecting and removing remnants of anything dodgy.
14 Mar 2015   #50
Callender
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1

Just needed to roll back my system due to Windows Update issues. I have fixed it but lost your downloaded logs. I will re-download them and try to figure out where I saw that Conduit Toolbar entry.