Possible rootkit infection?

Page 5 of 7

  1. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #41

    Thank you both for your suggestions ...

    @Callender
    The ones you mentioned, the Chrome and Firefox prefs files, are deleted. And about Conduit Toolbar .. I don't remember installing any such software, nor can I find it in the uninstall list or in any browser .. how do I remove it?

    What about the other files .. such as AnchorFree from Hotspot Shield and the other ones that are mentioned as checked?

    Key: @MARUF\Software\ej-technologies
    Key: HKLM32\SOFTWARE\ej-technologies
    * What is this? Assuming it's a software .. I don't remember installing anything with such names, nor do I have a similarly named installation listed in my uninstall list.

    Key: @SYSTEM\Software\AskPartnerNetwork
    * I uninstalled Ask .. a while ago .. not sure but I think it's just some remaining fragment perhaps?

    Key: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}
    Key: HKLM32\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}
    Folder: C:\Users\MARUF\AppData\Roaming\Tencent
    * What is this / what's its use? Should it be removed?

    Folder: C:\Program Files (x86)\Mozilla Firefox\Extensions\afurladvisor@anchorfree.com
    Folder: C:\Program Files (x86)\Mozilla Firefox\browser\Extensions\afproxy@anchorfree.com
    * I messed up and uninstalled Hotspot Shield a while back .. I think they are fragments .. should I remove them?

    Folder: C:\Users\MARUF\AppData\Roaming\ExpressFiles
    * I used this ExpressFiles software (it's like torrent with better speed, better UI) like 2/3 years back .. and removed it after a few months .. should I remove it?


    Also one out-of-context question .. I use Firefox as my primary browser and after deleting the user preferences file it seems it has lost my previous sync account connection, and every time I tried to reconnect, it wouldn't accept my old account .. it seems I had an older sync account .. so I had to create a Mozilla account ... what I'm wondering is .. this Mozilla account after signing in just has 3 buttons ...
    "change password"
    "delete account"
    "signout"

    The previous one had management/increase quota etc. options ... this new page seems rather empty and also I have lots of data in bookmarks etc. ... but my sync took only like 2 sec and I couldn't figure out any way to see if it actually synced my data .. is this how it's supposed to be? Any way to check if my data actually synced?


    Update on the firefox thing ...

    I followed up this article and https://support.mozilla.org/en-US/questions/917119 and as per their suggestion I enabled sync success logging ... strangely after I press sync .. it took like 1 sec for the success log to appear, or in other words .. it took 1 sec for the sync process ... how's that possible when I have a huge amount of data there? Just wondering ..
    Last edited by gabe22; 14 Mar 2015 at 04:17.


  2. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #42

    @Borg 386
    Did you mean this add-on? https://addons.mozilla.org/en-us/fir...ddon/noscript/ Would it affect browsing or anything by any chance?


  3. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #43

    gabe22 said:
    @Borg 386
    Did you mean this add-on? https://addons.mozilla.org/en-us/fir...ddon/noscript/ Would it affect browsing or anything by any chance?
    That's it. What happens is when you go to a page, if there are any hidden commands to d/l malware automatically, they will get blocked. When you go to a page such as YouTube, the play screen will be blank with the snake logo over it. You will have to click it to allow it, or if you have it on the browser bar, it will bring up a list of all things blocked & you can allow them.

    The trade off is sometimes you have to allow multiple things for the page to function properly. However, you don't have to worry about drive-by malware or some malicious script running something without your knowledge. It's a trade off & not everyone likes it, but it's an added safety measure & I'm used to it. Take it for a test drive & see if you like it.

    Key: @SYSTEM\Software\AskPartnerNetwork
    * I uninstalled Ask .. a while ago .. not sure but I think it's just some remaining fragment perhaps?
    Perhaps. D/L CCleaner (the free version) & run it to clean out temp/junk files & then run the reg cleaner it has. When you clean the registry, it will give you the option to back up the reg files in case you need to re-install them should something not function. Back them up & place them on the desktop or somewhere you can access them easily.

    Suggest you run RKill (do not reboot after running it) & run the programs listed by Callender & me. After running a full system scan with them, run CCleaner & clean all the temp files & the leftover reg keys.

    Folder: C:\Users\MARUF\AppData\Roaming\Tencent
    Tencent is listed as an undesirable program.

    Tencent QQ - Rund1132.exe qq.dll, Rundll32 - Program Information

    Software\ej-technologies
    This looks to be a downloader.

    Manual Removal Guide for JDownloader


  4. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #44

    Re: FF sync. Personally I've never used it. Sorry about your issue with prefs.js as I had no idea that it would mess with FF sync. If you need to recover your original prefs.js file it's possible. I will PM you a link to some software but as it's a direct download link it's better not to post it here.

    Instructions if needed:

    Run the program and in the window that opens choose a recent restore point to mount.

    Then in the window that opens up browse to:

    Users\MARUF\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>

    Locate the file prefs.js in the profile folder and copy it back to your current desktop:

    Close the HardDiskShadowCopy(number) window.

    In the System Restore Explorer window choose Unmount. Close the window.

    Now copy the prefs.js file from your desktop into your current Firefox profile.

    C:\Users\MARUF\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>

    Then if you could move the prefs.js file located on your desktop into a new folder and zip it then upload it - I'll take a look at it and see if there's anything that needs removing manually.

    As for the rest of your questions I will post responses later!
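    If you would rather do the restore-point recovery Callender describes without a third-party tool, here is an added PowerShell example (not from the thread and not the software Callender links) that exposes a shadow copy through a directory link and copies prefs.js out of every profile folder it contains. It assumes the profile is on C: under the user folder MARUF and that C:\shadow_link is an unused path.

```powershell
# Added example: recover prefs.js from a Volume Shadow Copy (restore point) with
# built-in Windows tools. Run from an elevated PowerShell prompt. Uses Get-WmiObject
# so it also works on the Windows 7 / PowerShell 2.0 machine in this thread.
# Assumptions: profile on C:, user folder MARUF, C:\shadow_link unused.

$ProfilesRelPath = 'Users\MARUF\AppData\Roaming\Mozilla\Firefox\Profiles'
$Destination     = Join-Path $env:USERPROFILE 'Desktop\prefs_recovered'
$LinkPath        = 'C:\shadow_link'

# 1. Find the snapshots of the C: volume and list them oldest to newest so a
#    restore point from before prefs.js was deleted can be chosen.
$cVolumeId = (Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }).DeviceID
$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $cVolumeId } |
    Sort-Object { $_.ConvertToDateTime($_.InstallDate) }
if (-not $shadows) { throw 'No shadow copies found for C:' }
$shadows | ForEach-Object { '{0}  {1}' -f $_.ConvertToDateTime($_.InstallDate), $_.DeviceObject }

# Newest snapshot is used here; in practice pick the date you want from the list.
$pick = @($shadows)[-1]

# 2. Expose the snapshot as a folder. mklink needs the trailing backslash on the
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device path.
cmd /c mklink /d $LinkPath ($pick.DeviceObject + '\') | Out-Null
try {
    $profilesInSnapshot = Join-Path $LinkPath $ProfilesRelPath
    # 3. Copy prefs.js from each profile folder into its own subfolder on the
    #    desktop, leaving the live profile untouched so the two can be compared.
    Get-ChildItem $profilesInSnapshot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $src = Join-Path $_.FullName 'prefs.js'
        if (Test-Path $src) {
            $out = Join-Path $Destination $_.Name
            New-Item -ItemType Directory -Force -Path $out | Out-Null
            Copy-Item $src $out
            "Recovered $src -> $out"
        }
    }
}
finally {
    # 4. rmdir removes only the link; the snapshot itself is not modified.
    cmd /c rmdir $LinkPath
}
```

    Once the copies are on the desktop, they can be zipped and uploaded for review exactly as Callender asks, or diffed against the current prefs.js to see which preferences changed.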


  5. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #45

    @Callender

    It's alright ... don't worry about it, I did some extensive research and found Mozilla updated its systems, and I found a way to test and it seems sync is working. Besides, Mozilla will be discontinuing their older sync services in the upcoming days, so I suppose we made an obviously necessary change.
    However, if you need the prefs.js for some testing purpose, let me know.

    @Borg 386
    I think I used this program before ... it was part of the "Tor Browser" bundle ... it's a very good one, I'll try it out. Just one question ... is there any way to whitelist sites in this add-on so I don't have to manually unblock on pages I visit frequently?

    Also a question about CCleaner: I've heard that sometimes registry cleaning can cause blue screens and other issues? What do you think about this?


  6. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #46

    CCleaner generally removes only leftover reg files & is fairly safe. It gets good reviews. However since you are messing with the registry, it would be a good idea to make a restore point before applying any fixes it recommends. I've never had it pick anything out that caused problems. (Knock on wood....LOL....hey, stuff happens). Make a restore point then run the cleaner to get rid of the temp files & then let it scan the registry. What you will normally see is leftover reg files from removed programs.

    There is a program that is good at removing most everything, including reg files when it comes to software. It's called Revo Uninstaller.

    You can opt to use this, but be sure to read the tutorial & have backups & restore points. While it is good at ferreting out anything related to a program, it can hose your system if used incorrectly.

    Yes, you can whitelist certain functions on NoScript. There is also a "temporarily allow all of this page" on the menu functions.


  7. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #47

    ej-technologies

    Re: ej-technologies. Doesn't look good if you read the available reports here:

    ThreatExpert Reports

    I see that you have Hitman Pro so why don't you run a scan with that if you haven't already done so?

    I don't think you need to upload your FF prefs.js file if you deleted it then sorted out your issue with FF sync.

    You might want to run a scan with AdwCleaner and compare results with those from Ultra Adware Killer. You can update and run AdwCleaner from within UVK. It's in the System Repair section under Third Party built in Apps. Just let it scan and create a report rather than let it remove anything.


  8. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #48

    I installed HitmanPro .. like years ago I think .. I had a security issue back then and removed it later on. I think what you saw were fragments/leftover files from previous installations .. do you want me to download and try out the trial/free version, whichever they offer (if it helps)?
    Also no avast detections since my last update (after that zip deletion)
    Last edited by gabe22; 14 Mar 2015 at 11:37.


  9. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #49

    No Avast detections? Well that's good news. It's up to you if you want to run HitmanPro but it's pretty good at detecting and removing remnants of anything dodgy.


  10. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #50

    Just needed to roll back my system due to Windows Update issues. Have fixed it but lost your downloaded logs. Will re-download them and try to figure out where I saw that Conduit toolbar entry.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd