Windows 7 Forums


Windows 7: Possible rootkit infection?

01 Mar 2015   #1
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 
Possible rootkit infection?

Hi

My system was detecting some strange virus etc. yesterday for a brief period of time ... but fortunately avast free version (latest update) .. detected and quarantined all of them. Most of their paths were like:

C:\user\public\documents\DELL.exe
C:\user\public\documents\documents.exe
C:\user\public\documents\downloads\downloads.exe


Then I scanned with avast + malwarebytes + supertin ... and all results: nothing found.
After googling a bit .. I found this article that suggested it could be a possible rootkit infection, so I downloaded .. GMER, and with its quick scan it found the following (screenshot attached).

Although it stopped after a while ... I mean the avast detection, but GMER still detects something (I'm quite clueless here though) .. however I would like to know if the thing, virus or rootkit, is still there within my system .. because from what I recall .. I just scanned with the above mentioned security tools and they found nothing, and GMER found something .. that I can't delete (delete button disabled), but perhaps it's because the file it detects is part of the OS .. I'm wondering, if I didn't delete the file, then .. how did it stop? And just to be on the safe side .. is there any way to know if it's still within my system?

Finally, if anyone knows any security tools that can prevent rootkits or whatever (I'm pretty much guessing here) from entering the system .. it would save me from lots of trouble.

Thanks in advance!




Attached Thumbnails
Possible rootkit infection?-possible-rootkit.jpg  
01 Mar 2015   #2
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

There are several rootkit scanners you can use. TDSSKiller is the one normally recommended. The link below will give you 4 additional scanners you can use with results that are easier to decode.

Five free portable rootkit removers - TechRepublic

Quote:
GMER is another top pick that can easily outperform all other tools in its class. The one caveat to this software is that it does require a bit of knowledge to interpret the results. This tool isn't one you simply click and disinfect. You let the tool scan, you pore through the results, and you decide what should be repaired/removed.
01 Mar 2015   #3
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

thank you, but avast is detecting threats again .. the detections are about the same as yesterday ... would scanning with TDSSKiller help with finding and possibly removing the actual virus/rootkit that's trying to infect other files?

new detection:

C:\users\public\public.exe
C:\users\public\documents\dell\musicstage\MusicStage.scr

any idea on how to resolve this issue?
01 Mar 2015   #4
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

Yes, d/l & run TDSSKiller.

Note: When running TDSSKiller, launch the program, click on the blue text "Change Parameters" & check the box marked "Detect TDLFS File system." Click OK & then run the scan.

I see someone is having a similar problem here:

C:\Users\Public Folders keeps getting .exe files - Am I infected? What do I do?
01 Mar 2015   #5
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Suggestion

Well if you like you could run a scan with UVK. It will create a log and it might be possible to figure out what's going on.

UVK - Ultra Virus Killer

If you download and install UVK - once installed right click the desktop icon and choose "Run as admin"

On the welcome screen choose "Scan & Create Log" and use the following settings.

(screenshot attached: uvk.jpg)

Choose to save the log to your desktop and then upload it here. It will take a few minutes to scan.

01 Mar 2015   #6
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

I just ran a scan with TDSSKiller and in normal search it found nothing .. so I changed its parameters to "Loaded Modules" and after a restart it found a couple of items in the next scan with all options selected.

I've attached a screenshot with the suspicious detections (as I couldn't identify them) tabs enlarged ... any ideas?

Also attached the UVK scan log.


Attached Thumbnails
Possible rootkit infection?-tdskiller.jpg
Attached Files
File Type: txt UVK - Ultra Virus Killer Log.txt (587.1 KB)
01 Mar 2015   #7
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Re: TDSS Killer. I wouldn't worry about those results. It shows files that are hidden from Windows, but that doesn't mean that they're dodgy. Will look at your uploaded log.
01 Mar 2015   #8
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Suggested fix

Okay so try this:

Download and save this file to your desktop:

UVK Fix List.txt

Once you've downloaded it - right click the file and rename it to UVK Fix List.uvk

In other words replace .txt with .uvk in the file name.

Run UVK (run as admin) and on the Welcome Screen choose "Run Scripts"

Then choose "Import Commands From File"

Browse to the UVK Fix List.uvk file on your desktop and import it.

Choose "Run / Fix Listed"

When complete - reboot.

Edit: See my post below for another folder that needs removal.

01 Mar 2015   #9
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

More action required:

Looked at your log in more detail and see the following suspicious entry:

ContentsCommonAppData> | 34BE82C4-E596-4e99-A191-52C6199EBF69

Would you also run the following fix like you did before?

UVK - Fix List 2.txt

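The symptom in post #3 (executables and a .scr reappearing under C:\Users\Public) and the GUID-named CommonAppData folder flagged in post #9 can both be inventoried from an elevated PowerShell prompt before deciding what to remove. This is an added example, not code from any post or from the UVK/TDSSKiller tools; the scanned roots, the extension list and the CSV output path are assumptions.

```powershell
# Added example: inventory executables dropped in shared folders and list
# GUID-named folders under ProgramData (the "CommonAppData" location in a UVK log).
# Assumptions: run as administrator; roots and extension list chosen for this thread.
$Roots    = @($env:PUBLIC, $env:ProgramData)     # C:\Users\Public, C:\ProgramData
$ExecExt  = @('.exe', '.scr', '.com', '.dll', '.pif', '.bat', '.cmd', '.vbs', '.js')
$GuidName = '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$'

function Get-SuspectExecutables {
    param([string[]]$Paths = $Roots)
    foreach ($root in $Paths) {
        # -Force also returns hidden/system files that a normal Explorer view omits
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $ExecExt -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $f   = $_
                $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue
                $status = if ($sig) { [string]$sig.Status } else { 'Unknown' }
                $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                $hash   = Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path      = $f.FullName
                    SizeKB    = [math]::Round($f.Length / 1KB, 1)
                    Created   = $f.CreationTime
                    Hidden    = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
                    Signature = $status          # NotSigned / Valid / HashMismatch ...
                    Signer    = $signer
                    SHA256    = if ($hash) { $hash.Hash } else { '' }
                }
            }
    }
}

function Get-GuidNamedFolders {
    param([string]$Path = $env:ProgramData)
    # Folder names that are bare GUIDs are used by legitimate installers too, so
    # compare creation time and contents against known software before removal.
    Get-ChildItem -Path $Path -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $GuidName } |
        Select-Object FullName, CreationTime, LastWriteTime
}

$found = Get-SuspectExecutables
$found | Sort-Object Created -Descending | Format-Table -AutoSize
# Assumed output location: a CSV on the desktop that can be attached to a thread like this one
$found | Export-Csv -Path "$env:USERPROFILE\Desktop\public-exe-inventory.csv" -NoTypeInformation
'--- GUID-named folders under ProgramData ---'
Get-GuidNamedFolders | Format-Table -AutoSize
```

Unsigned or HashMismatch files with recent creation times under C:\Users\Public are the ones worth hashing and checking against the antivirus detections, while a Valid signature from a known vendor usually explains a file rather than condemning it.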
02 Mar 2015   #10
gabe22

Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
 
 

Ran both scripts ... and UVK removed some files etc. ..

What's the next step? I mean, is there any way to figure out if the issue (virus/rootkit) is actually gone?