Wednesday, 6 November 2013

Think I have rootkit - suspicious processes and files - please help

Hi, around a month ago I got a new Lenovo Thinkpad T530 running Windows 7 Pro 64-bit. Well, a couple days back I noticed four rundll32.exe processes running in the task manager. One of them also displays no information in the description columns, and when I try to open the file location nothing happens. I also started looking through my System32 and SysWOW64 folders to scope out suspicious-looking files. Well, inside both folders I found two sets of files, called kanji_1.uce and kanji_2.uce. I googled these and nearly every site I visited claimed that these files are related to some kind of rootkit, or may be rootkits themselves.


I ran some rootkit scans, which I later on realized was a stupid idea, and I ended up deleting a couple things with UnHackMe. Just mentioning this in case this is an important detail. Well, after the UnHackMe scan, I rebooted out of safe mode into the regular Windows 7 OS, and 3/4 of the rundll32.exe processes were not showing up in task manager, but the suspicious 'kanji' files remained in my System32 and SysWOW64 folders. This morning, however, the four rundll32.exe processes were up and running again in my task manager.


PS (additional info that may be relevant): I've wanted to try out Linux for a long time, so about a week after getting my Thinkpad I partitioned my hard drive and dual-booted my machine with Ubuntu 13.04. For some reason, I was unable to connect to the main campus wifi while logged into Ubuntu, so I just started connecting to the secondary wifi router when unable to use my ethernet cord. Well, after about two weeks of using Ubuntu my computer began to restart every single time I'd shut down. I got very suspicious, but also confused, because I was under the impression that viruses are extremely rare on Linux. I then found out that people can and do get hacked remotely on Linux, and trying to figure out whether or not I was indeed hacked proved to be far too difficult.


In doing some research on it, I realized that Ubuntu's firewall is disabled by default. I figured this is too much to handle so I deleted the Ubuntu partition and reclaimed the space for Windows 7. It wasn't till later that I realized that the alternative campus wifi router I was using with Ubuntu was a WEP network, while the one I wasn't able to connect to was a WPA2 network...


Any amount of help with this dilemma would be hugely beneficial, thanks in advance!


EDIT: I should add that my trial version of Malwarebytes Pro just expired today, but for the past 2 weeks I've been getting constant notifications that MBAM is blocking a connection to a potentially malicious IP address, and the process would always be svchost.exe.


EDIT 2: Many times when I shut down Windows 7, I receive a brief flash of a notification saying something along the lines of "Background processes are still running." Is this an indication of a compromised system?


Also, I remember that a visual display setting, something to do with window transparency or something, had been altered after uninstalling Ubuntu. I ran a scan with Malwarebytes and nothing was found.


Is it possible that, say if a rootkit installed itself on my old Ubuntu partition, that it would have infected my Windows 7 partition after reclaiming the space?


Edited by RupertPupkin, 04 November 2013 - 03:30 PM.

via Bleeping Computer Last 20 Posts http://www.bleepingcomputer.com/forums/t/512999/think-i-have-rootkit-suspicious-processes-and-files-please-help/
