JRT Highlights include: [Check for TDL4 Rootkit!]


  • This topic is locked
4 replies to this topic

#1 ZRiCH88

ZRiCH88

  • Members
  • 4 posts

Posted 02 June 2014 - 05:21 PM

Hey! New here, picked up a prayer laptop in a super ghetto pawn store, battery was shot, ran the 2 programs recommended by the admin I saw on an earlier thread. Long story short, I'm not super Windows knowledgeable. Hope this is the right place, tried a search and found similar topics here. It's playing TV ads through the speakers with no programs running. :( lol
 
-Signed
Paid $250 for an i3 in the Hood
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Owner-1 on Mon 06/02/2014 at 16:54:53.32
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-513080366-1847302975-4201117350-1004\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sweetim
 
 
 
~~~ Files
 
Failed to delete [File] C:\windows\svchost.exe  [Check for TDL4 Rootkit!]
 
 
 
~~~ Folders
 
 
 
~~~ FireFox
 
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{c4cfc0de-134f-4466-b2a2-ff7c59a8bfad}
Emptied folder: C:\Users\Owner-1\AppData\Roaming\mozilla\firefox\profiles\gdzjy6l8.default\minidumps [1 files]
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 06/02/2014 at 17:52:12.16
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by ZRiCH88, 02 June 2014 - 05:31 PM.


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,770 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 02 June 2014 - 06:54 PM

Welcome aboard

 

Download TDSSKiller and save it to your desktop.

  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 ZRiCH88

ZRiCH88
  • Topic Starter

  • Members
  • 4 posts

Posted 02 June 2014 - 08:00 PM

Getting "post too long".

 

Here's a synopsis:

 

18:34:52.0036 0x1024  ============================================================
18:34:52.0036 0x1024  Scan finished
18:34:52.0036 0x1024  ============================================================
18:34:52.0064 0x1584  Detected object count: 3
18:34:52.0064 0x1584  Actual detected object count: 3
18:35:07.0583 0x1584  C:\windows\system32\rpcss.dll - copied to quarantine
18:36:12.0372 0x1584  Backup copy found through SCO, using it..
18:36:12.0431 0x1584  C:\windows\system32\rpcss.dll - will be cured on reboot
18:36:12.0431 0x1584  DcomLaunch ( Trojan.Win64.Patched.bj ) - User select action: Cure 
18:36:12.0579 0x1584  C:\windows\system32\rpcss.dll - copied to quarantine
18:36:25.0850 0x1584  Backup copy found through SCO, using it..
18:36:25.0873 0x1584  C:\windows\system32\rpcss.dll - will be cured on reboot
18:36:25.0873 0x1584  RpcSs ( Trojan.Win64.Patched.bj ) - User select action: Cure 
18:36:27.0637 0x1584  \Device\Harddisk0\DR0\# - copied to quarantine
18:36:27.0642 0x1584  \Device\Harddisk0\DR0 - copied to quarantine
18:36:27.0867 0x1584  \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
18:36:28.0002 0x1584  \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
18:37:05.0079 0x1584  \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
18:37:05.0206 0x1584  \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
18:37:05.0423 0x1584  \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
18:37:05.0430 0x1584  \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
18:37:05.0434 0x1584  \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
18:37:05.0440 0x1584  \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
18:37:05.0650 0x1584  \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
18:37:05.0739 0x1584  \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
18:37:05.0744 0x1584  \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
18:37:05.0750 0x1584  \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
18:37:05.0762 0x1584  \Device\Harddisk0\DR0\TDLFS\cmd32.dll - copied to quarantine
18:37:05.0803 0x1584  \Device\Harddisk0\DR0\TDLFS\ua - copied to quarantine
18:37:05.0810 0x1584  \Device\Harddisk0\DR0\TDLFS\ns - copied to quarantine
18:37:05.0972 0x1584  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
18:37:05.0976 0x1584  \Device\Harddisk0\DR0 - ok
18:37:06.0158 0x1584  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure 
18:37:06.0294 0x1584  KLMD registered as C:\windows\system32\drivers\19209419.sys
18:37:12.0636 0x1340  Deinitialize success
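The TDSSKiller excerpt above is the kind of log a helper reads by eye: each line is a timestamp, a thread id, an object (with the detection name in parentheses when one applies) and a message. As an added example that is not part of the thread and not TDSSKiller's own code, the following parser turns such lines into a per-threat summary (objects, chosen action, whether a reboot is still pending, what was quarantined); the sample lines are copied from the post above.

```python
import re
from collections import defaultdict

# Constructed sample: a few TDSSKiller log lines copied from the excerpt above.
SAMPLE_LOG = r"""
18:36:12.0431 0x1584  C:\windows\system32\rpcss.dll - will be cured on reboot
18:36:12.0431 0x1584  DcomLaunch ( Trojan.Win64.Patched.bj ) - User select action: Cure 
18:36:25.0873 0x1584  RpcSs ( Trojan.Win64.Patched.bj ) - User select action: Cure 
18:36:27.0637 0x1584  \Device\Harddisk0\DR0\# - copied to quarantine
18:36:27.0867 0x1584  \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
18:37:05.0972 0x1584  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
18:37:05.0976 0x1584  \Device\Harddisk0\DR0 - ok
18:37:06.0158 0x1584  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure 
"""

# Line layout assumed from the excerpt: "<time> <thread id>  <object>[ ( <threat> )] - <message>"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(0x[0-9A-Fa-f]+)\s+(.*)$")
THREAT_RE = re.compile(r"^(?P<obj>.+?)\s+\(\s*(?P<threat>\S+)\s*\)$")

def parse_line(line):
    """Split one TDSSKiller log line into fields; return None for non-matching lines."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    time, thread, rest = m.groups()
    obj, sep, message = rest.rpartition(" - ")  # message follows the last " - "
    if not sep:
        return None
    threat = None
    t = THREAT_RE.match(obj)
    if t:  # object carries a detection name, e.g. "RpcSs ( Trojan.Win64.Patched.bj )"
        obj, threat = t.group("obj"), t.group("threat")
    return {"time": time, "thread": thread, "object": obj,
            "threat": threat, "message": message.strip()}

def summarize(log_text):
    """Group detections by threat name and record what the tool did with them."""
    threats = defaultdict(lambda: {"objects": set(), "actions": set()})
    quarantined, reboot_pending = [], False
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["message"]
        if rec["threat"]:
            threats[rec["threat"]]["objects"].add(rec["object"])
            if msg.startswith("User select action:"):
                threats[rec["threat"]]["actions"].add(msg.split(":", 1)[1].strip())
        if msg == "copied to quarantine":
            quarantined.append(rec["object"])
        if msg == "will be cured on reboot":  # cure is not final until the machine restarts
            reboot_pending = True
    return {"threats": {k: {"objects": sorted(v["objects"]), "actions": sorted(v["actions"])}
                        for k, v in threats.items()},
            "quarantined": quarantined, "reboot_pending": reboot_pending}
```

Run over the full log, the summary shows at a glance why the reply below escalates: a patched system DLL behind two services plus a boot-sector detection with a hidden TDLFS file system, both still awaiting a reboot to finish the cure.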


#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,770 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 02 June 2014 - 08:08 PM

There is not only TDL rootkit present but also Zekos malware, possibly more.

That will require elevated help.

 

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.



 


#5 ZRiCH88

ZRiCH88
  • Topic Starter

  • Members
  • 4 posts

Posted 02 June 2014 - 10:56 PM

Done:

 

http://www.bleepingcomputer.com/forums/t/536426/pawnshop-laptop-in-the-hood-contd/


Edited by Platypus, 02 June 2014 - 11:08 PM.
Fixed problem with link




