Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer playing music and ads in background - Zekos Trofan?


  • This topic is locked This topic is locked
8 replies to this topic

#1 Scott Neslund

Scott Neslund

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 24 June 2014 - 01:39 PM

Computer keeps playing random music and ads in background.  Ran Rogue Killer and found trojan zekos. Having difficulty removing

Attached Files



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:05 PM

Posted 25 June 2014 - 03:54 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
 
 
HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.
 
 
 
 
Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 
  • Run FRST.
  • Don´t change one of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Poste the FRST.txt and (after the first scan only!) the Addition.txt.

 
 
 
 
 
Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt



Please attach this file to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 Scott Neslund

Scott Neslund
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 25 June 2014 - 11:14 AM

Yesterday I was able to replace the infected rpcss.dll with a clean copy and then after running roguekiller it looked clean.  I then ran a full malwarebytes scan last evening and it seemed to stop on the desktop.ini file and after 12 hours I killed the process.  I then ran another roguekiller scan and found the following TermThr process.  I cleaned it using roguekiller but still not sure I am totally clean.  I ran the frst and Tdsskiller and am attaching the log files.

 

RogueKiller V9.1.0.0 [Jun 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Jim Klobuchar [Admin rights]
Mode : Remove -- Date : 06/25/2014  10:52:13

¤¤¤ Bad processes : 1 ¤¤¤
[Hidden]  -- [x] -> KILLED [TermThr]

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM0 ST500DM002-1BD14 SCSI Disk Device +++++
--- User ---
[MBR] 4a6b2708fc0b1172a35123e11dd6580f
[BSP] b3fd41745855b6a046f1b98ddb79c657 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 8942 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 18395136 | Size: 467957 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_DEL_06232014_174442.log - RKreport_DEL_06232014_181250.log - RKreport_DEL_06242014_170423.log - RKreport_SCN_06232014_174317.log
RKreport_SCN_06232014_174725.log - RKreport_SCN_06232014_175344.log - RKreport_SCN_06242014_170411.log - RKreport_SCN_06242014_172324.log
RKreport_SCN_06242014_182552.log - RKreport_SCN_06252014_105130.log

Attached Files



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:05 PM

Posted 26 June 2014 - 03:17 AM

Looks good, let´s check for remainings.

 

 

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 Scott Neslund

Scott Neslund
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 26 June 2014 - 08:17 AM

Looks clean.  Only found I unsafe app and that is from the Dell Backup and Recovery utility.

Attached Files



#6 Scott Neslund

Scott Neslund
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 27 June 2014 - 04:24 PM

Still waiting for a response.



#7 Scott Neslund

Scott Neslund
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 29 June 2014 - 09:58 PM

Anyone?



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:05 PM

Posted 30 June 2014 - 06:04 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don´t uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You´ll find the log file at C:\AdwCleaner[S1].txt also




Delete junk with JRT

thisisujrt.gif Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:05 PM

Posted 03 July 2014 - 04:04 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users