Nasty rootkit infection
#1
Help guys, my laptop which runs Windows 7 got infected by a rootkit. I get redirects and sometimes my PC shuts down and restarts. I can't boot into Safe Mode. Task Manager is blocked, also cmd and regedit. How can I remove it?

#2
Hi George

Welcome to Britec forums.

What makes you think it's a rootkit?

What happens when you try to boot into Safe Mode?

#3
Hi George, can you run a scan please and post the results.

Run TDSSKiller Scan

· Please download TDSSKiller and save the file to your Desktop.

· Right-click TDSSKiller.exe and Run as administrator.

· Click Change parameters. Place a checkmark next to Detect TDLFS file system.

· Click Start Scan. Please be patient and don't use the computer while the scan is running.

· If infected files are found, please change the action to skip.

· Click Continue and close TDSSKiller.

· Look for the log file in the root directory, that's C:\. Please copy the contents of the log and paste it in your next post.

#4
(11-30-2014, 06:06 PM)George midleton Wrote: Help guys, my laptop which runs Windows XP got infected by a rootkit. I get redirects and sometimes my PC shuts down and restarts. I can't boot into Safe Mode. Task Manager is blocked, also cmd and regedit. How can I remove it?
Let me see your System32 drivers area if it's okay.

#5
I can't find my log files, and it found some infections: Rootkit.Boot.SST.a, which I skipped, and Rootkit.Win32.TDSS.tdl4, which I also skipped.

#6
George, you should have in your C: drive (local drive) a txt log which resembles something like this:

[Attachment: tdsskiller.PNG]

#7
There's nothing there, I checked it twice.

#8
Can you open the TDSSKiller program and select 'Report' at the top right of the app.

Copy and paste it into your post.

Thanks

#9
I tried RogueKiller and the infection is still there. Here is the log file of RogueKiller. My PC is still slow and I get redirects.

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: https://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : sasikanths [Admin rights]
Mode : Scan -- Date : 09/03/2012 12:08:59

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] DCSHelper.exe -- C:\ProgramData\DatacardService\DCSHelper.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-152525020-1768887692-1819828000-8660\$c182ca9b37ed9fb8dc733c18a75e9731\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-152525020-1768887692-1819828000-8660\$c182ca9b37ed9fb8dc733c18a75e9731\n --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-152525020-1768887692-1819828000-8660\$c182ca9b37ed9fb8dc733c18a75e9731\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-152525020-1768887692-1819828000-8660\$c182ca9b37ed9fb8dc733c18a75e9731\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-152525020-1768887692-1819828000-8660\$c182ca9b37ed9fb8dc733c18a75e9731\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200BEVT-08A23T1 ATA Device +++++
--- User ---
[MBR] a938e97353ed57ab51c1e0d857d78417
[BSP] 4d6e8fe963cb2155f50711def37919ce : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 60000 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 122881185 | Size: 245234 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
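The RogueKiller report above is the first hard evidence in the thread: the two HJPOL entries (DisableTaskMgr and DisableRegistryTools) explain why Task Manager and regedit are blocked, and the ZeroAccess entries point at the hidden per-SID folder under C:\$Recycle.Bin. The following is an added example, not code from the thread, from Britec or from RogueKiller: a small parser that reads a report in this layout and summarises the findings a helper would look for first. The layout rules (section banners between ¤¤¤ marks, entries written as [TAG]... detail -> VERDICT) are assumptions drawn from the posted log, and SAMPLE_REPORT is constructed from lines in that post.

```python
"""Parse a RogueKiller-style report and summarise the findings that matter.

Added example, not part of the forum thread or of RogueKiller itself. The
parsing rules are assumptions taken from the report George posted.
"""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines copied from the posted RKreport[1].txt.
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] DCSHelper.exe -- C:\ProgramData\DatacardService\DCSHelper.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-152525020-1768887692-1819828000-8660\$c182ca9b37ed9fb8dc733c18a75e9731\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-152525020-1768887692-1819828000-8660\$c182ca9b37ed9fb8dc733c18a75e9731\n --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-152525020-1768887692-1819828000-8660\$c182ca9b37ed9fb8dc733c18a75e9731\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-152525020-1768887692-1819828000-8660\$c182ca9b37ed9fb8dc733c18a75e9731\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-152525020-1768887692-1819828000-8660\$c182ca9b37ed9fb8dc733c18a75e9731\L --> FOUND

¤¤¤ Infection : ZeroAccess ¤¤¤
"""


@dataclass
class Finding:
    section: str   # banner the entry appeared under, e.g. "Registry Entries"
    tags: tuple    # bracketed labels, e.g. ("HJ INPROC", "ZeroAccess")
    detail: str    # text between the tags and the arrow
    verdict: str   # FOUND, KILLED, ...


@dataclass
class Report:
    findings: list
    infection: str = ""   # value of the "Infection : <name>" banner, if present


SECTION_RE = re.compile(r"^¤¤¤\s*(.*?)\s*:?\s*¤¤¤$")
ENTRY_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*-{1,2}>\s*([A-Z]+)")
TAG_RE = re.compile(r"\[([^\]]+)\]")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s)]*")

# Policy values that lock users out of the built-in tools George reported as
# blocked. DisableCMD is a real policy value too but is not in the posted log.
TOOL_LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "DisableCMD"}


def parse_report(text):
    """Walk the report line by line, tracking the current section banner."""
    report = Report(findings=[])
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            name, _, value = m.group(1).partition(" : ")
            section = name
            if name == "Infection":
                report.infection = value
            continue
        m = ENTRY_RE.match(line)
        if m:
            tags = tuple(TAG_RE.findall(m.group(1)))
            report.findings.append(Finding(section, tags, m.group(2), m.group(3)))
    return report


def summarise(report):
    """Pull out tool lockouts, ZeroAccess paths and killed processes."""
    locks, za_paths, killed = set(), [], []
    for f in report.findings:
        if "HJPOL" in f.tags:
            # "HKLM\[...]\System : DisableTaskMgr (0)" -> "DisableTaskMgr"
            value_name = f.detail.rsplit(" : ", 1)[-1].split(" (")[0]
            if value_name in TOOL_LOCKOUT_POLICIES:
                locks.add(value_name)
        if "ZeroAccess" in f.tags:
            path = PATH_RE.search(f.detail)
            if path:
                za_paths.append(path.group(0))
        if f.verdict == "KILLED":
            killed.append(f.detail.split(" -- ")[0])
    # ZeroAccess hides its components in a per-SID folder under $Recycle.Bin.
    in_recycle_bin = sum(1 for p in za_paths if p.lower().startswith(r"c:\$recycle.bin"))
    return {
        "infection": report.infection,
        "tool_lockout_policies": sorted(locks),
        "zeroaccess_paths": za_paths,
        "zeroaccess_in_recycle_bin": in_recycle_bin,
        "killed_processes": killed,
    }


if __name__ == "__main__":
    for key, value in summarise(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run it as a script and the summary lists ZeroAccess as the infection, the two policy values that disable Task Manager and regedit, the five paths under C:\$Recycle.Bin and the one killed process, which is the set of facts a helper needs before recommending the next scan.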

#10
Okay George midleton, I need you to do a scan with HitmanPro and Dr.Web CureIt to see if there is more rootkit activity.
