Really terrible rootkit, can't boot PC unless I boot with driver signature enforcement disabled.

I restarted my PC earlier and when I did it booted up to a BSOD saying that it was in recovery, throwing up various errors. The only way I could get the computer to boot was by disabling driver signature enforcement and booting without it. Now I'm just riddled with trojans all over my computer, but I really wanted my pictures off the hard drive. Is there any way to clean them off? I don't have a Windows CD and I deleted the recovery partition like a dumbass.

Here is a JRT scan log, which is the first thing I did in an attempt to remove this trojan/rootkit.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 8.1 x64
Ran by Miles (Administrator) on Mon 06/13/2016 at 20:54:41.42
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 13

Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\Users\Miles\AppData\Local\packageaware (Folder)
Successfully deleted: C:\Users\Miles\AppData\Local\ysearchutil (Folder)
Successfully deleted: C:\Users\Miles\AppData\Roaming\couchpotato (Folder)
Successfully deleted: C:\Users\Miles\AppData\Roaming\productdata (Folder)
Successfully deleted: C:\Windows\system32\Tasks\Uninstaller_SkipUac_Miles (Task)
Successfully deleted: C:\Windows\Tasks\Uninstaller_SkipUac_Miles.job (Task)
Successfully deleted: C:\Windows\wininit.ini (File)
Successfully deleted: C:\Windows\prefetch\FREEYOUTUBETOMP3CONVERTER.EXE-44400E43.pf (File)
Successfully deleted: C:\Windows\prefetch\FREEYOUTUBETOMP3CONVERTER_4.1-1E5A229D.pf (File)
Successfully deleted: C:\Windows\prefetch\FREEYOUTUBETOMP3CONVERTER_4.1-3F494072.pf (File)
Successfully deleted: C:\Windows\prefetch\FREEYOUTUBETOMP3CONVERTER_4.1-A3810EEC.pf (File)
Successfully deleted: C:\Windows\prefetch\FREEYOUTUBETOMP3CONVERTER_4.1-AAF5472A.pf (File)

Registry: 3

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{40C4B74E-575A-47ED-A473-E3BDFA64AA2E} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 06/13/2016 at 20:56:39.68
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I also have a HijackThis log if anyone is interested in seeing it.

I really appreciate any help.

Hello IhateRootkits and welcome to Malwarebytes,

The driver you quote is not malicious as far as I'm aware; you will need to go to the Toshiba website for an updated driver. The following link may be helpful to you: http://www.carrona.org/drivers/driver.php?id=TVALZ_O.SYS

Also run the following and post the two produced logs.....

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.


Thank you,

Kevin....

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
