Hi, I ran avast and this came up with these three threats:
C:\Users\Frenches\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\7d561b26-5fab83cc Threat: Win32:Rootkit-gen [Rtk]
C:\Windows\assembly\GAC_32\Desktop.ini Threat: Win32:Sirefef-PL [Rtk]
C:\Windows\assembly\GAC_64\Desktop.ini Threat: Win32:Sirefef-PL [Rtk]
The first one listed was able to be moved to the chest successfully, while Avast failed to move the other two. The results show: “Error: Access is denied (5)” for both…
I am about to start the scans, as instructed in the posting titled: “Topic: Logs to assist in cleaning malware”, but I wanted to start the thread in case someone could offer specific help, if you have encountered this threat before. Any assistance or advice would be greatly appreciated.
Hi, I ended up doing a boot-time scan, which took a while, but those threats were located and successfully moved to the chest, from what I can tell. I re-ran the full scan on Avast and it came out clean, no threats detected. Do you think they’ve been eliminated? In your opinion, should I take any more action?
Thanks for your help.
[*]Disable any script blocking protection
[*]Right-click and Run as Administrator dds to run the tool.
[*]When done, two DDS.txt’s will open.
[*]Save both reports to your desktop.
Please attach the contents of the following in your next reply:
Hi, Sorry for the delayed action, I just got home from work.
I ran the scans as directed in the intro post and will attach them here. Hopefully this will shed some light on the status of my computer. I’ve noticed some small but strange things, which makes me think I haven’t successfully dealt with this threat, like when my screen saver has been on, and I wake my computer up again, there are strange track mark lines across my desktop and when I right click on a link in my browser, the menu isn’t visible…strange, but maybe just coincidence.
Hi Jeffce, Sorry, I forgot to do as you asked. I stopped my script blocking protection, but wasn’t able to find the Run as Administrator option when I right-clicked…hope this will still report correctly.
I’ve attached the reports that resulted in the DDS scan.
Thanks!
WARNING: Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.
Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.
If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.
ComboFix
Download Combofix from the link below, and save it to your desktop. Link
Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.
Hi Jeff. Very sorry to hear this. Unfortunately I’m at work at the moment but I’m up for seeing this through until we’ve resolved this. Thanks for your willingness to help! I’ll run the scan you’ve asked for as soon as I get home.
Hi Jeff,
I disabled my Avast antispyware and ran the ComboFix as you asked. The log is attached to this post for your review. Please let me know how bad things look…
Thanks!
I notice that you have both Avast and Trend Micro running at the same time. Having more than one antivirus program running at the same time can seriously degrade the performance of your system. Please uninstall either Avast or Trend Micro (whichever you prefer) using either the provided uninstall feature that is part of the antivirus program or through Add/Remove Programs (Vista and Win 7 users go to Programs and Features in the Control Panel). As a rule of thumb one should run one firewall, one antivirus program in memory, and one antispyware utility in memory. It’s fine to have other security tools available on an as-needed or on-demand basis, but when multiple tools simultaneously perform the same function, you’re asking for trouble.
Let me know how your system is running once that is complete.
Hi,
I didn’t even realize I had two running simultaneously! I only meant to have Avast. I’ve deleted Trend Micro and reran the ComboFix. I have attached the new report to this posting. Everything else seems to be running fine (on the surface). I’ll wait for your next steps.
Thanks,
Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
ESET Online Scanner
Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
[*]Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
[*]Turn off the real time scanner of any existing antivirus program while performing the online scan
[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the ActiveX control to install
[*]Click Start
[*]Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
[*]Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
[*]Click Scan
[*]Wait for the scan to finish
[*]When the scan is done, if it shows a screen that says “Threats found!”, then click “List of found threats”, and then click “Export to text file…”
[*]Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
[*]Close the ESET online scan, and let me know how things are now.
Hi Jeff…I’m very sorry! I wasn’t aware that this thread had overflowed onto “page 2” and I was waiting for your response, unaware that you had already replied. I guess that’s why I have the “newbie” status! I went on a trip for a week and just got back yesterday. I’m not sure if you will respond since this thread has gone cold, but I’m giving it a shot.
I’ve performed the tasks per your direction. Java has been uninstalled. Malwarebytes “quick scan” reported no malicious items. Threats were found during the ESET scan and I’ve copied and pasted them below. Hopefully it hasn’t been too long and I’ll hear back from you.
Thanks.
ESET found threats:
C:\Users\Frenches\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\7b376e52-5839f4e8 multiple threats
C:\Users\Frenches\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\4e0f223e-140d794f a variant of Java/Exploit.CVE-2013-0422.K trojan
C:\Users\Frenches\Documents\SopCast\Setup-SopCast-3.3.2-2010-12-15.exe a variant of Win32/Bundled.Toolbar.Ask application
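As an added example (not from this thread, and not code from Avast, ESET or any of the helper's tools): a small Python triage script that parses the Avast result lines from the first post and the ESET result lines above into structured records, then groups them by where the file lives. The grouping rules and the suggested follow-up for each group are my own assumptions written for illustration: the `GAC_32`/`GAC_64` `Desktop.ini` pair under `C:\Windows\assembly` is the Sirefef/ZeroAccess artifact the helper describes, which is why on-line quarantine failed with "Access is denied" and a boot-time scan was needed; files in the Java deployment cache are what a drive-by exploit leaves behind; the SopCast installer is a bundled-toolbar application. The sample lines are copied from the thread; the ESET export does not delimit the path, so the parser relies on ESET's fixed description phrasings.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Scanner output lines copied from this thread (Avast boot-time scan, ESET online scan).
AVAST_LINES = [
    r"C:\Users\Frenches\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\7d561b26-5fab83cc Threat: Win32:Rootkit-gen [Rtk]",
    r"C:\Windows\assembly\GAC_32\Desktop.ini Threat: Win32:Sirefef-PL [Rtk]",
    r"C:\Windows\assembly\GAC_64\Desktop.ini Threat: Win32:Sirefef-PL [Rtk]",
]
ESET_LINES = [
    r"C:\Users\Frenches\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\7b376e52-5839f4e8 multiple threats",
    r"C:\Users\Frenches\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\4e0f223e-140d794f a variant of Java/Exploit.CVE-2013-0422.K trojan",
    r"C:\Users\Frenches\Documents\SopCast\Setup-SopCast-3.3.2-2010-12-15.exe a variant of Win32/Bundled.Toolbar.Ask application",
]

# Avast: "<path> Threat: <name> [<class>]"
AVAST_RE = re.compile(r"^(?P<path>.+?) Threat: (?P<name>.+)$")
# ESET: "<path> multiple threats" or "<path> [probably ]a variant of <name> <type>";
# the path is not quoted, so we anchor on ESET's fixed description phrasings.
ESET_RE = re.compile(r"^(?P<path>.+?) (?P<desc>multiple threats|(?:probably )?a variant of .+)$")


@dataclass
class Finding:
    engine: str
    path: str
    detection: str
    category: str   # rootkit-artifact | exploit-cache | pua | other
    action: str     # assumed follow-up for that category (illustrative, not scanner output)


def classify(path: str, detection: str) -> tuple[str, str]:
    """Group a finding by location (not by detection name) and attach an assumed follow-up."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    # ZeroAccess/Sirefef hides under C:\Windows\assembly\GAC_32 and GAC_64 as Desktop.ini;
    # a normal quarantine there fails with "Access is denied", hence the boot-time scan.
    if "assembly" in parts and p.name.lower() == "desktop.ini" and (
        "gac_32" in parts or "gac_64" in parts
    ):
        return "rootkit-artifact", "boot-time/offline scan, then rescan to confirm removal"
    # Java deployment cache entries are what a drive-by Java exploit leaves on disk.
    if "deployment" in parts and "cache" in parts:
        return "exploit-cache", "clear the Java cache and update or uninstall Java"
    # Bundled toolbars are potentially unwanted applications, not rootkit components.
    if "bundled" in detection.lower() or "toolbar" in detection.lower():
        return "pua", "delete the installer and review installed programs"
    return "other", "quarantine and rescan"


def parse_avast(line: str) -> Finding | None:
    m = AVAST_RE.match(line.strip())
    if not m:
        return None
    category, action = classify(m["path"], m["name"])
    return Finding("avast", m["path"], m["name"], category, action)


def parse_eset(line: str) -> Finding | None:
    m = ESET_RE.match(line.strip())
    if not m:
        return None
    category, action = classify(m["path"], m["desc"])
    return Finding("eset", m["path"], m["desc"], category, action)


def triage(avast_lines: list[str], eset_lines: list[str]) -> list[Finding]:
    """Parse both scanners' output, dropping lines that match neither format."""
    findings = [f for f in map(parse_avast, avast_lines) if f]
    findings += [f for f in map(parse_eset, eset_lines) if f]
    return findings


def needs_offline_remediation(findings: list[Finding]) -> bool:
    """True if any finding sits in a location an on-line quarantine cannot clean."""
    return any(f.category == "rootkit-artifact" for f in findings)


if __name__ == "__main__":
    results = triage(AVAST_LINES, ESET_LINES)
    for f in results:
        print(f"[{f.engine}] {f.category:16} {f.path}\n    {f.detection}\n    -> {f.action}")
    print("offline remediation needed:", needs_offline_remediation(results))
```

The point of grouping by location rather than by detection name is visible in the first Avast line: it is labelled a generic rootkit but lives in the Java cache, so it is handled with the other exploit-cache entries, while the two `Desktop.ini` hits are the ones that explain the "Access is denied (5)" quarantine failures.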
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
Post the new OTL log and let me know how your system is running.