I ran full scans on numerous AV programs. The first being avast, then malwarebytes, then SuperAntiSpyware. None of them found anything.
After talking with a “tech” friend, he told me it sounds like it is a rootkit of some sort. So I looked online and downloaded the Malwarebytes “Anti-Rootkit” tool. It found 4 trojans, which I followed the steps to remove. It didn’t ask for a restart, so I did one anyway, but I still get the avast warnings. As many as 1 per second for 20 seconds.
I’m out of options, so I’m hoping someone here can give me some directions and guidance into fixing this problem.
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I’d be grateful if you would note the following:
- The fixes are specific to your problem and should only be used for the issues on this machine.
- It’s often worth reading through these instructions and printing them for ease of reference.
- If you don’t know or understand something, please don’t hesitate to say or ask! It’s better to be sure and safe than sorry.
- Please reply to this thread. Do not start a new topic.
- If you happen to have a flash drive/thumb drive, please have that ready in the event that we need to use it.
- Please be sure to subscribe to the topic if you have not already done so.
IMPORTANT NOTE: Please do not delete, download or install anything unless instructed to do so. DO NOT use any TOOLS such as ComboFix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system, losing all your programs and data.
- Disable any antivirus programs during the scan (if you have difficulty properly disabling your protective programs, refer to the link here).
- Double click dds to run the tool.
- When done, two DDS.txt’s will open.
- Save both reports to your desktop.
Please include the contents of the following in your next reply:
- Double click TDSSKiller.exe
- Press Start Scan but do nothing else, as we are just looking for what is there.
- If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
- Attach the log in your next reply.
- A copy of the log will be saved automatically to the root of the drive (typically C:).
Ok, I downloaded both programs. DDS ran but did not generate any .txt files. I ran it again to be sure and did a search for them… nothing.
TDSSKiller ran and found 19 infections, all medium risk. I tried to paste the log and it said I exceeded the maximum length. I tried to attach it, and it would not let me see any files, just folders.
- Download OTL to your desktop.
- Right-click the icon and choose Run as Administrator to run it. Make sure all other windows are closed and let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
- When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
- Download the tool found here to your Desktop so it is easy to find.
- Double click on the file you just downloaded to install it to your system.
- Once the tool is installed, double-click on the Tweaking.com Registry Backup icon. Note: The tool should automatically open to the Backup Registry tab.
- Press Backup Now.
- When the backup is complete, the tool will tell you Successful / Files Backed Up.
- You have now successfully backed up your Registry.
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.
- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot when it is done.
- Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time).
Attach the new OTL log and let me know how your system is running.
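A scripted equivalent of the registry backup step above, added here as an example; it is not from the thread and is not the Tweaking.com tool. It assumes an elevated PowerShell 4 or later session (Get-FileHash needs it) on a Windows machine with reg.exe, and the backup folder C:\RegBackup is an arbitrary choice:

```powershell
# Added example, not from the thread: export the main registry hives with reg.exe
# before running a fix script, so a bad fix can be rolled back with "reg import".
# Assumptions: run from an elevated PowerShell 4+ session; $BackupRoot is arbitrary.
$BackupRoot = "C:\RegBackup"   # assumed location, change to taste
$Stamp      = Get-Date -Format "yyyyMMdd-HHmmss"
$Dest       = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Hives that removal fixes usually touch: services and drivers (SYSTEM),
# Run keys and shell settings (SOFTWARE, HKCU), and the default user profile.
$Hives = @(
    "HKLM\SYSTEM",
    "HKLM\SOFTWARE",
    "HKCU",
    "HKU\.DEFAULT"
)

$Results = foreach ($Hive in $Hives) {
    # Turn "HKLM\SYSTEM" into "HKLM_SYSTEM.reg"
    $File = Join-Path $Dest (($Hive -replace '[\\:.]', '_') + ".reg")
    # /y overwrites silently; reg.exe sets a non-zero exit code when the export fails.
    & reg.exe export $Hive $File /y | Out-Null
    [pscustomobject]@{
        Hive     = $Hive
        File     = $File
        ExitCode = $LASTEXITCODE
        SizeMB   = if (Test-Path $File) { [math]::Round((Get-Item $File).Length / 1MB, 1) } else { 0 }
        SHA256   = if (Test-Path $File) { (Get-FileHash -Algorithm SHA256 $File).Hash } else { $null }
    }
}

$Results | Format-Table -AutoSize

# Keep the hashes beside the exports so a later restore can be checked against them.
$Results | Export-Csv -Path (Join-Path $Dest "manifest.csv") -NoTypeInformation

if ($Results | Where-Object { $_.ExitCode -ne 0 }) {
    Write-Warning "One or more hive exports failed; do not run the fix until the backup is complete."
}
```

To roll back, run `reg import <file>.reg` from an elevated prompt on the matching export. Note that a .reg export restores keys and values that were changed or deleted, but does not remove keys a fix added afterwards, and some protected subkeys are skipped by reg.exe even when elevated, so treat this as a safety net rather than a full hive image.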
So I followed your instructions to input the code into OTL. I selected the “Run Fix” button and it did its thing. Afterwards, it asked to reboot, which I did.
After the reboot, I noticed that I didn’t have any internet connection. I had the “yellow triangle with the exclamation point” inside saying that I was connected to an unidentified network. I restarted my modem and re-connected my Ethernet cable and problem solved.
I do not have any AV software active atm, should I go ahead and enable Avast again?
WARNING: Unfortunately, one or more of the infections I have identified are Backdoor Trojans, IRCBots or other malware capable of stealing very important information. You need to stop using all Internet banking sites, change passwords to all sites with sensitive information from a clean computer, and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.
Unfortunately, I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may have damaged your system files as well. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway, depending on the extent of the infection.
If you would like to format and reinstall your Operating System please let me know and we can assist you with that.
If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.
ComboFix
Download ComboFix from either of the links below, and save it to your desktop. Link 1 Link 2
Note: It is important that it is saved directly to your desktop.
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to the link here.
Right-click ComboFix.exe, choose Run as Administrator, and follow the prompts.
When finished, it will produce a report for you.
- Please attach C:\ComboFix.txt for further review.
Damn… do you know how long it’s been on this pc? Also, there is another pc in the house that connects to the internet via router. The computer infected with the rootkit is “wired” via ethernet for internet access, my question is can the other computer get infected?
I think a reinstall of the operating system would be best. This is Windows Vista 32-bit, do you think I should reinstall that or get Windows 7?
It is hard to say how long this infection has been on the system. It is possible that the other system could have been infected, but it’s really hard to say for sure. This infection is not known to jump systems. I would just keep a good eye on that system to be sure.
I think you are making a good decision... it is just what I would do as well. It is always good to upgrade your operating system if you can afford the newer system. If not, just reinstall Vista. I have been using Vista for years now with no problems.
Thanks for the link Jeff! Quick question, I do not have any Windows Vista product key as I don’t think the pc came with one. Do you know where I could find mine? The first day we got the computer, I made 3 recovery discs. Are these the Windows Vista DVD’s?
Usually the product key for Windows is on a sticker that is found on the side of your computer if it’s a desktop. If it is a laptop, the product key might be found on the bottom of the computer or even in the battery compartment. Take a look and see what you find.
Thanks again for your time, Jeff! I recovered my system and all looks good. Just a couple of “simple” questions now…
Vista is asking me if I wanna create a factory default backup image… I’m pretty sure this is what I did when I first purchased the computer. My question, do I need to create the 3 DVDs again or can they be used multiple times?
And my last question is regarding computer protection… I will be installing the free version of Avast, and I was wondering if that should be my sole free anti-virus software or could I have multiple for more protection? I used to have AVG and Avast. As well as Malwarebytes and SuperAntiSpyware for scans and stuff… Can I go ahead and have all those again?