Hello
I have been fighting this infection for a week now.
I am about ready to give up and reformat my drive. It is a big deal because I have a lot of programs installed.
I ran:
Norton suite (froze the computer), removed
Kaspersky suite: removed viruses but cannot remove the Trojan in the HD boot sector
Created Norton rescue disk
Kaspersky rescue disk
Rebooted from the rescue disk
Ran Kaspersky suite: removed viruses but cannot remove the Trojan in the HD boot sector
TDSSKiller: removed viruses but cannot remove the Trojan in the HD boot sector
Malwarebytes
ESET online scan: no threat found
Ran Combofix
Ran Sophos virus removal tool
I looked at some of the threads on the forum. One thing I didn't do is use OTL with the script, and I don't know how to do that.
I am also wondering if the computer is really booting from the rescue disk.
Looks like you have a major infection that has been partially removed.
WARNING: Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.
Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean, and it may have damaged your system files. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.
Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.
Disable your AntiVirus and AntiSpyware applications.
Double-click on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
Ok I want to give it one shot and then I will have to bite the bullet and reinstall everything.
So I have downloaded combofix, and actually I let Kaspersky run a full scan overnight and it detected the Rootkit.Boot.Pihar.b and it can’t be removed…
OK it is running.
I have disconnected the internet from the infected computer and I am responding from my laptop.
It is preparing the log; it should be 10 more minutes or so.
- Double-click to run TDSSKiller.exe
- Press Change Parameters
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click on the Start Scan button
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
- Copy and paste the log in your next reply
- A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version][Date][Time]_log.txt". Please copy and paste its contents on your next reply.
OTL
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
- In Custom Scans/Fixes please put the following:
    netsvcs
    /md5start
    consrv.dll
    /md5stop
    createrestorepoint
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt.
  Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
In your next reply please attach the logs made by OTL and TDSSKiller.
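The two checks the helper asks TDSSKiller and OTL to perform above (verifying driver digital signatures and hashing consrv.dll) can also be reproduced with built-in PowerShell cmdlets, which is useful for comparing a suspect machine against a known-clean one. This is an added example, not code from the thread or from either tool; it assumes an elevated prompt on Windows 7 or later with PowerShell 4.0 or newer.

```powershell
# Added example (not from the thread): mirror OTL's /md5start consrv.dll block and
# TDSSKiller's "Verify Driver Digital Signature" option with standard cmdlets.
# Assumes an elevated prompt and PowerShell 4.0+ (Get-FileHash, catalog-aware
# Get-AuthenticodeSignature). Compare output with a known-clean system.

# 1) Presence, MD5 and signature of consrv.dll, the file OTL is told to hash.
$consrv = Join-Path $env:SystemRoot 'System32\consrv.dll'
if (Test-Path $consrv) {
    $hash = Get-FileHash -Path $consrv -Algorithm MD5
    $sig  = Get-AuthenticodeSignature -FilePath $consrv
    'consrv.dll present: MD5={0} signature={1} signer={2}' -f `
        $hash.Hash, $sig.Status, $sig.SignerCertificate.Subject
} else {
    'consrv.dll not present in System32'
}

# 2) Signature status of every running kernel driver. Entries that are not
#    "Valid" deserve a closer look; on older PowerShell versions some
#    catalog-signed Microsoft drivers may also show NotSigned, so compare
#    against a clean machine rather than treating one entry as proof.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # WMI may return "\??\C:\..." or a path relative to %SystemRoot%
        $path = $_.PathName -replace '^\\\?\?\\', ''
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Driver    = $_.Name
                Path      = $path
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    } |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Save the output alongside the TDSSKiller and OTL logs; it gives a second, tool-independent view of the same files when reading those reports.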