Not sure if computer is still infected with Trojans?

Greetings fellow users! Can someone please look at this DDS and tell me with your expertise whether or not we are still infected and what I can do next to clean this machine. I have run updated versions of Malwarebytes, Superantispyware, Avira Antivirus and three of the free online scanners like Panda, Bitdefender and Eset. I have run disc cleanup and gone into the browsers and deleted temporary Internet files as well.

Initially this all started when I discovered on a buddy’s computer that his Norton anti-virus had been turned off and his Malwarebytes program was not operational. I uninstalled Norton, then downloaded Avira antivirus and ran the scanner; it located the TR/ATRAPS.Gen2 Trojan and moved it to quarantine. I then uninstalled the non-working Malwarebytes, updated it and ran the full scan; it located Trojan.Dropper.BCMiner, which it reported it had quarantined and deleted successfully. After several days (2/3) Malwarebytes, Avira and Superantispyware are not detecting any infections, but then when I ran the Eset online scanner on June 8, 2012 it claims it found several Trojans. These appeared to be located in Temporary Internet Files (Internet Explorer), but most of the Trojans are located in

C:\Users\ESH-001\DesktopGeek Squad Backup\Documents and settings\Administrator\Application Data\Sun\Java\Development\cache\6.0\18\13a2e652613d0d3e

java/TrojanDownloader.OpenStream.NAC trojan,

Eset claimed it cleaned by deleting.

I’m concerned because this is his business computer. I have made backups to DVD and to an external hard drive using Windows Back-up and restore. We just need to know if we could still be infected or not and how to proceed from here.

Thank-you very much for any help or advice you can give us!!!

DDS.txt Torries.txt

Attach.txt Torries.txt


LSP: mswsock.dll

This file indicates that you're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

Your computer is infected with a nasty rootkit. Please read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards, and:

  • There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

===================================

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Delete.


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.


--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

MrC

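MrC reads the DDS line `LSP: mswsock.dll` as a ZeroAccess indicator. One way a defender can inspect the Winsock provider (LSP) chain on a suspect machine is shown below; this is an added example, not code from the thread or from any of the tools named in it. It assumes an elevated PowerShell session on Vista/7 or later, and the `ok`/`SUSPECT` labelling is my own heuristic.

```powershell
# Added example (not from the thread): list every provider DLL registered in the
# Winsock catalog and flag those that live outside System32 or whose Authenticode
# signature does not verify. Assumes elevated PowerShell on Vista/7 or later.
$system32 = Join-Path $env:SystemRoot 'System32'

# "netsh winsock show catalog" prints one "Provider Path:" line per catalog entry.
$catalog = netsh winsock show catalog

$paths = foreach ($line in $catalog) {
    if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
        # Paths are stored with environment variables such as %SystemRoot%.
        [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
}

foreach ($path in ($paths | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output ("MISSING  {0}" -f $path)
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    $inSystem32 = $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)

    # Heuristic: a genuine provider is a Microsoft-signed DLL under System32.
    $suspect = (-not $inSystem32) -or ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    $label = if ($suspect) { 'SUSPECT' } else { 'ok     ' }

    Write-Output ("{0}  {1}  status={2}  signer={3}" -f $label, $path, $sig.Status, $signer)
}
```

On Windows 7 and earlier, `Get-AuthenticodeSignature` does not consult catalog signatures, so a legitimate OS DLL can report `NotSigned`; treat the location check as the more reliable of the two there and confirm any `SUSPECT` entry against a known-good copy of the file before acting on it.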

Thank-you MrC. for taking the time to read and respond to my post :) . I agree, when it comes to some of these nasties it is probably better to reformat and reinstall to ensure the malware is removed :mellow: . This computer has been disconnected from the Internet for over a week now. I will need to confer with the owner on Monday to see if he would like to go ahead with the cleaning. I will post back as soon as I meet with him. I have run Windows Back up and restore to a brand new hard drive and DVDs. Do you think there is a likelihood the malware has found its way to the backups as well? I ran the backups after the scanners (Malwarebytes, Superantispyware, Avira AV, and online scanners, Bitdefender, TrendMicro and Panda) started coming up clean.

Thanks again for the help. Jake


OK, thanks for letting me know.

Do you think there is a likelihood the malware has found its way to the backups as well?

I can't be sure one way or the other.

Sometimes these infections aren't fixable and you end up formatting and reinstalling anyway.

MrC


Hello MrC ! looks like you are more than busy today. I met with my friend and he has decided to reformat and re-install. Soooo I know what I will be doing today. Thanks again for your time and also for the links to the dsl reports, I did read them. I am making a donation through PayPal in the hopes when I get everything re-installed and up and running maybe you or one of your colleagues could take a gander at a new DDS report and give me your blessing in the realm of uninfected computing. :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.