Computer infected with various (?) trojans; can't remove.

Hello all,

Recently I acquired a computer from a friend and found quite a bit of nasty stuff on it (malware wise) and I'm having a bit of difficulty getting rid of it.

A couple of the particular nasties are: Win32.Malware!Drop (found in services.exe) and the Rootkit.0Access which is found in the following path as per the logs:

C:\Windows\Installer\{319f54dd-3ebb-e090-7a54-5061745869c7}\u\800000cb.@ (Rootkit.0Access) -> no action taken.

Now, Vipre detects the Win32.Malware!Drop trojan but not the Rootkit.0Access, which MBam does detect; however, MBam does not detect the Win32.Malware!Drop trojan (unless they're the same thing, which I don't think they are).

Vipre won't remove the Win32.Malware, and even though MBam shows (via logs) that the Rootkit.0Access trojan has been quarantined and deleted successfully, it's still there upon doing another deep scan.

What can I do to get rid of this stuff? I don't use this system for sensitive banking or account usage, but I would like to clean it out nonetheless.

I'm not exactly sure what I should do here so I was hoping an expert on the subject could guide and direct me.

All help is greatly appreciated!

Thank you in advance!


  • Root Admin

Based on that, your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

  • How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
    http://www.dslreports.com/faq/10451
  • When Should I Format, How Should I Reinstall
    http://www.dslreports.com/faq/10063
  • I will try my best to clean this machine but I cannot guarantee that it will be 100% secure afterwards.
  • I also cannot guarantee that I can even clean the machine, and it is possible that it can become more unstable and no longer boot on its own.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

STEP 1

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save it to your Desktop:

  • dds.scr
  • dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double-click dds.scr or dds.com to run the tool; on Vista or Win 7, right-click and select Run as administrator.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop.
  • Please include the following logs in your next reply: DDS.txt and Attach.txt.
    You can ignore the note about zipping the Attach.txt file in most cases.

STEP 2

Please visit this webpage for instructions on running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Don't skip the step about disabling your Anti-Virus; it needs to be disabled long enough that it remains disabled even after a computer restart.

When the tool is finished, it will produce a report for you.

Please attach the C:\ComboFix.txt log on your next reply so that we can continue checking and cleaning the system.

If you get a message similar to this: "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer and everything should start working again.

Send me back all logs when completed as attachments.

Thanks

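The detail in the original report that matters most is not the detection name but the path: a `.@` file under a GUID-named folder in `C:\Windows\Installer`, and the fact that it comes back after MBam reports it quarantined. The script below is an added example, not part of the thread or of any Malwarebytes or Vipre tool. It scans an Installer directory for that pattern, reports GUID folders it is refused access to (a rootkit denying access to its own directory is itself a signal), and compares two scans so a "removed but still present" file stands out. The `u` sub-folder comes from the log line above; treating an `l` sub-folder the same way is an assumption from public ZeroAccess write-ups, not from this thread. The GUID `{319f54dd-...}` in the demo is the one quoted in the post; the benign GUID and `setup.msi` are constructed sample data.

```python
import os
import re
import tempfile

# Directory name shape from the quoted log line: a GUID in braces.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Sub-folder names to look inside. "u" is what the log shows; "l" is an
# assumption taken from public ZeroAccess write-ups, not from this thread.
SUSPECT_SUBDIRS = {"u", "l"}


def scan_installer_dir(installer_root):
    """Return a list of (path, reason) tuples for ZeroAccess-style artefacts.

    A hit is any file ending in ".@" beneath <installer_root>/{GUID}/u (or /l).
    A GUID folder that cannot be listed is reported too, because a rootkit that
    locks its own directory is a signal in its own right.
    """
    findings = []
    if not os.path.isdir(installer_root):
        return findings
    for entry in sorted(os.listdir(installer_root)):
        if not GUID_DIR.match(entry):
            continue  # ordinary files or non-GUID folders are not of interest
        guid_dir = os.path.join(installer_root, entry)
        try:
            subdirs = os.listdir(guid_dir)
        except PermissionError:
            findings.append((guid_dir, "access denied listing GUID folder"))
            continue
        for sub in subdirs:
            sub_path = os.path.join(guid_dir, sub)
            if sub.lower() not in SUSPECT_SUBDIRS or not os.path.isdir(sub_path):
                continue
            for dirpath, _dirs, files in os.walk(sub_path):
                for name in files:
                    if name.endswith(".@"):
                        reason = "'.@' module under {GUID}\\%s" % sub
                        findings.append((os.path.join(dirpath, name), reason))
    return findings


def reappeared(before, after):
    """Paths present in both scans: items a tool claimed to remove but which are back."""
    return sorted({p for p, _ in before} & {p for p, _ in after})


def run_demo():
    """Build a constructed Installer tree in a temp dir, scan, 'clean', rescan.

    Returns (first_scan, still_present).
    """
    with tempfile.TemporaryDirectory() as root:
        installer = os.path.join(root, "Installer")
        # Constructed benign entry: a normal MSI cache folder with an .msi inside.
        benign = os.path.join(installer, "{0a1b2c3d-1111-2222-3333-444455556666}")
        os.makedirs(benign)
        open(os.path.join(benign, "setup.msi"), "wb").close()
        # Constructed artefact mirroring the path quoted in the thread.
        bad_dir = os.path.join(installer, "{319f54dd-3ebb-e090-7a54-5061745869c7}", "u")
        os.makedirs(bad_dir)
        bad_file = os.path.join(bad_dir, "800000cb.@")
        open(bad_file, "wb").close()

        first = scan_installer_dir(installer)
        # Simulate the situation in the thread: a cleaner deletes the file,
        # then the still-running driver writes it back before the rescan.
        os.remove(bad_file)
        open(bad_file, "wb").close()
        second = scan_installer_dir(installer)
        return first, reappeared(first, second)


if __name__ == "__main__":
    found, back = run_demo()
    for path, why in found:
        print("FOUND", path, "-", why)
    for path in back:
        print("STILL PRESENT after rescan:", path)
```

On a real system the scan would be pointed at `C:\Windows\Installer`. A kernel-mode rootkit can hide files and directories from any user-mode listing, so a clean result from the running OS proves little; the same scan from a boot environment that does not load the infected system's drivers is far more trustworthy, which is also why the advice above is to collect logs and, for anything sensitive, assume compromise.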