TNott Posted December 11, 2012 ID:622405 Share Posted December 11, 2012 I have the 5 nasty viruses that I'm having trouble getting rid of and was looking for some help. I ran MBAM 3 times with unchanging results except for the first scan which removed several viruses. AVG Resident Shield Alert shows 2 threats detected. - Trojan horse Generic29.ANPX - Trojan horse BackDoor.Generic15.CGSYMBAM shows 3 threats detected- Trojan.Dropper.BCMiner - Rootkit.0Access - Rootkit.0Access Link to post Share on other sites More sharing options...
MrCharlie Posted December 11, 2012 ID:622406 Share Posted December 11, 2012 Welcome to the forum, please start at the link below:http://forums.malwar...?showtopic=9573Post back the 2 logs here.....DDS.txt and Attach.txt<====><====><====><====><====><====><====><====>Next.......Please remove any usb or external drives from the computer before you run this scan!Quit all running programs.Please download and run RogueKiller to your desktop.For Windows XP, double-click to start.For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.Click Scan to scan the system. When the scan completes > Close out the program > Don't Fix anything!Don't run any other options, they're not all bad!!!!!!!Post back the report which should be located on your desktop.MrC------->Your topic will be closed if you haven't replied within 3 days!<--------(If I don't respond within 48 hours, please send me a PM) Link to post Share on other sites More sharing options...
TNott Posted December 11, 2012 Author ID:622409 Share Posted December 11, 2012 Here are the files you requested + the MBAM logRKreport1_S_12112012_02d1816.txtattach.txtdds.txtmbam-log-2012-12-11 (15-54-35).txt Link to post Share on other sites More sharing options...
MrCharlie Posted December 12, 2012 ID:622455 Share Posted December 12, 2012 Please read the following information first.You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.BACKDOOR WARNING------------------------------One or more of the identified infections is known to use a backdoor.This allows hackers to remotely control your computer, steal critical system information and download and execute files.I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?http://www.dslreports.com/faq/10451When Should I Format, How Should I Reinstallhttp://www.dslreports.com/faq/10063I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Run RogueKiller again and click ScanWhen the scan completes > click on the Registry tabPut a check next to all of these and uncheck the rest: (if found)[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-4080741863-472385838-1986248349-1001\$e61a80e3a40eaef89206a99a727233f8\n.) -> FOUNDNow click Delete on the right hand column under Options-------------Next click on the Files tab and put a check next to these and uncheck the rest. (if found)[Tr.Karagany][FOLDER] plugs : C:\Users\Patricia Patterson\AppData\Roaming\Adobe\plugs --> FOUND[Tr.Karagany][FOLDER] shed : C:\Users\Patricia Patterson\AppData\Roaming\Adobe\shed --> FOUND[ZeroAccess][FILE] @ : C:\windows\Installer\{e61a80e3-a40e-aef8-9206-a99a727233f8}\@ --> FOUND[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-4080741863-472385838-1986248349-1001\$e61a80e3a40eaef89206a99a727233f8\@ --> FOUND[ZeroAccess][FOLDER] U : C:\windows\Installer\{e61a80e3-a40e-aef8-9206-a99a727233f8}\U --> FOUND[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-4080741863-472385838-1986248349-1001\$e61a80e3a40eaef89206a99a727233f8\U --> FOUND[ZeroAccess][FOLDER] L : C:\windows\Installer\{e61a80e3-a40e-aef8-9206-a99a727233f8}\L --> FOUND[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-4080741863-472385838-1986248349-1001\$e61a80e3a40eaef89206a99a727233f8\L --> FOUND[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> FOUND[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> FOUND[susp.ASLR][FILE] services.exe : C:\windows\system32\services.exe --> FOUNDNow click Delete on the right hand column under Options~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Next...............Please read the directions carefully so you don't end up deleting something that is good!!Please note that TDSSKiller can be run in safe mode if needed.Here's a video that explains how to run it if needed: Please download the latest version of TDSSKiller from here and save it to your Desktop.Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.Put a checkmark beside loaded modules.A reboot will be needed to apply the changes. Do it.TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.Then click on Change parameters in TDSSKiller.Check all boxes then click OK.Click the Start Scan button.The scan should take no longer than 2 minutes.If a suspicious object is detected, the default action will be Skip, click on Continue.Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.Here's a summary of what to do if you would like to print it out:If a suspicious object is detected, the default action will be Skip, click on ContinueIf you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please chooseSkip and click on ContinueAny entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.If malicious objects are found, they will show in the Scan results and offer three (3) options.Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.~~~~~~~~~~~~~~~~~~~~You can attach the logs if they're too long:Bottom right corner of this page.New window that comes up.MrC Link to post Share on other sites More sharing options...
Staff screen317 Posted December 17, 2012 Staff ID:624060 Share Posted December 17, 2012 Are you still with us? This topic will be closed in a few days if we do not hear back from you. Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 17, 2012 ID:624184 Share Posted December 17, 2012 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts