Every scanner picks up a different infection

Hello,
I’m seeing minor changes in my laptop’s behavior and every scan I’ve run so far has picked up something. Sorry in advance for all the details but I’m not sure what information is relevant.
Day 1 - Avast Pro notified me that a rootkit had been moved to the chest (I wasn’t online but the wifi was on so I’m assuming something got through there).
Day 2 - When I was logging into my laptop, Lenovo’s security manager no longer required a password to log in (I got info that there was a problem connecting to the TPM). Also there was a problem with the previously automatic connection to the house wifi (the laptop could see the signal and the password had been input, but there was a problem with the automatic acquiring of the network address, so every day I have to go to wireless network connection and click that I want Windows to configure my settings). I ran an Avast boot-time scan and it found 15 new infected files (all rootkits). 14 were moved to the chest; 1 could not be deleted or moved to the chest because the file could not be found. Nothing else was done on the laptop that day.
Day 3 - ran a boot-time scan and it found 3 new infected files (2 were moved to the chest, 1 could not be deleted or moved). No other activities were done on the PC that day.
Day 4 - ran a boot-time scan and 0 infected files were found, but about 3000 fewer files were tested than both previous times. I downloaded Malwarebytes and that found 1 issue (it’s been quarantined). Spybot found 2 items that it categorized as malware/registry key/danger level 10/10 and malware/directory/danger level 10/10; I quarantined those. aswMBR has also found a suspicious item.

Thanks in advance for all the help.

What is the full message from avast?
What file was detected, and in which location (full file path)?

The removal team is notified. Since it is midnight in Europe they probably won’t reply before tomorrow.

Hello,

Could you post the aswMBR.txt log report and the scan results from the standalone avast-gmer ARK tool?

I would like to see the avast! boot-time scan log as well. It is located here; post that as well.
C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
     If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
     If you are unsure how to do this, please read this or this instruction.

Instructions how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.

  3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

     - ComboFix will check if there is a newer version of ComboFix available.
       Click Yes if prompted to download.
     - If the Recovery Console is not installed, ComboFix will offer to download and install it.
       Click Yes to allow ComboFix to install the Recovery Console.

  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
     => Attach the log report (ComboFix.txt) back to the topic.

ComboFix will also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

I’m attaching the aswMBR file (I didn’t quarantine the suspicious item) and aswBoot scan.
While the actual boot scan report says that ALL the infections were moved to the chest, the scan results on the avast screen say something different. For the july 01 scan 15 files were found as infected – 14 were moved to chest, 1 could not be found. For the July 02 scan 3 files were found as infected – 2 were moved to chest, 1 could not be found. I’ve attached a pic to demonstrate what I mean.
I’m also attaching an avast file system shield report because after the last boot scan on 07/22 avast has moved new items to be quarantined with a similar location (C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}……).
I will download Combofix now and send the log as soon as it’s available.

Avast blocked the download of Combofix from bleepingcomputer.com & moved it to chest (C:\Documents and Settings\Admin\Local Settings\Temp\ZYgahW3N.exe.part [L] Win32:Dropper-gen [Drp] )

Am I supposed to disable Avast before I download Combofix or before I run it?

Yes … Right click avast tray icon and pause shields

Combofix scans

We shall run ComboFix one more time, and this time we will use a CFScript for that run. Open Notepad and copy/paste the text present inside the code box below:

FileLook::
C:\WINDOWS\System32\DLA\DLADResN.SYS

ClearJavaCache::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000

Save this as CFScript.txt

Close all browser windows, then drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

I would also like to perform an additional ARK system scan, and we will use MBAR for that check. Please download Malwarebytes Anti-Rootkit (MBAR) and save it to your desktop.
For full instructions on how MBAR works, read this article.

> Double-click on the MBAR file and allow it to run.
• Click OK on the next screen to allow the package to extract the contents of the file to its own folder named mbar.
mbar.exe will launch automatically. On some systems this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.

• On the Update Database screen, click on the Update button. Once you see ‘Success: Database was successfully updated’ click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two message boxes:

  • ‘Could not load protection driver’. Click ‘OK’.
  • ‘Could not load DDA driver’. Click ‘Yes’ to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>> If infections are found, ensure Create Restore Point is ticked. Then select the Cleanup! button to remove threats.
• The clean-up procedure will be scheduled and a pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.

>> Notice: only if a rootkit is detected, make sure to run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe

  • Run fixdamage.exe; at the black window, type Y (alias for Yes) to continue. Wait a few seconds for execution …
  • When you see “press any key to exit” the fix is completed; press any key to close the window. Reboot the system.

> The following reports will be created in mbar folder:

  1. mbar-log-year-month-day (hour-minute-second).txt
  2. system-log.txt

Please post both MBAR logs in your next reply along with the freshly created ComboFix.txt.

I’m having a problem with ComboFix.
I copied the code to Notepad and tried dragging CFScript.txt onto ComboFix.exe, but I get an error message. I redownloaded ComboFix and get the same error message. Pic attached.

MBAR logs

Could you now reset (turn off and on) your System Restore? Follow this manual:
http://support.microsoft.com/kb/310405

Could you just post the fresh FRST logs instead? And tell me, are you still getting the avast! alerts?

I’ve reset my System Restore and attached the FRST logs.

I’m not sure which Avast alerts you are referring to. If the question is “has anything new been added to the chest in the last 2 days”, then no. If the question is “does avast alert/block me while I’m browsing online”, then I’m not sure, because I haven’t been paying attention. If you are asking whether I’m getting alerts while opening e.g. ComboFix, then yes.

That is a good answer. The following will just perform a small (post-cleaning) fix …

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1060933&SSPV=IENOSGBR
EmptyTemp:

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

newest scan :smiley:

Hi,

No, I do not need a new scan. I need you to create the fixlist.txt with the above code and execute that script by pressing the Fix button in FRST’s GUI.
Upon execution of the script (fixlist), the tool will create a new report named fixlog.txt. Post that here. :wink:

Hi
I think that’s what I did last night but ended up attaching the wrong thing. I’m sorry… (crazy hectic work day).
I redid it just in case.

The following will implement some post-cleanup procedures:

It is necessary to uninstall ComboFix:

• Click Start, then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

• In the line of text, type in (copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

• Then click OK (or press Enter).

Wait until the uninstall process is complete.

=> Manually delete the C:\FRST\Quarantine folder.

Then, tell me how is the computer (and AntiVirus) behavior now?

It’s not working

In terms of computer behavior… the two issues that originally alerted me (1 - Lenovo’s security manager no longer required a password to log in, and 2 - the wifi stopped automatically acquiring a network address) are still present today. I’m not sure if there is still something actively wrong with the laptop or if something was altered.
The fact that Avast has not moved anything new into the chest recently also doesn’t make me feel better, since on the day the laptop started behaving differently, according to Avast the system was secured. If I hadn’t done the boot scans I wouldn’t have known there were so many rootkits. Even though Avast quarantined them and the system was supposed to be secure once again, more rootkits were discovered on the following boot scans. Once Avast’s scans came up clean, Spybot found something. Once Spybot’s scans came up clean, Malwarebytes found something.
Have the scans I’ve been doing for you found anything?

This is what avast! reports as a rootkit.

File C:\drivers\other\Atmel TPM Driver Installer 3.0.3.15.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\drivers\other\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\Program Files\Lenovo\Client Security Solution\pda\MININT\System32\DRIVERS\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\SWTOOLS\DRIVERS\TPM\AtmelTPM\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\SWTOOLS\DRIVERS\TPMATMEL\Atmel TPM Driver Installer 3.0.3.15.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\SWTOOLS\DRIVERS\TPMATMEL\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211404.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211405.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211406.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211407.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211408.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211409.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\Downloaded Installations\{34B5287F-49E4-4E91-9765-7C971E906A69}\Client Security Solution.msi|>Data1.cab|>atmeltpm.sys.DF24503F_5215_4680_A5FD_D95B810F3388 is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\Downloaded Installations\{34B5287F-49E4-4E91-9765-7C971E906A69}\Client Security Solution.msi|>Data1.cab|>atmeltpm.sys.298D51BE_E56E_4798_9C66_D4D3C3CFDAA2 is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
Number of searched folders: 14699
Number of tested files: 924992
Number of infected files: 15

The detections in ‘System Volume Information’ are heuristic cache. By resetting System Restore, the problem will be resolved. The other detections are FPs.

My job here is to locate the active malware, if present, and target it. We did fix some things, but in reality you were not infected. I shall remove my tools now.

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
• Remove disinfection tools
• Create registry backup
• Purge System Restore
Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old System Restore points and creates a fresh System Restore point after cleaning.
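As an added example, not part of the thread or of avast!, ComboFix or any other tool used above: a small Python parser for result lines in the format of the aswBoot.txt excerpt posted earlier. It groups the detections by the file they ultimately point at, which is the check a practitioner wants before calling 15 "rootkits" an infection or a false positive: here every hit that still carries its real name resolves to one driver file (atmeltpm.sys), found in installers, driver backups and System Restore points. The line format and the sample lines are taken from the posted log (with the backslashes the forum ate restored); treating the GUID-style suffix on two of the entries as a removable component suffix, and the handling of System Restore's A0xxxxxx renaming, are assumptions.

```python
"""Group avast! boot-time scan detections by the file they really point at.

Added example for this thread, not part of avast! or any tool used above. The
result-line format is taken from the aswBoot.txt excerpt posted in the thread
(backslashes restored). Treating the GUID-style suffix on two entries as a
removable component suffix is an assumption, as is anything the lines don't show.
"""
import re
from collections import defaultdict

# One result line, as posted:  File <path>[|><member>...] is infected by <detection>, <action>
LINE_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<det>[^,]+), (?P<action>.+)$")
# A file stored directly in a System Restore point folder (RPnnn); System Restore renames
# such files to A0xxxxxx.<ext>, so their original name is not visible in the log.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)
# GUID-style suffix seen on two entries (atmeltpm.sys.DF24503F_5215_...); assumed removable.
SUFFIX_RE = re.compile(r"\.[0-9a-f]{8}(?:_[0-9a-f]{4}){3}_[0-9a-f]{12}$")

# The 15 detections from the boot-time log posted in the thread, plus one summary line.
SAMPLE_LOG = r"""
File C:\drivers\other\Atmel TPM Driver Installer 3.0.3.15.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\drivers\other\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\Program Files\Lenovo\Client Security Solution\pda\MININT\System32\DRIVERS\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\SWTOOLS\DRIVERS\TPM\AtmelTPM\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\SWTOOLS\DRIVERS\TPMATMEL\Atmel TPM Driver Installer 3.0.3.15.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\SWTOOLS\DRIVERS\TPMATMEL\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211404.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211405.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211406.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211407.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211408.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211409.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\Downloaded Installations\{34B5287F-49E4-4E91-9765-7C971E906A69}\Client Security Solution.msi|>Data1.cab|>atmeltpm.sys.DF24503F_5215_4680_A5FD_D95B810F3388 is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\Downloaded Installations\{34B5287F-49E4-4E91-9765-7C971E906A69}\Client Security Solution.msi|>Data1.cab|>atmeltpm.sys.298D51BE_E56E_4798_9C66_D4D3C3CFDAA2 is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
Number of infected files: 15
"""


def normalize_name(member: str) -> str:
    """Lower-case the innermost file name and drop a GUID-style component suffix."""
    return SUFFIX_RE.sub("", member.rsplit("\\", 1)[-1].lower())


def parse_log(text: str) -> list:
    """Parse result lines; header/summary lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        chain = m.group("path").split("|>")          # archive nesting: outer|>member|>member
        in_rp = bool(RESTORE_RE.search(chain[0]))
        records.append({
            "path": chain[0],
            "inner_name": normalize_name(chain[-1]),
            "detection": m.group("det").strip(),
            "action": m.group("action").strip(),
            "in_archive": len(chain) > 1,
            "in_restore_point": in_rp,
            # A loose file in RPnnn carries the A0xxxxxx name, not its real one;
            # a member inside an archived .msi keeps its real name.
            "renamed_by_restore": in_rp and len(chain) == 1,
        })
    return records


def summarize(records: list) -> dict:
    """Per detection name: counts plus the set of real file names behind the hits."""
    out = defaultdict(lambda: {"total": 0, "restore_point_copies": 0, "renamed_copies": 0,
                               "not_quarantined": 0, "distinct_files": set()})
    for r in records:
        s = out[r["detection"]]
        s["total"] += 1
        s["restore_point_copies"] += r["in_restore_point"]
        s["renamed_copies"] += r["renamed_by_restore"]
        s["not_quarantined"] += r["action"] != "Moved to chest"
        if not r["renamed_by_restore"]:
            s["distinct_files"].add(r["inner_name"])
    return dict(out)


def single_file_explains(summary: dict, detection: str) -> bool:
    """True when every hit that still carries its real name is the same file.
    That is the shape of a false positive on a vendor driver that lives in
    installers, driver backups and restore points. It is not proof: a real
    implant can be copied everywhere too, so verify the file's digital
    signature or hash against the vendor's copy before treating it as clean."""
    return len(summary[detection]["distinct_files"]) == 1


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for det, s in summary.items():
        print(f"{det}: {s['total']} hits, {s['restore_point_copies']} in restore points "
              f"({s['renamed_copies']} renamed by System Restore), {s['not_quarantined']} not quarantined")
        print("  real file names behind the hits:", sorted(s["distinct_files"]))
        print("  one file explains all hits:", single_file_explains(summary, det))
```

Run as a script it reports one detection name, 15 hits, 6 of them in the RP961 restore point (4 of those renamed to A02114xx.sys), and a single real file name behind everything else. The grouping only narrows the question to one file; the decisive check is still whether that file's signature or hash matches the vendor's atmeltpm.sys.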