Background info: This computer belongs to my mom, I thought the infection had been stopped from spreading to it by avast!. I was prompted Win32:Rootkit-gen [Rtk] and INF:AutoRun-gen@bhv [Wrm] when putting a USB drive into the computer but was told the infected files had been put into quarantine and system was safe etc. The USB drive was new and had only been inserted into one of my own computers before. That was on 2012-06-26 and I duly reformatted my computers (there was other evidence of them being infected as well though nothing showed on scans). I’ve scanned quite a few times with avast!, some other AV:s and MBAM and no finds until now, when avast! detects Sinowal-IK, Delf-MBA as well as several Java exploits (Java:CVE-2012-0507-D, Java:CVE-2012-0507-AX, Java:CVE-2012-0507-F, also Java:Downloader-BQ). All were moved to quarantine.

Computer is rarely used so I find it improbable it was infected some other time the preceeding month with a trojan seperately from my own infection.

The boot-up scan after moving these items to quarantine showed nothing, yet when opening Chrome the real-time protection was prompted (see attachment, unfortunately not in English but I’m sure the pertinent information can be understood).

MBAM scan found two infections that were removed (see attachment log).

OTL scans also attached.

My questions are threefold:

1. This system was lacking a firewall so I installed one (Zonealarm). Are there any other steps I should take to ensure protection? How can I know computer is safe just by nothing detected anymore? Nothing was found for a month, despite several scans, how do I know everything was found now?
2. Can the other computers be considered safe after a reformat? (In other words, is a rootkit of this type removed by a reformat?). Should I just reformat this computer as well?

Very grateful for any advice.

OTL log too large to attach with the other stuff so posted seperately.

Tried a few times unsuccessfully to create this topic, hope I didn’t manage to make several topics at once.

Hi Sinowal is an MBR type infection so I will need to check that out as well… You will lose flash in firefox/chrome as I am deleting a suspect flash file, a reinstall of flash will fix that.

I will also clear all temporary files

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll ()

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

[QUOTE]Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Thank you for your help. As far as I could see there were no extras log for this one, let me know if I missed anything.

Both MBR and OTL look OK … Are you experiencing anything unusual ?

I’ll check a few things that didn’t work previously and get back to you.

It’s my moms computer so can’t say for sure it’s unusual but there’s a lot of freezing and crashing, while trying Internet banking Chrome was frozen for 4 minutes before I terminated it. Wasn’t able to get a new Chrome or Firefox window open and working until I restarted the computer after five minutes or so of trying. It’s a fairly new computer, I removed most the bloatware that came with it and there’s almost nothing installed on it so I do find the behaviour a bit strange.

Also I assume this type of infection is supposed to go unnoticed, how certain can one be really just because the logs doesn’t show anything and does reformatting help?

edit: forgot to mention everything was fine at first for quite a while (at least over an hour) before any problems arose, no freezing or crashing or anything, it’s been fine now since the restart as well. Don’t know much about these things so I don’t know if it’s useful info or not. I do realize it could be unrelated. Thank you again for your help.

No I generally go by symptoms as opposed to the logs as there are thing I will not see

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Found 2 suspicious, cure not available.

A reformat kills this beastie, so you are OK there

How is this one behaving now as it may need repairs

Haven’t used it much except for replying to this topic and following instructions here so can’t say for sure. I suppose a clean full reformat would be best (would also get rid of the bloatware) but I don’t have Win 7 discs at hand currently, would factory reset work or could the recovery partition have been infected?

The recovery partion is a protected one and it generally is nice and safe

That’s good to hear. Thank you for your advice.