Author Topic: Possible Rootkit/Trojan(s)  (Read 12342 times)


CamB

  • Guest
Re: Possible Rootkit/Trojan(s)
« Reply #15 on: September 15, 2010, 09:56:44 PM »
Hi again. You told me to tell you if I still have any problems, so here I am. I'm having the same problems as before, although I'm a little more confident that the computer is clean.

I ran both avast and Avira, neither found any infections (I then removed Avira). Malwarebytes found 4 files that it labeled "Security.Hijack". It claims to have successfully quarantined and removed them, and a re-scan found nothing. I've attached the MBAM log in case you're interested in taking a look. Ad-Aware and SuperAntiSpyware found a lot of cookies, but that's all (I've since removed Ad-Aware).

I followed your cleanup instructions, removing all the programs and defragmenting and such. However, the problems I've mentioned previously are still here. I can't use my flash drive in this computer now (and I know it's not a problem with the flash drive, as it works fine in other computers), and the computer hangs at startup. The Windows theme that plays when you log on to an account is delayed by at least 4 or 5 minutes, and during that time, I can't use the task bar, the task manager, or do much of anything.

Obviously, I'm not the expert here, but could the .sys files that avast moved to the virus chest be causing this? If avast is preventing those from running, maybe that could be causing some errors.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible Rootkit/Trojan(s)
« Reply #16 on: September 15, 2010, 10:02:06 PM »
Run MBAM again and delete the IFEO registry files - unless you have already done so

Does Windows see your flash drive?

Go to Control Panel > Device Manager and let me know if there are any yellow exclamation marks



CamB

  • Guest
Re: Possible Rootkit/Trojan(s)
« Reply #17 on: September 15, 2010, 10:16:19 PM »
Yes, when I inserted the flash drive, the USB Mass Storage Device listing under the Universal Serial Bus Controllers list has an exclamation mark next to it. It says under Properties that "Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged".

The same message and exclamation marks appear next to Microsoft Kernel Acoustic Echo Canceller, Microsoft Kernel Audio Splitter, Microsoft Kernel DRM Audio Descrambler, and Microsoft Kernel GS Wavetable Synthesizer under Sound, video and game controllers.

Also, I believe that MBAM deleted those IFEO registry files, but how can I make sure? I don't know where they're located on the computer.

essexboy
Re: Possible Rootkit/Trojan(s)
« Reply #18 on: September 15, 2010, 10:48:20 PM »
Just run MBAM again and then delete them if they are there

Just checking on the drivers. I believe it is just a matter of uninstalling them, rebooting and then letting Windows re-install. I will check though.
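
For anyone wondering, as CamB did, where the IFEO entries essexboy refers to actually live: they are "Debugger" values under the Image File Execution Options key, and such a value redirects every launch of the named program to the listed executable (which is how security tools get blocked). The script below is an added example, not from this thread or from MBAM; it only lists what is there so you can compare with the MBAM log before deleting anything.

```powershell
# Added example: list IFEO "Debugger" redirections. Legitimate entries are rare
# (a developer's debugger, or a vendor's own tool); anything pointing at an
# unknown .exe, or at a program that no longer exists, is worth investigating.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# On 64-bit Windows, 32-bit programs are also covered by the Wow6432Node copy.
$keys = @($ifeo)
$wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
if (Test-Path $wow) { $keys += $wow }

foreach ($root in $keys) {
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Only subkeys that carry a Debugger value redirect a program.
        if ($props.PSObject.Properties['Debugger']) {
            New-Object PSObject -Property @{
                Target   = $_.PSChildName   # the program being hijacked, e.g. mbam.exe
                Debugger = $props.Debugger  # what Windows runs instead
                KeyPath  = $_.PSPath
            }
        }
    }
} | Format-Table Target, Debugger, KeyPath -AutoSize

# Once you have confirmed an entry is malicious, removing just the Debugger value
# (not the whole subkey) restores normal launching of that program:
#   Remove-ItemProperty -Path "$ifeo\mbam.exe" -Name Debugger
```

Run it from an elevated PowerShell prompt; an empty table means no program on the machine is currently being redirected.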

SafeSurf

  • Guest
Re: Possible Rootkit/Trojan(s)
« Reply #19 on: September 22, 2010, 11:36:48 AM »
@ Essexboy,

The OP is now having additional problems and opened a new thread: http://forum.avast.com/index.php?topic=64176.0.  I redirected him to return here for your instructions.

essexboy
Re: Possible Rootkit/Trojan(s)
« Reply #20 on: September 22, 2010, 09:23:58 PM »
Aye 'tis a worm from an e-mail attachment or USB drive

CamB

  • Guest
Re: Possible Rootkit/Trojan(s)
« Reply #21 on: September 23, 2010, 01:47:01 AM »
Okay, so back to this thread. Sorry if I made a new one unnecessarily.

Anyway, I'm a little confused now. Is my computer clean or not? Essexboy concluded that it was earlier, and several virus/malware/spyware scans came up clean as well. And is this advice about restoring one of the files and submitting it to VirusTotal good? It seems to me like if those files are indeed infected restoring any of them would be the last thing I would want to do.

Also, I don't know if this matters now, but I'm fairly certain I haven't gotten any viruses from e-mails, as I haven't received any e-mails without already knowing where they came from, and I haven't opened most of them, let alone opened any attachments or clicked any links.

SafeSurf

  • Guest
Re: Possible Rootkit/Trojan(s)
« Reply #22 on: September 23, 2010, 03:13:37 AM »
Do you use a USB / flash drive? I know Essexboy will be back, but in the meantime, install protection against autorun.inf with Panda USB Vaccine for USB devices: http://www.pandasecurity.com/homeusers/downloads/usbvaccine/. You will receive an email from them with a link to download the software.

The software will ask you to "vaccinate" your machine...click on the box to say yes as this will disable autorun and prevent autorun.inf infections on your machine from propagating or in the future; should you want to reverse this in the future you just un-tick the box. It will also ask you to vaccinate USB, flash drives, etc. whenever one is inserted into your machine no matter what drive...you can either say yes (resident) or no (on-demand: as long as you remember to do it every time a NEW device is put in your machine). Once a device is vaccinated, it's done.

If you previously used a USB/flash drive in the past that now is infected, right click from Windows Explorer and do a full format to cleanse your USB/flash drive.
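
To see whether the autorun protection SafeSurf describes is actually in place, the script below is an added example (not from this thread or from Panda) that reads the Explorer autorun policy and then inspects autorun.inf on every removable drive. It assumes, as Panda documents, that drive vaccination leaves a protected AUTORUN.INF folder behind, so a folder is the expected state and a plain autorun.inf file is the thing to look at.

```powershell
# Added example: report the autorun policy and the autorun.inf state of removable drives.
# NoDriveTypeAutoRun is a bitmask; 0xFF disables AutoRun for every drive type.
$policyKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

foreach ($key in $policyKeys) {
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($val -eq $null) {
        "$key : NoDriveTypeAutoRun not set (Windows default applies)"
    } elseif ($val -eq 0xFF) {
        "$key : NoDriveTypeAutoRun = 0xFF (AutoRun disabled for all drives)"
    } else {
        "$key : NoDriveTypeAutoRun = 0x{0:X2} (AutoRun still allowed for some drive types)" -f $val
    }
}

# DriveType 2 = removable disk (USB sticks, card readers).
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $drive = $_.DeviceID
    $path  = Join-Path $drive 'autorun.inf'
    if (Test-Path $path -PathType Container) {
        "$drive : autorun.inf is a folder (vaccinated, nothing can be written there as a file)"
    } elseif (Test-Path $path -PathType Leaf) {
        "$drive : autorun.inf FILE present - contents follow, check what it tries to run:"
        Get-Content $path
    } else {
        "$drive : no autorun.inf"
    }
}

# To disable AutoRun machine-wide without third-party software (run elevated):
#   Set-ItemProperty -Path $policyKeys[0] -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
```

An autorun.inf file whose "open=" or "shellexecute=" line points at an executable on the stick is what a USB worm uses to start itself; a full format of the drive, as SafeSurf says, removes both the file and the payload it points at.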