Every scanner picks up a different infection

[REDACTED]

Hi
I think that's what I did last night but ended up attaching the wrong thing. Im sorry.... (crazy hectic work day).
I redid it just in case.

[magna86]

• The following will implement some post-cleanup procedures:






It is necessary to uninstall ComboFix :

• Click Start (or ) then Run.
  
  
  On Windows7 or Vista you may use Start Search field if Run is not available.
  
  
• In the line of text type in (Copy) the following:

Code: [Select]

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

• then click OK (or press Enter ).

Wait for the uninstall process is complete.


=> Manualy delete the C:\FRST\Quarantine folder.




Then, tell me how is the computer (and AntiVirus) behavior now?

[REDACTED]

It's not working

[REDACTED]

In terms of computer behavior…the two issues that originally alerted me (1-Lenovo’s security manager no longer required a password to log in and 2- the Wifi stopped automatically acquiring a network address) are still present today. Im not sure if there is still something actively wrong with the laptop or if something was altered.
The fact that Avast has not moved anything new into the chest recently also doesn’t make me feel better since the day the laptop started behaving differently according to Avast the system was secured. If I hadn’t done the boot scans I wouldn’t have known there were so many rootkits. Even though Avast quarantined them and the system was supposed to be secure once again, more rootkits were discovered on the following boot scans. Once Avast’s scans came up clean, Spybot found something. Once Spybot’s scans came up clean Malwarebytes found something.
Have the scans I’ve been doing for you found anything?

[magna86]

This is what avast! says as RootKit.


File C:\drivers\other\Atmel TPM Driver Installer 3.0.3.15.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\drivers\other\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\Program Files\Lenovo\Client Security Solution\pda\MININT\System32\DRIVERS\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\SWTOOLS\DRIVERS\TPM\AtmelTPM\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\SWTOOLS\DRIVERS\TPMATMEL\Atmel TPM Driver Installer 3.0.3.15.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\SWTOOLS\DRIVERS\TPMATMEL\AtmelTpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211404.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211405.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211406.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211407.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211408.msi|>Data1.cab|>atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP961\A0211409.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\Downloaded Installations\{34B5287F-49E4-4E91-9765-7C971E906A69}\Client Security Solution.msi|>Data1.cab|>atmeltpm.sys.DF24503F_5215_4680_A5FD_D95B810F3388 is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\Downloaded Installations\{34B5287F-49E4-4E91-9765-7C971E906A69}\Client Security Solution.msi|>Data1.cab|>atmeltpm.sys.298D51BE_E56E_4798_9C66_D4D3C3CFDAA2 is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atmeltpm.sys is infected by Win32:Rootkit-gen [Rtk], Moved to chest
Number of searched folders: 14699
Number of tested files: 924992
Number of infected files: 15


The detection in 'System Volume Information' are heuristic cache. By reseting the system restore, problem shall be resolved. The other detections are FP.

My job here is to located the active malware if present and target the same. We did fix some things but in real you where not infected. I shall remove my tools now.

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

[REDACTED]

I’m very sorry if my question seems repetitive. I just wanted to make sure the system is clear – should I be concerned that there is a discrepancy between what the avast report is showing (that all infections have been moved to the chest) and the pic I sent in the 2nd msg which shows the avast screen I see and that some infections could not be moved?

Also the Avast rootkit report references the Atmel TPM Driver and Lenovo’s client security solutions  which I thought were responsible for the laptop’s password protection which is currently not working (pic attached). How do I get that to work again?

Any advice on the wifi being unable to automatically acquire an address? Will I have to go into properties and check off “use windows to configure my wireless network” every single time I power on the laptop? 

And finally do you have any advice as to which malware software, other than avast, I should keep on my comp (malwarebytes? Spybot? ) Any online scanners I should use periodically?

Thank you so much for you time 

[magna86]

I told you, the detection are FP. I would suggested you to make a contact with  avast! Team using this link:

http://www.avast.com/contacts
Peek into 'Report a Virus' sections

Between MBAM and SpyBoot ... SpyBoot was a great software but it can not follow current modern malware. Keep MBAM along with avast!

[REDACTED]

Thank you so much for your help   

[magna86]

 

[REDACTED]

Ugh! New stuff after Delfix was run. I thought the "system Volume Information" stuff was going to resolve itself after resetting the system.


8/29/2014 4:38:01 AM   C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP996\A0218277.exe [L] Win32:Dropper-gen [Drp] (0)
File was successfully moved to chest...
8/29/2014 7:38:45 AM   C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP997\A0218640.exe [L] Win32:Dropper-gen [Drp] (0)
File was successfully moved to chest...

[Pondus]

Ugh! New stuff after Delfix was run. I thought the "system Volume Information" stuff was going to resolve itself after resetting the system.


8/29/2014 4:38:01 AM   C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP996\A0218277.exe [L] Win32:Dropper-gen [Drp] (0)
File was successfully moved to chest...
8/29/2014 7:38:45 AM   C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP997\A0218640.exe [L] Win32:Dropper-gen [Drp] (0)
File was successfully moved to chest...

is is in a restore point so a backup of previous infection ..... you dont need that so delete restore points and create new

[REDACTED]

I thought using Delfix purged system restore points and created new ones. The two came up after using Delfix. Do I download delfix again??