Rootkit infection? - please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Betsyboo, Feb 7, 2010.

  1. Betsyboo

    Betsyboo Private E-2

    Hello
    I am truly sorry to post this thread - I still have another thread from over a week ago with a previous infection, but I thought I was clean from that one and, to be honest, because I said I thought I was clean I'm not sure if I'll get a reply to the first one...

    Another user on my pc is having problems that aren't showing on my user account. Several windows open when they log on and each says that it is trying to open a different file, "You have chosen to open xxxxx.exe (or .dll etc) from pathname. Would you like to save this file? SaveFile / Cancel". We cannot access the internet from this account.

    Avast! found Win32-Rootkit-gen(RTK) which it quarantined.

    I have run your Read & Run Me routine again but could not get CCleaner to run in the dodgy account, although it ran on all the others.
    SuperAntispyware, MalwarebytesAntiMalware & Mgtools all ran ok with nothing found. Tried to run RootRepeal but had to stop it after 3 hours as it seemed to be taking so long again (last time it ran for 2.5 days and still didn't finish)
    I have had a window pop-up for Download Helper 4.4.1.
    As part of the Read & Run me routine I had disabled SpywareDoctor and now I can't start it up again - don't know if this is due to malware or my stupidity!

    After the first infection last week I followed your How to Protect Yourself from Malware and have installed Comodo but I'm not sure if I'm blocking things that I should be allowing, so don't know if I'm making things worse through ignorance.

    Can you please please help me - I am not at all computer savvy and am now getting very confused. Have attached the logs that I have. THANK YOU.

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Which user account did you run the scans on? Our previous thread on your user account or one of the other user accounts on this system? Because I am not seeing anything in this account.

    Why did you not give us the exact path to the file that Avast is reporting? I need to know that.

    Did you run MBAM and SAS on this "infected user account"?
     
  3. Betsyboo

    Betsyboo Private E-2

    Hi and thanks for helping me.

    I ran CCleaner on each user account but it would not run on the Katie account (I did this 3 days ago and cannot remember exactly what messages I got, sorry).

    I ran SuperAntispyware, MBAM and Combofix from the Liz (admin) account, because I thought that they would check all the files on the computer, not just those associated with the Liz account - is this correct?

    AVAST picked up Win32-Rootkit-gen(Rtk) in
    c:\windows\system32\config\systemprofile\appdata\local\av.exe.

    I still can't enable SpywareDoctor (paid-for version) - should just be able to click a button to do this, but nothing happens. SpywareDoctor has disappeared from my system tray (the one by the clock).

    The "James" user account does not load properly - just get a blue screen for ages that says "Preparing your desktop..." and then two windows, one of which says
    "Windows cannot open this file
    ie4unit.exe
    . use the web service to find the correct program
    .select a program from a list of installed programs"
    When I eventually manage to log on to this account, it says,
    "User profile not loaded correctly, temporary profile created"

    When I log on to the "Katie" and the "JakeisgaywithJames" (sorry) accounts, several windows open, each says
    "Opening xxxxxxxx.exe
    You have chosen to open xxxxxxx.exe
    which is a: exe file
    from pathname
    Would you like to save this file?
    Save file/Cancel"

    I can close all these windows, but when I want to run anything from the desktop, this window pops up again. Several icons on the desktop are not showing correctly, and on the Katie desktop have been replaced by the Firefox icon. On the JakeisgaywithJames desktop, they have been replaced by the CCleaner icon.

    I am also getting the message
    "Location not available.
    c:\Documents and Settings is not accessible
    Access is denied"
    for several folders including c:\Users\All Users\Desktop
    when I use explorer.

    Sorry that this is so long, but I don't know what is important and what's not.

    Thanks again.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The malware that you did have probably corrupted a bunch of files. What I suggest you do is to log into each user account (other than yours) and save any important files or data onto a CD. Once you have saved what you need, remove those user accounts and create new ones. You should also try uninstalling Spyware Doctor and then run CCleaner to remove any leftovers, and then after a reboot, reinstall it.

    Tell me how that goes.
     
  5. Betsyboo

    Betsyboo Private E-2

    Hi TimW
    Thanks for the advice - this'll take me a while to do! I'll let you know how things are when I've done.

    Liz
     
  6. Betsyboo

    Betsyboo Private E-2

    Hi
    I have now got rid of the "Location not available" msg by disabling "show hidden files" which I hadn't done after my previous clean-up.

    Apparently the "infected" Katie user account was ok for a couple of days after my first clean-up and didn't have all these windows popping up when you logged onto it. On 6th Feb we got the msg that Microsoft.NET Framework Assistant 1.1 had been installed as an add-on, and these problems seem to have started after that.

    It is going to be a huge job to back up all the data on the infected account onto cd - can I either copy it onto my external hard drive (J:), OR do a system restore to before the Microsoft.NET was installed OR should I uninstall Microsoft.NET OR am I barking up the wrong tree?

    Thanks
    Liz
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can back up to an external drive, as long as it is only data files. .NET Framework should not be causing you any issues. Did you run sfc /scannow? It will check your file integrity. Just go to start / run / and type:
    sfc /scannow

    Get me the logs from running SAS and MBAM on these two troublesome user accounts and attach the logs.
     
  8. Betsyboo

    Betsyboo Private E-2

    Hi
    After your post on 9th Feb I deleted the "Jakeisgaywithjames" and the "James" user accounts. The Jakeisgaywithjames account has completely disappeared with no trace of any files that I can see. The James account SEEMS to have disappeared but the C:\Users\James folder and sub-folders are still there. Some folders have files in even though I thought I had deleted them. (The icon on the welcome screen where you would normally log on to the account has disappeared so it LOOKS as though the account no longer exists.)

    I haven't deleted the suspicious "Katie" account because I haven't had the time to copy all the data files yet, so I created a new "KT" account as a temporary measure. This has exactly the same problem as the suspicious Katie account - all the programs that load up at logon want to open in the same window, this time Nikon Viewer because that was the first one that came up and I clicked on it. Now everything wants to run in Nikon Viewer but nothing WILL run. I have managed to get Internet Explorer to run from this new logon, though.

    I had to run sfc /scannow from the Command Prompt with the path
    C:\Windows\system32>sfc /scannow
    Hope this was ok - it "did not find any integrity violations."

    I cannot run either SAS or MBAM from the Katie account because they want to open in Firefox. I tried to use explorer to find the .exe files and run them, but the same thing happened (these programs both have the Firefox icon instead of their own). I don't know how to run them in SAFE mode.

    BTW a new user account has appeared, called ASP.NET Machine Account. It is a standard user, password protected, and can only be seen from Control Panel.

    Thanks for your help.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is no evidence of malware on your system, so I think you have some corrupt accounts. I am going to suggest you post in the software forum to have others help you with removing user accounts and building new ones.

    I don't know what you did with the new account you created ( KT ), but if you copied over things from the Katie account, that could be the problem.

    If you need to activate the Administrators account to work out of, you can do that by going to start / programs / accessories / then right click on cmd / choose Run as Administrator and in the command prompt type:
    Net user administrator /active:yes

    Make sure you get a success message and then type:
    exit

    You should be able to now log into the Admin. account.

    BTW, you have all these accounts:
    All Users
    DEFAULT
    Default User
    jakeisgaywithjames
    JAMES
    KATIE
    LIZ
    PUBLIC
    TEMP
    TEMP.DowlingComputer.000
    TEMP.DowlingComputer.001
    TEMP.DowlingComputer
    TOB
    Liz
    The Gay

    Since you are not having any malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
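A read-only diagnostic for the account and profile situation described in this thread, added here as an example; it is not part of the thread or of MajorGeeks' own procedures. It (a) lists local accounts and whether each is enabled, the same information the net user commands above work with; (b) finds profile folders under C:\Users with no entry in the registry's ProfileList, which is the state reported earlier where C:\Users\James remained after the account was deleted; and (c) reports the current user's .exe handler settings, because "every program wants to open in Firefox" is the classic symptom of a changed .exe file association, which the thread did not check. The expected values in the comments are assumptions about a stock installation; the script changes nothing.

```powershell
# Added diagnostic (not from the thread or MajorGeeks). Read-only: nothing is changed.
# Run from an elevated PowerShell prompt (right-click, Run as Administrator).

# 1. Local accounts and whether each is enabled (equivalent of "net user").
$accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, SID
"== Local accounts =="
$accounts | Format-Table -AutoSize | Out-String

# 2. Profile folders under C:\Users that are not registered in ProfileList.
#    A folder such as C:\Users\James left behind after deleting the account
#    shows up here as orphaned.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$registered = Get-ChildItem $profileList | ForEach-Object {
    (Get-ItemProperty $_.PSPath).ProfileImagePath
} | Where-Object { $_ } | ForEach-Object {
    [Environment]::ExpandEnvironmentVariables($_)
}

$usersRoot = Join-Path $env:SystemDrive 'Users'
"== Profile folders with no ProfileList entry (orphaned) =="
Get-ChildItem $usersRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    # -notcontains compares strings case-insensitively, so C:\Users\james matches too
    if ($registered -notcontains $_.FullName) { $_.FullName }
}

# 3. Per-user and machine-wide handlers for .exe files.
#    Assumption about a stock installation: there is no per-user .exe override
#    under HKCU, no UserChoice entry for .exe, and the machine-wide open command
#    for exefile is "%1" %*. Anything else deserves a closer look when every
#    program "wants to open in Firefox".
"== .exe handler =="
$userExe = 'HKCU:\Software\Classes\.exe'
if (Test-Path $userExe) {
    "Per-user HKCU\Software\Classes\.exe exists: " + (Get-ItemProperty $userExe).'(default)'
} else {
    "No per-user HKCU\Software\Classes\.exe override (expected)"
}

$userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
if (Test-Path $userChoice) {
    "UserChoice ProgId for .exe: " + (Get-ItemProperty $userChoice).Progid
} else {
    "No UserChoice entry for .exe (expected)"
}

$openCmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
"exefile open command: $openCmd   (expected: `"%1`" %*)"
```

Because section 3 reads the current user's hive, run it while logged on as the affected account (Katie or KT in this thread) to see that account's settings; sections 1 and 2 give the same answer from any elevated prompt. Get-WmiObject and the registry provider paths used here are available on Windows Vista and later.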
  10. Betsyboo

    Betsyboo Private E-2

    Thanks so much for all your help, I'll post in the software forum now to carry on.

    Liz
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Good luck!! :)
     
