About a rootkit

Hello everybody,
My machine is protected by Avast Internet Security 2015.10.0.2208, all modules active except the firewall, as I have also had Online Armor Free for a few years, so I postponed the work of configuring a new firewall.
A few days ago, the antivirus alerted me that the Avast firewall service program was affected by a rootkit, so it restarted the machine to launch a scan at startup.
Reportedly, there is no rootkit anymore.
What is my reaction supposed to be?
In particular, is any new installation needed before activating the Avast firewall?
Considering the particularities of a rootkit, is it enough to use a program that was installed on the machine, and so was reachable by the rootkit itself, to get rid of it?

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Thanks, going to do that this Sunday.
I do not remember: must I ask, for each thread, to be notified of answers?
I see nothing for that in my profile …

[EDIT] For better readability: we spent some time finding the right menu for this question; the rest of the thread is on the next page.

OK, you’re welcome.
Go to: PROFILE → Notifications

You mean in there?

You know where the reply button is? … There is a notify button next to the reply button.

Yes.

This concerns the current thread, doesn’t it?

Well, as you see in the picture, in the Profile menu I have Summary, Account settings, Forum profile, Set password. Not Notifications. I had a glance in each of the first three sub-menus.

Under Look and Layout enable: Use sidebar menus instead of dropdown menus when possible.

Yes … the one I have used.

The one Asyn talks about is under Profile > Modify (left side) > Notifications (in the drop-down menu).

If you do as Asyn says and enable the sidebar menu, then it is a bit easier to navigate.

Maybe, as an administrator, you have a different menu; this is why I inserted a copy of the Profile menu.
It seems there are two things, apart from the password, that I can modify: account settings and forum profile.
In account settings I have only one column (unless you consider the field headers as a column).
In forum profile, the personalized picture is presented in several columns; the rest is in one column.

See attached screenshot.

If you do as Asyn says … enable the sidebar, then Notifications is on the left side.

It would be a good start if I could find that sidebar-enabling setting.
Do I find it in Profile / Account Settings, or in Profile / Forum Profile?

(And Pondus, you showed me an admin menu …)

Meanwhile, we’re way OT here. :wink:
Is your main concern the rootkit or the forum settings…!?

Got it!
It is in Account Settings, but there is another drop-down menu afterwards, called Modify Profile, and Notifications is in there.
Thank you.

(I was notified of an answer while I was writing this; I am going to look …)

MBAM found something, but is only about one tenth of the way through its scan. I wanted to finish with the forum settings before speaking of this again, because the two topics mixed together risked being unreadable.

OK, continue with your logs now.

So, first the context.
Windows XP Home SP3, 1024 MB RAM, 1596 MHz processor
Online Armor 4.0.0.14 Free (firewall, program guard)
Advanced SystemCare 8 (system consistency checks: disk, registry, shortcuts …)
Avast Internet Security (all modules activated except firewall)

Beginning of the results:

Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 01/02/2015 13:50:40, SYSTEM, UC00004, Manual, Remediation Database, 2013.10.16.1, 2014.12.6.1,
Update, 01/02/2015 13:50:40, SYSTEM, UC00004, Manual, Rootkit Database, 2014.11.18.1, 2015.1.14.1,
Update, 01/02/2015 13:51:15, SYSTEM, UC00004, Manual, Malware Database, 2014.11.20.6, 2015.2.1.3,

(end)
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 01/02/2015
Scan Time: 13:51:48
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.01.03
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 774439
Time Elapsed: 2 hr, 45 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Redir.ChercheUs, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MENUEXT\Recherche avec cherche.us, , [53f40712fe8c86b05e59370054b018e8],

Registry Values: 0
(No malicious items detected)

Registry Data: 11
PUM.Hijack.StartMenu, HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[3314e3367a109c9a45db9b0fb64f9e62]
PUM.Hijack.StartMenu, HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[fe49ec2de8a23ff7c15f8d1d31d4817f]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[2b1c2aefc1c934029090317925e052ae]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[f453c65377138ea8b9678d1d59ac6e92]
Hijack.SearchPage, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Page, http://www.cherche.us, Good: (http://www.google.com), Bad: (http://www.cherche.us),[60e748d1305afc3aaca4fcad27de6a96]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[c384c5546d1d2b0b7fa16b3f986dd12f]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[b69145d4ddad77bf59c76941b94cf10f]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1009-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[d0777d9cc8c238feb56b921870957f81]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1010-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[6bdce336e7a3c07628f88822b94c9a66]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1041-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[27208d8c85054ceabe62eebc09fcb54b]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[0c3b66b3bdcdce684ad69a10b550619f]

Folders: 0
(No malicious items detected)

Files: 4
PUP.Optional.Spigot.A, C:\Program Files\Application _Updater\ApplicationUpdater.exe, , [0047be5b3852d6608649aff89c652fd1],
Rootkit.Agent, C:\WINDOWS\1431312.exe, , [6add63b62a60290ddcbb61546d98a858],
Rootkit.Agent, C:\WINDOWS\8942531.exe, , [f750bb5e92f8063082153e770afb58a8],
PUP.Optional.Conduit.A, C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\ancien.bycojd1pdefault\prefs.js, Good: (), Bad: (user_pref("CT2067599.SearchFromAddressBarUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2067599&SearchSource=2&q=");), ,[2225b7623b4fda5c954443a616efff01]

Physical Sectors: 0
(No malicious items detected)

(end)

Synthesis of MBAM report:
Malicious items detected: 4
Non-malware items detected: 12

Now I am going to look at the next tool.
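The report above lists 16 detection rows across three sections (Registry Keys, Registry Data, Files), and the poster's synthesis splits them into 4 malicious and 12 non-malware items. The Python script below is an added example, not code from this thread or from Malwarebytes: it parses MBAM 2.x detection rows (family, location, Good/Bad values, 32-hex id), counts malicious versus non-malware items under the assumption that PUP.* and PUM.* are MBAM's potentially-unwanted classes and every other family is malware, pulls the affected user hives out of the HKU paths, and flags the pattern both Rootkit.Agent rows share (a digits-only .exe directly under C:\WINDOWS), which is this example's own heuristic rather than anything MBAM reports. The sample rows are copied from the report as posted. One caveat a responder would note from the same report: its scan-options header shows Rootkits: Disabled, so the two Rootkit.Agent rows appear under Files from the ordinary file-system pass, and this report says nothing about a hidden kernel component either way.

```python
"""Triage of a Malwarebytes Anti-Malware 2.x report (added example).

Not code from the forum thread or from Malwarebytes. The sample rows are
copied from the report posted in the thread; the triage rule (PUP.*/PUM.*
are non-malware, everything else is malware) and the "digits-only .exe in
the Windows directory" heuristic are this example's own assumptions.
"""
import re

# Constructed sample: the detection rows of the posted report, unchanged.
SAMPLE_LOG = r"""
Registry Keys: 1
Redir.ChercheUs, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MENUEXT\Recherche avec cherche.us, , [53f40712fe8c86b05e59370054b018e8],

Registry Data: 11
PUM.Hijack.StartMenu, HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[3314e3367a109c9a45db9b0fb64f9e62]
PUM.Hijack.StartMenu, HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[fe49ec2de8a23ff7c15f8d1d31d4817f]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[2b1c2aefc1c934029090317925e052ae]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[f453c65377138ea8b9678d1d59ac6e92]
Hijack.SearchPage, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Page, http://www.cherche.us, Good: (http://www.google.com), Bad: (http://www.cherche.us),[60e748d1305afc3aaca4fcad27de6a96]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[c384c5546d1d2b0b7fa16b3f986dd12f]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[b69145d4ddad77bf59c76941b94cf10f]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1009-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[d0777d9cc8c238feb56b921870957f81]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1010-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[6bdce336e7a3c07628f88822b94c9a66]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1041-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[27208d8c85054ceabe62eebc09fcb54b]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),[0c3b66b3bdcdce684ad69a10b550619f]

Files: 4
PUP.Optional.Spigot.A, C:\Program Files\Application _Updater\ApplicationUpdater.exe, , [0047be5b3852d6608649aff89c652fd1],
Rootkit.Agent, C:\WINDOWS\1431312.exe, , [6add63b62a60290ddcbb61546d98a858],
Rootkit.Agent, C:\WINDOWS\8942531.exe, , [f750bb5e92f8063082153e770afb58a8],
PUP.Optional.Conduit.A, C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\ancien.bycojd1pdefault\prefs.js, Good: (), Bad: (user_pref("CT2067599.SearchFromAddressBarUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2067599&SearchSource=2&q=");), ,[2225b7623b4fda5c954443a616efff01]
"""

# Row shape: "<Family>, <Location>, <details>, [<32-hex id>]" with a trailing
# comma on key/file rows but not on data rows; the regex accepts both.
ROW_RE = re.compile(r"^(?P<family>[A-Za-z0-9.]+), (?P<location>.*?), "
                    r"(?P<details>.*?)\[(?P<id>[0-9a-f]{32})\],?$")
BAD_RE = re.compile(r"Bad: \((?P<bad>.*)\),")     # greedy: the value may contain ')'
HKU_SID_RE = re.compile(r"^HKU\\(?P<sid>S-1-5-[\d-]+?)-\{", re.I)
WINDIR_NUMERIC_EXE_RE = re.compile(r"^[a-z]:\\windows\\\d+\.exe$", re.I)  # assumed heuristic
NON_MALWARE_PREFIXES = ("PUP.", "PUM.")


def parse_mbam_log(text):
    """Return one dict per detection row; section headers and filler are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue
        bad = BAD_RE.search(m.group("details"))
        sid = HKU_SID_RE.match(m.group("location"))
        rows.append({
            "family": m.group("family"),
            "location": m.group("location"),
            "bad": bad.group("bad") if bad else None,  # offending value, if recorded
            "sid": sid.group("sid") if sid else None,  # user hive, for HKU entries
        })
    return rows


def is_malware(family):
    """PUP./PUM. are MBAM's potentially-unwanted classes; all else is malware here."""
    return not family.startswith(NON_MALWARE_PREFIXES)


def describe_sid(sid):
    """Name the well-known hives, otherwise report the account RID."""
    known = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
    if sid in known:
        return known[sid]
    rid = sid.rsplit("-", 1)[1]
    return "built-in Administrator" if rid == "500" else "local account RID " + rid


def triage(rows):
    """Summarise the rows the way a responder would read them."""
    malware = [r for r in rows if is_malware(r["family"])]
    return {
        "malicious": len(malware),
        "non_malware": len(rows) - len(malware),
        "hives": sorted({r["sid"] for r in rows if r["sid"]}),
        "redirect_targets": sorted({r["bad"] for r in rows if r["bad"]
                                    and r["family"].startswith(("Hijack.", "Redir."))}),
        "windir_numeric_exes": [r["location"] for r in rows
                                if WINDIR_NUMERIC_EXE_RE.match(r["location"])],
    }


if __name__ == "__main__":
    summary = triage(parse_mbam_log(SAMPLE_LOG))
    print("Malicious items detected:", summary["malicious"],
          "/ Non-malware items detected:", summary["non_malware"])
    for sid in summary["hives"]:
        print("touched hive", sid, "->", describe_sid(sid))
    print("digits-only .exe under the Windows directory:", summary["windir_numeric_exes"])
```

Run on the posted rows, the script reproduces the poster's split (4 malicious, 12 non-malware) and shows two things the raw report makes easy to miss: the StartMenuLogoff modification touched ten hives, including the LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20) hives and the built-in Administrator account (RID 500), and the only file-level malware rows are the two digits-only executables in C:\WINDOWS, a naming pattern that is worth a standing detection rule on its own.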