Hello all
I downloaded Avast Antirootkit 0.9.6 and executed it on my Windows 2008 R2 VPS server.
It found 29 items on the HDD and a massive amount of items in the registry, more than 5000, and it is still running …
Is it safe to Delete all those items?
Thank you.
Is it safe to Delete all those items?
Impossible to answer without the log.
Avast has a rootkit scanner (GMER) integrated in the AV engine and will perform a rootkit scan 8 min after the computer starts.
Hello
thank you for your answer.
I downloaded it from http://files.avast.com/files/beta/aswar.exe
and executed it in the temp directory, and it is still running.
I see an aswar.log file in the program directory (it is currently about 2 MB) - do you need that file?
I did not restart my server; I just executed aswar.exe and clicked on Start scanning.
Thank you.
do you need that file?
To answer your question, yes.
Experts are notified, but they are probably not online before tomorrow.
Why are you running a rootkit scan? Any problems?
OK I will upload a log once scanning is finished.
A few days ago I saw that Google Chrome would not run any more (it displayed a sad face), so I asked Google for help.
They answered that I need to try running some malware software.
I tried many of them and noticed that some of them want to install a specific driver at Windows boot (to test the system), but they failed.
Then I was 99% sure that I had something, but only Avast Antirootkit actually said there were rootkits.
It has now been running for more than an hour and found more than 8000 items, so I’m waiting for it to finish.
I suppose I need to purchase some license to remove them?
Could you please give me any info about that?
Thank you.
I suppose I need to purchase some license to remove them?
No.
When the scan is finished, attach the log; don't remove anything.
Also see here > https://forum.avast.com/index.php?topic=194892.0
Scroll down to the second picture > Farbar Recovery Scan Tool
Follow the instructions and attach the two diagnostic logs.
Then an expert will assist you tomorrow.
OK, will do so, thank you.
Hi guys,
I just want to mention that aswar is a very old and obsolete version; you should not use it anymore.
Greetz, Red.
Is there any other Rootkit scanner for Windows Server 2008?
Thank you.
There are search engines.
If you are running a server and need to ask the things you did here, I suggest you hire a real admin.
Hello
I did try other rootkit scanners, but they cannot run because they cannot install some driver when booting. Only Avast was able to find them…
What real admin do I need to hire? Could you please give me more info?
Thank you.
I think the question is, why are you running Windows Server 2008? Are you providing services to users or just running a no-cost OS?
I’m running a VPS and Server 2008 is installed there.
For help, attach the requested logs.
Hello
I sent you a PM.
Thank you.
Attach the log files to your post here.
-
Thanks for the log files, but I am not going to download files from an unsecured, third-party site.
-
This is a VIRTUAL machine. None of Avast’s scanners are designed to work on a virtual system. You could see if a scan with TDSSkiller finds anything; it does not need a reboot to scan the system. However, if it does scan, the software will most likely find every file suspicious as the files’ characteristics are not the ones expected due to the system running in a Virtual container.
-
Being a virtual system, why not restart the server with a fresh image? Or re-install Chrome to see if that fixes the Chrome issue?
Hello
Those are 3 txt files inside a ZIP archive, nothing else. Do you have another option where I can upload the file? I cannot post my log files publicly.
TDSSKiller did not find anything, but it cannot install the boot driver, just like Malwarebytes and the others I tried. I suppose it is because of the virtual file system?
I cannot install a fresh image because I have running programs, a database, etc. I’m aware that I can move them to a new VPS, but if possible, I will try to clean the current system.
I reinstalled Chrome many times, it does not work. Chrome is not important at this moment.
Thank you for any help.
Does anyone want to help?
I can send log files on PM.
Thank you.
I will look at the log files PROVIDED my malware scanners say the file(s) are safe. What scanner produced these logs?