Avast! finds a root-kit... then a blue screen appears!

When I updated Windows today, after an Avast! scan, a root-kit was found in C:/Windows/SoftwareDistribution/Downloads/89… I started running Malwarebytes, as Avast! said it couldn’t move the file to its virus chest or delete it (it couldn’t be found). I also started scanning with aswMBR and RogueKiller. Then I got a Blue Screen with the message attached in the LOG.txt file after I rebooted in safe mode… I rescanned with Avast!, aswMBR, RogueKiller and MBAM, and nothing was found after the restart… This is also why I don’t have the entire name of the root-kit file that was found: Avast! crashed and the log never got made. Thanks for your patience!

  • In the BSOD report, it says quote on quote: Files that help describe the problem:
    C:\Windows\Minidump\041114-12604-01.dmp.
    Will this file be of any use?
  • Could this just be a false positive, or a problem with a new Windows update?

Let’s get some queries answered:

[*]Did the BSOD occur before or after running aswMBR and RogueKiller?
[*]Did the BSOD persist after a reboot, or was that a one-time event?
[*]When avast! found the rootkit, what action was taken, i.e. move to chest, delete, et cetera?

Answer the above while I analyze your log. Since I am a mentee, my reply needs to be approved by our expert Essexboy prior to posting here. I ask for your forbearance; take this as a good sign, as you now have two pairs of eyes looking at your issue.

Regards,
Valinorum

Here’s the exact order everything occurred in…
Avast! was the first scan run, and it found the rootkit.
I proceeded to download aswMBR, MBAM and RogueKiller…
I ran RogueKiller and aswMBR at the same time; RogueKiller finished.
When RogueKiller stopped, I started a scan with MBAM (it might be useful to know that the rootkit search was checked on the MBAM scan).
aswMBR finished, and a minute or less after, while MBAM was still scanning, the BSOD occurred.

I haven’t gotten a BSOD since the first one, and this was the first time I’ve got one on this drive that I know of.

First I tried to move it to the chest, but Avast! said the file was not found, then I tried to delete it, but Avast! wouldn’t let me do that either.

Thank you for the information and your help so far! :slight_smile:

Please attach the RogueKiller and Malwarebytes’ Anti-Malware logs for my perusal.

Sorry to interfere with your training, Valinorum… Just wanted to say welcome and have a good time training here. If you need anything, do not hesitate to ask me!

You were not interfering, Michael. Thank you for the kind welcome. I’d have introduced myself but could not locate any “Meet and Greet” section, which is fine by me as they are easily spammed. I am sure that I will learn a lot from all the experts here. Expect my question-flood – I ask a lot :slight_smile: . Also, if you ever visit GeekToGo, you can find me under the same username.
Once again, thank you for the welcome. :slight_smile:
Regards,
Valinorum

Hi, I would PM you if I could… I have a G2G account. Just not active. Good luck!!

Thank you and you take care as well. :slight_smile:

Hi Thundagia, :slight_smile:

Do you still get rootkit alert?

[*]Step #1 Fix with OTL
[*]Re-run OTL by right clicking and choosing Run as administrator;
[*]Under the Custom Scans/Fixes Box copy and paste the following contents inside the quote box. (Do not include the word ‘quote’).

:Commands [createrestorepoint]

:OTL
SRV - [2014/04/07 14:19:48 | 004,492,776 | ---- | M] (iolo technologies, LLC) [Auto | Running] -- C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
O4 - HKLM…\Run: File not found
O13 64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
[2014/04/11 19:19:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Mechanic Professional
[2014/04/11 19:19:58 | 002,155,152 | ---- | C] (iolo technologies, LLC) -- C:\Windows\SysNative\Incinerator64.dll
[2014/04/11 19:19:58 | 002,097,984 | ---- | C] (iolo technologies, LLC) -- C:\Windows\SysWow64\Incinerator32.dll
[2014/04/11 19:19:56 | 000,000,000 | ---D | C] -- C:\ProgramData\ioloGovernor
[2014/04/11 19:19:55 | 000,057,584 | ---- | C] (iolo technologies, LLC) -- C:\Windows\SysNative\iolobtdfg.exe
[2014/04/11 19:19:55 | 000,000,000 | ---D | C] -- C:\Users\Cintra\AppData\Roaming\ioloGovernor
[2014/04/11 19:19:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iolo
[2014/04/11 19:09:19 | 000,000,000 | ---D | C] -- C:\Users\Cintra\AppData\Roaming\iolo
[2014/04/11 19:09:19 | 000,000,000 | ---D | C] -- C:\ProgramData\iolo
[2014/04/07 14:44:48 | 000,026,184 | ---- | M] (iolo technologies, LLC) -- C:\Windows\SysNative\smrgdf.exe
[2014/04/11 19:20:55 | 000,000,406 | ---- | C] () -- C:\Windows\SysNative\ioloBootDefrag.cfg
[2014/04/11 19:19:59 | 000,001,477 | ---- | C] () -- C:\Users\Cintra\Desktop\System Mechanic Professional.lnk

:Commands
[emptytemp]


[*]Click on “Run Fix” and let the program run unhindered;
[*]Your PC will reboot automatically and a log will be opened;
[*]Please post it in your next reply.


[*]Required Log(s):
[*]OTL Fix Log

Regards,
Valinorum
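An added example, not OTL’s or the forum’s own code: it parses the file entries from an OTL fix script like the one in the post above and groups them by publisher and creation time, which is the usual way to tell a burst of files from one product install apart from scattered drops. The line layout is inferred from the entries above; the sample entries are copied from that script, and the en/em dashes are how the forum rendered OTL’s `--` and `---D`.

```python
import re
from collections import defaultdict
from datetime import datetime

# One OTL "created/modified file" line as laid out in the fix script above (layout
# inferred from those lines): [YYYY/MM/DD hh:mm:ss | size | attrs | C|M] (publisher) -- path
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<publisher>[^)]*)\) )?"
    r"-- (?P<path>.+)$"
)

def normalise(line):
    # The forum rendered "--" and "---D" as en/em dashes; undo that first.
    return line.replace("\u2014", "---").replace("\u2013", "--").strip()

def parse_entry(line):
    m = OTL_ENTRY.match(normalise(line))
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
    e["size"] = int(e["size"].replace(",", ""))
    e["is_dir"] = "D" in e["attrs"]
    return e

def triage(lines):
    """Group entries by publisher and measure each group's time span: many files from
    one publisher within a minute or two look like a single product install."""
    groups = defaultdict(list)
    for line in lines:
        e = parse_entry(line)
        if e:
            groups[e["publisher"] or "(no publisher)"].append(e)
    report = {}
    for pub, entries in groups.items():
        times = sorted(e["ts"] for e in entries)
        report[pub] = {"count": len(entries),
                       "span_seconds": int((times[-1] - times[0]).total_seconds()),
                       "paths": [e["path"] for e in entries]}
    return report

# Sample input: five entries copied from the fix script in the post above.
SAMPLE = [
    r"[2014/04/11 19:19:58 | 002,155,152 | ---- | C] (iolo technologies, LLC) -- C:\Windows\SysNative\Incinerator64.dll",
    r"[2014/04/11 19:19:55 | 000,057,584 | ---- | C] (iolo technologies, LLC) -- C:\Windows\SysNative\iolobtdfg.exe",
    r"[2014/04/07 14:44:48 | 000,026,184 | ---- | M] (iolo technologies, LLC) -- C:\Windows\SysNative\smrgdf.exe",
    r"[2014/04/11 19:20:55 | 000,000,406 | ---- | C] () -- C:\Windows\SysNative\ioloBootDefrag.cfg",
    "[2014/04/11 19:19:59 | 000,000,000 | \u2014D | C] \u2013 C:\\ProgramData\\ioloGovernor",  # as the forum rendered it
]
```

Calling `triage(SAMPLE)` shows the three iolo-signed files clustered with the install, and the two unsigned entries within a minute of each other.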

No, I haven’t since!
Thank you for your help! The log should be attached below!
And welcome to the Avast! forums, I hope you enjoy your time here! :wink:

No, I haven't since!
Good news. ;D
And welcome to the Avast! forums, I hope you enjoy your time here! ;)
Thank you for your kind welcome. :)
I have submitted your fix to Essexboy and will post here after his approval. Thank you for your patience.

Regards,
Valinorum

Hi Thundagia, :slight_smile:

[*]Step #2 Scan with Malwarebytes’ Anti-Malware
[*]Download Malwarebytes’ Anti-Malware from the suitable link below –
[list][*]Download Link #1
[*]Download Link #2
[*]Download Link #3
[*]Double-click mbam-setup.exe to install the application.
[*]Before clicking Finish perform the following actions –
[*]Un-check the box beside Enable free trial of Malwarebytes Anti-Malware Premium.
[*]Check the box beside Launch Malwarebytes Anti-Malware.
[*]Once the program has loaded, the MBAM dashboard will appear with an alert to update; click the green button Update Now;
[*]Click on Settings;
[*]Navigate to the tab Detection and Protection and check all the boxes under Detection Options;
[*]From the Dashboard click on Scan Now;
[*]If threats are detected click on Apply actions. If the program asks to reboot your PC, let it do so;
[*]On completion of the scan click on View Detailed Log, then click on the Export button, select Text File and save the log to your Desktop;
[*]Attach the log in your next reply.[/list]


[*]Step #3 Run ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Vista / 7 users: You will need to right-click on either the Internet Explorer or Firefox icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

[*]Please go here then click on:
http://2-ps.googleusercontent.com/x/www.geekstogo.com/i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif.pagespeed.ce.drf6rgtaCz.gif

[b]Note[/b]:[i] If using Mozilla Firefox you will need to download [b]esetsmartinstaller_enu.exe[/b] when prompted then double click on it to install. All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.[/i]
[*]Select the option [b]YES, I accept the Terms of Use[/b] then click on: http://1-ps.googleusercontent.com/x/www.geekstogo.com/i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif.pagespeed.ce.lNUTYf4hmK.gif

[*] When prompted allow the Add-On/Active X to install.
[*]Uncheck the box beside Remove Found Threats
[*]Make sure that the option Scan archives is checked.
[*]Now click on Advanced Settings and select the following:
[list][*]Scan for potentially unwanted applications
[*]Scan for potentially unsafe applications
[*]Enable Anti-Stealth Technology
[*]Now click on:
http://1-ps.googleusercontent.com/x/www.geekstogo.com/i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif.pagespeed.ce.KadG-KgShM.gif

[*]The virus signature database… will begin to download. Be patient, as this may take some time depending on the speed of your Internet connection.
[*]When completed the Online Scan will begin automatically. The scan may take several hours.
[*]Wait for the scan to finish. Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.[/list]

When The Scan is Complete:

[*]If No Threats Were Found:

[list][*]Put a checkmark in [b]"Uninstall application on close"[/b]
[*]Close the program
[*]Report to me that nothing was found
[*] [b]If Threats Were Found[/b]:
    [*]Click on [b]"list of threats found"[/b]
    [*]Click on[b] "export to text file"[/b] and save it to the desktop as [b]ESET SCAN.txt[/b]
    [*]Click on [b]Back[/b]
    [*]Put a checkmark in [b]"Uninstall application on close"[/b] ([b]Be sure you have saved the file first[/b])
    [*]Click on [b]Finish[/b]
    [*]Close the program
    [*]Attach the report here

[/list]

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


[*]Required Log(s):
[*]Malwarebytes’ Anti-Malware Log;
[*]ESET Scan Log

Regards,
Valinorum

The Mbam log is posted below.
Although, I couldn’t run the ESET scanner for some reason. I disabled Avast! and ran IE as an administrator, but when I click the link the page doesn’t load. ( I get the message This page can’t be displayed •Make sure the web address http: %22http is correct. While IE is on the web address of http: %22http wXw.eset.com us online-scanner %22 - Spaces are /'s, Double spaces are //'s, wXw subs for www.) Is the link incorrect or I am doing something wrong? ???

Can you try with another browser?

I suspect you messed the HTML coding up. I’ve tried Safari, Chrome and IE. All failed.

Found it! The [u]"[/u]www.eset.com/us/online-scanner[u]"[/u]

The “” doesn’t belong there.

@Thundagia, see my next post. I’ve just mass quoted his post and fixed the HTML errors.

Yep remove the inverted commas in the link … This forum does not support them :slight_smile:

Hi Thundagia, :slight_smile:

[*]Step #3 Run ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Vista / 7 users: You will need to right-click on either the Internet Explorer or Firefox icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

[*]Please go here then click on:
http://2-ps.googleusercontent.com/x/www.geekstogo.com/i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif.pagespeed.ce.drf6rgtaCz.gif

[b]Note[/b]:[i] If using Mozilla Firefox you will need to download [b]esetsmartinstaller_enu.exe[/b] when prompted then double click on it to install. All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.[/i]
[*]Select the option [b]YES, I accept the Terms of Use[/b] then click on: http://1-ps.googleusercontent.com/x/www.geekstogo.com/i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif.pagespeed.ce.lNUTYf4hmK.gif

[*] When prompted allow the Add-On/Active X to install.
[*]Uncheck the box beside Remove Found Threats
[*]Make sure that the option Scan archives is checked.
[*]Now click on Advanced Settings and select the following:
[list][*]Scan for potentially unwanted applications
[*]Scan for potentially unsafe applications
[*]Enable Anti-Stealth Technology
[*]Now click on:
http://1-ps.googleusercontent.com/x/www.geekstogo.com/i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif.pagespeed.ce.KadG-KgShM.gif

[*]The virus signature database… will begin to download. Be patient, as this may take some time depending on the speed of your Internet connection.
[*]When completed the Online Scan will begin automatically. The scan may take several hours.
[*]Wait for the scan to finish. Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.[/list]

When The Scan is Complete:

[*]If No Threats Were Found:

[list][*]Put a checkmark in [b]"Uninstall application on close"[/b]
[*]Close the program
[*]Report to me that nothing was found
[*] [b]If Threats Were Found[/b]:
    [*]Click on [b]"list of threats found"[/b]
    [*]Click on[b] "export to text file"[/b] and save it to the desktop as [b]ESET SCAN.txt[/b]
    [*]Click on [b]Back[/b]
    [*]Put a checkmark in [b]"Uninstall application on close"[/b] ([b]Be sure you have saved the file first[/b])
    [*]Click on [b]Finish[/b]
    [*]Close the program
    [*]Attach the report here

[/list]

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


[*]Required Log(s):
[*]Malwarebytes’ Anti-Malware Log;
[*]ESET Scan Log

Regards,
Valinorum

Just to make it easier, I’ve “quoted” your post, Valinorum, and fixed the links so that he can proceed.

Edit: Removed more HTML errors. Valinorum, to see what I posted, just quote my reply and scan the text for the links and HTML coding etc. Now I’ll stop. Sorry to be a thorn!

My apologies. I have edited my canned speech. Thank you for the correction, Michael.

@Thundagia, were you able to perform the scans?