Avast Found a Rootkit

Today, Avast found a rootkit on my computer. I got a screenshot of it:


http://pixpipeline.com/st/2316b6adda2b.png

I don’t know if that is a false positive or not, but I deleted it anyway, just to be safe. I don’t know how it got there, because I haven’t done anything different lately, and I did the same things I always do. Also, after I restarted my computer, Avast blocked something from connecting to: electronicssense-search.com. I hope I’m not infected with anything serious.

Did a MBAM scan and it found 3 items. Here is the log:


Malwarebytes’ Anti-Malware 1.41
Database version: 2905
Windows 5.1.2600 Service Pack 3

10/4/2009 4:13:23 PM
mbam-log-2009-10-04 (16-13-23).txt

Scan type: Quick Scan
Objects scanned: 100243
Time elapsed: 9 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\8c41affb.sys (Rootkit.Rustock) → Delete on reboot.

http://forum.avast.com/index.php?topic=46018.0

Thanks. I deleted the rootkit, after I got the message so I hope I didn’t do anything wrong. Like the person in that thread, I rarely ever get any viruses, so I kind of delete them too. My computer hasn’t been giving any weird behavior either, so I’m thinking the problem is fixed. I’ll do a boot time scan later though, just to make sure. Good job Avast!

It’s always better to quarantine than delete. Gives you choice; there is no disadvantage.

Run a scan again with MBAM. If the object should happen to be found, with a prompt to "delete on reboot", please reboot promptly.
Post the scan report/s.
Hope all is well.

Ok I’ll do that. The only weird things I’ve noticed so far are two startup messages, and when I opened IE Avast popped up with a spyware warning of the file rasadhpl.dll which is in the Internet Explorer folder. Weird thing is, I quarantined the file yesterday.


Did you mean … rasadhlp.dll … instead?


Yes, actually that was what I meant. Typo, sorry. Is it a bad sign? Btw, computer is running normally as it usually does, no problems. The only virus alert I’ve gotten is the rasadhlp.dll file from the morning.

Well I did another MBAM quick scan, and it detected the same items again. Here is the log, I’ll be deleting the items soon.


Malwarebytes’ Anti-Malware 1.41
Database version: 2905
Windows 5.1.2600 Service Pack 3

10/5/2009 8:17:22 PM
mbam-log-2009-10-05 (20-17-18).txt

Scan type: Quick Scan
Objects scanned: 100485
Time elapsed: 6 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\8c41affb.sys (Rootkit.Rustock) → No action taken.


I would love some help getting rid of the virus once and for all since it keeps returning.
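Both MBAM logs in this thread report the same two registry findings: the ImagePath of the BITS and wuauserv services points at `%fystemRoot%` instead of `%SystemRoot%`, so the variable never expands and the Windows Update services cannot start from a real path. The following script is an added example, not part of this thread and not Malwarebytes' code. It parses the "Registry Data Items Infected" section of an MBAM log (the sample text is copied from the log posted above), checks whether each reported Bad/Good ImagePath resolves against an assumed Windows XP environment (`WINXP_ENV` is an assumption, not something from the log), and lists the undefined variable names so the hijack is visible even when the name looks almost right at a glance.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the "Registry Data Items Infected" section of the
# MBAM quick-scan log quoted in this thread (values copied from the post).
# The summary line at the top is included to show that it is not mis-parsed.
SAMPLE_LOG = r"""
Registry Data Items Infected: 2
Folders Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → No action taken.

Folders Infected:
(No malicious items detected)
"""

# Assumed environment of the machine in the thread (Windows XP SP3 on the
# default install drive); used to resolve %VAR% tokens in ImagePath values.
WINXP_ENV: Dict[str, str] = {"SystemRoot": r"C:\WINDOWS"}

# %VAR% token as used in REG_EXPAND_SZ values.
ENV_TOKEN = re.compile(r"%([^%]+)%")

# One detail line: <key> (<detection>) → Bad: (<bad>) Good: (<good>) → <action>.
DETAIL_LINE = re.compile(
    r"^(?P<key>\S+) \((?P<detection>[^)]+)\) (?:→|->) "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) (?:→|->) "
    r"(?P<action>.+?)\.?$"
)


def parse_registry_data_items(log_text: str) -> List[dict]:
    """Return the parsed entries of the 'Registry Data Items Infected:' detail
    section of an MBAM log. The summary section uses 'Infected: <count>' and
    therefore never matches the exact header string used here."""
    items: List[dict] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Registry Data Items Infected:":
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line.endswith(":"):  # next section header ends this one
            in_section = False
            continue
        match = DETAIL_LINE.match(line)
        if match:
            items.append(match.groupdict())
    return items


def missing_env_vars(path: str, env: Dict[str, str]) -> List[str]:
    """Names of %VAR% tokens in path that env does not define.
    Windows environment variable names are case-insensitive."""
    known = {name.lower() for name in env}
    return [name for name in ENV_TOKEN.findall(path) if name.lower() not in known]


def expand_env(path: str, env: Dict[str, str]) -> Optional[str]:
    """Expand %VAR% tokens. Returns None when any token is undefined, since
    ExpandEnvironmentStrings leaves such tokens in place and the resulting
    ImagePath would not point at an existing file."""
    if missing_env_vars(path, env):
        return None
    lookup = {name.lower(): value for name, value in env.items()}
    return ENV_TOKEN.sub(lambda m: lookup[m.group(1).lower()], path)


def audit_image_paths(items: List[dict], env: Dict[str, str]) -> List[dict]:
    """For each parsed entry, report the service name and whether the Bad and
    Good values resolve to a real path under the given environment."""
    findings: List[dict] = []
    for item in items:
        parts = item["key"].split("\\")
        findings.append({
            "service": parts[-2],
            "value": parts[-1],
            "detection": item["detection"],
            "bad_resolves": expand_env(item["bad"], env) is not None,
            "good_resolves": expand_env(item["good"], env) is not None,
            "missing_vars": missing_env_vars(item["bad"], env),
            "action": item["action"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_image_paths(parse_registry_data_items(SAMPLE_LOG), WINXP_ENV):
        print(f"{finding['service']}\\{finding['value']}: {finding['detection']}; "
              f"bad resolves={finding['bad_resolves']}, "
              f"undefined vars={finding['missing_vars']}; {finding['action']}")
```

The same check applies to a live system: a service ImagePath that references an environment variable the SCM cannot expand is a sign the value was tampered with, and "restore the Good value, then reboot" is exactly what MBAM's fix does here.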

Ok, I restarted my computer after deleting those items and I got these two message boxes on startup, just like last time. And also Avast blocked my computer from connecting to that same site again right after my computer started up. I got screenshots of the message boxes this time:


http://pixpipeline.com/st/4094710bc561.png

and


http://pixpipeline.com/st/01d6cdd509dd.png


You can let MBAM fix those.

The file … rasadhlp.dll … is a valid file belonging to Microsoft. See the link below:

http://processlist.com/info/rasadhlp.html


Ok. I restored the rasadhlp.dll file from the Virus Chest and then when Avast popped up about it again I pressed no action.

could be an fp, or a worm could have patched it to make it malware.

Scan on www.virustotal.com

If it hasn’t been fixed yet or whatever, two AVs will detect it, GDATA and Avast, and Gdata uses the same engine.

Well MBAM, found it too, so I deleted it with MBAM. I haven’t noticed anything wrong with IE though after deleting that file with MBAM. Did a boottime scan with Avast, and Avast found the rootkit that was hiding and I quarantined it, before the rootkit could load into my system. Haven’t done a new MBAM scan yet but I’m pretty sure my comp is now clean. Also, there is no more of my computer trying to connect to that website I told you guys about right after I boot. You rock Avast!

Yep did a check with MBAM, and all it found were 2 reg entries while doing the Extra and Heuristics Scan. It didn’t find any rootkits or any other problems this time. My computer is now clean! Yes! Thanks for all your help guys! :smiley: