Avast reports rootkit: hidden file on scan, but can't remove/repair/move file

Ran a scan today and Avast found Threat: Rootkit: hidden file, plus four other files that indicated Error: Data error (cyclic redundancy check) (23)

The rootkit is associated with:

C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#\0c4ec58f70e0fe6e74458c35fb260e2d\System.Runtime.Caching.ni.dll

The 4 files that indicated the CRC error were:

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#
C:\WINDOWS\Temp\FLT1985.tmp
C:\WINDOWS\Temp\FLT1986.tmp

A boot scan did not yield any problems.

A subsequent Full System scan yielded the same result as above.

I cannot move the file to the chest, repair it, or remove it.

What are my next steps to remove this? Is it a legitimate threat?

Thank you!

A CRC error means that the file is corrupt.

Am I actually infected with a rootkit? Or is the file simply corrupted?

Also is there a way to resolve this?

Thank you in advance for all your help!

The only way to determine that is to run a scan.

Download aswMBR.exe (4.5 MB) to your desktop.
Double click aswMBR.exe to run it, then click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

Running scan now. It flagged that same file. I will post the complete scan when it finishes.

Thank you

Attached is the log from the aswMBR scan.

How is the computer behaving, any problems?

No errors or strange behavior, just sometimes there is a lot of disk activity that I can’t account for which slows the system down. In some cases I see AppleMobileDeviceServices chewing up 50% of my CPU - I kill that process and that resolves that. I believe it is a known problem with Apple?

Also, sometimes the WLTRAY.EXE process seems to have a memory leak and consumes more and more memory. A reboot resolves that.

No strange behavior on reboot.

I also ran an ESET online scan on the laptop, but it only found two undesirable apps that I may not want, and those were recent installs that I have since removed.

Has aswMBR actually removed/resolved/repaired the file in question?

No, it just noted that it was hidden; that in itself is not a problem, as some Windows files are hidden.

Any thoughts on how to clear this with regard to the scan? This has never shown up before, and the boot scan does not indicate anything. I am running another ESET scan currently and will let you know if it yields anything.

Just concerned that there is something lurking…

If you are concerned I could delete the file, but a programme that uses dotnet may not function properly.

Can I remove support for .Net and then restore/install support for .Net? Do you think that would resolve it, since Avast keeps finding the CRC errors on those files?

With the CRC errors it may be prudent to remove all dotnet versions and install just the ones you need.

Download the dotnet cleanup tool from here http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-08-90-44-93/dotnetfx_5F00_cleanup_5F00_tool.zip to your desktop.
Extract Cleanup_tool.exe to the desktop and run it.

Then re-run aswMBR.

Ran the cleanup tool and removed all versions of .Net, but aswMBR reports the same thing.

See attached log.

OK, I shall now kill it for you.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Files
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#\0c4ec58f70e0fe6e74458c35fb260e2d\System.Runtime.Caching.ni.dll

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here is the log result that popped up upon reboot.

I have not re-run OTL yet. Please let me know if I need to re-run OTL in scan mode, and whether I need to paste the same information in the scan files area before the scan.

According to OTL that file is not on your system.

Let's see if there is an additional copy, or if it is created by the .NET framework as required.

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users
  • Under the Custom Scan box paste this in

netsvcs
/md5start
System.Runtime.Caching.ni.dll
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs
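The custom scan above uses OTL's /md5start .. /md5stop block to locate every copy of System.Runtime.Caching.ni.dll on the disk and hash it, and earlier posts note that a CRC error means the file is corrupt and that a hidden attribute is not by itself suspicious. The following Python script, added here as an illustration and not code from OTL, Avast or the thread, does the same three things on a constructed directory tree: it walks the tree for a file name, reports whether each copy carries the Windows hidden attribute, and computes its MD5 or records the read error that a CRC-damaged sector produces. The directory layout, the file contents and the second cache directory name are constructed for the demo; only the file name and the first hash directory come from the thread. The hidden-attribute check uses `st_file_attributes`, which Python only provides on Windows; on other platforms the script falls back to the dot-prefix convention (an assumption made so the demo runs anywhere).

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Win32 FILE_ATTRIBUTE_HIDDEN bit, as exposed through os.stat() on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x2


def is_hidden(path: Path) -> bool:
    """True if the Windows hidden attribute is set; on non-Windows platforms
    (no st_file_attributes) fall back to the dot-prefix convention (assumption)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        return True
    return path.name.startswith(".")


def md5_or_error(path: Path):
    """Return ("ok", hexdigest) or ("read-error", message).

    A file sitting on CRC-damaged sectors raises OSError on read, which is
    the same condition the scanner reports as 'Data error (cyclic redundancy check)'.
    """
    digest = hashlib.md5()
    try:
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(1 << 20), b""):
                digest.update(chunk)
    except OSError as exc:
        return "read-error", str(exc)
    return "ok", digest.hexdigest()


def find_copies(root, filename: str):
    """Equivalent of OTL's /md5start .. /md5stop: every file named `filename`
    under `root`, with its hidden flag and MD5 (or the read error)."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != filename.lower():
                continue
            path = Path(dirpath) / name
            status, value = md5_or_error(path)
            results.append({
                "path": str(path),
                "hidden": is_hidden(path),
                "status": status,
                "md5": value if status == "ok" else None,
                "error": value if status == "read-error" else None,
            })
    return results


def demo():
    """Build a constructed tree resembling the NGEN native-image cache and scan it."""
    root = Path(tempfile.mkdtemp())
    cache = root / "NativeImages_v4.0.30319_32" / "System.Runtime.Cach#"
    # First hash directory is the one named in the thread; the second is constructed.
    real_dir = cache / "0c4ec58f70e0fe6e74458c35fb260e2d"
    extra_dir = cache / "deadbeef-constructed-second-copy"
    real_dir.mkdir(parents=True)
    extra_dir.mkdir(parents=True)
    # Constructed file contents: "abc" and an empty file, chosen for their well-known MD5s.
    (real_dir / "System.Runtime.Caching.ni.dll").write_bytes(b"abc")
    (extra_dir / "System.Runtime.Caching.ni.dll").write_bytes(b"")

    copies = sorted(find_copies(root, "System.Runtime.Caching.ni.dll"),
                    key=lambda r: r["path"])
    # Opening a directory for reading fails with OSError on every platform,
    # which exercises the same branch a CRC-damaged file would.
    unreadable = md5_or_error(root)
    return {"copies": copies, "unreadable": unreadable}


if __name__ == "__main__":
    report = demo()
    for entry in report["copies"]:
        print(entry)
    print("unreadable sample:", report["unreadable"])
```

Run it against a real cache by calling `find_copies(r"C:\WINDOWS\assembly", "System.Runtime.Caching.ni.dll")`; two copies with different MD5s, or a copy that comes back as `read-error`, is exactly the information the OTL log is meant to surface, and a `hidden` flag alone is not a finding.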

Here are the results of the scan, and thank you again for all your help!

Just in case the previous logs were the ones from the wrong run, here are the correct ones:

Still can’t find it… Let's go fishing.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT: Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.