Avast rootkit scanner result

Hello,

I had a virus infection several months ago with a false Windows security program. I managed to remove this, I thought, but I noticed a number of strange things recently on the computer, with Windows Security Centre failing to load.

I ran the avast anti rootkit from http://public.avast.com/~gmerek/aswMBR.htm

This did not find any rootkit but did find :

22:06:36.964 File: C:\WINDOWS\system32\rundll32.exe INFECTED Win32:Malware-gen

The above file is not found when I complete a full Avast scan with the normal free Avast antivirus.

How do I get rid of this file, if I should? Do I click fixMBR, which is the only option on the antirootkit tool available to click for this file?

Following is the full output of this scan:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-22 22:04:03

22:04:03.282 OS Version: Windows 5.1.2600 Service Pack 3
22:04:03.282 Number of processors: 1 586 0x905
22:04:03.282 ComputerName: IBM-TPAD UserName: IBM User
22:04:05.545 Initialize success
22:04:07.067 AVAST engine defs: 12052101
22:04:21.098 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
22:04:21.098 Disk 0 Vendor: HTS548040M9AT00 MG2OA5DA Size: 38154MB BusType: 3
22:04:21.138 Disk 0 MBR read successfully
22:04:21.138 Disk 0 MBR scan
22:04:21.148 Disk 0 Windows XP default MBR code
22:04:21.148 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
22:04:21.158 Disk 0 scanning sectors +78140160
22:04:21.488 Disk 0 scanning C:\WINDOWS\system32\drivers
22:04:34.817 Service scanning
22:04:53.755 Modules scanning
22:05:07.515 Disk 0 trace - called modules:
22:05:07.535 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys AGRSM.sys PCIIDEX.SYS
22:05:07.535 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x82f4cab8]
22:05:07.535 3 CLASSPNP.SYS[f86f5fd7] → nt!IofCallDriver → \Device\00000076[0x82f1c9e8]
22:05:07.535 5 ACPI.sys[f866c620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x82f1cd98]
22:05:08.046 AVAST engine scan C:\WINDOWS
22:05:13.353 AVAST engine scan C:\WINDOWS\system32
22:06:36.964 File: C:\WINDOWS\system32\rundll32.exe INFECTED Win32:Malware-gen
22:07:58.773 AVAST engine scan C:\WINDOWS\system32\drivers
22:08:08.297 AVAST engine scan C:\Documents and Settings\IBM User
22:10:12.435 AVAST engine scan C:\Documents and Settings\All Users
22:10:21.599 Scan finished successfully
22:12:47.979 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\IBM User\Desktop\MBR.dat”
22:12:47.979 The log file has been saved successfully to “C:\Documents and Settings\IBM User\Desktop\aswMBR.txt”
22:20:05.729 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\IBM User\Desktop\MBR.dat”
22:20:06.359 The log file has been saved successfully to “C:\Documents and Settings\IBM User\Desktop\aswMBR.txt”

Thanks for any help!

Hmm... let's just confirm it's not a FP... can you try uploading C:\WINDOWS\system32\rundll32.exe here:

www.virustotal.com and post the link to the result here in your next reply.

Thanks for your response.

Uploaded it to virustotal and no detection out of 43.

https://www.virustotal.com/file/3e8e1b5d62ec63a4e7899a5d9e3f71fa3f498acb1edde3e7174376a0dc2b7a2a/analysis/

I am happy to accept your expertise that this is a FP. Nothing comes up on the Avast full scan or MBAM, I’m just surprised to be finding malware alerts on the rootkit scan.

Thanks for your time.

SHA256: 3e8e1b5d62ec63a4e7899a5d9e3f71fa3f498acb1edde3e7174376a0dc2b7a2a
SHA1: 3a71c8dec3be14b47e76f5ac5f8ec66b1e3367b8
MD5: 1b3d8375d1e96ca29e3b867b69168bae
File size: 32.0 KB ( 32768 bytes )
File name: rundll32.exe
File type: Win32 EXE
Detection ratio: 0 / 43
Analysis date: 2012-03-20 15:30:53 UTC ( 2 months, 1 week ago )

I didn’t expect VT to find anything as this came out in a rootkit scan; VT can’t replicate that scan.

Any idea what it is and why it is showing on this scan and not others? Is it a problem?

There is sometimes a problem on the computer of Windows Security Centre and Avast not loading on booting, and the computer freezing after.

Regards,
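As an added example (not code from Avast, VirusTotal or anyone in this thread), the following Python script does the triage the thread walks through by hand: it pulls the INFECTED line and the MBR verdict out of an aswMBR log, parses the VirusTotal summary in the form pasted above, computes the same three hashes locally so you can confirm that the file you uploaded is the file the scanner flagged, and raises the two caveats worth checking before accepting a false positive: a "-gen" (generic) detection name, and a VirusTotal analysis date earlier than the scan date, which means the 0/43 shown was an older cached verdict for that hash rather than a fresh scan of this upload (2012-03-20 versus 2012-05-22 here, so a re-analysis is worth requesting). It also reads the "Windows XP default MBR code" line, which already answers the FixMBR question: there is nothing for FixMBR to repair. The log and summary strings are constructed from the lines posted above; the "abc" bytes used to exercise the hash function are a constructed stand-in, not the real rundll32.exe.

```python
"""Added triage helper for an aswMBR 'INFECTED' hit checked against a VirusTotal summary.
Not code from Avast, VirusTotal or anyone in this thread."""
import hashlib
import re
from datetime import datetime

# Constructed sample: the relevant lines of the aswMBR log posted above (abridged).
ASWMBR_LOG = """\
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-22 22:04:03
22:04:21.148 Disk 0 Windows XP default MBR code
22:06:36.964 File: C:\\WINDOWS\\system32\\rundll32.exe INFECTED Win32:Malware-gen
22:10:21.599 Scan finished successfully
"""

# Constructed sample: the VirusTotal summary block as posted above.
VT_SUMMARY = """\
SHA256: 3e8e1b5d62ec63a4e7899a5d9e3f71fa3f498acb1edde3e7174376a0dc2b7a2a
SHA1: 3a71c8dec3be14b47e76f5ac5f8ec66b1e3367b8
MD5: 1b3d8375d1e96ca29e3b867b69168bae
File size: 32.0 KB ( 32768 bytes )
File name: rundll32.exe
Detection ratio: 0 / 43
Analysis date: 2012-03-20 15:30:53 UTC ( 2 months, 1 week ago )
"""

INFECTED_RE = re.compile(r"^\S+ File: (?P<path>.+?) INFECTED (?P<name>\S+)$")


def parse_aswmbr(log):
    """Return (run_date, mbr_default, hits) from aswMBR log text.

    hits is a list of (path, detection_name) for every 'INFECTED' line;
    mbr_default is True if aswMBR recognised the boot code as a stock
    Windows MBR, the case where there is nothing for FixMBR to repair.
    """
    run_date, mbr_default, hits = None, False, []
    for line in log.splitlines():
        if line.startswith("Run date: "):
            run_date = datetime.strptime(line[len("Run date: "):], "%Y-%m-%d %H:%M:%S")
        elif "default MBR code" in line:
            mbr_default = True
        m = INFECTED_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("name")))
    return run_date, mbr_default, hits


def parse_vt_summary(text):
    """Parse the 'Key: value' lines of a VirusTotal summary into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    fields["analysis_date"] = datetime.strptime(
        fields["Analysis date"].split(" UTC")[0], "%Y-%m-%d %H:%M:%S")
    detected, total = (int(x) for x in fields["Detection ratio"].split("/"))
    fields["detected"], fields["total"] = detected, total
    return fields


def file_hashes(data):
    """MD5/SHA1/SHA256 of a byte string, lower-case hex as VirusTotal prints them."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}


def hashes_match(local, vt):
    """True only if every hash the VT record lists equals the local one."""
    keys = [k for k in ("MD5", "SHA1", "SHA256") if k in vt]
    return bool(keys) and all(local[k] == vt[k].lower() for k in keys)


def triage(log, vt_text, local_hashes=None):
    """Combine the checks into one report; local_hashes is file_hashes() of the
    file actually on disk, or None if it has not been hashed yet."""
    run_date, mbr_default, hits = parse_aswmbr(log)
    vt = parse_vt_summary(vt_text)
    return {
        "hits": hits,
        # Avast's '-gen' suffix marks a generic/heuristic signature, the kind
        # most prone to false positives on legitimate system binaries.
        "generic_name": any(name.endswith("-gen") for _, name in hits),
        "mbr_default": mbr_default,
        "vt_detected": vt["detected"],
        "vt_total": vt["total"],
        # An analysis date before the scan date means VT showed an older
        # cached verdict for that hash, not a fresh scan of this upload.
        "vt_stale": run_date is not None and vt["analysis_date"] < run_date,
        "hash_mismatch": None if local_hashes is None else not hashes_match(local_hashes, vt),
    }


if __name__ == "__main__":
    # Constructed stand-in bytes; hash the real file with file_hashes(open(path, "rb").read()).
    report = triage(ASWMBR_LOG, VT_SUMMARY, local_hashes=file_hashes(b"abc"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as-is, the report shows a single generic-named hit, a stock MBR, a 0/43 verdict that is stale relative to the scan, and a hash mismatch (because the stand-in bytes are not the real file); hashing the actual C:\WINDOWS\system32\rundll32.exe instead and getting a match is what confirms the VT result applies to the file aswMBR flagged.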

If you wish a thorough check-up then follow this:
http://forum.avast.com/index.php?topic=53253.0

and attach all logs here…

essexboy notified…

If you attach (not copy and paste) a Malwarebytes and OTL log, then the removal specialist may find out:
http://forum.avast.com/index.php?topic=53253.0

essexboy notified
Essexboy is on vacation. ;)

Jeffce is notified…

Oh! I see, thanks for that.

Monitoring... :)