Hello Everyone. Could use some help. I installed avast today and then ran a bootscan. Avast found win32:Rootkit-gen, I put the file in the chest but could do nothing else with it. I ran the bootscan again and it is still showing up, is now quarantined twice! I don’t dare delete it because it is located in a windows file and I don’t want to ruin my computer. Any advice would be appreciated. This is the exact location of the file:
C:\Windows\Temp\zum63D2.tmp\upgrade.exe
Is it ok to delete this because it is a temp file? Need to know the best way to fix this. Thanks!
Whilst it should be OK to delete as it is a temp location, it requires further investigation, and since deletion is final it shouldn’t be an early option. It is also strange as it would appear to be inside an archive file zum63D2.tmp (and .tmp is a temporary file not associated with an archive file) unless this is using the period in a folder name?
Do you know anything about this zum63D2.tmp file/folder?
If it is continually coming back, even deletion may not resolve it as it looks like there is another element restoring this file or downloading it again.
What is your OS and Firewall?
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
If using WinXP or Vista: SUPERantispyware (On-Demand only in free version). Or Spyware Terminator Resident scanner (if you use this don’t install the toolbar or crawler or the anti-virus module). Or a-Squared free (On-Demand only with free version) if using Win98/ME.
When installing Avast free 4 days ago (OS: Vista) I got:
c:\Users*****\AppData\Local\Temp\Ctrlat20.exe is infected by win32:rootkit_gen.
I deleted Ctrlat20.exe and it seems that there is no problem, but I am not totally sure if I did not lose an important file OR if I destroyed the virus? trojan? OR if Avast is making false positives?
Next time, better than deleting, send the file (or add it) to avast Chest.
This way will allow further investigation and make possible to answer your questions…
It’s a temporary one… doesn’t seem an essential file.
Most probably. Did you scan with avast after that?
I scanned with avast after that and no malware was found.
I deleted the file in too much of a hurry and, as you say, I should have sent the file to virustotal. I know these people from Hispasec (not personally though), we belong to the same country.
I still am wondering if this malware was a virus, a worm or a trojan and where I could find more good information about it.
I wonder how I got infected since I had another AV (Bull Guard) before and do not think I stood more than a few hours without any active AV. That’s why I think it could be a false positive, but cannot really check now.
You would need to compare the MD5 of your file (unfortunately you deleted it) with the reported MD5 of the file submitted to virustotal to be absolutely sure it is the same.
The reason I say that is I have also done a search and found info on the file but with a different MD5 number.
The rootkit-gen (the -gen part) is a generic signature which is trying to catch many fish with one hook, so to speak, so there will be a possibility of it catching something unintended. So for the two reasons above it is important to ‘first do no harm’: move to the chest and investigate. However, being in a Temp folder, it is unlikely that there would be any harm done in this case.