Email Notification...does that mean it's cleaned?

Hi,

I just got an email notification from a computer that is out of my reach right now and I cannot contact the person who has it. The message is here:

avast! [95120M1]: File “C:\Windows\Temp\TMP00000E220A267F1F99FDF605” is infected by “Rootkit: hidden file” virus.
“Full system scan” task used
Version of current VPS file is 100608-1, 08/06/2010

Since this was caught by a full system scan, and I haven’t received another email from this system, can I assume it’s been cleaned?

Thanks,

Yes and no…
I mean, rootkits are hidden viruses and generally replicate.
If a virus is replicating (coming back again and again), you could follow the general cleaning procedure:

  1. Clean your temporary files. You can use CleanUp or CCleaner for that.

  2. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
    If avast does not detect it, you can try DrWeb CureIT! instead.

  3. It will be good if you download, install, update and run MBAM (or SUPERantispyware or even SpywareTerminator).
    If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.

  4. If you are still detecting any strange behavior, or you’re even sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster for XP/Vista. For XP only: Panda.

  5. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, maybe make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.

  6. Browser hijacking and problems with antivirus update could be managed in some scenarios by cleaning the hosts file (in the C:\windows\system32\drivers\etc folder). The file does not have an extension, it’s simply hosts.
    The default file consists of a number of example lines preceded with #. The only required line is
    127.0.0.1 localhost
    You can get a good replacement with HostsMan, which keeps it clean (avoids infections) and updated: http://www.abelhadigital.com

  7. After you’re clean, disable System Restore on Windows ME, XP or Vista. System Restore is not available in Windows 9x and 2k. After disabling you can enable it again.

  8. Use the immunization of SpywareBlaster.

  9. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Emanoel
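
As an added example for step 6 (this is not code from the thread, from avast, or from HostsMan): a small Python script that reads hosts-file syntax and reports every mapping other than the loopback-to-localhost default. It separates hostnames pointed at a foreign address (the browser-hijack pattern) from hostnames sinkholed to loopback or 0.0.0.0 (the pattern that breaks antivirus updates, but also exactly what a HostsMan-style block list adds on purpose, so those findings are for review, not automatic deletion). The sample file content and the domain names in it are constructed; treating both 127.0.0.1 and ::1 mapped to localhost as the clean default is an assumption beyond the thread, which names only the IPv4 line.

```python
"""Audit a Windows hosts file for entries that could hijack browsing or
block antivirus updates.  Added example, not code from the forum thread.
Hosts syntax: one IP per line, then one or more hostnames, '#' starts a
comment.  Everything except loopback -> localhost is reported."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: default lines plus three entries a cleanup would look at.
SAMPLE_HOSTS = """\
# Comment lines like the ones shipped with Windows (constructed sample).
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.search-engine.example       # constructed: browser redirected
127.0.0.1       update.antivirus-vendor.example # constructed: updates blocked
0.0.0.0         ads.tracker.example             # constructed: block-list style
"""


@dataclass
class Finding:
    line_no: int
    ip: str
    host: str
    kind: str  # "default", "redirected", "blocked" or "malformed"


def parse_hosts(text):
    """Yield (line_no, ip, host) for every mapping; blanks and comments skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:  # an IP with no hostname is not a valid mapping
            yield line_no, fields[0], None
            continue
        ip, *hosts = fields
        for host in hosts:  # one line may map several names to the same IP
            yield line_no, ip, host.lower()


def classify(ip, host):
    """Decide what a single ip -> host mapping means for cleanup."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if host is None:
        return "malformed"
    # Assumption: 127.0.0.1 or ::1 -> localhost is the clean default.
    if addr.is_loopback and host == "localhost":
        return "default"
    # Loopback/0.0.0.0 sinkholes stop the machine reaching that host: this is
    # how update servers get blocked, but also how block lists work.
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"
    # Any other address silently sends the browser somewhere else.
    return "redirected"


def audit_hosts(text):
    """Return a Finding for every mapping in the file, in file order."""
    return [Finding(n, ip, host, classify(ip, host)) for n, ip, host in parse_hosts(text)]


def suspicious(text):
    """Only the findings a cleanup should review (everything non-default)."""
    return [f for f in audit_hosts(text) if f.kind != "default"]


if __name__ == "__main__":
    # On a real machine read C:\Windows\System32\drivers\etc\hosts instead.
    for f in suspicious(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.ip} -> {f.host} [{f.kind}]")
```

Run it against the real file by reading C:\Windows\System32\drivers\etc\hosts into the `text` argument; a clean default file yields an empty list from `suspicious()`, and a "redirected" finding for any site you did not add yourself is the strongest signal in the output.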

Thanks for the terrific advice! When I get my hands on the pc, i’ll be sure to follow these steps!

thanks again,

You’re welcome. Feel free to come back any time you need help or just to change experiences 8)