Has RootKit been deleted?

I recently did a scan and two threats were found. One was a rootkit, “Rootkit:hidden file”, and the other was a trojan (I think): “Win32:Crypt-LUQ [trj]”. When I tried to put them in the chest, the rootkit displayed an error message, “Error: the request is not supported (50)”, and the trojan displayed the error message “Error: the process cannot access the file because it is being used by another process (32)”. When I tried to delete them, the rootkit displayed an error message, “Error: the system cannot find the file specified (2)”, and the trojan said “Action postponed until the next reboot”.

So I kept the action for both as Delete and rebooted, running a boot scan and the boot scan found no threats.

Does this mean my computer is now safe? Or is rootkit ‘hidden’ somehow as it said it was a ‘hidden file’ and has the trojan been deleted?

Any help would be much appreciated

Follow this guide and attach the logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

Thanks,
I have scanned with malwarebytes and aswMBR already as it happens, so I have pasted the logs below. I will also use OTL if these are inconclusive (I have no idea what anything in the log from aswMBR means)

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.12.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jabalounatz :: JABALOUNATZCOMP [administrator]

13/03/2012 15:15:12
mbam-log-2012-03-13 (15-15-12).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 256480
Time elapsed: 1 hour(s), 24 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-14 17:53:48

17:53:48.375 OS Version: Windows 5.1.2600 Service Pack 3
17:53:48.375 Number of processors: 1 586 0x209
17:53:48.375 ComputerName: JABALOUNATZCOMP UserName: Jabalounatz
17:54:01.109 Initialize success
17:54:09.171 AVAST engine defs: 12031400
17:54:49.046 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0
17:54:49.046 Disk 0 Vendor: Maxtor_6 NAR6 Size: 39205MB BusType: 3
17:54:49.062 Disk 0 MBR read successfully
17:54:49.078 Disk 0 MBR scan
17:54:49.343 Disk 0 Windows XP default MBR code
17:54:49.359 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 14998 MB offset 63
17:54:49.406 Disk 0 Partition - 00 0F Extended LBA 24199 MB offset 30716280
17:54:49.437 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 16002 MB offset 30716343
17:54:49.453 Disk 0 Partition - 00 05 Extended 8197 MB offset 63488880
17:54:49.531 Disk 0 Partition 3 00 0B FAT32 MSDOS5.0 8197 MB offset 63488943
17:54:49.578 Disk 0 scanning sectors +80276805
17:54:49.812 Disk 0 scanning C:\WINDOWS\system32\drivers
17:56:36.468 Service scanning
17:58:17.765 Modules scanning
17:59:03.718 Disk 0 trace - called modules:
17:59:03.734 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IdeChnDr.sys
17:59:03.750 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x823679c0]
17:59:03.750 3 CLASSPNP.SYS[f8578fd7] → nt!IofCallDriver → \Device\00000067[0x82383f18]
17:59:03.750 5 ACPI.sys[f84ef620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0[0x82383030]
17:59:04.203 AVAST engine scan C:\WINDOWS
17:59:59.093 AVAST engine scan C:\WINDOWS\system32
18:04:30.093 AVAST engine scan C:\WINDOWS\system32\drivers
18:04:50.171 AVAST engine scan C:\Documents and Settings\Jabalounatz
18:26:35.015 AVAST engine scan C:\Documents and Settings\All Users
18:26:50.937 Scan finished successfully
18:47:38.203 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Jabalounatz\My Documents\MBR.dat”
18:47:38.343 The log file has been saved successfully to “C:\Documents and Settings\Jabalounatz\My Documents\aswMBR.txt”

Yes run the OTL scan please

aswMBR seems quite happy ;D
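As an added example (not code from the thread or from AVAST), a small Python checker that parses the partition and MBR-code lines in the aswMBR log format posted above and flags what a helper would look for before calling the log "happy": a non-default MBR code, a missing or duplicated active (80) partition, or volumes whose sector ranges overlap. The sample input is constructed from the posted log; the 512-byte sector size and the whole-MB rounding are assumptions about aswMBR's output.

```python
import re

# Constructed sample in the aswMBR log format from the thread (subset of lines).
SAMPLE_LOG = """\
17:54:49.062 Disk 0 MBR read successfully
17:54:49.343 Disk 0 Windows XP default MBR code
17:54:49.359 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 14998 MB offset 63
17:54:49.406 Disk 0 Partition - 00 0F Extended LBA 24199 MB offset 30716280
17:54:49.437 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 16002 MB offset 30716343
17:54:49.453 Disk 0 Partition - 00 05 Extended 8197 MB offset 63488880
17:54:49.531 Disk 0 Partition 3 00 0B FAT32 MSDOS5.0 8197 MB offset 63488943
"""

PART_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<num>\S+) (?P<boot>[0-9A-F]{2}) (?:\(A\) )?"
    r"(?P<type>[0-9A-F]{2}) (?P<desc>.+?) (?P<size>\d+) MB offset (?P<offset>\d+)$")
MBR_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) (?P<code>.+ MBR code)$")
SECTORS_PER_MB = 2048            # assumed: 512-byte sectors, sizes rounded down to MB
CONTAINER_TYPES = {"05", "0F"}   # extended containers hold the logical volumes


def parse_aswmbr(text):
    """Extract the MBR-code verdict and the partition entries from aswMBR output."""
    mbr_code, parts = None, []
    for line in text.splitlines():
        m = MBR_RE.match(line)
        if m:
            mbr_code = m.group("code")
            continue
        m = PART_RE.match(line)
        if m:
            parts.append({"num": m.group("num"), "boot": m.group("boot"),
                          "type": m.group("type"), "desc": m.group("desc"),
                          "size_mb": int(m.group("size")),
                          "offset": int(m.group("offset"))})
    return {"mbr_code": mbr_code, "partitions": parts}


def check_layout(parsed):
    """Return findings worth a second look; an empty list means nothing odd."""
    findings = []
    code = parsed["mbr_code"]
    if code is None or "default MBR code" not in code:
        findings.append(f"MBR code is not a known default: {code!r}")
    vols = [p for p in parsed["partitions"] if p["type"] not in CONTAINER_TYPES]
    if sum(p["boot"] == "80" for p in vols) != 1:
        findings.append("expected exactly one active (80) partition")
    vols.sort(key=lambda p: p["offset"])
    for a, b in zip(vols, vols[1:]):   # adjacent volumes must not share sectors
        if a["offset"] + a["size_mb"] * SECTORS_PER_MB > b["offset"]:
            findings.append(f"partition {a['num']} overlaps partition {b['num']}")
    return findings
```

On the posted log the checker returns no findings, which is the machine-readable version of "aswMBR seems quite happy".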

Okay I attach the OTL logs, sorry for the delay!

And the OTL logs look nice, whatever you had it is now gone ;D

Are you experiencing any problems at all ?

No problems it seems, it is just a bit worrying that the avast scan found a rootkit and trojan (couldn’t delete) but then on restart they were gone: any ideas as to why this could be? I know that rootkits can be elusive.

Also are all of the errors in the Extras.Txt log anything to worry about?

Much thanks

The errors are nothing to be concerned about - just windows housekeeping things

When you got these detections, were they in memory, i.e. did they have PID numbers?

Sorry for my lack of knowledge, but what are PID numbers?

I have looked in the folder where it said the rootkit was and it is not there, but the file where it said the trojan was is still there.

It is in D:\System Volume Information\catalog.wci would it be okay to just delete this?

Ah OK, that is in system restore and is not a problem. I feel the other may have been a detection of another anti-malware programme on your computer: Malwarebytes, SuperAntiSpyware or Spybot.

Let's clear the restore points now.

Run OTL
1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Commands [resethosts] [emptytemp] [CLEARALLRESTOREPOINTS] [Reboot]

2. Then click the Run Fix button at the top.
3. Let the program run unhindered; reboot the PC when it is done.

Okay cheers, have done all that.
When I look in the folder D:\System Volume Information\catalog.wci all the files are still there, including the one it said was a trojan, but this is all right?

Yes in that case it is a false positive - purely due to the way the file is stored

To remove OTL just run it and press the cleanup button

Cool cool, thanks for the help!

No problem that is what we are here for ;D

I don’t know why they didn’t show up in scans before though: I had scanned 9 days earlier…

Virus definitions are updated daily, sometimes two or three times, so an occasional FP will slip through.