I keep getting Win32:Rootkit-gen[Rtk] malware warnings. Please Help!!

I’ve been getting Win32:Rootkit-gen[Rtk] malware warnings from avast periodically the whole day today, especially every time I switch on my laptop.
I removed the files and sent them to the virus chest, but the warnings keep coming.
It’s the same type of malware, but with a different filename, always in the win32 drivers folder.

I tried deleting the system restore points like some people suggested, but the warning keeps coming up.

I don’t notice anything different with my computer except the warnings.

another computer using the same wireless network in my house is also having the same malware warning.

What should I do? Please help! I’m completely clueless when it comes to computers, so step-by-step help would be a huge help!

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with the HostsMan tool.
  7. Disable System Restore and then re-enable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

If that does not help, please post back.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

I did some of the scans you suggested:

avast antirootkit
avast! Antirootkit, version 0.9.6
Scan started: Friday, October 02, 2009 9:28:13 AM

Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS] StateIndex=0 HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] DisplayName=“륳瞒” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] DeviceDesc=“륳瞒” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] ProviderName=“⟼粐⡬” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] MFG=“솿᠃Ѽ” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] ReinstallString=“.10.1000.5” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] DeviceInstanceIds=“c:\sysprep\ba46-04866a04\smbus\smbusati.inf” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download] LastSuccessTime=“2009-10-02 04:02:12” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20] RefCount=3 HIDDEN

Scan finished: Friday, October 02, 2009 9:33:51 AM
Hidden files found: 0
Hidden registry items found: 10
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

I did the Malwarebytes scan yesterday night and there were again like 4 registry entries and I deleted them. I can’t find the log today.

The file (different names all the time) is always from C:\windows\system32\Drivers\[infected file.sys]
The avast log says Warning: signs of win32rootkit-gen[rtk] has been found in [file name]

I’ll do the other scans when I have a little bit of free time.

Thanks for the help so far.

This is an old beta version of the avast anti-rootkit so as such isn’t worth considering.

The anti-rootkit is incorporated into the avast anti-virus (avast! Antirootkit, version 1.0) and it runs 8 minutes after boot and also before some of the on-demand scans, Standard and Thorough. So you don’t actually need to run it manually, even less hold on to this old beta version.

I would have much preferred that you posted the MBAM log as suggested before taking action. Not only that, it gives us more of an idea of what is going on in your system.

So when does this detection win32:rootkit-gen happen (8 minutes after boot, during an on-demand scan, etc.)?

@ Tech
I suggest that you remove the link from your canned script to the old beta avast anti-rootkit as the results aren’t worth much, considering the anti-rootkit is built in and of a later version.

Hello again.
I just ran MBAM and this is the log:

Malwarebytes’ Anti-Malware 1.41
Database version: 2893
Windows 5.1.2600 Service Pack 3

10/2/2009 6:45:23 PM
mbam-log-2009-10-02 (18-45-18).txt

Scan type: Quick Scan
Objects scanned: 94062
Time elapsed: 10 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-3550996072-8676403159-909192500-7258\sysdate.exe (Worm.Autorun.B) → No action taken.

I tried to remove the items but they say you can’t remove the first one.
Any idea how that can be done?

The warning comes up almost immediately after I boot up the computer, definitely less than 8 minutes. This time around, after I rebooted after removing the registry entry, it took longer to come up. Also, the warning comes up twice within the first 10 mins or so of me using the computer.

Thanks again.
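As an added example (not part of this thread or of MBAM), a small Python parser for the MBAM log format posted above: it pulls each detection with its section, threat name and action, lists what was left in place ("No action taken"), and flags registry hits that sit in well-known auto-start locations such as Winlogon. The sample log is re-typed from this post; the function names and the `AUTOSTART_HINTS` list are mine.

```python
import re

# Sample input: the detection lines from the MBAM 1.41 log in this post,
# re-typed here (constructed test input, not read from disk).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2893
Registry Values Infected: 1
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> No action taken.

Files Infected:
C:\RECYCLER\S-1-5-21-3550996072-8676403159-909192500-7258\sysdate.exe (Worm.Autorun.B) -> No action taken.
"""

# "Registry Values Infected:" opens a section; "...Infected: 1" is only a summary count.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<path> (<threat>) -> <action>."  (the forum rendered "->" as an arrow, accept both)
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\)\s(?:->|\u2192)\s(?P<action>.+?)\.?$")

# Registry paths Windows consults to launch programs automatically (classic ASEP locations).
AUTOSTART_HINTS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\winlogon\\")


def parse_mbam_log(text):
    """Return one dict (section, item, threat, action) per detection line."""
    findings, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if not section or not line or line.startswith("("):
            continue  # header lines, blanks, "(No malicious items detected)"
        hit = ITEM_RE.match(line)
        if hit:
            findings.append({"section": section, **hit.groupdict()})
    return findings


def unresolved(findings):
    """Detections MBAM logged but left in place: what still has to be dealt with."""
    return [f for f in findings if f["action"].lower().startswith("no action")]


def persistence_findings(findings):
    """Registry detections in auto-start locations; an entry here can relaunch a
    dropped file, so the file alone coming back is expected until the entry goes."""
    return [f for f in findings if f["section"].startswith("Registry")
            and any(h in f["item"].lower() for h in AUTOSTART_HINTS)]
```

Run it against a saved `mbam-log-*.txt` by reading the file into `parse_mbam_log` instead of `SAMPLE_LOG`.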

If you can take action on the second one (see below) using the More Tools tab, FileAssassin tool to delete the file (copy and paste the path below), that is a start.
C:\RECYCLER\S-1-5-21-3550996072-8676403159-909192500-7258\sysdate.exe (Worm.Autorun.B)

Before you do that:
Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page. If multiple scanners find these infected send the samples to avast for analysis and inclusion in the virus database.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Try gmer or rootkit unhooker. 8)
And your problem will (maybe) be solved.

Done.

@david

I can’t seem to find the infected file. I don’t have a folder called ‘recycler’ in the C drive.
I was doing some research and found this:
http://spyware.scanspyware.net/spyware-removal/Worm.Autorun.B.html
Is this site safe? Shall I download their removal tool?
It seems to be pretty much what I need.

I can’t do any of the things you suggested because I can’t find the file.

I just did another MBAM search to try and find it again, but it now says my computer is not infected. But I got one virus warning within the first few minutes of booting up my computer.

Thanks again for your time.

It is most likely hidden (and possibly protected) from the normal windows tools, e.g. explorer.

So you could try what I suggested by copying and pasting the full path into the various input fields for VirusTotal and after that File Assassin, e.g. the path given by avast’s detection C:\RECYCLER\S-1-5-21-3550996072-8676403159-909192500-7258\sysdate.exe

If that doesn’t cut it, then you can try the other anti-rootkit tools/programs suggested by superhacker, gmer or rootkit unhooker.

I did a simple SUPERAntiSpyware check and it found some trojans and deleted them. The avast warning hasn’t come up as yet, so fingers crossed it should be ok.

Thanks for all your help david. Really appreciate it :)

Hello BlueSL,

Read about scanspyware.net: http://www.mywot.com/en/scorecard/scanspyware.net

Edit the scanspyware.net link in your post to hxxp, please.

The site isn’t safe.

Get WOT from mywot.com