Just thought I would introduce myself! I am an IT support technician (1st line) and I work in Manchester (UK)!
I have battled with many a virus in my time here but I am not an expert on Rootkits. Last night my Avast popped up with a message ‘Rootkit blocked’. It was Win32:KillAV-AHY. It was found in c:\windows\system32\wdi
It was moved to the virus chest, but my question is: is it safe there, and could I remove it without causing serious issues with Windows?
Anything in the Virus Chest is safe there. We usually suggest leaving items there for several weeks and rescanning it every few days as virus definitions are updated. You may find that it is a false positive (FP), in which case you can then restore it or delete it depending on the file.
You can also upload the file in the Chest to Avast for analysis to see if it is an FP, and this will be done on the next virus update… very soon.
Since you found a rootkit, I also suggest running a boot scan as well if you didn’t already.
After doing the scans you are currently doing, follow the directions for obtaining an MBAM log (make sure you update MBAM first) and the OTS logs (save them as ANSI and not Unicode). Post the MBAM log and the OTS log as an attachment (Additional Options > Attach > Post). Depending on the log reports, I can refer you to our Certified Malware Removal Expert named Essexboy.
I’m checking back in with you. Have you received new Avast virus definition updates yet, since this appears to be an FP? If you have, please rescan what is in your Chest by right-clicking on the item(s) in the Chest to rescan them. If they come out clean, you can try to restore them. Right-click on each file individually and you will have the option of what you would like to do with it. Additional help can be found if you open the Avast GUI > upper right corner you will see “Help Center” > “Virus Chest” > “Working Within the Chest Files.”
If, after getting the virus updates, you rescan and it does not come back clean, leave the file(s) in the Chest and rescan again after additional virus updates. Please cut and paste your MBAM log if it did not come back clean.
Let me know if you have any additional questions. Thank you.