Introduction and help needed!

Hello everyone!

Just thought I would introduce myself! I am an IT support technician (1st line) and I work in Manchester (UK) !

I have battled with many a virus in my time here but I am not an expert on Rootkits. Last night my Avast popped up with a message ‘Rootkit blocked’. It was Win32:KillAV-AHY. It was found in c:\windows\system32\wdi

It was moved to the virus chest, but my question is, is it safe there and could I remove it without causing serious issues with Windows?

Many thanks in advance!

Anything in the Virus Chest is safe there. We usually suggest leaving items there for several weeks and rescanning it every few days as virus definitions are updated. You may find that it is a false positive (FP), in which case you can then restore it or delete it depending on the file.

You can also upload the file in the Chest to Avast for analysis to see if it is a FP, and this will be done on the next virus update…very soon.

Since you found a rootkit, I also suggest running a boot scan as well if you didn’t already.

Thanks very much.

I have sent file for analysis as you have suggested and I will run a boot time scan.

I have noticed a change in my machine, sluggish at startup and Internet Explorer 9 takes an age to load up…! Could be a separate issue however!

Thanks again.

This is usually not a good sign, but we’ll see what the scans show.

You may want to check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

After doing the scans you are currently doing, follow the directions for obtaining an MBAM log (make sure you update MBAM first) and the OTS logs (save them as ANSI and not Unicode). Post the MBAM log and the OTS log as an attachment (Additional Options > Attach > Post). Depending on the log reports, I can refer you to our Certified Malware Removal Expert named Essexboy.

Let me know if you have any questions. Thank you.

Thanks again,

I will come back to you with results.

Hi, can’t seem to post logs. When I upload and I click post, they vanish!

Am I being an idiot?!

http://forum.avast.com/index.php?topic=78403.0

Thanks Asyn,

So it looks like it could be a false positive? I have sent the file to Avast, so I shall see if I hear anything back, or if it is changed in the next update.

Yes, very probably.

I’m checking back in with you. Have you received new Avast Update Virus Definitions yet since this appears to be a FP? If you have, please rescan what is in your Chest by right clicking on the item(s) in the Chest to rescan them. If they come out clean, you can try to restore them. Right click on each file individually and you will have the option what you would like to do with it. Additional help can be found if you open the Avast GUI > upper right corner you will see “Help Center” > “Virus Chest” > “Working Within the Chest Files.”

If, after getting the virus updates, you rescan and it does not come back clean, leave the file(s) in the Chest and rescan again after additional virus updates. Please cut and paste your MBAM log if it did not come back clean.

Let me know if you have any additional questions. Thank you.