issue with win32:roothkit-gen (rtk)

Hi, I am having an issue with the above. I've had it for a few days now, and I'm not really sure how it started, as I'm pretty careful about what I go on etc.

Avast keeps saying it's found the above in the windows\temp folder, and I keep deleting it and moving it to the chest, but it keeps creating new folder names every few minutes, reappears, and Avast finds it again. The folder names are all similar to tvvg.tmp, strt.tmp etc., and it's always a file called svchost.exe that it finds infected in there.

I read a few sites stating that if you turn off System Restore and reboot the laptop, then after the reboot put it back on, the file should have cleared. I have tried this and it hasn't, in my case anyway.

Does anyone please have any advice? Oddly enough, I have done a full system scan with Avast separately and it says my laptop is clean. I have also run Spybot, Avast, and some online scanners (Trend and the online trojan scanner from Windows Security), and all show my system as being clean. It's just Avast's resident scanner that keeps showing this all the time.

thanks

James

Just as an addition, here's a log from HijackThis; hope someone can look and spot something.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:59:39, on 12/12/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\James\2981137-Farmville_Auto_Harvester_Plower_Seeder_Bot_5_0\Farmville Auto Bot 5.0\Farmville Auto Bot.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ‘NETWORK SERVICE’)
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


End of file - 8566 bytes
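As an added example (not part of this thread, and not code from HijackThis, Avast or any other tool mentioned here): a small Python triage helper that reads lines in the HijackThis log format above and flags the kind of thing a defender would look at first. It flags a process whose name is a core Windows binary (such as svchost.exe) but whose path is outside the system directories, any executable running from a temp folder, an O4 Run entry that names a bare executable with no path, and an O23 service whose file is marked missing. The sample log is constructed for the example; it borrows the shape of the log above and the temp-folder svchost.exe path the poster describes later in the thread. The `SYSTEM_BINARIES` and `SYSTEM_DIRS` lists are the example's own assumptions, not anything HijackThis defines.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample (not the poster's actual log): a few lines in the shape of a
# HijackThis log, including the windows\temp\<name>.tmp\svchost.exe pattern described
# in the thread, one bare-filename Run entry, and one service with a missing file.
SAMPLE_LOG = """\
Running processes:
C:\\Windows\\system32\\taskhost.exe
C:\\Windows\\system32\\svchost.exe
C:\\Windows\\Temp\\nusa.tmp\\svchost.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe

O4 - HKLM..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM..\\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\\Windows\\system32\\GameMon.des.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# Assumed lists for this example: names that belong only in the system directories,
# and the directories where they are legitimately found on a 32-bit/64-bit install.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

ENTRY_RE = re.compile(r"^(R\d+|O\d+) - (.*)$")


@dataclass
class Finding:
    kind: str    # short category used for sorting/grouping
    detail: str  # the path or entry text that triggered it


def parse_processes(text):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    paths, in_section = [], False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def parse_entries(text):
    """Return (section, rest) pairs for every 'Rn - ...' / 'On - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def run_command(rest):
    """Extract the executable from an O4 entry: the text after '[name]', first token
    (quoted paths are honoured). Returns '' if the entry has no command."""
    m = re.search(r"\]\s*(.*)$", rest)
    if not m:
        return ""
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    return cmd.split()[0] if cmd else ""


def triage(text):
    """Run the checks over a log and return the findings in log order."""
    findings = []
    for path in parse_processes(text):
        name = ntpath.basename(path).lower()   # ntpath handles backslashes on any OS
        low = path.lower()
        if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
            findings.append(Finding("system-name-outside-system-dir", path))
        if "\\temp\\" in low:
            findings.append(Finding("executable-in-temp", path))
    for section, rest in parse_entries(text):
        if section == "O4":
            cmd = run_command(rest)
            # A bare filename is resolved through the search path at logon, so it
            # is worth confirming where it actually lives; low confidence on its own.
            if cmd and "\\" not in cmd and ":" not in cmd:
                findings.append(Finding("run-entry-without-path", cmd))
        elif section == "O23" and rest.rstrip().endswith("(file missing)"):
            findings.append(Finding("service-file-missing", rest))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.detail}")
```

On the constructed sample this reports the temp-folder svchost.exe twice (once as a system-binary name outside the system directories, once as an executable in a temp folder), the bare `KHALMNPR.EXE` Run entry, and the GameGuard service with its missing file; everything under Program Files and system32 passes. A hit is a prompt to check the file (for instance by hashing it and looking it up on VirusTotal, as suggested later in the thread), not a verdict on its own.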

What happens if you clean your temp folder?

With CCleaner http://filehippo.com/download_ccleaner/
In Options > Advanced, remove the tick on "only remove files older than 24h".

Hi, I do use CCleaner generally anyway. Whenever I delete these folders from the temp folder, it creates a new folder with a different name shortly after, then Avast says it's found that svchost.exe file again and it just starts over.

Have you tried boot scan?

Boot time Avast Antivirus Scanning
http://www.digitalred.com/avast-boot-time.php

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en

Dr.Web CureIt! http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/

Your HJT log looks OK. You could upload mctadmin.exe (C:\Windows\System32\mctadmin.exe) to VirusTotal, although I think it's legit: http://www.virustotal.com/ and post the results.

Download, install, update, and run Malwarebytes Anti-Malware, do a quick scan, and post the txt log: http://filehippo.com/download_malwarebytes_anti_malware/

I would also run the GMER rootkit scanner and post the log as an attachment: http://www.gmer.net/

Every time I try to download Norman, Avast says it's a virus.

Try right-clicking the blue ball and disabling it.

I've turned Avast off and am running Norman now.

Hi, it looks like I am needing further help with this. I got rid of this malware, I'm not sure how, as I was using a lot of different programs, and all of yesterday I didn't get any pop-ups from Avast saying I had any problems. I've not long got in from work and I had another warning on my screen from Avast. This one is saying it's a trojan, though, and not a malware as it said before. Oddly enough, it seems to be using very similar paths to my previous one: this one also keeps getting fixed by Avast, then reappearing shortly after in the temp folder under a different folder name, but is still using the file name svchost.exe as the previous one. The current one I have on my screen right now is c:\windows\temp\nusa.tmp\svchost.exe

This one doesn't say it's a win32:roothkit-gen (rtk); this one says it's a win32:fakealert-fc (tri) trojan.

Can anyone please advise? I'm really not sure how my laptop can have this ongoing issue with the amount of AV software and the like I use and run regularly. I can't figure out why Avast can't find it when I do a full system scan, yet it finds it with the resident scanner, and as soon as it's deleted, it reappears again.

thanks

And have you run all the recommended tools: Norman, Dr.Web, Malwarebytes, GMER rootkit scanner?
And posted the logs as micky77 suggested?

Hi:

You potentially have a serious malware "issue", and unless certified "Malware Removal Specialist" "essexboy" shows up here, I recommend you have your computer checked by one of those volunteer "Specialists" on an advanced malware removal forum such as the one where "essexboy" helps out, namely at http://www.geekstogo.com/forum/forums.html . There they will have you run programs like "OTL", which is better than HijackThis, and "RootRepeal", which is currently one of the best when it comes to looking for possible rootkits.

Here is a log from Malwarebytes which says my system is clean. It may also be worth mentioning that when I search for things in Google and click the links, they often go to completely different sites, and I get a pop-up from Avast also saying a trojan has been found in it. If I right-click the link and click "open in a new tab", it seems to open normally. This doesn't happen all the time, but it has been a lot.

I also cannot download Norman; each time I do, Avast says there is a virus in the setup file.

I will try and get more logs. My log from HijackThis is above; not sure if you need a new one?

Malwarebytes’ Anti-Malware 1.42
Database version: 3358
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

14/12/2009 19:52:51
mbam-log-2009-12-14 (19-52-51).txt

Scan type: Full Scan (C:|)
Objects scanned: 247814
Time elapsed: 1 hour(s), 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi Spiritsongs, thank you for your reply. It does seem like I have a bad issue here. I have just downloaded RootRepeal myself and will run it and see how it goes; I will join this other forum after the scan has finished.

Thank you

I agree with spiritsongs; you may have a serious infection that is blocking the download of these tools, and Malwarebytes is not able to find it. Essexboy will be the man to solve this.

Yes, this looks like a TDSS rootkit. Dr.Web is well worth trying, as it's had some success recently (it can repair infected legit sys files, like atapi.sys). As for RootRepeal: open the program > click Report > Scan > tick all the boxes > OK > tick the C drive, then post the log as an attachment in 'Additional Options'.

Hi, thanks for your reply. I am running Dr.Web as we speak. It has initially found what it says is a backdoor.tdss.565 in the system32\svchost.exe file, although I am still getting Avast saying it keeps finding the same issues in the temp folder. Dr.Web says it's eradicated this issue, but it still seems to be coming back. I did do a quick scan with Dr.Web before and it found the same as I have just described above in the system32 folder, so it seems that when it fixes the problem it just comes back somehow.

I have joined the forum that was mentioned and am awaiting feedback from there.

Also, RootRepeal will not work on my laptop. Each time I open it I get errors saying different things have failed to load, and when I try to do a scan it says it can't find the driver to work. I even got a blue screen from trying to use it.

Dr.Web is doing a full scan at the moment and it seemed like it's going to take a good hour or more to finish. I will let you know how I get on. This software has at least found something in my system32 folder anyway; it just makes me wonder why Avast can't?

I should have suggested running Dr.Web in safe mode, sorry.

Thanks, I will try in safe mode later; I am in work at the moment. I had left the house this morning with my laptop doing a boot scan with Avast. Dr.Web didn't get rid of the problem running in Windows normal mode; I will try safe mode later though. I really want to clean this without having to do a format.

Only use the F8 key method to enter safe mode, NOT msconfig. Make sure you download the newest version of Dr.Web. The initial scan is a quick one. When it has finished, do a complete one, then reboot.
If this fails, the only other option is ComboFix, which has been removed temporarily from Bleeping Computer because of issues with a rootkit (probably yours ;D), so you will have to wait until it's sorted.

The other tool (which I am unfamiliar with) is TDSSKiller from Kaspersky.
Someone on the other forum may help or suggest that: http://support.kaspersky.com/viruses/solutions?qid=208280684