Need help removing Win32:Rootkit-gen[Rtk] and Win32:Malware-gen

I have Avast to scan during screen saver mode and it found Win32:Malware-gen and i moved it to the chest it then found Win32:Rootkit-gen[Rtk] every time it scanned in a different location.

No adverse effects as far as computer speed, boot up, internet - i just know these should not be here and the Win32:Rootkit-gen[Rtk] keeps replicating.

Here is my initial Malware scan as well as the OTC scan, although the OTC scan only rendered 1 txt file, OTC.txt; there was no Extras.Txt as stated in the (Logs to assist Thread).

Here is also a screen shot of my Virus Chest in Avast to give you an idea of what is happening

Any help/suggestions would be appreciated, before i just reformat the C drive.

Thanks

Run a full scanning at boot time first.

Something keeps restoring it into the drivers folder, and the moves to the chest appear to be creating a restore point which is subsequently being detected. So it really isn’t cropping up in a different location. When is this detection on ndiswan.sys happening?

Presumably the malware-gen doesn’t keep coming back in the Internet Temp Files location, as there is only one occurrence in the chest?

I would have suggested you install avast 5.0, but that isn’t advisable until this is resolved.

Unfortunately I’m not familiar with the OTS log analysis, so I will have to leave that to someone else.

Since MBAM doesn’t find anything related to ndiswan.sys (presumably it is still present in the drivers folder, a common target for rootkits), and this is a generic (-gen) detection, and this is also a legit file name (which means nothing), it should be checked out to ensure the detection is good, see below. See the image of my ndiswan.sys file (I have XP Pro SP3, so it should match yours); I haven’t had any detection, image 2.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

- avast4 - Create a folder called Suspect in the C:\ drive. Now exclude that folder in Standard Shield, Customize, Advanced, Add; type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

I created a folder on the C drive called Suspect, but where exactly do you do this

(Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*)?

In the Standard Shield provider, the commas separate each different action:
Open the standard Shield provider.
Click the Customize button.
Click on the Advanced tab.
Click the Add button and finally paste C:\Suspect\* into the field.

Here are the results for 1 of the files; do i do this for all the files?

http://www.virustotal.com/analisis/96f3abd63d605c7211eef92f80f390cf9da5b3ac660b534bce0aa71abf45c4c2-1266980369

thanks for the help by the way

No, I suspect they will have the same MD5 (unique identifier) number as the one you scanned (MD5 : 7647eefa0aa6efdccecc5be4924cd312), but you didn’t upload the only one I asked about, ndiswan.sys. So I would suggest you do have that one scanned.

Though as I said, I believe it will result in the same confirmation that the detection is good, and you need someone to analyse your OTS log.

You could try this in the meantime, see below; that’s me for the night, a bit after 4am here.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

Caution
These types of scans can produce false positives. Do NOT take any action on any “<— ROOTKIT” entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
Click NO.
In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “GMER.txt”.
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Hello DavidR,

I scanned the requested file

http://www.virustotal.com/analisis/96f3abd63d605c7211eef92f80f390cf9da5b3ac660b534bce0aa71abf45c4c2-1267069985

and also did the GMER scan (see GMER.txt); hope this helps???

Well, the VT results confirm the avast detection is good, and the MD5 number matches the other one you sent. This confirms my suspicion that the detection is the same, and when first moved to the chest it caused it to be saved in the system restore location.

Unfortunately I see nothing obvious in the GMER report.

Now here we come to the rub: this is a legitimate file name in XP SP3, which I also use, and the copy I have in that location has a different MD5 number:

ndiswan.sys MD5: EDC1531A49C80614B2CFDA43CA8659AB

So your file does seem to have been modified, as you too have XP SP3. So please recheck the images I posted in Reply #2 above, which show the file size in bytes (91,520 bytes). Does your ndiswan.sys file size match this?

Also see http://www.file.net/process/ndiswan.sys.html.
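To make the comparison DavidR describes above concrete, here is an added example; it is not code from anyone in this thread, nor an Avast or GMER tool. It hashes a file in chunks and checks both its MD5 and its size against a trusted copy, the way the thread checks ndiswan.sys against a known XP SP3 copy. The two KNOWN_GOOD constants are the values quoted in the post above; the file contents built in demo() are constructed stand-ins, and every function name is my own.

```python
import hashlib
import os
import tempfile

# Reference values for ndiswan.sys quoted by DavidR in the thread (XP Pro SP3):
# the MD5 of his unmodified copy and its size in bytes. Lower-case for comparison.
KNOWN_GOOD_NDISWAN_MD5 = "edc1531a49c80614b2cfda43ca8659ab"
KNOWN_GOOD_NDISWAN_SIZE = 91520


def file_digests(path, chunk_size=65536):
    """Return (size_in_bytes, md5_hex, sha256_hex) for a file, hashing in chunks.

    MD5 is what the thread compares; SHA-256 is included because it is the
    identifier VirusTotal keys its reports on, so it is handy to have both.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def verify_against_baseline(path, expected_md5, expected_size):
    """Compare one file with a trusted baseline (hash AND size, as the thread does).

    Checking both matters: a same-size file with a different hash is the classic
    sign of a patched driver, while a size mismatch alone already rules out a match.
    """
    size, md5, sha256 = file_digests(path)
    size_ok = size == expected_size
    md5_ok = md5 == expected_md5.lower()
    if size_ok and md5_ok:
        verdict = "matches trusted copy"
    else:
        verdict = "MISMATCH: differs from trusted copy, submit to VirusTotal"
    return {
        "path": path,
        "size": size,
        "md5": md5,
        "sha256": sha256,
        "size_matches": size_ok,
        "md5_matches": md5_ok,
        "verdict": verdict,
    }


def demo():
    """Constructed sample run: a stand-in 'driver', a same-size patched copy, a padded copy.

    The baseline is taken from the trusted copy, the way DavidR used his own
    SP3 ndiswan.sys as the reference. Nothing here touches real system files.
    """
    clean = b"MZ" + bytes(range(256)) * 16                             # constructed, not a real PE
    patched = clean[:100] + bytes([clean[100] ^ 0xFF]) + clean[101:]   # one byte flipped, same size
    padded = clean + b"\x00" * 64                                      # extra bytes appended
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, data in (("clean", clean), ("patched", patched), ("padded", padded)):
            paths[name] = os.path.join(tmp, name + ".sys")
            with open(paths[name], "wb") as fh:
                fh.write(data)
        base_size, base_md5, _ = file_digests(paths["clean"])
        for name in paths:
            results[name] = verify_against_baseline(paths[name], base_md5, base_size)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:8s} size={r['size']:6d} size_ok={r['size_matches']} "
              f"md5_ok={r['md5_matches']}  {r['verdict']}")
```

To run it against a real extracted file, export the suspect driver into the excluded C:\Suspect folder the thread sets up and call verify_against_baseline on that path with the two KNOWN_GOOD constants; a size match with an MD5 mismatch is exactly the case the thread is trying to rule in or out, and the sha256 field is the value to look the file up by on VirusTotal.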