new rootkit infection

hi today avast picked up a new rootkit infection in my system. quick scan did not pick up anything but full system scan picked up the following rootkit infection

c:\windows\sysWOW64\winFL drv.sys

i m not been able to move it to chest. can not repair either. what should i do???
i m using windows 7 ultimate 64 bit OS.
plz help…
with best regards
gautam

Try free Mbam for removal…!!
http://www.malwarebytes.org/mbam.php
asyn

Gautam,

What was the detection as? and have you set the heuristics to maximum?

Also can you upload the file to virustotal.com and post the link to results here, please. If the infection is true we can ask one of the trained expert, here in forums, to deal with you. But first please answer the questions and post the link.

nmb

@ gautam7
Read this topic, http://forum.avast.com/index.php?topic=50922.0 as it mentions a program called Folder Lock, does that ring any bells with you ?
http://www.threatexpert.com/files/WinFLdrv.sys.html
http://www.threatexpert.com/report.aspx?md5=57f65e0f401e295406c1e0daa7836774

However there are some hits that indicate this could well be malicious, especially if you didn’t install the folder lock program:

Hi, well mbam doesnot detect a thing. and as devid R pointed out about folder lock… i actually have folder lock installed. may be this is the cause… again as for my friend nmb, i m using avast in default mode and i can not send the file to the chest so how can i upload it to virustotal??? i tried to follow the path but there is no such file in my c drive windows.

again since i hv folder lock installed so does this means its not an infection???

It doesn’t necessarily mean you haven’t an infection since you have folder lock installed as it is easy to create a file of that name, but it does make it less likely.

That is why it is worth uploading to VirusTotal:
To check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can copy the file from the original location to a temporary location first, see below. You may need to stop the file system shield temporarily to copy it to this temp location if avast alerts.

Create a folder called Suspect in the [b]C:[/b] drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect* That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.
check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the [b]C:[/b] drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect* That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

  • In the meantime (if you accept the risk), add it to the exclusions lists:
    File System Shield, Expert Settings, Exclusions, Add and
    avast Settings, Exclusions
    Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Thank you David for your time. but as i said i can not browse the file to Virus total. because when i tried to browse no such file is found. and the file could not be move to chest. whenever i tried to move it to chest avast says access is denied. dont know what is happening…

Can you not find it normally using windows explorer ?
If not - Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.

Then copy the file from the original location and paste it into the suspect folder in the instructions above.

well i tried this already. but still no finding this stupid rootkit file…my system doesnot seem to have the file…dont know where avast find it. avast says its a hidden file but still since i hv disabled hide system file i thought i will find it…any other ways…

Is avast still detecting it on each boot ?

avast detects it every time i do full system scan. quick scan does not detect anything

Time for essexboy. I have sent him a PM.

nmb

Time for GMER to have a look I feel

http://www.geekstogo.com/misc/guide_icons/gmer.png
GMER Rootkit Scanner - Download - Homepage
[] Download GMER
[
] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
[] IAT/EAT
[
] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg

Click the image to enlarge it

[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*]Save the log where you can easily find it, such as your desktop.
CautionRootkit scans often produce false positives. Do NOT take any action on any “<— ROOKIT” entries
Please copy and paste the report into your Post.

THEN

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Check the box that says Scan All Users
[*]Under the Custom Scan box paste this in


netsvcs
%SYSTEMDRIVE%*.*
%systemroot%*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32*.dll /lockedfiles
%systemroot%\Tasks*.job /lockedfiles
%systemroot%\System32\config*.sav
%systemroot%\system32\drivers*.sys /90

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

The Quick scan doesn’t run the anti-rootkit scan (or a very detailed AR scan).

well here goes everything. i got no warning.

i m giving gmer also as attachment.

hi everyone

Today i scaned the computer in safe mode. avast dont pickup the infection. but when i scaned again in normal windows, avast picked up the infection. i dont know how to interpreat the information. but thought i should inform u guys about it. and i m waiting for someone to interpreat my GMER log.

With regards
gautam

Well to start with some information might help, file name and location given in the detection ?

Whilst some rootkits might not be present/running in safe mode (though many do) that may be the reason for not finding it in a safe mode scan.

I’m not familiar with the GMER log information, but it is generally quite clear if it detects a rootkit, so attach the log to your next post.

well davidR i m refering to the original problem with which i hv started the topic. n i hv already posted my GMER and OTL logs as suggested by essexboy. i think he didnot get time to interpreat the log files. now just waiting…

hi everyone. i still have the problem. so dont forget about me :).

Hi sorry about that I lost my notifications

GMER does not detect that file and nor does OTL - I have a feeling it may be a false positive

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.