Possible rootkit

Heeeeyyy everybuddy 8)

Avast found several files infected with a rootkit, but access is denied, so it can’t do anything with them.

I did a boot scan with avast, it found nothing.

I downloaded Malwarebytes, ran a scan it didn’t detect anything.

So, what am I missing here?

What scan was this found on (anti-rootkit scan 8 minutes after boot or other)?
Is there any reason given for the access denied?

What is the infected file name, where was it found ?

Monitoring if needed…

Puzzling ain’t it? :o

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

@ tigerstriper
Well, still puzzling, as the file name is still a mystery: the path you show doesn’t include the actual file name, and the WinSxS (Windows Side-by-Side) directory/folder can be massive, so it could be like looking for a needle in a haystack without the details. See http://blog.tiensivu.com/aaron/archives/1306-Demystifying-the-WinSxS-directory-in-Windows-XP%2C-Vista-and-Server-20032008.html and http://www.winvistaclub.com/f16.html.

The detection isn’t saying for certain that it is a rootkit, but a hidden file, and there could well be a legit reason for that, but no one can say if that might be the case as we don’t have the full path and file name. You should be able to expand the column width (drag the column separator to the right or double-click on the column separator) so you can see the full details.

So it is entirely possible that considering the nature of the WinSxS folder, there may well be a hidden .dll file running, but that can’t be confirmed as we don’t know the full folder location and file name.

In short, [b]WinSxS, which stands for ‘Windows Side By Side’[/b], is Windows’ native assembly cache. Libraries which are being used by multiple applications are stored there. This feature was first introduced in Windows ME and was considered as Microsoft’s solution to the so-called ‘dll hell’ issues that plagued Windows 9x.

I’m not sure this needs specialist intervention until it is identified whether there is a problem, and a ‘hidden file’, as opposed to a definitive detection, isn’t a clear-cut infection.
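As an added example (not code from anyone in this thread or from Avast), this PowerShell script does the legwork the replies above ask for: it lists every hidden file under WinSxS with its full path and file name, and records each file’s Authenticode signature status and SHA256 so a hidden .dll with a legitimate Microsoft signature can be told apart from one that deserves a closer look. It assumes the default WinSxS location under $env:SystemRoot and writes its report to a CSV in $env:TEMP.

```powershell
# Added triage script (not from the thread): enumerate hidden files under WinSxS
# and report full path, size, timestamps, signature status and hash, so the
# "hidden file" detection can be matched to an actual file name.
param(
    [string]$WinSxSPath = (Join-Path $env:SystemRoot 'WinSxS'),   # assumed default location
    [string]$ReportPath = (Join-Path $env:TEMP 'winsxs-hidden-files.csv')
)

# -Hidden returns only items carrying the Hidden attribute (PowerShell 3.0+).
# Access-denied entries are skipped rather than aborting the whole walk.
$hidden = Get-ChildItem -Path $WinSxSPath -Recurse -File -Hidden -ErrorAction SilentlyContinue

$rows = foreach ($f in $hidden) {
    # 'Valid' means a trusted publisher (normally Microsoft for WinSxS content)
    # signed the file; 'NotSigned' or 'HashMismatch' on a .dll is worth attention.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        FullName   = $f.FullName
        SizeBytes  = $f.Length
        LastWrite  = $f.LastWriteTimeUtc
        Attributes = $f.Attributes.ToString()
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

# Full inventory goes to CSV for attaching to a support thread.
$rows | Export-Csv -Path $ReportPath -NoTypeInformation

# On screen, show only files that are not validly signed; these are the
# candidates to report with their full path and file name.
$rows | Where-Object { $_.SigStatus -ne 'Valid' } |
    Sort-Object SigStatus, FullName |
    Format-Table FullName, SigStatus, SizeBytes, LastWrite -AutoSize

"Full report written to $ReportPath"
```

Run it from an elevated PowerShell prompt, since the access-denied errors mentioned in the first post usually come from the restrictive ACLs on WinSxS rather than from the file itself.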