Rootkit detected (Solved)

7/10/2009 6:33:57 PM Owner 1428 Sign of “Rootkit: hidden file” has been found in “C:\WINDOWS\Temp_avast4_\unp23992893.tmp” file.
7/10/2009 6:33:59 PM Owner 1428 Sign of “” has been found in “C:\WINDOWS\Temp_avast4_\unp23992893.tmp||AntiRootkit [FILE]|||10|0|2|COO1||COO2||” file.

False positive or ???

Hijack This Logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:55 PM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [Advanced SystemCare 3] “C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe” /startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


End of file - 4617 bytes

Strange… seems a false positive as that file is an avast temporary file, generated while scanning.
Can you run a full avast scanning?

Yeah, I was going to bootscan afterwards. [EDITED] Alright, I’ll run the normal scan now.

Zero infected with the Folder Options “Hidden files” setting off. Should I run a bootscan?

It won’t hurt… but it seems to have been a glitch… a false positive detection that won’t be repeated…

:o

07/10/2009 20:01
Scan of all local drives

Number of searched folders: 1821
Number of tested files: 90079
Number of infected files: 0

You’re clean. If you want to be completely sure:

  1. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  2. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.

Ok, I’ll use MBAM. Thanks a lot for your help, have a nice day. ;D

avast! Antirootkit, version 0.9.6
Scan started: Friday, July 10, 2009 8:31:17 PM

Scan finished: Friday, July 10, 2009 8:31:58 PM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


This location, the avast4 folder, is where avast unpacks archive files to be scanned, signified by the unp999999.tmp file names, where the 999999 is a random number. These files should be cleared after avast has unpacked and scanned the archive. So something happened to stop these temporary files from being removed.

This has happened in some cases because of having another AV or resident security application installed: as avast unpacks the files in the avast4 folder, the other application can try to hook/lock these files to scan them, and this could stop avast from a) scanning them and b) removing them from the temp folder, so they are subsequently detected on an on-demand scan.

This, however, is theory, and I see no security application in your HJT log that would be capable of this hooking/locking of the file. So to me it just looks like avast for some reason didn’t clear the temp folder after scanning.

Windows leaves a lot of junk in C:\WINDOWS\Temp, and some install routines leave junk there as well.

CCleaner gets rid of the junk:
CCleaner v2.21.940 - Standard Build
http://www.ccleaner.com/download/downloading <== make sure you un-select the Yahoo toolbar if you do not want it
CCleaner v2.21.940 - Slim
http://www.ccleaner.com/download/builds/downloading-slim <== English only with no Toolbar
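To make the responder’s reasoning about the alert lines at the top of the thread repeatable, here is an added triage script (not avast’s code and not from the original post): it parses alert lines in the format quoted above, strips avast’s “||”-delimited detail suffix, and separates hits on unpNNNNNN.tmp files inside the _avast4_ unpack folder (assumed to be C:\WINDOWS\Temp\_avast4_, as named in the thread) from hits on files elsewhere on disk. The sample log lines are constructed; the third line is invented to show the contrasting case.

```python
import re
from typing import Optional

# Constructed sample lines in the avast 4 alert-log format quoted in the thread;
# the second is the companion record with the "||"-delimited scanner details.
SAMPLE_LOG = (
    '7/10/2009 6:33:57 PM Owner 1428 Sign of "Rootkit: hidden file" has been found in '
    '"C:\\WINDOWS\\Temp\\_avast4_\\unp23992893.tmp" file.\n'
    '7/10/2009 6:33:59 PM Owner 1428 Sign of "" has been found in '
    '"C:\\WINDOWS\\Temp\\_avast4_\\unp23992893.tmp||AntiRootkit [FILE]|||10|0|2|COO1||COO2||" file.\n'
    '7/10/2009 6:41:10 PM Owner 1428 Sign of "Rootkit: hidden file" has been found in '
    '"C:\\WINDOWS\\system32\\drivers\\example.sys" file.\n'  # constructed contrast case
)

# Accepts straight or curly quotes, since forum rendering often swaps them.
ALERT_RE = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<sig>[^”"]*)[”"] has been found in [“"](?P<target>[^”"]*)[”"] file\.$'
)
# Archive members avast unpacks for scanning: unpNNNNNN.tmp inside an _avast4_ folder.
UNPACK_TMP_RE = re.compile(r'^(?:.*\\)?[^\\]*_avast4_\\unp\d+\.tmp$', re.IGNORECASE)


def parse_alert(line: str) -> Optional[dict]:
    """Parse one alert line; returns None for lines in another format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.group('target').split('||')  # path first, then scanner detail fields
    return {
        'timestamp': m.group('ts'),
        'pid': int(m.group('pid')),
        'signature': m.group('sig'),
        'path': fields[0],
        'component': fields[1] if len(fields) > 1 else '',
    }


def triage(alert: dict) -> str:
    """Classify the hit the way the thread's responder reasoned about it."""
    if UNPACK_TMP_RE.match(alert['path']):
        # Leftover unpacked member: inert unless something runs it, but not proven
        # clean, so it should be submitted for analysis rather than assumed a false positive.
        return 'scanner-temp-artifact: submit for analysis'
    return 'file-on-disk: investigate'


def triage_log(text: str) -> list:
    """Parse every alert line in the log and attach a verdict to each."""
    results = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert:
            alert['verdict'] = triage(alert)
            results.append(alert)
    return results
```

Running `triage_log(SAMPLE_LOG)` yields three records: the two hits on the unp23992893.tmp file are tagged as scanner temp artifacts, and the constructed driver hit is tagged for investigation.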

I only use Avast [1 AV per computer]… not sure, but it seems like a rare issue though.

I do use CCleaner and Advanced SystemCare 3. Thanks anyway.

Yes, as I said, nothing on your system should get in the way and this is just a hiccup. Clearing out that sub-folder and/or sending it to the chest would resolve any issue. Even if it were left there it is effectively inert (not active), as there is nothing that knows it is there, so nothing would be able to run it.

One strange thing is when it’s detected, there’s ONLY a DELETE option or IGNORE.
I don’t have a “send to chest” option. First time I’ve encountered such an issue :cry:

That isn’t strange at all, as it isn’t a conventional detection but one using heuristics in the anti-rootkit scan, and those are the only options. Because it is a heuristic detection it is erring on the side of safety in recommending Ignore, but gives you the option of deletion.

You should also have got this message in the alert:
“A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis.”

I see. Anyway, it’s a 100% false positive, right?

Who said it’s a false positive? Certainly not me or anyone else.

All that has been said is that this is a file that avast unpacked into its temp folder that should have been removed after the scan. I haven’t the slightest idea why that didn’t happen, but consequently it is being detected, and as the message suggests you should allow it to be sent for analysis; avast uploads it during the next update.

So that really is what you should do for avast to analyse it. Then, and only then, would you know if it is a false positive, as subsequent scans would either not detect it (an indication of a false positive) or it could be detected by a conventional signature (created after analysis), so that conventional scans could detect it and not just the heuristic anti-rootkit scan.

Yeah, I re-scanned twice and found nothing. No more rootkit alerts whatsoever. Thanks anyway.

You’re welcome.