Rootkit detected

Hi
I just installed Avast Free Antivirus 6.0.1203

After a scan it reported a rootkit - I told Avast to delete it but I did not take down the name or path of the file.

I tried to find the log and found logs in

C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log

But I cannot seem to find any mention of a rootkit in these logs…

Could you please tell me how I can view the log?

Thanks,

First: deletion isn’t really a good first option (you have none left). ‘First do no harm’: don’t delete; send the virus to the chest (a protected area) and investigate.

However, you don’t say what scan it was.
But I suspect it may have been the anti-rootkit scan 8 minutes after boot; does this sort of match the time frame (see image example of alert)?

If so, check the anti-rootkit scan log. For WinXP: C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\log\aswAr.log. For Vista/Win7: C:\ProgramData\Avast Software\Avast\log\aswAr.log. Open it with Notepad and you can copy and paste the path and file name, etc.

Hi DavidR,

Thank you very much for your reply.

I did see exactly the window that you attached a screen capture of. Not knowing what to do, I just deleted the file. Unfortunately I did not copy down the name of the file before deleting.

I checked the file:

C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\log\aswAr.log (I am running XP Pro)

The file states at the end:

Scan finished: Thursday, September 08, 2011 5:55:59 PM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

But based on the date and time of the scan, this is a log of the scan done AFTER the scan that detected the rootkit.

So I have not been able to find any info on the specific file name and path that was deleted.

I am VERY worried about this rootkit and would very much like to know what specifically its threat is.

Is there anything else I can do to find this out?

eg:

Is there a log that stores info about older scans?

Is there a chest that stores deleted files?

Thank you

The aswAR.log file is overwritten (otherwise it could get very large), so if you have rebooted or run another scan which includes the anti-rootkit scan, that old data is gone.

Only files sent specifically to the chest (not an option with the anti-rootkit scan) are sent to the chest. Deletion of the files doesn’t even send them to the recycle bin as they could well be detected there on other scans, so that file is history.

As a result of that there really is no way to investigate and this is why my comment about not rushing to deletion is so important.
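Since aswAr.log is overwritten by the next anti-rootkit scan, one way to keep a record is to copy it away with a timestamp and pull out the summary counts. The script below is an added example, not code from the thread or from Avast; the archive folder is an assumed location, and the sample text is the summary block quoted above.

```python
import re
import shutil
from datetime import datetime
from pathlib import Path
from typing import Optional

# Summary fields in the format the thread quotes from aswAr.log.
SUMMARY_FIELDS = ("files", "registry items", "processes", "services", "boot sectors")

# Path quoted in the thread for XP; Vista/7 use C:\ProgramData\Avast Software\Avast\log\aswAr.log.
DEFAULT_LOG = Path(r"C:\Documents and Settings\All Users\Application Data"
                   r"\Avast Software\Avast\log\aswAr.log")
# Assumed archive location (not an Avast path).
ARCHIVE_DIR = Path(r"C:\aswAr-archive")

# Summary block copied from the thread (scan with no findings).
SAMPLE_CLEAN = (
    "Scan finished: Thursday, September 08, 2011 5:55:59 PM\n"
    "Hidden files found: 0\nHidden registry items found: 0\n"
    "Hidden processes found: 0\nHidden services found: 0\nHidden boot sectors found: 0\n"
)

def parse_summary(text: str) -> dict:
    """Extract the 'Scan finished' timestamp and each 'Hidden ... found: N' count."""
    result = {"finished": None, "counts": {}}
    m = re.search(r"^Scan finished:\s*(.+)$", text, re.M)
    if m:
        result["finished"] = m.group(1).strip()
    for field in SUMMARY_FIELDS:
        m = re.search(rf"^Hidden {field} found:\s*(\d+)$", text, re.M)
        if m:
            result["counts"][field] = int(m.group(1))
    return result

def has_findings(summary: dict) -> bool:
    """True if any hidden-item counter in the summary is non-zero."""
    return any(n > 0 for n in summary["counts"].values())

def archive_log(log_path: Path = DEFAULT_LOG, archive_dir: Path = ARCHIVE_DIR) -> Optional[Path]:
    """Copy the log to a timestamped file so the next scan's overwrite does not lose it."""
    if not log_path.is_file():
        return None
    archive_dir.mkdir(parents=True, exist_ok=True)
    dest = archive_dir / f"aswAr-{datetime.now():%Y%m%d-%H%M%S}.log"
    shutil.copy2(log_path, dest)  # copy2 keeps the original file timestamps
    return dest

if __name__ == "__main__":
    saved = archive_log()
    text = saved.read_text(errors="replace") if saved else SAMPLE_CLEAN
    print(parse_summary(text), "findings:", has_findings(parse_summary(text)))
```

Run it once after each anti-rootkit scan (for example as a scheduled task) and the archive folder keeps every summary, including any with non-zero counts.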

HI There,

And Thank You In Advance Anyone !

I Thank You For Your Time And Efforts, I Cannot Tell You How Much I Appreciate It !!
Best Wishes To All For A Great Week Ahead,
Blessings,
Wild Wizard

The Rest Of My Message Sorry …

Did As you Said, Scanned W/AVG Rootkit Over 900,000 Files And Says no Infections…And Use OTL…Also…
Will Do The Rest Of Your Suggestions, Again Sorry For Taking Up All This Space And Being In The WRONG Forum Place :frowning:

Thanks Again,
Blessings,
Wild Wizard
Have A Nice Week Ahead…Sorry…

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use Comodo Cleaning Essentials (CCE), or MBAM, or SUPERantispyware to scan for spywares and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Read these instructions and provide more info with the logs generated. But, please, do NOT post there, open a NEW thread for your specific problem and help us to help you.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then reenable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

If the infection avoids booting the computer, take a look here http://forum.avast.com/index.php?topic=79107.0

tech, isn’t it possible that there’s some sort of problem or error?
One night infections: 0, next night: 1100-1200 seems unusual.

Sure: 1) False positives or 2) Real infections.

I Am Soooooooooo Very Very Sorry NooB At AVG, But Computers 20+ Yrs, My Deepest Apologies, And Thank You SOOOOOOOOOO Much For Your Help ! I Started A New Thread In The Right Place And Have U/L Many Reports…

I’ll Modify The Posts And Take Out All The Body Of The Messages Or I Am Sure You Can Delete Them,

Thanks Again For Your Help And Your Gracious Understanding,
Best Wishes To You And Alpha1 Thanks Sooooooooo Much !
Blessings,
Wild Wizard
Again My Deepest Apologies, I Just Freaked Out :frowning: Sorry …

Where Can I Get Ahold Of You Mr Tech…I Don’t Want To Ask A Lot Of Questions Here As You Said Its Not The Right Place…Then Where Can I Go?? AVG Rootkit Scan = 0 , So Hopefully LOTS Of False Positives, Doing AVG Thorough Scan And Up To 4,000,000 Files But Some Say “Locked File Not Tested” And “Password Protected, Not Tested” “Found Tracking Cookie.Revsci”
After Moving Something To The Chest Can I Delete ( You Said After 2 Weeks ) And Make Sure It Is Deleted Using DOD Shredder ? Ok I’ll Stop Now…Sorry…

Have More Questions But Don’t Want You Upset I Am In The Wrong Place, Please Provide Me A Place To Go… ???

I Have A Thread Here …"viruses and worms / viruses and worms / Re: RootKit And Lots More Problems Thank You In Advance ! Ahhhhhhhhhhhh :frowning: "

Thanks Again For All Your Help,
Blessings
Wild Wizard