rootkit error

Hi, I’m using Home Edition on XP.

This may have been covered but I couldn’t find it through this web search.

I keep getting “AVAST about a suspicious file in System 32… rootkit: hidden file… hidden service…”

I followed the avast instructions and still get this error.

It seems that ever since this error the following has happened: I can’t get a clean boot-up and have to go through Safe Mode first; I get redirected on web pages to ad pages; I’m getting pop-ups (I use Firefox and rarely got pop-ups).

Can anyone help me?

Can you schedule a boot-time scan?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select scanning of archives.
Boot.
If infected files are found, it’s safer to send them to the Chest instead of deleting them.
This way you can analyse them further.

What is the full path and file name?
Check C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log using Notepad; there is a summary at the bottom of that file that may contain the info.

This isn’t an error as such but an alert on a suspicious file.
So what instruction did you follow?

Hi, thanks for replying.

I tried the boot-time scanning and still have the same problem.

Avast sent a warning:

suspicious file found: "C:\windows\system32\drivers\MSIVXpkalsbynmodjinloebdvmlrnaicbfjda.sys |rootkit hidden file

"C:\windows\system32\drivers\MSIVXpkalsbynmodjinloebdvmlrnaicbfjda.sys |rootkit hidden service

Then the choice of “ignore” or “delete” (I chose ignore in case it’s an important file).

Then it asks for a scheduled boot, which I choose, and after a time my computer freezes and the screen turns blank.

What can I do? Is it a virus?

The name seems to belong to malware (a virus).
Can you find that file using Windows Explorer?

OK, this alert is almost certainly good, as we have seen this random-style file name in the drivers folder and it is invariably associated with a rootkit.

Just look in the drivers folder and take a look at the other file names; they tend to follow the conventional 8.3 file naming convention, e.g. an 8-character file name and a 3-character file type. You will probably see some longer ones, and these tend to be there to make it easier to identify what it is (the program it is associated with) rather than to obscure it.

A Google search on the file name returns only one hit, this topic, so considering its location in the system32/drivers folder that just makes it more suspicious.

So the next time it is detected on the anti-rootkit scan 8 minutes after boot (I would reboot now to force the rootkit scan), I would say delete it.
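The naming heuristic described in the reply above (legitimate drivers mostly fit 8.3 names, and the longer ones read like vendor or product names rather than random letters) can be turned into a small triage check. The script below is an added example written for this thread, not code from avast! or from any poster. Its thresholds (a stem longer than 12 characters, Shannon entropy of at least 3.5 bits, vowel ratio under 0.35, and no separator characters) are assumptions chosen to separate random-looking names from human-written ones; the sample listing is constructed, apart from the MSIVX... name quoted in the thread.

```python
import math
import os
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of a System32\drivers listing. The MSIVX... entry is the
# file name reported in the thread; the rest are well-known Windows driver
# names or made-up vendor-style names used only as benign comparisons.
SAMPLE_DRIVER_NAMES = [
    "ntfs.sys",
    "atapi.sys",
    "usbhub.sys",
    "tcpip.sys",
    "nvlddmkm.sys",
    "contoso_audio_driver.sys",                    # constructed: long but human-structured
    "MSIVXpkalsbynmodjinloebdvmlrnaicbfjda.sys",   # from the thread
    "qwrtzpxklmnbvcsdfg.sys",                      # constructed: random-looking, no vowels
]

# Heuristic thresholds (assumptions, tune against your own driver folder).
LONG_STEM = 12              # anything this long is well past the 8.3 convention
ENTROPY_THRESHOLD = 3.5     # bits per character; random letter runs score high
VOWEL_RATIO_THRESHOLD = 0.35  # pronounceable names have a much higher share of vowels
SEPARATORS = re.compile(r"[-_ ]")  # humans structure long names with separators


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def vowel_ratio(s: str) -> float:
    """Share of alphabetic characters that are vowels (y is not counted)."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def classify_driver_name(name: str) -> Tuple[bool, List[str]]:
    """Return (suspicious, reasons) for one file name such as 'ntfs.sys'."""
    stem, dot, _ext = name.rpartition(".")
    if not dot:
        stem = name
    lower = stem.lower()
    reasons: List[str] = []

    # Short names (8.3-style) are not judged here: a random 8-character name
    # would need a different signal, e.g. signature or publisher checks.
    if len(stem) <= LONG_STEM:
        return False, reasons
    # Long names with separators read as deliberate product naming, not noise.
    if SEPARATORS.search(stem):
        return False, reasons

    ent = shannon_entropy(lower)
    vr = vowel_ratio(lower)
    if ent >= ENTROPY_THRESHOLD and vr < VOWEL_RATIO_THRESHOLD:
        reasons.append(f"stem length {len(stem)} exceeds the 8.3 convention")
        reasons.append(f"entropy {ent:.2f} bits looks random")
        reasons.append(f"vowel ratio {vr:.2f} is unpronounceable")
        return True, reasons
    return False, reasons


def flag_suspicious_driver_names(names: List[str]) -> Dict[str, List[str]]:
    """Map each flagged file name to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for name in names:
        suspicious, reasons = classify_driver_name(name)
        if suspicious:
            flagged[name] = reasons
    return flagged


def scan_drivers_folder(path: str) -> Dict[str, List[str]]:
    """Run the heuristic over a real folder, e.g. C:\\Windows\\System32\\drivers."""
    return flag_suspicious_driver_names(os.listdir(path))


if __name__ == "__main__":
    # Offline demonstration on the constructed listing.
    for name, reasons in flag_suspicious_driver_names(SAMPLE_DRIVER_NAMES).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

A hit from this check is a prompt to look closer (publisher signature, creation time, whether the file is visible from a normal boot but hidden from a rootkit scan), not proof on its own; as the thread notes, a boot-time scan with the file sent to the Chest keeps it available for that analysis.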