Rootkit Found

Avast found a rootkit called Win32:Evo-gen [Susp]. It tells me to either delete now or ignore. The boot-up scan didn’t get rid of it; it appeared again, and the scan found nothing. I don’t understand this whole log thing. Which one am I supposed to copy and paste? The Malwarebytes scanner didn’t find the rootkit either.

Win32:Evo-gen [Susp]
susp = suspicious

What is the file name detected, and its location (the full file path)?

Follow this guide and attach the logs (do not copy and paste): http://forum.avast.com/index.php?topic=53253.0

Run in the order listed:
AdwCleaner / Malwarebytes / OTL / aswMBR

When done, malware experts will be notified and will help you.
When finished, all tools used will be removed.

The file name is SVC: TVT Backup Pro. I’m doing that log thing now.

When done, also upload and test the file at www.virustotal.com (if it was tested before, click "new scan").
Post the link to the scan result here.

There’s no room for the Extras log. I don’t know where SVC: TVT Backup Pro is located. I never heard of that file.

You don’t have to put all logs in the same post if there is no room.
Anyway, the Extras.txt log is usually not needed, as it is just extra tech info.

Malware removers are notified; it may take some hours before they arrive.

Hi,

Can you tell us what avast has detected as a rootkit? The path of the file is important.
Also, are you using multiboot, or is Windows the only system here?

Re-run OTL.exe.

1. Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
PRC - [2013/05/01 00:11:08 | 000,042,784 | ---- | M] (Yontoo LLC) -- C:\Documents and Settings\T60\Application Data\Yontoo\YontooDesktop.exe
SRV - File not found [Auto | Running] -- C:\Program Files\Yontoo\Y2Desktop.Updater.exe C:\Documents and Settings\T60\Application Data\Yontoo\YontooDesktop.exe -- (Yontoo Desktop Updater)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.v9.com/?utm_source=b&utm_medium=update&from=update&uid=ST9100821AS_5NJ0PZ6XXXXX5NJ0PZ6X&ts=1369848857
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=ST9100821AS_5NJ0PZ6XXXXX5NJ0PZ6X&ts=0
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={0B8390E7-DBF3-11E2-944A-001B7708FE48}
IE - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.v9.com/?utm_source=b&utm_medium=update&from=update&uid=ST9100821AS_5NJ0PZ6XXXXX5NJ0PZ6X&ts=1369848857
IE - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (SweetIM Technologies Ltd.)
IE - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.v9.com/web/?utm_source=b&utm_medium=update&from=update&uid=ST9100821AS_5NJ0PZ6XXXXX5NJ0PZ6X&ts=0
IE - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={0B8390E7-DBF3-11E2-944A-001B7708FE48}
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (Yontoo LLC)
O4 - HKU\S-1-5-21-602162358-1757981266-1417001333-1003..\Run: [MPOptimizer] "C:\Program Files\MaxPerforma Optimizer\MaxPerforma.exe" /scan File not found
O4 - HKU\S-1-5-21-602162358-1757981266-1417001333-1003..\Run: [Optimizer Pro] C:\Program Files\Optimizer Pro\OptProLauncher.exe File not found
O15 - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\..Trusted Domains: cinemanow.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\..Trusted Domains: cinemanow.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\..Trusted Domains: qflix.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\..Trusted Domains: roxio.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\..Trusted Domains: sonic.com ([redirect] http in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1757981266-1417001333-1003\..Trusted Domains: sonic.com ([redirect2] http in Trusted sites)

:FILES
ipconfig /flushdns /c
dir C:\Documents and Settings\All Users\Application Data\TEMP /c
C:\Documents and Settings\T60\Application Data\Yontoo
C:\Program Files\mozilla firefox\searchplugins\qvo6.xml
C:\Program Files\mozilla firefox\searchplugins\v9.xml
C:\Program Files\MaxPerforma Optimizer
C:\Program Files\Optimizer Pro
C:\Documents and Settings\All Users\Application Data\Babylon
C:\Documents and Settings\All Users\Application Data\InstallMate
C:\Documents and Settings\All Users\Application Data\SweetIM
C:\Documents and Settings\T60\Application Data\Optimizer Pro
C:\Documents and Settings\T60\Application Data\Yontoo

:COMMANDS
[CREATERESTOREPOINT]
[EMPTYTEMP]

2. Then click the Run Fix button at the top.
3. Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

----- next -----

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

1. Double-click to run it. When the tool opens, click Yes to the disclaimer.
2. Under Optional Scan, ensure “List BCD” and “Driver MD5” are ticked.
3. Press the Scan button.
4. It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
5. The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

I tried searching for the TVT Backup Pro file and nothing comes up. It also keeps saying SVC: is not a valid folder if I put it there. Windows XP is the only system. For some reason, when I turned on my laptop this morning, that Avast rootkit pop-up is not showing up anymore.

I tried that log in OTL and it keeps saying it’s not responding. Disabling Malwarebytes by turning off protection doesn’t work. Is it still running, even though it says not responding, or did it completely freeze?

Uninstall Malwarebytes, then try to run the OTL fix again.

Uninstalling Malwarebytes worked.

@Luis2

Can you tell us the filename or the file path, or attach a screenshot of the avast warning? That would help us a lot. This detection could be an FP or a real malware detection.
The logs show that your PC isn’t so great; we shall need to run some fixes too.

Since you ran the OTL fix after the FRST scan, you will need to re-run FRST again. Ensure all options are ticked as you did before and attach fresh FRST and Addition log reports here.

The filename was SVC: TVT Backup Pro. I think SVC: TVT stands for ThinkVantage Toolbox service. It’s the closest thing to it, and that Avast warning isn’t appearing again.

The FRST logs show me that the detected service was related to the TVT_Backup_Protection Rescue and Recovery service (Lenovo Group Limited), found on Lenovo laptop computers.
Note: The folder path is: C:\Program Files\Lenovo\Rescue and Recovery

TVT Backup Protection Service; C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

The first service (TVT Backup Protection Service) is stopped and disabled. Therefore I assume avast doesn’t detect it anymore because the service is not active. When the service starts again, you may hear from avast again. Know that this is an FP caught by avast’s “Evo-gen” heuristic detection.

The second service (TVT Scheduler) is running and set to “auto”.

I see some crapware leftovers; I will also remove some AVG remains.

  1. Open Notepad and copy/paste the text present inside the code box below.
    To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

START
HKLM\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0AQQBaAEoAQgBFAC0ARwBLAEQATQBEAC0AUwA3AEQAQgBBAC0ATgBXAE0AQgBQAC0ARQBWAEwATABEAA"&"inst=NwA2AC0AMQA2ADgAMgAwADYAMwA5ADgANAAtAFAATAArADkALQBEAEQAVAArADAALQBTAFQAOQAwAEEAUABQACsAMQAtAEkATABMAEkARAArADEAMwA2ADAAMQA1ADkANwA5ADgALQBJAEEAVgBSACsANQAtAEkAQQBWAFIAVABFACsAMQAtAE4AMQBEACsAMQA"&"prod=92"&"ver=9.0.914
RLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://www.qvo6.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=ST9100821AS_5NJ0PZ6XXXXX5NJ0PZ6X&ts=1365317724
SearchScopes: HKLM - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = 
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll No File
C:\Program Files\AVG
CHR HKLM\...\Chrome\Extension: [ogccgbmabaphcakpiclgcnmcnimhokcj] - C:\Windows\System32\jmdp\SweetNT.crx
C:\Windows\System32\jmdp\SweetNT.crx
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
U2 CertPropSvc; 
CMD: ipconfig /flushdns
END
  2. Save the Notepad file as fixlist.txt
    NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
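The point made above (that an Avast "SVC:" label names a Windows service, so "SVC: TVT Backup Pro" is a truncated service display name rather than a file that can be searched for) and the VirusTotal check asked for earlier in the thread can be turned into a small defender-side routine. The following is an added example, not code from the thread, from Avast or from FRST: the service inventory string is constructed to mirror the "display name; path" lines quoted above, and the VirusTotal URL layout is an assumption about the current web interface.

```python
"""Added example: turn an Avast "SVC:" detection label into a service binary
path and a VirusTotal lookup URL for its SHA-256 hash."""
import hashlib
import re

# Constructed sample inventory in "display name; binary path" form, one
# service per line, listing the two Lenovo services identified in the thread.
SERVICE_INVENTORY = """\
TVT Backup Protection Service; C:\\Program Files\\Lenovo\\Rescue and Recovery\\rrpservice.exe
TVT Scheduler; C:\\Program Files\\Common Files\\Lenovo\\Scheduler\\tvtsched.exe
"""


def parse_inventory(text):
    """Map each service display name to its binary path."""
    services = {}
    for line in text.splitlines():
        if ";" not in line:
            continue
        name, path = line.split(";", 1)
        services[name.strip()] = path.strip()
    return services


def resolve_detection(label, services):
    """Resolve a label such as 'SVC: TVT Backup Pro' to a binary path.

    'SVC:' marks a service detection; the text after it is the (possibly
    truncated) display name, not a file path, so it is matched as a
    case-insensitive prefix of the known display names.
    """
    m = re.match(r"^\s*SVC:\s*(.+?)\s*$", label, re.IGNORECASE)
    if not m:
        return None
    wanted = m.group(1).lower()
    matches = [p for n, p in services.items() if n.lower().startswith(wanted)]
    # Refuse to guess when the prefix is ambiguous (e.g. just 'SVC: TVT').
    return matches[0] if len(matches) == 1 else None


def sha256_of_bytes(data):
    """SHA-256 hex digest of in-memory data (used by the self-check below)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def virustotal_url(sha256_hex):
    """Lookup URL by hash (assumed current VirusTotal web layout). Checking
    by hash shows an existing report without uploading the file itself."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"


if __name__ == "__main__":
    services = parse_inventory(SERVICE_INVENTORY)
    # The label from the thread resolves to rrpservice.exe.
    print(resolve_detection("SVC: TVT Backup Pro", services))
    # A label that matches more than one service is reported as unresolved.
    print(resolve_detection("SVC: TVT", services))
    # On the affected machine you would hash the resolved file instead:
    # print(virustotal_url(sha256_of_file(resolved_path)))
    print(virustotal_url(sha256_of_bytes(b"")))
```

On the affected machine the resolved path would be fed to sha256_of_file and the resulting URL opened in a browser; if VirusTotal already has a report for that hash, the file never has to leave the machine. Keeping the ambiguity check matters: a short prefix like "TVT" matches both Lenovo services, and hashing the wrong binary would make the false-positive check meaningless.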

Fixlog attached. VirusTotal result: https://www.virustotal.com/en/file/66d1a30db2cab92b29a206449fb2eb31786f7b3a3384e25d5229caa134bdd321/analysis/1379641424/

You are malware free. We need to remove used tools.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

[x] Remove disinfection tools
[x] Create registry backup
[x] Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

----- and -----

I recommend using MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but also immediately clean the flash drive, memory card or external HDD.

I used DelFix and downloaded MCShield. So this means everything is done?

From my part. Next time, if you get the same warning, you now know what it is and that the detected service is legit.