Rootkit Found

Hi, I have been having problems trying to get rid of a rootkit that only Avast can detect.

The rootkit file name is SVC: WinRing0_1_2_0 and it's showing up in my user>appdata>local>temp folder, but when I go there I can't see it; only Avast does.

The first time Avast found it I followed its instructions, Delete Now (recommended), then restarted and it did a boot scan which came up clean, but about 2 minutes after my computer booted up, Avast had detected it again.

I then ran Malwarebytes Anti-Rootkit BETA which came up clean.

I don’t know where to go from here, any help would be much appreciated. Thanks.

Here are the Logs

I noticed it's showing up in the aswMBR log as HIDDEN, along with 2 other files to do with Microsoft .NET Framework.

user>appdata>local>temp folder,
Run TFC cleaner. http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Is it still there?

The temp file cleaner didn't work; it still shows up in aswMBR after using it. Log attached.

From what I've read on rootkits so far today, they're not something you can just delete, as they freshly install every time you boot or hit the trigger, whichever that trigger may be. Of course I could be wrong; I really don't know much about this stuff, just what I read. This is getting me worried though, seeing some of the things that can be done with them.

essexboy will be online soon ... it may take a few hours.

No problem, thanks!

I believe this may be related to Steam or one of the games.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
R3 WinRing0_1_2_0; \??\C:\Users\KR15MCS\AppData\Local\Temp\tmp5198.tmp [X]
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Done, but it doesn't seem to have fixed the problem. Still showing in aswMBR.

Let's see if I can find the programme it is related to.

For 32bit systems, please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

For 64bit systems, download SystemLook from here.

[*]Double-click SystemLook.exe to run it.
[*]Copy the content of the following codebox into the main textfield:

:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinRing0_1_2_0 /s

[*]Click the Look button to start the scan.
[*]When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
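The SystemLook query above dumps the service key for WinRing0_1_2_0 so the helper can see what ImagePath it points at. The script below is an added example (not posted by anyone in this thread) that does the same lookup from an elevated PowerShell prompt and then goes a step further: it resolves the ImagePath, uses -Force so a file carrying the Hidden or System attribute is still returned (which is why it does not show in Explorer), prints its signature and SHA-256, reports whether the driver is currently loaded, and lists processes that have a WinRing0 module loaded. Only the service name comes from the thread; the idea that a tmpXXXX.tmp name in Temp changes each time the owning program re-extracts the driver is an assumption, which is why the script reads the live ImagePath instead of hardcoding the path from the FRST fix.

```powershell
# Added example: inspect the WinRing0_1_2_0 driver service entry and the file it points to.
# Run from an elevated PowerShell prompt. $ServiceName is taken from the thread;
# everything else is generic and assumes nothing about this particular machine.
$ServiceName = 'WinRing0_1_2_0'
$KeyPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

if (-not (Test-Path -Path $KeyPath)) {
    Write-Host "No service key named $ServiceName under CurrentControlSet\Services"
    return
}

$svc = Get-ItemProperty -Path $KeyPath
# Start 3 = demand start (the "R3" in FRST's listing); Type 1 = kernel-mode driver
[pscustomobject]@{
    ImagePath = $svc.ImagePath
    Type      = $svc.Type
    Start     = $svc.Start
} | Format-List

# ImagePath is an NT path (\??\C:\...); strip the prefix to use it from user mode
$file = $svc.ImagePath -replace '^\\\?\?\\', ''

# -Force returns files with the Hidden/System attributes that Explorer and a plain
# Get-ChildItem skip. A missing file here means the entry is an orphan.
$item = Get-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Host "ImagePath target does not exist on disk: $file"
    Write-Host "Orphaned entry; 'sc.exe delete $ServiceName' removes it unless something recreates it at next start."
} else {
    Write-Host "File present:  $($item.FullName)"
    Write-Host "Attributes:    $($item.Attributes)"
    Write-Host "Size/Modified: $($item.Length) bytes, $($item.LastWriteTime)"
    # The Authenticode signer tells you who built the driver
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    Write-Host "Signature:     $($sig.Status) $($sig.SignerCertificate.Subject)"
    # Hash for looking the file up in a multi-engine scanner
    Write-Host "SHA256:        $((Get-FileHash -Path $item.FullName -Algorithm SHA256).Hash)"
}

# Is the driver currently loaded, and how is it started?
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'"
if ($drv) { Write-Host "Driver state: $($drv.State), start mode: $($drv.StartMode)" }
else      { Write-Host "Driver not currently loaded" }

# Which user-mode program brought it along? WinRing0 is normally used via a
# WinRing0*.dll loaded into the owning process (assumption: the DLL keeps its
# usual name). Module enumeration needs elevation and still fails for some
# protected processes, hence SilentlyContinue.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Modules.ModuleName -like 'WinRing0*' } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize
```

If the last table is non-empty, the listed process (a hardware-monitoring or overclocking component of a game launcher, for instance) is what re-creates the Temp file after every reboot, and uninstalling or reconfiguring it is the real fix; deleting the .tmp driver by hand only removes it until that program next starts.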


That is not a rootkit; Avast is just reporting that the file is hidden, so it can be ignored. Are you experiencing any problems?

I don't think I'm having problems. I did just have to reconfigure my speaker settings because 2 of them mysteriously stopped working in 5.1 channel, but I'm not sure if that has anything to do with this.

I don't really understand why Avast is doing this now; is it because this is a new file, or has it always been there? And why does it come back after it is deleted?

Although it doesn't appear to be causing problems I would still like it gone, of course; I would feel uncomfortable just ignoring it.

Thanks for your help!

OK, let's see if we can remove it.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to the link here

[*]Double-click on ComboFix.exe and follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it will produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

ComboFix Log:

My system didn't reboot, just explorer.exe. Should I reboot it? aswMBR is showing more hidden files after running the ComboFix programme; is that anything to worry about?

Should I reboot it?
yes

Done a reboot; I don't notice any changes. Avast is still detecting it as a rootkit.

No, the terminology is hidden; there is a world of difference. Hidden means that it will not show at a cursory glance; this is normal for several registry entries.

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

Driver:: WinRing0_1_2_0

Save this as CFScript.txt in the same location as ComboFix.exe.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt, which I will require in your next reply.