Rootkit gen problem in temp folder; keeps returning

Avast’s background procedure keeps identifying a rootkit gen problem in seemingly random files that keep appearing in my Documents and Settings\Local Settings\Temp folder. The files have names like 8630f80fa8.exe and 4462ab96e3.exe. I have tried deleting my entire temp folder and have let Avast delete it or move it to the chest, but a new file name eventually appears and Avast squawks about it. I have tried running the following programs in both normal and safe modes: Malwarebytes, SuperAntiSpyware, DrWeb, Avast Antirootkit, Trend Micro RootkitBuster. None of them have reported an infection, even if I leave the exe file where it is. I have also tried running an Avast boot scan, and it reported nothing either. I’m not sure if this is a false alarm or not, but it’s been very frustrating as I’ve spent all day and night trying to figure out what is going on.

I have a HijackThis log, but it exceeds 10000 characters so I cannot post it here.

Help?

http://forum.avast.com/index.php?topic=55588.0
Maybe this helps, but look, don’t post the problems there; please post them here (see anti rootkit).

I think I’ve tried most of these steps. Is there a place I can send the offending file when it appears so the Avast people can look it over? I tried sending it to them from within Avast the other day, but haven’t received an answer and there was no indication that they would provide one.

Hi edgor,

Try to upload the offending file to virustotal.com and present us with the link, please,

polonus

Here’s what happens, same thing when I upload all of them:

File has already been analysed:
MD5: 1f8b438e8dd23c24550bdf179e03953e
First received: 2010.02.10 16:38:16 UTC
Date: 2010.02.11 04:39:40 UTC [>4D]
Results: 2/41
Permalink: analisis/1fe35246c7e0257abd433048294a76bc4137f5368c26edc27261f67b75f546c5-1265863180

Can you please copy the (VT analysis) link direct from the browser address bar on to your next reply.

The permalink is what’s listed with virustotal.com at the beginning:

http://www.virustotal.com/analisis/1fe35246c7e0257abd433048294a76bc4137f5368c26edc27261f67b75f546c5-1265863180

try: http://filehippo.com/download_rootkit_revealer/download/0430f244a18146a0815aa1dd4012db46/

Good luck and God Bless…

Rootkit revealer showed this:

HKLM\SECURITY\Policy\Secrets\SAC* 3/26/2004 6:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3/26/2004 6:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 11/1/2005 4:22 AM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/16/2010 12:41 PM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\tdx5s1qx.default\sessionstore.js 2/16/2010 12:41 PM 19.66 KB Visible in Windows API, directory index, but not in MFT.
C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\tdx5s1qx.default\Cache\072E30C5d01 2/16/2010 12:44 PM 108.13 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\tdx5s1qx.default\Cache\D2D49DA9d01 2/16/2010 12:44 PM 22.86 KB Visible in directory index, but not Windows API or MFT.

Hi Edgor:

Prior to “running” RootkitRevealer, did you follow the Guidelines at
http://forum.sysinternals.com/forum_posts.asp?TID=2351 !?

You should also read the info at
http://forum.sysinternals.com/forum_posts.asp?TID=8882 .

As mentioned in the “Guidelines”, items in RootkitRevealer logs are best
searched for and/or asked about on their RootkitRevealer Logs forum at
http://forum.sysinternals.com/forum_topics.asp?FID=17 .

The folks at Malwarebytes helped to address the problem. Apparently it was a new variant of Trojan.Riern.

http://forums.malwarebytes.org/index.php?showtopic=40155&mode=linear

Hello Edgor, I am glad MBAM sorted you out. They are some outfit. Thanks for the feedback. But most of all thanks for the link; until I read that, I did not know you could use your MBAM license on two PCs. I bought one the other day, and now I’ve just used it on another. Cheers