Rootkit: hidden file not deleting

Ok, newbie with migraine so please forgive any stupid questions.

Installed AVAST! yesterday after Norton didn't find the problem. AVAST pass 1 found (among other things)
C:\WINDOWS\system32.…\svchost.exe as a Rootkit system modification
and
C:\WINDOWS\assembly..\RegCode.dll as a Rootkit: hidden file

I marked them for delete, applied the request, and then rebooted and did a boot scan.
Then I reran the full scan and svchost.exe was gone, but RegCode.dll is still coming up as a Rootkit: hidden file.

How do I rid myself of this problem?

Paula

Follow this guide here and attach the logs

http://forum.avast.com/index.php?topic=53253.0

Lower left corner > additional options > attach
If the logs are too big, then upload to http://www.mediafire.com/ and post the download link here.

Installed AVAST! yesterday after Norton didn't find the problem.
Do you have Avast and Norton installed?

Norton came installed.
Ran Norton, didn't find the problem.
Installed Avast.
Ran Avast, fixed the first problems.
Noted remaining rootkit hidden file.
Uninstalled Norton (got a message about being unable to unregister file types).
Reran Avast scan.

Malware trace follows
Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7680

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

08/09/2011 6:26:49 PM
mbam-log-2011-09-08 (18-26-49).txt

Scan type: Quick scan
Objects scanned: 170877
Time elapsed: 9 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTR to follow later this evening

Norton came installed. Ran Norton, didn't find the problem. Installed Avast. Ran Avast, fixed the first problems. Noted remaining rootkit hidden file. Uninstalled Norton (got a message about being unable to unregister file types). Reran Avast scan.

Never install two antivirus programs (see reply from quietman7):
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638

Reran the scan after Norton was uninstalled; same problem … yes, I know it was a stupid thing to do.
Prior to the OTL run, the full Avast scan still returned that C:\WINDOWS\assembly..\RegCode.dll was a Rootkit: hidden file.

Attaching the OTL files.

I am wondering whether they are false positives. Let me know of any problems after this run.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - [2005/01/21 22:32:12 | 000,206,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
DRV - [2003/08/15 23:22:12 | 000,082,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
O3 - HKU\S-1-5-21-4086094332-3286426674-3171654885-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [lphcc71j0e5an] File not found
O4 - HKLM..\Run: [Sony Ericsson PC Suite] File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
O4 - HKLM..\Run: [Symantec NetDriver Monitor] File not found
[2011/09/07 22:36:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData

:Files
ipconfig /flushdns /c
C:\WINDOWS\system32\drivers\svchost.exe

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Ok, following instructions. Unless I hear differently, I will be doing the quick scan with nothing in the Custom Scans/Fixes box and "Scan all users" not set.

Paula

Log from the OTL run attached.

Are the alerts still occurring?

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

Caution
These types of scans can produce false positives. Do NOT take any action on any “<— ROOTKIT” entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
[*]Click NO
[*]In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
[*]Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
[*]Click OK.
[*]GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “GMER.txt”.
[*]Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Yes avast is still telling me about the rootkit hidden file.

Here is the GMER file. It didn't mention any rootkits.

Thanks again
Paula

GMER shows clear - I wonder if this is a false positive, but let's do a driver check.

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

OK, I was running the scan; it gave me the 10 minute estimate … then about 15 minutes later my laptop dropped into suspend (30 min or more of non-use should do that). Opening and closing the lid is not recovering it from suspend, so I will have to use the power switch. What should I do now about the scan?

Paula

FYI, when the machine came back, ComboFix was gone from the desktop.

Updating and rerunning Avast right now.

Paula

Let me know if the rootkit alert returns, please.

c:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a\RegCode.dll is still marked as high severity, with status Threat: Rootkit: hidden file.

Running boot scan for the next hour.

Paula

Hmm, that is a legitimate file, though let's run it through Jotti, although the possibility exists that it has been suborned.

Jotti File Submission:

[*]Please go to Jotti’s malware scan

[*]Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

[*]c:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a\RegCode.dll

[*] Click on the submit button

[*] Please post the results in your next reply.

It cannot find the file, so I double-checked in a DOS window,
and I was missing a 3a at the end of the number.

It still couldn't find the file, so I tried to cd into the directory in the DOS window and it says
Data error.

Any ideas?

Paula

OK, I just realized something … and have been informed that I have been an idiot
(so you don't need to do it again).
Avast is giving me cyclic redundancy errors in this directory
and in two others:
C:\WINDOWS\assembly\GAC\SystemManagement\1.0.5000…a3_AssemblyInfo_.ini
and
C:\WINDOWS\assembly\GAC\SystemManagement\1.0…a3\SystemManagement.dll

Now that I understand what cyclic redundancy actually means … I suspect this is
why I get the rootkit hidden file message, and it is leftovers from some virus?

Any way to fix these?

Paula

The first thing to do is check the hard drive, in case the file is located in a bad cluster, using chkdsk: http://www.ehow.com/how_2052292_run-chkdsk-f-windows-xp.html

If that does not resolve it, then an uninstall and reinstall of .NET Framework 1.0 would probably clear it.
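As an added example (not from the thread, nor from Avast, OTL or GMER), a small Python triage script for the two things worked out above by hand: checking that a GAC path's version__publickeytoken folder is well formed (the posted path was missing its final "3a"), and telling a file the scanner cannot read because of an I/O error such as "Data error (cyclic redundancy check)", which points at a bad cluster and chkdsk, apart from one that is missing or access-denied. The `opener` parameter is my assumption to make the CRC branch testable; ERROR_CRC is the documented Windows error code 23 for that message.

```python
"""Added example, not from the thread or from Avast/OTL/GMER: triage a
"Rootkit: hidden file" alert on a path the scanner says it cannot read."""
import errno
import hashlib
import re

# A GAC folder is named "<assembly version>__<16 hex digit public key token>".
GAC_DIR_RE = re.compile(r"^(\d+(?:\.\d+){1,3})__([0-9A-Fa-f]*)$")
ERROR_CRC = 23  # Windows error code for "Data error (cyclic redundancy check)"


def check_gac_path(path):
    """Describe what is wrong with a GAC path, or return None if it looks sane."""
    for part in path.replace("\\", "/").split("/"):
        m = GAC_DIR_RE.match(part)
        if m:
            token = m.group(2)
            if len(token) != 16:  # the thread's path had 14 digits: a mistyped path
                return "public key token %r has %d hex digits, expected 16" % (token, len(token))
            return None
    return "no '<version>__<token>' folder found in path"


def classify_file(path, opener=open):
    """Read the whole file; return ('readable', sha256) or why reading failed.
    `opener` is injectable (my assumption, for testing) so the CRC branch can be
    exercised without a failing disk; in real use leave it as built-in open()."""
    digest = hashlib.sha256()
    try:
        with opener(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                digest.update(chunk)
    except FileNotFoundError:
        return ("missing", None)        # mistyped path or file really gone
    except PermissionError:
        return ("access-denied", None)  # ACL or lock problem, not a disk fault
    except OSError as e:
        # EIO / ERROR_CRC: the file sits on a bad cluster. That is a chkdsk job;
        # the scanner only reports "hidden" because it could not read the bytes.
        if e.errno == errno.EIO or getattr(e, "winerror", None) == ERROR_CRC:
            return ("io-error", str(e))
        return ("os-error", str(e))
    return ("readable", digest.hexdigest())


if __name__ == "__main__":
    # Constructed sample: the path exactly as it was posted in the thread.
    posted = r"c:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a\RegCode.dll"
    print(check_gac_path(posted), classify_file(posted))
```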