RootKit: Hidden File

An Avast Internet Security full system scan on my Windows 7 Pro SP1 system found 6 files, all with .exe.mui extensions, in a folder in "C:\Windows\winsxs". The files were flagged as "Threat: RootKit: Hidden File". I was unable to move the files to the chest or delete them. I got the error "The request is not supported (50)" or "The system cannot find the file specified (3)". Avast recommended a Boot-time scan, but when I did the Boot-time scan it said there were no threats. I have Malwarebytes Pro installed, and a Malwarebytes Quick Scan found no threats. In addition, if I scan the specific folder with Avast, no threats are found. But if I run an Avast Full System scan again, it flags the same 6 files as "Threat: RootKit: Hidden File". When I try to view the folder's contents in Windows Explorer, I get a message saying the folder "refers to a location that is not available". I'm confused why the Boot-time scan and folder scan would say no threat while the Full System Scan says there are threats. Attached are logs from OTL and aswMBR. Any help you could give me would be greatly appreciated.

It appears that Avast has a problem with the winsxs folder. It is a system folder, and we have had a few false positives from there.

Is the computer displaying any weird behaviour or symptoms?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\S-1-5-21-3446030877-795081281-3189135191-1001\..\SearchScopes,DefaultScope = {407B663C-DE14-4276-9F65-1A0B5B7DECCB}
@Alternate Data Stream - 235 bytes -> C:\ProgramData\TEMP:0FF263E8
@Alternate Data Stream - 1164 bytes -> C:\ProgramData\Microsoft:qQm96tpG0pPq9tKtEHihk
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:94EAB850
@Alternate Data Stream - 1141 bytes -> C:\ProgramData\Microsoft:Z4hFN937VyuI6qnA2fqVhYzsGVMw
@Alternate Data Stream - 1138 bytes -> C:\Users\My Files\AppData\Local\Temp:9q41KbpsQQ2JvFY5H
@Alternate Data Stream - 1136 bytes -> C:\ProgramData\Microsoft:WS1Ux99EIJxGpN5kGIIOm
@Alternate Data Stream - 1123 bytes -> C:\Program Files (x86)\Common Files\System:MXqKJvjlJsuN5HJf7NA63f
@Alternate Data Stream - 1057 bytes -> C:\Users\My Files\AppData\Local\Temp:X1QXVRcvfJFwBimJ0b
@Alternate Data Stream - 102 bytes -> C:\ProgramData\TEMP:6DFF1A8A
@Alternate Data Stream - 1014 bytes -> C:\ProgramData\Microsoft:5kGZ2mpX5GoEoofPxORCYYbw5

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks for the reply. No, the computer does not seem to have any weird behaviour or symptoms. Attached is the OTL log from the Quick Scan I ran after running the fix. Do you need any specifics, like the full path names and file names of the files flagged as rootkits, or any Avast scan logs, etc.?

Not really, if they are all in the winsxs folder.

Could you just do a quick scan on that folder and let me know the result?

A quick scan of the folder finds no threats, but a full scan still lists the same 6 files as rootkits.

Actually, a quick scan of the folder where the rootkits are listed shows no threat, but a scan of the whole winsxs folder finds about 22 files that say "Error: the system cannot find the file specified."

At the moment I believe them to be false positives.

As winsxs is where, in reality, your system runs from.

All of the components in the operating system are found in the WinSxS folder; in fact, we call this location the component store. Each component has a unique name that includes the version, language, and processor architecture that it was built for. The WinSxS folder is the only location where the component is found on the system; all other instances of the files that you see on the system are "projected" by hard linking from the component store. Let me repeat that last point: there is only one instance (or full data copy) of each version of each file in the OS, and that instance is located in the WinSxS folder. So, looked at from that perspective, the WinSxS folder is really the entirety of the whole OS, referred to as a "flat" in down-level operating systems. This also accounts for why you will no longer be prompted for media when running operations such as System File Checker (SFC), or when installing additional features and roles.
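An added example, not from this thread and not Avast's or OTL's code: a PowerShell script that makes the hard-link projection described above visible for a given file, listing every path that shares its data (one of which should sit under winsxs for a genuine component) and any alternate data streams attached to it, the kind of streams the OTL fix above removes. It assumes Windows 7 or later with PowerShell 3.0+ and fsutil.exe, run from an elevated session so WinSxS is readable; the default paths are placeholders to be replaced with the files your scanner flagged.

```powershell
# Added example: report hard links and alternate data streams for flagged files.
# Assumes PowerShell 3.0+ (needed for Get-Item -Stream), fsutil.exe on the PATH,
# and an elevated session. The default paths are placeholders.
param(
    [string[]]$Paths = @(
        'C:\Windows\System32\notepad.exe',
        'C:\Windows\System32\en-US\notepad.exe.mui'
    )
)

function Get-ComponentLinkReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item  = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $drive = $item.PSDrive.Name + ':'

    # fsutil prints one hard link per line, relative to the volume root
    # (for example "\Windows\winsxs\<component>\notepad.exe").
    $links = @(& fsutil.exe hardlink list $Path 2>$null |
        Where-Object { $_ -match '\S' } |
        ForEach-Object { $drive + $_.Trim() })

    # Every NTFS file has a default ':$DATA' stream; anything else is an ADS.
    $ads = @(Get-Item -LiteralPath $Path -Force -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $_.Stream })

    [pscustomobject]@{
        Path          = $Path
        SizeBytes     = $item.Length
        HardLinkCount = $links.Count
        # True when one of the links lives in the component store, which is
        # what the projection described in the thread looks like on disk.
        InWinSxS      = [bool]($links | Where-Object { $_ -like '*\winsxs\*' })
        LinkedPaths   = ($links -join '; ')
        ExtraStreams  = ($ads -join '; ')
    }
}

$Paths | ForEach-Object { Get-ComponentLinkReport -Path $_ } | Format-List
```

A HardLinkCount of 1 with no winsxs link, or an unexpected entry under ExtraStreams, is what would set a flagged file apart from an ordinary projected component and is worth a closer look before excluding it from scans.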

Thanks for your help. I'm just going to exclude them from future scans.

Run OTL and hit the Cleanup button to remove it ;D

OTL's Cleanup button seems to have done it. Thanks for your help!