Rootkit hidden file AHHHH! Please help!

My laptop was acting super wacky, freezing up - so I tried to run our Avast scan. It kept freezing during the scan! Eventually I was able to get a report for the partial scans. Scans 1, 3 and 4 were fine with nothing detected, but attempt 2 came back with the Rootkit…

It won’t let me copy and paste but there’s a ton of files (52 to be exact), all starting with
windows\winsxs severity high threat Rootkit:hidden file

It will not allow me to delete or to quarantine the files…

I found this and the thread about logs to help clean… So I downloaded the recommended malware and it came up with this huge list of threats, but none of them were Rootkits. I tried to delete them but it wouldn’t, then said to restart. Once in quarantine, it did let me delete them.

Now the computer is at least functioning enough for me to get online…but I am worried about the rootkit thing…what can I do?!

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

Malwarebytes’ Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122304

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

12/23/2011 2:01:36 AM
mbam-log-2011-12-23 (02-01-36).txt

Scan type: Quick scan
Objects scanned: 205129
Time elapsed: 11 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 27
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID{D2083641-E57F-4eab-BB85-0582424F4A29} (Adware.HotBar.CP) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{69725738-CD68-4f36-8D02-8C43722EE5DA} (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{98D9753D-D73B-42D5-8C85-4469CDA897AB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ClickPotatoLiteAx.Info (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ClickPotatoLiteAx.Info.1 (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE.1 (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\MenuButtonIE.DLL (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\clickpotatolitesa (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) → Value: ClickPotatoLite@ClickPotatoLite.com → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\clickpotatolitesa (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\Users\Baker\AppData\Roaming\clickpotatolite (Adware.ClickPotato) → Delete on reboot.
c:\program files\clickpotatolite (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files\clickpotatolite\bin (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files\clickpotatolite\bin\10.0.630.0 (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files\clickpotatolite\bin\10.0.630.0\firefox (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\plugins (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\clickpotato (Adware.ClickPotato) → Quarantined and deleted successfully.

Files Infected:
c:\Users\Baker\downloads\oi_setup (1).exe (PUP.Adware.OpenInstall) → Not selected for removal.
c:\Users\Baker\downloads\oi_setup.exe (PUP.Adware.OpenInstall) → Not selected for removal.
c:\programdata\clickpotatolitesa\clickpotatolitesa.dat (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesaabout.mht (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesaau.dat (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesaeula.mht (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesa_kyf.dat (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\install.rdf (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\About Us.lnk (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\clickpotato customer support.lnk (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\clickpotato uninstall instructions.lnk (Adware.ClickPotato) → Quarantined and deleted successfully.

I re-ran the Avast quick scan and full scan again…but not sure if they really completed…both did come up negative though.

Can it come up + for a rootkit one scan and then stay hidden for another?? Or did I get rid of it?

It sounds like the virus was attacking your computer at the time you found it… therefore some of your OS could be corrupted/deleted. You should try going to Control Panel in Safe mode and do a Restore Point if you have one. A restore point won’t change any files but the ones in the C:\Windows folder and your registry.

Well, System Restore does change files outside of the Windows directory (executables, drivers, dll, etc.).