Rootkit Issue

Avast 7.0.1. Windows 7 64 bit. Nvidia 296.10. While doing a full scan, a few minutes in an Avast pop-up says “root kit found… a suspicious hidden object (root kit) has been detected on your system. This may be a sign of malware infection”. I have had false positives before, so I selected ignore so I could update later and scan again to help confirm or deny the item as a false positive. When the full scan finished it said some files could not be scanned because “the process cannot access the file because another process has locked a portion of the file (33)”. Both files were in the appdata\roaming\NVIDIA\GLCache folder; one item was a .bin file, the other a .toc. Also Avast said it had to restart the PC in order to complete the operation even though I am pretty certain I selected “ignore”. I got a strange Windows message when trying to restart, “FAILURE TO DISPLAY SECURITY AND SHUTDOWN OPTIONS~”; however this may be due to the ANVI anti-malware software I just installed (after the Avast scan). The Nvidia scan result and the weird shutdown message may have something to do with the root kit that Avast “found” or it could just be coincidence; just thought I'd let you know to be sure. I'm more concerned that the file appears to have disappeared than the false positive. And if there was an infection I would probably reformat, even if Avast tells me it's gone now (that's how paranoid I am!)

1. Basically I want to confirm 100% that my system is clean and to figure out what that “root kit” was and if it was a false positive. Have there been confirmed false positives regarding this item?

2. I’m pretty certain I selected ignore (once) but maybe I selected the “do not tell me about this root kit in the future” option by mistake, as in Avast will ignore it forever. So the first step is: how do I change that ignore option so that I can scan ALL the files on my PC and check to see if Avast now considers it a threat? There are no files in my virus chest nor in the “exclusions” tab. Thanks for your assistance

Greetings :wink:

Please follow this guide and please attach here needed logs.

http://forum.avast.com/index.php?topic=53253.0

Okay, I did a full scan with Avast, Malwarebytes Anti-Malware and IObit Malware Fighter; they found nothing

OTL did not work: the Avast sandbox stopped it, no logs, it just closed after a few seconds. Bit silly that Avast itself sandboxes it when you use it to troubleshoot

No need for RogueKiller since no files missing or infections found

No need for Farbar Service Scanner since no internet issues

  1. aswMBR said the scan finished successfully but again had false positives with the firewall as well as on VirusTotal. Since it finished successfully do I need to post the results? I cannot see where I upload a text file. Is it safe to copy/paste the content, like no personal information revealed or anything?

  2. So how do I find this root kit so I can check to see if it is a false positive? I did not remove it and it has just disappeared

  3. I'd like to know HOW I was infected since I did not install anything or visit any dangerous websites, if any. Could this then mean I was hacked specifically through my IP address?

  4. Any ideas about the Windows shutdown message when I restarted after the initial Avast scan, “FAILURE TO DISPLAY SECURITY AND SHUTDOWN OPTIONS”? Please advise

Rather than make your own decisions on what is OK or not, follow the instructions on the guide link that was given by magna86, and please attach the logs so that magna86, a malware removal specialist, can analyse them.

When you next run OTL, have the autosandbox Run normally and check the ‘remember my answer for this program’ option. You might want to set the AutoSandbox mode: to Ask rather than Auto (if it is on that), that way you choose the actions.

Sorry, the wording suggested that I did not need to use certain programs because I did not have those specific issues; so to confirm, I need to run OTL, aswMBR.exe, RogueKiller and Farbar?

How do I attach the logs? I cannot find the upload button. Do I just copy/paste the results onto the website? Is that safe in terms of personal information etc.?

The attach button is just below the text box you are writing in. :wink:

Attach Malwarebytes / OTL / aswMBR logs

The instructions are on the link that was given; certain types of infection require different tools. But there are three (the first three), MBAM, OTL and aswMBR, that are required for general analysis.

The others come under the SPECIFIC INFECTIONS LOGS category; generally you would be told to run those if required after the initial analysis of the other logs.

Some info about the IObit company here… you may want to uninstall it
http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217

Okay, attached are the logs for Malwarebytes, OTL and aswMBR

Should I use any “normal” scanners similar to Malwarebytes?

I noticed the scans asked of me were quick; can I send full scan logs to you to make sure?

Thank you for your assistance

I noticed the scans asked of me were quick; can I send full scan logs to you to make sure?
Full scan is not necessary
Should I use any "normal" scanners similar to Malwarebytes?
What do you mean by normal scanners?

Sorry to ask, how come full scans are not necessary? Is it not possible for this rootkit to have gone somewhere other than where quick scans would find it? Bear in mind that this item seems to have just disappeared; Avast noticed it, I selected ignore once, then I have not managed to find it since, which is what worries me

“Normal” scanners like Malwarebytes and IObit Malware Fighter, as opposed to the ones like HijackThis and the ones I have posted logs for and getting someone to check them out. Basically “normal” meaning ones where I detect and remove infections myself

You commented on IObit; is it the general consensus that the program is not good or safe? Is it just that there were some theft issues, or is it just redundant software when you have Malwarebytes since they (used to?) use the same detection database? Thanks

Sorry to ask, how come full scans are not necessary?
Read this thread and you will find the answer. http://forums.malwarebytes.org/index.php?showtopic=10405
You commented on IObit; is it the general consensus that the program is not good or safe? Is it just that there were some theft issues, or is it just redundant software when you have Malwarebytes since they (used to?) use the same detection database? Thanks
You can't trust a company that steals from others..... and you don't need it when you have Malwarebytes

@AVastly ,

- You are clean. There is no active malware on your system.

You are running an x64 system.
There are rootkits in the wild for x64 systems, but they are still rare.
Basically we find them on 32-bit machines.

And I really recommend that you remove the IObit software.

Why?

==> Please attach avast logs from here:

C:\ProgramData\AVAST Software\Avast\report

==> Download TFC to your desktop.

- Close any open windows.
- Double click the TFC icon to run the program.
- TFC will close all open programs itself in order to run.
- Click the Start button to begin the process.
- Allow TFC to run uninterrupted.
- The program should not take long to finish its job.
- Once it's finished it should automatically reboot your machine;
- if it doesn’t, manually reboot to ensure a complete clean.

Hi, thanks everyone for the help so far. Sorry for all the questions but getting answers to them all would really help me, thanks again. I have included the Avast logs

A) Any reason to reinstall? Generally what happens is I get paranoid that my system is infected for weeks after a “false positive” or whatever it was, then cave in and reformat

B) What was that Windows error message “failure to display security and shutdown options”?

C) What was that “root kit”, where did it go, is it a false positive, why is it not in the results or virus chest when I selected ignore once, how did I get it, will I get re-infected? I have included the snapshots to see if they will help elucidate things. How can I DE-ignore it, like set Avast to not ignore it? There is nothing in my chest or exclusions tab

D) How do I do an EXTENDED/full root kit scan, since by default it only does a quick one? Also, should I do safe mode scans to be sure everything is clean?

E) In terms of general PC security what should I use: Avast, Malwarebytes and…? Can you recommend any programs which look for open ports or other network-based vulnerabilities as opposed to just general malware etc.?

Again thank you very much for all of your assistance

Sorry have to add the other logs in another comment

Final logs

Final logs

From avast logs:

Number of infected files: 0

About cpuz13 - it's an FP

Driver name:
cpuz135

Driver File:
c:\windows\system32\drivers\cpuz13 x_xx.sys <— ( x_xx are random numbers and the bit version )

http://www.cpuid.com/

What was that windows error message “failure to display security and shutdown options”
This error is not caused by malware. Since this is still security forum ... :D ;)
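As an added example (not from the thread or from any of the tools discussed), this PowerShell snippet gathers the facts one would use to confirm that a cpuz13x_xx.sys driver really is the CPUID CPU-Z driver magna86 describes: its Authenticode signature, its SHA-256 for comparison with the vendor's copy, and the kernel service that loads it. The file pattern and the cpuz135 service name come from the reply above; the expected signer name 'CPUID' is an assumption to verify against cpuid.com.

```powershell
# Added example: report signature, hash and service registration for cpuz13*.sys.
# Nothing here is from the thread's tools; the 'CPUID' signer name is an assumption.
function Get-CpuzDriverReport {
    param([string]$ExpectedSigner = 'CPUID')

    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    $files = Get-ChildItem -Path $driverDir -Filter 'cpuz13*.sys' -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Output "No cpuz13*.sys in $driverDir (driver not installed or already removed)."
        return
    }

    # The kernel service named in the thread; WMI lists drivers that Get-Service omits.
    $svc = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='cpuz135'"
    $serviceState = 'not registered'
    $servicePath  = $null
    if ($svc) {
        $serviceState = "$($svc.State) / $($svc.StartMode)"
        $servicePath  = $svc.PathName
    }

    foreach ($file in $files) {
        # A valid Authenticode chain to the vendor is the strongest evidence
        # that the file is the legitimate driver and not a look-alike.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = '<unsigned>'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        # SHA-256 via .NET so this also runs on PowerShell 2.0 (Windows 7 default),
        # which has no Get-FileHash; compare the value with the vendor's download.
        $stream = [System.IO.File]::OpenRead($file.FullName)
        try {
            $sha  = [System.Security.Cryptography.SHA256]::Create()
            $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally { $stream.Close() }

        New-Object PSObject -Property @{
            File          = $file.FullName
            SignatureOK   = ($sig.Status -eq 'Valid')
            Signer        = $signer
            SignerMatches = ($signer -match $ExpectedSigner)
            SHA256        = $hash
            ServiceState  = $serviceState
            ServicePath   = $servicePath
        }
    }
}

Get-CpuzDriverReport | Format-List
```

A valid signature whose subject matches the vendor, plus a SHA-256 that matches the file shipped with CPU-Z, supports the false-positive verdict; a mismatch on either is the point at which to submit the file to the vendor and to Avast for analysis.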

:wink:

Okay thanks for your help. Just a couple of questions though

A) If it was a false positive, how come no one else reported it? Normally other people post on the forum about false positives but I have not seen any about this specific file. Sorry to keep nagging, it's just that I have to have a clean PC for work

B) What programs would you recommend using for security: Avast, Malwarebytes and…?

Thanks again

Okay thanks for your help.
NP ;)

A: It is a false positive … In fact, the file is detected by heuristics and file attributes, but it is not malware.

B: …and your brain. ;D
There is no better protective software than you.

You already have a firewall.
You may add MCShield if you wish. I definitely recommend it …
http://amf.mycity.rs/mcshield/
MCShield v2 is an antimalware program designed to prevent infections transmitted via removable drives.