rootkit or false positive?

Hi everyone, my name is Castor; this is my first post here.

I know only the basics about viruses and computers, so I am sorry if the answer to my problem is trivial :frowning:
During Christmas I realized that my security system was not good enough (earlier I used this computer only offline), so I installed avast (Internet Security, trial version) and Malwarebytes Anti-Malware (and later TDSSKiller and aswMBR for rootkits). I did quick, full and boot scans as well and cleaned my system. It seemed that everything was OK, but yesterday avast found a “rootkit” (named sig2.tmp, in a temp subdirectory) during my second full scan. I tried to delete it but I got the following error message: the system does not find the file. Only avast detected this file, nothing else. Furthermore, later during a boot scan (I was asked to do it) even avast detected nothing.
Another problem: 3 days ago avast detected a “win32 trojan gen” (A0143408.dll in a backup subdirectory in the System Volume Information directory) during a full scan and put it in the chest. Yesterday it found it again in the same directory during the second full scan. It was again identified only by the avast full scan, nothing else. Furthermore, it was not picked up by the real-time security.
What do they mean? What should I do?

PS. I cannot run aswMBR anymore (the first time it found nothing); it is too slow, probably something (avast?) is interfering with it, so I can only attach the OTL files.

“I tried to delete it but I got the following error message: the system does not find the file.”
Well, it may not be so strange since it was in a temp folder.
“Furthermore it was not picked up by the real-time security.”
Again not so strange, since the restore point is not in use... unless you use that restore point.
“PS. I cannot run aswMBR anymore (the first time it found nothing), it is too slow, probably something (avast?) is interfering with it”
aswMBR uses the Avast engine to do a virus scan at the same time as it checks the MBR.
“sig2.tmp”
This is a temporary file for signature updates - I believe Avast detected itself.

Purge the restore points to remove the detections from System Restore.

I can see no apparent malware; are you experiencing any symptoms?

Pondus,

thanks for your answer; of course you are right on both points. :slight_smile: In the case of the temporary file I realized it, but I was just afraid that there was something else which was not detected by Avast.

essexboy

“aswMBR uses the Avast engine to do a virus scan at the same time as it checks the MBR”
In this case do you have any idea why it is so slow? Yesterday it did not finish after 10 hours…

“This is a temporary file for signature updates - I believe Avast detected itself”
That makes sense; it could explain why only Avast detected it.

“Purge the restore points to remove the detections from system restore”
Thanks, I will do it.

“I can see no apparent malware, are you experiencing any symptoms ?”

In the beginning Avast and Malwarebytes Anti-Malware detected (removed) some viruses for sure; that is the reason I asked your advice about the “rootkit”. In general my computer, and especially my internet, is slower than before, but that could be explained by other factors. What would you advise me?
Thanks for your help!

The MBR scanning takes seconds. The whole drive depends on your scanning settings and files (number, type…).

When I first used it a week ago it took about an hour (maybe even less) to finish.

What else is running in background?

As far as I know, only avast.

Mystery then :slight_smile:

I have just run aswMBR on my system and, as you can see, it took just 10 minutes to run.

aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2011-12-30 19:46:42
-----------------------------
19:46:42.571 OS Version: Windows x64 6.1.7601 Service Pack 1
19:46:42.571 Number of processors: 4 586 0x2A07
19:46:42.571 ComputerName: MARTIN-HP UserName: Martin
19:46:46.003 Initialize success
19:46:46.097 AVAST engine defs: 11123000
19:46:52.680 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:46:52.680 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 3
19:46:52.711 Disk 0 MBR read successfully
19:46:52.727 Disk 0 MBR scan
19:46:52.727 Disk 0 unknown MBR code
19:46:52.727 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
19:46:52.742 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 482461 MB offset 206848
19:46:52.742 Disk 0 Partition - 00 0F Extended LBA 460152 MB offset 988286976
19:46:52.773 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 11154 MB offset 1930678272
19:46:52.805 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 460151 MB offset 988289024
19:46:52.820 Service scanning
19:46:53.912 Modules scanning
19:46:53.912 Disk 0 trace - called modules:
19:46:54.411 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:46:54.411 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006fcc060]
19:46:54.411 3 CLASSPNP.SYS[fffff88001d6e43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004add050]
19:46:57.391 AVAST engine scan C:\Windows
19:46:59.637 AVAST engine scan C:\Windows\system32
19:47:54.908 AVAST engine scan C:\Windows\system32\drivers
19:48:01.741 AVAST engine scan C:\Users\Martin
19:48:57.574 AVAST engine scan C:\ProgramData
19:49:42.366 Scan finished successfully
19:56:27.194 Disk 0 MBR has been saved successfully to "C:\Users\Martin\Desktop\MBR.dat"
19:56:27.194 The log file has been saved successfully to "C:\Users\Martin\Desktop\aswMBR.txt"
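Reading an aswMBR log like the one above by hand is fiddly when the question is "where did the time go?". The following is an added example (not part of this thread and not aswMBR's own code) that parses a constructed log in that format into timestamped events, recovers the partition table, and splits the run into its MBR-check phase and its Avast-engine file-scan phase, which is the split the replies above describe. The sample log, the function names and the chosen phase boundaries are this example's own assumptions.

```python
"""Parse an aswMBR log and break the run down into phases (added example)."""
import re
from datetime import datetime

# Constructed sample, trimmed from the log format shown in the thread above.
SAMPLE_LOG = r"""aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2011-12-30 19:46:42
-----------------------------
19:46:42.571 OS Version: Windows x64 6.1.7601 Service Pack 1
19:46:46.003 Initialize success
19:46:46.097 AVAST engine defs: 11123000
19:46:52.711 Disk 0 MBR read successfully
19:46:52.727 Disk 0 MBR scan
19:46:52.727 Disk 0 unknown MBR code
19:46:52.727 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
19:46:52.742 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 482461 MB offset 206848
19:46:52.820 Service scanning
19:46:53.912 Modules scanning
19:46:57.391 AVAST engine scan C:\Windows
19:47:54.908 AVAST engine scan C:\Windows\system32\drivers
19:49:42.366 Scan finished successfully
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
PART_RE = re.compile(
    r"Disk (\d+) Partition (\S+) ([0-9A-Fa-f]{2}) (?:\(A\) )?([0-9A-Fa-f]{2}) "
    r"(.+?) (\d+) MB offset (\d+)$"
)
DEFS_RE = re.compile(r"AVAST engine defs: (\S+)")


def parse_events(text):
    """Return a list of (datetime, message) for every timestamped line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2)))
    return events


def first_event(events, needle):
    """Timestamp of the first message containing `needle`, or None."""
    for ts, msg in events:
        if needle in msg:
            return ts
    return None


def parse_partitions(events):
    """Extract the partition table entries aswMBR prints after the MBR scan."""
    parts = []
    for _, msg in events:
        m = PART_RE.match(msg)
        if m:
            parts.append({
                "disk": int(m.group(1)),
                "index": m.group(2),             # "-" marks the extended container
                "bootable": m.group(3) == "80",  # 0x80 is the active/boot flag
                "type": m.group(4).upper(),
                "label": m.group(5),
                "size_mb": int(m.group(6)),
                "offset": int(m.group(7)),
            })
    return parts


def summarize(text):
    """Split the run into phases so a slow run can be attributed to one of them.

    Assumed boundaries: the MBR read/scan phase ends when 'Service scanning'
    starts; the Avast engine file scan runs from the first 'AVAST engine scan'
    line to 'Scan finished successfully'. Only clock times are logged, so a run
    crossing midnight is not handled.
    """
    events = parse_events(text)
    if not events:
        raise ValueError("no timestamped lines found")
    t0 = events[0][0]
    mbr_read = first_event(events, "MBR read successfully")
    services = first_event(events, "Service scanning")
    engine = first_event(events, "AVAST engine scan")
    finished = first_event(events, "Scan finished")

    def secs(start, end):
        return (end - start).total_seconds() if start and end else None

    defs = None
    for _, msg in events:
        m = DEFS_RE.search(msg)
        if m:
            defs = m.group(1)
    return {
        "engine_defs": defs,
        "partitions": parse_partitions(events),
        # The reference log posted in the thread shows this line on an ordinary
        # system too, so record it for comparison with the vendor's MBR rather
        # than treating it as a detection on its own.
        "unknown_mbr_code": any("unknown MBR code" in msg for _, msg in events),
        "mbr_check_s": secs(mbr_read, services),
        "engine_scan_s": secs(engine, finished),
        "total_s": secs(t0, finished),
        "finished": finished is not None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the MBR check accounts for roughly a tenth of a second and the engine scan for almost all of the three-minute run, which is the pattern to expect; a run that sits for hours in the engine phase points at the file scan (or something contending with it), not at the MBR check.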
[b]Windows XP Professional Edition Szervizcsomag 1[/b] (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = [b]6.0.2800.1106[/b])

You need to update to Service Pack 2 & 3 as soon as possible and also update IE to v8, as at the moment you are wide open to a lot of exploits.

Thanks for your warning; I am going to do it today.