Rootkit Problem!

Hi guys,

I’m new to the forum. Yesterday my Avast found a rootkit. I tried fixing it but it says “Error: Access is denied (5).” I then tried moving it to chest but my avast just went in a state of perpetual thinking but never moved to chest. So I decided to do a boot scan. But I cannot seem to find the boot log files even with hidden files shown. I then ran like 5 more full system scans and 2 boot scans afterwards (excessive I know) but they found nothing. I also used Malwarebytes to do a full system scan and it did not find anything. I don’t know if the first boot scan deleted the rootkit or not since I cannot find the boot log. Do you guys think it is safe to assume it did delete it? If not, how should I go about confirming whether or not my computer is truly clean?

The rootkit was C:\Windows\Temp_avast_\ws1EC2BEB0.dat. I tried looking around in the forums to see if anyone ever got this but can’t seem to find any related threads. Please help guys I really want to know if my computer is clean or not.

Thanks.

https://forum.avast.com/index.php?topic=53253.0

Ok I did what the link you gave me asked for.

Logs attached:

anybody help?

Have patience, most helpers are sleeping now.

Nothing evident there, let's empty the temp files first

Are you experiencing any problems ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated, please post that

I will try that when I get home tonight. Thanks!

I haven’t had any problems until today. I booted up my computer to do the scan as you instructed but for some reason my computer booted to a grey screen for my desktop with no icons, toolbar, etc. Just empty grey. First time this ever happened. Restarting seemed to make it boot normally. Any ideas what happened there? Can a rootkit even do that?

Here’s Fixlog:

That may have been FRST emptying the temp files

Are you still getting the alerts

So you think it's due to FRST running for the first time (i.e. the first time I ran it, so no fixlist that you gave was involved) that produced the grey screen on boot up?

Also, I never had alerts to begin with. It was one scan that found the rootkit but failed to repair due to error stated in my initial post and also could not move to chest. So I did a boot scan but am not sure if I am clean now since I cannot find the boot scan logs even with hidden files shown. Subsequent scans with both avast and malwarebytes don’t seem to show anything.

Do all my logs look okay?

The system looks clean, as the file was in a temp folder it was actually causing no harm

That's good to hear. What prompted me to scan in the first place was when I logged onto my email account, I saw a quick cmd execution that appeared and disappeared w/in a fraction of a second, and this never happened before. And so that's why I scanned and it came up with that rootkit.

If you are certain my system is clean now, then I can rest assured.

Thanks for all of your help essexboy.

You can use another scanner for a second opinion

Download DrWeb Cureit from here to your desktop; it will have a random name
Run the programme
Tick the agreement and select next
Click the green hyperlink “select objects for scanning”

https://dl.dropboxusercontent.com/u/73555776/cureit1.JPG

Select all objects bar Random access memory
Press Start scanning

https://dl.dropboxusercontent.com/u/73555776/cureit2.JPG

On completion click “Open report” and attach that in your next reply

https://dl.dropboxusercontent.com/u/73555776/cureit3.JPG

Will try that when I get back. Does it play nice with Avast and Malwarebytes or will I have to disable those before I run?

It may complain about them but you can ignore it :)

Ok I ran the scanner essexboy. It didn't detect anything. I can't seem to post the log for you either because it's 1.84 MB and the forum's max is 1 MB. Any ideas how to bypass?

Hey, if it is too big to attach here, you can upload it to a filesharing site and give the link to essexboy to collect.

If it detected nothing then the programme agrees with me and your system has no rootkit. Are you experiencing any problems ?

Nope seems to be running fine. Will report back if anything new or strange does occur. So far so good.

Thanks again for all of the help essexboy.