Rootkit: system modification

Hello all

For a couple weeks now, I’ve had avast scans showing various infected files in the C:\Windows\servicing\Packages and C:\Windows\Prefetch folders, all being labeled as Threat: Rootkit: system modification. Each of the boot-time scans afterward hasn’t found anything until yesterday, which said a file in D:\hp\apps was a Threat: Win32:Malware-gen.

I thought that might have fixed it, but today it listed another file in C:\Windows\LiveKernelReports\WATCHDOG as another Rootkit: system modification. I’ve also been running Malwarebytes as well as Spybot - Search & Destroy, though neither has shown any problems.

Also I haven’t noticed anything wrong with the computer, other than avast seems to be scanning a fair bit slower now. I’m completely lost on what to do. Any help would be greatly appreciated.

Could you run the following please, as I feel this may be an FP.

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

Ah, much appreciated. Think it froze, but hope it’s enough to be helped. Also, not sure if it’s related, but the computer said it recovered from a blue screen twice while trying to run it.

Hmm methinks this needs a bit of a longer look

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

- Under the Custom Scan box paste this in

%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.
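The /md5start section of the OTS custom scan above hashes a handful of core Windows binaries so a modified one stands out. The following is an added example, not from the thread or from the OTS tool, showing the same check in PowerShell with an Authenticode signature lookup added, so a hash mismatch can be told apart from a signed, genuine file. File paths are the usual Windows locations and are an assumption.

```powershell
# Added example (not from the thread or the OTS tool): hash and signature check of the
# same system binaries the OTS /md5start section lists. Run from an elevated prompt.
$targets = @(
    "$env:SystemRoot\System32\drivers\volsnap.sys",   # assumed locations
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\System32\svchost.exe"
)

$results = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; MD5 = $null; Signature = 'MISSING'; Signer = $null }
        continue
    }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path      = $path
        MD5       = $hash
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
    }
}

$results | Format-Table -AutoSize

# A binary whose signature status is not Valid, or whose signer is not Microsoft,
# is the one worth escalating; a HashMismatch means the file content no longer
# matches what was signed. Note that on systems where these files are catalog-signed
# rather than embedded-signed, Status can read NotSigned even for a genuine file,
# so compare the MD5 against a known-good copy before concluding anything.
$suspect = $results | Where-Object {
    $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
}
if ($suspect) {
    "Review these:"
    $suspect | Format-Table -AutoSize
} else {
    "All listed binaries are present and Microsoft-signed."
}
```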

Hope I followed the directions correctly.

Actually I can see very little there, let’s empty the temps and see if that helps with the scan speed.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3951965710-614173830-3903581707-1000\] > -> HKEY_USERS\S-1-5-21-3951965710-614173830-3903581707-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Ah k

Total Files Cleaned = 2,831.00 mb
This may slow your scan speed down a bit

What are your current problems ?

Files being marked as infected by avast, seems like they come back after rebooting the computer a few times. Haven’t seen any in the scans today though. Ah, and do I need to do anything about the drivers labeled as suspicious by aswMBR?

No they are mui files and Avast seems to have a bit of a downer on them at the moment - I have 3 on my system ;D

Ooo, alright. Also it doesn’t seem like the scanning speed has managed to pick up any yet.

Within Avast do you have caching enabled ?

Ah, sorry for the late response. Yeah, both caching options are checked.

Could you uninstall, run aswclear and then re-install? http://www.avast.com/uninstall-utility

Possibly a stupid question, but when I reinstall will I need that same code I used the first time?

What version of Avast do you have ? Free or Pro

I think it’s the pro version.

OK, you should have an avastlic file which contains your registration.

So continue, and once Avast is installed double click the Avastlic file.

Sorry for being such an idiot, but where should it be? All I see in the license folder are two text documents regarding terms and conditions.

Go to this page and ask for the licence to be resent: http://www.avast.com/resend-license-paid.php