Rootkit virus?

Avast fullscan found 1 tread named: c:\windows\assembly\NativeImages_v2.0.50727_32\System.Addln.Contra#\35a6b66e089f9164215c96127a0c6276\System.Addln.Contract.ni.dll when i scanned the assembly box avast sayd that the file cant be scanned. Rebootscan didnt find treads. Avasts tells its severity is high and its Rootkit:hidden file, it cant be moved to safebox as it says error (50), also deleting it dosent work as avasts wants to reboot comp but that does not do the trick. Is a virus and can it be deleted? Any help?

Hi,

go here: http://forum.avast.com/index.php?topic=53253.0

Please post Malwarebytes, OTL and aswMBR logs. After that Someone can help you

Hey
just were looking those, ill check them asap

c:\windows\assembly\NativeImages_v2.0.50727_32\System.Addln.Contra#\35a6b66e089f9164215c96127a0c6276\[b]System.Addln.Contract.ni.dl[/b]l
if able to....upload and test the file at www.virustotal.com post link to scan result here

Hey
The problem is I cant see the infected file itself, so I cant scan it.

Heres scan result for Malwarebytes Anti-Malware, althouth my program is finnish… but it did find bunch of other suspious files and deleted them.

Hey
Heres results for OTL scan

Got a problem with aswMBR, it keeps crashing middle of scanning, so abit hard to attach those files

try run it from safe mode… if no go just dropp it…removal experts have more tools

Dotnet is used by many different programmes, so as to which one was using it the time I do not know

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O3 - HKU\S-1-5-21-3100621200-1935484980-1270219906-1001\..\Toolbar\WebBrowser: (no name) - {D61ABD1F-D12F-4FEE-BB4A-74C66B7C64BD} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
IE - HKU\S-1-5-21-2170148910-3632287821-1312764814-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.delta-search.com/?q={searchTerms}&affID=119776&babsrc=SP_ss&mntrId=b4af30a30000000000000c60766adc85
IE - HKU\S-1-5-21-2170148910-3632287821-1312764814-1000\..\SearchScopes\{0F32E749-ECF3-410B-A8AF-8A882D8F5D3D}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
IE - HKU\S-1-5-21-2170148910-3632287821-1312764814-1000\..\SearchScopes\{CBC178DE-E569-4382-ADD5-CB4BD1063AE7}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=kw&q={searchTerms}&locale=en_EU&apn_ptnrs=U3&apn_dtid=OSJ000YYFI&apn_uid=BF9DF929-058A-4F42-B12A-848D5923F9E5&apn_sauid=2E56C37E-00CA-4F60-BA2B-36EC2C73503E
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\ocr@babylon.com: C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\ocr@babylon.com
[2013.06.04 10:44:22 | 000,053,943 | ---- | M] () (No name found) -- C:\Users\jouni\AppData\Roaming\mozilla\firefox\profiles\3bgyzb9y.default\extensions\pricepeep@getpricepeep.com.xpi
[2013.02.02 22:24:10 | 000,001,294 | ---- | M] () -- C:\Users\jouni\AppData\Roaming\mozilla\firefox\profiles\3bgyzb9y.default\searchplugins\delta.xml

:Files
C:\Users\jouni\AppData\Local\Google\Chrome\User Data\Default\Extensions\licjnkifamhpbaefhdpacpmihicfbomb

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

FINALLY

Please download Junkware Removal Tool to your desktop.

[]Right-mouse click JRT.exe and select “Run as Administrator” the tool will open and start scanning your system
[
]please be patient as this can take a while to complete depending on your system’s specifications
[]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[
]post the contents of JRT.txt into your next message.

Hey

Heres OTL fix log and OTL quick scan log (OTL scan laggs [looked at file:c\windows\assembly\NativeImages…])

And AdwCleaner results:

And Junkware report:

How is the computer behaving now ?

Hard to say as it only had some miner lagg spikes. It maybe is more smoother atm. Yesterday and today windows crashed and rebooted itself after starting, idk was it caused by those junks removed or by NativeImage thing.

Could you run an Avast scan and see if the file is still detected

Running full system scan atm, (still running) it already found 1 infected file, idk is it same but well see.

OK let me know which one(s) they are when it has finished

Yep scan found the same file, I tryed to move it to karanteen, but failed as avasts wont move it
Ill also attach phote of scan result

Tread is: Rootkit: hidden file

OK I believe that may be a false positive

I will confirm that shortly