I installed the latest programme version (2014.9.0.2006) this week for Avast Internet Security and ran a rootkits full scan which returned the following:

C:\avast! sandbox\S-1-5-21-722940579-2821837991-2511709083-1000\sfzone\C\Users\Franck\AppData\Local\Temp.…\GoogleUpdateSetup.exe

C:\avast! sandbox\S-1-5-21-722940579-2821837991-2511709083-1000\sfzone\C\Users\Franck\AppData\Local\Temp\CRX_DF399A9B383A\ChromeRecovery.exe

The severity for both is High
status: Threat: Rootkit:hidden file

I tried every action without success, from fix automatically to delete, move to chest, reboot etc. but I keep getting an error message: Access is denied.

Obviously I can’t access the path suggested by avast either.

Ran AdwCleaner and have attached log

Am clueless whether it is a false affirmative or real viruses.

Might need step by step action as am complete newbie!

Cheers

This is a FP, been posted already…

Thanks. AdwCleaner found Babylon in ProgramData which seems to be a virus though. Also found Tarma.

If you would like to check you PC, then follow this guide and attach the logs (Adwcleaner, OTL, Aswmbr)

http://forum.avast.com/index.php?topic=53253.0

I attach OTL,aswMBR, adwCleaner and mbam logs. Detected and deleted 16 PUPs, all babylon and tarma.

Can you check logs to see if avast was right with the 2 rootkits in sandbox.

Cheers

Last log attached

The rootkit is a false positive and can be safely ignored

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-722940579-2821837991-2511709083-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=12242E55F9AD7456&affID=119357&tt=250613_gr1&tsp=4927
IE - HKU\S-1-5-21-722940579-2821837991-2511709083-1000\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
O2:64bit: - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKU\S-1-5-21-722940579-2821837991-2511709083-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4:64bit: - HKLM..\Run: [GiveasyouLive] C:\Program Files\GiveasyouLive\GiveAsYouLiveServer.exe (Everyclick Ltd)
[2013/06/28 22:40:47 | 000,000,290 | ---- | C] () -- C:\Windows\Tasks\DSite.job

:Files
C:\Program Files\GiveasyouLive

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks Essexboy. What’s the “C:\Program Files\GiveasyouLive\GiveAsYouLiveServer.exe (Everyclick Ltd)” line for?

It is some charity stuff… when you shop online they give a precentage to…whatever
If you go to youtube and search for give as you live there is a video…

here’s the otl log.

wrong OTL log attached. here’s the correct one. Ta.

That is a tracking toolbar along with ad generation

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave:

Hi. Phew! all working, clean scans. You’ve been a fantastic help. Cheers. :slight_smile:

Our pleasure :slight_smile:

have run full rootkit scan with same result re. 2 rootkits in sandbox. Path still the same. Seems it happened after I updated google chrome today after Happy to live with it if it’s a FP but wonder why the scan keeps returning the virus alert after I cleaned the machine with OTL, malewarebyte, etc?

It is due to the nature of Avast sandbox, as it hides files from the main system the scan gets very suspicious. Avast cannot exclude that folder from the scan as there is nothing to stop malware creating a folder with the same name.

OK this is all new to me. So how do we know this is not a maleware?

Because you are using Avast, If you have safe zone then reset the contents