Sneaky rootkit?

Similar to “Sneaky rootkit” http://forum.avast.com/index.php?topic=121295.0 , several weeks ago avast said there was a rootkit detected and I was ushered towards a bootscan. I couldn’t find the log. Being concerned I had a virus, I used my recovery partition on my Asus laptop, the option which was: “Recover Windows to entire HD with two partitions. This option deletes all partitions from your hard drive and creates two new partitions “C” (25%) and “D” (75%).”

After reinstalling some programs and avast, I received the same notification that I had a rootkit. I also deleted the log accidentally. =( After some searching online, I wondered if I had an MBR virus. Stupid me, I also visited a couple websites before my Windows updated or I had avast reinstalled. A friend suggested I use SpyBot Search & Destroy, which got rid of a Widgi toolbar with 30 entries after I ran it in administrator mode.

Anyhow, I do not know if my security is currently compromised on my laptop or not. I haven’t been able to use my laptop now for weeks, because of my concerns. Thank you kindly for your time. MBAM didn’t turn up anything and logs attached.

Malware removers are notified; check back later today.

Does Avast give a file name and location?

Download the GMER Rootkit Scanner to your Desktop; it will be a randomly named .exe file.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click the file you downloaded. The program will begin to run.

https://dl.dropbox.com/u/73555776/GMER_Open.JPG

Caution
These types of scans can produce false positives. Do NOT take any action on any “<— ROOTKIT” entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
[*]Click NO
[*]In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
[*]Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
[*]Click OK.
[*]GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “GMER.txt”
[*]Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Thank you kindly. I never saw avast give a file name and location. At first, GMER didn’t complete a scan maybe because the folder containing it was open. It finally ran and its log is attached along with the aswMBR log.

Hi, I can see no sign of a rootkit or MBR rootkit there. Is the system behaving properly?

Thanks for looking. Yes, things are normal.

Are there any recommended prudent steps I might take should something be lurking? I’m just trying to be responsible.

Thanks again.

Not a problem, sometimes Avast does get a tad twitchy about low level drivers :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run AdwCleaner and press uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System Tools
Right click Disk Cleanup and select Run as administrator
When it pops up, select OK at the first prompt; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button

https://dl.dropbox.com/u/73555776/disc%20clean.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave:

Great info, thank you for your time.

Before I run the system restore and shadow copies option, that won’t interfere with my recovery partition, will it? And maybe it’s normal, but OTL didn’t remove GMER.

Thanks.

Nope, your recovery partition is safe … Just delete GMER from the desktop.

Done and done. And I’ve installed a few things from the link you provided about how to stay safe. Thanks!!