Suspicious file blocked

Now, I’ll keep this very short.
I never go on any dodgy websites or download any dodgy things; I’m extremely paranoid about PC security!

Avast found a rootkit: S-1-5-21-lots of numbers

I’m running Vista SP2.
I used to have Norton, MSE and Avira. I ran a scan with Malwarebytes and Avast; they now find nothing.
I currently have CCleaner.

Is this a FP?

Probably should have mentioned I run Firefox 4 with Adblock Plus, LSO deleter and NoScript.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-19 18:35:40

18:35:40.225 OS Version: Windows 6.0.6002 Service Pack 2
18:35:40.225 Number of processors: 2 586 0xF0B
18:35:40.225 ComputerName: LAPTOP UserName: Gwylim
18:35:43.126 Initialize success
18:35:44.951 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
18:35:44.951 Disk 0 Vendor: WDC_WD16 11.0 Size: 152627MB BusType: 3
18:35:44.967 Disk 0 MBR read successfully
18:35:44.967 Disk 0 MBR scan
18:35:44.983 Disk 0 unknown MBR code
18:35:44.983 Disk 0 scanning sectors +312578048
18:35:45.014 Disk 0 scanning C:\Windows\system32\drivers
18:35:51.347 Service scanning
18:35:52.939 Disk 0 trace - called modules:
18:35:52.970 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
18:35:52.970 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86a38ac8]
18:35:52.970 3 CLASSPNP.SYS[891a68b3] → nt!IofCallDriver → [0x85a5b798]
18:35:52.970 5 acpi.sys[888926bc] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x85a61030]
18:35:52.970 Scan finished successfully
18:36:17.930 Disk 0 MBR has been saved successfully to “C:\Users\Gwylim\Documents\MBR.dat”
18:36:17.945 The log file has been saved successfully to “C:\Users\Gwylim\Documents\aswMBR.txt”

Looks clean… let’s hear what the experts say.

Could you give the full path of the infection found, please?

What would have helped is the suspicious file name and its location.

The “S-1-5-21-lots of numbers” looks more like a registry key than a file name; check your scan logs for details.

Having said that, was it the anti-rootkit scan (runs 8 minutes after boot) or another scan that detected this?

See the image example of the anti-rootkit alert; was it that?
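An added example, not part of the thread, showing what the “S-1-5-21-…” identifier in the alert actually is: a Windows security identifier (SID), which is how the registry names a user’s loaded hive under HKEY_USERS. The parser below decodes the SID string and says which kind of account it denotes; the sample SID is the one that appears later in this thread’s OTS log, and the well-known SIDs are standard Windows values.

```python
"""Decode a Windows SID string (e.g. "S-1-5-21-...-1000") and describe it.
Added example for this thread; not from Avast, OTS or any other tool quoted here."""
import re
from typing import NamedTuple, Tuple

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known SIDs an alert might name instead of a user's own account.
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem (NT AUTHORITY\\SYSTEM)",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


class Sid(NamedTuple):
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]   # everything after the authority, RID excluded
    rid: int                           # last sub-authority: the relative identifier


def parse_sid(text: str) -> Sid:
    """Split 'S-R-A-s1-s2-...-RID' into its numeric parts; reject anything else."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    parts = [int(p) for p in m.group(3).split("-")[1:]]
    return Sid(revision, authority, tuple(parts[:-1]), parts[-1])


def describe_sid(text: str) -> str:
    """Say what kind of principal the SID denotes and where its registry hive lives."""
    text = text.strip()
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    sid = parse_sid(text)
    # Authority 5 (NT) with first sub-authority 21 = an account on a machine or domain.
    if sid.authority == 5 and sid.sub_authorities[:1] == (21,):
        machine = "-".join(str(n) for n in sid.sub_authorities[1:])
        if sid.rid == 500:
            who = "the built-in Administrator account"
        elif sid.rid == 501:
            who = "the built-in Guest account"
        elif sid.rid >= 1000:
            # Accounts created after install get RIDs from 1000 upwards.
            who = f"a user or group created after install (RID {sid.rid}; RID 1000 is the first one)"
        else:
            who = f"a reserved account (RID {sid.rid})"
        return (f"{who} on machine/domain {machine}; "
                f"its loaded registry hive is HKEY_USERS\\{text}")
    return f"SID under authority {sid.authority}, not a machine or domain account"


if __name__ == "__main__":
    # SID taken from the OTS log in this thread (user hive of the posting account).
    for s in ("S-1-5-21-608388554-3097171775-3632551603-1000", "S-1-5-18"):
        print(s, "->", describe_sid(s))
```

The practical point: an alert that names an SID is pointing at a per-user registry branch (HKEY_USERS\S-1-5-21-…), so the scan log, not the file system, is where to look for the object that was blocked.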

The full path is: C:\Windows\System32\WDI{86432a0b-3c7d-4ddf-a8…

EDIT:DavidR, No it was not that image, it was the new Avast UI with “Threat blocked” in the bottom right corner.

It seemed like around 8 mins after boot. I also have PUPs on. The virus name is “Win32:KillAV-AHY[Rtk]”.

EDIT:DavidR, No it was not that image, it was the new Avast UI with "Threat blocked" in the bottom right corner.
You can right-click the Avast icon by the clock and select "show last pop-up", then take a screenshot and post it here.

http://i959.photobucket.com/albums/ae73/Idiotfish/Rootkitblocked.jpg

Just facepalmed. I call myself a C++ and Java programmer, but I didn’t see “svchost.exe”; does this mean I’m OK?

Sorry for my infinite foolishness, -1 internets.

OK, this one will need some specialist assistance from essexboy.

What it means is that you have something on your system, undetected/hidden, that is using svchost.exe for malicious purposes. Whilst the object has been moved to the chest and prevented from further action (KillAV), the hidden element will have to be found.
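The check a responder would actually run on the point made above, as an added example that is not part of this thread or of any tool quoted in it: the real Service Host lives in System32 (or SysWOW64 on 64-bit), is started by services.exe, runs as one of the three service accounts, carries a “-k <group>” argument, and hashes the same as a trusted copy. Anything named svchost.exe that fails those tests is the thing “using svchost.exe” that the alert was about. The process snapshot and both MD5 values below are constructed; the computer and user names are the ones from the aswMBR log on this page.

```python
"""Flag svchost.exe instances that do not look like the genuine Service Host.
Added example for this thread. SNAPSHOT and the MD5s are constructed; on a real
machine feed it a process listing and the hash of a svchost.exe you trust."""
import hashlib
import ntpath

SYSTEM_ROOT = r"C:\Windows"
LEGIT_IMAGES = {
    ntpath.join(SYSTEM_ROOT, "System32", "svchost.exe").lower(),
    ntpath.join(SYSTEM_ROOT, "SysWOW64", "svchost.exe").lower(),
}
SERVICE_ACCOUNTS = {
    "nt authority\\system", "nt authority\\local service", "nt authority\\network service",
}
# Constructed stand-in for the MD5 of a known-good svchost.exe (e.g. from install media).
TRUSTED_MD5 = hashlib.md5(b"constructed stand-in for a trusted svchost.exe").hexdigest()
TAMPERED_MD5 = hashlib.md5(b"constructed stand-in for a dropped svchost.exe").hexdigest()


def check_svchost(proc, by_pid):
    """Return the reasons this svchost.exe instance looks wrong (empty list = fine)."""
    reasons = []
    if proc["path"].lower() not in LEGIT_IMAGES:
        reasons.append(f"image not in System32/SysWOW64: {proc['path']}")
    parent = by_pid.get(proc["ppid"])
    if parent is None or parent["name"].lower() != "services.exe":
        reasons.append(f"parent is {parent['name'] if parent else 'gone'}, not services.exe")
    if proc["user"].lower() not in SERVICE_ACCOUNTS:
        reasons.append(f"runs as {proc['user']}, not a service account")
    if "-k " not in proc["cmdline"].lower():
        reasons.append("no -k <service group> on the command line")
    if proc["md5"] != TRUSTED_MD5:
        reasons.append("MD5 differs from the trusted copy")
    return reasons


def triage(snapshot):
    """Map pid -> reasons for every svchost.exe in the snapshot that fails a check."""
    by_pid = {p["pid"]: p for p in snapshot}
    flagged = {}
    for p in snapshot:
        if p["name"].lower() == "svchost.exe":
            reasons = check_svchost(p, by_pid)
            if reasons:
                flagged[p["pid"]] = reasons
    return flagged


# Constructed process snapshot: one genuine Service Host, one impostor.
SNAPSHOT = [
    {"pid": 560, "ppid": 500, "name": "services.exe",
     "path": r"C:\Windows\System32\services.exe", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"C:\Windows\System32\services.exe", "md5": ""},
    {"pid": 700, "ppid": 560, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe", "user": "NT AUTHORITY\\NETWORK SERVICE",
     "cmdline": r"C:\Windows\System32\svchost.exe -k NetworkService", "md5": TRUSTED_MD5},
    {"pid": 1188, "ppid": 1100, "name": "explorer.exe",
     "path": r"C:\Windows\explorer.exe", "user": "LAPTOP\\Gwylim",
     "cmdline": r"C:\Windows\explorer.exe", "md5": ""},
    {"pid": 2440, "ppid": 1188, "name": "svchost.exe",
     "path": r"C:\Users\Gwylim\AppData\Local\Temp\svchost.exe", "user": "LAPTOP\\Gwylim",
     "cmdline": "svchost.exe", "md5": TAMPERED_MD5},
]

if __name__ == "__main__":
    for pid, reasons in triage(SNAPSHOT).items():
        print(pid, *reasons, sep="\n  ")
```

Two caveats a practitioner would add: a parent pid can be reused after the real parent exits, so the parent test is evidence, not proof; and a genuine svchost.exe hosting a malicious service DLL passes every check above, which is why the helper also asks for the NetSvcs and Drivers32 registry scans rather than relying on the process list alone.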

ah crap…

Please please hurry, I’m really worried, will I have to reformat?

Not so bad; at least Avast appears to be keeping it in check, and essexboy should get to the bottom of it with his knowledge and tools.

In the majority of cases a format is the last resort, not the first.

Download OTS to your Desktop and double-click on it to run it.

* Make sure you close all other programs and don’t use the PC while the scan runs.
* Select All Users.
* Under Additional Scans select the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

* Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

* Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
* When the scan is complete, Notepad will open with the report file loaded in it.
* Please attach the log in your next post.

It’s informing me that the file is too large to upload even though it isn’t… (the avast site)

Upload to MediaFire and post the sharing link, please.

http://www.mediafire.com/?5n5ew2728lqve4u

OK, a few remnants showing, but as yet no evidence of a rootkit, so we will look deeper.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Users\Gwylim\AppData\Roaming\Mozilla\FireFox\Profiles\j5ladt4a.default\prefs.js
YN -> browser.search.defaultenginename -> "Secure Search"
YN -> browser.search.selectedEngine -> "Secure Search"
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-608388554-3097171775-3632551603-1000\] > -> HKEY_USERS\S-1-5-21-608388554-3097171775-3632551603-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{21FA44EF-376D-4D53-9B0F-8A89D3229068}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Registry - Additional Scans - Safe List]
< Drivers32 [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
YN -> "msacm.mkdmp3enc" -> [C:\PROGRA~1\ACERAR~1\DVWIZA~1\Kernel\Burner\MKDMP3Enc.ACM]
[Files - No Company Name]
NY ->  RSBuddy Login.ini -> C:\Users\Gwylim\AppData\Roaming\RSBuddy Login.ini
NY ->  RSBuddy_nerdragexz.ini -> C:\Users\Gwylim\AppData\Roaming\RSBuddy_nerdragexz.ini
NY ->  20xYJkS83BHk4 -> C:\Users\Gwylim\AppData\Local\20xYJkS83BHk4
NY ->  20xYJkS83BHk4 -> C:\ProgramData\20xYJkS83BHk4
[File - Lop Check]
NY ->  .# -> C:\Users\Gwylim\AppData\Roaming\.#
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

Disable Avast whilst this runs: set the shields to off until reboot.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
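The fix above removes “Secure Search” from two prefs.js entries, which is worth understanding as a technique rather than a one-off: Firefox writes a user_pref() line to prefs.js only for settings that differ from its built-in defaults, so the mere presence of a search-engine preference in that file means something changed it, and a value that is not a mainstream engine is the signature of a browser hijack. The parser below, an added example that is not part of this thread, reads a constructed prefs.js in the same format and reports the search-related entries; the list of accepted engine names is an assumption, and keyword.URL is included because Firefox of that era used it for address-bar searches.

```python
"""Parse a Firefox prefs.js and flag search-engine preferences that were changed.
Added example for this thread. PREFS_JS is constructed text in prefs.js syntax;
the accepted engine names are an assumption, not read from a real Firefox."""
import re

# user_pref("name", value);  where value is a quoted string, true/false or an integer
PREF_RE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

SEARCH_PREFS = (
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",   # address-bar search URL honoured by Firefox 4-era builds
)


def decode_value(raw):
    """Turn the raw JavaScript literal from prefs.js into a Python value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo backslash escapes
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    raise ValueError(f"unrecognised pref value: {raw}")


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; skip header and comments."""
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#/*":
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = decode_value(m.group(2))
    return prefs


def search_hijack_findings(prefs, allowed_engines=("Google", "Bing", "Yahoo")):
    """List (name, value) for search prefs that are set and not an accepted engine.
    A pref that is absent is still at Firefox's default and is not reported."""
    findings = []
    for name in SEARCH_PREFS:
        if name not in prefs:
            continue
        value = prefs[name]
        if name.startswith("browser.search.") and value in allowed_engines:
            continue
        findings.append((name, value))
    return findings


# Constructed prefs.js; the two "Secure Search" lines mirror what OTS removed above.
PREFS_JS = """\
# Mozilla User Preferences

/* Do not edit this file.
 * Firefox rewrites it when it exits.
 */

user_pref("browser.search.defaultenginename", "Secure Search");
user_pref("browser.search.selectedEngine", "Secure Search");
user_pref("keyword.URL", "http://search.example.invalid/?q=");
user_pref("network.cookie.cookieBehavior", 1);
user_pref("javascript.enabled", true);
"""

if __name__ == "__main__":
    for name, value in search_hijack_findings(parse_prefs(PREFS_JS)):
        print(f"changed search pref: {name} = {value!r}")
```

Running the same parser over the real file is a quick way to confirm a fix like the one above took effect: after the cleanup the two browser.search entries should simply be absent, not reset to a different value.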

My OTS results:
All Processes Killed
[Registry - Safe List]
Prefs.js: “Secure Search” removed from browser.search.defaultenginename
Prefs.js: “Secure Search” removed from browser.search.selectedEngine
Registry value HKEY_USERS\S-1-5-21-608388554-3097171775-3632551603-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{21FA44EF-376D-4D53-9B0F-8A89D3229068} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-21-608388554-3097171775-3632551603-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\ not found.
[Registry - Additional Scans - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\msacm.mkdmp3enc not found.
[Files - No Company Name]
File C:\Users\Gwylim\AppData\Roaming\RSBuddy Login.ini not found!
File C:\Users\Gwylim\AppData\Roaming\RSBuddy_nerdragexz.ini not found!
File C:\Users\Gwylim\AppData\Local\20xYJkS83BHk4 not found!
File C:\ProgramData\20xYJkS83BHk4 not found!
[File - Lop Check]
File C:\Users\Gwylim\AppData\Roaming\.# not found!
[Empty Temp Folders]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Gwylim
->Temp folder emptied: 31832 bytes
->Temporary Internet Files folder emptied: 44479638 bytes
->Java cache emptied: 180225919 bytes
->FireFox cache emptied: 58523402 bytes
->Google Chrome cache emptied: 594288 bytes
->Flash cache emptied: 776 bytes

User: Marc
->Temp folder emptied: 32960 bytes
->Temporary Internet Files folder emptied: 103173 bytes
->Flash cache emptied: 1847 bytes

User: Mcx1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 146999 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3884160 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 877876 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 320 bytes
RecycleBin emptied: 3639786 bytes

Total Files Cleaned = 279.00 mb

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Gwylim
->Flash cache emptied: 0 bytes

User: Marc
->Flash cache emptied: 0 bytes

User: Mcx1
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05192011_214059

Files\Folders moved on Reboot…
File\Folder C:\Users\Gwylim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QYQNNFNJ\list-item-plus[1].png not found!
File\Folder C:\Users\Gwylim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JOUNDQ7Q\background-banner-middle-v9[1].jpg not found!
C:\Users\Gwylim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JOUNDQ7Q\background-banner-right-v45[1].jpg moved successfully.
C:\Users\Gwylim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JOUNDQ7Q\background_banner_green_50_v9[1].jpg moved successfully.
C:\Users\Gwylim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JOUNDQ7Q\background_button_green_full[1].png moved successfully.
C:\Users\Gwylim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5V0DR3QJ\background-banner-middle-v45[1].jpg moved successfully.
C:\Users\Gwylim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5V0DR3QJ\background-banner-right-v9[1].jpg moved successfully.
C:\Users\Gwylim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5V0DR3QJ\background_banner_green_50_v45[1].jpg moved successfully.

Registry entries deleted on Reboot…

ComboFix results

Are you still getting the alerts?