SVC: MpKsl53f20fb4 Rootkit hidden service

For about three/four weeks avast has been reporting that it found a rootkit. The complete message is:

A suspicious hidden object (rootkit) has been detected on your system. This may be a sign of a malware infection. It is recommended to remove the object immediately.

Rootkit information:
File name:
SVC: MpKsl53f20fb4
Rootkit name:
Rootkit: hidden service.

When I select “Delete Now” as the action to take, it seems the rootkit is deleted. However after a couple of days avast reports the same rootkit again.

Besides avast displaying this message, my computer responds normally. So is this a false positive or a real threat?

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

Hi Asyn,

Thanks for your support.

I have attached the reports.

Please let me know if you find something suspicious.

Regards,
Frank

Here’s the last report.

Looked at your logs. A badly infected system. Wait until essexboy, the malware expert, sees your logs and advises you on how to clear it.

If AdwCleaner reports all this stuff, then you are badly infected!!! Generally!!!

The reported file is part of Windows Defender and is a hidden file, hence the avast warning. But you can safely ignore it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://websearch.searchiseasy.info/?pid=499&r=2013/08/26&hid=12071195910811923614&lg=EN&cc=NL&unqvl=33
IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKLM\..\SearchScopes\{274daec0-c4e8-4f30-9e5c-9424990769b9}: "URL" = http://search.tb.ask.com/search/GGmain.jhtml?p2=^0D^xdm269^YYA^nl&ptb=8496634C-3569-4DA1-9035-0A4D14805F57&ind=2013101914&n=77fd7f5a&psa=&st=sb&searchfor={searchTerms}
IE - HKLM\..\SearchScopes\{84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^ZO^xdm043^YY^nl&si=EL_UTFIG_20&ptb=88A375E7-7249-4CFA-8113-3D9BD2437756&ind=2013040311&n=77fc8eb7&psa=&st=sb&searchfor={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=295&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=3533238505504138&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59}: "URL" = http://search.imesh.com/web?src=ieb&systemid=1&q={searchTerms}
IE - HKLM\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^man000^^&ptb=FC8630D7-B29E-4916-86DC-C6D871871645&psa=&ind=2013012009&st=sb&n=77fc2029&searchfor={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2857573
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.searchiseasy.info/?l=1&q={searchTerms}&pid=499&r=2013/08/26&hid=12071195910811923614&lg=EN&cc=NL&unqvl=33
IE - HKLM\..\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}: "URL" = http://search.tb.ask.com/search/GGmain.jhtml?p2=^HJ^xdm255^YYA^nl&si=COnWlNmwp7kCFYRP3godQCsABQ&ptb=29232A43-4DA6-4832-AED8-0D87C8C61ABA&ind=2013083105&n=77fd35e1&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-459960741-3575779535-305645799-1008\..\URLSearchHook: {213c8ed6-1d78-4d8f-8729-25006aa86a76} - No CLSID value found
IE - HKU\S-1-5-21-459960741-3575779535-305645799-1008\..\URLSearchHook: {327f75ed-061b-4339-8cc6-5dd45ad1396d} - No CLSID value found
IE - HKU\S-1-5-21-459960741-3575779535-305645799-1008\..\URLSearchHook: {5bcf818d-78c8-41b8-ba89-65c5fdac4fc4} - No CLSID value found
IE - HKU\S-1-5-21-459960741-3575779535-305645799-1008\..\URLSearchHook: {b2bf7b3f-bf0b-4c48-aec6-f92c51be63e1} - No CLSID value found
IE - HKU\S-1-5-21-459960741-3575779535-305645799-1008\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-459960741-3575779535-305645799-1008\..\SearchScopes\{274daec0-c4e8-4f30-9e5c-9424990769b9}: "URL" = http://search.tb.ask.com/search/GGmain.jhtml?p2=^0D^xdm269^YYA^nl&ptb=8496634C-3569-4DA1-9035-0A4D14805F57&ind=2013101511&n=77fd7dc7&psa=&st=sb&searchfor={searchTerms}
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\specialsavings@vshsolutions.com: C:\Users\AVVE Solutions\AppData\Roaming\Mozilla\Extensions\specialsavings@vshsolutions.com [2013-01-20 15:53:02 | 000,000,000 | ---D | M]
[2013-01-20 15:53:02 | 000,000,000 | ---D | M] (Special Savings) -- C:\Users\AVVE Solutions\AppData\Roaming\Mozilla\Extensions\specialsavings@vshsolutions.com
O2 - BHO: (Toolbar BHO) - {074d3229-0a22-491b-b9dd-ff3171d75f25} - C:\Program Files\MarineAquarium3Free_57\bar\1.bin\57bar.dll (MindSpark)
O2 - BHO: (Search Assistant BHO) - {0eeaa2c3-0cd7-4364-b82e-f9257081c860} - C:\Program Files\MarineAquarium3Free_57\bar\1.bin\57SrcAs.dll (MindSpark)
O2 - BHO: (MediaBar) - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\Program Files\iMesh Applications\MediaBar\ToolBar\imeshdtxmltbpi.dll ()
O2 - BHO: (UrlHelper Class) - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - C:\Program Files\iMesh Applications\MediaBar\Datamngr\IEBHO.dll (iMesh, Inc)
O3 - HKLM\..\Toolbar: (Marine Aquarium Lite) - {07189b84-b33b-4a1e-9b32-ad203c983c20} - C:\Program Files\MarineAquarium3Free_57\bar\1.bin\57bar.dll (MindSpark)
O3 - HKLM\..\Toolbar: (MediaBar) - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\Program Files\iMesh Applications\MediaBar\ToolBar\imeshdtxmltbpi.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-459960741-3575779535-305645799-1008\..\Toolbar\WebBrowser: (Marine Aquarium Lite) - {07189B84-B33B-4A1E-9B32-AD203C983C20} - C:\Program Files\MarineAquarium3Free_57\bar\1.bin\57bar.dll (MindSpark)
O4 - HKLM..\Run: [Marine Aquarium Lite Search Scope Monitor] C:\Program Files\MarineAquarium3Free_57\bar\1.bin\57SrchMn.exe (MindSpark)
O4 - HKLM..\Run: [MarineAquarium3Free_57 Browser Plugin Loader] C:\Program Files\MarineAquarium3Free_57\bar\1.bin\57brmon.exe (VER_COMPANY_NAME)
[2013-09-29 09:58:21 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip Registry Optimizer

:Files
C:\Program Files\iMesh Applications
C:\Program Files\MarineAquarium3Free_57\bar

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered and reboot the PC when it is done.
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
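As an added example (not part of this thread or of avast's or OTL's own tooling), here is how a defender can check for themselves whether a hidden `MpKsl*` service is the Windows Defender scan driver essexboy describes, by locating the driver image and verifying its Authenticode signature. It assumes the service is registered as a kernel driver visible through `Win32_SystemDriver`; the signer check against `O=Microsoft Corporation` is the heuristic used here, not an avast rule.

```powershell
# Added example: verify that a service named MpKsl* is a Microsoft-signed
# Windows Defender driver before treating it as a rootkit.
# Assumption: the driver is registered as a kernel driver service and its
# image path is exposed via Win32_SystemDriver.PathName.
function Test-MpKslDriver {
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -like 'MpKsl*' }

    if (-not $drivers) {
        # MpKsl* drivers are short-lived: they exist only while a scan runs,
        # which is also why avast keeps "finding" a new one every few days.
        Write-Output 'No MpKsl* driver currently registered.'
        return
    }

    foreach ($d in $drivers) {
        # PathName may be written as \??\C:\... or relative to System32; normalise it.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        if ($path -notmatch '^[A-Za-z]:\\') {
            $path = Join-Path $env:SystemRoot $path
        }

        $sigStatus = 'FileMissing'
        $signer    = $null
        if (Test-Path -LiteralPath $path) {
            $sig       = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status
            $signer    = $sig.SignerCertificate.Subject
        }

        [pscustomobject]@{
            Service           = $d.Name
            State             = $d.State
            Path              = $path
            SignatureStatus   = $sigStatus
            Signer            = $signer
            LooksLikeDefender = ($sigStatus -eq 'Valid' -and
                                 $signer -match 'O=Microsoft Corporation')
        }
    }
}

Test-MpKslDriver | Format-List
```

Run it from an elevated PowerShell while a Defender scan is in progress; a `LooksLikeDefender` of `True` supports the false-positive verdict, while an unsigned or differently signed image under that name is worth submitting for analysis.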