I installed AVAST Home on my friend’s computer for the first time yesterday and the initial scan found a virus called Win32:TIBS-AZX in the System32/Windev-599b-2d3.sys. It couldn’t be repaired, so I moved it to the Virus Chest.
Now she can’t click on certain buttons within various websites. Press the mouse key and nothing happens.
When I look on my computer for the System32/Windev-599b-2d3.sys file, there isn’t one. I was hoping to copy it over to her System32 folder.
I found through web searches that this Trojan is called a “Rootkit” virus. All I want to do is find a clean version of that file for Windows XP and install it on her PC. She is now upset that I removed her Trend Micro AV and installed Avast. I guess living with an unknown Trojan for God knows how long didn’t bother her. Any help is appreciated. Thank you. -Bert (Chicago)
The Windev-599b-2d3.sys clearly isn’t a system file but a file placed in the system32 folder to make people think that it is an important system file so they won’t delete or move it.
Had you searched for the file name you would have found as I did, zero hits on google and that in its own right is suspicious.
So you won’t find a clean version of this file as it is completely malicious and not something that can be repaired/cleaned.
Some examples of the web sites and buttons might be useful.
Thank you, gentlemen. While awaiting your responses, I moved the file from the chest back to the folder from whence it came, restarted her PC and tried pressing the buttons within www.UnitedSecurity.com agent’s section again. Pressing the buttons on my PC delivers the pages/info desired, but not on hers still, even with the infected “ghost?” file put back where Avast moved it from. So… I suppose that this file was not the issue. Will move it back to the chest and download the latest Microsoft updates to see if this makes a difference.
It might just be something related to the way her Cookies/Add-ons/Security settings are configured. It is strange that those policyowner inquiries buttons at www.UnitedSecurity.com have worked for her in the past, but suddenly no more after I installed AVAST on her PC yesterday. Coincidence? My PC runs Avast and so do the other agents’ personal laptops. No problem with any of us. Back to the drawing board. Thanks to everyone for your feedback.
I’ve always loved Avast and this Community! -Bert in Chicagoland
Had you searched for the file name you would have found as I did, zero hits on google and that in its own right is suspicious.
David,
When you see numbers and letters, try substituting a wild card: Windev*.sys brings up a lot of hits on Google.
Bert,
As David said, this is not a file you want to replace: it is a malicious file. Leaving the rootkit in place will put your friend’s personal details at risk, and allow her computer to be used for criminal activities.
You need to ensure the rootkit is removed and the computer cleaned up.
The page you mention uses JavaScript to launch a new page on a button click. There’s no reason why avast! should be blocking these clicks. I’d like to see the computer cleaned up properly first, and then see if the problem persists.
To that end, please run the rootkit scanners and a new avast! scan.
Is Panda Rootkit finder effective, and will it clash with Avast if I scan my computer with it?
Yes, no.
Although it is effective, it is not 100% effective: no anti-malware scanner is, which is why I recommend three anti-rootkit scanners.
There are many anti-rootkit scanners available: if you follow David’s link, you will find many more.
To my mind, the three I mentioned are effective and user-friendly: i.e., they don’t require a great deal of knowledge on the part of the user about what they are actually doing.
Other anti-rootkit scanners like GMER are equally effective but require a bit more understanding.
Is it safe to run Avast alongside the rootkit finder due to them both scanning the same files (ie will it cause file corruption or will they take it in turns to scan each file)?
Is it safe to run Avast alongside the rootkit finder due to them both scanning the same files (ie will it cause file corruption or will they take it in turns to scan each file)?
I’ve never had a problem before, but you could always disable avast! before running the rootkit scan.
Could this topic be left open till an Avast representative puts my mind at rest? (Not to question what you say, FreewheelinFrank; I am very, very grateful for your response.) It’s just that I’m the worrying type and the least thing gets me panicky/concerned. If not, I shall just keep an eye on my system, but thanks for any replies you have given me.
Topics are always open, whether any of the Alwil team puts your mind at rest any time soon is the question.
We aren’t in the habit of making recommendations that are going to be harmful, and we have over time recommended the three anti-rootkits mentioned by Frank without any report of adverse effects.
Keeping your eye on a system that may be suffering from a rootkit infection would make me more panicky/concerned than using the anti-rootkit tools mentioned.
At some point you have to trust that we know what we are doing as for the most part the most active members of this forum don’t work for Alwil. The Alwil team have important tasks of developing the avast product and I honestly don’t know of any other software support forum that has as much input from the developers, but they can’t be here 24/7.
As David said, this is not a file you want to replace: it is a malicious file. Leaving the rootkit in place will put your friend’s personal details at risk, and allow her computer to be used for criminal activities.
You need to ensure the rootkit is removed and the computer cleaned up.
Please be aware that credit card details, financial website passwords and other information may be on its way to the hands of a criminal somewhere. Your friend needs to know this if she uses the computer for shopping, internet banking etc. There is also the risk of other personal information being stolen. If there is confidential information on the computer, this could be an issue. Furthermore, the computer could be being used for sending spam or attacking other computer systems (DoS attacks).
I’m trying to say here that there is more to worry about in leaving the rootkit in place than removing it: there’s no way to know what the rootkit is hiding, and what the risks are to your friend and others.
How dangerous is a rootkit?
The rootkit itself does typically not cause deliberate damage. Its purpose is to hide software. But rootkits are used to hide malicious code. A virus, worm, backdoor or spyware program could remain active and undetected in a system for a long time if it uses a rootkit.
Please don’t take what I’m saying the wrong way; it’s just that I like to cover all the bases before doing anything, that’s all. I am very grateful for all the help and suggestions. Sorry for any offence caused.
Well, thanks mate for everything, it means a lot. I ran AVG Anti-Rootkit Free last night and everything seems OK; the little Avast icon only spun round a few times, so maybe it was just doing some idle scanning of its own.