TRO/ROOT KIT?

Avast rescue disk says I have a Trojan. I remove it and it reappears. Avast rescue disk says I have a Trojan with 6 mo. newer data base. I remove it and the same Trojan reappears. Comodo CCE says I have a root kit. I remove it and it reappears. Comodo CCE with updated data base says I have a root kit. I remove it and same one reappears. Mbam and Avast IS scan clean. SFC says clean and all drivers are digitally signed. I posted OTL and aswMBR. RKreport to follow. Any help would be appreciated.

Any scan done inside Win does not show the Trojan. Only a boot disk scan with the “SAME” Avast data base that scans clean inside Win shows the Trojan from outside Win. I posted yesterday. Where is anybody? Any help would be appreciated. Thanks.

Note for the future - You can attach up to 4 files per post, provided the total doesn’t exceed 200KB.

What would have been helpful is the file name, location and full malware name of the detection.

You say that you used the Avast rescue disk to scan:
Why did you feel it necessary to do this?
Before you did that, did you have the latest virus definitions?

David… thanks for the response. Yes, I am far from perfect. Sorry. The rescue disk came with its own data base out of the box. It showed the Trojan. I removed it and next day it was not there. I then scanned with the updated “Avast” data base that scanned clean with Avast IS and the rescue disk again found the same Trojan a few days later. I am simply monitoring the computers since they are always doing unexplainable things. Like showing a Win security breach that magically goes away all by itself a week or so later.

The file name, location and malware name help us to help you, e.g. it gives us an idea what it is that we might be dealing with. So can you give the details of the detection for Comodo CCE and Avast rescue disk, the file name, location and malware name given?

I don’t know how it is that you actually get the latest virus definitions for the Avast rescue disk, but the one that comes with it is likely to be a little out of date, and if this is a false positive then it may have been corrected; then we are only chasing the Comodo CCE detection, but in any case the above information helps us.

David, yes the Avast rescue disk is about 6 mo. outdated out of the box, but it gives an option to update the data base and I updated it to the same version that Avast IS was running and it found the same Trojan. Unfortunately, I thought I wrote it down, but may have only typed it into Google searches. It was something like ???sorry I can not guess very well???. I will have to repeat the scans. As far as Com… scan, it filled a directory of “quarantine” and said “C:## aswSnx private storage”

Well that is the location of the private storage of the avast sandbox, so I would expect it to be hidden.

So my guess is that, as far as Comodo CCE goes, it got it wrong in taking hidden as somehow a rootkit.

David, thanks. I just do not have the expertise to understand how the same Avast data base can show a Trojan when scanned outside Win and not see it inside Win. I also do not understand how Win takes a “security tampered” hash mark changed file and turns it into a non hash mark changed file without any restore being done on it. Also I am trying to understand how the “Trojan” and Com… scan results reappear days later, after initial results confirm that they were gone. I assume that the 4 files that were too big to post all at once, were not helpful. (Could you please confirm this.) I am glad that there are experts like you that understand all this. Thanks.

Nothing untoward showing in the logs, and as David stated the file location is the safe zone area.

If you have no apparent problems then I would ignore the report of a rootkit.

I’m not familiar with what the Avast rescue disk is actually looking for over and above the standard AV scan. However, since it also runs outside of Windows, the C:## aswSnx private storage would be visible, where it is hidden when Windows is running.

But as essexboy says it looks like your system is clear.

Ess… and Dav…, thanks. I am learning with your help. Maybe it was Com… that fixed Win security breach. All I know is that it loaded the directory “quarantine” with many files and scripts that Win refused to empty from the wastebasket. Said that their names were too long to empty from trash. The persistent find is “WIN32:Small-HUF [Trj]”.
I did a rescan and it still returns. Both with 6 mo. old data base and current data base. File is too large to upload to VirusTotal. It is pagefile.sys. How it was able to scan clean for a while before, I do not know. All I know now is that it reloads every time. Since it persists with both data bases that are 6 mo. different, says to me that it could not be a false positive. After all, how could a false positive remain for over 6 mo.?
Whatever Com… removed, it sped up the computer noticeably in one case and slowed down another noticeably. Same program and same data base.
Avast can see the hidden directory and reports nothing other than the one above. Com… places a lot into Quarantine directory and does not see what Avast reports.

Pagefile.sys is a system swap file. You can clear it by setting no virtual memory and then rebooting. MS has a fixit here that will do it for you: http://support.microsoft.com/kb/314834
About halfway down is a fixit button; press that and allow the programme to run.

Ess…, thanks again. Yes the fix worked, but the fix causes Win to close very slowly. Since Win recreates the pagefile.sys and erasing it at close only covers up the Trojan, I undid the fix and it scanned clean with both data bases. I then connected to the net etc. and the Trojan returned. How do I need to configure Avast to stop the return of the Trojan? Thanks in advance.

What file is Avast reporting? As this could be a false positive.

The Trojan name is “Win32:Small-HUF [Trj]”. It is inside “pagefile.sys”. I am running Avast IS and Comodo CCE finds both of Avast’s hidden directories “##asw…” and Quarantines them as root kits. Avast (RESCUE DISK) (Both data bases 6 mo. apart) finds the Trojan above and deletes it. I reload and Win regenerates a Pagefile. Avast finds the same Trojan in the pagefile and deletes it.

“D:\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\ProgramData\Malwarebytes\Malwarebytes’ Anti-Malware\mbam-setup.exe{embedded}\setup.exe ERROR: Unknown packer version.
D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe{embedded}\setup.exe ERROR: Unknown packer version.
;--------------------------
;Files: 345464
;Folders: 21767
;Files size: 40727044965
;Infected files: 1
;--------------------------
;******
;Scan footer
;Scan completed with return code: 0
;******
;******
;Command header
;Columns: File name TAB Command TAB Returned code TAB Custom parameter 1 TAB Custom parameter 2
;******
D:\pagefile.sys DELETE OK 1 0”

I restart Win and tell Win to delete the page file and close and restart Win and verify the pagefile is regenerated. Then I rescan with the Avast rescue disk with both data bases 6 mo. apart and the Trojan is gone. (I can see Avast scan the pagefile.)

“D:\ProgramData\Malwarebytes\Malwarebytes’ Anti-Malware\mbam-setup.exe{embedded}\setup.exe ERROR: Unknown packer version.
D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe{embedded}\setup.exe ERROR: Unknown packer version.
;--------------------------
;Files: 347277
;Folders: 21884
;Files size: 34337455711
;Infected files: 0”

I connect to the net etc., and then rescan with the rescue disk and the Trojan is back on both data bases 6 mo. apart scans. How do I stop the Trojan from returning? Thanks in advance.
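The rescue-disk report quoted in the post above has three parts (per-file INFECTED/ERROR result lines, a ';'-prefixed footer of counters, and a tab-separated command section described by the "Columns:" header). The Python below is an added example, not Avast's own tooling: it parses that format and flags detections that sit in a Windows swap file, which is regenerated on every boot and so needs corroboration from an in-Windows scan before anything is concluded. The sample report and the swap-file list are constructed assumptions.

```python
"""Parser for the Avast rescue-disk report format quoted above (added example,
not Avast's code): result lines, ';' footer counters and the command section."""
import re
from dataclasses import dataclass, field
SWAP_FILES = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}  # rebuilt at boot (assumed list)

# Constructed sample modelled on the report quoted in the thread; separators
# are tabs as the "Columns:" header states (the forum collapsed them).
SAMPLE_REPORT = (
    "\u201cD:\\pagefile.sys\tINFECTED: Win32:Small-HUF [Trj]\n"
    "D:\\Users\\975\\Downloads\\mbam-setup-1.51.2.1300.exe{embedded}\\setup.exe"
    "\tERROR: Unknown packer version.\n"
    ";Files: 345464\n"
    ";Infected files: 1\n"
    "D:\\pagefile.sys\tDELETE\tOK\t1\t0\u201d\n"
)
RESULT_RE = re.compile(r"^(?P<path>.+?)\s+(?P<status>INFECTED|ERROR):\s*(?P<detail>.*)$")
COUNTER_RE = re.compile(r"^;(?P<key>[A-Za-z ]+):\s*(?P<value>\d+)\s*$")

@dataclass
class Report:
    results: list = field(default_factory=list)   # (path, status, detail)
    stats: dict = field(default_factory=dict)     # footer counters
    commands: list = field(default_factory=list)  # (path, command, returned code)

def parse_report(text: str) -> Report:
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip().strip('"\u201c\u201d')  # quote marks from the post
        if not line:
            continue
        if line.startswith(";"):  # footer/header lines; keep numeric counters only
            m = COUNTER_RE.match(line)
            if m:
                rep.stats[m["key"].strip()] = int(m["value"])
            continue
        m = RESULT_RE.match(line)
        if m:
            rep.results.append((m["path"], m["status"], m["detail"]))
            continue
        fields = line.split("\t") if "\t" in line else line.split()
        if len(fields) >= 3:  # command section: file name, command, returned code
            rep.commands.append((fields[0], fields[1], fields[2]))
    return rep

def swap_file_detections(rep: Report) -> list:
    """Infected results whose file is a swap file, as (path, malware name)."""
    return [(p, d) for p, s, d in rep.results
            if s == "INFECTED" and p.rsplit("\\", 1)[-1].lower() in SWAP_FILES]
```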

I do not think it is a trojan… To me this smells like a false positive. If the installed Avast does not detect it, to be honest I would ignore the rescue disc detection.

Ess…, thanks, but the same data base of the “installed” Avast that works in the “rescue disk” Avast does recognize it. Only when I move the Pagefile.sys so it is no longer in use by Win does the “installed” Avast detect it.