Valid RootKit Infection?

avast! Antirootkit, version 0.9.6
Scan started: Wednesday, September 17, 2008 12:05:49 AM

File C:\Users\shred\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUWELWKQ\errorPageStrings[1] HIDDEN
File C:\Users\shred\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUWELWKQ\ErrorPageTemplate[2] HIDDEN

Scan finished: Wednesday, September 17, 2008 12:11:02 AM
Hidden files found: 2
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

I ran AVAST Anti-Rootkit and got the above results. I cannot imagine where I would have picked up a Rootkit on this machine, as I have the latest version of Avast installed and running. I never go to even slightly risky sites with this computer; I have an old beater computer running XP that I use for anything that could be considered risky. Unless I picked it up playing Unreal Tournament Online. Is that even possible?


Since these are both in your Temporary Internet Files, I suggest you empty that folder.

By the way, are you really using IE5 to browse the internet? This is very unsafe to use these days.


I agree. Update to IE7 or download Firefox 3.

I actually have IE7 installed but primarily use Firefox 3 as my main browser. I do have the IE Tab installed in Firefox 3. I wonder if this has anything to do with it? I have a clean from the factory install of Vista Home Premium on that computer, so IE5 has never even been installed on that system.

I let Avast Anti-Rootkit “clean” whatever those files were and after reboot rescanned and got a clean bill of health.

But my question remains: were those files actual Rootkits? If so, should I be worried that my personal info has been compromised?

this is not a false detection probably… this situation was discussed some time ago and is caused by some running component of IE… generally when you have a process (which creates or deletes some temporary files) running while doing the antirootkit scan, you can expect this type of alert… it’s easy - when the file gets hidden (deleted) during the scan, it looks like the act of a rootkit and should be reported… it’s always good to terminate all unnecessary processes before starting the antirootkit scan…
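
The race described in the reply above, reproduced as an added example that is not part of the thread or of avast's code: a file that exists in the first enumeration but is deleted before the second shows up in the cross-view difference exactly like a hidden file, and a recheck separates the two cases. Both views here are plain directory listings taken at different times (an assumption; a real scanner reads the file system structures directly for its low-level view), and all function names and file contents are constructed.

```python
import os
import tempfile


def list_names(directory):
    """One view of a directory: the set of entry names visible right now."""
    return {entry.name for entry in os.scandir(directory)}


def cross_view_diff(low_level_view, api_view):
    """Names in the low-level view but missing from the API view (reported HIDDEN)."""
    return low_level_view - api_view


def classify(candidates, low_level_recheck, api_recheck):
    """Re-enumerate both views and give each flagged name a verdict."""
    verdicts = {}
    for name in sorted(candidates):
        if name in low_level_recheck and name not in api_recheck:
            verdicts[name] = "still hidden: investigate"
        elif name not in low_level_recheck:
            verdicts[name] = "transient: deleted during scan"
        else:
            verdicts[name] = "visible again: enumeration race"
    return verdicts


def simulate_scan_race():
    """Reproduce the race with constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as cache:
        for name in ("errorPageStrings[1]", "ErrorPageTemplate[2]", "index.dat"):
            with open(os.path.join(cache, name), "w") as handle:
                handle.write("constructed sample\n")
        # Pass 1: stand-in for the scanner's low-level enumeration.
        low_level = list_names(cache)
        # Another process cleans up its temporary files while the scan runs.
        os.remove(os.path.join(cache, "errorPageStrings[1]"))
        os.remove(os.path.join(cache, "ErrorPageTemplate[2]"))
        # Pass 2: stand-in for the normal API enumeration, taken later.
        api = list_names(cache)
        flagged = cross_view_diff(low_level, api)
        # Recheck: take both views again before trusting the report.
        verdicts = classify(flagged, list_names(cache), list_names(cache))
        return flagged, verdicts


if __name__ == "__main__":
    for name, verdict in simulate_scan_race()[1].items():
        print(f"{name}: {verdict}")
```
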

Spybot Search And Destroy offers to delete files from the Temp Folder upon startup of that program, but I do not have it active and running, I use it as an On Demand Scanner only. Could that be what caused this?

Should I disable AVAST and my Comodo Firewall to run the RootKit Scan? That was about all I had running on my computer when I last scanned. If so, I will disconnect physically from the internet when I next run the Avast Anti-Rootkit program. As always, thank you for your help.

avast itself should not conflict with the antirootkit scan (of course only when the on-demand scan is not running)… to see other processes and their activity, you can use Process Explorer (Sysinternals/Microsoft)… anyway, there’s no reason to worry about the Temporary Internet Files\Content.IE5 folder :)