Win32: Rootkit-gen [RTK] cannot be removed

I have had a problem with Win32: Rootkit-gen [RTK] for a month: I remove it and it comes back; I format the computer and it still returns.

I scanned all my CDs and formatted the pen drive. I even used a Linux distribution to check the pen drive, but it does not contain anything.

Useful information: if I clean the computer and stay off the internet for a while, it stays clean; as soon as I connect, it is back.

Because of this there must be some program that downloads the malware again. Is there any way to find out what downloads this malware, for example using a firewall to see the connection?

Sorry for the way I write; I do not know English and use an automatic translator.

What is the name and location of this file?

The file always appears in the folder C:\WINDOWS\system32

Its name varies, using numbers like 626, 253 etc.

The last one detected by the avast window is: C:\WINDOWS\system32\253.exe\[UPX]\[Embedded_I#6ba0]

The file appears in Windows Explorer as C:\WINDOWS\system32\253.exe

With this malware, from time to time some files like 227.exe appear that avast does not detect. I sent the file to VirusTotal: of the 40 antivirus engines, 2 said it was malware and 7 said it was suspicious. I had the report, but I formatted the PC. This Win32: Rootkit-gen [RTK] always appears again: it is disinfected, but when I connect to the Internet it comes back.

The others I can remove without trouble. Win32: Trojan-gen and Win32: Vitro have also appeared; only formatting fixed those.

Win32: Rootkit-gen [RTK] is currently the only one I cannot remove, not even by formatting.

It was the first malware to infect me since I have had a computer.

First, download HijackThis, choose scan and save a logfile. Copy/paste the txt log here.
http://filehippo.com/download_hijackthis/

Second, download MalwareBytes Anti-Malware, install it, update it, choose quick scan and copy/paste the log here.
http://filehippo.com/download_malwarebytes_anti_malware/

Lastly, from a clean computer, download the Avira Rescue program, double click on the downloaded file and insert a blank CD; the program is automatically burnt to disc. Insert the disc into the infected computer and REBOOT.

Note any infections found, and report them here, before renaming.

http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

There is a super person on this forum called Tech, he is from Brazil, I will send him a personal message, he will be able to communicate better with you :slight_smile:

Also, do you have the VirusTotal report from when you sent the file?

I cannot delete this message.

The download is right; what I had written here is wrong.

As my internet is dial-up, the downloads will take a while; when the downloads finish I will post the logs.

For Avira, I want to download the newest version at an internet café.

The Avira rescue CD I had downloaded is an older version, about 15 days old.

Thank you.

Very new, today http://dl1.pro.antivir.de/package/rescue_system/common/en/rescue_system-common-en.exe

I asked for the file to be downloaded, but it is in ISO format; can it be the ISO or does it have to be the exe?

ISO, needs a burner: http://dl1.pro.antivir.de/package/rescue_system/common/en/rescue_system-common-en.iso

You said you sent the file to VirusTotal; can you post the results?

I formatted yesterday and the file was deleted. The only thing on the PC that is always around is Win32: Rootkit-gen [RTK], but from time to time others like Win32: Vitro also appear; the others I can solve, except this Win32: Rootkit-gen [RTK].

I believe the symptom is that there is some malware that avast does not detect (I tried several antivirus products, nothing solved it). Besides avast, I have these products:

SUPERAntiSpyware Free Edition

Spybot search and destroy

And for a short time I used Spyware Terminator; I will use it again.

It looks like a downloader trojan (I believe that is the name for a trojan that downloads other malware) that downloads new, undetected malware.

Is there a tool to help find unknown malware?

Malwarebytes says it found 3 more malware items; I did not remove them because they are the security warnings that I disabled. Do I have to remove them?

Memory processes infected: 0
Memory Modules Infected: 0
Registry keys infected: 0
Infected registry values: 0
Infected registry items: 3
Folders infected: 0
Files infected: 0

Memory processes infected:
(No malicious item was found)

Memory Modules Infected:
(No malicious item was found)

Registry keys infected:
(No malicious item was found)

Infected registry values:
(No malicious item was found)

Infected registry items:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.

Folders infected:
(No malicious item was found)

Infected files:
(No malicious item was found)

Avira does not detect anything, and neither do the forty or avast.

Now I post the HijackThis log.

The log of HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:28:53, on 28/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\Discador itelefonica\DiscadorCompitelefonica.exe
C:\WINDOWS\system32\slrundll.exe
C:\Documents and Settings\Usuario\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.baixaki.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{925148F4-231D-4E87-8124-05E90B5172A6}: NameServer = 200.204.0.138 200.204.0.10
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe


End of file - 5044 bytes
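
When a helper reads a HijackThis log like the one above, the first things checked are the O4 autorun entries (especially ones that name a bare executable with no full path, which are resolved through PATH and so deserve a second look, though they are not proof of infection) and any O17 NameServer override, which should match the ISP's published DNS servers. The parser below is an added example written for this thread, not part of the original posts or of HijackThis itself; its sample input is a constructed subset of the log posted above.

```python
import re

# Constructed sample: a subset of the HijackThis lines posted in the thread above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{925148F4-231D-4E87-8124-05E90B5172A6}: NameServer = 200.204.0.138 200.204.0.10
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
End of file - 5044 bytes
"""

# Every HijackThis entry starts with a section code (R0, O2, O4, O17, ...).
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.*)$")
# O4 entries: hive, Run/RunOnce, [value name], command (optionally followed by "(User ...)").
O4_RE = re.compile(r"^(?P<hive>HK\S*?)\\?\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_hjt(text):
    """Group HijackThis entries by their section code."""
    sections = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections.setdefault(m.group("code"), []).append(m.group("rest"))
    return sections

def autoruns(sections):
    """Return (hive, value name, command) for every O4 Run/RunOnce entry."""
    out = []
    for rest in sections.get("O4", []):
        m = O4_RE.match(rest)
        if m:
            cmd = re.sub(r"\s*\(User .*\)$", "", m.group("cmd"))  # drop the "(User 'X')" suffix
            out.append((m.group("hive"), m.group("name"), cmd))
    return out

def autoruns_without_full_path(sections):
    """Value names of O4 entries whose command is a bare file name (no drive letter)."""
    return [name for _, name, cmd in autoruns(sections)
            if not re.match(r'^["“]?[A-Za-z]:\\', cmd)]

def nameservers(sections):
    """DNS servers forced through O17 entries; compare them with the ISP's published ones."""
    ips = []
    for rest in sections.get("O17", []):
        m = re.search(r"NameServer = (.+)$", rest)
        if m:
            ips.extend(re.split(r"[ ,]+", m.group(1).strip()))
    return ips
```

On the sample above, `autoruns_without_full_path` returns `RTHDCPL` and `Alcmtr`, and `nameservers` returns the two 200.204.0.x addresses from the O17 line; both lists are starting points for a manual check, not verdicts.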

Have you run the disc? Maybe previously, recently!
I see nothing in the HijackThis log

You mention Win32: Vitro; as far as I know this is incurable. I am having difficulty understanding (my fault).

Vitro or Virut http://forum.avast.com/index.php?topic=42709.0

Even after a reformat, this will easily reinfect if it is on your pen drive etc.

Vitro had never appeared before; when it was first detected, I formatted.

There is some malware on my PC, which is strange; everything else I download detects nothing on my PC. :cry:

I read the topic about Win32: Vitro; it says to use fdisk, which I do not know what it is. I have one more question:

Could the malware be in the MBR, which is not fixed when I format?

It was removed, but a few days ago Vitro appeared again, along with Win32: Rootkit [RTK]; Vitro has not been here for a month.

Is there not anything I can do to at least discover which program downloads these malware?

Thank you.

I recommend installing this update: http://www.microsoft.com/downloads/details.aspx?displaylang=pt-br&FamilyID=0d5f9b6e-9265-44b9-a376-2067b73d6a03

It has been installed for 4 days. Could the malware not have turned it off? Can someone tell me whether this malware is about the update?