Hi guys. Please answer quickly if you can help.
I am running Windows 7 Pro 6.1.7601 SP 1 b7601
I use avast as my virus scanner (the free one).
I was recently going through some old install files I found on an external HD and seem to have gotten infected by one of them. It would be awesome if I knew which one it was so that it didn’t happen again, but for now let’s just focus on getting rid of it. Then if it happens again I will already know how to and will quickly get rid of whatever caused it.
I keep getting this notification from avast every few hours:
Threat Blocked
Object: http://47.88.216.68:8888/test.dat
Infection: Win32: Rootkit_gen [Rtk]
Process: C:\Windows\System32\wbem\scrcons.exe
I ran a rootkit scan but fell asleep so I am not sure what it said, but the computer booted up fine the next morning. Then the threat blocked messages came back.
This is driving me crazy.
I don’t want to just go in and delete a file from Sys32 because that could be potentially very stupid.
I downloaded and ran a full scan with Malwarebytes and it can’t find anything.
I am currently downloading HijackThis so I can run a scan with that and be able to post logs.
Can anyone help me out? I haven’t gotten an infection in like 10 years and don’t know what to do exactly…
Avast’s Rootkit Scan at boot found nothing.
Ran HijackThis scan. Here’s the results:
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 13:50:33, on 2017-05-05
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.18639)
Boot mode: Normal

Running processes:
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Safe In Cloud\SafeInCloud.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
C:\Users\klear6\Downloads(From Maxthon)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.duckduckgo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = (IE Sux)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll
O2 - BHO: Evernote extension - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
O2 - BHO: Logitech SetPoint - {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll
O4 - HKLM..\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM..\Run: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
O4 - HKLM..\Run: [EaseUS Cleanup] "C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.0\bin\CleanUpUI.exe" 10 300
O4 - HKLM..\Run: [Dropbox] "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
O4 - HKLM..\Run: [EaseUS EPM Tray Agent] "C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.0\bin\TrayPopupE\TrayTipAgentE.exe"
O4 - HKCU..\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
O4 - HKCU..\Run: [Pushbullet] "C:\Program Files (x86)\Pushbullet\pushbullet.exe" -show false
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User ‘NETWORK SERVICE’)
O4 - Startup: Astrill.lnk = C:\Program Files (x86)\Astrill\astrill.exe
O4 - Startup: Send to OneNote.lnk = C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
O4 - Startup: Trillian.lnk = C:\Program Files (x86)\Trillian\trillian.exe
O4 - Global Startup: Maxthon.lnk = C:\Program Files (x86)\Maxthon5\Bin\Maxthon.exe
O8 - Extra context menu item: &Links to this page - C:\ProgramData\AVG\AWL2015\Web\gbacklinks.htm
O8 - Extra context menu item: &Similar pages - C:\ProgramData\AVG\AWL2015\Web\gsimilar.htm
O8 - Extra context menu item: Se&nd to OneNote - res://C:\Program Files (x86)\Microsoft Office\Root\Office16\ONBttnIE.dll/105
O8 - Extra context menu item: Translate this page with Google - C:\ProgramData\AVG\AWL2015\Web\gtranslate.htm
O8 - Extra context menu item: View old version at &archives.org - C:\ProgramData\AVG\AWL2015\Web\tuarch.htm
O9 - Extra button: @C:\Program Files (x86)\Evernote\Evernote\OLIEResource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\AddNote.html
O9 - Extra ‘Tools’ menuitem: @C:\Program Files (x86)\Evernote\Evernote\OLIEResource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\AddNote.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\asproxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\asproxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\asproxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\asproxy.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\asproxy.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Astrill OpenVPN Service (ASOVPNHelper) - Astrill - C:\Program Files (x86)\Astrill\ASOvpnSvc.exe
O23 - Service: ASProxy - Astrill - C:\Program Files (x86)\Astrill\ASProxy.exe
O23 - Service: aswbIDSAgent - AVAST Software s.r.o. - C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
O23 - Service: Avast Antivirus (avast! Antivirus) - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: DbxSvc - Unknown owner - C:\Windows\system32\DbxSvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Integrated Clock Controller Service - Intel(R) ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: Intel(R) HD Graphics Control Panel Service (igfxCUIService1.0.0.0) - Unknown owner - C:\Windows\system32\igfxCUIService.exe (file missing)
O23 - Service: Intel(R) Capability Licensing Service Interface - Intel(R) Corporation - C:\Program Files\Intel\iCLS Client\HeciServer.exe
O23 - Service: Intel(R) Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: Malwarebytes Service (MBAMService) - Malwarebytes - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MxService - Maxthon International ltd. - C:\Program Files (x86)\Maxthon5\Bin\MxService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: RealtekWlanU - Realtek - C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RtlService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Realtek DHCP Service (RTLDHCPService) - Realtek - C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe
O23 - Service: RunSwUSB - Unknown owner - C:\Windows\runSW.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SAMSUNG Mobile Connectivity Service (ss_conn_service) - DEVGURU Co., LTD. - C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
O23 - Service: AVG PC TuneUp Service (TuneUp.UtilitiesSvc) - AVG Technologies - C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 12161 bytes
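The process in the avast alert, C:\Windows\System32\wbem\scrcons.exe, is the legitimate Windows host for WMI ActiveScriptEventConsumer objects, so deleting it is not the fix: the thing to find is the permanent WMI event subscription that keeps telling it to fetch that URL, which lives in the WMI repository rather than in a file a disk scan would catch. The PowerShell below is an added example, not part of the original post; it lists the filters, consumers and bindings in root\subscription and flags any script consumer whose text mentions the address from the alert, assuming an elevated PowerShell 2.0 or later prompt (the Windows 7 default) and making no changes.

```powershell
# Added example (not from the original post): read-only enumeration of permanent
# WMI event subscriptions, the mechanism that launches scrcons.exe.
# Assumes an elevated PowerShell 2.0+ session on Windows 7.
$ns = 'root\subscription'

# 1. Event filters: the WQL trigger (for example a timer or process-start event)
Write-Host '=== __EventFilter ==='
Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue |
    Select-Object Name, EventNamespace, Query | Format-List

# 2. Consumers: what runs when a filter fires. scrcons.exe hosts
#    ActiveScriptEventConsumer (VBScript/JScript); CommandLineEventConsumer
#    launches an arbitrary command line, so both are listed.
Write-Host '=== ActiveScriptEventConsumer ==='
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name, ScriptingEngine, ScriptFileName, ScriptText | Format-List

Write-Host '=== CommandLineEventConsumer ==='
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name, ExecutablePath, CommandLineTemplate | Format-List

# 3. Bindings: which filter is wired to which consumer
Write-Host '=== __FilterToConsumerBinding ==='
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Select-Object Filter, Consumer | Format-List

# 4. Flag script consumers that reference the address from the avast alert or
#    the usual download-and-run objects. The first two patterns come from the
#    alert in the post; the rest are generic indicators chosen for this example.
$patterns = '47\.88\.216\.68', 'test\.dat', 'XMLHTTP', 'WScript\.Shell', 'powershell'
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object {
        $consumer = $_
        $hits = $patterns | Where-Object { $consumer.ScriptText -match $_ }
        if ($hits) {
            Write-Warning ("Suspicious consumer '{0}' matches: {1}" -f $consumer.Name, ($hits -join ', '))
        }
    }
```

A consumer whose script text downloads and runs a remote file is the entry to remove; once confirmed, the binding, the consumer and the filter can each be deleted with Remove-WmiObject, after which scrcons.exe has nothing left to execute.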