win32:Rootkit-gen [Rtk] on many system files since 2010-02-27 - URGENT

Hi

Since the last update of my Avast 5 (2010-02-27), I now have many system files in my virus chest ??? annotated win32:Rootkit-gen [Rtk] ???

I can get online to listen, if necessary …

This is not good for my mini-laptop and I now have many problems with that … (no problem before that)

I use genuine Windows XP French (up-to-date, SP3 and more, last update 26 or 27 Feb), Spybot (up-to-date) and Firefox 3.6 (up-to-date).

WHY ???

How do I restore the situation (remove these system files from the chest) ???
Not possible to do a restoration in safe mode (26 Feb or before)

Please, thanks for your rapid answers now. (sorry for my English)

René Paul

Some examples of the file names and the original location might help, e.g. (C:\windows\system32\infected-file-name.xxx)?

Restoring from the chest requires that the file isn’t considered infected, so if that isn’t the case then avast won’t let that happen. So what errors are you getting when you try to restore?

Is it possible to extract a list from the chest?

If not, I can attach a printscreen of this in this forum, or just write some example files?

In the chest: with a right click on a file, I can restore (overwrite), but if I scan the file afterwards, it is always win32:Rootkit-gen [Rtk]

Restoration in safe mode does not work, no error message, just: not possible to restore at this point (date)…

A selective screenshot would be fine so the image isn’t too big (file size wise), see example.

avast doesn’t run in safe mode, so the services required for the chest to function fully may not be running.

first attachment …

second attachment …

and third attachment …

That is a boat load of detections and for the life of me I can’t believe they are all wrong, and the drivers folder is a common folder for rootkits. I have never seen anything of this magnitude before in almost 6 years on the forums.

It really is hard to suggest where to start or how this might have started, but two areas could well have been a start point: one, the keygen.exe file, which is commonly going to carry unwanted guests, and the second, fjhdyfhsn.bat, which could start the ball rolling.

The great majority have a last-changed date/time very close together, but then again the transfer time is also the same. So I don’t know if this was the result of a massive attack or not.

What avast! version and VPS file (virus definitions) number, e.g. 4.8.1368 (or 5.0.418) and 100228-0 (see About avast!)?

Were these detected during a routine on-demand scan that you ran, or detected by the resident on-access scan?

Hi, that looks really bad. Rather than do an analysis first, I will go straight in with two tools that are pretty potent.

Download TDSSKiller and save it to your Desktop.

[*]Extract the file and run it.
[*]Once completed it will create a log in your C: drive
[*]Please post the contents of that log

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

I’ll be back later

I do not understand: everything was OK, and on February 27 everything went dark.

I rarely download and I’m not going to potentially dangerous sites.

I’m doing very well with computers and my system was flawless.

thanks for your support and attention.

Best René

Hi Rene, be advised it is quite late here in the UK and I may be safely tucked up in bed by the time you post the logs. But I will look at them first thing in the morning.

Me also … Yet all this happened on February 27, suddenly, after the last update of Avast. I closed my computer with 2-3 error messages and on opening it the next day, bingo …

For keygen.exe, I know what it is and the antivirus properly responded by chesting it …

For fjhdyfhsn.bat, I don’t know …

I do not know why, but it is the antivirus that has reacted. I had only read my articles from RSS feeds with Google Reader before leaving (in Firefox) …

Program version: 5.0.418
Virus definitions version: 100228-1

detected by the resident on-access scan

United Kingdom + 5h versus Canada :wink:

The attachment file …

File attachment …

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


Fcopy::
c:\windows\system32\drivers\aec.sys | c:\windows\system32\dllcache\aec.sys


  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*] Combofix.txt.
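Added example, not code from this thread and not part of ComboFix: the Fcopy:: directive above overwrites the live driver in system32\drivers with the copy Windows keeps in system32\dllcache. Before doing that, a defender can check whether the two copies actually differ, which is also a quick way to see which quarantined system files were modified and which are untouched (and so more likely false positives). The script below hashes the live and cached copy of each listed driver, reports the status, and builds Fcopy:: lines only for the files that differ or are missing. aec.sys is the driver named in the post; the directories, file contents, and the names intact.sys and nocache.sys are constructed in a temporary folder so it runs anywhere, and on a real XP machine you would point it at the real paths from the post instead.

```python
"""Compare system32\\drivers files against their dllcache copies (added example).

Reports, per driver name, whether the live copy matches the cached one, then
emits a ComboFix-style Fcopy:: block for the files that really need restoring.
Sample directories and file contents are constructed below; nothing here is
taken from a real machine.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large drivers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(live_dir, cache_dir, names):
    """Return {name: 'match' | 'differs' | 'missing-live' | 'missing-cache'}."""
    report = {}
    for name in names:
        live = os.path.join(live_dir, name)
        cache = os.path.join(cache_dir, name)
        if not os.path.isfile(cache):
            report[name] = "missing-cache"      # nothing to restore from
        elif not os.path.isfile(live):
            report[name] = "missing-live"       # quarantined or deleted
        elif sha256_of(live) == sha256_of(cache):
            report[name] = "match"              # identical bytes, restore is a no-op
        else:
            report[name] = "differs"            # live copy was changed
    return report


def fcopy_lines(report, live_dir, cache_dir):
    """Build the Fcopy:: block (target | source) for files that differ or are gone."""
    lines = ["Fcopy::"]
    for name, status in sorted(report.items()):
        if status in ("differs", "missing-live"):
            lines.append(f"{os.path.join(live_dir, name)} | {os.path.join(cache_dir, name)}")
    return lines


def demo():
    """Constructed sample: one altered driver, one intact, one with no cache copy."""
    root = tempfile.mkdtemp(prefix="drvcheck-")
    live = os.path.join(root, "drivers")
    cache = os.path.join(root, "dllcache")
    os.makedirs(live)
    os.makedirs(cache)

    original = b"MZ constructed aec driver image"
    # aec.sys: live copy has extra bytes appended relative to the cached copy
    with open(os.path.join(cache, "aec.sys"), "wb") as f:
        f.write(original)
    with open(os.path.join(live, "aec.sys"), "wb") as f:
        f.write(original + b"\x90" * 16)
    # intact.sys (constructed name): both copies identical
    for folder in (live, cache):
        with open(os.path.join(folder, "intact.sys"), "wb") as f:
            f.write(b"MZ constructed intact driver image")
    # nocache.sys (constructed name): only a live copy exists

    with open(os.path.join(live, "nocache.sys"), "wb") as f:
        f.write(b"MZ constructed driver without a cache copy")

    report = compare_copies(live, cache, ["aec.sys", "intact.sys", "nocache.sys"])
    return report, fcopy_lines(report, live, cache)


if __name__ == "__main__":
    status, script = demo()
    for name, state in sorted(status.items()):
        print(f"{name}: {state}")
    print("\n".join(script))
```

A match only tells you the two copies are the same bytes; it does not say either one is clean. If the dllcache copy is itself in the chest or has a recent modification time, compare against a copy taken from the XP install media or the service pack instead of trusting dllcache.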

File attachment …

Have you updated avast, and are you still getting the rootkit alerts?

I am in safe mode with networking, the strict minimum …

Avast is not running and I’m not sure it can operate in this mode. No update since yesterday.

I have no warning message, but given the number of system files in the chest, there are too many problems in normal mode; it is unable to function well.

Are you able to restore the files from the chest?