Win32:Rootkit-gen (Rtk)

Hello,

Okay here I go… I am looking for hard and fast solutions for this one…
For some reason Avast has detected a worm or – on my computer.
Keeps on warning me: Avast! On-access scanner message Malware was found.

C:\Huadio.tmp contains a sample of Win32:Rootkit-gen (Rtk)
The continuous recommendation is: Move to chest…
I have done that several times

Avast has scanned my system in DOS mode…
In DOS mode and normal running mode: I have deleted, moved and even renamed it several times, but the warning still keeps coming back

How do I remove, delete and/or get rid of it permanently so that Avast doesn’t keep sending me the malware warning that it is…?

??? ??? ???

Please send all suggestions to my email address: bradf36972@yahoo.com

Thank you,

Brad Friedman

Dear all:
I have the same situation.
According to the avast log file’s PID, “huadio.tmp” is made from ashServ.exe.
This program is avast’s file.
Does avast have a bug?

Could be a false positive, maybe.

Upload the file to VirusTotal and post the results.

I have the same problem. It started when I reregistered Avast and did an update.
The file analysis is:

File huaudio.sys received on 07.15.2008 07:34:15 (CET)
Current status: finished

Result: 7/33 (21.21%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.7.11.0 2008.07.14 -
AntiVir 7.8.0.64 2008.07.14 TR/Rootkit.EIG
Authentium 5.1.0.4 2008.07.15 -
Avast 4.8.1195.0 2008.07.14 Win32:Rootkit-gen
AVG 7.5.0.516 2008.07.14 Dropper.Agent.IYM
BitDefender 7.2 2008.07.15 -
CAT-QuickHeal 9.50 2008.07.14 -
ClamAV 0.93.1 2008.07.15 -
DrWeb 4.44.0.09170 2008.07.14 -
eSafe 7.0.17.0 2008.07.14 -
eTrust-Vet 31.6.5954 2008.07.14 -
Ewido 4.0 2008.07.14 -
F-Prot 4.4.4.56 2008.07.14 -
F-Secure 7.60.13501.0 2008.07.15 -
Fortinet 3.14.0.0 2008.07.14 -
GData 2.0.7306.1023 2008.07.15 Win32:Rootkit-gen
Ikarus T3.1.1.26.0 2008.07.15 Virus.Win32.Rootkit
Kaspersky 7.0.0.125 2008.07.15 -
McAfee 5338 2008.07.14 -
Microsoft 1.3704 2008.07.15 -
NOD32v2 3267 2008.07.15 -
Norman 5.80.02 2008.07.14 W32/Rootkit.EIG
Panda 9.0.0.4 2008.07.14 -
Prevx1 V2 2008.07.15 -
Rising 20.53.10.00 2008.07.15 -
Sophos 4.31.0 2008.07.15 -
Sunbelt 3.1.1536.1 2008.07.12 -
Symantec 10 2008.07.15 -
TheHacker 6.2.96.379 2008.07.14 -
TrendMicro 8.700.0.1004 2008.07.15 -
VBA32 3.12.8.0 2008.07.15 -
VirusBuster 4.5.11.0 2008.07.14 -
Webwasher-Gateway 6.6.2 2008.07.14 Trojan.Rootkit.EIG
Additional information
File size: 5311 bytes
MD5…: 17db4fcbdc84e1d5c4962d6491886755
SHA1…: dd7b0e7c2b64f4a51dde50202e4ebcece3888ad2
SHA256: 0e98207a3a968b40c314d8c491bfe84c6bc9e935764dd1265af29042e7049b32
SHA512: 12b8c148944ed27768b4616a98e4d5c37a00042ab38c0fbe98a40bdd409a16a3cbc0501b1c34435363b94aa5e88672869f979b10405fbc2a4b68523a00aa18e5
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1029e
timedatestamp…: 0x3d62f11f (Wed Aug 21 01:47:11 2002)
machinetype…: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x280 0x862 0x880 6.22 12c1379f93274f616a475f7618f1fc40
.rdata 0xb00 0xb4 0xc0 2.54 ad77934cccd49daeeaea21d5b5fb91b9
INIT 0xbc0 0x252 0x260 5.08 9dea09b7aa9b2e55c500a9a8d87181a5
.rsrc 0xe20 0x3b0 0x3c0 3.39 2c1da13939d4a86831ca554530719f98
.reloc 0x11e0 0x76 0x80 3.05 b11f2e108fbd3ac4d3890b2d2060d364

( 2 imports )

ntoskrnl.exe: ZwUnmapViewOfSection, ZwOpenSection, ZwClose, MmGetPhysicalAddress, ZwMapViewOfSection, IoDeleteSymbolicLink, IofCompleteRequest, RtlInitUnicodeString, IoCreateDevice, IoCreateSymbolicLink, IoDeleteDevice, MmAllocateContiguousMemory, MmFreeContiguousMemory
HAL.dll: HalTranslateBusAddress, WRITE_PORT_ULONG, WRITE_PORT_USHORT, WRITE_PORT_UCHAR, READ_PORT_ULONG, READ_PORT_USHORT, READ_PORT_UCHAR

( 0 exports )

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
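A small triage helper for the VirusTotal report quoted above, added here as an example and not part of the original post: it parses the compact-print rows, recomputes the detection ratio, decodes the PE timedatestamp the way the report prints it, and lists which of the driver's imports give raw hardware access. The row excerpt is constructed from the report, and the HARDWARE_ACCESS set is an assumption chosen for illustration.

```python
import re
from datetime import datetime, timezone
# Constructed excerpt of the VirusTotal "compact print" rows quoted above;
# columns are engine, version, last update, result ("-" = no detection).
VT_ROWS = """\
AhnLab-V3 2008.7.11.0 2008.07.14 -
AntiVir 7.8.0.64 2008.07.14 TR/Rootkit.EIG
Avast 4.8.1195.0 2008.07.14 Win32:Rootkit-gen
AVG 7.5.0.516 2008.07.14 Dropper.Agent.IYM
Norman 5.80.02 2008.07.14 W32/Rootkit.EIG
Prevx1 V2 2008.07.15 -
"""

# Imports copied from the PEInfo block of the report, keyed by module.
IMPORTS = {
    "ntoskrnl.exe": ["ZwUnmapViewOfSection", "ZwOpenSection", "ZwClose",
                     "MmGetPhysicalAddress", "ZwMapViewOfSection",
                     "IoCreateDevice", "MmAllocateContiguousMemory"],
    "HAL.dll": ["HalTranslateBusAddress", "WRITE_PORT_ULONG", "READ_PORT_UCHAR"],
}

# Kernel APIs that give a driver raw access to I/O ports or physical memory.
# Legitimate hardware-utility drivers use them too, which is one reason a
# generic "Rootkit-gen" heuristic fires (assumption: set chosen for illustration).
HARDWARE_ACCESS = {
    "READ_PORT_UCHAR", "READ_PORT_USHORT", "READ_PORT_ULONG", "WRITE_PORT_UCHAR",
    "WRITE_PORT_USHORT", "WRITE_PORT_ULONG", "HalTranslateBusAddress",
    "MmGetPhysicalAddress", "MmAllocateContiguousMemory", "ZwOpenSection", "ZwMapViewOfSection",
}
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

def parse_vt(text):
    """Compact-print rows -> list of (engine, version, updated, result or None)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header and blank lines do not match the four-column shape
            engine, ver, upd, res = m.groups()
            rows.append((engine, ver, upd, None if res == "-" else res))
    return rows

def detection_ratio(rows):
    """(detections, engines): the pair VirusTotal prints as e.g. 7/33."""
    return sum(1 for r in rows if r[3]), len(rows)

def pe_timestamp(raw):
    """Decode a PE timedatestamp (seconds since 1970, UTC) as the report prints it."""
    return datetime.fromtimestamp(raw, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")

def hardware_access_imports(imports):
    """Imported functions that touch I/O ports or physical memory directly."""
    return sorted(f for funcs in imports.values() for f in funcs if f in HARDWARE_ACCESS)
```

Run against the full 33-row table from the report, detection_ratio returns (7, 33), matching the "Result: 7/33" line.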

You may want to look at this.

I have the same problem

The virus is called Win32:Rootkit-gen [Rtk]
File name: C:\WINDOWS\system32\pphc38gj0ej0j.exe
Software type: Rootkit (concealer)

This is an English-only forum. Translation please.

Follow the instructions in my post.

Translation: Spanish (automatically detected) » English

I have the same problem

The virus is called Win32: Rootkit-gen [RTK]
Filename: C:\WINDOWS\system32\pphc38gj0ej0j.exe
Type software: Rootkit (accessories)

Upload pphc38gj0ej0j.exe to VirusTotal (multi-engine on-line virus scanner) and report the findings of these files here.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

The pphc38gj0ej0j.exe file name looks like it is randomly generated (usually Vundo or that family), so you could try SUPERantispyware On-Demand only in free version.