win32:Rootkit-gen [Rtk]

Yesterday, after the avast update, it started to beep, catching many files with this virus, win32:Rootkit-gen [Rtk]. It acted the same as Win32:AutoRun-BDI [Wrm], with which I had problems in January (actually exactly three months ago). It was creating files like D:/D.exe, and some pif and scr files in other locations. I thought I had got rid of it with the help of the DrWeb CureIt tool, as everything was OK for 3 months and all the scans with different programs showed no threats.

All those files were moved to the virus chest (but I had not deleted them, neither in January nor now).

And two other files avast also moved to the virus chest, identifying them as win32:Evo-gen [Susp].

I did the Malwarebytes scan yesterday; nothing was found. Now I’m performing a new scan. Will post a log later.

Hey, I suggest you follow this guide and attach your logs:

http://forum.avast.com/index.php?topic=53253.0

We need OTL, MBAM, AdwCleaner and aswMBR.

I will attach the logs as soon as I can.

But while I’m still doing the scan, avast went crazy again. I noticed that at those locations where the file creation was detected, there are now some TMP files created, like trzE8.tmp, trzE9.tmp, etc.
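The file names described in the thread (an executable dropped at a drive root such as D.exe, pif and scr files, and trz*.tmp files appearing in the same folders) are exactly the kind of indicators a quick triage listing can pull out of a volume before any cleaning tool is run. The script below is an added example and is not part of the thread or of any of the tools mentioned in it. It classifies files by name, location and modification time; the treatment of any executable type at a volume root and any trz<hex>.tmp name as suspicious is this example's own generalisation of what the poster saw, and the sample records (`SAMPLE_RECORDS`, `NOW`) are constructed for the demonstration.

```python
"""Triage listing for AutoRun-style dropper indicators (added example).

Flags files that match the patterns the thread describes: an executable at a
volume root, .pif/.scr files anywhere, trz<hex>.tmp temp files, and any such
file written recently. Run scan_tree("D:\\") against a real volume, or run
the module directly to see it classify the constructed sample records.
"""
from __future__ import annotations

import os
import re
import time
from dataclasses import dataclass, field
from typing import Iterable

# Executable-type extensions (the root-level check uses this set); .pif and
# .scr are additionally flagged anywhere because they are rarely legitimate
# outside system folders. The trz<hex>.tmp pattern generalises trzE8.tmp.
EXEC_EXT = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs"}
LEGACY_EXT = {".pif", ".scr"}
TRZ_TMP = re.compile(r"^trz[0-9a-f]{1,4}\.tmp$", re.IGNORECASE)


@dataclass
class Hit:
    path: str
    reasons: list = field(default_factory=list)


def classify(rel_path: str, mtime: float, now: float, recent_seconds: int) -> list[str]:
    """Return the reasons a file record is suspicious (empty list if none).

    rel_path is relative to the scanned volume root, so a path with no
    separator is a root-level file.
    """
    rel_path = rel_path.replace("\\", "/")
    name = rel_path.rsplit("/", 1)[-1]
    at_root = "/" not in rel_path
    ext = os.path.splitext(name)[1].lower()
    is_trz = TRZ_TMP.match(name) is not None
    reasons: list[str] = []
    if at_root and ext in EXEC_EXT:
        reasons.append("executable at volume root (AutoRun-style dropper)")
    if is_trz:
        reasons.append("trz<hex>.tmp temp file")
    if ext in LEGACY_EXT:
        reasons.append(f"{ext} legacy executable type")
    # Recency only matters for files that are executable or already match
    # the trz pattern; ordinary fresh temp files would otherwise drown the list.
    if (ext in EXEC_EXT or is_trz) and now - mtime <= recent_seconds:
        reasons.append(f"written within the last {recent_seconds}s")
    return reasons


def scan_records(records: Iterable[tuple[str, float]], now: float,
                 recent_seconds: int = 3600) -> list[Hit]:
    """Classify (relative path, mtime) pairs; return only the suspicious ones."""
    hits = []
    for rel_path, mtime in records:
        reasons = classify(rel_path, mtime, now, recent_seconds)
        if reasons:
            hits.append(Hit(rel_path, reasons))
    return hits


def scan_tree(root: str, recent_seconds: int = 3600) -> list[Hit]:
    """Walk a real folder or volume (e.g. 'D:\\') and classify every file."""
    def records():
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                full = os.path.join(dirpath, fname)
                try:
                    mtime = os.stat(full).st_mtime
                except OSError:
                    continue  # unreadable or already gone; skip it
                yield os.path.relpath(full, root), mtime
    return scan_records(records(), time.time(), recent_seconds)


# Constructed sample: a reference clock and a handful of file records.
NOW = 1_700_000_000.0
SAMPLE_RECORDS = [
    ("D.exe", NOW - 120),                              # fresh root-level dropper
    ("autorun.inf", NOW - 120),                        # not executable; not flagged here
    ("Windows/Temp/trzE8.tmp", NOW - 30),              # fresh trz temp file
    ("Windows/Temp/trzE9.tmp", NOW - 90_000),          # old trz temp file, still suspicious
    ("Users/Public/photo.scr", NOW - 3 * 86_400),      # .scr outside system folders
    ("Users/Public/report.docx", NOW - 60),            # benign recent document
    ("Program Files/App/app.exe", NOW - 400 * 86_400), # old executable in a normal place
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS, NOW):
        print(f"{hit.path}: {'; '.join(hit.reasons)}")
```

Run against a real volume, `scan_tree` lists the same kind of hits avast was alerting on, which lets you see whether new files keep appearing at a location after a cleaning pass, the situation the poster describes after TFC.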

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Finished the Malwarebytes scan; it found those tmp files as threats.

Then did that TFC thing; after the reboot, avast again started beeping, and new tmp files were created.

The Malwarebytes log says no action taken. Did you click the Remove Selected button after the scan?

Ehm, no. Should I run Malwarebytes again then?

Yes… update and run.

And install this: http://mcshield.net/

Well, I am doing the MB scan again, but meanwhile avast detects the creation of new files. So the new files that are detected will not show up in the scan report for the areas already scanned. Maybe I should adjust the settings and try to scan only the locations (if possible) the threats are detected in. I will still finish this full scan and then try to do a new one.

Go directly to the OTL scan on completion, please.

OTL logs

So, what should I do next?

You wait for essexboy to be back :wink:

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • Allow the installation of the recovery console.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Downloaded it, but I’m not sure it’s working.

The last sentence in the blue box says:
t was unexpected at this time.

No, it’s not doing anything; I’ve now closed it. Meanwhile, more and more crap files were created while avast was turned off.

OK, could you reboot to safe mode and run it from there?

The same… No change.

OK, download a fresh copy of ComboFix, but this time rename it to svchost, then retry.

Also in safe mode?