Win32:Rootkit-gen [Rtk]

Hello, fine people.
So, Avast! told me I had this rootkit in explorer.exe and said I should run a boot scan. I did; it found the same thing again, but I couldn’t do anything but ignore it (couldn’t delete, repair, etc.).
I ran Avast! again from Windows, and it found the same problem in C:\Windows\explorer.exe; C:\Windows\W7SOC\explorer.exe; and C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364… Avast! was able to move the W7SOC\ and \winsxs\ versions of explorer.exe to the chest, but again couldn’t do anything about Windows\explorer.exe.
Note: W7SOC is just a silly thing to customize the start button’s look, I have had it for ages.

Then I ran Malwarebytes Anti-Malware; it didn’t detect anything.
Then I ran Trend Micro RootkitBuster; it didn’t detect anything.
Then I ran OTL (attaching the logs).

I ran Avast! on Windows\explorer.exe and it still had the virus, but I found the Windows backup (explorer.backup.exe) right next to it. Avast! said that backup file was clean.
So after some fiddling I managed to manually delete explorer.exe and replace it with the explorer.backup.exe.

Now, my question is should I do anything else? Would you do something else to make sure you are clean?

Thanks for reading and any help you offer!
Cheers.
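Before trusting a manually replaced system binary, it is worth checking that the file now sitting in C:\Windows is actually a Microsoft-signed explorer.exe and that Windows' own integrity check agrees. The following is an added example, not code from the thread or from Avast: it assumes the file paths the poster listed, assumes PowerShell 4.0 or later for Get-FileHash, and uses a wildcard for the WinSxS directory name because only its prefix is visible in the thread.

```powershell
# Added example (not from the original thread): sanity-check the restored explorer.exe.
# Assumptions: paths as listed in the post; PowerShell 4.0+ (for Get-FileHash);
# run from an elevated prompt so sfc can read the protected copy.
$target = 'C:\Windows\explorer.exe'

# 1. Authenticode signature: a genuine Windows binary carries a valid Microsoft signature.
$sig = Get-AuthenticodeSignature -FilePath $target
"{0}: {1} (signer: {2})" -f $target, $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Warning "Signature check failed; do not trust this copy of explorer.exe."
}

# 2. Compare its SHA-256 hash with the copies Windows keeps in the component store (WinSxS).
#    The component directory name is only partially shown in the thread, so it is globbed here.
$targetHash = (Get-FileHash -Algorithm SHA256 -Path $target).Hash
Get-ChildItem 'C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364*' -Directory |
    ForEach-Object { Join-Path $_.FullName 'explorer.exe' } |
    Where-Object { Test-Path $_ } |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -Path $_).Hash
        $verdict = if ($h -eq $targetHash) { 'MATCH  ' } else { 'DIFFERS' }
        "{0}  {1}" -f $verdict, $_
    }

# 3. Let Windows Resource Protection verify the file against its protected copy.
sfc /verifyfile=C:\Windows\explorer.exe
```

A hash that differs from an older WinSxS copy is not by itself a sign of tampering, since the component store can hold several versions of the same binary; the Authenticode result and the sfc verdict are the decisive checks.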

Hi there, could you update Avast, as that was a false positive two days ago?

Hey! Thanks for the quick response.

Well, it’s weird. This happened yesterday, and I was guessing it detected the threat right after updating itself (I have automated antivirus definition updates and “ask me when a program update is available”). The W7SOC and winsxs versions of explorer.exe are still in the chest, and I just ran Avast! on its own chest folder and it didn’t detect anything, so I guess it wasn’t fully up to date yesterday. OK, just knowing it’s highly likely it was just a false positive is a relief.
Thanks!

If they now show clear you can restore them from the chest :)

Yeah, OK!

Could be this … or done by a streaming update.

9.3.2014 - 140309-1
This VPS update contains only fixes to existing definitions or removal of false alarms.