
Avast detects a rootkit but is unable to delete it.


  • This topic is locked
11 replies to this topic

#1 colours

colours

  • Members
  • 90 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 06 December 2011 - 01:18 PM

Hi,
Avast detects a rootkit and asks if it should delete it. I say yes, it asks for a reboot and a boot scan, which I agree to... but then at the boot scan it doesn't detect anything and doesn't remove anything either. Later I get the message again stating that Avast has detected a rootkit in the c:system32 files... and I think it states that it's in the drive:sfloppy.sys
I also did an Avast full scan, which also shows that there is a threat, but when asked to delete it, it goes through the same process of restart > bootscan > nothing deleted, and again the same pop-up message.
I think Avast is unable to remove that threat.
Please help.

#2 colours

colours
  • Topic Starter

  • Members
  • 90 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 06 December 2011 - 01:28 PM

Here's the DDS report:

.
DDS (Ver_11-05-19.01) - FAT32x86
Internet Explorer: 8.0.6001.18702
Run by Digital choice at 23:54:03 on 2011-12-06
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.30 [GMT 5.5:30]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Digital choice\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
C:\Program Files\AVAST Software\Avast\defs\11120602\Sf.bin
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306150182687
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {BBA34E8B-D8E0-41C4-8E0F-D7E0FDF2B2F2} = 218.248.255.139,218.248.255.216
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\digital choice\application data\mozilla\firefox\profiles\7hbsh1p3.default\
FF - plugin: c:\documents and settings\digital choice\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\digital choice\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\digital choice\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-2 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-2 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-2 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-12-2 44768]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-12 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-12 136176]
.
=============== Created Last 30 ================
.
2011-12-02 18:05:24 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-02 18:04:57 41184 ----a-w- c:\windows\avastSS.scr
2011-12-01 00:32:38 -------- d-sh--w- C:\FOUND.090
2011-11-29 10:57:30 -------- d-sh--w- C:\FOUND.089
2011-11-28 19:23:30 -------- d-sh--w- C:\FOUND.088
2011-11-28 18:56:48 -------- d-sh--w- C:\FOUND.087
2011-11-28 18:27:44 -------- d-sh--w- C:\FOUND.086
2011-11-28 18:01:52 -------- d-sh--w- C:\FOUND.085
2011-11-28 17:08:32 -------- d-sh--w- C:\FOUND.084
2011-11-27 11:50:12 -------- d-sh--w- C:\FOUND.083
2011-11-25 21:16:42 -------- d-sh--w- C:\FOUND.082
2011-11-25 19:54:46 -------- d-sh--w- C:\FOUND.081
2011-11-16 16:58:32 -------- d-sh--w- C:\FOUND.079
.
==================== Find3M ====================
.
2011-12-02 10:15:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 23:55:43.26 ===============

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 06 December 2011 - 01:41 PM

Hi, please see this post, this is most likely a false positive detection.

Do you have any problem that actually points to an infection (pop ups, google redirects, extreme slowness)?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 colours

colours
  • Topic Starter

  • Members
  • 90 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 06 December 2011 - 04:19 PM

Thank you Elise.
The Avast pop-up was the only thing that worried me when I came here, but now that you gave me the link, I guess I don't have to worry.
But, while I'm here, do you see anything malicious in my dds report?

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 07 December 2011 - 02:56 AM

I see nothing malicious, but I see evidence a disk check was run multiple times. Did you do this yourself?

UPDATE XP
--------------
Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

regards, Elise


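Elise's observation that "a disk check was run multiple times" comes from the C:\FOUND.0xx directories in the "Created Last 30" section of the DDS log: chkdsk creates a hidden FOUND.NNN folder each time it recovers lost clusters, so a run of them is a timeline of repair passes, not malware. The following is an added example, not part of this thread and not DDS or BleepingComputer code: it splits a DDS report into its "===== NAME =====" sections, parses the date/time/size/attributes/path entries, and summarises the FOUND.NNN evidence. The sample log is a constructed excerpt of the lines posted above; the section names and entry layout are taken from that log, and the regexes are assumptions about the DDS text format rather than any official specification.

```python
import re
from collections import OrderedDict

# Constructed excerpt of the DDS report posted in this thread (paths as DDS prints them).
SAMPLE_DDS = r"""DDS (Ver_11-05-19.01) - FAT32x86
.
=============== Created Last 30 ================
.
2011-12-02 18:05:24 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-02 18:04:57 41184 ----a-w- c:\windows\avastSS.scr
2011-12-01 00:32:38 -------- d-sh--w- C:\FOUND.090
2011-11-29 10:57:30 -------- d-sh--w- C:\FOUND.089
2011-11-28 19:23:30 -------- d-sh--w- C:\FOUND.088
2011-11-28 18:56:48 -------- d-sh--w- C:\FOUND.087
2011-11-28 18:27:44 -------- d-sh--w- C:\FOUND.086
2011-11-28 18:01:52 -------- d-sh--w- C:\FOUND.085
2011-11-28 17:08:32 -------- d-sh--w- C:\FOUND.084
2011-11-27 11:50:12 -------- d-sh--w- C:\FOUND.083
2011-11-25 21:16:42 -------- d-sh--w- C:\FOUND.082
2011-11-25 19:54:46 -------- d-sh--w- C:\FOUND.081
2011-11-16 16:58:32 -------- d-sh--w- C:\FOUND.079
.
==================== Find3M ====================
.
2011-12-02 10:15:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
"""

# Assumed layout of a DDS section header: a run of '=' on each side of the name.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Assumed layout of a file entry: date time size attributes path ('--------' = no size).
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
# chkdsk recovery folders: \FOUND.NNN at the end of the path.
FOUND_RE = re.compile(r"\\FOUND\.(\d{3})$", re.IGNORECASE)


def split_sections(text):
    """Return an ordered mapping of section name -> raw lines (DDS '.' spacer lines dropped)."""
    sections = OrderedDict()
    current = "header"
    sections[current] = []
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if stripped == ".":
            continue
        sections[current].append(line)
    return sections


def parse_entries(lines):
    """Parse 'Created Last 30' / 'Find3M' style lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append({
            "date": date,
            "time": time,
            "size": None if size.startswith("-") else int(size),
            "attrs": attrs,
            "path": path,
            "is_dir": attrs.startswith("d"),
        })
    return entries


def chkdsk_evidence(sections):
    """Directories named FOUND.NNN, oldest first: one per chkdsk pass that recovered lost clusters."""
    entries = parse_entries(sections.get("Created Last 30", []))
    found = [e for e in entries if e["is_dir"] and FOUND_RE.search(e["path"])]
    return sorted(found, key=lambda e: (e["date"], e["time"]))


def summarize(text):
    """Headline numbers an analyst would quote back: how many passes, over what window, how clustered."""
    found = chkdsk_evidence(split_sections(text))
    per_day = {}
    for e in found:
        per_day[e["date"]] = per_day.get(e["date"], 0) + 1
    return {
        "found_dirs": len(found),
        "first": found[0]["date"] if found else None,
        "last": found[-1]["date"] if found else None,
        "per_day": per_day,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_DDS)
    print(f"{result['found_dirs']} FOUND.NNN folders between {result['first']} and {result['last']}")
    for day, n in sorted(result["per_day"].items()):
        print(f"  {day}: {n} chkdsk recovery folder(s)")
```

Five recovery folders on a single day (2011-11-28) match the poster's later description of a machine that kept rebooting and "did some kind of a scan" before each restart; that is the pattern of a failing disk or power problem, which is why the advice was a manual chkdsk /r rather than a malware removal tool.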


#6 colours

colours
  • Topic Starter

  • Members
  • 90 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 07 December 2011 - 03:57 PM

Thank you for replying. What is a disk check? I don't know what it is.
Just two days back I called someone to repair my computer because it wouldn't start. All they did was change something, and they told me it is called a battery.
If it's a software thing, I don't know. All I do is run Malwarebytes scans or Avast scans.

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 07 December 2011 - 04:05 PM

It is a scan of the filesystem structure and surface structure of your hard disk.

You can do this by clicking Start > Run, type chkdsk /r and press enter.
When asked to schedule the scan for next reboot, please do so (type Y and press enter).
Restart your computer and let the disk check run unhindered. Note, this may take a long time.

You'll not see any report except for what is on screen during the scan, but with what I see here it can't hurt to run it.

regards, Elise




#8 colours

colours
  • Topic Starter

  • Members
  • 90 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 07 December 2011 - 04:14 PM

Do you suggest I do that disk check now?
Sorry, I didn't understand if you explained what it was or asked me to do a disk check now.

PS: Could it be possible that my computer has done this disk check by itself? Because before I got my computer repaired, my computer would automatically shut down by itself and restart, and before restarting it did some kind of a scan. From your explanation I feel like it could be that. My computer did it by itself before restarting... and then finally shut down and didn't start at all. So I had to call people for repair.

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 08 December 2011 - 02:50 AM

Yes, that is quite possible. I would indeed recommend you to do the disk check now. It is possible that the one who repaired your computer did this as well, but to be sure, it doesn't hurt to repeat it.

regards, Elise




#10 colours

colours
  • Topic Starter

  • Members
  • 90 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 09 December 2011 - 07:40 PM

I did the disk check. At first I got an error message, then I noticed in your post that you had placed a space after chkdsk.
It did the scan and, as you said, I didn't get a report. However, I read something on screen that said "Windows finished disk check and didn't find any problem". There was something more too... but because the screen changed so quickly I couldn't read it.
So, I think it's all fine. Thank you so much.

Edited by colours, 09 December 2011 - 07:43 PM.


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 10 December 2011 - 05:05 AM

Good to hear that! :)

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Hiding Hidden Files
Please set your system to hide all hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check: Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software, then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise




#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 18 December 2011 - 12:29 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

