Win32:Rootkit-gen

[kyuuketsuki_kurai]

I just got 2 pop ups today from Avast regarding files that appear to be or are part of my Google Notifier.
I have put them in the chest for now, but I'm thinking it could be a false positive, since they appear to be legit files, as far as I can tell.
The files in question are:
C:\Program Files\Google\GoogleToolbarNotifier\swg-5.1.1309.15642\SearchWithGoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
These seem to be the only files coming up, but this happened while I had no internet connection, so it stuck me as odd. Can anyone comment on this?
Thanks for any help.
Kurai

[Jtaylor83]

Upload both files to VirusTotaland post results.

[kyuuketsuki_kurai]

SearchWithGoogleUpdate.exe comes up clean. http://www.virustotal.com/analisis/6b35b0442bddd946b01b0086b7a7edbc9707f6f99c69d5237143c86554d22b78-1247584120
swg.dll comes up detected by Avast and GData. http://www.virustotal.com/analisis/ae2575c44cf3047480bf3eb870f54df2c7a50c8ac252202df30cef75def90dd2-1247695569

[mathboyx215]

Could be false postive because g data uses the avast engine

[Milos]

Thanks for notice, will be fixed in next VPS update.

[kyuuketsuki_kurai]

So these are false positive, then?
I can restore them?

[DavidR]

Yes but you have to wait for the VPS to be updated, check (scan) the file from within the chest and when it isn't detected then you can Restore it.

Edit: attachments removed.

[kyuuketsuki_kurai]

Okay. Thank you very much for your assistance.

[DavidR]

You're welcome, there has been an update since your last post I believe  (current version 090716-1) check that you have it and scan the file again.

[silvermac]

hi guys can you help me this one....

my Last update was on may 6, 2009 and im not connected to internet for almost 2 months.. then after that i found rootkits in my pc... when i updating my pc it doest work and and the msg in VRDB is not done yet... what can i do to update and remove rootkits in my pc.. ty guys!!

[kyuuketsuki_kurai]

Please post what exactly was found (for example: Win32:Trojan-gen)and in what file(s).
Please, include file paths and be sure to take careful note in the spelling of the file names.

[silvermac]

hi  this is what i found....

C:\WINDOWS\SYSTEM32\nmdfgds0.dll
Rootkit: hidden process

[W8Lifter]

I got SEVERAL virus/worms/trojans the other day that wont allow me to load WinXP, so I am running in Safe Mode with Networking.

After many attempts, I was able to delete or move, but still have 2 that wont go away.

One is the Win32:Rootkit-gen ya'll are discussing. Im hoping there is a way to deal with them all, so Im going to list them here, rather than post in several separate threads.

I have:

Win32 Rootkit-gen UPS.exe  in C://Documents/Settings/UPS_NR1.exe

Win32 UPS (cryp) in  C://...../letter_UPS55364.doc

I tried moving, deleting, repairing & nothing works.

I just updated Avast defiinitions to no avail. The Win profile these files are in is not accessible and states there is 0 Files/0 Bytes, so I cant see them, modify, etc.

Is there a tool I can use to remove this and others? Sorry, but Im new to this problem, so please have patience. Thank you.

[Milos]

hi  this is what i found....

C:\WINDOWS\SYSTEM32\nmdfgds0.dll
Rootkit: hidden process

Hi,
all files with this filename submitted as false positives to us are not false positives.

Milos