Avast WEBforum
Other => Viruses and worms => Topic started by: enovak on October 26, 2012, 11:54:40 PM
-
Ran a scan today and Avast found Threat: Rootkit: hidden file, plus four other files that indicated Error: Data error (cyclic redundancy check) (23)
The rootkit is associated with:
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#\0c4ec58f70e0fe6e74458c35fb260e2d\Syste.Runtime.Caching.ni.dll
The 4 files that indicated the CRC error were:
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#
C:\WINDOWS\Temp\FLT1985.tmp
C:\WINDOWS\Temp\FLT1986.tmp
A boot scan did not yield any problems.
A subsequent Full System scan yielded the same result as above.
I cannot move the file to the chest, repair it, or remove it.
What are my next steps to remove this? Is it a legitimate threat?
Thank you!
-
A CRC error means that the file is corrupt
-
Am I actually infected with a rootkit? Or is the file simply corrupted?
Also is there a way to resolve this?
Thank you in advance for all your help!
-
The only way to determine that is to run a scan
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
-
Running scan now. It flagged that same file. I will post the complete scan when it finishes.
Thank you
-
Attached is the log from the aswMBR scan.
-
How is the computer behaving, any problems ?
-
No errors or strange behavior, just sometimes there is a lot of disk activity that I can't account for which slows the system down. In some cases I see AppleMobileDeviceServices chewing up 50% of my CPU - I kill that process and that resolves that. I believe it is a known problem with Apple?
Also sometime the WLTRAY.EXE process seems to have a memory leak and consumes more and more memory. A reboot resolves that.
No strange behavior on reboot.
I also ran an ESET online scan on the laptop, but it only found two undesirable apps that I may not want - and those were recent installs that I have since removed.
Has aswMBR actually removed/resolved/repaired the file in question?
-
No it just noted that it was hidden, that in itself is not a problem.. As some windows files are hidden
-
Any thoughts on how to clear this with regard to the scan? This has never shown up before. And boot scan does not indicate anything. I am running another ESET scan currently and will let you know if it yields anything.
Just concerned that there is something lurking...
-
If you are concerned I could delete the file, but a programme that uses dotnet may not function properly
-
Can I remove support for .Net and then restore/install support for .Net? Do you think that would resolve it? Since Avast keeps finding the CRC errors on those files?
-
With the CRC errors it may be prudent to remove all dotnet versions and install just the ones you need
Download the dotnet cleanup tool from here http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-08-90-44-93/dotnetfx_5F00_cleanup_5F00_tool.zip to your desktop
Extract Cleanup_tool.exe to the desktop and run
Then re-run aswMBR
-
Ran the cleanup tool and removed all versions of .Net - but aswMBR reports the same thing.
See attached log
-
OK I shall now kill it for you
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Files
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#\0c4ec58f70e0fe6e74458c35fb260e2d\System.Runtime.Caching.ni.dll
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Here is the log result that popped up upon reboot.
I have not re-run OTL yet. Please let me know if I need to re-run OTL in scan mode, and whether I need to paste the same information in the scan files area before the scan.
-
According to OTL that file is not on your system
Lets see if there is an additional copy, or if it is created by the net framework as required
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
/md5start
System.Runtime.Caching.ni.dll
/md5stop
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
Here are the results of the scan - and thank you again for all your help!
-
Just in case the previous logs were the ones from the wrong run, here are the correct ones:
-
Still can't find it... Lets go fishing
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Here is the resulting log from CombFix. I am not sure the system rebooted as I was not at the console when it ran to completion.
-
And here is the C:\ComboFix.txt file you requested.
-
Not even combofix/GMER is finding a hidden file there... I wonder if it is associated with SAS as I believe that uses the net framework
-
I don't know what SAS is. Should I try re-installing .Net framework to see if it will over-write the file?
-
Is SAS Super Anti-Spyware app? I do have that installed - or at least I did at one time.
-
Is SAS Super Anti-Spyware app? I do have that installed - or at least I did at one time.
Yes SAS is Super AntiSpyware.
I have SAS Pro, but resident protection is disabled (as I also have MBAM) and I haven't come across anything like this. I have a whole slew of different .net framework versions.
-
Yes try a re-install