Author Topic: Avast reports rookit:hidden file on scan, but can't remove/repair/move file  (Read 3363 times)

Offline enovak

Ran a scan today and Avast found Threat: Rootkit: hidden file, plus four other files that indicated Error: Data error (cyclic redundancy check) (23)

The rootkit is associated with:

C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#\0c4ec58f70e0fe6e74458c35fb260e2d\System.Runtime.Caching.ni.dll

The 4 files that indicated the CRC error were:

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#
C:\WINDOWS\Temp\FLT1985.tmp
C:\WINDOWS\Temp\FLT1986.tmp

A boot scan did not yield any problems.

A subsequent Full System scan yielded the same result as above.

I cannot move the file to the chest, repair it, or remove it.

What are my next steps to remove this?  Is it a legitimate threat?

Thank you!

Offline essexboy

A CRC error means that the file is corrupt

Offline enovak

Am I actually infected with a rootkit?  Or is the file simply corrupted?

Also is there a way to resolve this?

Thank you in advance for all your help!

Offline essexboy

The only way to determine that is to run a scan

Download aswMBR.exe ( 4.5mb ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply

Offline enovak

Running scan now.   It flagged that same file.  I will post the complete scan when it finishes.

Thank you

Offline enovak

Attached is the log from the aswMBR scan.

Offline essexboy

How is the computer behaving, any problems ?

Offline enovak

No errors or strange behavior, just sometimes there is a lot of disk activity that I can't account for which slows the system down.  In some cases I see AppleMobileDeviceServices chewing up 50% of my CPU - I kill that process and that resolves that.  I believe it is a known problem with Apple?

Also sometimes the WLTRAY.EXE process seems to have a memory leak and consumes more and more memory.  A reboot resolves that.

No strange behavior on reboot.

I also ran an ESET online scan on the laptop, but it only found two undesirable apps that I may not want - and those were recent installs that I have since removed.

Has aswMBR actually removed/resolved/repaired  the file in question?

Offline essexboy

No, it just noted that it was hidden; that in itself is not a problem, as some Windows files are hidden.

Offline enovak

Any thoughts on how to clear this with regard to the scan?  This has never shown up before.   And boot scan does not indicate anything.  I am running another ESET scan currently and will let you know if it yields anything.

Just concerned that there is something lurking...

Offline essexboy

If you are concerned I could delete the file, but a programme that uses dotnet may not function properly

Offline enovak

Can I remove support for .Net and then restore/install support for .Net?  Do you think that would resolve it?  Since Avast keeps finding the CRC errors on those files?

Offline essexboy

With the CRC errors it may be prudent to remove all dotnet versions and install just the ones you need

Download the dotnet cleanup tool from here http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-08-90-44-93/dotnetfx_5F00_cleanup_5F00_tool.zip to your desktop
Extract Cleanup_tool.exe to the desktop and run

Then re-run aswMBR

Offline enovak

Ran the cleanup tool and removed all versions of .Net - but aswMBR reports the same thing.

See attached log

Offline essexboy

OK I shall now kill it for you

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:Files
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#\0c4ec58f70e0fe6e74458c35fb260e2d\System.Runtime.Caching.ni.dll

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 
