Author Topic: Avast reports rootkit: hidden file on scan, but can't remove/repair/move file  (Read 3367 times)

Offline enovak

  • Newbie
  • *
  • Posts: 15
    • Personal Message (Offline)
Here is the log result that popped up upon reboot.

I have not re-run OTL yet.  Please let me know if I need to re-run OTL in scan mode, and whether I need to paste the same information in the scan files area before the scan.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29024
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
According to OTL that file is not on your system

Let's see if there is an additional copy, or if it is created by the net framework as required

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.


  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
/md5start
System.Runtime.Caching.ni.dll
/md5stop
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

Offline enovak

Here are the results of the scan - and thank you again for all your help!

Offline enovak

Just in case the previous logs were the ones from the wrong run, here are the correct ones:

Offline essexboy

Still can't find it... Let's go fishing

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks




  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Offline enovak

Here is the resulting log from ComboFix.  I am not sure the system rebooted as I was not at the console when it ran to completion.

Offline enovak

And here is the C:\ComboFix.txt file you requested.

Offline essexboy

Not even combofix/GMER is finding a hidden file there...  I wonder if it is associated with SAS as I believe that uses the net framework

Offline enovak

I don't know what SAS is.   Should I try re-installing .Net framework to see if it will over-write the file?

Offline enovak

Is SAS Super Anti-Spyware app?  I do have that installed - or at least I did at one time.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69218
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Is SAS Super Anti-Spyware app?  I do have that installed - or at least I did at one time.

Yes SAS is Super AntiSpyware.

I have SAS Pro, but resident protection is disabled (as I also have MBAM) and I haven't come across anything like this. I have a whole slew of different .net framework versions.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline essexboy

Yes try a re-install

 
