Avast WEBforum

Other => Viruses and worms => Topic started by: click Tracy on January 25, 2013, 08:38:12 AM

Title: Help with rootkit swcustcfg please
Post by: click Tracy on January 25, 2013, 08:38:12 AM

Hello, I need some help.
Installed Avast Internet security recently and it reports on computer startup that it has found rootkit virus swcustcfg. Electing to delete fails and Avast reports it again on startup. Looking in this forum I found the procedure to attach the necessary ( I hope) log files. 3 in this post 2 to follow.
Cheers

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on January 25, 2013, 08:45:31 AM

Next 2 attach.

Title: Re: Help with rootkit swcustcfg please
Post by: Pondus on January 25, 2013, 11:32:15 AM

malware removers are notified.....check back later today

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on January 25, 2013, 01:44:27 PM

Hi and welcome,

Please download DDS from either of these links

LINK 1 (http://download.bleepingcomputer.com/sUBs/dds.com)
LINK 2 (http://download.bleepingcomputer.com/sUBs/dds.scr)

and save it to your desktop.

• Disable any script blocking protection
• Right-click and Run as Administrator dds to run the tool.
  
• When done, two DDS.txt's will open.
  
• Save both reports to your desktop.
  

---------------------------------------------------
Please attach the contents of the following in your next reply:

DDS.txt

Attach.txt
----------

(http://i1224.photobucket.com/albums/ee380/jeffce74/TDSK.jpg) Please download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)

• Double click TDSSKiller.exe
  
• Press Start Scan
  
• If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  
• Do Not Attempt To Fix Anything Now.  We just need to look over the report and be sure we are removing the correct items. 
• Attach the log in your next reply
• A copy of the log will be saved automatically to the root of the drive (typically C:\)
  

----------

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on January 25, 2013, 08:14:22 PM

Hello jeffce,
Thank you for attending. Files attached as req.

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on January 25, 2013, 09:14:51 PM

It seems that the file that Avast Internet Security is picking up a false positive with swcustcfg.
----------

Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html)
  
  
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/RC2-1.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
----------

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on January 26, 2013, 01:27:33 AM

Thanks jeffce,
combofix. txt attached

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on January 26, 2013, 02:58:47 AM

Before we continue, do you use this computer to access work or school by chance?

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on January 26, 2013, 03:10:37 AM

Yes Citrix Remote Desktop access.

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on January 26, 2013, 05:54:29 PM

Hi,

Thanks for letting me know about the proxy settings.

I see that you have PCTools firewall Plus on your system as well as running Avast Internet Security (which has a firewall).  I would recommend that you uninstall PC Tools Firewall Plus.

Once you get that done, let me know how your system is running.

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on January 26, 2013, 11:30:29 PM

Yes jeffce, I realised I had 2 firewalls running when I was disabling stuff for the previous step, so I left PC tools  disabled. It is now totally removed as you suggested.

Start up and shut down times have improved and Avast still reports about swcustcfg presence.

I'm not sure what you mean about the proxy settings unless they were in one of the log files. Is/was Citrix part of the problem?

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on January 27, 2013, 04:39:24 AM

Hi,

I am speaking with a colleague about your system.  I will return as quickly as I can.  :)

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on January 29, 2013, 07:08:31 PM

Hi,

Apologies for taking so long...

The popup you are getting from Avast, could you post a screenshot of it?  The entry that is being detected, I believe, is a False Positive and we will just need to move the file to your Exclusions list.  :)

How is your system running otherwise?

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on January 30, 2013, 07:22:26 AM

Appears to be running OK, less delays opening progs etc. I'll get you that screen shot next post.

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on January 30, 2013, 08:17:07 AM

Screen shot

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on January 30, 2013, 03:54:42 PM

Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip) unzip to your Desktop.
 
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
 
Double-click gmer.exe. The program will begin to run.
 (https://dl.dropbox.com/u/73555776/GMER_Open.JPG)
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!
 
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.

Once the scan is complete, you may receive another notice about rootkit activity.

• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt" 
  
• Save it where you can easily find it, such as your desktop.

Attach the contents of GMER.txt in your next reply.
----------

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on January 31, 2013, 08:25:14 AM

Thanks jeffce,
File attached

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on January 31, 2013, 07:52:29 PM

Hi,

Good job!

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

Code: [Select]

:Services

:Reg
[-HKLM\SYSTEM\CurrentControlSet\Services\swcustcfg]                                                                                     
[-HKLM\SYSTEM\ControlSet003\Services\swcustcfg]                                                                 
[-HKLM\SOFTWARE\Classes\CLSID\{FDB4A846-6A04-87BE-E5AB-393EDD021FC0}\lbzctmzg@]                                                                 
[-HKLM\SOFTWARE\Classes\CLSID\{FDB4A846-6A04-87BE-E5AB-393EDD021FC0}\urOqffuVocnJ@]

:Commands
[emptytemp]
[start explorer]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot when it is done
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

-------

Post the new logs made by OTL and let me know if you are still receiving the warnings.  If you are, please just go ahead and add it to your Exclusions list in Avast. 

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on January 31, 2013, 10:46:48 PM

Still getting the warning.
Added to exclusions list.
Log file attached.

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 01, 2013, 02:08:00 PM

Next time that it pops up get a screen shot of it so I can see what you are seeing now. 

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 02, 2013, 04:10:28 AM

Thanks jeffce,
Pop up screen grab and Avast full system scan log screen grab attached.

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 02, 2013, 06:29:27 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

• Right-click and Run as Administrator SystemLook.exe to run it.
  
• Copy the content within the following codebox into the main textfield:
  

Code: [Select]

:filefind
*swcustcfg*

:regfind
*swcustcfg*


• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 03, 2013, 08:14:50 PM

Thanks, log attached.

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 04, 2013, 04:16:26 PM

Run SystemLook again but using the following:

Code: [Select]

:service
*swcustcfg*
Attach the new log when complete.

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 05, 2013, 06:41:07 AM

File attached

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 06, 2013, 02:06:25 PM

I would like to see something else.  There is not really any reason I can see why this keeps popping up.  It's not malicious...it's a false positive so it is nothing to be concerned over outside of Avast popping up.

Please open OTL.

• Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, click the None button near the top (it may looked greyed out)
  
• In the Extra Registry section change it to All
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  

When the scan completes, it will open 2 notepad windows, OTL.Txt and Extra.txt. Please post the Extra.txt.
----------

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 07, 2013, 06:49:52 AM

Extras.txt attached
Cheers

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 07, 2013, 08:54:21 PM

Just to be sure...have you chosen in the drop down when the alert arises from Avast to Ignore?

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 07, 2013, 09:42:21 PM

Not ignore but delete. At one point when you suggested putting it in exclusions I ticked the checkbox to tell Avast to stop notifying about it.

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 08, 2013, 12:13:29 AM

But it still continues?

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 08, 2013, 10:18:12 AM

Negative, Avast no longer reports the presence. A registry search finds 6 identical folders (see attach) and 4 reg entries (attached next post)

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 08, 2013, 10:20:07 AM

More attached.

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 08, 2013, 10:24:26 PM

Hi,

So the warning are no longer occurring?  The entries that you are showing me are not active so you should be fine, even though it was a False Positive.

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 10, 2013, 04:53:57 AM

The warnings no longer come up so thanks heaps for your time and expertise with this matter. I'm extremely grateful.
Thanks again jeffce
Cheers

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 10, 2013, 05:14:17 AM

Hi,

Great to hear!!

(http://i1224.photobucket.com/albums/ee380/jeffce74/java-1.jpg) I see that your Java software is out of date.  Please go to Start >> Control Panel >> Programs and Features >> uninstall all versions of Java.

Now download and install the newest version from here >> http://java.com/en/download/index.jsp
-------------

(http://i1224.photobucket.com/albums/ee380/jeffce74/java-1.jpg) Clear Java Cache

See this page (http://www.java.com/en/download/help/5000020300.xml) for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

• Under Temporary Internet Files, click the Delete Files button.
• There are three options in the window to clear the cache - Leave ALL 3 Checked
  Downloaded Applets
  Downloaded Applications
  Other Files

• Click OK on Delete Temporary Files Window

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

• Click OK to leave the Java Control Panel.

----------

(http://i1224.photobucket.com/albums/ee380/jeffce74/mbam-3.jpg) Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

ESET Online Scanner

Go here (http://go.eset.com/us/online-scanner) to run an online scannner from ESET.  Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

• Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
• Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
• Close the ESET online scan, and let me know how things are now.

----------

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 10, 2013, 03:36:46 PM

All seems OK .
Files attached.

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 10, 2013, 06:55:07 PM

(http://i1224.photobucket.com/albums/ee380/jeffce74/OTL.jpg) Run OTL.exe

• Copy/paste the following text written inside of the quote box into the Custom Scans/Fixes box located at the bottom of OTL
  
  
  Quote

  
  :Services
  
  :Files
  C:\Documents and Settings\Owner\Application Data\Auslogics\Rescue\Boost Speed\130120151031652.rsc   
  C:\E Drive Backup\OLD C DRV (E)\Download\tds3setup.exe
  
  :Commands
  [emptytemp]
  [start explorer]
  [Reboot]

  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot when it is done
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

----------

Attach the new OTL log and let me know what remaining malware related problems you are having.

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 11, 2013, 10:19:55 AM

Log file attached.
No apparent problems.

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 11, 2013, 01:35:05 PM

Providing there are no other malware related problems...

(http://i149.photobucket.com/albums/s64/mxyzptlk1214/Vegeta.gif)  IT APPEARS THAT YOUR LOGS ARE NOW CLEAN SO LET'S DO SOME CLEANUP.   

This infection appears to have been cleaned, but I can not give you any absolute guarantees.  As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------

The following will implement some cleanup procedures as well as reset System Restore points:

Press the Windows key + R and this will open the Run box. Copy/paste the following text into the Run box as shown and click OK.
  Combofix /Uninstall
  (Note: There is a space between the ..X and the /U that needs to be there.)

(http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg)
----------

(http://i1224.photobucket.com/albums/ee380/jeffce74/OTL.jpg) Clean up with OTL:

• Right-click and Run as Administrator OTL.exe to start the program.
  
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
  
• Say Yes to the prompt and then allow the program to reboot your computer.
  

----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.
If you didn't already have it I would keep Malwarebytes AntiMalware though.

Here are some tips to reduce the potential for spyware infection in the future:

1. Internet Explorer.  Even if you don't use it as your main browser it should be kept up-to-date because that is the browser Windows uses for updates.
Make your Internet Explorer more secure - This can be done by following these simple instructions:

• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  
• Next press the Apply button and then the OK to exit the Internet Properties page.

2. FireFox.  If you use Firefox, I recommend installing the following add-ons to help make your Firefox browser more secure:
NoScript (http://"https://addons.mozilla.org/en-US/firefox/addon/noscript/")
AdBlock Plus (http://"https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/?src=ss")

3. Enable Protected Mode in Internet Explorer.  This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code.  To make sure this is running follow these steps:

• Open Internet Explorer
  
• Click on Tools > Internet Options
  
• Press Security tab
  
• Select Internet zone then place check next to Enable Protected Mode if not already done
  
• Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
  
• Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

4. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis.  With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

5. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly.  I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)

6. Make sure you keep your Windows OS current.  Windows XP users can visit Windows update  (http://v4.windowsupdate.microsoft.com/en/default.asp)  regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems.  Without these you are leaving the back door open.

7.   WOT   (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites.  WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

8.Finally, I strongly recommend that you read How to Prevent Malware found here (http://"http://users.telenet.be/bluepatchy/miekiemoes/prevention.html") and also PC Safety and Security - What Do I Need? (http://www.techsupportforum.com/forums/f112/pc-safety-and-security-what-do-i-need-525915.html).
 
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Title: Re: Help with rootkit swcustcfg please
Post by: click Tracy on February 12, 2013, 06:49:33 AM

Clean-up successful and thanks again Jeff
Cheers ;)

Title: Re: Help with rootkit swcustcfg please
Post by: jeffce on February 12, 2013, 01:40:29 PM

You are more than welcome!  Glad that I could help!  :)

Since this issue appears to be resolved ... I will discontinue monitoring. Glad we could be of assistance.
----------

Title: Re: Help with rootkit swcustcfg please
Post by: caribconsult on April 18, 2014, 10:21:16 PM

Same issue here. Question: is this 'swcustcfg' message a false positive and don't worry, or could this be a real root kit? No other scanner (Kaspersky, MBAR, MBAM, etc) has reported this rootkit.

Title: Re: Help with rootkit swcustcfg please
Post by: Pondus on April 18, 2014, 10:29:20 PM

Quote from: caribconsult on April 18, 2014, 10:21:16 PM

Same issue here. Question: is this 'swcustcfg' message a false positive and don't worry, or could this be a real root kit? No other scanner (Kaspersky, MBAR, MBAM, etc) has reported this rootkit.

1. You are posting in a 1 year old topic
2. If you have MBAM 1.75 as you say in your other post....then you dont have latest
3. For help, follow instructions  http://forum.avast.com/index.php?topic=53253.0

Title: Re: Help with rootkit swcustcfg please
Post by: caribconsult on April 18, 2014, 11:20:11 PM

First of all, thank you kindly for helping. I'm at my wit's end with this...I've been using the same suite of protection programs for over two years and this just started. I have the newest Avast free, I just downloaded the new MBAM, checked the rootkit box, ran a scan and it found this:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/18/2014
Scan Time: 5:04:22 PM
Logfile:
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.18.07
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Jeffrey

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 229192
Time Elapsed: 5 min, 30 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.DefaultTab.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\DefaultTab, Quarantined, [05fb34ccd22ed030d0e22c55679b5da3],

No other malicious items found

(end)

I quarantined the PUP. Is this what was causing the swcustcfg rookit message in Avast ? I notice Avast doesn't pop up a warning window every now and then like it used to, but it stopped after I updated it.  Nevertheless, an Avast scan still finds this.  Is this a false positive or do I have a real rootkit here, can you tell?  If you need more info, you email me direct at jeff@tcconsult.net

Thank you.

Title: Re: Help with rootkit swcustcfg please
Post by: Pondus on April 19, 2014, 12:07:09 AM

As said in the guide...start your own topic and attach the logs, not copy and paste