Title: Avast! doesnt remove a rootkit file
Post by: CUPIC on January 22, 2011, 02:01:32 AM
Hello to everybody, I'm new here and I'm looking for help.

First of all, sorry, my English is a disaster.

Last night I used Avast! AV to scan my computer and it found an infected ROOTKIT file at

C:/windows/windows32/drivers/fylwqx.sys

Since Avast! found it I have a "blue screen" and I can't access my user profile on Windows Vista.

Avast was not able to delete the infected file, and neither were some other AV programs (AVIRA, Spybot, AVG...). I have tried to remove the rootkit file manually but without success.

Now I'm using SAFE MODE with networking. But even in SAFE MODE, the blue screen comes up frequently.

What do you think I should do?

Thank you!

Title: Re: Avast! doesnt remove a rootkit file
Post by: Rednose on January 22, 2011, 03:12:39 AM
Hi CUPIC, welcome to the forum :)

I am sorry to hear you have so many problems. The best I can do for you is to pm essexboy. He is in charge of the "viruses and worms" section, and the most qualified person here to help you.

http://forum.avast.com/index.php?topic=53253.0

Greetz, Red.

Title: Re: Avast! doesnt remove a rootkit file
Post by: essexboy on January 22, 2011, 01:48:08 PM
Hi, this can be run from safe mode

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
c:\system volume information|_REGISTRY_MACHINE_SOFTWARE;true;true;true /FP
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on January 23, 2011, 01:16:41 AM
Thank you very much for your help!

I did exactly as you said and here are the two files, OTL.txt and Extras.txt

When you have extra time, please check them and see if there are any suspicious services.

Thanks again!

Best regards!
Title: Re: Avast! doesnt remove a rootkit file
Post by: essexboy on January 23, 2011, 01:32:43 PM
It looks like the infection came from a USB drive.  Once combofix starts running allow it to boot back to normal mode if possible.

Run OTL
• Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
DRV - [2010.07.12 04:34:02 | 000,054,112 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKU\S-1-5-21-4190731207-121853071-4191398483-1000..\Run: [futur] File not found
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{39106cf0-ab35-11dd-9726-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{39106cf0-ab35-11dd-9726-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{39106cf0-ab35-11dd-9726-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{d9ba48f4-d8ac-11dd-b4b9-001b383f358f}\Shell\AutoRun\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
O33 - MountPoints2\{d9ba48f4-d8ac-11dd-b4b9-001b383f358f}\Shell\open\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
O33 - MountPoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}\Shell\AutoRun\command - "" = fooool.exe
O33 - MountPoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}\Shell\explore\Command - "" = fooool.exe
O33 - MountPoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}\Shell\open\Command - "" = fooool.exe
O33 - MountPoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}\Shell\AutoRun\command - "" = D:\LANCE/srasli.exe
O33 - MountPoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}\Shell\explore\command - "" = D:\LANCE/srasli.exe
O33 - MountPoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}\Shell\open\command - "" = D:\LANCE/srasli.exe
O33 - MountPoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}\Shell\AutoRun\command - "" = fooool.exe
O33 - MountPoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}\Shell\explore\Command - "" = fooool.exe
O33 - MountPoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}\Shell\open\Command - "" = fooool.exe
[2010.10.23 04:13:24 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\AVG10
[2011.01.22 20:34:38 | 000,000,000 | ---- | M] ()(C:\Windows\System32\?????) -- C:\Windows\System32\?????
[2011.01.22 20:20:18 | 000,000,000 | ---- | C] ()(C:\Windows\System32\?????) -- C:\Windows\System32\?????
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on January 26, 2011, 04:50:35 AM
First of all, thank you for your help.

I did everything as you said: I ran the OTL scanner but it stopped working while processing one file:

PROCESSING... PROO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

And it lasts for hours ...

Thank you for help!

Should I format my disc?
Title: Re: Avast! doesnt remove a rootkit file
Post by: SafeSurf on January 26, 2011, 09:00:25 AM
CUPIC,

Hold off on formatting until Essexboy gives you further instruction.  He has other tools he can use to help you.  He usually comes on the forum late UK time.  Thank you.
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on January 26, 2011, 06:29:10 PM
OK, I'm very patient and thankful!
Title: Re: Avast! doesnt remove a rootkit file
Post by: essexboy on January 26, 2011, 08:43:37 PM
Continue straight to the combofix run now please
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on January 31, 2011, 06:28:36 PM
Thank you!

The file that caused the problems no longer exists!

That was the fylwqx.sys file in system32/drivers. And now I can access my user profile normally.

But I noticed one very strange service in startup in my msconfig, called "futur". It did not exist before.

Should I turn off that service?

The LOG combofix file is attached.

THANK YOU SO MUCH!
Title: Re: Avast! doesnt remove a rootkit file
Post by: essexboy on January 31, 2011, 07:18:25 PM
Hi, you must let combofix update - otherwise it cannot do its job properly.  You have been using some infected USB drives, they need to be vaccinated using Panda USB Vaccine  http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

• Click Start, then Run
• Type notepad.exe in the Run box.
• Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
File::
c:\users\User\AppData\Local\Temp\DZE.exe

Driver::
DZE
fylwqx

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{377dff67-a9de-11dd-bac3-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39106cf0-ab35-11dd-9726-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9ba48f4-d8ac-11dd-b4b9-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}]

• Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

• Save the above as CFScript.txt

• Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

• Combofix.txt
• A new OTListit log.
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on January 31, 2011, 11:32:28 PM
I did everything as you said.

There are 2 files.

Thank you!
Title: Re: Avast! doesnt remove a rootkit file
Post by: essexboy on January 31, 2011, 11:37:23 PM
That looks good now, what are your current problems?
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on January 31, 2011, 11:38:26 PM
When I logged in to Windows normally, after I scanned my computer with ComboFix, Spybot S&D asked me if I want to allow some changes.

The message was:

"DISABLE CMD"

What to do?

thank you!
Title: Re: Avast! doesnt remove a rootkit file
Post by: essexboy on January 31, 2011, 11:39:59 PM
To be honest... Remove Spybot and get winpatrol and MBAM to cover your security

Allow it
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on January 31, 2011, 11:42:50 PM
Thank you very much!

I will install that MBAM, whatever it is!

THANKS!

Title: Re: Avast! doesnt remove a rootkit file
Post by: essexboy on January 31, 2011, 11:47:23 PM
Here you go, do this run and attach the log to see if I missed any waifs and strays

• Double click mbam-setup.exe to install the application.
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on February 01, 2011, 12:08:04 AM

But I still have one process or service in MSCONFIG's startup tab, called FUTUR. It has an "unknown" manufacturer and the exe file of that service is at:

C:\Users\User\AppData\Roaming\Microsoft\zihooqu.exe

And it looks very malignant to me.

This service did not exist a few days ago.

I will post the Malwarebytes report when it finishes.

Thanks
Title: Re: Avast! doesnt remove a rootkit file
Post by: CraigB on February 01, 2011, 06:11:01 AM
CUPIC, I noticed in one of your logs that you still have MSE on your system; even though it is disabled, it is not recommended to have two or more AVs on a system at one time.
Actually you also have some Symantec/Norton stuff still on there too, you can find removal tools here
http://uninstallers.blogspot.com/ scroll down the list to 23b and 26a. Remember to delete the programs through Add/Remove Programs first, then run the tool for each with reboots in between. If you have deleted Norton previously then just run the tool anyway to get rid of leftovers; when done, finally clean your system with CCleaner.
Title: Re: Avast! doesnt remove a rootkit file
Post by: SafeSurf on February 01, 2011, 08:44:27 AM
@ craigb,
CUPIC, I noticed in one of your logs that you still have MSE on your system; even though it is disabled, it is not recommended to have two or more AVs on a system at one time.
I believe this is an empty entry in the last ComboFix, but it would be best for Essexboy to take a look at this.
Title: Re: Avast! doesnt remove a rootkit file
Post by: CraigB on February 01, 2011, 08:55:51 AM
@ craigb,
CUPIC, I noticed in one of your logs that you still have MSE on your system; even though it is disabled, it is not recommended to have two or more AVs on a system at one time.
I believe this is an empty entry in the last ComboFix, but it would be best for Essexboy to take a look at this.
I agree
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on February 01, 2011, 10:18:22 AM
CUPIC, I noticed in one of your logs that you still have MSE on your system; even though it is disabled, it is not recommended to have two or more AVs on a system at one time.

I don't have two (or more) AV programs; MSE has been on my computer for a long time, I downloaded it once when I updated Windows. When I was running ComboFix and OTL I disabled MSE and Spybot.

Symantec Norton? I have never installed that AV on my machine.

I have one undefined process on the computer that cannot be excluded.

I believe this is an empty entry in the last ComboFix, but it would be best for Essexboy to take a look at this.

I agree too.
Title: Re: Avast! doesnt remove a rootkit file
Post by: Swarnava/Heaven GOD on February 01, 2011, 10:30:42 AM
Please tell us how many antivirus programs you currently have installed besides avast?
Title: Re: Avast! doesnt remove a rootkit file
Post by: CraigB on February 01, 2011, 10:47:51 AM
Doesn't matter if MSE is disabled, there will still be low level drivers that are running, so it should be uninstalled if you haven't already.
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on February 01, 2011, 10:57:31 AM
Here you go, do this run and attach the log to see if I missed any waifs and strays

• Double click mbam-setup.exe to install the application.
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

I did it!

The LOG file is attached.

Thank you!

Title: Re: Avast! doesnt remove a rootkit file
Post by: essexboy on February 01, 2011, 08:32:57 PM
OK, we will look in that area with a slightly different tool as it is more versatile - what problems do you have at the moment?

• Make sure you close all other programs and don't use the PC while the scan runs.
• Select All Users
• Under additional scans select the following
Reg - NetSvcs
Reg - Disabled MS Config Items
Reg - Shell Spawning
File - Lop Check
File - Purity Scan

• Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
• When the scan is complete Notepad will open with the report file loaded in it.
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on February 01, 2011, 09:21:35 PM
I scanned the computer as you said.

Here is OTS.txt
Title: Re: Avast! doesnt remove a rootkit file
Post by: essexboy on February 01, 2011, 10:51:35 PM
Well looky what I found - I like this programme for its flexibility.  One of your users would have had problems logging in

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\] > -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\] > -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "futur" -> [C:\Users\User\AppData\Roaming\Microsoft\zihooqu.exe]
< Winlogon settings [HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000] > -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> C:\Users\User\AppData\Roaming\juzjf.exe ->
< Winlogon settings [HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000] > -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> futur hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
[Files/Folders - Unicode - All]
NY -> C:\Windows\System32\????? -> C:\Windows\System32\獷楬汢捯污
NY -> C:\Windows\System32\????? -> C:\Windows\System32\獷楬汢捯污
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here.

I will review the information when it comes back in.
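The OTL fix earlier in the thread removed MountPoints2 autorun handlers, and this OTS fix removed a Run entry and a per-user Winlogon Shell; as an added example, not code from the thread or from the OTL/OTS/ComboFix authors, here is a read-only PowerShell audit of those same persistence points. It assumes an elevated prompt on the affected machine; the registry paths are standard, while the AppData heuristic and the 0xFF autorun policy check are the example's own choices.

```powershell
# Added example, not from the thread: read-only audit of the persistence points the
# OTL/OTS fixes removed. Run from an elevated PowerShell prompt; nothing is changed.

function New-Finding([string]$Check, [string]$Where, $Value) {
    New-Object PSObject -Property @{ Check = $Check; Where = $Where; Value = "$Value" }
}

function Test-Persistence {
    $findings = @()

    # 1. MountPoints2: Explorer caches each removable drive's autorun.inf verbs under a device
    #    GUID. A Shell\<verb>\command value runs when the drive is opened from Explorer; in the
    #    thread these pointed at D:\fooool.exe and G:\RECYCLER\...\windowsupdate.com.
    $mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    foreach ($dev in @(Get-ChildItem $mp2 -ErrorAction SilentlyContinue)) {
        $shell = "$mp2\$($dev.PSChildName)\Shell"
        foreach ($verb in @(Get-ChildItem $shell -ErrorAction SilentlyContinue)) {
            $cmdKey = "$shell\$($verb.PSChildName)\command"
            if (Test-Path $cmdKey) {
                $cmd = (Get-ItemProperty $cmdKey).'(default)'
                if ($cmd) {
                    $findings += New-Finding 'MountPoints2 autorun handler' `
                        "$($dev.PSChildName)\Shell\$($verb.PSChildName)" $cmd
                }
            }
        }
    }

    # 2. Per-user Run key: flag commands living under the profile's AppData, as the thread's
    #    "futur" entry did (C:\Users\User\AppData\Roaming\Microsoft\zihooqu.exe). Heuristic only.
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $run) {
        foreach ($p in (Get-ItemProperty $run).PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match '\\AppData\\') {
                $findings += New-Finding 'Run entry in AppData' "$run\$($p.Name)" $p.Value
            }
        }
    }

    # 3. Disabling an item in msconfig does not remove it; its command is parked here.
    $msc = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    foreach ($item in @(Get-ChildItem $msc -ErrorAction SilentlyContinue)) {
        $cmd = (Get-ItemProperty $item.PSPath).command
        if ("$cmd" -match '\\AppData\\') {
            $findings += New-Finding 'msconfig-disabled entry in AppData' $item.PSChildName $cmd
        }
    }

    # 4. Winlogon\Shell: HKLM should say explorer.exe and a per-user override normally does not
    #    exist; the thread's second user had it set to ...\AppData\Roaming\juzjf.exe. Only hives
    #    of currently logged-on users are loaded under HKEY_USERS, so check after each logon.
    $wl = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $keys = @("HKLM:\$wl")
    foreach ($sid in @(Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
                       Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' })) {
        $keys += "Registry::HKEY_USERS\$($sid.PSChildName)\$wl"
    }
    foreach ($k in $keys) {
        $shellVal = (Get-ItemProperty $k -ErrorAction SilentlyContinue).Shell
        if ($shellVal -and $shellVal -ine 'explorer.exe') {
            $findings += New-Finding 'Winlogon Shell override' "$k\Shell" $shellVal
        }
    }

    # 5. AutoRun policy: 0xFF (255) stops autorun.inf from launching anything on any drive type,
    #    the policy-level complement to vaccinating the USB sticks as the thread recommends.
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $ndt = (Get-ItemProperty $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($ndt -ne 255) {
        $shown = if ($null -eq $ndt) { '<not set>' } else { $ndt }
        $findings += New-Finding 'AutoRun not fully disabled' "$pol\NoDriveTypeAutoRun" $shown
    }
    return $findings
}

$results = Test-Persistence
if ($results) { $results | Format-Table Check, Where, Value -AutoSize -Wrap } else { 'No findings.' }
```

Each finding names the exact key so it can be compared against the OTL/OTS log lines before anything is deleted.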
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on February 02, 2011, 02:58:46 AM
I did everything as you said.

First, I turned off all running programs. And I pasted the fixes into "Paste fix here".

During the first scan, the program stopped working. Windows terminated OSL.exe.

After that, I ran OSL.exe again and it required the computer to reboot.

BUT the OSL didn't make any LOG file!

After that, Spybot S&D asked me to allow something and I allowed it.

Well looky what I found - I like this programme for its flexibility.  One of your users would have had problems logging in

One of my users?

My brother used the computer a few months ago, but now he has his own laptop and I'm the only user of this computer.

Thank you very much!

And, sorry, my English is a disaster, I'm a beginner.
Title: Re: Avast! doesnt remove a rootkit file
Post by: DavidR on February 02, 2011, 03:15:24 AM
Well it is 2:05am in the UK so essexboy will be in bed and not back on the forums until after he finishes work tomorrow.

Do you mean run OTS again, as there is no mention of running OSL? So the last thing he asked for was to run OTS again and copy and paste the contents of the code box into the Paste fix here and click the Run Fix button.

So I would suggest you try that again, and ensure that you follow this first instruction:
Make sure you close all other programs and don't use the PC while the scan runs. This includes avast for the duration of the scan.

I don't know if the run fix produces a log, if not then run OTS again so that it produces a log after the fix to see if anything else needs to be done.
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on February 02, 2011, 03:25:16 AM
Well it is 2:05am in the UK so essexboy will be in bed and not back on the forums until after he finishes work tomorrow.

Do you mean run OTS again, as there is no mention of running OSL? So the last thing he asked for was to run OTS again and copy and paste the contents of the code box into the Paste fix here and click the Run Fix button.

So I would suggest you try that again, and ensure that you follow this first instruction:
Make sure you close all other programs and don't use the PC while the scan runs. This includes avast for the duration of the scan.

I don't know if the run fix produces a log, if not then run OTS again so that it produces a log after the fix to see if anything else needs to be done.

I ran the OTS.exe the first time. But then it STOPPED working and was terminated by Windows.

Next time I ran OTS, it made the required (pasted) fixes but it didn't make any log or txt file.
Title: Re: Avast! doesnt remove a rootkit file
Post by: DavidR on February 02, 2011, 04:01:25 AM
As I said I don't know if it does produce a report after the fix, that is why I suggested running OTS again in the normal Run Scan mode (for all users) as in essexboy's first OTS scan, this post: http://forum.avast.com/index.php?topic=69884.msg591804#msg591804

The idea being to produce a report after you ran the fix to see if the fix worked and to see if essexboy needs to run additional tools.

That is me for the night shortly also as it is now 3am here in the UK.
Title: Re: Avast! doesnt remove a rootkit file
Post by: CUPIC on February 02, 2011, 07:22:44 AM

Maybe I didn't understand what essexboy said, but I thought that OTS has to produce a log file every time after scanning/fixing:

After the OTS "fixed" the problem, it didn't make any log file.

The suspicious process is still running on my computer, as you can see on this picture in attachment.

Title: Re: Avast! doesnt remove a rootkit file
Post by: DavidR on February 02, 2011, 04:08:29 PM
I'm not familiar with the tools essexboy uses, I'm only trying to help you do some work whilst he is unavailable.

So if the Run Fix doesn't produce a log as you say and I suspected, that is why I suggested running the OTS 'Run Scan' again to produce that log so that essexboy has something to work with when he gets back.

I don't know if you have rebooted after the OTS Run Fix, but you should probably do that before running OTS 'Run Scan' again to produce the log.
Title: Re: Avast! doesnt remove a rootkit file
Post by: essexboy on February 02, 2011, 08:12:35 PM
Quote
HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> C:\Users\User\AppData\Roaming\juzjf.exe ->
This references the winlogon settings of a subsidiary user on your system

David is correct, if you press run scan as opposed to run fix then OTS will stall.  Add the script again and press run fix
Title: Re: Avast! doesnt remove a rootkit file
Post by: TheSecurityFreak on February 02, 2011, 11:34:11 PM
To be honest... Remove Spybot and get winpatrol and MBAM to cover your security

Allow it

Yeah, Spybot S&D has a bad detection rate.