Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: G747 on May 18, 2011, 02:55:16 AM

Title: Win32:Rootkit-gen[Rtk]
Post by: G747 on May 18, 2011, 02:55:16 AM
Hello everyone,


Two days ago, I was hit with Win7 2011 antivirus. It disabled Mbam and MSE. I was able to get into mbam to scan and found:

Trojan.exe.shell.gen (File)
Hijack.exefile (Registry Value)
Hijack.StartMenuInternet (Registry Data)
Broken.OpenCommand (Registry Data)
The above is now in quarantine

I ran a full scan with mbam and it hasn't found anything again, and did a full scan with avast and a boot scan. I just finished a quick scan with avast and it found C:\Users\Computer\AppData\Local\hif.exe. The option to move to chest results in an: Error: Access is denied (5)

Will the delete option get rid of it?
Thank you for any information.

Title: Re: Win32:Rootkit-gen[Rtk]
Post by: Lisandro on May 18, 2011, 03:04:08 AM
MSE and avast will conflict sooner or later...
It is better to have just one antimalware at a time.

I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Read these instructions (http://forum.avast.com/index.php?topic=53253.msg451454#msg451454) and provide more info with the logs generated.
6. Clean your Hosts file (replacing it) with HostsMan (http://www.abelhadigital.com) tool.
7. Disable System Restore and then re-enable it.
8. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
9. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
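
As an added, read-only example (not from this thread or from any of the tools named above): the MBAM detection names quoted in the first post (Hijack.exefile, Hijack.StartMenuInternet, Broken.OpenCommand) and step 6 above all point at specific locations that can be inspected before and after the cleanup, so the script below reads those locations and reports anything that deviates from the stock values. It assumes a Windows 7 system with PowerShell and that a per-user .exe override under HKCU\Software\Classes is absent on a clean install; it changes nothing.

```powershell
# Added example (not from the thread): read-only check of the registry keys and
# hosts file behind the MBAM detection names quoted above. Run from an elevated
# PowerShell prompt on the affected machine; it reports, it does not change anything.
$findings = @()

# Stock .exe association on Windows is  "%1" %*  ; rogue antivirus programs replace
# it so that every program launch is routed through the malware first.
$expected = '"%1" %*'
foreach ($hive in 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_USER\Software\Classes') {
    $key = "Registry::$hive\exefile\shell\open\command"
    if (Test-Path $key) {
        $cmd = (Get-ItemProperty -Path $key).'(default)'
        if ($cmd -ne $expected) { $findings += "$key = [$cmd] (expected $expected)" }
    }
}
# Assumption: a per-user .exe ProgID override is absent on a clean install.
$userExe = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
if (Test-Path $userExe) { $findings += "$userExe exists (per-user .exe redirection)" }

# StartMenuInternet: each registered browser's launch command should point at an
# existing binary, not at something dropped under the user's AppData\Local.
Get-ChildItem 'HKLM:\SOFTWARE\Clients\StartMenuInternet' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $k = $_.PSPath + '\shell\open\command'
        if (Test-Path $k) {
            $cmd = (Get-ItemProperty -Path $k).'(default)'
            # Take the executable path: the quoted part if quoted, else the first token.
            if ($cmd -match '^"([^"]+)"') { $exe = $matches[1] } else { $exe = ($cmd -split '\s')[0] }
            if (-not (Test-Path $exe) -or $exe -like '*\AppData\Local\*') {
                $findings += "$($_.PSChildName) browser command = [$cmd]"
            }
        }
    }

# Hosts file (step 6): anything other than comments and localhost lines deserves a look.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' } |
    ForEach-Object { $findings += "hosts entry: $_" }

if ($findings) { $findings | ForEach-Object { Write-Output "CHECK: $_" } }
else { Write-Output 'No deviations found in the checked locations.' }
```

Run it once before cleanup to capture what the rogue changed, and again afterwards to confirm the associations and hosts file are back to stock.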

Title: Re: Win32:Rootkit-gen[Rtk]
Post by: G747 on May 18, 2011, 03:06:19 AM
I removed MSE from my computer; I only use MBAM on demand and avast free.

I was only using MSE and MBAM at the time this happened. I still had access to the internet, as I was able to download avast.

Thank you for the instructions. :)

Title: Re: Win32:Rootkit-gen[Rtk]
Post by: Lisandro on May 18, 2011, 03:11:14 AM
Take a look...
http://www.virusremovalguru.com/?p=6871
http://www.myantispyware.com/2011/02/19/how-to-remove-win-7-anti-virus-2011/
http://www.spywarevoid.com/remove-win-7-anti-virus-2011-win7-antivirus-2011-removal-steps.html
http://www.antioxidant-supplement.org/remove-windows-7-anti-virus-2011-easy-to-remove-windows-7-anti-virus-2011-from-your-computer