Topic: rootkit or false positive?

Castor
rootkit or false positive?
« on: December 29, 2011, 08:56:09 PM »
Hi everyone, my name is Castor, and this is my first post here.

I know only the basics about viruses and computers, so I am sorry if the answer to my problem is trivial :(
During Christmas I realized that my security setup was not good enough (earlier I used this computer only offline), so I installed avast (Internet Security, trial version) and Malwarebytes Anti-Malware (and later TDSSKiller and aswMBR for rootkits). I did quick, full and boot scans as well and cleaned my system. It seemed that everything was OK, but yesterday avast found a "rootkit" (named sig2.tmp, in a temp subdirectory) during my second full scan. I tried to delete it but got the following error message: the system does not find the file. Only avast detected this file, nothing else. Furthermore, later during a boot scan (I was asked to do it) even avast detected nothing.
Another problem: 3 days ago avast detected a "Win32 Trojan Gen" (A0143408.dll, in a backup subdirectory of the System Volume Information directory) during a full scan and put it in the chest. Yesterday it found it again in the same directory during the second full scan. Again it was identified only by the avast full scan, nothing else. Furthermore, it was not picked up by the real-time security.
What do they mean? What should I do?

PS. I cannot run aswMBR anymore (the first time it found nothing); it is too slow, probably something (avast?) is interfering with it, so I can only attach the OTL files.

Pondus
Re: rootkit or false positive?
« Reply #1 on: December 29, 2011, 09:19:23 PM »
Quote
I tried to delete it but I got the following error message: the system does not find the file.
Well, it may not be so strange, since it was in a temp folder.

Quote
Furthermore it was not picked by the real time security.
Again not so strange, since the restore point is not in use... unless you use that restore point.

essexboy
Re: rootkit or false positive?
« Reply #2 on: December 29, 2011, 09:37:28 PM »
Quote
PS. I can not run the aswMBR anymore (first time it found nothing), it is too slow, probably something (avast?) is interfering with it
aswMBR uses the Avast engine to do a virus scan at the same time as it checks the MBR.
Quote
sig2.tmp
This is a temporary file for signature updates - I believe Avast detected itself.

Purge the restore points to remove the detections from System Restore.

I can see no apparent malware. Are you experiencing any symptoms?

Castor
Re: rootkit or false positive?
« Reply #3 on: December 30, 2011, 12:58:20 AM »
Pondus,

thanks for your answer; of course you are right on both points. :) In the case of the temporary file I realized it, but I was just afraid that there was something else which was not detected by Avast.

essexboy

"aswMBR uses the Avast engine to do a virus scan at the same time as it checks the MBR"
In this case, do you have any idea why it is so slow? Yesterday it had not finished after 10 hours...

"This is a temporary file for signature updates - I believe Avast detected itself"
It does make sense; it could explain why only Avast detected it.

"Purge the restore points to remove the detections from system restore"
Thanks, I will do it.

"I can see no apparent malware, are you experiencing any symptoms ?"
In the beginning Avast and Malwarebytes Anti-Malware detected (and removed) some viruses for sure; that is the reason I asked your advice about the "rootkit". In general my computer, and especially my internet, is slower than before, but that could be explained by other factors. What would you advise me?
Thanks for your help!

Lisandro
Re: rootkit or false positive?
« Reply #4 on: December 30, 2011, 01:07:03 AM »
The MBR scan takes seconds. The whole drive depends on your scanning settings and files (number, type...).
The best things in life are free.

Castor
Re: rootkit or false positive?
« Reply #5 on: December 30, 2011, 02:17:23 AM »
Quote
The MBR scan takes seconds. The whole drive depends on your scanning settings and files (number, type...).

When I first used it a week ago it took about an hour (maybe even less) to finish.

Lisandro
Re: rootkit or false positive?
« Reply #6 on: December 30, 2011, 12:47:44 PM »
Quote
When I first used it a week ago it took about an hour (maybe even less) to finish.
What else is running in the background?

Castor
Re: rootkit or false positive?
« Reply #7 on: December 30, 2011, 06:20:21 PM »
Quote
When I first used it a week ago it took about an hour (maybe even less) to finish.
What else is running in background?

As far as I know, only avast.

Lisandro
Re: rootkit or false positive?
« Reply #8 on: December 30, 2011, 08:18:16 PM »
Quote
As far as I know only the avast.
Mystery then ::)

essexboy
Re: rootkit or false positive?
« Reply #9 on: December 30, 2011, 09:01:12 PM »
I have just run aswMBR on my system and, as you can see, it took just 10 minutes to run.

Quote
aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2011-12-30 19:46:42
-----------------------------
19:46:42.571    OS Version: Windows x64 6.1.7601 Service Pack 1
19:46:42.571    Number of processors: 4 586 0x2A07
19:46:42.571    ComputerName: MARTIN-HP  UserName: Martin
19:46:46.003    Initialize success
19:46:46.097    AVAST engine defs: 11123000
19:46:52.680    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:46:52.680    Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 3
19:46:52.711    Disk 0 MBR read successfully
19:46:52.727    Disk 0 MBR scan
19:46:52.727    Disk 0 unknown MBR code
19:46:52.727    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
19:46:52.742    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       482461 MB offset 206848
19:46:52.742    Disk 0 Partition - 00     0F Extended LBA            460152 MB offset 988286976
19:46:52.773    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        11154 MB offset 1930678272
19:46:52.805    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS       460151 MB offset 988289024
19:46:52.820    Service scanning
19:46:53.912    Modules scanning
19:46:53.912    Disk 0 trace - called modules:
19:46:54.411    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:46:54.411    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006fcc060]
19:46:54.411    3 CLASSPNP.SYS[fffff88001d6e43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004add050]
19:46:57.391    AVAST engine scan C:\Windows
19:46:59.637    AVAST engine scan C:\Windows\system32
19:47:54.908    AVAST engine scan C:\Windows\system32\drivers
19:48:01.741    AVAST engine scan C:\Users\Martin
19:48:57.574    AVAST engine scan C:\ProgramData
19:49:42.366    Scan finished successfully
19:56:27.194    Disk 0 MBR has been saved successfully to "C:\Users\Martin\Desktop\MBR.dat"
19:56:27.194    The log file has been saved successfully to "C:\Users\Martin\Desktop\aswMBR.txt"
Quote
Windows XP Professional Edition Szervizcsomag 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)

You need to update to Service Pack 2 and 3 as soon as possible and also update IE to v8. At the moment you are wide open to a lot of exploits.

Castor
Re: rootkit or false positive?
« Reply #10 on: December 30, 2011, 09:43:06 PM »
Quote
Windows XP Professional Edition Szervizcsomag 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)

You need to update to service pack 2 & 3 as soon as possible and also update IE to V8.  As at the moment you are wide open to a lot of exploits

Thanks for your warning, I am going to do it today.