Author Topic: Win32:Rootkit-gen [Rtk]


HullBreach

  • Guest
Win32:Rootkit-gen [Rtk]
« on: January 09, 2012, 10:26:51 AM »
Avast full system scans have been reporting a lot of password-protected files that could not be scanned (example), so I ran a boot-time scan. These were the results, and I opted to delete all the files, which Avast reported success in doing. I ran Avast Antirootkit and these were my results:
Quote
avast! Antirootkit, version 0.9.6

File C:\## aswSnx private storage  **HIDDEN**
File C:\## aswSnx private storage\snx_rhive  **HIDDEN**
File C:\## aswSnx private storage\snx_rhive.LOG  **HIDDEN**
File C:\## aswSnx private storage\webStorage  **HIDDEN**
File C:\## aswSnx private storage\webStorage\attrib  **HIDDEN**
File C:\## aswSnx private storage\webStorage\image  **HIDDEN**
File C:\## aswSnx private storage\webStorage\snx_fs.dat  **HIDDEN**

Hidden files found: 7
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


Another one, after disabling System Restore:
Quote
avast! Antirootkit, version 0.9.6

File C:\## aswSnx private storage  **HIDDEN**
File C:\## aswSnx private storage\webStorage  **HIDDEN**

Hidden files found: 2
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


Another one, I think after I connected my external hard drive to scan for viruses and then ran another boot-time scan, which came up clean:
Quote
avast! Antirootkit, version 0.9.6

Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4018\Shell] MinPos1024x768(1).x=-1  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4018\Shell] MinPos1024x768(1).y=-1  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] FolderType="Music"  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] MinPos1024x768(1).x=-1  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] MinPos1024x768(1).y=-1  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] WinPos1024x768(1).left=139  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] WinPos1024x768(1).top=46  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] WinPos1024x768(1).right=939  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] WinPos1024x768(1).bottom=646  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] Vid="{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] Mode=6  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] Col=0  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4097\Shell] MinPos1024x768(1).x=-1  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4097\Shell] MinPos1024x768(1).y=-1  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4519\Shell] FolderType="MusicArtist"  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4519\Shell] MinPos1024x768(1).x=-1  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4519\Shell] MinPos1024x768(1).y=-1  **HIDDEN**
avast! Antirootkit, version 0.9.6

Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


So I'm wondering, is my computer still infected? Another computer using the same router had the same infected Combofix files as well.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89679
  • No support PMs thanks
Re: Win32:Rootkit-gen [Rtk]
« Reply #1 on: January 09, 2012, 01:52:06 PM »
Well, let's start with the first issue:
Files that can't be scanned are just that: not an indication they are suspicious/infected, just unable to be scanned.

Many programs (usually security-based ones) password-protect their files for legitimate reasons, such as AdAware and Spybot Search & Destroy; there are others (and avast doesn't know the password or have any way of using it even if it did know it).

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected; you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so). This will reduce the number of files that can't be scanned.

By examining 1) the reason given by avast! for not being able to scan the files and 2) the location of the files, you can get an idea of what program they relate to.

From the examples of those file names and locations in the image, they belong to Adobe, related to updates (which they now password-protect), and for whatever reason they are now in restore points. Normally, after a user deletes or moves the original files, System Restore creates a restore point.

So there is nothing to be concerned with, but personally I would suggest that you clear all restore points (disable System Restore as you have done, reboot and enable); this will clear the old ones and create a new restore point. Otherwise you will get the "files are password protected" notice on future scans, but you can choose to ignore that notice (which is all it is, on those); for other files you still have to investigate the legitimacy of their being password protected, as outlined above.

@@@@
Now for the rest: first, there should have been no requirement to run a boot-time scan (avast would normally suggest it if it had made a detection), so you wouldn't have seen these. Avast runs an anti-rootkit scan 8 minutes after boot, and that didn't alert under normal circumstances.

Would you expect private storage to be hidden? I think I would; that is the point of privacy:
File C:\## aswSnx private storage  **HIDDEN**
This belongs to the avast sandbox and is where it stores sandboxed data, so being hidden and isolated is what it is trying to achieve. The same is true of the other references to C:\## aswSnx private storage locations/files.

The latter, about your external HDD: I don't know why that is set to be hidden, but I wouldn't be too concerned about it, as it may be that it is hidden to only those with permissions to access it.
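Added example (not code from this thread, from avast, or from either poster): a small Python triage helper that parses an avast! Antirootkit text report of the kind pasted above, sorts every hidden item into the buckets the reply describes (aswSnx private storage = avast sandbox storage, expected to be hidden; ShellNoRoam\Bags keys = Explorer folder-view settings, low priority; anything else = needs review), and checks that the listed lines agree with the report's own totals, which catches the case in the third quote where two runs were pasted together. The sample report is constructed from lines in this thread plus one placeholder path; the regexes, bucket names and prefix lists are my assumptions, not an avast format specification.

```python
"""Triage helper for avast! Antirootkit text reports (added example)."""
import re
from collections import Counter

# Locations the reply explains are expected to be hidden: the avast
# sandbox (aswSnx) private storage. Case-insensitive prefix match (assumption).
EXPECTED_HIDDEN_PREFIXES = ("c:\\## aswsnx private storage",)

# Explorer folder-view state keys (the ShellNoRoam\Bags items in the third
# report); treated as low priority rather than as an infection indicator.
LOW_PRIORITY_REGISTRY_MARKERS = ("\\shellnoroam\\bags\\",)

ITEM_RE = re.compile(r"^(File|Registry item)\s+(.+?)\s+\*\*HIDDEN\*\*$")
SUMMARY_RE = re.compile(
    r"^Hidden (files|registry items|processes|services|boot sectors) found:\s*(\d+)$"
)

# Constructed sample: lines copied from the thread's reports plus one
# placeholder path (not a real detection) to exercise the 'review' bucket.
SAMPLE_REPORT = r"""avast! Antirootkit, version 0.9.6

File C:\## aswSnx private storage  **HIDDEN**
File C:\## aswSnx private storage\webStorage  **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\4038\Shell] FolderType="Music"  **HIDDEN**
File C:\PLACEHOLDER\unknown_hidden_file.dat  **HIDDEN**

Hidden files found: 3
Hidden registry items found: 1
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
"""


def parse_report(text):
    """Return ([(kind, target), ...], {category: count}) from report text."""
    items, summary = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
    return items, summary


def classify(item):
    """'expected' (sandbox storage), 'low' (Explorer view state) or 'review'."""
    kind, target = item
    t = target.lower()
    if kind == "File" and t.startswith(EXPECTED_HIDDEN_PREFIXES):
        return "expected"
    if kind == "Registry item" and any(mk in t for mk in LOW_PRIORITY_REGISTRY_MARKERS):
        return "low"
    return "review"


def summary_consistent(items, summary):
    """True when the listed items agree with the report's own totals.
    A mismatch usually means two runs were pasted together or lines were
    lost while copying, so the totals cannot be trusted as-is."""
    listed = Counter(kind for kind, _ in items)
    return (listed.get("File", 0) == summary.get("files", 0)
            and listed.get("Registry item", 0) == summary.get("registry items", 0))


def triage(text):
    """Bucket counts, the targets that still need a human look, and the
    consistency verdict for one report."""
    items, summary = parse_report(text)
    buckets = Counter(classify(i) for i in items)
    return {
        "buckets": dict(buckets),
        "review": [target for kind, target in items
                   if classify((kind, target)) == "review"],
        "consistent": summary_consistent(items, summary),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("buckets:", result["buckets"])
    print("needs review:", result["review"])
    print("totals consistent:", result["consistent"])
```

The point of the three buckets is the one the reply makes: "hidden" on its own is not a verdict, and a hidden item is only interesting once the component that hides it (here the avast sandbox) has been ruled out. The consistency check is worth keeping because the third quote in the thread shows exactly how a report with 17 hidden registry items can end with "Hidden registry items found: 0" when two runs are concatenated.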