Topic: Avast reports rootkit: hidden file on scan, but can't remove/repair/move file

enovak (Guest):
Ran a scan today and Avast found "Threat: Rootkit: hidden file", plus four other files that indicated "Error: Data error (cyclic redundancy check) (23)".

The rootkit is associated with:

C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#\0c4ec58f70e0fe6e74458c35fb260e2d\Syste.Runtime.Caching.ni.dll

The 4 files that indicated the CRC error were:

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#
C:\WINDOWS\Temp\FLT1985.tmp
C:\WINDOWS\Temp\FLT1986.tmp

A boot scan did not yield any problems.

A subsequent Full System scan yielded the same result as above.

I cannot move the file to the chest, repair it, or remove it.

What are my next steps to remove this?  Is it a legitimate threat?

Thank you!

essexboy (Malware removal instructor):
A CRC error means that the file is corrupt.
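
To illustrate what a CRC mismatch does and does not tell you, here is an added example (not part of this thread or of any Avast tool): it computes a CRC-32 over a constructed byte string standing in for a DLL, flips a single bit to simulate the kind of damage a failing disk or cable produces, and shows that the stored CRC no longer verifies. The sample payload, the offset and the function names are all assumptions made for this example.

```python
import zlib


def crc32_of(data: bytes) -> int:
    """Return the CRC-32 (IEEE 802.3 polynomial, as used by zlib/PKZIP) of data."""
    return zlib.crc32(data) & 0xFFFFFFFF


def verify_crc(data: bytes, expected_crc: int) -> bool:
    """Recompute the CRC and compare it with the stored value.

    A mismatch says the bytes are not the ones that were written; it says
    nothing about *why* they changed (bad sector, cable, controller cache, or a
    deliberate modification). That is why a CRC error on its own is an
    integrity finding, not evidence of malware.
    """
    return crc32_of(data) == expected_crc


def flip_bit(data: bytes, offset: int, bit: int = 0) -> bytes:
    """Return a copy of data with one bit flipped at the given byte offset.

    Used here only to simulate single-bit media damage on constructed input.
    """
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


# Constructed sample payload standing in for a DLL's contents; in practice the
# stored CRC comes from an archive entry, a file record or a sector trailer.
SAMPLE = b"MZ" + bytes(range(256)) * 4
SAMPLE_CRC = crc32_of(SAMPLE)


def demo() -> dict:
    """Show that the intact copy verifies and a one-bit-damaged copy does not."""
    damaged = flip_bit(SAMPLE, offset=300, bit=5)
    return {
        "intact_ok": verify_crc(SAMPLE, SAMPLE_CRC),
        "damaged_ok": verify_crc(damaged, SAMPLE_CRC),
        "changed_bytes": sum(a != b for a, b in zip(SAMPLE, damaged)),
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading for a scan result like the one in this thread: when the operating system itself returns error 23 while reading a file, the checksum the disk keeps per sector failed, so the scanner never got the real bytes back. That is a hardware or file-system integrity problem to investigate (disk diagnostics, SMART data, a chkdsk run), separate from the question of whether the file is malicious.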

enovak (Guest):
Am I actually infected with a rootkit?  Or is the file simply corrupted?

Also is there a way to resolve this?

Thank you in advance for all your help!

essexboy (Malware removal instructor):
The only way to determine that is to run a scan.

Download aswMBR.exe (4.5 MB) to your desktop.
  • Double click aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.

enovak (Guest):
Running the scan now. It flagged that same file. I will post the complete scan when it finishes.

Thank you

enovak (Guest):
Attached is the log from the aswMBR scan.

essexboy (Malware removal instructor):
How is the computer behaving, any problems?

enovak (Guest):
No errors or strange behavior, just sometimes there is a lot of disk activity that I can't account for, which slows the system down. In some cases I see AppleMobileDeviceServices chewing up 50% of my CPU; I kill that process and that resolves it. I believe it is a known problem with Apple?

Also, sometimes the WLTRAY.EXE process seems to have a memory leak and consumes more and more memory. A reboot resolves that.

No strange behavior on reboot.

I also ran an ESET online scan on the laptop, but it only found two undesirable apps that I may not want, and those were recent installs that I have since removed.

Has aswMBR actually removed/resolved/repaired the file in question?

essexboy (Malware removal instructor):
No, it just noted that it was hidden; that in itself is not a problem, as some Windows files are hidden.

enovak (Guest):
Any thoughts on how to clear this with regard to the scan? This has never shown up before, and the boot scan does not indicate anything. I am running another ESET scan currently and will let you know if it yields anything.

Just concerned that there is something lurking...

essexboy (Malware removal instructor):
If you are concerned I could delete the file, but a programme that uses dotnet may not function properly.

enovak (Guest):
Can I remove support for .Net and then restore/install support for .Net? Do you think that would resolve it, since Avast keeps finding the CRC errors on those files?

essexboy (Malware removal instructor):
With the CRC errors it may be prudent to remove all dotnet versions and install just the ones you need.

Download the dotnet cleanup tool from here http://blogs.msdn.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-08-90-44-93/dotnetfx_5F00_cleanup_5F00_tool.zip to your desktop.
Extract Cleanup_tool.exe to the desktop and run it.

Then re-run aswMBR.

enovak (Guest):
Ran the cleanup tool and removed all versions of .Net, but aswMBR reports the same thing.

See attached log.

essexboy (Malware removal instructor):
OK, I shall now kill it for you.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Files
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Cach#\0c4ec58f70e0fe6e74458c35fb260e2d\System.Runtime.Caching.ni.dll

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.