Author Topic: Help please with Win:32Rootkit-gen [Rtk]  (Read 17686 times)


Jahn

  • Guest
Help please with Win:32Rootkit-gen [Rtk]
« on: April 12, 2008, 05:53:25 PM »
I'm running Avast Home 4.8.1169 VPS 080412-0 which is detecting this in C:\WINDOWS\system32\ChCfg.exe. Only Avast is detecting this at Jotti and VirusTotal. (XP SP2)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #1 on: April 12, 2008, 06:05:12 PM »
Send the sample to virus@avast.com, zipped and password protected, with the password in the email body, a link to this topic (which might help) and "false positive" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't there already) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

If it is indeed a false positive (and it looks like it), add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Jahn

  • Guest
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #2 on: April 12, 2008, 06:18:06 PM »
Will do. Thank you DavidR.

Offline DavidR

Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #3 on: April 12, 2008, 07:37:40 PM »
You're Welcome.

Is this coming up on the on-demand scan or the anti-rootkit module ?

Jahn

  • Guest
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #4 on: April 12, 2008, 08:57:15 PM »
Quote from: DavidR on April 12, 2008, 07:37:40 PM
You're Welcome.

Is this coming up on the on-demand scan or the anti-rootkit module ?
The first detection occurred while running a Spybot S&D scan. Resident Shield, or would that be the anti-rootkit module? I'm not sure. I've looked through each provider, but none are showing a last infected file.

When I did a context menu scan of the file it was also detected by Avast. Next, I did a boot scan where it was also detected. In the boot scan log there is an error 42127; I believe the file is part of the Windows Debugging Tools.

04/12/2008 09:35
Scan of all local drives

File C:\symbols\mshtml.pdb\6F9A8A1A0091498DADE722A06D4B10EE2\mshtml.pd_\mshtml.pdb Error 42127
File C:\WINDOWS\system32\ChCfg.exe is infected by Win32:Rootkit-gen [Rtk]
My internet connection is half-speed today, and I'm thinking the infection may be real. I ran HijackThis but all looks normal. I could run ComboFix to see what it finds. Or, I have Acronis TI and might just restore a previous image. For now, I'm just waiting for you gurus to respond. ;D

Thanks again, DavidR!

Offline DavidR

Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #5 on: April 12, 2008, 10:37:53 PM »
Personally I pause the Standard Shield when running other security scans. This not only reduces the overall scan duration, as files aren't scanned twice by avast and S&D, it avoids a possible conflict if both programs recognise the same virus signature, and finally, if that scanner unpacks its signatures to scan, avast might detect that.

It looks like the standard shield detected it as I have heard that the rootkit module may not place an entry in the avast log viewer.

I wouldn't be too worried about the error entry. I would suggest a google search on the ChCfg.exe file name, http://www.google.com/search?q=ChCfg.exe. In this case, with the VT result and the google search, it looks like it could be a false positive. Send the sample to avast and exclude it from scans.

I doubt that this, if it were an infection, would cause that drop in your internet connection speed without other symptoms being present. I assume you have a firewall capable of blocking unauthorised outbound Internet connections?
This would show any bandwidth stealing trojan, but the physical connection speed I would say is unrelated.

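The thread's advice boils down to a triage routine: separate real detections from scan errors in the log (Jahn's boot-scan output above), then decide whether a single-engine hit on a system32 file is a false positive before excluding it. The script below is an added example written for this page; it is not code from the thread, from Avast or from Realtek. It assumes a current Windows PowerShell (5.1 or later, for Get-FileHash), the log lines are constructed from the two line formats shown in the thread, and Get-DetectionTriage is a hypothetical function name. It gathers the evidence a practitioner would want before adding an exclusion: the file's SHA-256 (for a VirusTotal or Jotti lookup), its Authenticode status, and the publisher recorded in the version resource.

```powershell
# Added example (not from the thread): triage a single-engine AV detection before
# excluding the file. Assumes Windows PowerShell 5.1+ for Get-FileHash.
# The log lines below are constructed from the format shown in the boot-scan log above.

# 1. Pull detections (not scan errors) out of an avast-style boot-scan log.
$logLines = @(
    'File C:\symbols\mshtml.pdb\6F9A8A1A0091498DADE722A06D4B10EE2\mshtml.pd_\mshtml.pdb Error 42127',
    'File C:\WINDOWS\system32\ChCfg.exe is infected by Win32:Rootkit-gen [Rtk]'
)

$detections = foreach ($line in $logLines) {
    # "File <path> is infected by <name>" is a detection;
    # "File <path> Error <code>" is a scan error (unreadable/locked file), not malware.
    if ($line -match '^File (?<path>.+?) is infected by (?<name>.+)$') {
        [pscustomobject]@{ Path = $Matches.path; Detection = $Matches.name }
    }
    elseif ($line -match '^File (?<path>.+?) Error (?<code>\d+)$') {
        Write-Warning "Scan error $($Matches.code) on $($Matches.path) (not a detection)"
    }
}

# 2. For each detected file, collect what you would check before trusting or
#    excluding it: hash for a multi-engine lookup, code signature, version resource.
function Get-DetectionTriage {   # hypothetical name, defined here for the example
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $ver  = $item.VersionInfo

    [pscustomobject]@{
        Path         = $Path
        Exists       = $true
        SizeBytes    = $item.Length
        SHA256       = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignerStatus = $sig.Status                  # Valid / NotSigned / HashMismatch / ...
        Signer       = $sig.SignerCertificate.Subject
        CompanyName  = $ver.CompanyName             # e.g. the audio driver vendor the user expects
        ProductName  = $ver.ProductName
        FileVersion  = $ver.FileVersion
        # HashMismatch on a signed file means the bytes changed after signing:
        # treat that as a real finding, never as a false positive to exclude.
        Tampered     = ($sig.Status -eq 'HashMismatch')
    }
}

$detections | ForEach-Object { Get-DetectionTriage -Path $_.Path } | Format-List
```

An unsigned file is not proof of malice (many 2008-era OEM utilities were unsigned), but a file whose CompanyName, ProductName and hash all match what the vendor ships, and that only one engine flags, is the profile of the false positive this thread turned out to be. A HashMismatch or a publisher that does not match the hardware installed is the opposite, and the file should go to the chest rather than the exclusion list.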

Jahn

  • Guest
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #6 on: April 13, 2008, 02:15:09 PM »
Thanks DavidR. I had already done a Google search and I do have Realtek Audio. I need to be sure, though.

The error 42127 entry is unrelated to the rootkit detection, they're just both in the same scan result.

I sent the sample yesterday at 12:49PM EDT. Also, I use PC Tools FW.

Thanks again.

Offline DavidR

Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #7 on: April 13, 2008, 02:40:09 PM »
You're Welcome.

If you haven't already done so you could exclude the file from scans as in my reply #1.

Jahn

  • Guest
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #8 on: April 13, 2008, 05:23:38 PM »
I've got it in the chest for now. If I encounter any system problems I may have to restore and exclude it. Maybe Avast will have an answer soon.

You guys are awesome! :)

Offline DavidR

Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #9 on: April 13, 2008, 06:41:12 PM »
You won't normally get a direct response unless they require more information, so periodically scan it 'in the chest' to see if the VPS has been corrected. When it has restore it to the original location.

Jahn

  • Guest
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #10 on: April 13, 2008, 07:16:11 PM »
Will do. Thank you.

Edit: I forgot to mention my bandwidth returned to normal last night. Probably just a server down for maintenance.
« Last Edit: April 13, 2008, 09:12:58 PM by Jahn »

Atheros7212

  • Guest
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #11 on: April 14, 2008, 06:59:55 AM »
Quote from: DavidR on April 12, 2008, 06:05:12 PM
Send the sample to virus@avast.com, zipped and password protected, with the password in the email body, a link to this topic (which might help) and "false positive" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't there already) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

If it is indeed a false positive (and it looks like it), add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Hi there, I really need help getting rid of some kind of malware named Win32:Rootkit-gen [Rtk].

I play an online RPG game, and for the last 6 months the game has worked fine on my computer, but just today, when I clicked on my game icon to start the game, my Avast popped up saying that it's detected "Win32:Rootkit-gen [Rtk]" in my game's directory (Program Files) and Avast is stopping my game from working. Please, I really need some help on this!!! :'( :'( :'(

Offline misak

  • Avast team
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #12 on: April 14, 2008, 10:07:29 AM »
The false positive alert Win32:Rootkit-gen [Rtk] will be fixed in the next VPS update.

Jahn

  • Guest
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #13 on: April 14, 2008, 08:14:06 PM »
80414-1 stopped the detection. Thank you everyone.

Atheros7212

  • Guest
Re: Help please with Win:32Rootkit-gen [Rtk]
« Reply #14 on: April 15, 2008, 12:21:52 AM »
Quote from: misak on April 14, 2008, 10:07:29 AM
The false positive alert Win32:Rootkit-gen [Rtk] will be fixed in the next VPS update.

But is there anything that I can do in the meantime? :'(