Need help with win32:Rootkit-gen [Rtk}

[Nealva]

I performed a boot time scan at the recommendation of an Avast scan and this is the report that I received.

06/18/2008 23:09
Scan of all local drives

File C:\Windows\System32\config\atww\mck.dll is infected by Win32:Rootkit-gen [Rtk]
----------------------------------------
06/19/2008 08:07
Scan of all local drives

File C:\Windows\System32\config\atww\mck.dll is infected by Win32:Rootkit-gen [Rtk]
----------------------------------------
06/21/2008 09:31
Scan of all local drives

File C:\Windows\System32\config\atww\mck.dll is infected by Win32:Rootkit-gen [Rtk], Move to chest: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Repair: Error 42060 {The file was not repaired.}
Number of searched folders: 11217
Number of tested files: 71092
Number of infected files: 1


I need help understanding what the report is telling me and advice on how to proceed.

Thanks in advance for any help that anyone can provide.

Neal

[Lisandro]

To know if C:\Windows\System32\config\atww\mck.dll is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com. VirusTotal has a file size limit of 10Mb. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders' to manage the file(s).

If it indeed infected, the better will be send it to Chest rather then direct deletion.

I also suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

[DavidR]

I don't believe it is a false positive as a google search on the file name returns a number of suspect hits.

Firstly Virus total would be my first consideration/task.
Second would be to use some of the other anti-rootkit tools that Tech gave links for, if this truly a rootkit then it would be logical to check with anti-rootkit tools as early as possible.
Then the other steps.

[differentgrl]

I am trying to follow the steps listed by Tech
avast! translator
avast! Überevangelist

However I had a Trojan called "MS Juan" a few days ago that seems to have been cleared by Malwarebytes once I unhide my hidden files before scanning. Before it was cleared 3 .dat files would pop up with the Trojan files. I noticed some .tmp with the same name beginning ("seneka" something".tmp") in the temp folder so I scanned them with avast. It recognizes them as rootkit files but I cannot put them in the chest I get the message that the chest server is not connecting and something to do with RPG. Help please. I already tried repairing avast.

now the only thing popping up when i scan with Malwarebytes are 2 listings related to system32/userinit.exe
I'm new to all this so please bare with me.

[differentgrl]

ok now that i've run avast on bootup I can't log on to Administrator. This was happening before under the profiles I had created but not admin. It logs on and then immediately logs right off.
The good news is it was able to put bad files in the chest during the avast scan. Is there anything I can do now?