Topic: new rootkit infection


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76035
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: new rootkit infection
« Reply #30 on: June 26, 2010, 06:53:00 PM »
Quote
But I can't find the file manually. I followed the path but nothing. My system doesn't seem to have the file. And I'm using folder lock software.

This could help...
http://www.malwarebytes.org/fileassassin.php
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89186
  • No support PMs thanks
Re: new rootkit infection
« Reply #31 on: June 26, 2010, 07:11:29 PM »
It could also damage - Don't offer advice that could harm the user's system, given what essexboy said in the post before your reply:
Quote
I can delete that file but it may make the file locker programme inoperative

Have you set hidden files to show?

And one even before that:
Quote
I can see nothing untoward there. WinFLdrv.sys is running but it has not been modified or changed since March.
http://www.threatexpert.com/report.aspx?md5=57f65e0f401e295406c1e0daa7836774 gives the details on the files loaded with Folder Lock 6, and this is legitimate both in size and location.

Is Avast still calling it?

He is erring on the side of safety, which is what anyone offering advice on these forums should do: first do no harm, and never delete unless 100% certain.

You can't just jump in to offer advice without reading all that has gone on before.

FileASSASSIN doesn't help you find a file; it does nothing other than delete, and in this case is highly likely to damage the user's system.

Quote
FileASSASSIN is an application that can delete any type of locked files that are on your computer. Whether the files are from a malware infection or just a particular file that will not delete - FileASSASSIN can remove it. The program uses advanced programming techniques to unload modules, close remote handles, and terminate processes to remove the particular locked file. Please use with caution as deleting critical system files may cause system errors.

So in suggesting the tool you are inadvertently advising deletion.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline gautam7

  • Full Member
  • ***
  • Posts: 193
Re: new rootkit infection
« Reply #32 on: June 27, 2010, 03:18:46 PM »
Hi everybody. As for essexboy, I have set hidden files to show in the folder options, but still nothing. The only file shown to me is winFLsrv. Are both files the same?


And as for DavidR and Asyn, I'm not planning to use FileASSASSIN. I have not even tried to delete it with Avast; maybe Avast will be able to delete it. The only actions I tried with Avast are repair and move to chest, which both failed with an error message "access is denied (5)".

I have been having this rootkit in my system for quite some time and till now I have not seen any virus symptoms (i.e. system slowdown, webpage hijacking, popups etc.). Does this mean this is harmless, whatever this file is, and Avast is picking it up as a false positive?
Lenovo B40 laptop/ core i3 4010U CPU (1.7 GHz)/ 4.0 GB RAM/500 GB HDD,OS: windows 10 64 bit, Browser: Google Crome/ FF (adblock plus, lastpass,) Security: Avast pro 10, MBAM (free).

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: new rootkit infection
« Reply #33 on: June 27, 2010, 03:30:46 PM »
That is the correct file (your extensions are hidden). Upload that as an FP to Avast and see what happens.

Offline gautam7

Re: new rootkit infection
« Reply #34 on: June 27, 2010, 04:17:53 PM »
How can I upload it to Avast to report a false positive? I cannot move it to chest.

Offline essexboy

Re: new rootkit infection
« Reply #35 on: June 27, 2010, 04:20:40 PM »
Zip a copy of the file and then upload it to Avast - I can't find the FTP server data at the moment, but I will look for it.


Offline essexboy

Re: new rootkit infection
« Reply #36 on: June 27, 2010, 04:22:54 PM »
Send the sample to virus (at) avast (dot) com, zipped and password protected, with the password in the email body. A link to this topic might help, and put "false positive/undetected malware" in the subject.

Offline gautam7

Re: new rootkit infection
« Reply #37 on: June 27, 2010, 04:36:11 PM »
OK, what is the sample? The

c:\windows\syswow64\winFLsrv (which I can find) or

the c:\windows\syswow64\winFLdrv.sys which Avast finds (but I cannot).


Can I right-click on the file and use the option to compress and email? And I don't use Outlook; I use Gmail.
« Last Edit: June 27, 2010, 04:45:47 PM by gautam7 »

Offline essexboy

Re: new rootkit infection
« Reply #38 on: June 27, 2010, 04:37:56 PM »
Quote
c:\windows\syswow64\winFLsrv (which I can find)
YES

Quote
Can I right-click on the file and use the option to compress and email?
YES

Offline gautam7

Re: new rootkit infection
« Reply #39 on: June 27, 2010, 04:50:44 PM »
OK, I will report back.

Offline gautam7

Re: new rootkit infection
« Reply #40 on: June 28, 2010, 05:53:27 AM »
Well, I sent the sample, but there is no confirmation mail yet. So let's wait and see ;D

Offline DavidR

Re: new rootkit infection
« Reply #41 on: June 28, 2010, 02:38:06 PM »
Generally you won't get a confirmation email, only if they need more information. Ultimately your confirmation would be that Avast no longer alerts on it, if it is confirmed as an anti-rootkit FP.

Offline gautam7

Re: new rootkit infection
« Reply #42 on: July 03, 2010, 06:15:30 PM »
Hi everybody

Well, 5 days have passed since I submitted the infected file for analysis in the Avast lab, but Avast still detects it, and it could not be repaired or moved to chest. I don't know whether they have analysed the file or not. I have been searching about rootkits and found out that even though they don't harm directly (I still don't have any suspicious behaviour on my laptop), they make the computer a guest house for other malware. So what should I do? :-\

Should I wait some more days for Avast to respond, or delete it? I think I can lose the folder lock software for the sake of the other, more sensitive data on my laptop. >:(

Offline gautam7

Re: new rootkit infection
« Reply #43 on: July 07, 2010, 07:04:35 PM »
Hi everybody

Today I deleted the file with Avast. Then I rebooted and scanned, and this time Avast did not pick up the rootkit. Then I checked the folder lock software; it was also working fine. But the problem is, after I rebooted the computer some hours later and scanned again, this time Avast picked up the rootkit again. It seems that Avast is unable to delete the file... Any advice? Is it something to worry about that Avast missed it one time but picked it up again?

Offline essexboy

Re: new rootkit infection
« Reply #44 on: July 08, 2010, 08:56:14 PM »
I can delete the file, but be advised that the programme will become inoperative.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Check the box that says Scan All Users
  • Under the Custom Scan box paste this in

netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
c:\windows\syswow64\winFLdrv.sys
/md5stop


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs
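As an added example (not from this thread and not part of OTL), a small Python script that does what the /md5start block above asks OTL to do: hash the listed files, compare each against a reference MD5 taken from a vendor write-up such as the ThreatExpert report cited earlier, and, when a listed path is not found, show same-stem files in that folder so a hidden extension (winFLsrv versus winFLsrv.exe) becomes visible. The file contents and reference hashes in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile

def parse_md5_block(custom_scan):
    """Return the paths listed between /md5start and /md5stop in an OTL custom-scan list."""
    paths, inside = [], False
    for line in map(str.strip, custom_scan.splitlines()):
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            paths.append(line)
    return paths

def md5_of_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def check_files(paths, reference):
    """Return (basename, status, detail) per path: status is match/mismatch/unknown (no reference)/missing.
    A missing file's detail lists same-stem files in its folder, since Explorer hides known extensions."""
    out = []
    for p in paths:
        folder, name = os.path.split(p)
        if not os.path.isfile(p):
            stem = os.path.splitext(name)[0].lower()
            siblings = sorted(n for n in os.listdir(folder)
                              if os.path.splitext(n)[0].lower() == stem) if os.path.isdir(folder) else []
            out.append((name, "missing", siblings))
            continue
        actual, expected = md5_of_file(p), reference.get(p.lower())
        status = "unknown" if expected is None else ("match" if actual == expected else "mismatch")
        out.append((name, status, actual))
    return out

def demo():
    """Constructed sample in a scratch folder standing in for c:\\windows\\syswow64: winFLdrv.sys matches
    its reference MD5 (b"abc" -> 900150983cd24fb0d6963f7d28e17f72), altered.sys has one byte changed,
    and winFLsrv.exe exists but is listed without its extension, as in the thread."""
    with tempfile.TemporaryDirectory() as d:
        for fname, data in (("winFLdrv.sys", b"abc"), ("altered.sys", b"abd"), ("winFLsrv.exe", b"x")):
            with open(os.path.join(d, fname), "wb") as f:
                f.write(data)
        listed = [os.path.join(d, n) for n in ("winFLdrv.sys", "altered.sys", "winFLsrv")]
        scan = "/md5start\n" + "\n".join(listed) + "\n/md5stop\n"
        ref = {listed[0].lower(): "900150983cd24fb0d6963f7d28e17f72",
               listed[1].lower(): "900150983cd24fb0d6963f7d28e17f72"}
        return check_files(parse_md5_block(scan), ref)
```

A match against a vendor-published hash supports the false-positive theory; a mismatch or an unknown hash means the file should still be submitted for analysis rather than deleted.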