Author Topic: help with rootkit  (Read 3047 times)

0 Members and 1 Guest are viewing this topic.

critters09

  • Guest
help with rootkit
« on: July 21, 2010, 10:50:25 PM »
I am working on my mother-in-law's pc. Avast is giving a warning that malware was found. File name: C:\Windows\System32\ntdll.dll  malware type: rootkit
The recommended action is to move to chest. I tried this but then I get a "cannot process C:\Windows\System32\ntdll.dll specified file is read only".  What should I do now? Should I move the file or delete?
Thanks,

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88759
  • No support PMs thanks
Re: help with rootkit
« Reply #1 on: July 22, 2010, 12:08:52 AM »
Ensure that your virus definitions version is up to date this occurred a couple of days ago and was corrected in the next virus definitions update. Many topics about ntdll.dll in the viruses and worms forum.

Does your mother in-law not have the engine and virus definitions on auto update (the default setting as this should have automatically corrected the detection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

critters09

  • Guest
Re: help with rootkit
« Reply #2 on: July 22, 2010, 12:39:17 AM »
She does have auto update, however, she is on dial-up. I checked the log and it looks like the definitions were updated on 7-17-10. I can't even open the browser, let alone get online. I can't get past the avast warning screen. One time it let me get in to the avast screen where I was able to schedule a boot scan. The scan started fine but then froze up on Windows\system32\dllcache file.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88759
  • No support PMs thanks
Re: help with rootkit
« Reply #3 on: July 22, 2010, 01:33:38 AM »
There is something stopping the updates, the latest is 100722-1 released a couple of hours ago. Try a manual avast update.

The one in the dllcache location is a backup one so shouldn't be in use. The one in system32 is a system file and avast won't send that to the chest or delete it (and you shouldn't try to remove it either), so you should select No Action.

What avast version are you using 4.8 or 5.0 ?

What browser is she using as I believe this is related to IE using ntdll.dll, so you could try installing firefox, download on your system an transfer.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

critters09

  • Guest
Re: help with rootkit
« Reply #4 on: July 22, 2010, 02:02:46 AM »
She uses firefox. It is version 4.8. I just booted it up again. Got the avast warning. This time when I hit No action, it disappeared, the last time I tried it just froze up. I tried to open firefox and just sits there with the hourglass. I now notice that the indicator light on the front of the tower is blinking red. This is new.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88759
  • No support PMs thanks
Re: help with rootkit
« Reply #5 on: July 22, 2010, 02:57:48 AM »
Once you have booted if you get the alert select the No Action and don't try to do anything other than do a manual VPS update so as to get the latest VPS signature updates.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

critters09

  • Guest
Re: help with rootkit
« Reply #6 on: July 23, 2010, 01:44:30 PM »
I ended up doing a system restore. It wouldn't let me open a browser before it would just freeze up. Since doing system restore, I am no longer getting the warning, have updated avast and ran a thorough scan as well as Malwarebytes and Spybot. So far so good.
Thanks for all the help.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88759
  • No support PMs thanks
Re: help with rootkit
« Reply #7 on: July 23, 2010, 03:26:28 PM »
You're welcome.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security