#1 (permalink)
Member
Join Date: Dec 2011
Posts: 4
Avast! has been telling me there is a rootkit infection in my PC, something called rootkit-gen. Then, it asks me to press 1 to delete it, and so on. But when I press 1 (or 3, to put it in the vault), nothing really happens. I get a message to the effect that the operation is incompatible with this sort of file. TDSS Killer, otherwise, says that there is no infection. What to think? I will appreciate any help.
#2 (permalink)
Moderator
Join Date: Jul 2008
Location: India
Posts: 9,484
I think that you are talking about the boot time scan of Avast? It's because on boot time scan only, it gives the options numbered 1, 2 etc.
Does it give the location of the file that it tells to be infected? Please share the path of the file here, so that we can see which file it is flagging as rootkit. It's labeled as gen, so it can be a false positive, but cannot be sure, and have to be careful, since it's a rootkit. Please share the file name, and the path where it's located. To be sure, you can scan the system with a system rescue CD, like Kaspersky, which are available for free.
__________________
Anupam
#3 (permalink)
Foundation Editor/Forum Manager Intern
Join Date: Apr 2008
Location: Colorado, USA
Posts: 1,814
You could also try scans with Malwarebytes, SuperAntispyware, HitmanPro, or Emsisoft and see if they come up with any rootkits.
__________________
<-------Is looking for his brain....
#5 (permalink)
Member
Join Date: Dec 2011
Posts: 4
I ran a new boot scan with Avast! I got a message saying that C:\System volumen information\_restore {2F2...}...[ASPack] is infected by Win32:Rootkit-gen [Rtk]
Do you need the long string of letters and numbers in the path of the file? Thanks for any help.
#6 (permalink)
Foundation Editor/Forum Manager Intern
Join Date: Apr 2008
Location: Colorado, USA
Posts: 1,814
Two things:
1. Did you run any of the scans that I suggested above?
2. It appears that it might be in one of your restore points. I would recommend turning off System Restore so that it clears all of your restore points. Reboot. Then, if it boots clean, turn System Restore back on and make a new restore point.
__________________
<-------Is looking for his brain....
#8 (permalink)
Senior Member
Join Date: Nov 2009
Posts: 1,224
Quote:
Bo
#9 (permalink)
Site Manager
Join Date: Aug 2008
Location: South American Banana Republic, third bunch from the left
Posts: 9,250
There's a bit more information about this here:
http://forum.avast.com/index.php?topic=47662.0
To my knowledge, the Win7 2011 rogue AV can also trigger a (genuine) alert like this. IMO perhaps the most effective way to check out this system is to submit a HijackThis log to somewhere that can analyze it.
__________________
Knows nothing and cares even less
#10 (permalink)
Member
Join Date: Dec 2011
Posts: 4
Hello again. I did two things: 1) I ran a Malwarebytes scan. Result: three adware things, but no rootkit. 2) I cleared the restore points as kendall suggested. Then, I ran Avast! again (complete system scan). Result: no threats detected. I will run a reboot scan for a final check.
I appreciate a lot all your help. And, of course, I wish you a Merry Christmas and a Happy New Year!