March 7, 2012 08:54 Hidden File After Multiple Rootkit Scans #194785
KDP11
Novice
Join Date: 7.3.2012
Posts: 9
Clicked on a legit looking email. AVG popped up to say it protected me. Thought I'd run a rootkit scan to be safe. Came back positive for rootkit. Clicked remove. Clicked yes to I'm sure. It was supposed to be ok. Ran another scan. Another hidden file with same tag comes up. They all look this way:

"";"C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WPF127.tmp";"Hidden file";"Reboot is required to finish the action"

"";"C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WPF3223.tmp";"Hidden file";

"";"C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WPF40.tmp";"Hidden file";"Reboot is required to finish the action"

"";"C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WPFAB.tmp";"Hidden file";"Object is inaccessible."


It keeps saying it's taken care of upon reboot, but a new hidden rootkit file shows up with a slightly different ending number before .tmp every time I run a new rootkit scan.

Am I ever going to be safe and rid of this?
March 7, 2012 15:39 Re: Hidden File After Multiple Rootkit Scans #194829
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello KDP11,

You may delete content of C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ folder manually.

Also, please provide us with both Gmer scan results, Msinfo output and AVG Anti-Virus scan results for further analysis.

Thank you

___________________
AVG Team | How-To articles | FAQ | Free Support | We Protect Us
March 7, 2012 16:25 Re: Hidden File After Multiple Rootkit Scans #194833
KDP11
Novice
Join Date: 7.3.2012
Posts: 9
Hidden Rootkit Files..

I will send all those to you. I will also send email link I think it came from to virus@avg.

One of the scan results was different

"";"C:\WINDOWS\system32\DRIVERS\Lbd.sys";"Service function NtCreateKey hook -> Lbd.sys +0x87E";"Object is inaccessible."

"";"C:\WINDOWS\system32\DRIVERS\Lbd.sys";"Service function NtSetValueKey hook -> Lbd.sys +0xBFE";"Object is hidden"

I have since run disk cleanup and another AVG rootkit scan. It comes back clean. Sorry I'm a novice. Should I be worried?
March 7, 2012 20:33 Re: Hidden File After Multiple Rootkit Scans #194865
Dusan Obert
Administrator
Join Date: 12.8.2009
Posts: 1595
Hello KDP11,

Lbd.sys belongs to Lavasoft's Ad-aware. This detection is correct but it is most likely a legitimate part of the program.
Please note that not all rootkit detections are a threat. You can read more here: Anti-Rootkit False Positives part.

Please also note that using more than one security software with an active resident part is not recommended and can cause conflicts and unpredictable computer behavior.

To allow us to check for any other active threats, provide us with the requested outputs.

Thank you
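The result rows quoted in this thread share one layout: four double-quoted fields separated by semicolons, with the status field sometimes left empty. As an added example (not part of the original posts and not AVG's own code), this Python sketch parses such rows and groups hidden files by folder and service-function hooks by driver for review; the function names and the `KNOWN_DRIVERS` table are assumptions, and its single entry is the Lbd.sys attribution given in the reply above.

```python
import csv
import ntpath
import re
from collections import defaultdict

# Rows copied from the scan output quoted in this thread.
SAMPLE = r'''
"";"C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WPF127.tmp";"Hidden file";"Reboot is required to finish the action"
"";"C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WPF3223.tmp";"Hidden file";
"";"C:\WINDOWS\system32\DRIVERS\Lbd.sys";"Service function NtCreateKey hook -> Lbd.sys +0x87E";"Object is inaccessible."
"";"C:\WINDOWS\system32\DRIVERS\Lbd.sys";"Service function NtSetValueKey hook -> Lbd.sys +0xBFE";"Object is hidden"
'''

HOOK_RE = re.compile(r"Service function (\w+) hook -> (\S+) \+0x([0-9A-Fa-f]+)")
# Attribution stated in the thread; a file-name match is a triage hint, not proof.
KNOWN_DRIVERS = {"lbd.sys": "Lavasoft Ad-Aware"}

def parse_rows(text):
    """Parse semicolon-separated, double-quoted result rows into dicts."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for rec in csv.reader(lines, delimiter=";", quotechar='"'):
        rec += [""] * (4 - len(rec))  # the status column may be missing
        _, path, finding, status = rec[:4]
        row = {"path": path, "finding": finding, "status": status, "kind": "other"}
        m = HOOK_RE.fullmatch(finding)
        if m:
            row.update(kind="hook", function=m.group(1), module=m.group(2),
                       offset=int(m.group(3), 16))
        elif finding == "Hidden file":
            row["kind"] = "hidden_file"
        rows.append(row)
    return rows

def triage(rows):
    """Group hidden files by folder and hooks by driver; label known drivers."""
    hidden = defaultdict(list)
    hooks = defaultdict(list)
    for r in rows:
        if r["kind"] == "hidden_file":
            hidden[ntpath.dirname(r["path"])].append(ntpath.basename(r["path"]))
        elif r["kind"] == "hook":
            hooks[r["module"].lower()].append((r["function"], r["offset"]))
    vendors = {d: KNOWN_DRIVERS.get(d, "unattributed") for d in hooks}
    return dict(hidden), dict(hooks), vendors

if __name__ == "__main__":
    print(triage(parse_rows(SAMPLE)))
```

Grouping this way separates the two kinds of finding seen in the thread: repeated hidden temporary files in one cache folder, and registry-related service hooks that all point into a single driver.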
March 7, 2012 22:29 Re: Hidden File After Multiple Rootkit Scans #194875
KDP11
Novice
Join Date: 7.3.2012
Posts: 9
I'm sorry for the Ad-Aware. I installed and ran it to double check. It was removed before all scans I'm sending. The anti-rootkit has been run twice since the last gmer scan I'm sending. It has come back negative both times. I finally found the temporary file content.ie5. I will delete all files again to be sure.

Not sure if it will help, but this started after a youtube spam letter about top videos.

Thank you for your time and wonderful support. I just hope I scanned and compressed everything correctly. Once again, sorry I'm computer stupid. Thank you so much.
March 8, 2012 12:02 Re: Hidden File After Multiple Rootkit Scans #194911
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello KDP11,

Please check which browser addons are installed. These files may be continuously downloaded by some malicious add-on.

Scanning your computer with updated AVG Rescue CD may also help.

Are you also accessing some possibly suspicious website?

Thank you.
March 8, 2012 16:48 Re: Hidden File After Multiple Rootkit Scans #194951
KDP11
Novice
Join Date: 7.3.2012
Posts: 9
I run latest Mozilla Firefox browser. I don't access suspicious websites. I clicked on one valid looking email I thought was from youtube. Should I run a rescue cd? I have run multiple anti virus and anti rootkit scans. They keep coming back as no threats detected. Is there something bad on my computer? Please help.
March 9, 2012 04:43 Re: Hidden File After Multiple Rootkit Scans #194979
KDP11
Novice
Join Date: 7.3.2012
Posts: 9
I just want to know if the scans revealed anything I should be concerned about. The post from the moderator suggested maybe running a rescue cd, but the reasons weren't clear. The only add ons I run are from avg safe search and a super cookie safeguard. I don't visit "suspicious sites".

As I said before, I've run multiple AVG computer and rootkit scans. Since I deleted ie.5 content files, the AVG scans come back as no sign of infection. Is there a need to run a rescue cd? I just want to be told the reasons before I do. I need the experts to give me the steps. Thank you.
March 9, 2012 09:52 Re: Hidden File After Multiple Rootkit Scans #194995
Pokornyz
Administrator
Join Date: 29.11.2010
Posts: 8235
Hello KDP11,

No, there is no need to run a scan from AVG Rescue CD. If all scans are clean, then your computer is most likely cleaned.

Thank you
March 14, 2012 17:40 Re: Hidden File After Multiple Rootkit Scans #195386
KDP11
Novice
Join Date: 7.3.2012
Posts: 9
I'm sorry for bothering again, but this keeps happening. I was all clear for 5 days after manually deleting all the temp content ie5 files I could, turning off auto restore, running multiple anti virus and anti rootkit scans and rootkit killer software. I haven't downloaded anything. I haven't gone to any suspicious sites. No suspicious emails. Then out of the blue these temporary internet content ie5. w****. tmp files come up on the rootkit scans again. I do what it says in the AVG prompt, but they keep coming back today. Are they respawning somehow? What type of rootkit is this? What can I do?