Windows 7: Problem with rootkit win32k.sys

I seem to be having this problem with a rootkit. The rootkit in question is actually a file that AVG claims is "hidden". avast!, SUPERAntispyware and malwarebytes do not seem to detect it. I have tried formatting the disc using the TOSHIBA recovery disc I created. the rootkit is still there.



Attatched is the AVG scan log.

However I don't understand how I got it. I have COMODO Free Firewall, AVG Free, avast! Free, SUPERAntispyware Free, Malwarebytes Anti Malware and IObit Malware Fighter Free.

Thanks in advance

stupot65

Keep and run 1 A/V only ( even A/Vs which are not running real time can cause conflicts)
Run either a HIPPS or a BB, but not both for the same reason.
You can have a few on demand only malware scanners, but not active.
Surf from a SUA account only.
Sandboxie is your friend.
I think that file is a part of windows ( not bad )

You may want to read up on this file first before trying to remove it.

What is the win32k.sys file?

With multiple av programs on you likely now see AVG reporting a false positive if no other program is detecting any malwares on the system. The variation of that being the "C:\WINDOWS\win32k.sys:2" is known to be a ZeroAccess rootkit.

The win32k.sys file however is a Windows driver that seems to be corrupted where you could expand a fresh copy from the 7 dvd at the command prompt to the bad file replaced. The information on the two different files can be seen at win32k.sys - win32k.sys:2 - Program Information

thanks for that

Windows 2000, XP, and Vista as well as 7 all see the exact same NT form of driver. You can find that in the "C:\Windows\System32\" folder on each of the versions.

The AVG log shows that the file was found corrupted not infected by or being a malware where the reformat of the drive and recovery clean install would see the fresh copy of that as well as every other main file go back on. This is why the other programs failed to detect it being a normal system file you would expect to see.

I bet you are running better now however. As far as av programs it's always best as elstupido pointed out to have only one on at a time due to the often seen software clashes. Most installers will automatically prompt on seeing another program removed first before the install will continue.

avg is the only fully installed one. the rest are installed in compatible modes

Stop the process in Task Manager, then un-install IObit\Advanced SystemCare

I had the Advanced System Care on here for a bit along with the free edition of AVG a couple of years back and never had any real problems. But the mesh even in compatibiliy mode of all the programs conbined isn't good.

This is one reason I went with a newer program(VIPRE Internet Security 2012 presently on) someone recommended and found it covers more then several combined! The ASC program wasn't even on the retail 7 but had been on Vista along with AVG at the time and later while running the 7 beta builds.

If the log from the scan was seen before you used the recovery option it wouldn't matter now since AVG was pointing at a corrupted file. If still seeing the same the recovery may not have been as full leaving the driver file needing replacement if other problems are appearing.

Between a run of the System File Checker using the sfc /scannow command at the Start>Run command line while having the 7 disk in the drive and even booting live for the Repair tools to run the Startup repair tool may see the file replaced for you if you are running into start up problems.