Topic: lac97inf.sys infected with Win32:Rootkit-gen!  (Read 6358 times)


CrazyNekoRun

lac97inf.sys infected with Win32:Rootkit-gen!
« on: April 14, 2008, 01:18:09 AM »
Okay, I'm freaking out a little here. My computer was lagging at first and then I restarted it - but it wouldn't turn on. I restarted it again and it wanted to go into safe mode, so I just turned it off and on. And as soon as I got on, it told me I had malware. C:\DOCUME~1\CJ\LOCALS~1\Temp\lac97inf.sys was reported as infected with Malware, and identified as Win32:rootkit-gen [Rtk]. I can't remove it because it says the file is being used by another process. I can't move it or anything.

I also ran Avira's Rootkit scan, but nothing popped up.

A friend told me sometimes Avast picks up false positives. Is this one of them? I want to be sure I don't get any backdoor viruses. D:

I ran HijackThis and my log is in the attachment. I hope someone can help me soon. Is this really a Rootkit or not? And if it is, help me get rid of it or move it! D:

Lisandro (Avast team)
Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #1 on: April 14, 2008, 01:20:30 AM »
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com.
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
Another possibility is Jotti. VirusTotal and Jotti both have a file size limit of 10 MB.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list. But I wouldn't do it for a temporary file...

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586
The best things in life are free.

CrazyNekoRun

Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #2 on: April 14, 2008, 01:48:27 AM »
I tried uploading the file to VirusTotal and Jotti. It said 0 bytes popped up when I chose to upload C:\Documents and Settings\CJ\Local Settings\Temp\lac97inf.sys, and when I went to Browse and tried to open it that way, the malware warning popped up again. VirScan.org doesn't work either. My friend speculates that Avast is not letting me upload the file at all, even if I copy and paste the path.

I also used the Avast! AntiRootkit, but nothing popped up when I ran the scan. (This is after Avast 4.8 picked it up and I chose No Action.)

DavidR (Avast Überevangelist)
Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #3 on: April 14, 2008, 01:56:53 AM »
Did you pause the Standard Shield just before you uploaded (and re-enable it once uploaded)? This may allow the file to be uploaded and not result in the 0-byte file size. However, if it was avast, I would have thought you would have got an alert as you tried to upload it.

There is some malware that also blocks uploading, as we have seen similar behaviour when trying to upload to VT.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest (or copy from another location) to this folder and upload it to VirusTotal without avast alerting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

CrazyNekoRun

Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #4 on: April 14, 2008, 02:07:23 AM »
Thanks guys. That really helped out. Alright, here are the results:

http://www.virustotal.com/analisis/ca3058588b30918c5741da4c9a135b84

Overall, only Avast seems to detect it, so I suspect it's a false positive. Anyone else helping to confirm this with their ideas would be great. And then I'll send an email about it as soon as possible. I feel much better now after this.

Lisandro (Avast team)
Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #5 on: April 14, 2008, 02:34:35 AM »
Overall, only Avast seems to detect it, so I suspect it's a false positive.
Yeah... seems a false positive indeed.

CrazyNekoRun

Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #6 on: April 14, 2008, 02:38:15 AM »
Thanks a lot for the confirmation. I'm trying to send them an email right now...

But... apparently I can't upload it with Gmail because it's an exe file. Any other alternative ways to attach the file? I thought VirScan.org could turn it into a zip, but I'm not sure how. D:

Edit: Never mind. I believe it sent through Hotmail. Thanks again, you guys!
« Last Edit: April 14, 2008, 03:04:06 AM by CrazyNekoRun »

Maxx_original (Moderator)
Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #7 on: April 14, 2008, 09:34:10 AM »
Doing the Google search for "lac97inf.sys" I saw many suspicious hits... It seems to be a part of Logitech software and drivers, but why would it be located (permanently) in the temp folder? And it must do something strange, when it was picked up by antirootkit...

CrazyNekoRun

Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #8 on: April 16, 2008, 12:53:05 AM »
Doing the Google search for "lac97inf.sys" I saw many suspicious hits... It seems to be a part of Logitech software and drivers, but why would it be located (permanently) in the temp folder? And it must do something strange, when it was picked up by antirootkit...

Really now? I mean, like I said, it doesn't seem to be caught by any other anti-virus other than Avast. I have a few pieces of Logitech software. Avast Antirootkit doesn't catch it, Avira doesn't catch it, and Avira's rootkit search doesn't catch it. Other anti-viruses don't seem to have caught it. It seems most likely a false positive, caused by the Logitech software/drivers. Right?

I sent the email so I hope it'll be taken care of in the new update. I got the warning again. D:

What else do you think it could be?
« Last Edit: April 16, 2008, 02:36:40 AM by CrazyNekoRun »

Fulks

Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #9 on: April 16, 2008, 10:12:48 AM »
This is CNR's friend. The part that concerns me, upon having a second look at search results for lac97inf, is that the only place this filename seems to turn up is in temp folders of people complaining they have spyware problems. Some others, in asking for advice on spyware removal, have been told to remove that file in addition to a number of other things. The only strange thing about you is that your HijackThis log is almost spotless: there isn't even a reference to 'lac97inf' in the log, and no processes sticking out as abnormal.

My other thought is, if this is a legitimate driver or file, what is it doing in the temp folder? It should be in a system directory or program directory. Of course, DON'T put the file in any sort of system directory, since my suspicion is it doesn't belong there. While one website states this driver may be used by Windows, it never cites a specific application or process, there's no reference to it in any search I've done on Microsoft, and one other site lists the file as 'dangerous', though the program offered on that site itself seems fishy. I don't think it's causing troubles, but I do think it needs to be removed. What we need is a program that will free it from whatever other source is using it, and, at that, find out what is using it that makes it unremovable. It may also give us a clue as to what its purpose is and, if dangerous, how to get rid of it.

I'd like to hear what an expert thinks about this.
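The points the thread weighs when deciding whether a flagged driver is a false positive (where the file sits, whether it is really a kernel driver, whether the publisher can be checked, and a hash for a multi-engine lookup as Lisandro suggested) can be collected with a small script. This is an added example, not code from anyone in the thread; the function names are my own, and the sample bytes are a constructed minimal PE32 header standing in for the real lac97inf.sys, not the actual file.

```python
import hashlib
import struct
from pathlib import PureWindowsPath

IMAGE_SUBSYSTEM_NATIVE = 1   # kernel-mode drivers target the NATIVE subsystem
SECURITY_DIR = 4             # data-directory slot that holds the Authenticode signature

def sha256_hex(data: bytes) -> str:
    """Hash for a multi-engine lookup (VirusTotal, Jotti) when the upload itself fails."""
    return hashlib.sha256(data).hexdigest()

def parse_pe(data: bytes) -> dict:
    """Read the few PE header fields that matter when triaging a suspect .sys."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]    # same offset in PE32 and PE32+
    dirs = opt + (96 if magic == 0x10B else 112)               # data directories start here
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    sec_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)[1] if ndirs > SECURITY_DIR else 0
    return {"machine": machine, "characteristics": chars, "subsystem": subsystem,
            "is_native_driver": subsystem == IMAGE_SUBSYSTEM_NATIVE, "has_authenticode": sec_size > 0}

def triage(path: str, data: bytes) -> list:
    """Observations a false-positive triage weighs: where the file sits, what it is, who signed it."""
    info = parse_pe(data)
    findings = []
    if "temp" in (part.lower() for part in PureWindowsPath(path).parts):
        findings.append("lives in a Temp folder; installed drivers normally sit under System32\\drivers")
    if info["is_native_driver"]:
        findings.append("NATIVE subsystem: a kernel-mode driver, so a detection here deserves care")
    if not info["has_authenticode"]:
        findings.append("no embedded Authenticode signature; the publisher cannot be verified from the file")
    return findings

def build_sample_driver() -> bytes:
    """Constructed minimal PE32 image standing in for the real lac97inf.sys (not the actual file)."""
    mz = bytearray(b"MZ" + bytes(62))
    struct.pack_into("<I", mz, 0x3C, 64)                           # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_NATIVE)
    struct.pack_into("<I", opt, 92, 16)                             # 16 directories, all empty: unsigned
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(triage(r"C:\Documents and Settings\CJ\Local Settings\Temp\lac97inf.sys", build_sample_driver()))
```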

DavidR (Avast Überevangelist)
Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #10 on: April 16, 2008, 01:40:08 PM »
Well, I would try Unlocker (http://ccollomb.free.fr/unlocker/). It is also good because it has a few additional features: not only to delete the files but also to stop any process that is preventing you from deleting a file.

So it should be able to say what is using it in order to be able to stop that process, etc.

Maxx_original (Moderator)
Re: lac97inf.sys infected with Win32:Rootkit-gen!
« Reply #11 on: April 16, 2008, 02:24:55 PM »
We decided to remove the Rootkit-gen detection on this file...