Topic: Suspicious Files Found! - Rootkit: hidden file

prong
Suspicious Files Found! - Rootkit: hidden file
« on: November 21, 2008, 08:16:20 PM »
Hi, I really hope someone can help me out with this...

I'm using avast! 4.8.1290, VPS 081120-0 and Windows XP Home SP2

A couple of days ago I updated avast! (program and database), and ran a thorough scan. After a few minutes I got the following message:

Quote
avast! Warning
Suspicious Files Found!
Suspicious files have been detected (using a heuristic method). This may be a sign of malware infection. Please allow the files to be submitted to our virus lab for analysis.

There were 117 files listed as 'Rootkit: hidden file' (see attached list), and the option to Delete or Ignore. After some quick research on Google, it looked as if at least some of the files were legit, so I clicked 'Ignore'. I then received this message:

Quote
avast! has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active, it is strongly recommended that you restart the computer and let avast! scan all your data in the boot phase, before the virus can be activated. Do you want to schedule the boot-time scan and restart the computer?

I clicked 'yes', avast! ran the boot-time scan but it found nothing.
I then took a look at the avast 'Warning' log to try and see what caused the above warning message, and in addition to the aforementioned 'Rootkit: hidden file' entries, it said: 'Sign of "<" has been found in'...listing the location as the same as all 117 of the Rootkit entries, each one followed by '||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||'. Take a look at the second attachment to see what I'm on about   ;D

I tried running a thorough scan again, and exactly the same thing happened. Weirdly though, the antirootkit scan that avast! performs automatically after start-up never detects anything.

Anyone know what's going on here? Any help would be much appreciated.

essexboy
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #1 on: November 21, 2008, 08:32:18 PM »
Do you have an Acer ?

julieinwv
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #2 on: November 21, 2008, 08:46:20 PM »
Prong,

Sounds like what happened to me.

prong
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #3 on: November 21, 2008, 09:17:03 PM »
Yeah, I'm using an Acer. I'm guessing that means the first few files on the list are false positives - my googling suggested they were Acer-related files. Still not sure about all the others though.

essexboy
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #4 on: November 21, 2008, 09:40:42 PM »
The others are related to Windows PID data

yearcalendar
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #5 on: November 22, 2008, 08:17:47 AM »
I am having the same problem too. :(

waiting to see if updates will solve the problem if these are FPs

Tech (avast! team)
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #6 on: November 22, 2008, 10:34:37 AM »
Quote
I am having the same problem too. :(
Did you send the files for analysis?
The best things in life are free.

yearcalendar
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #7 on: November 22, 2008, 12:36:50 PM »
Quote
I am having the same problem too. :(
Did you send the files for analysis?

Yep. Actually, I did a rescan quite a few times. Ooops.. LOL. Every time Avast rescans, it sends out the files for analysis (I ticked the check box).

Tech (avast! team)
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #8 on: November 22, 2008, 01:35:43 PM »
Quote
Every time Avast rescans, it sends out the files for analysis (I ticked the check box).
Hope they correct and improve detection soon.
The best things in life are free.

prong
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #9 on: November 22, 2008, 04:07:17 PM »
Quote
The others are related to Windows PID data

That explains the files in the \SoftwareDistribution\Download\ folder, and I've subsequently figured out that the files in \twain_32.dll\stdsc\ relate to an old webcam, and the files in \twain_32.dll\escndv\ are Epson scanner drivers. So it looks as if all of those supposed Rootkit: hidden files were false positives. However, I ran a scan again this time selecting the options to submit the files to the virus lab, and to Ignore the files and not be told about them in the future, and I still received the warning message about a virus in the operating memory, and the log entry about 'Sign of "<" has been found in'...etc.  ???

Is the 'virus' in the memory just avast! thinking there's still a rootkit present? And is the file with 'Sign of "<", with all the '||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||'s in it, something generated by avast!?

Vlk (Global Moderator, ALWIL Software)
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #10 on: November 24, 2008, 04:42:45 PM »
The "|COO1||COO2|" etc. thing was fixed in the 1290 build, but chances are the log entries come from a previous version.

Or do you disagree?
If at first you don't succeed, then skydiving's not for you.

prong
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #11 on: November 24, 2008, 06:53:27 PM »
Quote
The "|COO1||COO2|" etc. thing was fixed in the 1290 build, but chances are the log entries come from a previous version.

Or do you disagree?

The problem only started after I updated to the 1290 build. I tried to scan again today (build 1290, VPS 081123-0), and I'm still getting the same problems, only rather than 'Sign of "<" has been found in...', the log now says 'Sign of "#" has been found in...' followed by multiple instances of ||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||

prong
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #12 on: November 28, 2008, 04:46:30 PM »
Updated to build 1296, and the problem remains  :(

Should I just manually add all those FPs to the exclusions list? Will that stop the 'virus in operating memory' warning?

prong
Re: Suspicious Files Found! - Rootkit: hidden file
« Reply #13 on: January 02, 2009, 02:37:35 PM »
Re: http://forum.avast.com/index.php?topic=40382.msg347020#msg347020

Since updating to VPS 081229-0, the problem now seems to be solved. Many thanks to Vlk and the Avast team for getting this sorted out.

And yes, my Windows volume is formatted as FAT32.
