Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: x2397 on August 01, 2012, 05:55:03 PM

Title: rootkit found
Post by: x2397 on August 01, 2012, 05:55:03 PM
Avast updated today to def version 120801-0 and suddenly a red message popped up (not from the system tray, it is on my screen) saying there are 2 rootkits found: filename SVC: gupdai, rootkit name Rootkit:, and it gives me two actions to take: delete now or ignore. I can't move the files to chest. The thing is that I just reformatted my pc so my system should be clean. I already did a full system scan after I had reformatted a day ago and it came out clean. Is this a bug?
Title: Re: rootkit found
Post by: mchain on August 01, 2012, 06:26:12 PM
Hi x2397,

Avast will run a rootkit scan 8 minutes in after a cold start (system startup).  SVC: gupdai is a service detected by Avast! as a malicious (hidden?) service running on your system.

Screenshot of message or file path of file detected?
Title: Re: rootkit found
Post by: x2397 on August 01, 2012, 06:31:09 PM
Here is a screenshot.
Title: Re: rootkit found
Post by: mchain on August 01, 2012, 06:50:58 PM
Have a look here at http://forum.avast.com/index.php?topic=53253.0, download and run the first three programs (Malwarebytes, OTL, aswMBR.exe) and attach the logs in your next reply.
Title: Re: rootkit found
Post by: x2397 on August 01, 2012, 06:51:51 PM
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.01.05

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Biohazard :: BIOHAZARD-PC [administrator]

8/1/2012 12:00:28 PM
mbam-log-2012-08-01 (12-00-28).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 270645
Time elapsed: 23 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Title: Re: rootkit found
Post by: x2397 on August 01, 2012, 07:46:21 PM
Here are the logs for OTL.
Title: Re: rootkit found
Post by: x2397 on August 01, 2012, 07:54:04 PM
asw log
Title: Re: rootkit found
Post by: essexboy on August 01, 2012, 09:29:26 PM
That looks like a false positive. Could you expand the path so that we can get the file name?
Title: Re: rootkit found
Post by: x2397 on August 01, 2012, 09:32:56 PM
I pressed ignore so that I could close the window for the OTL scan. I can't pull up the log since I can't find it in Avast; no log was generated for it. Do you know how I could pull up the log or the file name?
Title: Re: rootkit found
Post by: essexboy on August 01, 2012, 09:41:48 PM
The log will be located at C:\ProgramData\AVAST Software\Avast\log\aswAr. This is a hidden folder, so you will need to unhide hidden folders to see it.
Title: Re: rootkit found
Post by: x2397 on August 01, 2012, 09:49:40 PM
I attached the log.
Title: Re: rootkit found
Post by: essexboy on August 01, 2012, 09:58:36 PM
Quote:
    Service gupdate [C:\Program Files]  **HIDDEN**
    Service gupdatem [C:\Program Files]  **HIDDEN**

They are both Google services associated with Chrome and other Google programmes, although why they are hidden I do not know.

Scan the following file with Avast:

%ProgramFiles%\Google\Update\GoogleUpdate.exe
Title: Re: rootkit found
Post by: x2397 on August 01, 2012, 10:02:53 PM
I followed the path, but the Google folder is empty and I already disabled the hidden files.
Title: Re: rootkit found
Post by: essexboy on August 01, 2012, 10:05:58 PM
OK, I can see the problem now. I just checked the OTL and there are no Google services there. What I feel we have here is an orphan entry in the current control set that points nowhere. Hence Avast is a tad concerned.

Next time you see it, set it to ignore.
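The kind of check that confirms this diagnosis, as an added example that is not from the thread, from Avast or from any of the tools mentioned above: a read-only PowerShell script that walks the service entries under the CurrentControlSet, resolves each ImagePath, and reports entries whose executable no longer exists on disk (the "orphan entry that points nowhere") or which the Service Control Manager does not enumerate (what aswMBR labels **HIDDEN**). The function and variable names are my own; run it from an elevated prompt.

```powershell
# Added example, not from the forum thread: find service registry entries whose
# ImagePath points to a missing file, and Win32 service entries that Get-Service
# (the SCM) does not return. Read-only; it changes nothing on the system.

$regRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Names the Service Control Manager is willing to enumerate (Win32 services only)
$scmNames = @{}
foreach ($s in Get-Service) { $scmNames[$s.Name.ToLower()] = $true }

function Resolve-ImagePath {
    # Turn a raw ImagePath value into an absolute file path, dropping arguments.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())

    if ($p.StartsWith('"')) {
        # Quoted path: everything up to the closing quote is the file name
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) } else { $p = $p.Trim('"') }
    } else {
        # Unquoted path (possibly with spaces): cut at the first .exe/.sys/.dll
        $m = [regex]::Match($p, '^(.*?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }

    # Driver entries use NT-style or system-root-relative paths
    if     ($p -match '^\\SystemRoot\\')      { $p = $p -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($p -match '^\\\?\?\\')            { $p = $p -replace '^\\\?\?\\', '' }
    elseif ($p -notmatch '^[A-Za-z]:\\')      { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($key in Get-ChildItem $regRoot) {
    $name  = $key.PSChildName
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $type  = $props.Type
    # Keys without a Type value are not service definitions (e.g. parameter subkeys)
    if ($null -eq $type) { continue }

    # SERVICE_WIN32_OWN_PROCESS (0x10) / SERVICE_WIN32_SHARE_PROCESS (0x20)
    $isWin32 = (([int]$type) -band 0x30) -ne 0

    $path      = Resolve-ImagePath $props.ImagePath
    $missing   = ($null -eq $path) -or -not (Test-Path -LiteralPath $path)
    $notInScm  = $isWin32 -and -not $scmNames.ContainsKey($name.ToLower())

    if ($missing -or $notInScm) {
        [pscustomobject]@{
            Service       = $name
            Type          = ('0x{0:X}' -f [int]$type)
            ImagePath     = $props.ImagePath
            ResolvedPath  = $path
            FileMissing   = $missing
            NotEnumerated = $notInScm
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

A Win32 entry with FileMissing set to True is exactly the leftover this thread describes: the registry key survived a reformat or an incomplete uninstall while the binary it names is gone, so an anti-rootkit scanner sees a service definition it cannot match to anything running. Two caveats: services hosted by svchost.exe resolve to the host binary, so a missing ServiceDll under the key's Parameters subkey is not caught by this check, and a driver entry with no ImagePath at all is reported as missing even though Windows would default it to System32\drivers\<name>.sys. Treat the output as a list to verify, not a list to delete.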
Title: Re: rootkit found
Post by: x2397 on August 01, 2012, 10:10:11 PM
Thank you for all your help; your instructions were easy to understand and useful. Thank you for solving my problem.
Title: Re: rootkit found
Post by: essexboy on August 01, 2012, 10:28:05 PM
My pleasure, enjoy.