Avast WEBforum
Other => Viruses and worms => Topic started by: Zlatan on March 24, 2009, 10:14:39 PM
-
Hi to all. I'm new to this forum and I hope that someone can help me. Maybe a month a go Avast informed me that a rootkit was found. I scanned all drives, but it didn't found anything. When I started working on my PC, Avast (again) informed me that a rootkit was found. I did boot scan - and again nothing. And every day same story. Five, or six days a go, I snapped - crushed down a system and reinstall Windows. Everything was just fine till today - "rootkit found" again. Any suggestions?!
-
Yes some more information, like the file name and location ?
The C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log file (open with notepad) contains info on the anti-rootkit scan.
The avast anti-rootkit scan runs 8 minutes after boot, so is this when it happens ?
If so the rootkit scan uses heuristics which aren't used in the conventional scans, so it isn't unusual that nothing was found in the conventional signature scans.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
-
Thanks. I'll try it, and I will tell you what happens.
-
And that information on the detection is ?
-
I guess he hasn't gotten that far yet. :(
-
Yes we are too darn quick ;D
-
I've tracked him - it's Win32:Rootkit-gen[RTK], and it was located on Windows\system32\x and \Windows\Temp\sig6.tmp. I moved them to a chest, but in folder \system32\ there is file \xcopy\. Should I remove it?
-
xcopy what ?
As what you have shown is a folder \xcopy\ not a file, that folder isn't in my XP Pro folder structure.
There is xcopy.exe in the \system32\ folder which is a legitimate windows file, so is that what you are talking about, see image ?
-
Hello. I suddenly am getting an Avast warning page. About 2 suspicious files, both are the system32 file, both have the same name the only difference is in the title of the driver file ( Drivers or drivers ). Their name is ovfsthmipwbkeypakosswqibvptyegewrduhbq.sys The capital D is a rootkit hidden file and the lower case d is a hidden service. the Avast warning recommends ignore and submit. How do I submit them, there is nothing to let me know that I have sent them to the lab. And when do I hear back from the lab if the files are OK or not. Thanks
-
They should be submitted automatically as part of the next auto update if you don't change the settings on that screen.
You can also do a manual update (probably better so no wait) and that will start the process off, first avast checks for updates and downloads any signatures and then it would upload the suspect files (and they are highly suspect). If you monitor the manual update you should see the upload process.
I would then suggest that you rename these files, place SUS (for suspect) in front of the existing file name. What this does is any registry entry or process that would be trying to run these file names wouldn't find them.
- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer (or you may not find them), Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.
Generally you don't get contacted when they are uploaded in this way as they don't have your email address the info uploaded is anonymous. What you would find that the file would be detected in the normal avast on-demand/boot-time or resident scans as a signature would be added to detect the previously suspect file. I highly doubt that they are OK.
What is your firewall ?
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should product a log file).
- 1. SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version.
- 2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe), right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
-
Yes it is \system32\xcopy.exe file. So it's legitimate Windows file?
-
Yes it is \system32\xcopy.exe file. So it's legitimate Windows file?
Did you submit it to www.virustotal.com? Which were the results?
It does not seem to be legitimate... but I could be wrong.
-
Yes it is \system32\xcopy.exe file. So it's legitimate Windows file?
You can check that by the file properties as in the image I posted in Reply #7
@ Tech it is a legitimate file name and location, see my earlier posts, whilst that doesn't say it is clean but avast didn't detect anything in the file and was just a suspicion by Zlatan. There is however nothing wrong with confirmation it is clean at virustotal.
That wouldn't confirm a legit MS File as that would require the file had a digital signature and not all MS files have this. Without Zlatan's OS and version number we couldn't even check the MD5 as that may be the only way to confirm it.
-
Virustotal says it's clean, and Avast doesn't report "Rootkit found" anymore. My OS is WindowsXP Black edition, sorry I didn't say that before - but as I told you in my first post - this is the first time that I'm on this forum. But definitely not the last! Thank you all guys for help.
-
You're welcome.