Author Topic: Rootkit Found  (Read 5182 times)


rm15

  • Guest
Rootkit Found
« on: June 26, 2011, 05:37:01 PM »
C:\WINDOWS\system32\drivers\ndisuio.sys

"A suspicious hidden object (rootkit) has been detected on your system..."

I opened up Avast and did a scan of the drivers folder and nothing was found.

I'm not sure what to do here.
« Last Edit: June 26, 2011, 05:40:56 PM by rm15 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Rootkit Found
« Reply #1 on: June 26, 2011, 07:06:22 PM »
The problem being that this detection appears to have come from the anti-rootkit scan, and that uses heuristic methods not used in the conventional scanner.

Was this image example the same (other than file name) as the one that was displayed?

And in the top left, was it Suspicious File Found or definitely Rootkit Found?

Are you using XP?
As this file name is associated with it, though that isn't a guarantee it is good; it does make deletion as an option more risky, so Ignore would be the safer option for now.

See http://www.file.net/process/ndisuio.sys.html and http://www.processlibrary.com/directory/files/ndisuio/25623/
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

rm15

  • Guest
Re: Rootkit Found
« Reply #2 on: June 26, 2011, 08:49:47 PM »
The image example you've posted is the same, except the text in the upper left is "Rootkit found" rather than "Suspicious file found" (as in your example).

I am using XP.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Rootkit Found
« Reply #3 on: June 26, 2011, 09:56:30 PM »
OK, there is a chance that this is a legit file so don't act in haste and repent at leisure.

Now when this happens again, try clicking the Advanced option. I don't know if in avast6 there is a submit for analysis as there used to be in avast5, see image1 for an example of the avast5 alert. If so, then opt to send it for analysis and for the time being select Ignore as the option. But do not select 'Do not tell me about this rootkit in the future.' Otherwise you would never know if the avast analysis corrected this detection.

I have XP Pro SP3 and I'm not getting any alert on this during the anti-rootkit scan (approx 8 minutes after boot), and I have that C:\WINDOWS\system32\drivers\ndisuio.sys file. See image2 for info on the file on my system, does yours match?

See image3 as that driver file is running under explorer.exe.

So I'm at a bit of a loss as to what is happening on your system.

rm15

  • Guest
Re: Rootkit Found
« Reply #4 on: June 26, 2011, 10:28:04 PM »
I am running XP Pro sp2 and the version of my file is:

5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

I'm also running Avast 5.1 and I've left the original "rootkit found" window open so I will submit it for analysis and then select "ignore" for now.
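As an added example (not from either poster), a PowerShell check that gathers the same file details DavidR asked rm15 to compare in reply #3. The path is the one from the first post and the expected version string is the one rm15 reported above; both are taken from this thread, not from any reference catalogue.

```powershell
# Added example: collect version, size, timestamp and signer details for the driver the
# anti-rootkit scan flagged, so they can be compared with a known-good system.
$path = 'C:\WINDOWS\system32\drivers\ndisuio.sys'
# Version string rm15 reported for XP SP2 in reply #4 (from the thread, not a catalogue).
$expectedVersion = '5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)'

$file = Get-Item -LiteralPath $path -ErrorAction Stop
$info = $file.VersionInfo

# Version and vendor strings are ordinary file metadata that malware can copy, so a match is
# a first filter, not proof that the file is legitimate.
"File version : {0}" -f $info.FileVersion
"Company      : {0}" -f $info.CompanyName
"Description  : {0}" -f $info.FileDescription
"Size (bytes) : {0}" -f $file.Length
"Modified     : {0}" -f $file.LastWriteTime

if ($info.FileVersion -eq $expectedVersion) {
    "Version matches the XP SP2 string reported in the thread."
} else {
    "Version differs from the thread's XP SP2 string; compare against your own service pack level."
}

# Authenticode check. Many in-box Windows drivers are catalog-signed rather than carrying an
# embedded signature, so 'NotSigned' on its own is not evidence of tampering. 'HashMismatch'
# (an embedded signature that no longer matches the file contents) is the status that warrants
# a closer look.
$sig = Get-AuthenticodeSignature -FilePath $path
"Signature    : {0}" -f $sig.Status
if ($sig.SignerCertificate) {
    "Signer       : {0}" -f $sig.SignerCertificate.Subject
}
```

Run it on the machine that raised the alert and on a clean machine at the same service pack level; the two outputs are what DavidR's "does yours match?" is asking about.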

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Rootkit Found
« Reply #5 on: June 26, 2011, 11:45:51 PM »
OK, that is a good start.

But you really need to bring your OS up to date as your XP SP2 system no longer gets security updates leaving you more vulnerable to OS exploits.

The same is true of not running the latest version of avast, as it offers better levels of protection.

rm15

  • Guest
Re: Rootkit Found
« Reply #6 on: June 27, 2011, 02:33:32 AM »
I've ignored the alert, but did not tell avast to ignore this issue in the future.  After submitting the info for analysis, I was prompted to do a boot-time scan, which turned up nothing.  Shouldn't the same rootkit have shown up?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Rootkit Found
« Reply #7 on: June 27, 2011, 03:29:25 AM »
Not necessarily, as the rootkit scan that runs 8 minutes after boot has more information when it is using its heuristic methods. Essentially it can compare against Windows APIs that may not be available to the boot-time scan.

So the next rootkit scan should pick it up again.

rm15

  • Guest
Re: Rootkit Found
« Reply #8 on: June 27, 2011, 04:13:34 AM »
The system has been up for a couple hours now and still nothing...  Strange.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Rootkit Found
« Reply #9 on: June 27, 2011, 01:32:42 PM »
That's OK, leave it a few more reboots and see if it is picked up. If not then there is a good likelihood that it was a false positive detection which has now been corrected.

rm15

  • Guest
Re: Rootkit Found
« Reply #10 on: June 27, 2011, 06:23:51 PM »
I've rebooted a couple of times now and still nothing.  I don't understand how Avast would not be detecting the same rootkit as I did not select for it to ignore the rootkit in the future.  Could the avast team have updated a false positive so quickly?  Thanks for your help.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Rootkit Found
« Reply #11 on: June 27, 2011, 06:29:26 PM »
You are unlikely to be the only one to have had this alert and the avast CommunityIQ and personal submissions are likely to have resulted in the detection being analysed and the detection corrected.

rm15

  • Guest
Re: Rootkit Found
« Reply #12 on: June 27, 2011, 11:54:34 PM »
I see.  Well, everything appears to be okay, so thanks again.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Rootkit Found
« Reply #13 on: June 27, 2011, 11:55:31 PM »
You're welcome.