Author Topic: rootkit found  (Read 6438 times)

0 Members and 1 Guest are viewing this topic.

Offline x2397

  • Jr. Member
  • **
  • Posts: 81
rootkit found
« on: August 01, 2012, 05:55:03 PM »
Avast updated today to def version 120801-0 and suddenly a red message popped up(not from the system tray, it is on my screen) saying there are 2 rootkits found- filename SVC: gupdai rootkit name Rootkit: and it gives me two actions to take: delete now or ignore, I can't move the files to chest. The thing is that I just reformatted my pc so my system should be clean, I already did a full system scan after I had reformatted a day ago and it came out clean, is this a bug?
« Last Edit: August 01, 2012, 06:26:04 PM by x2397 »

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5420
  • Spartan Warrior
Re: rootkit found
« Reply #1 on: August 01, 2012, 06:26:12 PM »
Hi x2397,

Avast will run a rootkit scan 8 minutes in after a cold start (system startup).  SVC: gupdai is a service detected by Avast! as a malicious (hidden?) service running on your system.

Screenshot of message or file path of file detected?
Windows 10 Home 64-bit 20H2 Avast Premier Security version 21.3.2459 (build 21.3.6164.652) UI version 1.0.612.

Offline x2397

  • Jr. Member
  • **
  • Posts: 81
Re: rootkit found
« Reply #2 on: August 01, 2012, 06:31:09 PM »
here is a screenshot

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5420
  • Spartan Warrior
Re: rootkit found
« Reply #3 on: August 01, 2012, 06:50:58 PM »
Have a look here at http://forum.avast.com/index.php?topic=53253.0  download and run the first three programs (Malwarebytes. OTL, aswMBR.exe) and attach the logs in your next reply.
Windows 10 Home 64-bit 20H2 Avast Premier Security version 21.3.2459 (build 21.3.6164.652) UI version 1.0.612.

Offline x2397

  • Jr. Member
  • **
  • Posts: 81
Re: rootkit found
« Reply #4 on: August 01, 2012, 06:51:51 PM »
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.01.05

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Biohazard :: BIOHAZARD-PC [administrator]

8/1/2012 12:00:28 PM
mbam-log-2012-08-01 (12-00-28).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 270645
Time elapsed: 23 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
« Last Edit: August 01, 2012, 07:24:35 PM by x2397 »

Offline x2397

  • Jr. Member
  • **
  • Posts: 81
Re: rootkit found
« Reply #5 on: August 01, 2012, 07:46:21 PM »
here are the logs for otl

Offline x2397

  • Jr. Member
  • **
  • Posts: 81
Re: rootkit found
« Reply #6 on: August 01, 2012, 07:54:04 PM »
asw log

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40627
  • Dragons by Sasha
    • Malware fixes
Re: rootkit found
« Reply #7 on: August 01, 2012, 09:29:26 PM »
That looks like a false positive, could you expand the path so that we can get the file name

Offline x2397

  • Jr. Member
  • **
  • Posts: 81
Re: rootkit found
« Reply #8 on: August 01, 2012, 09:32:56 PM »
 I pressed ignore so that I could close the window for otl scan I can't pull up the log since I can't find it in avast, no log was generated for it. Do you know how I could pull up the log or the file name?
« Last Edit: August 01, 2012, 09:39:35 PM by x2397 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40627
  • Dragons by Sasha
    • Malware fixes
Re: rootkit found
« Reply #9 on: August 01, 2012, 09:41:48 PM »
The log will be located at C:\ProgramData\AVAST Software\Avast\log\aswArThis is a hidden folder so you will need to unhide them to see it

Offline x2397

  • Jr. Member
  • **
  • Posts: 81
Re: rootkit found
« Reply #10 on: August 01, 2012, 09:49:40 PM »
I attached the log

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40627
  • Dragons by Sasha
    • Malware fixes
Re: rootkit found
« Reply #11 on: August 01, 2012, 09:58:36 PM »
Quote
Service gupdate [C:\Program Files]  **HIDDEN**
Service gupdatem [C:\Program Files]  **HIDDEN**
They are both Google services associated with Chrome and other Google programmes, although why they are hidden I do not know

Scan the following file with Avast

%ProgramFiles%\Google\Update\GoogleUpdate.exe

Offline x2397

  • Jr. Member
  • **
  • Posts: 81
Re: rootkit found
« Reply #12 on: August 01, 2012, 10:02:53 PM »
I followed the path, but the Google folder is empty and I already disabled the hidden files.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40627
  • Dragons by Sasha
    • Malware fixes
Re: rootkit found
« Reply #13 on: August 01, 2012, 10:05:58 PM »
OK I can see the problem now, I just checked the OTL and there are no Google services there.  What I feel we have here is an orphan entry in the current control set that points nowhere.  Hence Avast is a tad concerned.

Next time you see it set it to ignore

Offline x2397

  • Jr. Member
  • **
  • Posts: 81
Re: rootkit found
« Reply #14 on: August 01, 2012, 10:10:11 PM »
Thank you for all your help, your instructions were easy to understand and useful. Thank you for solving my problem.