Topic: Rootkit after Windows Update?

Offline vittau

  • Jr. Member
  • Posts: 24
Rootkit after Windows Update?
« on: September 11, 2012, 07:45:35 PM »
Hi,

I've just got a rootkit alert seconds after Windows Update completed installing KB2735855 (System update), KB2736233 (ActiveX), KB80830 (Malware removal) and KB915597 (Definition Updates).

I said "ignore", and then proceeded to reboot the computer to finish the updates.
I suppose it was a false positive? I'm fairly sure my OS is clean.

Also, I can't seem to find any log of this detection to post here...
« Last Edit: September 11, 2012, 07:47:23 PM by vittau »

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • Posts: 7078
  • When you think you know, Think Again
Re: Rootkit after Windows Update?
« Reply #1 on: September 11, 2012, 07:51:07 PM »
> Hi,
>
> I've just got a rootkit alert seconds after Windows Update completed installing KB2735855 (System update), KB2736233 (ActiveX), KB80830 (Malware removal) and KB915597 (Definition Updates).
>
> I said "ignore", and then proceeded to reboot the computer to finish the updates.
> I suppose it was a false positive? I'm fairly sure my OS is clean.
>
> Also, I can't seem to find any log of this detection to post here...

What's Your OS?
Just finished Windows Update on my XPSP3 with no issues or alerts. :)
***HP ENVY 15K LT W10 Pro 21H1 64Bit/750GB HD/16GB Ram/Avast Premium 21.9.2493b/Secureline VPN v.5.12.5699b/ADU v.21.3b/ASB v.94.0b/SANDBOXIE-plus/MailWasherPRO
**HP Compaq 8510p LT W10 Pro 20H2 64Bit/1TB HD/8GB Ram/WD/ADU v.21.3b/SANDBOXIE/MailWasherPRO/HotSpot Shield
RIP*Dell Inspiron XPsp4 PRO 32Bit/Avast(since 2002)18.8.2356/WP/Comodo FW 3.14/Secureline/Comodo IceDragon v.40
LAYERED SECURITY SOFTWARE

Offline vittau

  • Jr. Member
  • Posts: 24
Re: Rootkit after Windows Update?
« Reply #2 on: September 11, 2012, 07:52:57 PM »
Windows 7 Professional SP1 (x64)

EDIT: Just finished a quick scan with 0 detections. Avast, what's gotten into you? :P
I suppose a full system scan wouldn't be necessary to detect an active rootkit?
« Last Edit: September 11, 2012, 08:07:14 PM by vittau »

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • Posts: 7078
  • When you think you know, Think Again
Re: Rootkit after Windows Update?
« Reply #3 on: September 11, 2012, 08:21:13 PM »
> Windows 7 Professional SP1 (x64)
>
> EDIT: Just finished a quick scan with 0 detections. Avast, what's gotten into you? :P
> I suppose a full system scan wouldn't be necessary to detect an active rootkit?

If you are concerned, you could do a 'Boot Time Scan' (never hurts), although I believe Avast scans for rootkits several seconds into boot. :)

Offline vittau

  • Jr. Member
  • Posts: 24
Re: Rootkit after Windows Update?
« Reply #4 on: September 11, 2012, 08:34:39 PM »
> If you are concerned, you could do a 'Boot Time Scan' (never hurts), although I believe Avast scans for rootkits several seconds into boot. :)
Oh well, I think I'll pass, these full scans take forever. :P

Everything in this computer is always up-to-date, and I know what I'm doing (computer science undergraduate), so I'm guessing avast's heuristics got confused there somehow...

Offline Tetsuo

  • Poster
  • Posts: 594
Re: Rootkit after Windows Update?
« Reply #5 on: September 11, 2012, 09:07:50 PM »
Avast does a rootkit scan 8 minutes after boot, so basically it depends on how many times you switch your system on.
« Last Edit: September 11, 2012, 09:10:33 PM by Tetsuo »

Offline vittau

  • Jr. Member
  • Posts: 24
Re: Rootkit after Windows Update?
« Reply #6 on: September 11, 2012, 09:16:41 PM »
> Avast does a rootkit scan 8 minutes after boot, so basically it depends on how many times you switch your system on.
Every day. I don't keep it on at night.

Is there a place where I can see the history of detections? I can't seem to find that detection logged anywhere...

Offline Tetsuo

  • Poster
  • Posts: 594
Re: Rootkit after Windows Update?
« Reply #7 on: September 11, 2012, 09:25:45 PM »
I guess it's aswAr.txt in the log folder.

Offline vittau

  • Jr. Member
  • Posts: 24
Re: Rootkit after Windows Update?
« Reply #8 on: September 11, 2012, 09:34:48 PM »
> I guess it's aswAr.txt in the log folder.
aswAr.log is already replaced with a newer version, with 0 detections...  :(
aswAr.txt, I can't find this one. I suppose you confused the extension?

Offline vittau

  • Jr. Member
  • Posts: 24
Re: Rootkit after Windows Update?
« Reply #9 on: September 11, 2012, 09:42:57 PM »
I have a theory here:

avast Anti-rootkit was running at the EXACT same time as Windows Update replaced a critical file. avast AR asked Windows what file was supposed to be running, but because WU just changed it, it read a different file and that triggered the alert.
Now it doesn't trigger anymore because the new file is already registered.

Is that possible?
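The race vittau describes, as an added simulation (constructed example; not Avast or Windows code): an update swaps the file on disk first and registers the new version a moment later, so a single-snapshot integrity check that lands between those two steps sees a mismatch, while a file replaced without ever being registered keeps failing on later checks. The `System` class, file names and contents are assumptions for illustration.

```python
import hashlib
import os
import tempfile


def file_hash(path):
    """SHA-256 of the file currently on disk."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class System:
    """Toy OS: a protected file plus the hash it 'registers' as expected."""

    def __init__(self, path, content):
        self.path = path
        with open(path, "wb") as f:
            f.write(content)
        self.registered = file_hash(path)

    def replace_file(self, new_content):
        # Step 1 of an update (or of a tamper): atomically swap the file.
        tmp = self.path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(new_content)
        os.replace(tmp, self.path)

    def register_update(self):
        # Step 2: the OS records the new file as the expected version.
        self.registered = file_hash(self.path)


def anti_rootkit_check(system):
    """Single snapshot: compare disk against the registered version."""
    return "clean" if file_hash(system.path) == system.registered else "alert"


def simulate(tampered=False):
    """Verdicts before the swap, between the two steps, and afterwards.
    tampered=False: a legitimate update that completes step 2.
    tampered=True: the file is replaced but never registered."""
    with tempfile.TemporaryDirectory() as d:
        sys_ = System(os.path.join(d, "driver.sys"), b"driver v1")
        before = anti_rootkit_check(sys_)
        sys_.replace_file(b"driver v2")      # swap already on disk...
        during = anti_rootkit_check(sys_)    # ...check lands right here
        if not tampered:
            sys_.register_update()           # ...registration catches up
        after = anti_rootkit_check(sys_)
        return before, during, after
```

A transient alert that clears on the next check is consistent with the update race; one that persists on a later scan is not, which is why re-scanning after the update completes is the useful discriminator.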

Offline Tetsuo

  • Poster
  • Posts: 594
Re: Rootkit after Windows Update?
« Reply #10 on: September 11, 2012, 09:54:39 PM »
> I suppose you confused the extension?

yeah, sorry!

If in doubt, try a simple full system scan. It won't take long and the rootkit scan will be "deeper".
« Last Edit: September 11, 2012, 10:00:40 PM by Tetsuo »

Offline user_1000

  • Full Member
  • Posts: 129
Re: Rootkit after Windows Update?
« Reply #11 on: September 11, 2012, 09:57:30 PM »
This update might be the reason for the false alert: http://support.microsoft.com/kb/2735855 (Windows Filtering Platform Update for Windows 7), because Avast Web Shield uses the Windows Filtering Platform. At least I think so.
Windows 7 SP1 x64