Author Topic: Possible false positive rootkit?  (Read 3575 times)


Offline Bowdon

  • Full Member
  • Posts: 104
Possible false positive rootkit?
« on: November 09, 2013, 02:38:24 AM »
Hi guys,

Ok I use my laptop as a backup for my nickname on an IRC network during the night. My IP address is protected. I usually set the laptop up to keep online. Anyway, this morning I wake up and it's saying there is a rootkit on there. The thing is that it's a valid file, in the correct place. It's an old Vaio laptop. Here is a page from Bleeping Computer about the file: http://www.bleepingcomputer.com/startups/IcVzMon.exe-26855.html

So is this a false positive? I've done nothing on the laptop other than connect to the trusted network, sit on Google's front page all night and then log off in the early morning. So I can't see how I've picked up a virus or anything.

Any ideas?

Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Re: Possible false positive rootkit?
« Reply #1 on: November 09, 2013, 02:56:50 AM »
Hi, if you would like to be certain it's a FP please run the following programs: AdwCleaner, MBAM, OTL, aswMBR. Please ATTACH (do not copy and paste) the logs.

http://forum.avast.com/index.php?topic=53253.0

After that has been completed I can have the removal guys check everything out.

Also, please upload the file and test it here: www.virustotal.com
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Bowdon

  • Full Member
  • Posts: 104
Re: Possible false positive rootkit?
« Reply #2 on: November 09, 2013, 01:12:02 PM »
Hi

Thanks for replying to me. Ok I used the programs that you mentioned in the other thread. Though the interface for the OTL program was different and didn't have all those options shown in the picture. I just hit scan then saved the log. I also scanned with MBAM and saved that log. Nothing showed up on that. I then used AdwCleaner. I don't think anything showed up there either. Then lastly I used aswMBR. It scanned the computer and pulled up the same file avast did. From looking into the file it seems it's part of Sony's packages. I do have a Sony laptop.

Also I scanned the file myself with avast and it said no threat file. I then uploaded the file to the VirusTotal site and out of the 47 places it scans the file, only 1, Commtouch, said it was a W32/Trojan.LZVW-4403. I noticed avast is on the list and that ticked it as ok.

Btw I should mention that when this 'rootkit' is detected it's named as a Win32:Evo-gen. I've noticed there have been a few of those threads on the forums recently.

What should I do next?

Offline Pondus

  • Probably Bot
  • Posts: 37532
  • Not an avast user
Re: Possible false positive rootkit?
« Reply #3 on: November 09, 2013, 01:21:55 PM »
Quote
What should I do next?
Make coffee and wait     ;)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Possible false positive rootkit?
« Reply #4 on: November 09, 2013, 02:09:27 PM »
Hi,

aswMBR uses the avast! engine, therefore the detections are the same.

Quote
Service Image Converter video recording monitor for VAIO Entertainment C:\Program Files\Sony\Image Converter 2\IcVzMon.exe **INFECTED** Win32:Evo-gen [Susp]

These detections are FP.

About the OTL log, were you able to create an OTL.txt log report? Can you attach it here?
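The reasoning in this thread (a heuristic "Evo-gen [Susp]" name, aswMBR sharing the avast engine so its hit is not an independent opinion, a 1-of-47 VirusTotal result, a file living under the vendor's Program Files folder) can be turned into a small triage helper. This is an added example written for this page, not code from the thread or from avast; the engine-to-front-end table, the thresholds and the VirusTotal result table are assumptions or constructed sample data.

```python
import re

# Constructed sample input: the aswMBR line quoted in the thread.
ASWMBR_LINE = (
    "Service Image Converter video recording monitor for VAIO Entertainment "
    "C:\\Program Files\\Sony\\Image Converter 2\\IcVzMon.exe **INFECTED** Win32:Evo-gen [Susp]"
)
# Constructed stand-in for the VirusTotal table: 47 engines, one hit (Commtouch).
VT_RESULTS = {f"engine{i}": None for i in range(45)}
VT_RESULTS.update({"avast": None, "Commtouch": "W32/Trojan.LZVW-4403"})
# Local scanners that flagged the file; aswMBR reuses the avast engine (per the thread).
LOCAL_HITS = {"avast": "Win32:Evo-gen [Susp]", "aswMBR": "Win32:Evo-gen [Susp]"}
ENGINE_FAMILY = {"aswMBR": "avast"}          # assumption: map front-ends onto their engine
GENERIC_TOKENS = {"gen", "generic", "susp", "heur", "heuristic"}

def parse_aswmbr(line):
    """Split an aswMBR '**INFECTED**' line into (file path, signature name)."""
    m = re.search(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys))\s+\*\*INFECTED\*\*\s+(\S.*)$", line, re.I)
    if not m:
        raise ValueError("not an aswMBR infection line")
    return m.group(1), m.group(2).strip()

def is_generic(signature):
    """True when the name is heuristic/generic (Evo-gen, [Susp], Heur...) rather than a family."""
    return bool(GENERIC_TOKENS & set(re.split(r"[^a-z0-9]+", signature.lower())))

def independent_engines(vt_results, local_hits):
    """Distinct engines that flagged the file, collapsing front-ends onto their shared engine."""
    flagged = {e for e, v in vt_results.items() if v} | set(local_hits)
    return {ENGINE_FAMILY.get(e, e) for e in flagged}

def triage(line, vt_results, local_hits, trusted_vendors=("Sony",)):
    """Return a verdict plus the reasons; 'likely false positive' only if every check passes."""
    path, sig = parse_aswmbr(line)
    engines = independent_engines(vt_results, local_hits)
    vt_hits = sum(1 for v in vt_results.values() if v)
    vendor = next((v for v in trusted_vendors
                   if f"\\program files\\{v.lower()}\\" in path.lower()), None)
    checks = [
        (is_generic(sig), f"generic/heuristic name: {sig}"),
        (len(engines) <= 2, f"{len(engines)} independent engine(s): {sorted(engines)}"),
        (vt_hits / len(vt_results) < 0.10, f"VirusTotal {vt_hits}/{len(vt_results)}"),
        (vendor is not None, f"installed under Program Files\\{vendor}"),
    ]
    reasons = [reason for ok, reason in checks if ok]
    verdict = "likely false positive" if all(ok for ok, _ in checks) else "needs analysis"
    return {"path": path, "signature": sig, "verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    print(triage(ASWMBR_LINE, VT_RESULTS, LOCAL_HITS))
```

The verdict is a triage hint, not proof: confirming a suspected FP still means submitting the file (or its hash) to the vendor and checking its digital signature, as the replies in this thread do.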

Offline Bowdon

  • Full Member
  • Posts: 104
Re: Possible false positive rootkit?
« Reply #5 on: November 09, 2013, 03:48:24 PM »
Ok I got OTL to work. It only created an OTL.txt log though.

I'll attach it.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Possible false positive rootkit?
« Reply #6 on: November 09, 2013, 10:21:26 PM »
Hi,
Posted logs are clean. No signs of active infection. This OTL fix shall remove some orphan keys and clean temp & cache files.

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:
:OTL
O3 - HKU\S-1-5-21-2630728093-908478267-753119046-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2630728093-908478267-753119046-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.

:FILES
dir C:\Documents and Settings\Brian\Ÿ9Ÿ9 /c
C:\WINDOWS\System32\*.tmp
C:\WINDOWS\*.tmp

:COMMANDS
[EMPTYTEMP]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log