Author Topic: IdriverT.exe Rootkit  (Read 11389 times)

Offline Sly_Toad

  • Jr. Member
  • **
  • Posts: 45
IdriverT.exe Rootkit
« on: November 15, 2013, 01:07:45 PM »
Hi. I'm having a bit of a problem here, so here it goes. And sorry for my English.

I have a Windows7 64x laptop, and today I did a clean install of Avast. Everything went fine. Next, I updated Windows. So far so good. Did the mandatory reboot and left the laptop alone doing the rest of the bootscreen updates. 5 minutes after the computer rebooted, my fiancé calls me because she got an Avast Pop-up saying that
C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe was a Rootkit or Rootkitgen and that it should be deleted. She did that, without my consent. I don't have a copy of it in the vault... so I'm just wondering, if it was a false positive, is IDriverT.exe an important program?

I've googled it and it is used to install software... soooo, is it a false positive? How can I install it again, since she deleted it using Avast? I also noticed that Firefox is part English and part Portuguese (I'm Portuguese)...

I also did a restore point, did a clean install of Avast, but the problem is still there.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37129
Re: IdriverT.exe Rootkit
« Reply #1 on: November 15, 2013, 01:34:19 PM »
Process library  http://www.processlibrary.com/en/directory/files/idrivert/25919/


Quote
soooo, is it a false positive?
Upload suspicious file(s) to www.virustotal.com / www.metascan-online.com / www.jotti.org  and test with multi AV scanners

However, since deleted, you now don't have that option   :-[


Offline Sly_Toad

  • Jr. Member
  • **
  • Posts: 45
Re: IdriverT.exe Rootkit
« Reply #2 on: November 15, 2013, 01:55:31 PM »
Yeah, it was deleted. But from what I understand, it's created when installing new software, right? So, it's "created" and not part of the system. I've already installed and uninstalled Firefox (seems like the problem is from Mozilla's side, because v.24 works great, and v.25 has some options in English... also tested this in another laptop, so I know it's not caused by the supposed IDriverT.exe rootkit).

I saw the Pop-up Window: it said something like: SvC: (...) IDriverT.exe. win32Rootkit.gen or something similar. I hovered the mouse to show me the full path. And it only had the option to delete or ignore. I was in the other laptop searching for an answer, when she said she deleted it. The problem is, the laptop she was on, was mine. Because her laptop (that I was using to search for an answer) was charging.

So, since she did what she did, now I don't have the file. And to be honest, I really don't want to format and install windows again lolol.

I'm going to scan the computer with a personalized scan, and with bootscan, and mbam and other software to see if they reveal anything.

The thing that feels odd is that it was right after that pop-up message with the green shield that windows had updated.

Weird...

Offline JWJr

  • Jr. Member
  • **
  • Posts: 27
Re: IdriverT.exe Rootkit
« Reply #3 on: November 15, 2013, 03:18:29 PM »
I got the same message this morning from my computer (WinXPSP3), for the same file: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe, 69,632 bytes, file version 11.0.0.28844, unchanged since April 2005.

I uploaded it to VirusTotal, where all 47 AVs (including Avast!) called it harmless.  -JW
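
Added example, not part of any post in this thread: a PowerShell helper that records a flagged file's identity (SHA-256, size, version, Authenticode status) before anything is deleted, so the hash can be looked up on a multi-scanner site and compared with what other users report. `Get-FlaggedFileEvidence` is a hypothetical name; the path, size and version passed in at the end are the ones quoted in the post above, and a match on size and version alone is only an indication, which is why the hash and signature are collected too.

```powershell
# Added example (not from the thread). Get-FlaggedFileEvidence is a hypothetical helper name.
function Get-FlaggedFileEvidence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [long]$ExpectedSize,        # optional: size reported by another user
        [string]$ExpectedVersion    # optional: file version reported by another user
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # Nothing to inspect if the AV already removed the file.
        Write-Warning "Not found: $Path (restore it from the AV quarantine first, if it is there)."
        return
    }

    $item = Get-Item -LiteralPath $Path -Force
    $vi   = $item.VersionInfo
    # Build the version from its numeric parts; the FileVersion string is free-form text.
    $version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path            = $item.FullName
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SizeBytes       = $item.Length
        FileVersion     = $version
        CompanyName     = $vi.CompanyName
        LastWriteUtc    = $item.LastWriteTimeUtc
        SignatureStatus = $sig.Status    # Valid / NotSigned / HashMismatch / ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SizeMatches     = if ($PSBoundParameters.ContainsKey('ExpectedSize')) {
                              $item.Length -eq $ExpectedSize } else { $null }
        VersionMatches  = if ($PSBoundParameters.ContainsKey('ExpectedVersion')) {
                              $version -eq $ExpectedVersion } else { $null }
    }
}

# Values below are the ones quoted in the post above (WinXP path, 69,632 bytes, 11.0.0.28844).
Get-FlaggedFileEvidence `
    -Path 'C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe' `
    -ExpectedSize 69632 -ExpectedVersion '11.0.0.28844' | Format-List
```

A `SignatureStatus` of `HashMismatch`, or a hash that differs from a copy with the same size and version, means the file was modified and should not be treated as the same binary.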

Offline Merel

  • Newbie
  • *
  • Posts: 11
Re: IdriverT.exe Rootkit
« Reply #4 on: November 15, 2013, 08:25:03 PM »
Ditto here!

I wonder why this happens NOW .... on the same day ??

It happens to be detected just after the monthly 'Microsoft Update' ?

(which is to be a perpetual never-ending disaster story for so many victims of M$)

Offline Jstore

  • Jr. Member
  • **
  • Posts: 21
Re: IdriverT.exe Rootkit
« Reply #5 on: November 15, 2013, 09:42:55 PM »
Does anyone know if this is truly a false positive or not?

Offline smuggla

  • Newbie
  • *
  • Posts: 5
Re: IdriverT.exe Rootkit
« Reply #6 on: November 16, 2013, 12:38:03 PM »
Same here. I let Avast delete it and did a boot time scan, but it seriously looks like a false positive since nothing else was infected and it happened one boot after Windows update for me too. Although, deleting the file didn't affect Windows functionality in any way and no program seems to miss the file... I can still see it in my chest and I don't want to delete it permanently (I thought Avast already did but....) if it's important for InstallShield to work.

I also sent the file to the virus lab through the Avast UI.

edit: running vista x64
« Last Edit: November 16, 2013, 12:55:35 PM by smuggla »

Offline Jstore

  • Jr. Member
  • **
  • Posts: 21
Re: IdriverT.exe Rootkit
« Reply #7 on: November 16, 2013, 12:39:59 PM »
Does anyone have any other news regarding this infection? I'm really concerned, also, could someone explain what this file does exactly? I've googled the file name but it didn't come up with much information.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5420
  • Spartan Warrior
Re: IdriverT.exe Rootkit
« Reply #8 on: November 16, 2013, 01:02:11 PM »
Similar issue later determined to be a false positive:  http://forum.avast.com/index.php?topic=139878.0

Clean, quarantine, or delete?  http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

To OP, please be gentle here, 'twas done in panic mode, so....

Another file query site:  http://www.bleepingcomputer.com/startups/IDriverT.exe-17105.html

Hope this answers your question.  You could try running sfc /scannow in cmd and see if windows recovers that file for you after the scan is done.
Windows 10 Home 64-bit 20H2 Avast Premier Security version 21.3.2459 (build 21.3.6164.652) UI version 1.0.612.

Offline smuggla

  • Newbie
  • *
  • Posts: 5
Re: IdriverT.exe Rootkit
« Reply #9 on: November 16, 2013, 01:05:46 PM »
Quote
Does anyone have any other news regarding this infection? I'm really concerned, also, could someone explain what this file does exactly? I've googled the file name but it didn't come up with much information.

I think it's way more likely that it's a false positive. We have the same antivirus, it warns us after Windows update, VirusTotal says it's clean and it's rootkit.GEN so Avast doesn't even know what rootkit it is. Most likely it's just Microsoft bloatware which often acts like rootkits because they turn on immediately in the background. I hate all these updaters soooo much.

Actually I feel like my boot time was reduced after deletion so that makes me wonder. Hopefully avast admins will let us know soon...

Offline wallofasgard

  • Jr. Member
  • **
  • Posts: 27
Re: IdriverT.exe Rootkit
« Reply #10 on: November 19, 2013, 01:12:19 PM »
Same detection here... Without the ability to restore this file from the virus chest, can you guys give me some advice on how to re-create or reinstall this file?

What virus definition version detects this file? Thanks.

Offline RXLA

  • Newbie
  • *
  • Posts: 1
Re: IdriverT.exe Rootkit
« Reply #11 on: December 03, 2013, 07:57:24 PM »
Quote
Does anyone have any other news regarding this infection? I'm really concerned, also, could someone explain what this file does exactly? I've googled the file name but it didn't come up with much information.

I think it's way more likely that it's a false positive. We have the same antivirus, it warns us after Windows update, VirusTotal says it's clean and it's rootkit.GEN so Avast doesn't even know what rootkit it is. Most likely it's just Microsoft bloatware which often acts like rootkits because they turn on immediately in the background. I hate all these updaters soooo much.

Actually I feel like my boot time was reduced after deletion so that makes me wonder. Hopefully avast admins will let us know soon...

Does anyone have the same experience of reduced boot time after deletion?  I too feel the time is reduced but am curious if all are seeing this?