Author Topic: Avast 4.8 and rootkit alert (Read 11974 times)

alanrf · « **Reply #15 on:** April 12, 2008, 11:44:30 PM »

My system logs do indeed show that the driver is created and then (after the display information is obtained) the driver is immediately deleted. Leaving just the main process running. The driver loading is also recorded in the boot log (ntbtlog).

DavidR · « **Reply #16 on:** April 13, 2008, 12:40:56 AM »

That is fine, but it seems strange that it would be around at boot to be caught by avast Unless speedlever has procexp.exe run on boot. But equally why it is caught by avast yet yours isn't. Definitely strange.

speedlever · « **Reply #17 on:** April 13, 2008, 12:50:07 AM »

For the record, I do not have PE run at boot. I have a shortcut to it on my quick launch bar only.

speedlever · « **Reply #18 on:** April 13, 2008, 12:54:10 AM »

Check this sysinternals thread for more info about this issue.

DavidR · « **Reply #19 on:** April 13, 2008, 01:16:40 AM »

Thanks for taking the time to post on the Sysinternals Forums, good to get it direct from the source.

psw · « **Reply #20 on:** April 13, 2008, 07:38:32 AM »

So Avast logic is clear. Rootkit scan is launched after 120 sec from system load. If a) for any loaded driver driver file is deleted during rootkit scan (procexpXXX.sys) or b) driver process is terminated during scan (Gigabyte markfun.w32) then these drivers are meet 'hidden' criteria (file invisible - 'hidden' or process invisible - 'hidden').

Author Topic: Avast 4.8 and rootkit alert (Read 11974 times)

alanrf

Re: Avast 4.8 and rootkit alert

DavidR

Re: Avast 4.8 and rootkit alert

speedlever

Re: Avast 4.8 and rootkit alert

speedlever

Re: Avast 4.8 and rootkit alert

DavidR

Re: Avast 4.8 and rootkit alert

psw

Re: Avast 4.8 and rootkit alert