Author Topic: Trouble with a rootkit  (Read 7852 times)


Zlatan

  • Guest
Trouble with a rootkit
« on: March 24, 2009, 10:14:39 PM »
Hi to all. I'm new to this forum and I hope that someone can help me. Maybe a month ago Avast informed me that a rootkit was found. I scanned all drives, but it didn't find anything. When I started working on my PC, Avast (again) informed me that a rootkit was found. I did a boot scan, and again nothing. And every day the same story. Five or six days ago I snapped, tore down the system and reinstalled Windows. Everything was just fine till today: "rootkit found" again. Any suggestions?!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Trouble with a rootkit
« Reply #1 on: March 25, 2009, 12:30:07 AM »
Yes, some more information, like the file name and location?
The C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log file (open with notepad) contains info on the anti-rootkit scan.

The avast anti-rootkit scan runs 8 minutes after boot, so is this when it happens?
If so, the rootkit scan uses heuristics which aren't used in the conventional scans, so it isn't unusual that nothing was found in the conventional signature scans.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Zlatan

Re: Trouble with a rootkit
« Reply #2 on: March 25, 2009, 07:13:34 PM »
Thanks. I'll try it, and I will tell you what happens.

Offline DavidR

Re: Trouble with a rootkit
« Reply #3 on: March 25, 2009, 08:14:34 PM »
And that information on the detection is?

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Trouble with a rootkit
« Reply #4 on: March 25, 2009, 08:37:37 PM »
I guess he hasn't gotten that far yet.  :(
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

Offline DavidR

Re: Trouble with a rootkit
« Reply #5 on: March 25, 2009, 08:51:08 PM »
Yes, we are too darn quick ;D

Zlatan

Re: Trouble with a rootkit
« Reply #6 on: March 28, 2009, 08:14:48 PM »
I've tracked it down: it's Win32:Rootkit-gen[RTK], and it was located in Windows\system32\x and \Windows\Temp\sig6.tmp. I moved them to the chest, but in the \system32\ folder there is a file \xcopy\. Should I remove it?

Offline DavidR

Re: Trouble with a rootkit
« Reply #7 on: March 28, 2009, 09:10:35 PM »
xcopy what?
As what you have shown is a folder \xcopy\, not a file, that folder isn't in my XP Pro folder structure.

There is xcopy.exe in the \system32\ folder, which is a legitimate Windows file, so is that what you are talking about? See image.

fiero

  • Guest
Re: Trouble with a rootkit
« Reply #8 on: March 29, 2009, 06:35:50 AM »
Hello. I suddenly am getting an Avast warning page about 2 suspicious files. Both are in system32 and both have the same name; the only difference is in the title of the driver file (Drivers or drivers). Their name is ovfsthmipwbkeypakosswqibvptyegewrduhbq.sys. The capital D one is a rootkit hidden file and the lower case d one is a hidden service. The Avast warning recommends ignore and submit. How do I submit them? There is nothing to let me know that I have sent them to the lab. And when do I hear back from the lab whether the files are OK or not? Thanks

Offline DavidR

Re: Trouble with a rootkit
« Reply #9 on: March 29, 2009, 04:48:45 PM »
They should be submitted automatically as part of the next auto update if you don't change the settings on that screen.

You can also do a manual update (probably better, so no wait) and that will start the process off: first avast checks for updates and downloads any signatures, and then it would upload the suspect files (and they are highly suspect). If you monitor the manual update you should see the upload process.

I would then suggest that you rename these files, placing SUS (for suspect) in front of the existing file name. What this does is that any registry entry or process that would be trying to run these file names wouldn't find them.

- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer (or you may not find them): Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. See image.

Generally you don't get contacted when they are uploaded in this way, as they don't have your email address; the info uploaded is anonymous. What you would find is that the file would be detected in the normal avast on-demand/boot-time or resident scans, as a signature would be added to detect the previously suspect file. I highly doubt that they are OK.

What is your firewall?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

Zlatan

Re: Trouble with a rootkit
« Reply #10 on: March 30, 2009, 12:22:15 AM »
Yes, it is the \system32\xcopy.exe file. So it's a legitimate Windows file?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Trouble with a rootkit
« Reply #11 on: March 30, 2009, 01:30:36 AM »
Yes, it is the \system32\xcopy.exe file. So it's a legitimate Windows file?
Did you submit it to www.virustotal.com? Which were the results?
It does not seem to be legitimate... but I could be wrong.
The best things in life are free.

Offline DavidR

Re: Trouble with a rootkit
« Reply #12 on: March 30, 2009, 02:23:18 AM »
Yes, it is the \system32\xcopy.exe file. So it's a legitimate Windows file?

You can check that by the file properties, as in the image I posted in Reply #7.

@Tech, it is a legitimate file name and location, see my earlier posts; whilst that doesn't say it is clean, avast didn't detect anything in the file and it was just a suspicion by Zlatan. There is however nothing wrong with confirming it is clean at virustotal.

That wouldn't confirm a legit MS file, as that would require the file to have a digital signature, and not all MS files have this. Without Zlatan's OS and version number we couldn't even check the MD5, as that may be the only way to confirm it.
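As an added example (not DavidR's, and not an Avast tool), the following PowerShell function gathers the evidence discussed above for a suspect file in one place: hidden/system attributes, Authenticode signature status, and MD5/SHA256 hashes to compare against a known-clean copy or a VirusTotal result. The reference hash parameter and the function name are assumptions for illustration; it needs Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example: collect attributes, signature status and hashes for a suspect file.
# Not part of the thread or of Avast; requires PowerShell 4.0+ (Get-FileHash).

function Get-SuspectFileReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Hypothetical reference hash from a known-clean install of the same Windows
        # version; leave empty when no reference is available.
        [string]$KnownGoodSha256 = ''
    )

    # -Force is needed so hidden and system files are returned as well.
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    $report = [pscustomobject]@{
        Path       = $item.FullName
        SizeBytes  = $item.Length
        Hidden     = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        System     = [bool]($item.Attributes -band [IO.FileAttributes]::System)
        # 'Valid' covers embedded and catalog signatures on current Windows.
        # 'NotSigned' is common for older OS files and is not proof of tampering.
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        MD5        = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        MatchesRef = $null
    }

    # Compare with the reference only when one was supplied (hashes are uppercase hex).
    if ($KnownGoodSha256 -ne '') {
        $report.MatchesRef = ($report.SHA256 -eq $KnownGoodSha256.ToUpper())
    }
    return $report
}

# The file discussed in the thread; run from an elevated prompt.
Get-SuspectFileReport -Path "$env:SystemRoot\System32\xcopy.exe" | Format-List
```

A 'NotSigned' result on its own is inconclusive, which is DavidR's point: the hash comparison against a copy from the same OS version, or the VirusTotal report, is what settles it.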

Zlatan

Re: Trouble with a rootkit
« Reply #13 on: March 31, 2009, 08:53:31 PM »
Virustotal says it's clean, and Avast doesn't report "Rootkit found" anymore. My OS is Windows XP Black Edition, sorry I didn't say that before, but as I told you in my first post, this is the first time that I'm on this forum. But definitely not the last! Thank you all guys for the help.

Offline DavidR

Re: Trouble with a rootkit
« Reply #14 on: March 31, 2009, 09:27:25 PM »
You're welcome.