Author Topic: Rootkit or false alarm, please?  (Read 4866 times)


1eyedjack

  • Guest
Rootkit or false alarm, please?
« on: April 01, 2009, 10:18:02 PM »
Hi, I am running Avast 4.8 Professional, and in addition am running Spyware Detector.
A sweep by Spyware Detector shows an apparent rootkit infection, the file being
c:\program files\alwil software\avast4\data\aswar.run

Is there enough information from this in order to advise whether it as a false positive?
I am prompted to quarantine the file.  Would it cause any damage if I accepted the prompt and it is a false positive?

Interestingly I cannot see the file if I try to view the folder in Windows Explorer (even if I set it to view all hidden and system files).

I have also tried a full sweep using Webroot Spysweeper, which apparently checks for rootkits, and it did not detect anything.

Any help gratefully received.

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Rootkit or false alarm, please?
« Reply #1 on: April 01, 2009, 10:38:23 PM »
I suspect an FP by Spyware Detector (never heard of this before); the aswar stands for Alwil SoftWare Anti-Rootkit, so it looks like part of the anti-rootkit module. Though I don't have that file aswar.run in my avast4\data folder. That may well be because I'm using the Home version.

So it looks like what can happen with tools that detect things: being incorrectly detected as what they would be hunting for. Checking some of the other aswar files like aswar0.dll, aswar1.dll and arpot.dll, they are digitally signed by Alwil Software; the signature wouldn't be good if it were modified, and the avast self-defence module should stop it getting modified.

The file may only be there when the anti-rootkit scan is running, 8 minutes after boot, and it would only be running for a few seconds; that may account for why you can't see it in the data folder either.

I just ran a test running the anti-rootkit and that file didn't appear, though it wasn't run in the conventional way, see image.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
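DavidR's check above (the Alwil-signed DLLs, and the point that a modified file would no longer carry a good signature) can be repeated on your own machine. The following is an added PowerShell example, not code from the thread or from Alwil/Avast; it assumes the install path quoted in the question and that Get-AuthenticodeSignature is available (PowerShell 1.0 and later).

```powershell
# Added example: verify the Authenticode signatures of the avast anti-rootkit
# files named in this thread. Assumed install path (from the question); edit
# $AvastDir if your installation lives elsewhere.
$AvastDir = 'C:\Program Files\Alwil Software\Avast4'
$Names    = 'aswar0.dll', 'aswar1.dll', 'arpot.dll', 'aswar.run'

# -Force is needed because the original poster could not see aswar.run in
# Explorer; hidden/system files are otherwise skipped. The file may also simply
# be absent outside the few seconds the anti-rootkit scan runs.
$found = Get-ChildItem -Path $AvastDir -Recurse -Force -Include $Names `
                       -ErrorAction SilentlyContinue

if (-not $found) {
    Write-Host "None of the listed files were found under $AvastDir"
}

foreach ($file in $found) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    # Status meanings:
    #   Valid        - signature present and the file hash still matches
    #   HashMismatch - signed, but the file was altered after signing
    #   NotSigned    - no signature (expected for a plain data file such as
    #                  aswar.run; only the DLLs are said to be signed)
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    New-Object PSObject -Property @{
        File   = $file.FullName
        Status = $sig.Status
        Signer = $signer
    }
}
```

A DLL reporting Valid with an ALWIL Software subject is intact; HashMismatch on one of those DLLs is the result that would actually warrant further investigation rather than a quarantine prompt from a third-party scanner.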

CharleyO

  • Guest
Re: Rootkit or false alarm, please?
« Reply #2 on: April 03, 2009, 05:06:18 AM »
***

This program has been reported here before. Last time I remember was March 12th, when its homepage was rated unsafe, and the homepage is still rated unsafe today.

Its homepage is rated as unsafe by ScanDoo. Click image below to enlarge.


***