Author Topic: Hidden rootkits  (Read 9311 times)


Sartigan
Hidden rootkits
« on: May 10, 2010, 08:59:36 PM »
Hi everybody. At my brother's, after he tried to connect to a server (Call of Duty United Offensive), avast popped up with two files as hidden rootkits (it said that the recommended action is to delete and that they can be malicious). It was a red window (not a "virus detected"-like one). I deleted the "Hidden rootkits".

Information:
- The service was the PunkBuster's
- Files: PnkBstrB.exe & PnkBstr.sys
- Information: "Rootkit: hidden"

Any ideas?

And please be quick, thank you

DavidR
Re: Hidden rootkits
« Reply #1 on: May 10, 2010, 09:13:15 PM »
First, avast generally doesn't advise deletion.

I take it that this was part of the anti-rootkit scan?:
"A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis."

So it normally advises do nothing unless it is certain it is a rootkit.
Punk Buster's PnkBstrB.exe & PnkBstr.sys are part of their anti-cheat function so are likely to be legitimately hidden.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Sartigan
Re: Hidden rootkits
« Reply #2 on: May 10, 2010, 09:14:49 PM »
I know PunkBuster and EvenBalance.
Does that "Delete" delete it only from the registry?

Avast was scanning normally (it was the resident shield)

DavidR
Re: Hidden rootkits
« Reply #3 on: May 10, 2010, 09:31:19 PM »
Well, as far as I'm aware avast doesn't delete registry entries in isolation; if a detection is made and you select delete, etc., then and only then would it go to the registry for associated registry entries.

So I really don't know what is going on as the resident shield doesn't do a rootkit check, so the detection would have to be by signature. In which case you need to confirm the detection and submit to avast if an FP.

~~~
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*. That will stop the File System Shield scanning any file you put in that folder.

####
If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.

Send the sample to avast as a False Positive:
Open the chest, right click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update.

- In the meantime (if you accept the risk), add it to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.
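The verification DavidR recommends (hash the extracted copy, look it up on a multi-engine scanner, and count a GData+avast-only hit as a single detection), as an added example in Python that is not from the thread; the engine grouping, the function names and the sample values are assumptions.

```python
import hashlib
import re

# Assumed grouping, not from the thread's data: DavidR's rule is that GData
# bundles the avast engine, so GData+avast together count as one detection.
SHARED_ENGINE_GROUPS = [frozenset({"avast", "gdata"})]

# Constructed samples in the shape of the VirusTotal report quoted later in the thread.
SAMPLE_REPORT_LINE = "Results:    0/39"
SAMPLE_FLAGGING_ENGINES = ["GData", "avast"]


def hash_bytes(data: bytes) -> dict:
    """Return the MD5 and SHA-256 hex digests a scanner lookup would use."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk in chunks (e.g. the copy placed in C:\\Suspect\\)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def parse_results_line(line: str) -> tuple:
    """Parse a 'Results: <hits>/<engines>' report line into (hits, engines)."""
    m = re.search(r"Results:\s*(\d+)\s*/\s*(\d+)", line)
    if not m:
        raise ValueError(f"no Results field in {line!r}")
    return int(m.group(1)), int(m.group(2))


def independent_detections(flagging_engines) -> int:
    """Count detections after collapsing engines that share a signature source."""
    remaining = {e.lower() for e in flagging_engines}
    count = 0
    for group in SHARED_ENGINE_GROUPS:
        if remaining & group:
            count += 1
            remaining -= group
    return count + len(remaining)


def verdict(flagging_engines, total_engines: int) -> str:
    """Thread's rule of thumb: at most one independent hit on a multi-engine scan
    is almost certainly a false positive and worth submitting to the vendor."""
    hits = independent_detections(flagging_engines)
    if hits == 0:
        return "clean"
    if hits == 1:
        return "likely false positive: submit sample to vendor"
    return f"suspicious: {hits}/{total_engines} independent detections"
```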

Sartigan
Re: Hidden rootkits
« Reply #4 on: May 11, 2010, 02:13:01 PM »
Err... is this method enough?:
- If avast! pops up I select "Do not warn me again" at special options and I select do nothing

DavidR
Re: Hidden rootkits
« Reply #5 on: May 11, 2010, 03:22:51 PM »
I don't know what you mean by Err... is this method enough?

Do nothing doesn't allow it to run, it just doesn't take any action, move to chest, delete, etc.

Personally I don't believe using the "Do not warn me again" option is a wise one (in general terms) as I don't know if there is a way to subsequently reverse that option.

Sartigan
Re: Hidden rootkits
« Reply #6 on: May 11, 2010, 04:02:49 PM »
OK but I want PunkBuster, because some servers need it :S

And I want to play....
And what if I make those files not hidden? (I can make an application to change their attributes.)

I had two options, "delete (recommended)" and "Do nothing"; I couldn't move it to the chest, repair, etc.

DavidR
Re: Hidden rootkits
« Reply #7 on: May 11, 2010, 04:20:08 PM »
Then do as I said, exclude it from scans.

But do yourself and other avast users a favour and upload the files to VirusTotal and confirm or deny the detection, and if it is a false positive submit the samples to avast for analysis.

They can then correct the detection in the virus signatures (if it is a false positive), benefiting all avast users that are using PunkBuster. That is why I went to the trouble of giving the full instructions, to help not just you but other avast users.

I don't use any gaming software so haven't got punk buster to check it, not to mention I'm just another avast user like yourself.

Sartigan
Re: Hidden rootkits
« Reply #8 on: May 11, 2010, 04:26:28 PM »
OK, but I can exclude only FOLDERS from the scan. I tried it, but PunkBuster is located in Windows/system32/...

I repeat: avast! detected this as a hidden rootkit, NOT AS A VIRUS.

OK, but I'm 13; if gaming is not fun for me I go and write programs, but if I haven't got ideas I must play games. I have a 6-year-old computer (Windows XP runs 3 years ago) and my computer's processor is 1.83GHz, so I can't play Call of Duty 4 or something like that.

Or if I set the folder, can I write PnkBstrB.exe after the path name?

DavidR
Re: Hidden rootkits
« Reply #9 on: May 11, 2010, 05:00:39 PM »
When you have selected the folder, change the \* at the end of the path to \PnkBstrB.exe, then repeat the process adding another exclusion, this time with \PnkBstr.sys at the end.

Sartigan
Re: Hidden rootkits
« Reply #10 on: May 12, 2010, 06:21:15 PM »
OK, give a chance for this  ;)

DavidR
Re: Hidden rootkits
« Reply #11 on: May 12, 2010, 07:20:52 PM »
The really important thing is to test the files at VirusTotal, confirm they are clean and then submit them to avast.

Sartigan
Re: Hidden rootkits
« Reply #12 on: May 13, 2010, 06:12:42 PM »

File has already been analysed:
MD5:    194b04ad84a4ff7e10188039451221d5
First received:    2007.12.31 18:34:29 UTC
Date:    2009.03.10 21:21:26 UTC [>428D]
Results:    0/39
Permalink:    analisis/a77e67df59722ca56c8a65fc60022ddaf2f35101a7c6161be4656bdc247ee7ba-1236720086

Here is what VirusTotal wrote, but I can reanalyze now, let's test it:
http://www.virustotal.com/analisis/a77e67df59722ca56c8a65fc60022ddaf2f35101a7c6161be4656bdc247ee7ba-1273766942
Clean!

I said avast! didn't write VIRUS for these files!!! It was detected as a hidden rootkit!

Sartigan
Re: Hidden rootkits
« Reply #13 on: May 14, 2010, 08:50:15 PM »
Yesterday, avast! didn't pop up with this "Hidden rootkit" problem. It could have been a fresh database error or something like that; now avast! doesn't pop up. I need to reinstall PunkBuster at my brother's :D

DavidR
Re: Hidden rootkits
« Reply #14 on: May 14, 2010, 09:18:55 PM »
Yes, probably an adjustment in the detections and that can include the detection of hidden rootkits also.