Author Topic: [Resolve]Is this Real ROOTKIT???  (Read 7672 times)


bong2x

  • Guest
« Last Edit: November 26, 2010, 08:47:23 AM by bong2x »

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • Posts: 1556
Re: Is this Real ROOTKIT???
« Reply #1 on: November 25, 2010, 10:23:01 AM »
I think that is a false threat, since avast and Gdata are using the same engine. Hopefully avast will correct this with the next virus update.

Thanks for sharing and helping improve avast's detection rate.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Offline Pondus

  • Probably Bot
  • Posts: 37527
  • Not a avast user
Re: Is this Real ROOTKIT???
« Reply #2 on: November 25, 2010, 10:29:07 AM »
@bong2x
Have sent you a PM

bong2x

  • Guest
Re: Is this Real ROOTKIT???
« Reply #3 on: November 25, 2010, 11:11:07 AM »
Done ;)

We cannot say what it is, so we wait for the result of the investigation.

Edit: I misread it
« Last Edit: November 25, 2010, 11:25:58 AM by bong2x »

Offline Milos

  • Avast team
  • Super Poster
  • Posts: 2294
Re: Is this Real ROOTKIT???
« Reply #4 on: November 25, 2010, 05:22:26 PM »
Hello,
Send us (virus@avast.com) the file to analyze, please. Put "False positive" in the subject.

Milos

Offline Pondus

  • Probably Bot
  • Posts: 37527
  • Not a avast user
Re: Is this Real ROOTKIT???
« Reply #5 on: November 25, 2010, 05:39:39 PM »
Sample is sent ;)

OBS: subject - sample requested

bong2x

  • Guest
Re: Is this Real ROOTKIT???
« Reply #6 on: November 25, 2010, 05:50:16 PM »
Quote
Hello,
Send us (virus@avast.com) the file to analyze, please. Put "False positive" in the subject.

Milos

Done!!!

sir,
I usually send viruses from the chest and I always put "potential Malware" and put the comment "for investigation".
If I do it like that, will it still be the same detection?

Regards!!!

bong2x

  • Guest
Re: [Resolve]Is this Real ROOTKIT???
« Reply #7 on: November 26, 2010, 08:48:49 AM »
Thanks avast team for your fast action.

I don't understand why others detected it now ??? ??? ::)

http://www.virustotal.com/file-scan/report.html?id=5922fb1d14408060c4f00ad08208194cf5c0406bbd19deaef719f27b84441adf-1290757866


Regards!!!
« Last Edit: November 26, 2010, 08:57:02 AM by bong2x »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89021
  • No support PMs thanks
Re: [Resolve]Is this Real ROOTKIT???
« Reply #8 on: November 26, 2010, 02:36:58 PM »
Sheep, or if you check what it is that they are actually detecting, they are heuristic or undefined detections; these are more prone to false positives if they are over sensitive.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

bong2x

  • Guest
Re: [Resolve]Is this Real ROOTKIT???
« Reply #9 on: November 26, 2010, 03:17:15 PM »
I checked those files before sending and I see that they do not have a publisher name. Maybe that makes avast detect them as threats, but maybe it is because that Win7 is a fresh install.

What do you think is the difference (see picture)?
The 652kb one that avast captured does not have a publisher, and the regenerated one is 0kb and it has a publisher.

If you see that picture, what's on your mind???

Offline Pondus

  • Probably Bot
  • Posts: 37527
  • Not a avast user
Re: [Resolve]Is this Real ROOTKIT???
« Reply #10 on: November 26, 2010, 04:03:08 PM »
Norman analysis - Added detection

autochk.exe : Processed - Dloader.AMOBY
« Last Edit: November 26, 2010, 04:12:05 PM by Pondus »

bong2x

  • Guest
Re: [Resolve]Is this Real ROOTKIT???
« Reply #11 on: November 26, 2010, 04:37:57 PM »
Complicated ha???
In my XP it is not captured by Avast but in Win7 it is identified as Rootkit.
So be very careful about adding these threats.
Do not let people out there suffer for just a small mistake.
The function of the original file is to check the hardware before start-up and before shutdown.
If this file is deleted it will prompt you at the start: autochk.exe not found, skip the process,
and it will slow down your computer at the start-up.


Offline Pondus

  • Probably Bot
  • Posts: 37527
  • Not a avast user
Re: [Resolve]Is this Real ROOTKIT???
« Reply #12 on: November 26, 2010, 05:44:01 PM »
If I upload and scan the one I find in my Win7-32bit C:\Windows\system32\autochk.exe I get this

autochk.exe - 0/43 - MD5   : 41e4c8eba464e7d6a5ba5e8827732aeb
http://www.virustotal.com/file-scan/report.html?id=a3447c256d3dee0c999a220d0e4f4a471e2eb6024232474bc47dbaa30ed5b025-1290789226

sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Auto Check Utility
original name: AutoChk.Exe
internal name: AutoChk
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


Malwarebytes say CLEAN



The one you sent me

autochk.exe - 3/43 - MD5   : 43bcf660eaddafcbf638a1af757ca3ae
http://www.virustotal.com/file-scan/report.html?id=941eb31e50c6ed7cf8b2231794bb17577e696d8573b0d53729e76ca22c030f4e-1290789618


sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


Malwarebytes detect it as Trojan.Agent




« Last Edit: November 26, 2010, 05:50:03 PM by Pondus »
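A defender's version of the comparison Pondus posts above (hash the file against a known-good copy, then read the sigcheck version-resource fields), written as an added example for this thread; it is not code from the forum or from Avast. It embeds the two sigcheck listings from reply #12 as sample input and uses the known-good MD5 quoted there. The function names, the sample-bytes argument and the scoring rule are my assumptions; the actual file bytes are not on the page.

```python
import hashlib
import re

# Known-good MD5 of the clean Win7 autochk.exe, as posted by Pondus in reply #12.
KNOWN_GOOD_MD5 = {"autochk.exe": "41e4c8eba464e7d6a5ba5e8827732aeb"}

# The two sigcheck listings from reply #12, embedded here as sample input.
SIGCHECK_CLEAN = """publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Auto Check Utility
original name: AutoChk.Exe
internal name: AutoChk
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
"""

SIGCHECK_SUSPECT = """publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
"""

# sigcheck pads the field name with dots up to the colon: "publisher....: value".
_FIELD_RE = re.compile(r"^([a-z ]+?)\.*:\s*(.*)$")


def parse_sigcheck(text):
    """Turn a sigcheck listing into {field: value} with the dot padding removed."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def assess(fields):
    """List the reasons a file looks suspicious based on its version resource.

    An empty publisher / original name is the strong signal in this thread.
    'verified' is weaker: Windows system binaries are usually catalog-signed
    rather than carrying an embedded Authenticode signature, so the clean
    copy also reports Unsigned here.
    """
    reasons = []
    if fields.get("publisher", "n/a") in ("n/a", ""):
        reasons.append("no publisher in version resource")
    if fields.get("original name", "n/a") in ("n/a", ""):
        reasons.append("no original filename in version resource")
    if fields.get("verified", "").lower() != "signed":
        reasons.append("no verified embedded signature (weak signal)")
    return reasons


def md5_hex(data):
    """MD5 of raw file bytes, lowercase hex, the form VirusTotal shows."""
    return hashlib.md5(data).hexdigest()


def matches_known_good(name, data):
    """True only if we have a reference hash for this name and the bytes match it."""
    expected = KNOWN_GOOD_MD5.get(name.lower())
    return expected is not None and md5_hex(data) == expected


def triage(name, data, sigcheck_text):
    """Combine both checks into one verdict string (assumed scoring rule)."""
    if matches_known_good(name, data):
        return "known-good"
    reasons = assess(parse_sigcheck(sigcheck_text))
    strong = [r for r in reasons if "weak" not in r]
    return "suspicious: " + "; ".join(strong) if strong else "unverified"


if __name__ == "__main__":
    # Constructed placeholder bytes: the real files are not on the page.
    sample = b"constructed placeholder, not the real autochk.exe"
    print(triage("autochk.exe", sample, SIGCHECK_CLEAN))
    print(triage("autochk.exe", sample, SIGCHECK_SUSPECT))
```

Run against a real file, the hash check is the decisive one: a system file whose MD5 matches the reference copy is clean whatever the heuristic engines say, and one that does not match and also carries an empty version resource is the case Pondus shows with 3/43 on VirusTotal.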

bong2x

  • Guest
Re: [Resolve]Is this Real ROOTKIT???
« Reply #13 on: November 26, 2010, 08:14:51 PM »
Thanks Pondus!!!

I am also wondering why my autochk.exe does not have a publisher and copyright.
Is it possible that the Trojan replaced the whole file?? I will reinstall my Win7 and try again.

Regards!!!

Offline Pondus

  • Probably Bot
  • Posts: 37527
  • Not a avast user
Re: [Resolve]Is this Real ROOTKIT???
« Reply #14 on: November 29, 2010, 12:31:33 PM »
And finally from Avira.....they were late this time


Quote
File ID    Filename      Size (Byte)   Result
25963354   autochk.exe   652.5 KB      MALWARE

Please find a detailed report concerning each individual sample below:
Filename      Result
autochk.exe   MALWARE

The file 'autochk.exe' has been determined to be 'MALWARE'. Our analysts named the threat RKit/Undef.A. The term „RKIT/“ denotes a piece of software that uses cloaking techniques to hide itself from view. Therefore it has to be categorized as potentially malicious. Detection will be added to our virus definition file (VDF) with one of the next updates.
The file 'autochk.exe' has been determined to be 'MALWARE'. Our analysts named the threat RKit/Undef.A. The term „RKIT/“ denotes a piece of software that uses cloaking techniques to hide itself from view. Therefore it has to be categorized as potentially malicious.Detection will be added to our virus definition file (VDF) with one of the next updates.