Author Topic: Where to find logs of rootkits detected?

noct

  • Guest
Where to find logs of rootkits detected?
« on: August 28, 2011, 08:13:20 PM »
Hi all,

When I started my computer yesterday, Avast told me that it found a rootkit in one of the Windows files. I let Avast delete it, and then I ran a boot-time scan like it suggested, and it came out clean.

However, this rootkit detection doesn't appear in any of the logs in Avast. I want to find out the name of the rootkit file, which I forgot to write down. First, I want to make sure that I didn't delete an important Windows file, and second, I want to do more research on it. So does anybody know where I can find the rootkit detection history?

Thanks

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
Re: Where to find logs of rootkits detected?
« Reply #1 on: August 28, 2011, 08:22:58 PM »
C:\ProgramData\AVAST Software\Avast\log. Is there nothing in the chest? The first choice of deleting the file is not the best; if unsure, always quarantine.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
Re: Where to find logs of rootkits detected?
« Reply #2 on: August 28, 2011, 08:31:57 PM »
That would rather depend on what scanner detected it as to what log it might be in.

If it is the anti-rootkit scan 8 minutes after the boot (see image examples of alert) then the details would be in the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\aswAr.log (XP location) or C:\ProgramData\AVAST Software\Avast\log\aswAr.log (for Vista, win7).

So was it one of these?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

noct

  • Guest
Re: Where to find logs of rootkits detected?
« Reply #3 on: August 28, 2011, 09:00:24 PM »
Yes, it was the second type. I found the log in C:\ProgramData\Alwil Software\Avast5\log (the version of Avast is 6.0.1203 though). Unfortunately, it seems like that aswAr.log is overwritten every time the computer starts up.

So if it's the type in the second image, is there any chance of a false positive or is it definitely a rootkit?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
Re: Where to find logs of rootkits detected?
« Reply #4 on: August 28, 2011, 09:11:43 PM »
Yes, it is overwritten each time the anti-rootkit scan is run, so if the anti-rootkit scan has run again without alerting then it is resolved one way or another.

If you opted for the recommended delete action, it may not get picked up on the subsequent scans.
If you chose to Ignore it (which personally I would recommend, until you have investigated the problem) and it is no longer detected then it was likely to have been a false positive which has been corrected.

So which action did you take?
Can you remember anything about the detection, e.g. file name and location?
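
Since aswAr.log is replaced on every anti-rootkit run, one defensive measure is to snapshot it before the next scan overwrites it. The script below is an added example, not Avast's own tooling: it copies the log into an archive folder under a timestamped name, skipping the copy when the content is unchanged from the last snapshot. The Vista/Win7 log path from this thread is used as the default; the archive folder is an assumed location of your own choosing, and running the script at logon (e.g. from Task Scheduler) is an assumption about deployment.

```python
import hashlib
import shutil
from datetime import datetime
from pathlib import Path
from typing import Optional

# Assumed defaults: the Vista/Win7 log path given in the thread, and an
# archive folder chosen for this example (not an Avast location).
DEFAULT_SRC = Path(r"C:\ProgramData\AVAST Software\Avast\log\aswAr.log")
DEFAULT_ARCHIVE = Path(r"C:\ProgramData\aswAr-archive")


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large logs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_log(src: Path = DEFAULT_SRC, archive_dir: Path = DEFAULT_ARCHIVE,
                now: Optional[datetime] = None) -> Optional[Path]:
    """Copy src into archive_dir as <stem>-YYYYMMDD-HHMMSS<suffix>.

    Returns the path of the new copy, or None when src does not exist or its
    content is identical to the most recent snapshot (so repeated clean scans
    do not pile up duplicate files).
    """
    if not src.is_file():
        return None
    archive_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(src)
    # Timestamped names sort chronologically, so the last entry is the newest.
    previous = sorted(archive_dir.glob(f"{src.stem}-*{src.suffix}"))
    if previous and sha256_of(previous[-1]) == digest:
        return None
    stamp = (now or datetime.now()).strftime("%Y%m%d-%H%M%S")
    dest = archive_dir / f"{src.stem}-{stamp}{src.suffix}"
    shutil.copy2(src, dest)  # copy2 keeps the original modification time
    return dest


if __name__ == "__main__":
    saved = archive_log()
    print(f"archived to {saved}" if saved else "nothing new to archive")
```

Once snapshots accumulate, the file name of a detection that was later deleted can be recovered from the copy taken before that scan's result was overwritten.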

noct

  • Guest
Re: Where to find logs of rootkits detected?
« Reply #5 on: August 28, 2011, 09:50:06 PM »
I chose to delete the file. All I can remember is that it's a .sys file in the Windows directory.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
Re: Where to find logs of rootkits detected?
« Reply #6 on: August 28, 2011, 10:51:01 PM »
Unfortunately having deleted it, there is no way to continue any investigation, which is why my recommended action despite what might be offered/recommended (only in the anti-rootkit detection) is Ignore and investigate.