Author Topic: OMG Issues with Avast 7 on x64 - False Positive Rootkit?  (Read 19475 times)


Keter

  • Guest
OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« on: April 07, 2012, 06:10:36 PM »
I have a potential disaster on my hands.  I upgraded my desktop (Win 7 Pro x64) to Avast 7 Free a few days ago, and almost immediately, it reported a rootkit.  The screen that popped up cut off the name and location of the rootkit.  I let it delete and boot time scan, and the boot time scan reported nothing, but there was absolute mayhem on my system...many things no longer worked.  I was going to restore, but discovered all of my restore points were wiped out.  To reimage would require media I didn't have...I got that machine from Office Depot on sale, and apparently they had upgraded the machine from Home Premium to Pro, and sold it to me as Pro, while what was on the recovery partition was Home Premium.  I have a fledgling online business that requires daily attention, so I couldn't be down, and went and bought a brand new laptop (Win 7 Home Premium x64) yesterday and spent all of last night getting it set up, which included installing a paid version of Avast 7 (full suite).  This morning, after using for about an hour, up pops the same rootkit notice, again unreadable.  I let it do its thing, and am not yet sure if there's mayhem on this machine, too.  I haven't even had time to make the system disks, and this one has no restore partition, so if I've got damage here, too, I may just have gone out of business.  I can't find the Avast log files to get more information.  The single point of contact between these machines is the files in my Dropbox, which I scanned thoroughly using a third machine with Avast 7 before touching it with this new laptop, and it scanned as clean.

Any clue what I should do next?

Keter

  • Guest
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #1 on: April 07, 2012, 06:20:22 PM »
Update - Trend Micro Housecall just finished running and says everything is clean.

iroc9555

  • Guest
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #2 on: April 07, 2012, 06:25:41 PM »
Keter.

Essexboy, an Avast! malware removal specialist, has been notified. You can follow this guide and do as much as you can.

http://forum.avast.com/index.php?topic=53253.0

Attach logs for Malwarebytes, OTL, and aswMBR.exe. Just wait.

Keter

  • Guest
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #3 on: April 07, 2012, 07:34:12 PM »
Will do, thanks.  Malwarebytes Pro run on the other affected machine showed clean.  So far, at about two-thirds finished, Malwarebytes Free is finding nothing on the new machine.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #4 on: April 07, 2012, 07:37:13 PM »
Monitoring  ;D

Keter

  • Guest
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #5 on: April 08, 2012, 08:51:31 PM »
I was trying to place the post in the correct forum according to the instructions I was given (Viruses) but it now seems to have gone even farther AWOL (no clue how that happened) and is in http://forum.avast.com/index.php?topic=96894.0.  I will copy and repaste here with updates.

I have a potential disaster on my hands.  I upgraded my desktop (Win 7 Pro x64) to Avast 7 Free a few days ago, and almost immediately, it reported a rootkit.  The screen that popped up cut off the name and location of the rootkit.  I let it delete and boot time scan, and the boot time scan reported nothing, but there was absolute mayhem on my system...many things no longer worked.  I was going to restore, but discovered all of my restore points were wiped out.  To reimage would require media I didn't have...I got that machine from Office Depot on sale, and apparently they had upgraded the machine from Home Premium to Pro, and sold it to me as Pro, while what was on the recovery partition was Home Premium.  I have a fledgling online business that requires daily attention, so I couldn't be down, and went and bought a brand new laptop (Win 7 Home Premium x64) yesterday and spent all of last night getting it set up, which included installing a paid version of Avast 7 (full suite), other utilities I use, and starting to remove OEM installed crapware.

This morning, after using the new laptop for about an hour, up pops the same rootkit notice, again unreadable.  I let Avast do its thing, and am not yet sure if there's mayhem on this machine, too.  I haven't even had time to make the system disks, and this one has no restore partition, so if I've got damage here, too, I may just have gone out of business.  I can't find the Avast log files to get more information.  The single point of contact between these machines is the files in my Dropbox, which I scanned thoroughly using a third machine (Vista, 32-bit, identical access to the Dropbox account) with Avast 7 before touching it with this new laptop, and it scanned as clean.

I had Malwarebytes Pro on the desktop system, and it said everything was clean.  I downloaded and ran Malwarebytes (full trial) on the laptop, and it also reports clean (log attached).

Avast does not like OTL.  It wants to put it into the sandbox.  I forced it to run normally.  Logs are attached.  Ran aswMBR.exe, log attached.

===

Sorry, I'm not sure what happened... I posted originally in General because I wasn't sure a possible false-positive rootkit issue belonged in with viruses and trojans.  Following reading the instructions post you linked me to, I thought I copied, updated and reposted in the viruses forum with the logs attached.  Now apparently the post is in the avast! Distributed Network Manager forum... ???confused???

The only new behavior I have to report is that 8 more Windows updates popped up last night and took an astonishing 2 hours to complete and shut down.  This is a brand-new Toshiba Satellite L775D-S7132, on which I have installed only Avast, Advanced System Care, Firefox, Pokki (utility toolbar), Skype, Malwarebytes, and the diagnostic utilities mentioned in the instruction email.  All but the diagnostic utilities are "old friends" that I use on my other two systems, including the Vista x86 box that has remained unaffected.  Sometimes this new laptop runs like a Pentium 2 with 512MB of RAM.

One other symptom:  I noticed this morning that some shortcut icons have disappeared, replaced with just the default icon.  I noticed this same behavior on my x64 desktop following the "rootkit" removal.  The more I think about this, the more I think that there never was a rootkit on either machine and that the new Avast is misidentifying files vital to x64 systems.  I hope I am wrong.  I've been an Avast user and advocate for many years.

Offline essexboy
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #6 on: April 08, 2012, 09:18:20 PM »
I run a Win7 64-bit and have received no alerts.

This is what Avast was concerned about

20:00:06.557    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS        15099 MB offset 1219340288

This is a hidden partition on your hard drive; the 17 indicates that it is most probably the TDSS file system boot sector.  I would like to get a second opinion on it, as it is about 100 times larger than normal.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
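The aswMBR line quoted above is a decoded MBR partition-table entry: the `17` is the partition type byte, and 0x17 is the hidden variant of the NTFS type 0x07 (the type OEM recovery partitions are normally stored as). The following is an added example, my own code and not from aswMBR, Avast, or anyone in this thread: a small Python parser that reads a raw 512-byte MBR, decodes the four primary partition entries, and flags any whose type byte marks it hidden, so that a reviewer can check a flagged partition against the machine's known recovery partition before treating it as a rootkit indicator. The sample MBR is constructed inline and reproduces the 15099 MB size and sector offset 1219340288 from the quoted line; the other two partitions are assumed values.

```python
import struct

SECTOR_BYTES = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries live at bytes 446..509
ENTRY_FORMAT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

# Common MBR type bytes.  Setting 0x10 on a FAT/NTFS type marks it hidden, which is
# how OEM recovery partitions are usually stored; a hidden partition is therefore
# something to review, not by itself proof of a rootkit.
TYPE_NAMES = {
    0x07: "HPFS/NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 LBA",
    0x0F: "Extended LBA",
    0x11: "Hidd FAT12",
    0x16: "Hidd FAT16",
    0x17: "Hidd HPFS/NTFS",
    0x1B: "Hidd FAT32",
    0x1C: "Hidd FAT32 LBA",
    0x27: "Hidd NTFS (WinRE)",
}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}


def parse_mbr(mbr):
    """Decode the four primary partition entries of a raw 512-byte MBR."""
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    parts = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba, count = struct.unpack(ENTRY_FORMAT, mbr[start:start + 16])
        if ptype == 0x00:          # empty slot
            continue
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba": lba,
            "sectors": count,
            "mb": count * SECTOR_BYTES // (1024 * 1024),
        })
    return parts


def hidden_partitions(parts):
    """Return the entries whose type byte marks them hidden."""
    return [p for p in parts if p["type"] in HIDDEN_TYPES]


def describe(disk, p):
    """Render an entry in roughly the layout aswMBR prints."""
    name = TYPE_NAMES.get(p["type"], "Unknown")
    flag = 0x80 if p["active"] else 0x00
    return (f"Disk {disk} Partition {p['index']} {flag:02X} {p['type']:6X} "
            f"{name:<18} {p['mb']:>8} MB offset {p['lba']}")


def _entry(status, ptype, lba, count):
    # CHS fields are filled with 0xFE 0xFF 0xFF, the "use LBA" filler modern tools write
    return struct.pack("<B3sB3sII", status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba, count)


# Constructed sample MBR (not a real capture): a 200 MB active system partition,
# a large OS partition, and a 15099 MB hidden NTFS partition starting at sector
# 1219340288, matching the size and offset in the quoted aswMBR line.
SAMPLE_MBR = (
    bytes(PARTITION_TABLE_OFFSET)
    + _entry(0x80, 0x07, 2048, 409600)
    + _entry(0x00, 0x07, 411648, 1218928640)
    + _entry(0x00, 0x17, 1219340288, 30922752)
    + bytes(16)
    + b"\x55\xAA"
)


def review(mbr, disk=0):
    """Lines a reviewer would look at: every partition, then the hidden ones called out."""
    parts = parse_mbr(mbr)
    lines = [describe(disk, p) for p in parts]
    for p in hidden_partitions(parts):
        lines.append(f"REVIEW: partition {p['index']} is hidden (type {p['type']:02X}); "
                     f"confirm it is the OEM recovery partition before acting on it")
    return lines


if __name__ == "__main__":
    for line in review(SAMPLE_MBR):
        print(line)
```

On a live system the same 512 bytes come from the first sector of the physical disk (with administrator rights), and the parser applies unchanged; the point of the REVIEW line is that the hidden type byte and the partition's size are the facts to reconcile against the vendor's recovery layout before anything is deleted.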

Keter

  • Guest
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #7 on: April 08, 2012, 09:20:34 PM »
A couple of other items:

I just ran Kaspersky's TDSS Killer with all options enabled and it found nothing.

I installed a piece of software that I wanted to try (I'm trying to find an easy and relatively competent web site creation program for a friend), EzGenerator 4, on the desktop computer and it would not run...it would start and then mysteriously disappear with no warning before I could do anything with it.  I just installed it on this laptop, and guess what?  Up pops Avast and kills it.  (I got no such warning on the desktop, but the duration between warning and killing the program looks identical).  I tried to set it such that it would run in the sandbox, but Avast still killed it.  I forced Avast to let it open normally, and the program opened with no problem.  SO...it looks like what was making me think I might have had some sort of infection on the desktop actually was Avast killing my programs but failing to put up the popup as it did on the laptop.

Keter

  • Guest
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #8 on: April 08, 2012, 09:22:40 PM »
For clarification, I found TDSS Killer on my own a bit earlier and ran it as shown in your post, Essexboy.  :)

Offline essexboy
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #9 on: April 08, 2012, 09:27:23 PM »
What can you tell me about that partition - did you hide it?

Also set the avast autosandbox and behaviour shield to ask; you will then get the choice as to whether to run it or not.

Could you attach the TDSSKiller log?

Keter

  • Guest
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #10 on: April 08, 2012, 10:00:08 PM »
I have done nothing on either affected machine with partitions.  The desktop computer has a D: partition for system recovery, created by HP, the OEM, and I have literally never done anything with it except look at its contents. The laptop, the one I'm currently providing log files from, has no partition at all.

Arrgh... the "autodecide" setting is not in the main settings configuration.  Now I gotta check each module to see what else is hiding.

I couldn't find a log file from the earlier run, but I re-ran it and was able to get a "report" from this run which I copied into a text file.  I think this is the same thing. If not, can you give me a hint where to look or what name to look for?

Offline essexboy
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #11 on: April 08, 2012, 10:09:05 PM »
Here you go: behaviour shield first and then autosandbox.


Offline essexboy
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #12 on: April 08, 2012, 10:09:41 PM »
And sandbox

Keter

  • Guest
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #13 on: April 08, 2012, 10:18:32 PM »
Thanks.  I found the first autosandbox setting on my own, but not the second.  Interesting... I can't wait to apply this to my desktop computer to see how much it revives.

Offline essexboy
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #14 on: April 08, 2012, 10:23:38 PM »
A lot of the decision making that Avast does is based on the frequency of the programme's use, digital signature, where it came from, etc...

So if it is an old programme that very few people use, it will be viewed with suspicion until either it has a better handle on it or you confirm it is safe.  But remember this is a double-edged sword: if you told it that Virut was safe, it would still block it, but probably not until after some damage was done.