Topic: OMG Issues with Avast 7 on x64 - False Positive Rootkit?

Keter

  • Guest
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #15 on: April 08, 2012, 11:00:42 PM »
I'm a very low-risk user - I don't surf weird places, I don't do torrents or crack-ware, I'm the only user on the machines I use for business, and I do not network these computers together, such that the only points of contact between machines are Dropbox, Skype, Xmarks and LastPass. But I also have to be very sure that I'm not infected because I provide simple electronic games in standalone .exe files. My intention was to let this laptop be my general use machine so I could dedicate the desktop entirely to production work, isolated from any potential sources of contamination outside of Dropbox. The Vista box is not a candidate because my husband uses it and he's not all that savvy. So my little business is offline until I have a for-sure resolution to this.

The hidden partition thing has thrown me for a loop... I have no idea where that might have come from. Right now, I'm poking a stick at Advanced System Care, which also has a recent new version with a greatly expanded suite of utilities. Might it have created a partition for its own use? I know it creates restore points that don't seem to show up in the normal system restore points.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #16 on: April 08, 2012, 11:21:30 PM »
These are the partitions found by aswMBR:

Quote
20:00:06.401    Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
20:00:06.525    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       593880 MB offset 3074048
20:00:06.557    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS        15099 MB offset 1219340288

The first, 80 (A) 27, is the active partition and is legit: the recovery console of Vista / 7.
Quote
27 Windows RE hidden partition
On MBR disks, type 0x27. On GPT disks, GUID: DE94BBA4-06D1-4D40-A16A-BFD50179D6AC. A hidden version of a Windows RE type 0x7 partition with NTFS. When this is installed, reboot and press F8 in order to boot into this Recovery Environment.

The second, 00 07, is the Windows partition that you boot to.

Quote
07 Windows NT NTFS
Filesystem introduced in Windows NT 3.1.


Now the third one is curious; up until now I have only seen this in its hidden form with TDL4, although the normal max size is 10 MB.
So, do you have either Unix or Linux on this partition?

Quote
IFS which can be OS/2's HPFS, Windows NTFS, Advanced Unix or QNX2.X (pre-1988). Type 0x07 is not hidden and type 0x17 is hidden.
Quote
IFS = Installable File System. The best known example is HPFS. OS/2 will only look at partitions with ID 7 for any installed IFS (that's why the EXT2.IFS packet includes a special "Linux partition filter" device driver to fool OS/2 into thinking Linux partitions have ID 07).
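
The decoding essexboy walks through above (the 0x80 active flag, type 0x07 against its hidden variant 0x17, and the 0x27 WinRE entry) is what aswMBR prints from the 64-byte partition table at the end of the MBR. The script below is an added example, not code from the thread or from aswMBR: it parses a 512-byte MBR, flags hidden and bootable entries, prints them in the same shape as the quoted log, and checks whether each entry starts exactly where the previous one ends, so a partition that covers unexplained space (or overlaps a neighbour) stands out. The MBR bytes are constructed to reproduce the three entries in the quoted log; the type-name table covers only the types that appear there.

```python
"""Decode an MBR partition table the way a bootkit scanner does.

Added example, not code from the thread or from aswMBR. The 512-byte MBR
below is constructed to reproduce the three entries in the aswMBR log
quoted above, so the checks can be run offline.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # at offset 510

# Type bytes that appear in the quoted log. 0x17 is 0x07 with the OS/2-style
# "hidden" bit (0x10) set; 0x27 is Microsoft's hidden WinRE assignment.
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x17: "Hidd HPFS/NTFS", 0x27: "Hidden NTFS WinRE"}
HIDDEN_TYPES = {0x17, 0x27}


def parse_mbr(mbr):
    """Return one dict per populated entry; raise if the signature is wrong."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "status": status,
            "active": bool(status & 0x80),
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "unknown"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def describe(p):
    """Format an entry in the same shape as the aswMBR lines quoted above."""
    flag = "(A)" if p["active"] else "   "
    return "Disk 0 Partition %d %02X %s %02X %s %d MB offset %d" % (
        p["index"], p["status"], flag, p["type"], p["name"], p["size_mb"], p["lba"])


def layout_gaps(parts):
    """(end_of_previous, start_of_next) for every pair that is not contiguous.

    A pair whose second value is lower than the first is an overlap. Plain
    unallocated space is normal; an entry sitting in otherwise unexplained
    space, or overlapping a neighbour, is what deserves a second look.
    """
    ordered = sorted(parts, key=lambda p: p["lba"])
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        prev_end = prev["lba"] + prev["sectors"]
        if nxt["lba"] != prev_end:
            gaps.append((prev_end, nxt["lba"]))
    return gaps


def _entry(status, ptype, lba, mb):
    """Build one table entry; CHS fields are 0xFF as LBA-only tools write them."""
    return struct.pack("<B3sB3sII", status, b"\xff" * 3, ptype, b"\xff" * 3,
                       lba, mb * 1024 * 1024 // SECTOR)


# Constructed to match the quoted log: WinRE 1500 MB at 2048, Windows 593880 MB
# at 3074048, hidden NTFS 15099 MB at 1219340288, fourth slot empty.
SAMPLE_MBR = (
    bytes(TABLE_OFFSET)
    + _entry(0x80, 0x27, 2048, 1500)
    + _entry(0x00, 0x07, 3074048, 593880)
    + _entry(0x00, 0x17, 1219340288, 15099)
    + bytes(16)
    + BOOT_SIGNATURE
)

if __name__ == "__main__":
    found = parse_mbr(SAMPLE_MBR)
    for part in found:
        print(describe(part))
    print("hidden entries:", [p["index"] for p in found if p["hidden"]])
    print("layout gaps:", layout_gaps(found))
```

On a real machine the same parser can be fed the first sector read from `\\.\PhysicalDrive0` (administrator rights needed); the contiguity check is what tells you whether a hidden entry merely hides a vendor image or carves space out of nowhere.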

Keter

Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #17 on: April 08, 2012, 11:26:23 PM »
I don't do anything with Linux or Unix.

Offline essexboy

Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #18 on: April 08, 2012, 11:33:59 PM »
Are you utilising the backup function in Advanced System Care?

Although I cannot find much information about that element.

Also, what is the make of the laptop? I can then see if there is a hidden recovery partition which might fit those parameters.

Keter

Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #19 on: April 08, 2012, 11:40:17 PM »
I did end up with a Mac file (which I think is a version of Unix?) in my Dropbox over a year ago when a client put one in there, but I disconnected from that shared Dropbox after the project was completed.  I don't recall using any programs ported from either of these OSes, with the possible exception of GIMP, which I think started on Linux (not sure, but I first saw GIMP on a friend's Linux machine).

I am using the backup software (can't remember the name, maybe Paragon?) that came with a Western Digital external HD on the desktop.  I have not set up backup on the laptop yet as I don't yet have a backup drive for it.  I don't use Advanced System Care to do backups, but it does create restore points for many of the things it does, as mentioned previously.  The laptop is a Toshiba Satellite L775D-S7132.  http://us.toshiba.com/computers/laptops/satellite/L770/L775D-S7132

Offline essexboy

Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #20 on: April 09, 2012, 12:05:56 AM »
Hmm, not a great deal about the recovery partition, apart from that it is hard to find and useless.

That partition is not active and is just so much spare space at the moment.

Could you run Diskmgmt.msc from the Run box and see if the partition is showing in Disk Management?

Keter

Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #21 on: April 09, 2012, 12:21:18 AM »
Results of Diskmgmt.msc attached.

Keter

Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #22 on: April 09, 2012, 06:47:24 AM »
I went into my office and made the changes to Avast to make it ask before blocking stuff. All of a sudden, the problem of mysterious non-loading and non-starting programs vanished, and two programs I thought were corrupted worked.

I then ran TDSS Killer on the desktop x64 that was having the same problems.  The only things it found were all "medium risk" unsigned or locked files, and all but 2 I quickly identified as legitimate.

Gsservice.exe - based on info here http://www.sevenforums.com/system-security/177935-strange-block-software-being-auto-installed.html , I copied the file to a thumb drive, deleted it and rebooted. I have not seen any of the malicious behavior described in that post, but better safe than sorry. Everything so far seems to work, so if that wiped out something, it isn't anything I use regularly and I can always reinstall.

sptd.sys - identified as used by Daemon Tools, which I have installed but rarely use.  http://www.bleepingcomputer.com/startups/sptd.sys-13477.html

Offline essexboy

Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #23 on: April 09, 2012, 12:10:14 PM »
As the third partition is showing in Disk Management and has the correct parameters, I believe it is OK. The latest TDL does make us a bit twitchy about unknown partitions. But, as you say, better safe than sorry.

If you are happy, then run OTL and hit the cleanup button; that will remove itself and associated files/folders.
aswMBR can just be deleted from the desktop.

Keter

Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #24 on: April 10, 2012, 03:47:52 AM »
Cool, thanks...

Another thing I discovered: Avast was stepping on Malwarebytes, preventing it from starting at boot-up as it is supposed to, and again not notifying even though it is now set to ask.

Here's the error message in Malwarebytes:  [Shell_NotifyIcon] Failed to perform desired action. Error Code: 1008

Here's the workaround ( http://forums.malwarebytes.org/index.php?showtopic=29099 ):

Under Additional Protection > AutoSandbox > Settings > Files that will be excluded from automatic sandboxing:

    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\ProgramData\Malwarebytes' Anti-Malware\rules.ref
    C:\Windows\System32\drivers\mbam.sys  <<<<<<<<<<<< doesn't seem to be in the most recent version of Malwarebytes
    C:\Windows\System32\drivers\mbamswissarmy.sys

After making that change, Malwarebytes started normally.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #25 on: April 10, 2012, 01:32:45 PM »
@ Keter
I have MBAM Pro on XP Pro and on Win7 and have made zero exclusions for it in avast and it works as expected. The only thing that I have done is add the c:\windows\temp\_avast_ folder (where avast sends/unpacks files that are to be scanned) to the MBAM Ignore List.

So I really don't know what is going on on some systems. Do you have the MBAM Pro version (presumably so)?

Windows error code 1008 = An attempt was made to reference a token that does not exist. What was it you were doing when this error occurred?
« Last Edit: April 10, 2012, 01:34:21 PM by DavidR »

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #26 on: April 10, 2012, 04:30:41 PM »
If you've found yourself to be one of the few that have required exclusions between avast and MBAM Pro, then on top of the exclusion DavidR mentioned (the c:\windows\temp\_avast_ folder) you might want the current exclusions found here in section k: http://forums.malwarebytes.org/index.php?act=findpost&pid=417798 . The exclusions you posted are from a much older version of MBAM.

Keter

Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #27 on: April 10, 2012, 06:09:14 PM »
Malwarebytes Pro is set to start at system startup.  I was "doing" nothing other than just starting the computer.  The error occurred from the failure of Malwarebytes to start, which started happening AFTER I allowed Avast to make changes to the desktop system.  So far, I am not seeing this behavior on the laptop, but because it is a much newer machine, it has a very simple setup without multiple upgrades and the complications that can come from that.

Whichever file was being interfered with to trigger that error apparently was one on the list I provided.  Yes, I know it was for an older version, which is why I labeled the file that no longer appears in the current version.  Silly me, after four days of no sleep trying to sort this computer mess out and get back to work before what few VCs are watching my project decide I'm too lame to deal with any more, I didn't experiment past the point of getting it to work.

After having run so many tests on these computers, I am convinced that Avast false-positived on something unique to x64 systems. The fact that it threw up the very same malformed rootkit notification (the UI is malformed such that it can't be read) on a brand new laptop as it did on a much older desktop system, and both are x64, while an even older x86 machine that shares a nearly identical setup to the x64 desktop and ALL of the files in common between the x64 desktop and the laptop did not, pretty much proves that there isn't a real infection, or it would have been flagged on the x86 box as well. (I run setups that are as identical as possible on all computers precisely to make maintenance and diagnostic work easier.) The fact that TDSS Killer and all other malware programs I ran all came up clean seems to indicate no problem exists.

After making the settings changes to Avast, both affected systems have calmed down, everything runs as it should, and the desktop system in particular immediately stopped thrashing the hard drive which, along with the malfunctioning programs, I originally believed indicated an active infection. Yet when I set Avast to ask before automatically sandboxing or terminating programs I start, and got through one round of it asking me how to run programs, then added the Malwarebytes file to the whitelist (Avast never asked about Malwarebytes, it just killed it on startup), the last of the bad behavior went away and the machine went back to its normal responsiveness. Even the laptop had slowed to a crawl before I applied these changes and it now is working as expected.

So far, I have not needed to add any Avast exclusions to Malwarebytes on any machine.  One reason I have used these two programs together for so many years is that they have a long history of getting along.  In fact, when cleaning up other people's computers, I have run both Avast and Malwarebytes together as a "tag team" and watched one flush malware and the other one kill it.  I guess those days are over.

I am still considering the fact that this new version of Avast was flagging and stopping some of my game files, but not all of them.  They are made with all the same programs and processes and all so far on the same system (desktop x64), and none should be "familiar" to Avast since each is brand new.  This inconsistency worries me.

Keter

Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #28 on: April 10, 2012, 06:25:29 PM »
Oh, and something even more interesting about that last point regarding my game files. Game files that were flagged and stopped on one machine would often play on another... Avast wasn't flagging the same file every time across different computers, but Avast would consistently stop the same game files on the same system... either it would always run or never run on that particular machine. Yet that same game file, also downloaded from my web site, would run fine on the other system. As I mentioned, I run nearly identical setups and everything is kept synchronized with versions and updates... that inconsistency is really worrying.

bryank

  • Guest
Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
« Reply #29 on: April 18, 2012, 07:11:46 PM »
I upgraded to Avast 7 and within hours my PC was toast. After installation it suggested a full scan. I let it and when it was done having found a few adware items it asked to do a boot scan. I agreed and after that proceeded my computer wouldn't go into windows again other than in safe mode. Avast had moved my restore points into the chest and even restoring them didn't help. I couldn't do a system restore back to any point. My system only came with a restore partition that I can't even use. When I try to restore to original its looking for a disk not the files on my D: drive. I can't restore directly from those files as they are password protected so I can't even access them. I was Running XP Home sp3. I had to install XP Pro I had from a previous PC in order to get my PC working again. When I put Avast 7 on this PC again it hung up and hardlocked my PC on reboot. I'm going to do a clean windows install and I'm sticking with Avast 6 till they get the bugs out of version 7.