Avast Rootkit FP?


Ink

EDIT: Posted in Avast Forums

I am using Windows 8 RP 64-bit.

I installed Avast 7 Free about 10 minutes ago, custom installation with Web and Network Shield only.

Changes to Avast Free (Web and Network Shield only):

- Linked to my.avast.
- Activated free license.
- Enabled PUP detection on Web Shield.
- Disabled Social/Recommended features.
- Disabled Generate monthly report.
- Disabled start-up rootkit scan.

Action Center reported that Avast and Windows Defender were both turned off.

Manually switched on Windows Defender.

I get an avast pop-up saying rootkit detected (see screenshot).

I chose Ignore.

Generated a log file (extract from aswAr.log):
Code:
Service WdBoot [C:\WINDOWS\system32\drivers\WdBoot.sys]  **HIDDEN**
Service WdFilter [C:\WINDOWS\system32\drivers\WdFilter.sys]  **HIDDEN**
Service WinDefend [C:\Program Files]  **HIDDEN**

I can only assume these are False Positives?

Any help appreciated. I have to dig up my Avast Forums username.
 

Attachment: avast7-rootkit.png
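As an added example (not from the thread or from Avast), here is a small triage script for log lines in the `Service <name> [<path>]  **HIDDEN**` format quoted above. It parses each entry and sorts hidden services into "likely false positive" (known Windows Defender components), "review" (an unknown hidden driver under system32\drivers, worth hashing and checking) and "suspicious" (hidden service outside those locations). The allowlist and the last two sample log lines are constructed assumptions, not data from the thread.

```python
import re
from dataclasses import dataclass

# Matches the aswAr.log line format shown in the thread:
#   Service <name> [<path>]  **HIDDEN**
LINE_RE = re.compile(r"^Service\s+(?P<name>\S+)\s+\[(?P<path>[^\]]*)\]\s+\*\*HIDDEN\*\*\s*$")

# Constructed allowlist (assumption for this example): Windows Defender
# components that legitimately hide themselves from other kernel drivers.
KNOWN_SECURITY_COMPONENTS = {
    "wdboot": "Windows Defender early-launch boot driver",
    "wdfilter": "Windows Defender file-system minifilter",
    "windefend": "Windows Defender service",
}
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"

@dataclass
class Finding:
    service: str
    path: str
    verdict: str   # "likely-fp", "review" or "suspicious"
    reason: str

def parse_line(line):
    """Return (service, path) for a hidden-service line, else None."""
    m = LINE_RE.match(line.strip())
    return (m.group("name"), m.group("path")) if m else None

def triage(line):
    """Classify one log line; non-matching lines yield None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    name, path = parsed
    key, lpath = name.lower(), path.lower()
    if key in KNOWN_SECURITY_COMPONENTS:
        return Finding(name, path, "likely-fp", KNOWN_SECURITY_COMPONENTS[key])
    if lpath.startswith(SYSTEM_DRIVER_DIR) and lpath.endswith(".sys"):
        return Finding(name, path, "review", "unknown hidden driver in system32\\drivers; verify its hash")
    return Finding(name, path, "suspicious", "hidden service outside known security components")

def triage_log(text):
    return [f for f in (triage(ln) for ln in text.splitlines()) if f is not None]

# Constructed sample: first three lines mirror the thread, last two are invented.
SAMPLE_LOG = r"""aswAr.log excerpt (constructed for this example)
Service WdBoot [C:\WINDOWS\system32\drivers\WdBoot.sys]  **HIDDEN**
Service WdFilter [C:\WINDOWS\system32\drivers\WdFilter.sys]  **HIDDEN**
Service WinDefend [C:\Program Files]  **HIDDEN**
Service acmefilt [C:\WINDOWS\system32\drivers\acmefilt.sys]  **HIDDEN**
Service updsvc [C:\Users\Public\updsvc.sys]  **HIDDEN**
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:10} {f.service:10} {f.path}  ({f.reason})")
```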
Ain't service WinDefend the Windows Defender one? As well as the 2 .sys files?

I still believe it is a False Positive. Anyway, can you upload the files to Avast and inform them of the False Positive?
 
Indeed, looks like an FP...
Did you try to upload the files to https://www.virustotal.com/ ?
 
Just checking, I shall report this to Avast, when I find my login details. :)

WdFilter.sys
https://www.virustotal.com/file/c66383e690ee77591bc37aa7b5e0111f3802cd439e97fe053f87369abc5ae84b/analysis/1340309044/

WdBoot.sys
https://www.virustotal.com/file/2ad5767e8272c3c8dfe76a4a6a60580d609d4a58c35a9a7ea96bdd3b03cb40c6/analysis/1340309046/
 
The worst part is that the recommended action is DELETE... An inexperienced user would just allow this request and basically remove some much-needed Windows files.
 
I had the same rootkit warning on the MBAM service when I recently bought MBAM Pro... The warning was on mbamswissarmy.sys, which MBAM creates when it scans something... I searched the avast forums and did find that it was also seen by many more people... Nevertheless, it's the power of GMER that avast has :P ... so make exclusions in your additional anti-malware applications and in avast; it must suppress these alerts then :)
 