Avast Rootkit FP?

Status
Not open for further replies.

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,394
EDIT: Posted in Avast Forums

I am using Windows 8 RP 64-bit.

I installed Avast 7 Free about 10 minutes ago, custom installation with Web and Network Shield only.

Changes to Avast Free (Web and Network Shield only):

- Linked to my.avast.
- Activated free license.
- Enabled PUP detection on Web Shield.
- Disabled Social/Recommended features.
- Disabled Generate monthly report.
- Disabled start-up rootkit scan.

Action Center reported that Avast and Windows Defender were both turned off.

Manually switched on Windows Defender.

I get an avast pop-up saying rootkit detected (see screenshot).

I chose Ignore.

Generate a log file (extracted from aswAr.log):
Code:
Service WdBoot [C:\WINDOWS\system32\drivers\WdBoot.sys]  **HIDDEN**
Service WdFilter [C:\WINDOWS\system32\drivers\WdFilter.sys]  **HIDDEN**
Service WinDefend [C:\Program Files]  **HIDDEN**

I can only assume these are False Positives?

Any help appreciated. I have to dig up my Avast Forums username.
 

Attachments

  • avast7-rootkit.png
    avast7-rootkit.png
    31.7 KB · Views: 706
P

Plexx

Aint service WinDefend the windows defender one? as well as the 2 sys files?

I still believe it is a False Positive. Anyway you can upload the files to Avast and inform them of False Positive?
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Indeed looks like a FP...
Did you try to upload the files to https://www.virustotal.com/ ?
 

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,394
Just checking, I shall report this to Avast, when I find my login details. :)

WdFilter.sys
https://www.virustotal.com/file/c66383e690ee77591bc37aa7b5e0111f3802cd439e97fe053f87369abc5ae84b/analysis/1340309044/

WdBoot.sys
https://www.virustotal.com/file/2ad5767e8272c3c8dfe76a4a6a60580d609d4a58c35a9a7ea96bdd3b03cb40c6/analysis/1340309046/
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
The worst part is that the recommended action is DELETE... A inexperienced user would just allow this request and basically remove some much need it Windows files.
 

malwarekiller

New Member
Mar 30, 2012
688
I Had the same rootkit warning on MBAM Service when I recently bought MBAM Pro....The warning was on mbamswissarmy.sys that MBAM creates when it scans something...I searched the avast forums and did find that it was also seen by many more people...never the less..its the power of GMER that avast has :p...so make exclusions in your additional anti-malware applications and in avast...it must supress these alerts then:)
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top