Any others with possible false positives - mid-Feb '12?

Hello -

I’m posting in part to alert others to the possibility of a(nother) false positive for rootkit, as well as to try to confirm what I suspect and allay my fears. Forgive me if this is redundant, but in researching this forum, I could not find any FP instances relating to this time frame (mid-Feb '12).

I have been using the free version on my desktop and lappy for some time, with nary an untoward peep. I run daily full scans on both machines, the lappy running Windows Vista Home, and the PC running Windows 7. In casually looking at the logs for the lappy’s scans last night (22 Feb), I just happened to notice a report of a virus detection (in red) from 16 Feb. It was reported as a rootkit, threat level High. I tried to move the instances to Chest and delete, but access was denied in the Avast tool. Sadly, I had to delete Avast from the lappy in order to run other detection software (Kaspersky TDSSKiller, Windows Malicious Software Removal Tool, Windows Defender, all of which reported negative for infections), but there were about 15-20 files, win32k.sys and afd.sys as I recall, all in the Windows/winsxs folder. There was no obvious malfunction of the lappy.

Out of curiosity, I thought it might be useful to check the logs of the PC for similar indications. Lo and behold, a 15 Feb (one day before the lappy’s log entry!) reported a rootkit in the same folder… just on a different machine this time. There are eight files in this case, half of which are win32k.sys, while the rest are afd.sys, again in the Windows/winsxs folder. All are similarly inaccessible when Action options are tried, though I can open the winsxs folder… just can’t do anything with the “infected” files in Avast. (It is critical to note that these two machines share the same router to connect to the internet, but that they do not talk to each other.) Similarly, all scans with several utilities are negative for infections. No infections were found by Avast or any other scan utility after these isolated instances.

I find it highly unlikely that two machines that are inaccessible by/to one another and are used for entirely different tasks/roles/browsing would contract a rootkit within 24 hours of one another. When I came back from vacation on the 15th, I booted the PC first, and then the lappy a bit later, so I’m wondering whether the virus definitions (which the machines updated within hours of one another) in a particular update might have caused Avast to somehow flag the referenced files on each computer as rootkit-related.

I would feel more secure if others could possibly corroborate my theory, or otherwise suggest a cause/solution for this. I don’t want to take any extreme action on either machine if there is a reasonable chance that there is no problem to solve.

Thank you in advance.

Welcome to the forums masi,

If possible, please submit any of those detected files to VirusTotal and provide a link to the analysis report so we could see if it was really a false positive, or perhaps, a maliciously infected file.

On a side note, you seem to have quite a deep vocabulary. :slight_smile:
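As an added example (not code from anyone in this thread), the check below does what the reply above asks for: it computes the SHA-256 of each file Avast flagged (VirusTotal's `/file/<sha256>/analysis/` links are keyed by that hash) and verifies the Authenticode signature, which for win32k.sys and afd.sys copies in winsxs should be a valid Microsoft signature. The `$paths` entries are placeholders to replace with the paths shown in the Avast log; .NET hashing is used because Get-FileHash does not exist on the PowerShell 2.0 that shipped with Vista and Windows 7.

```powershell
# Added example: hash and signature-check files an AV scanner flagged in winsxs.
# A valid Microsoft signature on a Windows system file is strong evidence of a
# false positive; a missing, invalid or non-Microsoft signature warrants a
# closer look. $paths is a constructed placeholder list, not from the thread.
$paths = @(
    'C:\Windows\winsxs\<folder-from-avast-log>\win32k.sys',
    'C:\Windows\winsxs\<folder-from-avast-log>\afd.sys'
)

function Get-Sha256Hex([string]$Path) {
    # .NET SHA-256 so this also works on PowerShell 2.0 (no Get-FileHash there).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Not found (check the path copied from the log): $p"
        continue
    }
    $hash = Get-Sha256Hex $p
    $sig  = Get-AuthenticodeSignature -FilePath $p
    # One row per file: hash for VirusTotal lookup, signature status and signer.
    New-Object PSObject -Property @{
        File      = $p
        SHA256    = $hash
        SigStatus = $sig.Status          # expect 'Valid' for genuine system files
        Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        VTLookup  = "https://www.virustotal.com/file/$hash/analysis/"
    }
}
```

Run it from an elevated PowerShell prompt, since winsxs subfolders are not readable by a standard user; the VTLookup column gives the report URL to paste into the forum, and a file VirusTotal has never seen can be uploaded from its web page instead.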

Thank you very much for your reply, and for the link. I’m not at home at the moment, but I’ll try to do as you suggest. (I can do it for the PC, but sadly I lost the log for the lappy when I had to uninstall Avast to run other virus software. I do still have all the files in the “affected” folder, though. Can I submit them all?) Am I correct in assuming that doing so will be just a matter of going into the winsxs folder and copying the files to VT? I’m just not at all familiar with VT.

Once again, the more I think about this, the coincidence of this incident with definition updates, and the fact that these two machines do not talk to each other, seem to point less to an actual infection and more toward some anomalous event: the definitions update.

(Oh, and I should add that Avast says the files in question are “hidden”, but when I mouse over the files in the log, their entire paths show. I’ll have to look again at home, but I’m unclear as to how to submit the files to VT.)

I should also like to clarify that I am still using Avast on the PC, and may return to it on the lappy once I’m satisfied that this incident was the result of an update issue rather than an actual infection.

Thank you again.

Hello again…

Here are the URLs for the eight files that I had scanned. Several files had been previously scanned, as noted below. Results were negative for infection. So I suppose I now have more compelling evidence to respectfully suggest that this incident was a false positive.

These files, incidentally, are from the PC. As stated earlier, I sacrificed the log from the lappy when I had to uninstall Avast from it. There were a few more suspect files on that machine, but all from the same (winsxs) folder, so I suspect I’d have obtained the same results from scans.

Hope this helps:

  1. https://www.virustotal.com/file/cdc939de9bea350244233edc41c66db735db0b56c2fcef4c00b8060d6c971a20/analysis/1330119175/
     (NOTE: file had been previously analyzed)

  2. https://www.virustotal.com/file/6199209979931c7436b8ca2379a87dd301627d6cb31e37b344175334bd44d07d/analysis/1330119645/

  3. https://www.virustotal.com/file/3a4051654d25e27db211af3e2809c2966a176507b882065797888e517b98f9d9/analysis/1330119855/
     (NOTE: file had been previously analyzed)

  4. https://www.virustotal.com/file/848bcb36551632e591f4e0376dd70927b57472e3462858df8389972e7f091541/analysis/1330120035/

  5. https://www.virustotal.com/file/a4a0b2acbfe311c20ef9f06a49dbe02ce90433c2364b292f6e8f78f6c274df88/analysis/1330120347/
     (NOTE: file had been previously analyzed)

  6. https://www.virustotal.com/file/5d38ca0d6006d13afc28f525a0051de2f1515a3222bb65c5d1be6bc05da4b0c1/analysis/1330120533/

  7. https://www.virustotal.com/file/83f963d7e636532b1ad30b1e727ec429317ca540f6eb3bb268fcc0b163b67767/analysis/
     (NOTE: file had been previously analyzed)

  8. https://www.virustotal.com/file/4d6088362a6c7b99f394754073426e630003d6f2f3a0419763a2288320bae3fa/analysis/1330121050/

Well yes… A few days ago I had Comodo as an FP, and to date I have Rapport software flagged as a trojan… Strange…

It, indeed, appears to be a false positive. But what’s odd is that it only happened on your PC. avast’s scan results in VirusTotal did not return any malware alert.

All I could think for now is that this incident could just be a hiccup in your PC–probably detected by the behavior shield. Does the alert still persist up to now or was it just a one-time only incident?

Thanks for replying. :slight_smile:

Actually (maybe I was not clear above), it happened on my PC and lappy, within hours of each other, the common denominator being Avast, the update, the internet connection, and subsequent scan. This was indeed a one-time occurrence. Neither Avast, Kaspersky, Malwarebytes, Defender, MMSRT nor any other utility has thrown any alerts since this isolated incident on two machines that do not talk to each other and see different traffic. The logic suggests that it has to be something to do with that day’s definitions update.

Also, I am given to understand that, in order to be of any use to an attacker, rootkits have to be installed on machines that have been compromised at the Admin level. We use those machines on subordinate accounts only, so I’m having trouble seeing how both machines could have been compromised at the Admin level in spite of the fact that both machines use the same internet connection. On top of that, each user on each machine would have had to visit the same site and take the same action. That’s another argument against an actual rootkit infection.

Summing up, since this was an isolated case (and a problem with definitions seems improbable because no other users have reported cases similar to this), the only probable cause as of now is a heuristic false positive.

Heuristic scanning engines work on the principle that viruses will usually use certain "tricks" or methods of infecting, and therefore if a program looks like it might be using those tricks, there is a possibility that the program is a virus.

Since heuristics is a hypothetical detection, false positives may occur. And this might be the case. A sudden unexpected behavior of the files in the WINSxS might have triggered avast’s heuristics to throw an alert.

Ah, I see what you’re saying… makes sense in that context!

Thanks very much for taking the time and effort to assist… very much appreciated. Learn something new every day. :slight_smile:

Either way, I learned from you as well.

Should there be any other inquiries, feel free to post in the forums. :slight_smile:

Thank you once again! :slight_smile: