avast 2014 finds Rootkit - is this a FP?

infected file name = c:\avast! sandbox\S-1-5-21-27103323430-3931005909…\sfzone\c\Users\Mycomputer\AppDta\LocalTemp.…\ChromeRecovery…

There's also other path names ending with 25RBXOp+.exe.part, GoogleUpdate,Setup.exe, … avast gives the option to delete but I'm going to move to the chest and run a scan with VirusTotal. If I move to the chest, how do I find the file to submit for a scan with VT so I can submit a post here?

Attempted to move to chest but the result says "The request is not supported (50)"

So I guess I'm left to select "repair" - it worked

Where do I go to find these files? I'm not seeing them.

Can somebody tell me where these files would be located on my PC? I do not see any folder/file starting with c:\avast! … And when selecting "repair" after an infection is found, what does that do exactly?

"c:\avast! sandbox" means the files were there when you were using the Sandbox.
If you close the sandbox, the files will be deleted.
They don’t exist outside the sandbox.

A repair does exactly what it says. It repairs a file.
E.G. if a virus attaches itself to a legitimate file, a repair will remove the virus from it leaving the original legitimate file as it should be.

Let's say your hair is 10mm long (=original file) but it grows to 15mm (=infected file).
A repair cuts off the extra 5mm (=the infection), leaving you with the length you want (=clean, original legitimate file).

I've only ever downloaded any updates directly from the Google Chrome settings, so I doubt this was a true infection. Did avast think this was an infection because the files were hidden from the system and in the sandbox location? I'm still puzzled because wouldn't terminating or clearing the sandbox storage destroy these files? I do this every time. … How do I find these files to scan them with VT?

As I said, the files only existed within the Sandbox. Since they are not there anymore, you can't submit them to VirusTotal (or any other site).

Understood. How would I have a rootkit in my system if I close and always terminate all sandboxed sessions after using any application sandboxed?

I suspect it was just a false positive.

You don't have a rootkit in your system. Avast detected a file in a protected environment that couldn't harm the system. Sometimes the system is clear, but, for example, a few months ago there were viruses, and they are now present in System Restore points. The virus is inactive, but the AV that scanned the restore points found the virus. Hope you now understand.

Or it was a FP :)