Avast! internet security found 3 rootkits

Hello,

In a full Rootkit scan, AIS found 3 rootkits. I’ve clicked the “remove” button, or whatever it’s called, and avast showed a message that a boot scan is recommended, so I’m running a boot scan right now.
Should this be enough, or will the rootkit still be active or something?

Thanks for your reply!

Well, deletion/removal isn’t a good first option; once you do that you have none left. Before you do that you should be 100% sure that what has been detected is a rootkit.

What were the file names and locations of those detections?

I’ve already deleted the rootkits, locations are:
C:\## aswSnx private storage\webStorage\image\Windows\SysWOW64\FlashPlayerCPLApp.cpl
C:\## aswSnx private storage\webStorage\image\Windows\SysWOW64\Macromed\Flash\FlashUtil10t_Plugin.exe
C:\## aswSnx private storage\webStorage\image\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

Thanks in advance for your help!

They are located in the avast sandbox private storage, so it is somewhat strange that avast thinks these are rootkits.

Did you recently update Flash Player?

If so, did the AutoSandbox pop-up suggest that you run this in the sandbox?
I believe this to be the likely scenario: you ran that in the sandbox rather than electing to run it normally?

Essentially there is no downside to having deleted these, other than that you probably still have an old version of Flash Player installed, as the sandbox installs it virtually and not on the system, to effectively test whether it is malicious.

I did not recently update Flash Player; I only do that when YouTube requires an update.
As far as I know, avast did not ask to run Flash Player in the sandbox.

Was this a false-positive and nothing to worry about?

Thank you!

Yesterday during a scan avast! found what it identified as a rootkit on my x32 computer. It was located in c:\Windows\Prefetch. That will teach me for not cleaning my computer when I am done using it. :slight_smile: :slight_smile:

avast! took care of it and recommended a boot scan, which I had it do, and everything came up fine.

Got to remember to continually clean all those temporary file locations. :slight_smile: :slight_smile:

OK, it may just have been that you were running your browser sandboxed and during a session Flash Player was used?

If this ‘full’ rootkit scan was part of a custom scan (not the one 8 minutes after boot), it might just be that it is more sensitive/thorough than normal. So I honestly can’t say if it is an FP; it is most certainly strange, as I wouldn’t have expected these files to be considered rootkits.

This, however, may happen if you happened to be running your browser sandboxed at the time of the rootkit scan; then I believe these executable processes would effectively be hidden (in the sandbox private storage) from the normal Windows APIs and look like rootkit activity. That is my best guess as to why they might have been considered rootkits or as displaying rootkit behaviour.