In a full Rootkit scan, Ais found 3 rootkits. I’ve clicked the “remove” button, or whatever it’s called, avast showed up a message that a bootscan is recommended, so I’m running a bootscan right now.
Should this be enough, or will the rootkit still be active or something?
They are located in the avast sandbox, private storage, so it is somewhat strange that avast thinks these are rootkits.
Did you recently update flash player ?
If so did the AutoSandBox pop-up suggest that you ran this in the sandbox ?
I believe this to be the likely scenario and you ran that in the sandbox, rather than electing to run normally ?
Essentially there is no downside to having deleted these other than you probably still have an old version of flash player installed, as the sandbox installs it virtually and not on the system to effectively test if it were malicious.
I did not recently update flash player, I only do that when Youtube requires to do an update.
As far as I know, Avast did not ask to run flash player in the sandbox.
Was this a false-positive and nothing to worry about?
Yesterday during a scan avast! found what it identified as root-kit on my x32 computer. It was located in c:\Windows\Prefetch. That will teach me for not cleaning my computer when I am done using it.
avast! took care of it and recommended a boot-scan which I had it do and everything came up fine.
Got to remember to continually clean all those temporary file locations.
OK, it may just have been that you were running your browser sandboxed and during a session flash player was used ?
If this ‘full’ rootkit scan was part of a custom scan (not the one 8 minutes after boot) it might just be that that is more sensitive/thorough than normal. So I honestly can’t say if it is an FP, it is most certainly strange as I wouldn’t have expected these files to be considered rootkits.
This however, may happen if you happened to be running your browser sandboxed at the time of the rootkit scan, then I believe these executable processes would effectively be hidden (in the sandbox private storage) from the normal windows APIs and look like rootkit activity. That is my best guess as to why they might have been considered as rootkits or displaying rootkit behaviour.