False rootkit alert?

A week ago Avast reported a rootkit found in /system32/drivers/nvatabus.sys (one of the nForce chipset drivers). It was apparently unable to delete or do anything to it. Boot time scan didn’t find any rootkits.

I booted the computer into Linux and sent the driver file to Virustotal - no reports of malware.

aswMBR displayed the driver module as suspicious and showed some other information related to it. The logfile can be found here:

http://pastebin.com/Ug3UYviY

I also used some other tools including GMER, GMER’s MBR tool, TDSSkiller, Combofix and Rootkit Unhooker but none of them found anything rootkit-related.

Yesterday I used the computer again. Avast updated the definitions and didn’t show alerts anymore. aswMBR still marks the file as suspicious but it seems that it hasn’t been updated.

@ormu
Ignore the previous advice if you saw it before its removal.

  • This needs further analysis by a malware removal specialist:
    Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.

No need to repeat the aswMBR.exe, though you could attach the log file and proceed with the OTL scan.

####
There is a possibility that this is a false positive detection, given what you said about having checked it at VirusTotal (VT). If you can, re-scan this file at VT and post the link to the VT Results page.

When is this detection happening?
If around 8 minutes after boot, that is the anti-rootkit scan.

Send the sample to avast as a possible False Positive:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form, a link to this topic wouldn’t hurt and submit, the file will be uploaded during the next update.

EDIT: added the images I forgot to attach.

There is a high probability it is an FP as VSDant is also present (ZA) and that does mask some files.

But an OTL scan will show anything untoward.

Thanks, I’m pretty sure that these alerts started after updating Zonealarm. But now that Avast has updated its definitions it doesn’t alert anymore.

As DavidR thought, those alerts are made by the anti-rootkit engine. I checked the daily antirootkit logfile and there was some information about it. I can’t remember what it exactly said but it was mostly the same as aswMBR’s results.

I can’t send the sample from the chest because Avast did nothing to the file. Scanning the drivers folder manually or doing a boot time scan didn’t find anything related to that file or rootkits. (Actually the alert is about the kernel module, not the file itself, at least in aswMBR’s results.) The file is visible in that folder, not hidden or anything. I sent it to Avast via email. I also scanned the folder with MBAM and it didn’t find anything either.

I can’t re-send the file to Virustotal or scan with OTL now but I already checked the Combofix log, which contains pretty much the same information, and there wasn’t anything suspicious. None of the scanners in Virustotal reported malware.

You can manually add the file to the chest (as per the instructions), it just sends a copy there, the original remains in place.

What is the recommended option that is given, Delete or Ignore? (Always choose Ignore in this instance until fully analysed.)

I don’t know if the Advanced option will allow for it to be reported as an FP in your alert window?

Deleting is the default option but it did nothing.

Well, deletion (even if it were to work, probably being blocked) isn’t a good first option and should only be undertaken after investigation.

So as I said, you should continue to select Ignore. Each time that you do that I believe the information is passed via the CommunityIQ feature to avast; have you been doing that?
Hopefully that would result in this being analysed and corrected.

Does it allow for it to be reported as an FP in your alert window (advanced)?

Hm, I can’t remember if there was an option for reporting but there are no alerts anymore. I also checked the scheduled anti-rootkit log and there wasn’t anything either. So probably it has been already fixed.

Edit: I sent the file to Virscan.org and Jotti again (Virustotal is laggy as hell right now) and nothing was found.

The avast CommunityIQ function may well be reporting this alert information back to avast for collation and analysis. If found to be incorrect or they also receive reports on the detection from users, that could result in the detection routine being modified.