Hi everybody, at my brother's, after he tried to connect to a server (Call of Duty United Offensive), avast popped up with two files as hidden rootkits (it said that the recommended action is to delete them and that they can be malicious). It was a red window (not a “virus detected”-like one). I deleted the “Hidden rootkits”.
I take it that this was part of the anti-rootkit scan?: “A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis.”
So it normally advises do nothing unless it is certain it is a rootkit.
Punk Buster’s PnkBstrB.exe & PnkBstr.sys are part of their anti-cheat function so are likely to be legitimately hidden.
Well as far as I’m aware avast doesn’t delete registry entries in isolation, if a detection is made and you select delete, etc. then and only then would it go to the registry for associated registry entries.
So I really don’t know what is going on as the resident shield doesn’t do a rootkit check, so the detection would have to be by signature. In which case you need to confirm the detection and submit to avast if an FP.
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder.
If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.
In the meantime (if you accept the risk), add it to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.
I don’t know what you mean by “Err… is this method enough?”
Do nothing doesn’t allow it to run, it just doesn’t take any action, move to chest, delete, etc.
Personally I don’t believe using the “Do not warn me again” option is a wise one (in general terms) as I don’t know if there is a way to subsequently reverse that option.
But do yourself and other avast users a favour and upload the files to virustotal and confirm or deny the detection and if it is a false positive submit the samples to avast for analysis.
They can then correct the detection in the virus signatures (if it is a false positive) benefitting all avast users that are using punk buster. That is why I went to the trouble of giving the full instructions, to not just help you but other avast users.
I don’t use any gaming software so haven’t got punk buster to check it, not to mention I’m just another avast user like yourself.
OK but I can exclude only FOLDERS from the scan, I tried it, but PunkBuster is located in Windows/system32/…
I repeat: avast! detected this as a hidden rootkit, NOT AS A VIRUS.
OK, but I’m 13; if gaming is not fun for me I go to write programs, but if I haven’t got ideas I must play games. I have a 6-year-old computer (Windows XP runs 3 years ago) and my computer’s processor is 1.83GHz, so I can’t play Call of Duty 4 or something like this.
Or if I set the folder, write PnkBstrB.exe after the path name?
Change the * at the end of the path when you have selected the folder and change * to \PnkBstrB.exe then repeat the process adding another exclusion and this time \PnkBstr.sys at the end.
File has already been analysed:
MD5: 194b04ad84a4ff7e10188039451221d5
First received: 2007.12.31 18:34:29 UTC
Date: 2009.03.10 21:21:26 UTC [>428D]
Results: 0/39
Permalink: analisis/a77e67df59722ca56c8a65fc60022ddaf2f35101a7c6161be4656bdc247ee7ba-1236720086
Yesterday, avast! didn’t pop up with this “Hidden rootkit” problem. It could be a fresh database error or something like this; now avast! doesn’t pop up. I need to reinstall PunkBuster at my brother's.
DavidR, an avast! Überevangelist, has his system information in his signature, so you could go to PROFILE then Modify Profile then Signature: and put information about your system, just like my signature, so that the helpers can offer pertinent advice.