OMG Issues with Avast 7 on x64 - False Positive Rootkit?

I have a potential disaster on my hands. I upgraded my desktop (Win 7 Pro x64) to Avast 7 Free a few days ago, and almost immediately, it reported a rootkit. The screen that popped up cut off the name and location of the rootkit. I let it delete and boot time scan, and the boot time scan reported nothing, but there was absolute mayhem on my system…many things no longer worked. I was going to restore, but discovered all of my restore points were wiped out. To reimage would require media I didn’t have…I got that machine from Office Depot on sale, and apparently they had upgraded the machine from Home Premium to Pro, and sold it to me as Pro, while what was on the recovery partition was Home Premium. I have a fledgling online business that requires daily attention, so I couldn’t be down, and went and bought a brand new laptop (Win 7 Home Premium x64) yesterday and spent all of last night getting it set up, which included installing a paid version of Avast 7 (full suite). This morning, after using for about an hour, up pops the same rootkit notice, again unreadable. I let it do its thing, and am not yet sure if there’s mayhem on this machine, too. I haven’t even had time to make the system disks, and this one has no restore partition, so if I’ve got damage here, too, I may just have gone out of business. I can’t find the Avast log files to get more information. The single point of contact between these machines is the files in my Dropbox, which I scanned thoroughly using a third machine with Avast 7 before touching it with this new laptop, and it scanned as clean.

Any clue what I should do next?

Update - Trend Micro Housecall just finished running and says everything is clean.

Keter.

Essexboy, the Avast! specialist for malware removal, has been notified. You can follow this guide and do as much as you can.

http://forum.avast.com/index.php?topic=53253.0

Attach logs for Malwarebytes, OTL, and aswMBR.exe. Just wait.

Will do, thanks. Malwarebytes Pro run on the other affected machine showed clean. So far, about 2/3rds finished, Malwarebytes Free is finding nothing on the new machine.

Monitoring ;D

I was trying to place the post in the correct forum according to the instructions I was given (Viruses) but it now seems to have gone even farther AWOL (no clue how that happened) and is in http://forum.avast.com/index.php?topic=96894.0. I will copy and repaste here with updates.

I have a potential disaster on my hands. I upgraded my desktop (Win 7 Pro x64) to Avast 7 Free a few days ago, and almost immediately, it reported a rootkit. The screen that popped up cut off the name and location of the rootkit. I let it delete and boot time scan, and the boot time scan reported nothing, but there was absolute mayhem on my system…many things no longer worked. I was going to restore, but discovered all of my restore points were wiped out. To reimage would require media I didn’t have…I got that machine from Office Depot on sale, and apparently they had upgraded the machine from Home Premium to Pro, and sold it to me as Pro, while what was on the recovery partition was Home Premium. I have a fledgling online business that requires daily attention, so I couldn’t be down, and went and bought a brand new laptop (Win 7 Home Premium x64) yesterday and spent all of last night getting it set up, which included installing a paid version of Avast 7 (full suite), other utilities I use, and starting to remove OEM installed crapware.

This morning, after using the new laptop for about an hour, up pops the same rootkit notice, again unreadable. I let Avast do its thing, and am not yet sure if there’s mayhem on this machine, too. I haven’t even had time to make the system disks, and this one has no restore partition, so if I’ve got damage here, too, I may just have gone out of business. I can’t find the Avast log files to get more information. The single point of contact between these machines is the files in my Dropbox, which I scanned thoroughly using a third machine (Vista, 32-bit, identical access to the Dropbox account) with Avast 7 before touching it with this new laptop, and it scanned as clean.

I had Malwarebytes Pro on the desktop system, and it said everything was clean. I downloaded and ran Malwarebytes (full trial) on the laptop, and it also reports clean (log attached).

Avast does not like OTL. It wants to put it into the sandbox. I forced it to run normally. Logs are attached. Ran aswMBR.exe, log attached.

===

Sorry, I’m not sure what happened… I posted originally in General because I wasn’t sure a possible false-positive rootkit issue belonged in with viruses and trojans. Following reading the instructions post you linked me to, I thought I copied, updated and reposted in the viruses forum with the logs attached. Now apparently the post is in the avast! Distributed Network Manager forum… ???confused???

The only new behavior I have to report is that 8 more Windows updates popped up last night and took an astonishing 2 hours to complete and shut down. This is a brand-new Toshiba Satellite L775D-S7132, on which I have installed only Avast, Advanced System Care, Firefox, Pokki (utility toolbar), Skype, Malwarebytes, and the diagnostic utilities mentioned in the instruction email. All but the diagnostic utilities are “old friends” that I use on my other two systems, including the Vista x86 box that has remained unaffected. Sometimes this new laptop runs like a Pentium 2 with 512MB of RAM.

One other symptom: I noticed this morning that some shortcut icons have disappeared, replaced with just the default icon. I noticed this same behavior on my x64 desktop following the “rootkit” removal. The more I think about this, the more I think that there never was a rootkit on either machine and that the new Avast is misidentifying files vital to x64 systems. I hope I am wrong. I’ve been an Avast user and advocate for many years.

I run Win7 64-bit and have received no alerts.

This is what Avast was concerned about:

20:00:06.557 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 15099 MB offset 1219340288

This is a hidden partition on your hard drive; the 17 indicates that it is most probably the TDSS file system boot sector. I would like to get a second opinion on it, as it is about 100 times larger than normal.

Download the latest version of TDSSKiller from here and save it to your Desktop.

1. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

3. Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

4. If a suspicious object is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents in your next reply.

A couple of other items:

I just ran Kaspersky’s TDSS Killer with all options enabled and it found nothing.

I installed a piece of software that I wanted to try (I’m trying to find an easy and relatively competent web site creation program for a friend), EzGenerator 4, on the desktop computer and it would not run…it would start and then mysteriously disappear with no warning before I could do anything with it. I just installed it on this laptop, and guess what? Up pops Avast and kills it. (I got no such warning on the desktop, but the duration between warning and killing the program looks identical). I tried to set it such that it would run in the sandbox, but Avast still killed it. I forced Avast to let it open normally, and the program opened with no problem. SO…it looks like what was making me think I might have had some sort of infection on the desktop actually was Avast killing my programs but failing to put up the popup as it did on the laptop.

For clarification, I found TDSS Killer on my own a bit earlier and ran it as shown in your post, Essexboy. :slight_smile:

What can you tell me about that partition? Did you hide it?

Also, set the avast autosandbox and behaviour shield to Ask; you will then get the choice as to whether to run it or not.

Could you attach the TDSSKiller log?

I have done nothing on either affected machine with partitions. The desktop computer has a D: partition for system recovery, created by HP, the OEM, and I have literally never done anything with it except look at its contents. The laptop, the one I’m currently providing log files from, has no partition at all.

Arrgh…“autodecide” setting not in the main settings configuration. Now I gotta check each module to see what else is hiding.

I couldn’t find a log file from the earlier run, but I re-ran it and was able to get a “report” from this run which I copied into a text file. I think this is the same thing. If not, can you give me a hint where to look or what name to look for?

Here you go: behaviour shield first, and then autosandbox.

And sandbox

Thanks. I found the first autosandbox setting on my own, but not the second. Interesting… I can’t wait to apply this to my desktop computer to see how much it revives.

A lot of the decision making that Avast does is based on the frequency of the programme’s use, digital signature, where it came from, etc.

So if it is an old programme that very few people use, it will be viewed with suspicion until either it has a better handle on it or you confirm it is safe. But remember this is a double-edged sword: if you told it that Virut was safe, it would still block it, but probably not until after some damage was done.

I’m a very low risk user - I don’t surf weird places, I don’t do torrents or crack-ware, I’m the only user on the machines I use for business and do not network these computers together such that the only points of contact between machines are Dropbox, Skype, Xmarks and LastPass. But I also have to be very sure that I’m not infected because I provide simple electronic games in standalone .exe files. My intention was to let this laptop be my general use machine so I could dedicate the desktop entirely to production work, isolated from any potential sources of contamination outside of Dropbox. The Vista box is not a candidate because my husband uses it and he’s not all that savvy. So my little business is offline until I have a for sure resolution to this.

The hidden partition thing has thrown me for a loop…I have no idea where that might have come from. Right now, I’m poking a stick at Advanced System Care, which also has recent new version with a greatly expanded suite of utilities. Might it have created a partition for its own use? I know it creates restore points that don’t seem to show up in the normal system restore points.

These are the partitions found by aswMBR:

20:00:06.401 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
20:00:06.525 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 593880 MB offset 3074048
20:00:06.557 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 15099 MB offset 1219340288

The first, 80 (A) 27, is the active partition and legit: the recovery console of Vista/7.

27: Windows RE hidden partition. On MBR disks, type 0x27. On GPT disks, GUID DE94BBA4-06D1-4D40-A16A-BFD50179D6AC. A hidden version of a Windows RE type 0x7 partition with NTFS. When this is installed, reboot and press F8 in order to boot into this Recovery Environment.

The second, 00 07, is the Windows partition that you boot to.

07: Windows NT NTFS. Filesystem introduced in Windows NT 3.1.

Now the third one is curious; up until now I have only seen this in its hidden form with TDL4, although the normal max size is 10Mb. So do you have either Unix or Linux on this partition?

IFS, which can be OS/2's HPFS, Windows NTFS, Advanced Unix or QNX2.X (pre-1988). Type 0x07 is not hidden and type 0x17 is hidden.
IFS = Installable File System. The best known example is HPFS. OS/2 will only look at partitions with ID 7 for any installed IFS (that's why the EXT2.IFS packet includes a special "Linux partition filter" device driver to fool OS/2 into thinking Linux partitions have ID 07).
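To make the partition-table reading above (and the earlier note about the type 17 entry) concrete, here is a small MBR decoder. It is an added example, not code from aswMBR, Avast, or anyone in this thread: it reads the four 16-byte entries at offset 446 of a 512-byte sector, decodes the boot flag and type byte, converts the sector count to MB, and flags the hidden types. Types 0x07, 0x17 and 0x27 are the ones discussed here; the other IDs in HIDDEN_TYPES are the standard "hidden" variants of DOS/Windows filesystem IDs (base type plus 0x10), an assumption beyond what the thread quotes. The sample sector is constructed so that its three entries reproduce the aswMBR lines posted above, including the fact that partition 2 ends exactly at partition 3's offset.

```python
"""Decode a 512-byte MBR sector and flag hidden partitions.

Added example, not aswMBR or Avast code. SAMPLE_MBR is constructed so
its three entries match the aswMBR output quoted in the thread; the
CHS fields are left zero, which real disks also commonly do for LBA-only use.
"""
import struct

SECTOR_BYTES = 512
TABLE_OFFSET = 446          # the four partition entries occupy bytes 446..509
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"     # boot signature at bytes 510..511
ENTRY_FMT = "<B3sB3sII"     # boot flag, CHS start, type, CHS end, start LBA, sector count

# Type IDs that appear in the thread (subset of the DOS partition-type list).
TYPE_NAMES = {
    0x07: "HPFS/NTFS",
    0x17: "Hidd HPFS/NTFS",
    0x27: "Hidden NTFS WinRE",
}

# "Hidden" DOS/Windows filesystem IDs are the base ID plus 0x10 (0x07 -> 0x17, etc.);
# 0x27 is the hidden Windows RE type. This set is an assumption beyond the thread.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}


def build_entry(bootable, ptype, start_lba, sectors):
    """Pack one 16-byte MBR entry (little-endian; CHS fields zeroed)."""
    boot_flag = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FMT, boot_flag, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


def build_mbr(entries):
    """Assemble a sector: zeroed bootstrap area, up to four entries, signature."""
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\0")
    return (b"\0" * TABLE_OFFSET) + table + SIGNATURE


# Constructed sample: sizes from the thread's aswMBR lines, in 512-byte sectors
# (1 MB = 2048 sectors). 3074048 + 593880*2048 == 1219340288, so partition 2
# ends exactly where partition 3 begins.
SAMPLE_MBR = build_mbr([
    build_entry(True,  0x27, 2048,       1500 * 2048),    # WinRE, active
    build_entry(False, 0x07, 3074048,    593880 * 2048),  # Windows system volume
    build_entry(False, 0x17, 1219340288, 15099 * 2048),   # hidden IFS partition
])


def parse_mbr(sector):
    """Return one dict per in-use entry. Raises ValueError on a malformed sector."""
    if len(sector) != SECTOR_BYTES:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + i * ENTRY_SIZE: TABLE_OFFSET + (i + 1) * ENTRY_SIZE]
        boot, _chs_start, ptype, _chs_end, start_lba, sectors = struct.unpack(ENTRY_FMT, raw)
        if ptype == 0x00:
            continue  # empty slot
        parts.append({
            "index": i + 1,
            "bootable": boot == 0x80,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "unknown type"),
            "hidden": ptype in HIDDEN_TYPES,
            "start_lba": start_lba,
            "sectors": sectors,
            "size_mb": sectors * SECTOR_BYTES // (1024 * 1024),
        })
    return parts


def hidden_partitions(parts):
    """Entries an analyst should reconcile against the OEM's documented layout."""
    return [p for p in parts if p["hidden"]]


def format_entry(p):
    """One line in the spirit of aswMBR's listing."""
    flag = "80 (A)" if p["bootable"] else "00"
    return (f"Partition {p['index']} {flag} {p['type']:02X} {p['name']} "
            f"{p['size_mb']} MB offset {p['start_lba']}")


if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(format_entry(p))
    for p in hidden_partitions(parts):
        print(f"hidden partition {p['index']}: type 0x{p['type']:02X}, "
              f"{p['size_mb']} MB; compare with the vendor's documented recovery layout")
```

The decoder only reports what the table says; it cannot tell a vendor recovery partition from a hidden filesystem planted by a bootkit, which is exactly why the next step in the thread is to check the laptop model's documented partition layout before acting on the 0x17 entry. Feeding it a real disk means reading the first 512 bytes of the physical device with administrator rights and passing them to parse_mbr.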

I don’t do anything with Linux or Unix.

Are you utilising the backup function in Advanced System Care?

Although I cannot find much information about that element.

Also, what is the make of the laptop? I can then see if there is a hidden recovery partition, which might fit those parameters.

I did end up with a Mac file (which I think is a version of Unix?) in my Dropbox over a year ago when a client put one in there, but I disconnected from that shared Dropbox after the project was completed. I don’t recall using any programs ported from either of these OSes, with the possible exception of GIMP, which I think started on Linux (not sure, but I first saw GIMP on a friend’s Linux machine).

I am using the backup software (can’t remember the name, maybe Paragon?) that came with a Western Digital external HD on the desktop. I have not set up backup on the laptop yet as I don’t yet have a backup drive for it. I don’t use Advanced System Care to do backups, but it does create restore points for many of the things it does, as mentioned previously. The laptop is a Toshiba Satellite L775D-S7132. http://us.toshiba.com/computers/laptops/satellite/L770/L775D-S7132