Rootkit after Windows Update?

Hi,

I’ve just got a rootkit alert seconds after Windows Update completed installing KB2735855 (System update), KB2736233 (ActiveX), KB80830 (Malware removal) and KB915597 (Definition Updates).

I said “ignore”, and then proceeded to reboot the computer to finish the updates.
I suppose it was a false positive? I’m fairly sure my OS is clean.

Also, I can’t seem to find any log of this detection to post here…

What’s your OS?
Just finished Windows Update on my XP SP3 with no issues or alerts. :slight_smile:

Windows 7 Professional SP1 (x64)

EDIT: Just finished a quick scan with 0 detections. Avast, what’s gotten into you? :stuck_out_tongue:
I suppose a full system scan wouldn’t be necessary to detect an active rootkit?

If you are concerned, you could do a ‘Boot Time Scan’ (never hurts), although I believe Avast scans for rootkits several seconds into boot. :slight_smile:

Oh well, I think I’ll pass, these full scans take forever. :stuck_out_tongue:

Everything in this computer is always up-to-date, and I know what I’m doing (computer science undergraduate), so I’m guessing avast’s heuristics got confused there somehow…

Avast does a rootkit scan 8 minutes after boot, so basically it depends on how many times you switch your system on.

Every day. I don’t keep it on at night.

Is there a place where I can see the history of detections? I can’t seem to find that detection logged anywhere…

I guess it’s aswAr.txt in the log folder.

aswAr.log is already replaced with a newer version, with 0 detections… :frowning:
aswAr.txt, I can’t find this one. I suppose you confused the extension?

I have a theory here:

avast Anti-rootkit was running at the EXACT same time as Windows Update replaced a critical file. avast AR asked Windows what file was supposed to be running, but because WU just changed it, it read a different file and that triggered the alert.
Now it doesn’t trigger anymore because the new file is already registered.

Is that possible?

Yeah, sorry!

If in doubt, try a simple full system scan. It won’t take long and the rootkit scan will be “deeper”.

This update might be the reason for the false alert: http://support.microsoft.com/kb/2735855 (Windows Filtering Platform Update for Windows 7), because Avast Web Shield uses Windows Filtering Platform. At least I think so.