Rootkit Heuristics

Hey, I need some advice. All of a sudden, after an update and a thorough scan, Avast rootkit heuristics detected over 200 system files as potential hidden rootkits. Is this even possible? Is it over-sensitive heuristics at work? I have submitted the samples for analysis. What do you all think?

An update of what?

Please provide some examples of the file names and their locations, e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (C:\Program Files\Alwil Software\Avast4\ashLogV.exe), Warning section, this contains information on all avast detections.

You could also check some of the offending/suspect files at VirusTotal (multi-engine on-line virus scanner) and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

I did a rescan and here are some of the infected files:

C:\WINDOWS\system32\CONFIG.TMP\systemprofile\Local Settings\Temp\RtkBtMnt.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\CONFIG.TMP\systemprofile\Local Settings\Temp\RtkBtMnt.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\CONFIG.NT\systemprofile\Local Settings\Temp\RtkBtMnt.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\CONFIG.NT\systemprofile\Local Settings\Temp\RtkBtMnt.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\3\Brlfx05a.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\2\ppbiUif.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\2\ppbiNT.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\ppbiNT.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\ppbiUif.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\pport_res.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolsv.exe\prtprocs\w32x86\ppbiPr.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\3\Brlfx05a.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\2\ppbiUif.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\2\ppbiNT.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\ppbiNT.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\ppbiUif.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\pport_res.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolss.dll\prtprocs\w32x86\ppbiPr.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN4401\AGRSM.sys [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN4401\agrsmdel.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN4401\AGRSMhom.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN4401\AGRSMMsg.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN4401\agsetup1.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN4401\agsetup2.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN4401\setup.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN5789\AGRSM.sys [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN5789\agrsmdel.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN5789\AGRSMhom.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN5789\AGRSMMsg.exe [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN5789\agsetup1.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN5789\agsetup2.dll [L] Rootkit: hidden file (0)

There are more, LOL.

What’s the exact build of avast! you have installed?

is this from the avast antirootkit standalone or from the one included in the antivirus?

Igor’s question is important: the latest version of avast is 4.8.1290. What version do you have?
If you don’t have this version do a manual program update, right click the avast ‘a’ icon, select Updating, Program Update.

The file names beginning AGR may be Lucent Technology files/drivers, so do you have a Lucent winmodem, etc. (Drivers for V.92/56k PCI Lucent winmodems.)

http://www.modem-drivers.com/drivers/48/48431.htm
http://spywarefiles.prevx.com/RRFBCD16313/AGRSMDEL.EXE.html
http://www.threatexpert.com/files/agsetup1.dll.html

I am currently using the recently updated build 4.8.1290 with VPS 081120-0. I do a full thorough system scan every week. And all of a sudden over 200+ potential rootkits popped up? Besides those listed files, I can list down some more:

C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\7.0.5000.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\7.0.5000.0__b03f5f7f11d50a3a\cscompmgd.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualC.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a\CustomMarshalers.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\Accessibility\1.0.5000.0__b03f5f7f11d50a3a\Accessibility.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\1.0.5000.0__b03f5f7f11d50a3a\System.Configuration.Install.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.Design.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\IIEHost\1.0.5000.0__b03f5f7f11d50a3a\IIEHost.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\ISymWrapper\1.0.5000.0__b03f5f7f11d50a3a\ISymWrapper.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\mscorcfg\1.0.5000.0__b03f5f7f11d50a3a\mscorcfg.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll [L] Rootkit: hidden file (0)
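As an added triage example (not from the thread, avast or any poster), this script parses lines in the format pasted above and in the earlier list, groups them by location, counts duplicated lines, and flags paths where a binary name such as spoolsv.exe appears as a directory component; since a file and a directory of the same name cannot coexist on NTFS, such a path points to a malformed report rather than a real hidden file. The sample lines are constructed here in the thread's format.

```python
import re
from collections import Counter

# Constructed sample in the format avast printed in the thread:
# "<path> [L] Rootkit: hidden file (0)"
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\3\Brlfx05a.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\ppbiNT.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN4401\AGRSM.sys [L] Rootkit: hidden file (0)
C:\WINDOWS\LAN4401\agsetup1.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll [L] Rootkit: hidden file (0)
C:\WINDOWS\assembly\GAC_MSIL\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll [L] Rootkit: hidden file (0)
"""

LINE_RE = re.compile(r"^(?P<path>.+?) \[(?P<flag>[A-Z])\] (?P<verdict>.+?) \((?P<code>\d+)\)$")
BINARY_EXT = (".exe", ".dll", ".sys")


def parse_report(text):
    """Return one dict per well-formed line; duplicates are kept so they can be counted."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def triage(hits):
    """Summarise a batch of 'hidden file' hits before trusting 200+ rootkit alerts."""
    by_dir = Counter()
    odd_paths = []
    seen = Counter(h["path"] for h in hits)
    for h in hits:
        parts = h["path"].split("\\")
        # Group by drive plus two directory levels, e.g. C:\WINDOWS\system32.
        by_dir["\\".join(parts[:3])] += 1
        # A .exe/.dll/.sys name in a *directory* position cannot coexist with the
        # real file of that name (names are unique per directory on NTFS), so the
        # path as printed cannot exist: the report itself is suspect, leaning FP.
        if any(p.lower().endswith(BINARY_EXT) for p in parts[:-1]):
            odd_paths.append(h["path"])
    duplicates = sorted(p for p, n in seen.items() if n > 1)
    return {"total": len(hits), "by_dir": dict(by_dir),
            "odd_paths": odd_paths, "duplicates": duplicates}


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Feed it the full Log Viewer export instead of the sample and the by_dir counts show whether the alerts cluster in a few vendor folders (Acer, Lucent, GAC) rather than across the system.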

Update your avast. Try scanning against rootkits again:

XP: Windows Start > Run
“C:\Program Files\Alwil Software\Avast4\ashQuick.exe” “SUPERQUICK”

Vista: Windows Start > write “cmd” without quotes > press CTRL+SHIFT+ENTER
Answer ‘Yes’ to the UAC question.
Write down (or paste):
“C:\Program Files\Alwil Software\Avast4\ashQuick.exe” “SUPERQUICK”
Press Enter

Howdy yearcalendar,

Are you, by the way, on an Acer machine? These are all Acer files, and in that case we are considering an FP.
There were more mentions of these particular files in this web forum.

polonus

Yep. I am using an Acer machine.

I just realised that Avast did not send out the files for analysis. According to the log, it encountered some technical problems. What do you all advise? Thanks

Wait for the program update…

// back to the original topic
yearcalendar: update your Avast installation to the latest version and watch your PC for (positive) changes… did the update make any difference in the rootkit reporting?

I experience the same problem and also have an Acer notebook. Avast also demands that I run a scan before Windows starts up. When I do this the scan finds nothing, but when I repeat the scan in Windows the ‘problem’ remains.
The notebook works perfectly and other antivirus programs don’t find anything on my notebook.

These are the 81 lines that I get when Avast scans the Acer notebook:

http://users.telenet.be/jonasontwerpt/rootkit1.JPG

http://users.telenet.be/jonasontwerpt/rootkit2.JPG

http://users.telenet.be/jonasontwerpt/rootkit3.JPG

Jonas_BE: what’s your exact avast build?

Build = NOV2008 (4.8.290); it’s the Home edition.

HijackThis gave this as output:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:50:41, on 27/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\lindy espeel\Bureaublad\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.carbel.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [LaunchApp] Alaunch
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Arcade\PCMService.exe”
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SSBkgdUpdate] “C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Lokale service’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Netwerkservice’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Statusvenster.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe


End of file - 6291 bytes

Invoke a program update, please.

The problem stays, unfortunately.

Did you restart the computer after the update?

Yes I did.