Hello! I am new to the avast! Forum.
While I was doing a Full system scan, a rootkit was detected in C:/WINDOWS/Temp folder. When I attempted to delete it, I got an error (the file system could not find the path specified).
I canceled the avast! window, because I decided to scan the Temp folder. Avast recommended a boot scan, but it did not find anything. I scanned the Temp folder; nothing was detected. A full scan did not find anything, either. Was it a false positive?
What was the full path and file name of this detection ?
It is possible this could have been a security application update, what other security application do you have installed (anti-spyware, firewall, etc.) ?
I have no anti-malware programs other than Windows Defender and avast!. I used to have MBAM installed, though (I immediately shut off real-time protection).
I don't remember the full name (sorry!), but it was a bunch of letters and numbers.
Windows Defender (WD) has been seen before downloading its unencrypted signature updates into Temp and being detected by avast. After all, this is what avast is meant to be doing, scanning for virus signatures, and it seems that is what it has found.
Personally I would disable WD and enable the MBAM resident protection, as I feel that is a much better level of protection than WD.
OK. Thanks. I found the file name. It's nmp.map.
EDIT: in a folder with random numbers and symbols.
Being in the Temp folder, and now that it is gone, it does appear to be an update of sorts, and a strange place to be if this were a rootkit.
You can't actually see the file, though. It's hidden. I found the name out by looking at avast! reports.
The avast anti-rootkit scan runs 8 minutes after boot, so if this were a rootkit and active I would have expected that to have found it, so I'm still erring on a WD signature update triggering this, but I'm no malware removal specialist.
If you want we can escalate this to use some analysis tools to check for the possibility of malware ?
OK. I really do not want to reinstall the OS. If it is a rootkit, that is.
I can't say if it is a rootkit or not, but given the avast anti-rootkit scan doesn't find it but a full system scan did (with a lesser degree of rootkit scan), I still err on this being a WD signature update, but I'm no malware removal specialist and there isn't that much information to work on.
I take it that you mean you want to check it out further:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
Thank you. I will post the logs as soon as possible.
I also did a custom scan with Rootkits(full) checked. Nothing detected.
Here are the logs. MBAM is missing; I will attach that one later.
MBAM:
Does MBR.dat have anything to do with the logs?
I believe it is a programme updating on the system; it may be one of your games, especially as it is self-deleting.
The logs all look clean
MBR.dat is only needed if I have to do a full look at the MBR.
Are you experiencing any problems at all ?
Thanks for joining the topic essexboy.
@ TokenBC
Essexboy, in case you weren't aware, is a qualified malware removal specialist and trainer of others wishing to become malware removal specialists.
No, nothing strange is happening.
Can you explain what you meant about games?
Thanks for checking the logs.
Call of Duty and Steam will try to update as soon as possible after the system starts, along with Java etc.
If they do get an update, it will be stored in the Temp folder whilst it is installed and then self-delete. Some games do have DRM protection, so that will have apparent rootkit operations.
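The point made in the last two replies (a short-lived installer or signature file lands in Temp, may be hidden, and removes itself before anyone can look at it) is easier to act on if the folder is recorded with hashes before the file goes. The script below is an added example, not code from the thread, from avast, from Windows Defender or from essexboy. It walks a folder, hidden entries included, hashes every regular file, optionally keeps only recently modified ones, and reports what appeared or vanished between two runs, so the hash can be looked up even after the file has deleted itself. The scratch folder, file names and contents in `run_demo` are constructed for the demonstration; only the name nmp.map is borrowed from the thread, and its contents here are made up.

```python
"""Snapshot a folder, hidden files included, and hash what is there so a
short-lived file (an update dropped into Temp that later self-deletes) can
be recorded and looked up before it disappears."""
from __future__ import annotations

import hashlib
import os
import shutil
import stat
import tempfile
import time
from dataclasses import dataclass

# Windows file-attribute bit; the stat module carries the constant on every
# platform, the literal is a fallback for old interpreters.
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    mtime: float
    hidden: bool
    sha256: str


def is_hidden(path: str, st: os.stat_result) -> bool:
    """Hidden attribute on Windows; leading-dot convention elsewhere."""
    if hasattr(st, "st_file_attributes"):
        return bool(st.st_file_attributes & FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str, max_age_seconds: float | None = None,
             now: float | None = None) -> list[Entry]:
    """Walk `root` (os.walk does not skip hidden entries) and hash every
    regular file, optionally only those modified within `max_age_seconds`.
    Files that vanish mid-walk are skipped rather than aborting the run."""
    now = time.time() if now is None else now
    entries: list[Entry] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode):
                    continue
                if max_age_seconds is not None and now - st.st_mtime > max_age_seconds:
                    continue
                digest = sha256_file(full)
            except OSError:
                continue  # deleted or locked between listing and read
            entries.append(Entry(full, st.st_size, st.st_mtime,
                                 is_hidden(full, st), digest))
    entries.sort(key=lambda e: e.mtime, reverse=True)
    return entries


def diff_snapshots(before: list[Entry], after: list[Entry]) -> tuple[list[str], list[str]]:
    """Paths that appeared and paths that vanished between two snapshots."""
    b = {e.path for e in before}
    a = {e.path for e in after}
    return sorted(a - b), sorted(b - a)


def run_demo() -> dict:
    """Constructed sample: a scratch folder standing in for C:\\Windows\\Temp
    with one visible and one hidden-style file, one of which is then removed
    the way a finished installer removes itself."""
    root = tempfile.mkdtemp(prefix="temp-triage-")
    try:
        visible = os.path.join(root, "nmp.map")   # name from the thread, contents made up
        hidden = os.path.join(root, ".update.tmp")
        with open(visible, "wb") as f:
            f.write(b"hello world")
        with open(hidden, "wb") as f:
            f.write(b"signature blob")
        first = snapshot(root)
        os.remove(visible)                        # the self-deleting file
        second = snapshot(root)
        appeared, vanished = diff_snapshots(first, second)
        return {
            "first": {os.path.basename(e.path): e for e in first},
            "vanished": [os.path.basename(p) for p in vanished],
            "appeared": appeared,
            # age filter with a clock one hour ahead: nothing is recent enough
            "stale": snapshot(root, max_age_seconds=60, now=time.time() + 3600),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    for name, e in result["first"].items():
        print(f"{name:16} hidden={e.hidden!s:5} {e.size:6d} B  sha256={e.sha256}")
    print("vanished between snapshots:", result["vanished"])
```

Against a real system, run it from an elevated prompt as `snapshot(r"C:\Windows\Temp", max_age_seconds=600)` shortly after boot, when the thread says the updaters fire; the SHA-256 it records can then be checked against the vendor's published hashes or a scanner service even if the file is already gone. Hidden detection uses the Windows attribute where `st_file_attributes` is available and the leading-dot convention elsewhere.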
Thank you all.
I was quite surprised that avast found a rootkit. I am careful when it comes to malware and the computer is less than a month old, so I was guessing it was a false positive.
Better safe than sorry ;D
Run OTL and press the cleanup button to remove it.