Rootkit utewnje4.sys

Avast just found utewnje4.sys on my system. It cannot be deleted or moved to the Chest.

The only thing I could find on the web is this: http://doctus.org/showthread.php?t=50380&p=429707#post429707

What to do?

To only find one hit for a .sys file is somewhat suspicious in its own right. What folder is it in?

Was it the avast anti-rootkit scan (run automatically 8 minutes after boot) that detected this, or another scan?

Thanks for your quick reply! According to Avast it is a high severity threat, located in C:\Windows\System32\drivers. I found it during a manually induced quick system scan. Otherwise, my system has always been OK.

Are you able to upload it to www.virustotal.com and test with 40+ scanners?

When you have the result, post the link here for us to see.

The file is invisible - it’s a rootkit - so it is not possible to upload it to Virustotal. I’ll be happy to run a rootkit scanner on it, but the question is, which one?

Follow this guide and attach (not copy and paste) the malwarebytes / OTL / aswMBR logs:
http://forum.avast.com/index.php?topic=53253.0

Even more suspect given the location.

What errors were given when you tried to move it to the chest (deletion is not a good first choice)?

Error: The request is not supported (50)

Weird, I would have expected to see something like "file in use" (if it were active); "the request is not supported" is more likely seen when an infected file is inside an archive.

If you can open the avastUI, go to Scan Computer, Scan logs, select the log for the scan that detected it and select View results; that should give the full information on the detection: file name, full location and malware name.

If this were an active rootkit, then I would expect it to have been detected by the avast anti-rootkit scan.

File name C:\Windows\System32\drivers\utewnje4.sys
Severity: High
Status Threat: Rootkit: hidden service
Action: Delete
Error: Error 0xA0000101. (-1610612479)

MBAM full scan just finished, didn’t find anything…

I don’t know if this is an isolated remnant of a previous infection. Have you had an infection previously?

You could try running the analysis tools link given by Pondus in Reply #5 above.
But if this were an active infection I would expect it to be showing some more symptoms, commonly trying to connect to malicious sites and being blocked by the avast Network Shield.

Hi, have you run TDSSKiller, AVP or AVZ from Kaspersky?

TDSSKiller and AVZ didn’t find anything either. So I guess we can file this under ‘weird Avast false positive’.

Thanks for the help, guys :)

No, the detection is of a Kaspersky driver, commonly used in AVP and TDSSKiller.
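One way to triage a "hidden service" driver detection like this one before deciding between rootkit and false positive, as an added example that is not from the thread or from Avast: compare what the registry says about the service with what the Service Control Manager will enumerate, and check the Authenticode signer of the file if it is visible. The driver name is taken from the thread; everything else (the checks, the output wording) is assumed.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Triage a driver flagged as "Rootkit: hidden service": does the file and its
# service registration look like a signed vendor driver or like something hiding?
param([string]$DriverName = 'utewnje4')   # name from the thread; assumed placeholder

$filePath = Join-Path $env:SystemRoot "System32\drivers\$DriverName.sys"
$regKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"

# 1. Is the file visible through the normal filesystem API? (-Force shows hidden files.)
$file = Get-Item -LiteralPath $filePath -Force -ErrorAction SilentlyContinue
if ($null -eq $file) {
    Write-Output "File not visible via Win32 API: $filePath (hidden by a driver, or already gone)"
} else {
    Write-Output ("File present: {0} bytes, attributes: {1}" -f $file.Length, $file.Attributes)
    # 2. Who signed it? A legitimate AV driver should carry a valid vendor signature.
    $sig = Get-AuthenticodeSignature -FilePath $filePath
    Write-Output ("Signature status: {0}" -f $sig.Status)
    if ($sig.SignerCertificate) {
        Write-Output ("Signer: {0}" -f $sig.SignerCertificate.Subject)
    }
    # Hash for a VirusTotal lookup without having to upload the file itself.
    Write-Output ("SHA256: {0}" -f (Get-FileHash -LiteralPath $filePath -Algorithm SHA256).Hash)
}

# 3. Registry view of the service: ImagePath, Start type and Type (1 = kernel driver).
$reg = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
if ($null -eq $reg) {
    Write-Output "No service key under $regKey"
} else {
    Write-Output ("Registry: ImagePath={0} Start={1} Type={2}" -f $reg.ImagePath, $reg.Start, $reg.Type)
}

# 4. SCM view of the same driver. Get-Service does not list kernel drivers, so use WMI.
$scm = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
if ($null -eq $scm) {
    Write-Output "SCM does not enumerate a driver named $DriverName"
} else {
    Write-Output ("SCM: State={0} StartMode={1} Path={2}" -f $scm.State, $scm.StartMode, $scm.PathName)
}

# A key in the registry with no matching SCM entry is the discrepancy scanners call a
# "hidden service"; a validly signed driver from a known security vendor whose tool was
# recently run (TDSSKiller/AVP in this thread) points to a benign leftover instead.
if ($reg -and -not $scm) {
    Write-Output "Discrepancy: service registered in the registry but not visible to the SCM"
}
```

If the file is signed by the vendor named in the thread and the tool was run recently, the detection is consistent with a benign leftover; an unsigned, hidden, randomly named driver with a registry-only service is the case worth escalating with the logs the thread asks for.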