Rootkit?

Discussion in 'Computer Software and Operating Systems' started by 3bbb7, Sep 8, 2013.

  1. 3bbb7 (OP), GBAtemp Advanced Fan
    I just installed Windows 8 earlier today, have gone to no malicious websites, and installed Avast/MBAM/Steam/Chrome and a few other legitimate programs.

    I was updating my AMD drivers and this pops up...

    [IMG]

  2. FAST6191, Techromancer (Reporter)
    From the other thread it sounded like you went to Microsoft's actual website, downloaded the iso and used your existing key/a new key to activate it and did it all.

    Could well be a false positive. If it was actually running from there then I would say something but it looks like it just found a file there (maybe even an extracted version for the driver installer, though I would have thought it would have its own directory) and apparently it is only a heuristics thing rather than an actual detection.
  3. 3bbb7 (OP), GBAtemp Advanced Fan
    Yep, I used Microsoft's official Windows 8 installer program. Used my key to activate it.
    Thanks, I'll just delete it and move on.
  4. PityOnU, GBAtemp Advanced Fan
    A quick Google search (which you probably could have done) yields that the file in question is part of your AMD graphics drivers.

    Just saying "fuck it" and deleting potential threats is just as bad as doing nothing. Most modern antivirus programs use heuristics to detect and flag activity that looks like it might be a virus. The result of this is that they sometimes have false positives.

    Removing/deleting false positives can cause problems, make you lose files, and in extreme cases totally fuck your system (like, I dunno, removing a component of your graphics driver).

    If you are proactive, observant, and not an idiot about using your PC, I would recommend removing Avast! and simply using Windows Defender, which comes standard with Windows 8 and is antivirus developed by Microsoft for Microsoft, so it won't do stupid shit like this.

    It won't catch everything, but it also won't go around telling you to delete parts of your system.
  5. Dimensional, GBAtemp Advanced Fan
    The fact that the sys file is in the user's temporary folder should raise some questions. If it's part of AMD's driver, it should be in the system folder, not a temporary folder. Avast doesn't just use heuristics. It also uses a list of known safe locations and a virus database. I happen to be using Avast right now and have updated said database a few times. I'm also using an AMD system with an ATI graphics card, and never found that particular file in my temporary folder, so it must be a virus written and saved to look like a legitimate file. His safest option was to delete it.

    And to say it's part of AMD's graphics drivers is incorrect when a virus is written into a file that is labeled the same as a legitimate file, so as to confuse the user. It's well known that viruses mask themselves as system files. So a Google search won't always yield the right information when you just search for the file name and not the location of said file.

    Edit: I checked for more information, and it does appear to be a legitimate file, but I'm surprised Avast would have it on a list of known bad programs. Then again, it could have characteristics similar to a rootkit, and that's what it was detecting. In any case, that means Avast must update their records again, and fix this apparently stupid mistake.

    Oh, and while Microsoft Security Essentials does seem good, it doesn't detect half the viruses that ended up on my computer. It only detected the ones that its database had. And while MS does update the program a lot, they don't have the resources, nor the willingness to spend tons more money to get more resources, to be able to track every known malicious piece of code, every false positive, and every proper way to combat them. MS Security Essentials isn't the worst scanner out there. By far it's not the worst, but it's not the best either.

    You can't let a scanner do all the thinking for you, because it doesn't see everything going on and won't have all the right answers, hence user interaction. I would rather have some false positives that I can look up instead of having a program that ends up with a ton of false negatives. That's also why I use more than one scanner, and only have one of them be the active/passive scanner and the others just running when I need a second or third opinion. I've done that a lot and never once come across any problems.

    While running more than one scanner at the same time can be a problem, that's only when you run them together in the background as real-time protection. Running one as real-time protection is great, and having the others running as on-demand scanners helps out a lot more. I recommend stuff like ClamAV, which has no real-time capabilities. Also use Spybot Search and Destroy's Immunization feature to change some of your system's settings, such as your hosts file, to prevent you from going onto known bad sites. Trust me, that alone saved me a ton of headaches.
  6. Rydian, Resident Furvert™
    It's not on the list of bad programs, that's a heuristics result. That is, it's flagging the file/process based on its behavior, not signatures.
  7. Dimensional, GBAtemp Advanced Fan
    Yeah. It needs to be added to a list of files that are known to be good, complete with a signature and other things, so as to ensure that the file is the actual good one and not an actual virus. And Avast might need to tweak their heuristics a bit. XD
  8. Lacius, GBAtemp Guru
    1. Why are you downloading so much malware?
    2. Microsoft Security Essentials' real-world protection rate is something like 95%, vs. avast's 99%. The dirty little secret about most antivirus programs is that, as long as they're kept up to date, their effectiveness is pretty much the same. You're right, however, that a computer's first line of defense is the user's common sense.
  9. Dimensional, GBAtemp Advanced Fan
    Who said I was downloading a bunch of malware, let alone any on purpose? I just know that sometimes I get a file that's been altered. I've been using a lot of signatures, checksums, etc. to keep things from going bad. You wouldn't believe how many files I've downloaded that had bad checksums and signatures. And maybe 3 of them were still good. Problem on the distributor's end. But anyways, I also sometimes test my computer's security by having a bunch of virus scanners checking various files and use an online batch virus scanner like VirusTotal to help me confirm things. Can't be too paranoid! :lol:
  10. Lacius, GBAtemp Guru
    You said you downloaded enough malware to be able to gauge real-world effectiveness rates. I didn't say it was on purpose. In fact, it sounded to me like there was a problem with your computer's first line of defense. I suppose then it's a good thing you're using all those scanners. It's not paranoia if your computer habitually downloads malware.
  11. PityOnU, GBAtemp Advanced Fan
    As a be-all and end-all to this thread here (as it is quickly devolving into uselessness):

    There is no "silver bullet" security solution. No one application will detect 100% of viruses/malware/whatever else is on your system.

    With things like antimalware and antivirus, there are two main ways of performing detection: heuristics and signature based.

    Signature based is good in that it always correctly identifies known viruses/malware. It is bad in that it never identifies unknown viruses/malware (yet to be documented and added to the database, that is).

    Heuristics is good in that it can identify previously unknown viruses/malware based on their behavior. It is bad in that it is not perfect, and some legitimate files/applications can look/function similarly to a virus/malware (like Skype), causing the heuristics to label them as a virus/malware/threat.

    Signature based schemes suffer from false negatives (not seeing a virus/malware when there is one). Heuristics suffers from false positives (identifying something is a virus when it is not).

    Good antivirus and antimalware solutions utilize a mixture of the two methods above. Finding the "zen" between the two is effectively what determines the accuracy of a solution.

    ------------------------------------------------

    What choosing an antivirus/antimalware system comes down to is: how do you use your computer, and how often do you encounter threats?

    If you are similar to one of the users who posted in this thread, and download/install/execute/whatever a lot of extremely questionable material from questionable sources, you might be alright with the decent amount of extra daily system overhead incurred by using a very powerful antivirus/antimalware solution with crazy heuristic algorithms and tons of system monitoring. This would also be okay if you were in some sort of enterprise or high-security (government) organization. In such cases, you are also probably okay with false positives from time to time, as you will take the time to research them, determine if it is okay, and then take the appropriate action.

    For the average user, who wants things to "just work" and answers every dialog box with "OK" without reading because he/she has better things to do than debug and research his/her OS and system applications, and who doesn't really encounter threats very often, it may be a better idea to use a simpler, lighter antivirus/antimalware so that the system works better in the general case, and just take proactive steps to minimize threats.

    The OP sounds like they fall into the latter case (consider how he performed his install and lack of Google-age), and that's just fine. Not everyone is a techno-mancer. All I'm saying is that, in his/her case, having a potentially confusing and file destroying (things like cracks, keygens, system files, etc.) antivirus and antimalware solution may not be the best idea.

    Using the one that comes bundled with Windows, and using an ad-blocker in the browser of choice, is probably the most user-friendly and lowest overhead solution in this case, and will function just fine to protect them in the majority of cases.
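An added illustration of the signature-versus-heuristics trade-off PityOnU lays out above, and of the "list of files known to be good, complete with a signature" that Dimensional asked for in post 7. This is example code written for this page, not anything from the thread, from Avast, or from any other vendor; the sample "files", their contents and hashes, the heuristic rules and the scores are all constructed, and a real engine's detection logic is far more involved. The point it shows is the same one the thread argues over: a hash-only engine misses the new variant (false negative), a heuristic engine flags the legitimate driver that an installer extracted to the temp folder (false positive), and a known-good hash list is how a vendor resolves a reported false positive without blunting the heuristics for everyone else.

```python
# Added example (not from the thread): a toy scanner showing why a
# signature-only engine misses new malware (false negative) while a
# heuristic engine can flag a benign driver sitting in %TEMP% (false
# positive), and how a known-good hash list resolves the latter.
# Every sample, hash and rule below is constructed for illustration.
import hashlib
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    path: str           # where the file was found on disk (constructed)
    content: bytes      # constructed file contents
    is_malicious: bool  # ground truth, used only to score the detectors


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed corpus: a legitimate driver an installer extracted to the temp
# folder (its traits look rootkit-like), a plain benign file, a malware
# sample the vendor has already analysed, and a new variant nobody has seen.
LEGIT_DRIVER = b"MZ legit driver: behaviour:hook-syscalls"
KNOWN_BAD = b"MZ old malware: behaviour:hide-process"
SAMPLES = [
    Sample("amd_driver.sys", r"C:\Users\me\AppData\Local\Temp\amd\amd_driver.sys",
           LEGIT_DRIVER, False),
    Sample("notepad.exe", r"C:\Windows\System32\notepad.exe",
           b"MZ text editor", False),
    Sample("known_bad.exe", r"C:\Users\me\AppData\Local\Temp\known_bad.exe",
           KNOWN_BAD, True),
    Sample("novel_bad.exe", r"C:\Users\me\Downloads\novel_bad.exe",
           b"MZ new variant: behaviour:hook-syscalls behaviour:hide-process", True),
]

# Signature database: hashes of samples already analysed by the vendor.
SIGNATURES = {sha256(KNOWN_BAD)}
# Known-good list: hashes of legitimate files reported as false positives.
KNOWN_GOOD = {sha256(LEGIT_DRIVER)}


def signature_detect(s: Sample) -> bool:
    """Exact hash match: never wrong on known samples, blind to new ones."""
    return sha256(s.content) in SIGNATURES


def heuristic_score(s: Sample) -> int:
    """Score suspicious traits; a .sys file in a temp folder adds to it."""
    score = 0
    if b"behaviour:hook-syscalls" in s.content:
        score += 2
    if b"behaviour:hide-process" in s.content:
        score += 3
    if s.name.endswith(".sys") and "\\Temp\\" in s.path:
        score += 1
    return score


def heuristic_detect(s: Sample, threshold: int = 3) -> bool:
    return heuristic_score(s) >= threshold


def combined_detect(s: Sample) -> bool:
    """Signatures first, then heuristics suppressed for known-good hashes,
    which is how a vendor fixes one reported false positive."""
    if signature_detect(s):
        return True
    return heuristic_detect(s) and sha256(s.content) not in KNOWN_GOOD


def evaluate(detector, samples=SAMPLES) -> dict:
    """Count true/false positives and negatives against the ground truth."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for s in samples:
        flagged = detector(s)
        if flagged and s.is_malicious:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif s.is_malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for label, det in [("signature", signature_detect),
                       ("heuristic", heuristic_detect),
                       ("combined", combined_detect)]:
        print(f"{label:10s} {evaluate(det)}")
```

Run as a script it prints one line per engine: the signature engine scores one false negative (the novel variant), the heuristic engine one false positive (the driver in the temp folder, which is exactly what the OP saw), and the combined engine with the known-good list gets all four right. The temp-folder rule is there on purpose: it is the same reasoning Dimensional applied by hand, and it is also why an installer that stages its driver in %TEMP% before copying it into the system folder is a classic source of false positives.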
  12. 3bbb7 (OP), GBAtemp Advanced Fan
    I've been using Avast for years now, and while I may have better compatibility with MSE or something, I like Avast and what it offers more. Then again I have MBAM Pro, so I think Avast might be too much.

    I ended up deleting the file, I got 1 error message when I restarted my computer, not sure what it was but it had AMD as the title. I restarted again and everything seemed to be fine.
    I will probably just update my drivers and if that message occurs again whitelist it.

    I have used one crack for a piece of software on this system, once when I originally had Windows 8, Windows 7, and Windows 8. I've scanned it and checked it with Sandboxie and everything's OK.

    But the file that Avast did pick up was in the temporary folder? Why is AMD saving the stuff there, and wouldn't running a cleaner like CCleaner just remove that anyway?
  13. sandytf, GBAtemp Regular
    When in doubt, try using the online service from www.virustotal.com. This website will let you upload a suspicious file and have it checked by 45 different antivirus programs.
  14. Lacius, GBAtemp Guru
    There's no reason to switch from avast. As I already stated, most antivirus programs (if kept up to date) accomplish effectively the same thing.

    If you deleted the file during the installation of your AMD software, there might be issues (e.g. the error message you mentioned). If you deleted the file after installation of your AMD software, then there should be no issues. As you noted, it was just a temp file. As for why it was in a temp folder, setups often extract things to temp folders and then pull data from there during installation. Setup files themselves are typically compressed.
  15. 3bbb7 (OP), GBAtemp Advanced Fan
    It was detected and I deleted it after the AMD driver installation was done. Thanks
  16. Lacius, GBAtemp Guru
    It's possible the file was quarantined and rendered inaccessible during installation before you deleted it.
  17. 3bbb7 (OP), GBAtemp Advanced Fan
    Well, the message took a while to pop up. I was done with the installation and was playing a game and it randomly popped up. This was about 5-10 minutes after.
  18. Lacius, GBAtemp Guru
    Odds are you're fine, particularly if you didn't receive any error messages during the actual installation.
  19. jonthedit, GBAtemp Advanced Maniac
    You are fine. Avast has been going down the shitter since they updated their interface for Avast! 7 and Avast! 8.
    Submit a false positive report to help others who will come across this.

    FYI Avast's tech support totally sucks now, and their in-program registration button is BROKEN on 90% of the machines I have installed Avast! on. It's a pain to use the email confirmation method instead of just registering like normal! (The team has been aware of this bug since Avast! 7, which is about 6 months ago!)
  20. 3bbb7 (OP), GBAtemp Advanced Fan
    The registration has worked for me every time I've installed it.
    Are there any free alternative antivirus programs that you prefer instead?
    I was looking at the ESET NOD32 beta 7 because it's free, but I don't want to use it because after it's out of beta it will probably go paid.