Rootkit scan results - advice please

Sunnyday
Sunnyday Posts: 3,855 Forumite
Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
Hi peeps,

I hope that someone can offer some advice please.

I ran the AVG antirootkit scanner and these are the results.

Scan "Anti-Rootkit scan" completed.
Rootkits;"15";"0";"15"

Scan started:;"11 April 2011, 16:36:33"
Scan finished:;"11 April 2011, 16:38:03 (1 minute(s) 29 second(s))"
Total object scanned:;"54380"
User who launched the scan:;"SYSTEM"

Rootkits
;"File";"Infection";"Result"
;"<unknown>";"IRP hook, ver\AFD DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\Tcpip DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\i8042prt DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\Mouclass DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\Kbdclass DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, eSystem\Ntfs DriverStartIo -> 0x6C00690046005C";"Object is hidden"
;"<unknown>";"IRP hook, ver\PCIIde DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, eSystem\RAW DriverStartIo -> 0x6C00690046005C";"Object is hidden"
;"<unknown>";"IRP hook, ver\Disk DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\PCI DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\atapi DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\PartMgr DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, eSystem\FltMgr DriverStartIo -> 0x6C00690046005C";"Object is hidden"
;"<unknown>";"IRP hook, eSystem\sr DriverStartIo -> 0x6C00690046005C";"Object is hidden"
;"<unknown>";"IRP hook, ver\ACPI DriverStartIo -> 0x00440085";"Object is hidden"


AVG does not seem able to remove whatever it is that it has found, so I'm off in a mo to run it in safe mode and I will be back shortly when it's done its stuff.

Does anyone have any idea what has been found?

SD
Planning on starting the GC again soon :p
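A triage helper for the AVG Anti-Rootkit table above, added here as an example; it is not AVG's code and not part of the original post. It assumes the table is semicolon-separated with quoted fields (as shown), that the machine is 32-bit Windows XP (the Malwarebytes log later in the thread reports Windows 5.1.2600), and that a genuine DriverStartIo hook would point into kernel-mode address space, which starts at 0x80000000 on 32-bit Windows with the default memory split. The function names are hypothetical. It parses each row, checks whether the reported target can be a 32-bit kernel pointer at all, and tries reading the raw bytes as UTF-16LE text, which is what a scanner that has misread a string rather than a pointer would produce.

```python
"""Triage helper for an AVG Anti-Rootkit log table (added example, not AVG's code).

Assumptions (not stated in the thread): the table is semicolon-separated with
quoted fields, the machine is 32-bit Windows XP (the Malwarebytes log later in
the thread reports Windows 5.1.2600), and a real DriverStartIo hook would point
into kernel-mode address space, i.e. at or above 0x80000000 on 32-bit Windows
with the default 2 GB/2 GB split. All function names here are hypothetical.
"""
import csv
import io
import re
from typing import Dict, List, Optional

KERNEL_BASE_32 = 0x80000000  # first kernel-mode address on 32-bit Windows (default split)

# Constructed sample: three rows copied from the "Rootkits" table in the first post.
SAMPLE_LOG = """\
;"File";"Infection";"Result"
;"<unknown>";"IRP hook, ver\\AFD DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, eSystem\\Ntfs DriverStartIo -> 0x6C00690046005C";"Object is hidden"
;"<unknown>";"IRP hook, ver\\Disk DriverStartIo -> 0x00440085";"Object is hidden"
"""

HOOK_RE = re.compile(r"IRP hook, (?P<driver>\S+) DriverStartIo -> 0x(?P<addr>[0-9A-Fa-f]+)")


def parse_avg_rootkit_log(text: str) -> List[Dict[str, str]]:
    """Parse the quoted, semicolon-separated table into file/infection/result dicts."""
    rows = []
    for fields in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(fields) < 4 or fields[1] == "File":
            continue  # blank line or header row
        rows.append({"file": fields[1], "infection": fields[2], "result": fields[3]})
    return rows


def utf16le_text(hex_digits: str) -> Optional[str]:
    """Reinterpret the printed hex value as little-endian bytes and decode as UTF-16LE.

    Returns the text only if it is entirely printable ASCII; otherwise None.
    """
    padded = hex_digits.zfill(-(-len(hex_digits) // 4) * 4)  # round up to whole 16-bit units
    raw = int(padded, 16).to_bytes(len(padded) // 2, "little")
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if text and all(0x20 <= ord(c) < 0x7F for c in text):
        return text
    return None


def assess_hook(infection: str) -> Dict[str, object]:
    """Judge one 'IRP hook' entry by whether its target can be a 32-bit kernel pointer."""
    m = HOOK_RE.search(infection)
    if not m:
        return {"driver": None, "target": None, "kernel_range": False,
                "as_text": None, "verdict": "not an IRP hook entry"}
    hex_digits = m.group("addr")
    value = int(hex_digits, 16)
    fits_32bit = len(hex_digits) <= 8          # wider values cannot be 32-bit pointers
    kernel_range = fits_32bit and value >= KERNEL_BASE_32
    as_text = utf16le_text(hex_digits)
    if kernel_range:
        verdict = "target is in kernel range; review the driver manually"
    elif as_text is not None:
        verdict = f"target decodes as text {as_text!r}; likely scanner false positive"
    else:
        verdict = "target cannot be a 32-bit kernel pointer; likely scanner false positive"
    return {"driver": m.group("driver"), "target": value, "kernel_range": kernel_range,
            "as_text": as_text, "verdict": verdict}


def triage(text: str) -> List[Dict[str, object]]:
    """Parse a whole log table and assess every row."""
    return [dict(assess_hook(row["infection"]), result=row["result"])
            for row in parse_avg_rootkit_log(text)]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry['driver']}: {entry['verdict']}")
```

On the three sample rows it reports the 0x00440085 targets as user-space values and decodes 0x6C00690046005C as the text "\Fil" (the start of a path), which supports treating these entries as scanner false positives rather than evidence of a hook; a target that does fall in kernel range is marked for manual review rather than dismissed.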

Comments

  • closed
    closed Posts: 10,886 Forumite
    Full scan with Malwarebytes, post a HijackThis log
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I think they're all false positives
    :idea:
  • Sunnyday
    Sunnyday Posts: 3,855 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    aliEnRIK wrote: »
    I think they're all false positives

    Thank you both for your replies. I did have a quick scout around for anyone else with the same results, but nothing that I read seemed to match the ones that were found on mine.

    The rootkit scanner won't run in safe mode, but I've done a full virus scan and when I get back into normal mode I'll look at the 3 warnings that have been given. I'm running Spybot in safe mode atm just to be on the safe side, but it's taking forever. I'll run the rootkit scanner again when I'm back in normal mode.

    SD
    Planning on starting the GC again soon :p
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I'd leave AVG's rootkit scanner completely alone if I were you
    :idea:
  • Sunnyday
    Sunnyday Posts: 3,855 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    aliEnRIK wrote: »
    I'd leave AVG's rootkit scanner completely alone if I were you

    Thanks, can you recommend anything else instead?

    I've recently opened an online bank account so I'm a little bit paranoid atm :o

    SD
    Planning on starting the GC again soon :p
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    As closed said in post #2

    Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_malwarebytes_anti_malware/
    Open Malwarebytes, go to UPDATE and click 'check for updates'. After it's updated go to SCANNER, click PERFORM QUICK SCAN then click SCAN
    Remove everything that's found (needs to be ticked)
    Post the COMPLETE log here AFTER you've deleted everything it finds
    If anything was found then do the exact same but run a FULL scan

    reboot
    Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_hijackthis/
    Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE (takes seconds), then post the log so we can see what's running
    (do NOT do anything else with HijackThis but scan and post the FULL log)
    If you get a message that you can't write to the hosts file, then press the SHIFT key and, whilst holding it, RIGHT CLICK and select RUN AS (admin)
    :idea:
  • RussJK
    RussJK Posts: 2,359 Forumite
    Sunnyday wrote: »
    Thanks, can you recommend anything else instead?

    I've recently opened an online bank account so I'm a little bit paranoid atm :o

    SD

    Rootkits are hard to find because they load with the OS (Windows) and hide themselves well. The problem with rootkit scanners like AVG, Sophos, etc., is that the results can be hard for most 'advanced' users to interpret, let alone the average user. If someone really thought they had a rootkit and didn't have any luck removing it using Malwarebytes/HijackThis!, then the best advice would be to format and reinstall Windows (unless they were lucky enough to know an expert who knew how to root them out).

    First start with Malwarebytes and HijackThis as above.

    Here are some other suggestions since you asked:

    1. You could try scanning the computer from outside of Windows with a boot disk antivirus scanner if you are worried about rootkits. Try some from this thread:

    https://forums.moneysavingexpert.com/discussion/comment/41653210#Comment_41653210

    I'd recommend the first three.

    The disadvantage of this approach is that they take hours to complete, depending on how many files there are to scan, and so mostly you can't use your computer for anything else. Dr Web at least lets you browse the web while it scans, which is handy.


    2. If you don't want to use that approach, then these programs have varying levels of rootkit scanning:

    AVZ (no install needed, needs unzipping, can update)
    http://www.softpedia.com/progDownload/AVZ-Antiviral-Toolkit-Download-113572.html

    NoVirusThanks Anti-rootkit (requires install, wants registry entry)
    http://www.novirusthanks.org/product/novirusthanks-anti-rootkit/

    Sophos Anti-Rootkit scanner (requires install, run program as administrator)
    https://secure.sophos.com/products/free-tools/sophos-anti-rootkit/eula/

    Hijack Hunter (portable or installed, run as admin)
    http://www.novirusthanks.org/product/hijack-hunter/

    Kaspersky TDSSKiller (very quick! no install needed, for the TDSS rootkit; can make the OS unbootable, so it's safer to just use the scan and ask for help if it finds anything)
    http://support.kaspersky.com/downloads/utils/tdsskiller.exe
  • Sunnyday
    Sunnyday Posts: 3,855 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    Thanks everyone, I'd just started running the Malwarebytes scan after looking for the instructions. It has done the quick scan and found nothing :j I'm doing the full scan just to see what happens, as I'm nosy, but it will mean nothing to me when I see the results. I shall post them anyway.

    RussJK - Thanks for all the links that you posted, I've bookmarked them for reading when I have a bit more time.

    SD
    Planning on starting the GC again soon :p
  • Sunnyday
    Sunnyday Posts: 3,855 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    The full scan log looks the same as the quick scan log. I was expecting a long list of running items, as I've seen when others post theirs, so I hope that I've done it right.


    Malwarebytes' Anti-Malware 1.50.1.1100
    https://www.malwarebytes.org

    Database version: 6334

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/04/2011 19:46:15
    mbam-log-2011-04-11 (19-46-15).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 187696
    Time elapsed: 33 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Strange to see IE8 listed as the browser as I don't use it - only Chrome these days.

    Looks as if I can rest easy now and run this prog instead of the AVG rootkit scanner.

    Thanks again everyone.

    SD
    Planning on starting the GC again soon :p
This discussion has been closed.