Rootkit scan results - advice please

Sunnyday

Hi peeps,

i hope that someone can offer some advice please.

I ran the AVG antirootkit scanner and these are the results.

Scan "Anti-Rootkit scan" completed.
Rootkits;"15";"0";"15"

Scan started:;"11 April 2011, 16:36:33"
Scan finished:;"11 April 2011, 16:38:03 (1 minute(s) 29 second(s))"
Total object scanned:;"54380"
User who launched the scan:;"SYSTEM"

Rootkits
;"File";"Infection";"Result"
;"<unknown>";"IRP hook, ver\AFD DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\Tcpip DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\i8042prt DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\Mouclass DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\Kbdclass DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, eSystem\Ntfs DriverStartIo -> 0x6C00690046005C";"Object is hidden"
;"<unknown>";"IRP hook, ver\PCIIde DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, eSystem\RAW DriverStartIo -> 0x6C00690046005C";"Object is hidden"
;"<unknown>";"IRP hook, ver\Disk DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\PCI DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\atapi DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, ver\PartMgr DriverStartIo -> 0x00440085";"Object is hidden"
;"<unknown>";"IRP hook, eSystem\FltMgr DriverStartIo -> 0x6C00690046005C";"Object is hidden"
;"<unknown>";"IRP hook, eSystem\sr DriverStartIo -> 0x6C00690046005C";"Object is hidden"
;"<unknown>";"IRP hook, ver\ACPI DriverStartIo -> 0x00440085";"Object is hidden"


AVG does not seem able to remove whatever it is that it has found so i`m off in a mo to run it in safe mode and i will be back shortly when its done its stuff.

Does anyone have any idea what has been found?

SD

closed

Full Scan with malwarebytes, post a hijackthis log

aliEnRIK

I think theyre all false positives

Sunnyday

aliEnRIK wrote: »

I think theyre all false positives

Thankyou both for your replies, i did have a quick scout around for anyone else with the same results but nothing that i read seemed to match the ones that were found on mine.

The rootkit scanner won`t run in safe mode but i`ve done a full virus scan and when i get back into normal mode i`ll look at the 3 warnings that have been given, i`m running spybot in safe mode atm just to be on the safe side but its taking forever. I`ll run the rootkit scanner again when i`m back in normal mode.

SD

aliEnRIK

Id leave AVGs rootkit scanner completely alone if I were you

Sunnyday

aliEnRIK wrote: »

Id leave AVGs rootkit scanner completely alone if I were you

Thanks, can you recommend anything else instead?

I`ve recently opened an online bank account so i`m a little bit paranoid atm

SD

aliEnRIK

As closed said in post #2

Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_malwarebytes_anti_malware/
Open malwarebytes and goto UPDATE and click 'check for updates'. After its updated goto SCANNER and click PERFORM QUICK SCAN then click SCAN
Remove everything thats found (needs to be ticked)
Post the COMPLETE log here AFTER youve deleted everything it finds
If anything was found then do the exact same but run a FULL scan

reboot
Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_hijackthis/
Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE(Takes seconds) then post the log so we can see whats running
(do NOT do anything else with Hijack but scan and post the FULL log)
If you get a message that you cant write to the hosts file then Press the SHIFT key, and whilst holding it RIGHT CLICK and select RUN AS (admin)

RussJK

Sunnyday wrote: »

Thanks, can you recommend anything else instead?

I`ve recently opened an online bank account so i`m a little bit paranoid atm

SD

Rootkits are hard to find because they load with the OS (Windows) and hide themselves well. The problem with rootkit scanners like AVG, Sophos, etc, is that the results can be hard for most 'advanced' users to interpret let alone the average user. If someone really thought they had a rootkit and didn't have any luck with removing it using Malwarebytes/HijackThis!, then the best advice would be to format and reinstall Windows (unless they were lucky enough to know an expert who knew how to root them out).

First start with Malwarebytes and Hijackthis as above.

Here are some other suggestions since you asked:

1. You could try scanning the computer from outside of Windows with a bootdisk antivirus scanner if you are worried about rootkits. Try some from this thread:

https://forums.moneysavingexpert.com/discussion/comment/41653210#Comment_41653210

I'd recommend the first three.

The disadvantage of this approach is that they take hours to complete depending on how many files there are to scan, and so mostly you can't use your computer for anything else. Dr Web at least lets you browse the web while it scans which is handy.


2. If you don't want to use that approach, then these programs have varying levels of rootkit scanning:

AVZ (no install needed, needs unzipping, can update)
http://www.softpedia.com/progDownload/AVZ-Antiviral-Toolkit-Download-113572.html

NoVirusThanks Anti-rootkit (requires install, wants registry entry)
http://www.novirusthanks.org/product/novirusthanks-anti-rootkit/

Sophos Anti-Rootkit scanner (requires install, run program as administrator)
https://secure.sophos.com/products/free-tools/sophos-anti-rootkit/eula/

Hijack Hunter (portable or installed, run as admin)
http://www.novirusthanks.org/product/hijack-hunter/

Kapersky TDSSKiller (very quick! no install needed, for TDSS rootkit, can make OS unbootable so safer to just use the scan and ask for help if it finds anything)
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Sunnyday

Thanks everyone, i`d just started running the malware bites scan after looking for the instructions, it has done the quick scan and found nothing :j i`m doing the full scan just to see what happens as i`m nosy but it will mean nothing to me when i see the results but i shall post them anyway.

RussJK - Thanks for all the links that you posted, i`ve bookmarked them for reading when i have a bit more time.

SD

Sunnyday

The full scan log looks the same as the quick scan log, i was expecting a long list of running items as i`ve seen when others post theirs so i hope that i`ve done it right.


Malwarebytes' Anti-Malware 1.50.1.1100
https://www.malwarebytes.org

Database version: 6334

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/04/2011 19:46:15
mbam-log-2011-04-11 (19-46-15).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 187696
Time elapsed: 33 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Strange to see IE8 listed as the browser as i don`t use it - only Chrome these days.

Looks as if i can rest easy now and run this prog instead of the AVG rootkit scanner.

Thanks again everyone.

SD