Do I Have A Rootkit Virus?


3 replies to this topic

#1 nool

nool

  • Members
  • 2 posts

Posted 13 October 2007 - 12:16 PM

Hi, I am running XP and have AVG Free and the ZoneAlarm firewall. I run Spybot and AVG often and have had no problems so far. I was reading about rootkit viruses and how they are invisible to anti-virus software. While googling "rootkit virus" I came across a post on the website castlecops.com which linked a program called IceSword that was supposed to be able to detect rootkit viruses. When I unzipped it after downloading, AVG immediately came up with two backdoor trojans detected. One was the filename eovnpx.sys. I know it was stupid not to scan the file before I opened it, but I thought it would be safe coming from that website.
Just earlier I left the computer for a few minutes and when I came back the Windows search was open and ZoneAlarm was asking if explorer.exe could access the internet. I thought this was a bit weird so I denied it.
Am I being paranoid? Is there any way to check if I am infected?

Thanks very much for any help you can give me.

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 October 2007 - 02:07 PM

Did you do a search of your system for eovnpx.sys? You can use the Windows Search feature > More advanced options to locate it.
To do this, go to Start -> Search -> All files and folders -> More advanced options. Checkmark these options:
  • "Search system folders"
  • "Search hidden files and folders"
  • "Search subfolders"
Type in the name of the file and then click "Search" to look for the file(s).

IceSword is a stand-alone tool that shows you program components (processes) in memory, ports, API hooking, services, startups and more. It will not actually tell you if you are infected or not unless you know what you're looking for. If you don't, you're probably better off with something like AVG Anti-Rootkit.
  • Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit
  • Accept the license and follow the prompts to install.
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with four buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
  • When the scan has finished, a small window will open so you can view the results.
  • Right click and select "Save Result To File".
  • By default the file will be saved with a .csv extension. (You can use Notepad to open the .csv file.)
  • Copy and paste the results in your next reply.
  • If anything was found, click "Remove selected items".
  • If nothing was found, please click "Perform in-depth Search", saving anything found to file as before.
Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
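As an added example (not code from the thread, nor from AVG Anti-Rootkit or IceSword), here is a Python script that does what the file search in the post above does, but from the command line: walk a whole drive without skipping hidden or system folders, match the file name case-insensitively as NTFS does, and record the size, modification time and SHA-256 of each hit so the result can be pasted into a reply or looked up elsewhere. The file name eovnpx.sys is the one from the thread; the directory tree the demo builds and the bytes it writes into the sample file are constructed test data. The caveat the post makes still applies: a kernel-mode rootkit that filters directory listings hides from this walk exactly as it hides from Explorer, because both go through the same Windows API, which is why an anti-rootkit tool is the next step when the search comes back empty.

```python
"""Search a tree for a named file without skipping hidden/system folders and
fingerprint every hit.  Added example for this thread, not code from it or from
AVG/IceSword.  Run as:  python find_hit.py C:\\ eovnpx.sys   (or with no
arguments to run the self-contained demo on constructed data)."""
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

# Win32 attribute bits; os.stat() exposes them as st_file_attributes on Windows only.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Constructed stand-in for a driver file, used only by demo(); not a real sample.
SAMPLE_DRIVER_BYTES = b"MZ" + b"\x00" * 62


@dataclass
class Hit:
    path: str
    size: int
    modified_utc: str
    sha256: str
    hidden: bool
    system: bool


def _flags(path: str, st: os.stat_result) -> tuple[bool, bool]:
    """(hidden, system) from NTFS attributes; on POSIX hosts treat dotfiles as hidden."""
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is None:
        return os.path.basename(path).startswith("."), False
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN), bool(attrs & FILE_ATTRIBUTE_SYSTEM)


def sha256_of(path: str) -> str:
    """Hash in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sample_digest() -> str:
    """Digest of the constructed sample, for checking demo() output."""
    return hashlib.sha256(SAMPLE_DRIVER_BYTES).hexdigest()


def find_files(root: str, names: set[str]) -> list[Hit]:
    """Walk `root`, including hidden and system directories (os.walk applies no
    attribute filter), and fingerprint every file whose name matches.  Names are
    compared case-insensitively because NTFS is."""
    wanted = {n.lower() for n in names}
    hits: list[Hit] = []
    for dirpath, _dirs, filenames in os.walk(root):  # unreadable dirs are skipped silently
        for fn in filenames:
            if fn.lower() not in wanted:
                continue
            full = os.path.join(dirpath, fn)
            try:
                st = os.stat(full)
                digest = sha256_of(full)
            except OSError:
                continue  # locked or access-denied file: still worth noting by hand
            hidden, system = _flags(full, st)
            when = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec="seconds")
            hits.append(Hit(full, st.st_size, when, digest, hidden, system))
    return hits


def demo() -> list[Hit]:
    """Build a small constructed directory tree in a temp dir and search it."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "WINDOWS", "system32", "drivers")
        os.makedirs(drivers)
        with open(os.path.join(drivers, "EOVNPX.SYS"), "wb") as f:  # upper-case on purpose
            f.write(SAMPLE_DRIVER_BYTES)
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("unrelated file, should not match\n")
        return find_files(root, {"eovnpx.sys"})


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        results = find_files(sys.argv[1], set(sys.argv[2:]) or {"eovnpx.sys"})
    else:
        results = demo()
    for hit in results:
        print(f"{hit.path}\n  size={hit.size}  modified={hit.modified_utc}"
              f"  hidden={hit.hidden}  system={hit.system}\n  sha256={hit.sha256}")
    if not results:
        print("no matching files found")
```

Run it from an administrator prompt so that protected folders under the Windows directory are readable; a hit flagged hidden or system in a drivers folder is worth posting along with its hash, while an empty result only means nothing is visible through the normal file API.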

#3 nool

nool
  • Topic Starter

  • Members
  • 2 posts

Posted 13 October 2007 - 04:42 PM

The search for the trojan was negative, so I think AVG must have got it. I ran both scans of the anti-rootkit and it did not find anything, so I assume I'm safe. I was just a bit worried about getting a trojan from what I thought was a reputable site and thought there might have been something else in there as well.
Cheers for all your help!

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 October 2007 - 06:05 PM

CC is a reputable site and that's where I downloaded my version of IceSword as provided by MVP Larry Stevenson (Prince_Serendip). Keep in mind the direct download link is not hosted by the CC site but points to a URL at the author's site. You should advise Prince_Serendip of your experience so he can follow up and investigate.

It's also possible AVG provided a false alarm. Anyway, I'm glad to hear your scans came up clean.



