Found These With My Avg Antirootkit


#1 RknRusty

Posted 21 March 2008 - 09:08 PM

They're all in C:\Program Files\Common Files\Symantec Shared\VirusDefs. Does anyone know if I should delete these?

Posted Image

#2 boopme

Posted 21 March 2008 - 10:09 PM

Hi, can you expand that PATH section, as I'm not certain whether it sees a Symantec virus database or you have a serious rootkit infection. Do you have Symantec (Norton) installed?

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 RknRusty

Posted 22 March 2008 - 01:23 AM

Maybe this will help. Yes, I have NIS 2008.

Posted Image

#4 RknRusty

Posted 22 March 2008 - 01:34 AM

When I Googled NAVENG.SYS, I ended up here: http://www.bleepingcomputer.com/startups/NAVENG-18010.html. It looks like it's legitimate, but AVG never detected anything before this. I run it about once a week.

EDIT: I just realized none of the folders in the AVG report match the ones in the search, nor do they match the ones in Explorer when I navigate to "C:\Program Files\Common Files\Symantec Shared\VirusDefs."
I have Folder Options set to show hidden and system files.

Edited by RknRusty, 22 March 2008 - 01:42 AM.


#5 quietman7

Posted 22 March 2008 - 07:21 AM

Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 RknRusty

Posted 22 March 2008 - 09:42 AM

The fact that those files had never been detected before now is what worried me.
Is there anywhere I can submit these to have them analyzed, and should I post an HJT log?

#7 boopme

Posted 22 March 2008 - 01:12 PM

You can submit files to these two locations. You may then post the results they send back here.

Jotti Malware Scan
And/or
Virustotal

Edited by boopme, 22 March 2008 - 01:14 PM.

#8 RknRusty

Posted 22 March 2008 - 10:42 PM

Well, it sounded like a good idea, but these folders do not exist anywhere in Explorer. Hidden files and system files are shown.

There are 7 similar folders such as this one, e.g. "C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080322.003". They even contain NAVENG.SYS and NAVEX15.SYS, but I figure these are legitimate Symantec files. I submitted a couple of each to the websites you suggested and they found nothing.

I wish I could figure out where the folders containing the files that AVG found are hiding.

#9 quietman7

Posted 23 March 2008 - 07:18 AM

Report the AVG ARK findings to Symantec Support.

#10 RknRusty

Posted 23 March 2008 - 07:12 PM

I'll open a chat with Symantec tonight and ask them about these files. If they offer e-mail communication I haven't found it.

And... guess what! I scanned again with AVG ARK and it found nothing. Twice. Hmmmmm

I think I'll prepare an HJT log for the Bleepin' Wizards to look at, just for the hell of it.

#11 quietman7

Posted 24 March 2008 - 12:10 PM

Your hijackthis log is posted here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.

#12 Papakid

Posted 03 April 2008 - 12:22 PM

I've reopened this topic as there is no additional info in your HJT log or any signs of malware present. This is actually the proper forum for this issue.

As QM7 has explained, many legit security products could potentially be flagged as rootkits. If you notice, the type of "rootkit" is "hidden drivers", which is basically what many rootkits are--drivers that are hidden for good reason.

I can't tell you with certainty why AVG flagged those this time when it didn't before. Best guess is that you performed the scan while Norton was in the process of updating. As long as the .sys files are in the correct location/folder (which they are, and I will explain why next) you have nothing to worry about.

The reason you're thinking the folders don't exist is because the AVG app's output listed them using the tilde (~) to abbreviate long file/folder names. You posted that you are able to view the following folder:

C:\Program Files\Common Files\Symantec Shared\VirusDefs

That is the same parent folder listed in the AVG output (upper or lower case doesn't matter):

C:\Progra~\Common~\Symant~1\VirusD~

If you want to test this for yourself, copy the above file path that includes the tilde and paste it into your Run box and hit enter. The VirusDefs folder should open.

For more info on how long file names work and why there are sometimes numerals included along with the tilde, see the following article from MS: http://support.microsoft.com/kb/142982

The thing about people

is they change

when they walk away.--Mipso
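The 8.3 short-name rule Papakid describes, as an added example that is not part of the thread or of any AVG or Symantec code: a simplified version of the generation algorithm from the MS article he links, plus a component-wise check that an ARK's tilde path actually refers to the folder you can see in Explorer. Python is assumed; the `~N` digit can only be guessed, since Windows picks it from the other entries in the directory, so the matcher accepts any digit (or none, as in the AVG output).

```python
import re

# Characters Windows drops when building an 8.3 name (simplified rule set from
# the MS article; the hash-based form used after several collisions is not
# modelled here, and the ~1 digit is only a guess).
_STRIP = re.compile(r'[ \[\];=,+]')


def short_component(name: str) -> str:
    """Approximate the 8.3 name Windows generates for one path component.
    Names that already fit 8.3 are just upper-cased; otherwise the base is
    cut to 6 characters plus '~1' and the extension to 3 characters."""
    base, dot, ext = name.rpartition('.')
    if not dot:                       # no extension at all
        base, ext = name, ''
    clean_base = _STRIP.sub('', base).replace('.', '').upper()
    clean_ext = _STRIP.sub('', ext).upper()
    needs_tilde = (clean_base != base.upper() or clean_ext != ext.upper()
                   or len(clean_base) > 8 or len(clean_ext) > 3)
    if needs_tilde:
        clean_base, clean_ext = clean_base[:6] + '~1', clean_ext[:3]
    return clean_base + ('.' + clean_ext if clean_ext else '')


def short_name_matches(short: str, long_name: str) -> bool:
    """True if an 8.3-style component (any ~N, or AVG's bare '~') can denote long_name."""
    expected = short_component(long_name)
    s_base, _, s_ext = short.upper().partition('.')
    e_base, _, e_ext = expected.partition('.')
    if '~' in e_base:
        prefix = e_base.split('~')[0]          # the 6-character stem
        base_ok = re.fullmatch(re.escape(prefix) + r'~\d*', s_base) is not None
    else:
        base_ok = s_base == e_base
    return base_ok and s_ext == e_ext


def short_path_matches(short_path: str, long_path: str) -> bool:
    """Component-wise check that a tilde path from an ARK report refers to the
    long path visible in Explorer (case-insensitive, like Windows)."""
    s_parts = short_path.rstrip('\\').split('\\')
    l_parts = long_path.rstrip('\\').split('\\')
    return len(s_parts) == len(l_parts) and all(
        short_name_matches(s, l) for s, l in zip(s_parts, l_parts))


if __name__ == '__main__':
    # The two paths quoted in the thread: AVG's output and the Explorer folder.
    ark = r'C:\Progra~\Common~\Symant~1\VirusD~'
    explorer = r'C:\Program Files\Common Files\Symantec Shared\VirusDefs'
    print(short_path_matches(ark, explorer))   # True: they are the same folder
```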


#13 quietman7

Posted 04 April 2008 - 09:43 AM

I'll open a chat with Symantec tonight and ask them about these files.

Did they respond yet?

I have to agree with Papakid. You probably performed your scan while Norton was updating itself. That action can certainly impact the results of ARK scans.

There are various reasons for ARK tools to encounter problems during a scan resulting in misleading or inaccurate results. Thus, before performing future scans it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#14 RknRusty

Posted 04 April 2008 - 10:50 AM

Thanks to the HJT crew for analyzing my log. Papakid and quietman, the possibility that Norton was in the process of updating while I ran the rootkit scan had not occurred to me. In retrospect, it sounds like a no brainer, especially since further scans never detected them again. But then I'm much better at retrospection than forward thinking.

Symantec said they were probably legitimate files but did not know why AVG flagged them and then no longer detected them. He also said AVG was possibly undependable. Big help.

From now on, I'll do as you suggest and unplug the cable, and disable everything that may try to start up during a scan.

Thanks,
Rusty

#15 quietman7

Posted 04 April 2008 - 03:07 PM

You're welcome on behalf of the Bleeping Computer community.



