Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Did the rootkit survive my desinfect?


  • Please log in to reply
3 replies to this topic

#1 Acro

Acro

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 13 February 2011 - 11:34 AM

A few days ago, I started my computer. Nothing unusual. Then when my Avast activated itself, it gave me a message saying that a ROOTKIT had been found. I immediately
selected the 'remove infection' option. My computer is now showing some weird signs (which were also there before the rootkit discovery). Sometimes it will completely
freeze for about 1-2 minutes, then work again. Again, these signs were also there BEFORE the infection was found.

I am now scared that my computer is still infected, despite nothing being found when i scan. I still use Avast! free edition.

THE PROBLEM I FACE
I'm a frequent user of Portable Apps. (applications that can be downloaded to a portable drive and be used from that drive)
I want to download a new bunch of apps, but I am scared that the rootkit might still be in my system, in which case it might transfer itself to my usb-drive.
Since the applications are portable, I will be using them at school and on my friends' computers. I don't want to spread malware throughout my town :P.

If any more info is needed, please let me know.

Thanks in advance!
Acro

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,929 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:15 AM

Posted 13 February 2011 - 12:31 PM

my Avast activated itself, it gave me a message saying that a ROOTKIT had been found. I immediately

What exactly did it detect? Was there a log generated, an object/file identified as a rootkit, etc?

Not all hidden components detected by security tools are malicious. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Acro

Acro
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 13 February 2011 - 12:57 PM

my Avast activated itself, it gave me a message saying that a ROOTKIT had been found. I immediately

What exactly did it detect? Was there a log generated, an object/file identified as a rootkit, etc?

Not all hidden components detected by security tools are malicious. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

Quietman7,
I do not know the file name. it consisted of many seemingly random characters. I clicked 'desinfect' before noting down the name, relying that I would be able to get the name from my avast!scan logs. This however, does not happen to be true.

I have now talked in the IRC chat of Bleepingcomputer and I was told to download a program called USB vaccin. This solves my USB safety problem.
Many thanks for telling me about the hidden keys and components. I didn't know that.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,929 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:15 AM

Posted 14 February 2011 - 07:30 AM

You're welcome.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users