
2x Rootkits....?


11 replies to this topic

#1 YesImOtto

Posted 17 March 2012 - 09:21 AM

I have a problem (apparently)

I ran AVG rootkit, and... it came up with 2x rootkits.

This is what it looks like


====

Scan "Anti-Rootkit scan" completed.
Rootkits;"2";"0";"2"

Scan started:;"Saturday, 17 March 2012, 9:43:11 PM"
Scan finished:;"Saturday, 17 March 2012, 9:44:55 PM (1 minute(s) 44 second(s))"
Total object scanned:;"147738"
User who launched the scan:;"SYSTEM"

Rootkits
;"File";"Infection";"Result"
;"<unknown>";"Corrupted section ntkrnlpa.exe[PAGE] IoCheckShareAccess+0x10D5, size 4 bytes";"Object is hidden"
;"<unknown>";"Corrupted section ntkrnlpa.exe[PAGE] SeSetAccessStateGenericMapping+0x144, size 4 bytes";"Object is hidden"
====

I don't understand. I have Avast, a very decent AV, and I did a full scan and it was clean. I used MBAM, it was clean. I used Avast's Bootscan before Windows start up, it was clean. I did the ESET online scanner, it was clean..

So, is this just an error from AVG? What can I do to remove these 2 rootkits?


Should I try running in safe mode and a full scan with SuperSAS? EDIT: Done that, no infection at all. Also ran TDSSKiller, and it's fine.

So...is this only AVG?

Edited by sumosalad, 17 March 2012 - 10:52 AM.



#2 Orange Blossom (OBleepin Investigator, Moderator)

Posted 17 March 2012 - 12:30 PM

Does this concern the same computer as the topic here: http://www.bleepingcomputer.com/forums/topic446429.html ?

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 YesImOtto (Topic Starter)

Posted 17 March 2012 - 07:37 PM

No, that one has been solved by boopme, and I am waiting for the response team in the Malware team - this is a different topic :)

So....somebody? Or what about you, Orange Blossom :P

#4 YesImOtto (Topic Starter)

Posted 18 March 2012 - 12:43 AM

Could this be because I have more than 1 AV, and the AVG (which I used for rootkit scan) sees other AVs as rootkits? This is what boopme told me.

#5 Orange Blossom (OBleepin Investigator, Moderator)

Posted 18 March 2012 - 08:20 AM

Oh, so this IS the same computer?

Note, you should only have one AV on your computer. Having more than one actually decreases your level of security.

Given that this is the same COMPUTER as discussed in your log topic, please wait for assistance from the Team. They are trained in identifying and removing rootkits along with other malware.


#6 YesImOtto (Topic Starter)

Posted 18 March 2012 - 10:49 AM

When you say log topic, you mean the one where boopme told me to post? The Malware section, right?

If so, I will wait for them.

As for AV....I have

MBAM
SuperSAS
AVG
AVAST

And other things like Spyware blaster, ESET online scanner, but these are fine, no?

As for those 4 however.... I always thought Avast was free. I downloaded it, used it, it is very nice, but at the bottom of the main page in the interface, there is a long yellow bar saying when it will expire. Why? In my case it's 27 days. Why, I downloaded the free version...

If I can use Avast even after 27 days then I will delete AVG, what do you think Orange?

#7 Orange Blossom (OBleepin Investigator, Moderator)

Posted 18 March 2012 - 02:19 PM

When you say log topic, you mean the one where boopme told me to post? The Malware section, right?


Yes

As for AV....I have

MBAM
SuperSAS
AVG
AVAST


MBAM is an antimalware product, not an AntiVirus product. It's fine to have this along with an AV.

SuperAntiSpyware also is not an Antivirus but is an antispyware product. Also good to have on hand, but I would suggest having it as an on demand scanner only.

AVG and AVAST are both Antivirus products. You must choose one to keep and one to uninstall.

And other things like Spyware blaster, ESET online scanner, but these are fine, no?


These are fine. I would suggest when running the ESET online scanner, that you disable your active AV protection while the scan is running and NOT to use the internet for any purpose other than that scan while it is in action. Once it's complete, reactivate your real-time AV protection.

I always thought Avast was free. I downloaded it, used it, it is very nice, but at the bottom of the main page in the interface, there is a long yellow bar saying when it will expire. Why? In my case its 27 days. Why, I downloaded the free version...


AVAST is free, but they require that you register it each year you have it.


#8 YesImOtto (Topic Starter)

Posted 18 March 2012 - 07:49 PM

So, that long yellow bar showing how many days I have (26 days) is nothing to worry about, Orange? If so, I may proceed and uninstall AVG.

So.....it's really true having more than 1 AV can reduce security...?

AVG is quite good though, it picked up these 2 rootkits, where no other AV, MBAM, or SuperSAS did.

I would love to hear your suggestion, Orange :)

So what are these 2 rootkits? Are they just, like boopme says, 2 AVs seeing each other as rootkits?

#9 Orange Blossom (OBleepin Investigator, Moderator)

Posted 19 March 2012 - 08:00 AM

I have asked quietman7 to take over on this topic as he is more knowledgeable than I. Please be patient and await his reply.


#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 19 March 2012 - 08:51 AM

Hello sumosalad

First of all, you need to understand what a rootkit is before jumping to any conclusions in regards to a detection.

Rootkits are powerful system-monitoring programs that are almost impossible to detect and difficult to remove. Rootkits are not an infection in and of themselves but are used by backdoor Trojans and Botnets to conceal their presence. Legitimate programs can also use rootkits for legitimate reasons so its presence is not always indicative of a malware infection. When used for malicious reasons, a rootkit's purpose is to hide itself from view in order to prevent detection of an attacker's software and make removal more difficult.

Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators, sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

The AVG Anti-rootkit module detects rootkit-like characteristics and behavior but since many legitimate programs use rootkit techniques, a detection does not always mean it's bad. ntkrnlpa.exe is the kernel image for Windows NT operating systems and a legitimate file. The scan indicates corruption in the ntkrnlpa.exe file but does not provide enough information. An AVG Mod has said this detection could have been caused due to multiple active resident security programs used. See this AVG forum discussion thread.

IMO avast is a much better anti-virus and I would trust its results more than AVG. Malwarebytes' Anti-Malware uses a proprietary low level driver similar to some anti-rootkit (ARK) scanners to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SUPERAntiSpyware Free offers technology to deal with rootkit infections as well.

If you want to learn more about rootkits, please refer to:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click
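quietman7's point, that a dispatch table such as the SSDT can be rewritten by security software and by rootkits alike, and that an ARK scanner only reports the changed entries without judging them, can be made concrete with the following added Python simulation. It is not code from the post, from AVG, or from any real scanner: the kernel image name is real, but the address ranges, table contents and the driver name "example_av.sys" are constructed placeholders. The scanner pass diffs a live table against a known-good baseline; the triage pass then resolves each hook target to the loaded module that owns it, which is the step an analyst has to do by hand when a report shows a modified entry with file `<unknown>`.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set


@dataclass(frozen=True)
class Module:
    """A loaded kernel module and its address range (values constructed for this demo)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class HookReport:
    """One dispatch-table entry whose live value differs from the baseline."""
    index: int
    service: str
    expected: int          # pointer recorded in the known-good baseline
    actual: int            # pointer currently in the live table
    owner: Optional[str]   # module whose range holds `actual`; None if no module claims it


# Constructed layout: the kernel image plus one hypothetical security driver.
# "example_av.sys" is a placeholder name, not a real driver.
MODULES: List[Module] = [
    Module("ntkrnlpa.exe", 0x8040_0000, 0x0020_0000),
    Module("example_av.sys", 0xF700_0000, 0x0001_0000),
]

SERVICE_NAMES = ["NtCreateFile", "NtOpenProcess", "NtQueryDirectoryFile", "NtWriteFile"]

# Baseline table: every service handled inside the kernel image (constructed addresses).
BASELINE_TABLE = [0x8040_1A00, 0x8040_2B10, 0x8040_3C20, 0x8040_4D30]

# Live table: NtOpenProcess redirected into the security driver (a legitimate
# self-protection hook); NtQueryDirectoryFile redirected to memory that no
# loaded module claims, which is the entry an analyst should look at first.
LIVE_TABLE = [0x8040_1A00, 0xF700_0480, 0xFE12_3456, 0x8040_4D30]


def resolve_owner(addr: int, modules: Sequence[Module]) -> Optional[str]:
    """Return the name of the module whose range contains addr, or None."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return None


def check_dispatch_table(baseline: Sequence[int], live: Sequence[int],
                         names: Sequence[str], modules: Sequence[Module]) -> List[HookReport]:
    """Scanner pass: compare the live table with the baseline and report every
    changed entry. Like an ARK scanner, this reports differences only."""
    if not (len(baseline) == len(live) == len(names)):
        raise ValueError("baseline, live table and name list must have equal length")
    return [
        HookReport(i, names[i], exp, act, resolve_owner(act, modules))
        for i, (exp, act) in enumerate(zip(baseline, live))
        if exp != act
    ]


def triage(reports: Sequence[HookReport], trusted: Set[str]) -> List[HookReport]:
    """Triage pass: drop hooks owned by modules the analyst has verified as
    legitimate (installed security software); keep the rest, including hooks
    whose target lies outside every loaded module."""
    return [r for r in reports if r.owner is None or r.owner not in trusted]


def describe(report: HookReport) -> str:
    owner = report.owner or "<unknown>"
    return (f"[{report.index}] {report.service}: 0x{report.expected:08X} -> "
            f"0x{report.actual:08X} (owner: {owner})")


if __name__ == "__main__":
    hooks = check_dispatch_table(BASELINE_TABLE, LIVE_TABLE, SERVICE_NAMES, MODULES)
    print("Scanner view (every modified entry):")
    for h in hooks:
        print("  " + describe(h))
    print("After trusting example_av.sys:")
    for h in triage(hooks, {"example_av.sys"}):
        print("  " + describe(h))
```

With an empty trusted set the triage pass returns everything the scanner found, which is the situation the opening post is in: two modified entries and no way, from the report alone, to tell whether the installed security products or something else made the change. Knowing which driver owns the hook target is what turns a raw detection into a verdict.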

#11 YesImOtto (Topic Starter)

Posted 19 March 2012 - 09:56 AM

Ah.....so rootkits by themselves are not bad, quietman? So an example would be a knife - in itself they are neutral/not harmless. In the hands of a chef (legitimate programs), it becomes good, used for cutting food, but in the hands of a bad person (trojan, malware, etc.) it becomes bad, am I correct here?

If so, then I will not worry about them, however I think the 2 rootkits came up as soon as I installed Avast, which makes me think that like boopme told me, 1 AV may see the other as a threat. So perhaps that is why AVG reports me having rootkits. They are probably just Avast.

Soon I will delete AVG.

#12 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 19 March 2012 - 10:17 AM

So an example would be a knife - in itself they are neutral/not harmless. In the hands of a chef (legitimate programs), it becomes good, used for cutting food, but in the hands of a bad person (trojan, malware, etc.) it becomes bad, am I correct here?

Yes, you could phrase it that way.

Soon I will delete AVG.

The correct way to remove any program is to use Add/Remove Programs from the Control Panel or Programs and Features in Vista/Windows 7 first, then restart the computer and delete the Program folder if it still exists. If you just delete the folder, the program would still be listed in Add/Remove as an orphan entry along with all its associated registry entries. To remove it and the leftovers, you would either have to edit the registry or use a third party utility.

If normal removal methods do not work, you can download and use AVG's uninstall/cleanup utility.

AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc. AVG Remover is the last option to be used in case the AVG uninstall / repair installation process has failed repeatedly.

AVG Remover
AVG Remover downloads for 32-bit, 64-bit systems



