AVG found Hidden Rootkits


3 replies to this topic

#1 dnMichael (Members, 1 posts)

Posted 12 June 2012 - 09:52 AM

AVG Free 2012 found 53 rootkits that are listed as "Object is hidden" and it warns me they could actually be legit files.
The files mentioned in the scan results are hal.dll, ntoskrnl.exe, ACPI.sys, fltmgr.sys, Ntfs.sys, tcpip.sys, and win32k.sys.

TDSSKiller doesn't find anything when I scan with it, and I'm afraid I'll break everything if I tell AVG to go ahead and remove them.

I'm on Windows 7 Pro SP1 x64.

#2 quietman7, Bleepin' Janitor (Global Moderator, 51,591 posts, Virginia, USA)

Posted 12 June 2012 - 10:24 AM

Not all hidden components detected by anti-rootkit (ARK)/anti-virus scanners and security tools are malicious. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators, sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

If you are using a CD Emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD, etc) be aware that they use rootkit-like techniques to hide from other applications and can interfere with investigative or security tools. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, unexpected crashes, BSODs, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD Emulators.

If your system is infected with malware, there most likely would be some signs of infection or symptoms such as slow performance, high CPU usage, browser redirects, BSODs, etc.

In most cases further investigation is required after the initial ARK scan. AVG Forum: How To Handle Suspicious False Positive Detection - Anti-Rootkit False Positives?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 eloisescarlett (Members, 1 posts)

Posted 13 June 2012 - 08:42 AM

"";"C:\Windows\System32\Drivers\spdc.sys";"atapi.sys, hooked import ataport.SYS AtaPortReadPortBufferUshort -> spdc.sys +0x2E35C";"Object is hidden"
"";"C:\Windows\System32\Drivers\spdc.sys";"atapi.sys, hooked import ataport.SYS AtaPortReadPortUchar -> spdc.sys +0x2E224";"Object is hidden"
"";"C:\Windows\System32\Drivers\spdc.sys";"atapi.sys, hooked import ataport.SYS AtaPortWritePortUchar -> spdc.sys +0x2EA24";"Object is hidden"
"";"C:\Windows\System32\Drivers\spdc.sys";"atapi.sys, hooked import ataport.SYS AtaPortWritePortBufferUshort -> spdc.sys +0x2EBA0";"Object is hidden"
"";"C:\Windows\System32\Drivers\spdc.sys";"Inline hook ataport.SYS DllUnload -> spdc.sys +0x654C0";"Object is hidden"
"";"C:\Windows\System32\Drivers\spdc.sys";"pci.sys, hooked import ntoskrnl.exe IoDetachDevice -> spdc.sys +0x696FC";"Object is hidden"



I don't know what any of this means, but it scares me. I ran a scan because my computer has been playing up lately. AVG found '6 potentially dangerous rootkits' and not all were removed. AVG says 'object is hidden', but if that is why my computer is misbehaving I don't want them hidden, I want them gone. I don't know what to do.

#4 quietman7, Bleepin' Janitor (Global Moderator, 51,591 posts, Virginia, USA)

Posted 13 June 2012 - 10:59 AM

I did a search and found a few logs with spdc.sys but no indication that it is malicious or what program created it.

Get a second opinion. Go to one of the following online services that analyze suspicious files:
In the "File to Scan" (Upload or Submit) box, browse to the location of spdc.sys and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.
-- Post back with the results of the file analysis.

pci.sys is related to Microsoft's PCI Bus Driver.
atapi.sys is related to Microsoft's IDE/ATAPI Port Driver.
ataport.sys is related to ATA Port Driver.
ntoskrnl.exe is the kernel image for Microsoft Windows NT operating systems.


Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!
-- The tool is frequently updated...if you used TDSSKiller previously, delete that version and download the most current one before using again.

Be sure to print out and follow these instructions for performing a scan.
  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
  • Alternatively, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If an update is available, TDSSKiller will prompt you to update and download the most current version. Click Load Update. Close TDSSKiller and start again.
  • When the program opens, click the Change parameters button.
  • Under "Additional options", check the boxes next to Verify file digital signatures and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If 'Suspicious objects' are detected, the default action will be Skip. Leave the default set to Skip and click on Continue.
  • If Malicious objects are detected, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected...then click Continue -> Reboot computer for cure completion.
  • Important! -> If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it to something else before beginning the download and saving to the computer or to perform the scan in "safe mode".


Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After the scan, make sure that everything is checked and then click the Remove Selected button to remove all the listed malware.
  • When done, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

Note: A 14-day trial of Malwarebytes Anti-Malware PRO is available as an option when first installing the free version so all users can test the real-time protection component for a period of two weeks. When the limited time period expires those features will be deactivated and locked. Enabling the Protection Module feature again requires registration and purchase of a license key that includes free lifetime upgrades and support. If you continue to use the free version, there is no requirement to buy a license...you can just use it as a stand-alone scanner.
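The six AVG result lines in post #3 share one format, and quietman7's reply works through them by asking which driver the hooked functions now resolve to. The Python below is an added example (not AVG's, TDSSKiller's or BleepingComputer's code) that parses that format and groups the hooks by target driver; the field layout and the hook-description grammar are inferred from the posted lines, and the list of known Microsoft components is taken from quietman7's identifications in post #4, so it is an assumption rather than an authoritative allow-list.

```python
import csv
import re
from collections import Counter

# Constructed test input: three of the six AVG result lines quoted in post #3.
SAMPLE = r'''"";"C:\Windows\System32\Drivers\spdc.sys";"atapi.sys, hooked import ataport.SYS AtaPortReadPortUchar -> spdc.sys +0x2E224";"Object is hidden"
"";"C:\Windows\System32\Drivers\spdc.sys";"Inline hook ataport.SYS DllUnload -> spdc.sys +0x654C0";"Object is hidden"
"";"C:\Windows\System32\Drivers\spdc.sys";"pci.sys, hooked import ntoskrnl.exe IoDetachDevice -> spdc.sys +0x696FC";"Object is hidden"
'''

# Hook-description grammar inferred from the posted lines (an assumption):
#   "<victim>, hooked import <module> <func> -> <target> +0x<offset>"   (import-table hook)
#   "Inline hook <module> <func> -> <target> +0x<offset>"               (inline code patch)
IMPORT_HOOK = re.compile(r"^(?P<victim>\S+), hooked import (?P<module>\S+) (?P<func>\w+) "
                         r"-> (?P<target>\S+) \+0x(?P<offset>[0-9A-Fa-f]+)$")
INLINE_HOOK = re.compile(r"^Inline hook (?P<module>\S+) (?P<func>\w+) "
                         r"-> (?P<target>\S+) \+0x(?P<offset>[0-9A-Fa-f]+)$")

# Components quietman7 identified as Microsoft's in post #4; assumed, not an authoritative list.
KNOWN_MICROSOFT = {"pci.sys", "atapi.sys", "ataport.sys", "ntoskrnl.exe"}


def parse_avg_line(line):
    """Split one result row (blank; hooking driver path; description; status) and decode the hook."""
    fields = next(csv.reader([line], delimiter=";", quotechar='"'))
    rec = {"path": fields[1], "status": fields[3], "kind": "unknown", "victim": None}
    match, kind = IMPORT_HOOK.match(fields[2]), "import"
    if match is None:
        match, kind = INLINE_HOOK.match(fields[2]), "inline"
    if match is not None:
        rec.update(match.groupdict())           # module, func, target, offset (+ victim for import hooks)
        rec["kind"] = kind
        rec["offset"] = int(rec["offset"], 16)  # byte offset into the target driver image
    return rec


def triage(report):
    """Group hooks by the driver they resolve to and list the targets not on the known list.

    ARK output only says what it found; grouping by target turns six alarming lines
    into the one question quietman7 asks: what is spdc.sys, and who published it?
    """
    records = [parse_avg_line(l) for l in report.splitlines() if l.strip()]
    targets = Counter(r["target"].lower() for r in records if r["kind"] != "unknown")
    unknown = sorted(t for t in targets if t not in KNOWN_MICROSOFT)
    return targets, unknown
```

On the posted log, every hooked module (atapi.sys, ataport.sys, pci.sys, ntoskrnl.exe) is a known Microsoft component and every hook lands in spdc.sys, which is exactly the file the reply asks to have submitted for a second opinion.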



