
Rootkit - Not on (C:) Drive


11 replies to this topic

#1 Remag VII

  • Members
  • 21 posts

Posted 23 November 2013 - 12:35 PM

When I run a full scan of my laptop with McAfee, nothing is ever found. No news is good news right? The thing that bugs me is this: before getting to the (C:) Drive or External Drives on my laptop, McAfee scans a location called "Rootkit". Does that mean that there could be an actual Rootkit somewhere in my laptop?





#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 23 November 2013 - 03:13 PM

More information is needed.

Is this a folder named Rootkit?
Did McAfee save a log with the specific location?

Usually when a computer is infected with malware there will be indications (signs of infection) something is wrong.

McAfee has a McAfee Rootkit Remover tool. How do you use RootkitRemover.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Remag VII

  • Topic Starter
  • Members
  • 21 posts

Posted 23 November 2013 - 04:40 PM

It's not a folder. I think it's a process. Unfortunately, the log that McAfee generates doesn't go into any real detail about the scan. As far as signs of infection, I've had none, but I'm more worried about a rootkit that I wouldn't notice, such as one designed to steal personal info. I'm not 100% sure, but I doubt that I would notice any difference in speed because my laptop is an i7 with 16 gigs of RAM and an SSD. I've read about those rootkit removers, but I've heard that they have a reputation for false positives. Is that true? Nonetheless, I'll give them a go if those are my only options. Thanks a ton for your quick response, by the way!



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 23 November 2013 - 04:46 PM

Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a firewall, anti-virus and anti-malware software, CD emulators, virtual machines, sandboxes and host-based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. The SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API kernel hooks are not always bad, since some system monitoring software and security tools use them as well. If no hooks are active on a system, it means that all system services are handled by ntoskrnl.exe, which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad... they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

If you are using a CD emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD, etc.), be aware that they use rootkit-like techniques to hide from other applications and can interfere with investigative or security tools. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, unexpected crashes, BSODs, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD emulators.
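The SSDT point in the post above, as an added illustration that is not from the original post or from any McAfee tool: a toy model of the check an ARK scanner performs. It maps each service-table entry to the loaded module whose image range contains its address and reports every entry not served by ntoskrnl.exe, without judging whether the owning driver is good or bad. The module names avdriver.sys and cdemu.sys, and all addresses, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Module:
    """A loaded kernel module: image name, base address and size (constructed)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Constructed module list; avdriver.sys and cdemu.sys are hypothetical names
# standing in for an anti-virus driver and a CD-emulator driver.
MODULES = [
    Module("ntoskrnl.exe", 0xFFFFF80000000000, 0x00600000),
    Module("avdriver.sys", 0xFFFFF88001000000, 0x00080000),
    Module("cdemu.sys",    0xFFFFF88002000000, 0x00040000),
]

# Constructed SSDT: service index -> address Windows dispatches the call to.
SSDT = {
    0x52: 0xFFFFF80000123450,  # unhooked: served by ntoskrnl.exe
    0x55: 0xFFFFF88001004000,  # hooked: redirected into avdriver.sys
    0xA2: 0xFFFFF88002001234,  # hooked: redirected into cdemu.sys
    0xB3: 0xFFFFF8800FEDCBA0,  # hooked: no loaded module claims this address
}

def owner_of(addr: int, modules) -> Optional[str]:
    """Name of the module whose image range contains addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None

def scan_ssdt(ssdt, modules, kernel="ntoskrnl.exe"):
    """Return (index, address, owner) for every entry not handled by the kernel image.

    owner is "<unknown module>" when no loaded module covers the address. Like a
    real ARK scanner, this only reports hooks; a human still decides good vs. bad.
    """
    findings = []
    for idx, addr in sorted(ssdt.items()):
        owner = owner_of(addr, modules)
        if owner != kernel:
            findings.append((idx, addr, owner or "<unknown module>"))
    return findings

if __name__ == "__main__":
    for idx, addr, owner in scan_ssdt(SSDT, MODULES):
        print(f"service 0x{idx:02X} -> 0x{addr:016X} owned by {owner}")
```

Entries owned by a known, signed driver match the post's "legitimate hook" case; the entry that no loaded module claims is the one that warrants closer investigation.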

#5 Remag VII

  • Topic Starter
  • Members
  • 21 posts

Posted 23 November 2013 - 05:00 PM

Ahh! That helps! Thanks again!



#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 23 November 2013 - 05:02 PM

Not a problem.

#7 Union_Thug

    Bleeps with the fishes...

  • Members
  • 2,355 posts
  • Gender: Male
  • Location: is everything

Posted 23 November 2013 - 05:07 PM

See reply by "Hayton", Moderator @ McAfee Communities: https://community.mcafee.com/message/309536

...Two things here: "Scanning Rootkit" and boot Records.

The wording of that Rootkit message is misleading. We've already had a go at McAfee about this. It means "Scanning for rootkits", not that it's found one. Don't panic. Eventually they'll get around to changing the wording. In the meantime a lot of people get alarmed needlessly...

Hope this helps.
"U_T"



#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 23 November 2013 - 05:16 PM

Misleading indeed.

#9 Remag VII

  • Topic Starter
  • Members
  • 21 posts

Posted 23 November 2013 - 05:36 PM

Quoting Union_Thug (#7):

    See reply by "Hayton", Moderator @ McAfee Communities: https://community.mcafee.com/message/309536

    ...Two things here: "Scanning Rootkit" and boot Records.

    The wording of that Rootkit message is misleading. We've already had a go at McAfee about this. It means "Scanning for rootkits", not that it's found one. Don't panic. Eventually they'll get around to changing the wording. In the meantime a lot of people get alarmed needlessly...

    Hope this helps.
    "U_T"

Wow, I spent hours looking for this in various forums. I even called McAfee and the two Tech guys that I spoke to told me that I "probably" have a rootkit. I hung up when they asked me to pay them to check my computer. Thanks for setting my mind at ease. =)



#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 23 November 2013 - 05:48 PM

Sometimes the volunteers know more than the support techs.

#11 Remag VII

  • Topic Starter
  • Members
  • 21 posts

Posted 23 November 2013 - 05:57 PM

Hah =) Well I appreciate both of ya!



#12 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 23 November 2013 - 08:40 PM

You're welcome on behalf of the Bleeping Computer community.



