Hi, I’m new here. I have a problem: when I start the PC, avast detects a virus named win32:vantik (there is no information in English on the internet about it), and then when the PC restarts the video doesn’t work. The computer is on, I can see it on the LAN, and the LAN printer attached to the computer is working, but the screen is totally black. The only solution I found is to reinstall Windows and repair the actual installation. That takes about half an hour, but at least the computer goes back to working well. Then avast detects the virus again in this file (this file is in windows/system32, the OS is Windows XP SP2) and everything happens again. The worst part is that the computer can’t be on all the time, so it has to be shut down every day. How can I solve this?
Hi…
From what I am able to find out, W32 Vantik appears to be a rootkit. What it does for whom, I have no clue.
If I am understanding you correctly, Avast again found the virus a second time after you reinstalled windows, am I right? If so, a couple questions:
- Was Avast the very first program you installed after reinstalling Windows? If not, what did you install between the two?
- Is your copy of Windows XP legal and genuine and on a factory issued CD? Or is it a burned copy you received from a friend or relative?
Best Regards…
- Avast was the first program I installed after reinstalling Windows
- The Windows CD is a burned copy, but it has been used many times without problems; also, the PC had more than 6 months with the last installation before the problem appeared
The log with the alarm says:
File name:C:\WINDOWS\system32\drivers\vga.sys
Malware name: Win32:Vanti-BK [Rtk]
Type: Rootkit
VPS version: 080523-0, 23/05/2008
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.
If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
No detection of anything on mine, XP Pro SP2.
I followed your instructions, this is what I found:
Análisis del archivo vga.sys recibido el 23.05.2008 22:44:33 (CET)
Estado actual: análisis terminado
Resultado: 0/32 (0.00%)
Motor antivirus Versión Última actualización Resultado
AhnLab-V3 2008.5.22.1 2008.05.23 -
AntiVir 7.8.0.19 2008.05.23 -
Authentium 5.1.0.4 2008.05.23 -
Avast 4.8.1195.0 2008.05.23 -
AVG 7.5.0.516 2008.05.23 -
BitDefender 7.2 2008.05.23 -
CAT-QuickHeal 9.50 2008.05.23 -
ClamAV 0.92.1 2008.05.23 -
DrWeb 4.44.0.09170 2008.05.23 -
eSafe 7.0.15.0 2008.05.22 -
eTrust-Vet 31.4.5815 2008.05.23 -
Ewido 4.0 2008.05.23 -
F-Prot 4.4.4.56 2008.05.23 -
F-Secure 6.70.13260.0 2008.05.23 -
Fortinet 3.14.0.0 2008.05.23 -
GData 2.0.7306.1023 2008.05.23 -
Ikarus T3.1.1.26.0 2008.05.23 -
Kaspersky 7.0.0.125 2008.05.23 -
McAfee 5302 2008.05.23 -
Microsoft 1.3520 2008.05.23 -
NOD32v2 3127 2008.05.23 -
Norman 5.80.02 2008.05.23 -
Panda 9.0.0.4 2008.05.23 -
Prevx1 V2 2008.05.23 -
Rising 20.45.42.00 2008.05.23 -
Sophos 4.29.0 2008.05.23 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.23 -
TheHacker 6.2.92.318 2008.05.23 -
VBA32 3.12.6.6 2008.05.23 -
VirusBuster 4.3.26:9 2008.05.23 -
Webwasher-Gateway 6.6.2 2008.05.23 -
Información adicional
File size: 20992 bytes
MD5…: 8a60edd72b4ea5aea8202daf0e427925
SHA1…: 0aa68f6fbe29e8359942d2cdefe7e9b8527568ab
SHA256: ed0624b285e4f64e07e30c12490873a2090f9dfd6a91a2eda7a1082b88a8199e
SHA512: 88f6a457daf60dfc7ba2a46e46bbe5dea1f45fc0a229f7f64bf48577d6c5c3c306d110477ef74b0f6a277f800e5bfe32300a8b93335d96b0d358a2012de1773f
PEiD…: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x14642
timedatestamp…: 0x41107d0a (Wed Aug 04 06:07:06 2004)
machinetype…: 0x14c (I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x3d0 0x400 6.11 7f9d3555fc0fa39e6c35e04f62968ea5
.rdata 0x780 0x134 0x180 2.69 68c533c5ab20eb8bbd4df6edcde875b5
.data 0x900 0xc 0x80 0.38 0c41a08c90a7d5e81bf065649ebabedc
PAGE 0x980 0x36e0 0x3700 6.29 1e701edde3d8b50fb912912ae1b1944f
PAGE_DAT 0x4080 0x4d2 0x500 2.75 7f80608610eea5275fc62df4c81ecc35
INIT 0x4580 0x510 0x580 5.12 64952cd39bfd619bae392603d8bb401f
.rsrc 0x4b00 0x3f0 0x400 3.38 7afff939e936aef204b8ff5c95cc9f57
.reloc 0x4f00 0x2ba 0x300 5.70 ff2779d16f2b082837239428beae8eae
( 2 imports )
ntoskrnl.exe: KeBugCheckEx, KeTickCount, memmove, _except_handler3
VIDEOPRT.SYS: VideoPortFreePool, VideoPortQueryServices, VideoPortFreeDeviceBase, VideoPortInitialize, VideoPortReadPortUshort, VideoPortWritePortBufferUshort, VideoPortWritePortUshort, VideoPortWritePortUchar, VideoPortReadPortUchar, VideoPortZeroDeviceMemory, VideoPortStallExecution, VideoPortInt10, VideoPortZeroMemory, VideoPortCompareMemory, VideoPortVerifyAccessRanges, VideoPortWriteRegisterBufferUchar, VideoPortAllocatePool, VideoPortSetTrappedEmulatorPorts, VideoPortMoveMemory, VideoPortReadRegisterUchar, VideoPortWriteRegisterUchar, VideoPortWritePortUlong, VideoPortGetDeviceBase, VideoPortGetDeviceData, VideoPortUnmapMemory, VideoPortMapMemory, VideoPortSynchronizeExecution, VideoPortReadPortUlong
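An added example, not part of any post in this thread: a Python sketch that reads the header fields the VirusTotal PEInfo block above lists (machine type, link timestamp, entry point, section names) plus the SHA-256, so a flagged driver can be compared with a copy taken from trusted installation media. The function names and the header-only sample image are constructed for illustration; the sample reuses the field values quoted in the report.

```python
import hashlib
import struct
from datetime import datetime, timezone

def pe_summary(data: bytes) -> dict:
    """Return the header fields a PEInfo-style report lists, plus the SHA-256."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 20-byte COFF header: machine, section count, link timestamp, ...
    machine, count, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (entry,) = struct.unpack_from("<I", data, opt_off + 16)
    table = opt_off + opt_size  # section table follows the optional header
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(count)]
    return {
        "machine": hex(machine),
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "entry_point": hex(entry),
        "sections": names,
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def differing_fields(suspect: bytes, reference: bytes) -> list:
    """Names of summary fields that differ between a suspect file and a trusted copy."""
    a, b = pe_summary(suspect), pe_summary(reference)
    return [key for key in a if a[key] != b[key]]

def build_sample() -> bytes:
    """Constructed header-only image carrying the field values quoted in the report."""
    names = [b".text", b".rdata", b".data", b"PAGE", b"PAGE_DAT", b"INIT", b".rsrc", b".reloc"]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0x41107D0A, 0, 0, 0xE0, 0x010E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x14642)   # AddressOfEntryPoint
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections

if __name__ == "__main__":
    clean = build_sample()
    patched = clean + b"\x90"  # constructed: same headers, one appended byte
    print(pe_summary(clean))
    print(differing_fields(patched, clean))
```

Identical header fields do not mean identical files: only the hash covers every byte, which is why the constructed patched copy differs in `sha256` alone.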
Interesting that avast doesn’t find it in the VirusTotal (VT) scan, though there are times that VT VPS isn’t as up to date as the user’s system (or you aren’t using the latest VPS).
So first ensure you have the latest VPS, 080523-0 is the latest and scan the file on your system. If still found as infected send to avast for analysis as a false positive and exclude the file from scans, information on how to do this in the link in my first reply above.
Is it the rootkit detector that’s detecting this, not the AV engine?
Hello Staff and Users of Avast.
Greetings!
I’ve been using Avast (free) for almost three years now and I am very pleased with the product and I haven’t encountered a single problem (either home or office) until now. When I inserted a flash drive (not mine by the way), Avast automatically detected this “rootkit” and offered a solution to either move it to the chest or delete it. Initially I selected to move it to the chest since this has worked for me in the past. But this particular problem kept coming up every time I boot my computer.
I tried using the online scanners as well as other notable AV vendors and they all keep saying that they are not able to detect the rootkit. As stated by Überevangelist DavidR, I’ve added this file in my excluded list options and informed Avast.
Avast, please inform us, your loyal and humble users, on when can we expect a solution to this issue. Thank you very much in advance.
Cheerios,
Jay-r
Which version of avast are you using at the office?
Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
I’m having the same problem with this… It keeps appearing every time I open my USB flash drive.
edited:
Oops… sorry, I’ve read that VGA.SYS is a file information on Windows… so is it a false positive? (just a confirmation)
so is it a false positive?
Apparently not.
http://forum.avast.com/index.php?topic=35761.msg302364#msg302364
Search the board for Vanti-BK for more info.