Hi, I need just some confirmation not to worry about some things that emerged from a scan with RootRepeal and ComboFix.
Well, I imagine you know these tools. However, they scan for hooks in the SSDT, check driver signatures and look for hidden files, processes, etc.
So I scanned my PC (I usually do that once a week) and RootRepeal found two hidden drivers. At first I suspected a rootkit, then I remembered I had installed avast a couple of days before.
So I tried to uninstall avast and, as I suspected, these hidden drivers disappear (they are a duplicated version of tcpip.sys and ntfs.sys).
Then I reinstalled avast and they reappeared.
Could you confirm that this is standard behavior for avast (all antiviruses have to use similar techniques …)?
After that, however, I made a scan with ComboFix, which uses GMER technology and other tools.
During the scan it found a modification of NTDLL:
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-10 14:14
Windows 5.1.2600 Service Pack 3 NTFS
Actually, I am worried about what RootRepeal and GMER found, not vice versa.
Can you confirm that avast puts in place two hidden drivers (ntfs.sys and tcpip.sys …) and hooks two ntdll functions (ZwClose, ZwOpenFile)?
[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED …
[ ] IAT/EAT
[ ] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don't miss this one)
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg
[*] Then click the Scan button and wait for it to finish.
[*] Once done, click on the [Save…] button, and in the File name area, type in "ark.txt".
[*] Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your post.
Well, I made some tests today.
I uninstalled avast on that machine and the hidden drivers disappeared, so they are definitely from avast.
Then I uninstalled Comodo too … and the ntdll code modification disappeared.
So the system was absolutely clean … those entries came from avast and Comodo.
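The test above (uninstall each product in turn and see which entries vanish) answers the question "which module owns this hook?". The same question can be asked of the scanner log directly: an inline JMP whose target address falls inside a module belonging to installed security software is the expected hooking behaviour discussed in this thread, while a JMP into memory that no module backs is the pattern worth a second look. The Python script below is an added example, not code from the thread and not GMER or RootRepeal code; the log lines are constructed for illustration, loosely modelled on the per-process "User code sections" style of a GMER report, and the module paths (hips_hook.dll, avhook.dll) and the KNOWN_SECURITY_MODULES table are hypothetical placeholders that an analyst would fill in with the real paths of the products on their box.

```python
"""Triage inline user-mode hooks listed in a rootkit-scanner log.

Added example, not part of the forum thread and not GMER/RootRepeal code.
SAMPLE_LOG is constructed for illustration; a real tool's exact line
format may differ, so adjust HOOK_RE before pointing this at real output.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: one patched function per ".text" line, with the
# hooked process[pid], module!function, address, patch size, and the JMP
# target plus (when the scanner could resolve it) the module backing it.
SAMPLE_LOG = r"""
---- User code sections - GMER ----

.text  C:\WINDOWS\explorer.exe[1240] ntdll.dll!ZwClose       7C90CFD4 5 Bytes  JMP 00FB0000 C:\WINDOWS\system32\hips_hook.dll
.text  C:\WINDOWS\explorer.exe[1240] ntdll.dll!ZwOpenFile    7C90D59E 5 Bytes  JMP 00FB0050 C:\WINDOWS\system32\hips_hook.dll
.text  C:\WINDOWS\explorer.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes  JMP 10001F20 C:\Program Files\AV Vendor\avhook.dll
.text  C:\WINDOWS\svchost.exe[988] ntdll.dll!ZwWriteVirtualMemory 7C90E8C4 5 Bytes  JMP 01A40000
"""

# Hypothetical: modules the analyst knows belong to security products that
# are installed on the machine (a HIPS/firewall and an antivirus here).
KNOWN_SECURITY_MODULES = {
    r"c:\windows\system32\hips_hook.dll": "HIPS/firewall",
    r"c:\program files\av vendor\avhook.dll": "antivirus",
}

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>\S+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+"
    r"JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*?))?\s*$"
)


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    func: str
    addr: int
    size: int
    target: int
    owner: Optional[str]  # module backing the JMP target, if resolved


def parse_hooks(log: str) -> list[Hook]:
    """Extract hook records; headers, blank lines and other sections are skipped."""
    hooks = []
    for line in log.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            process=m["process"], pid=int(m["pid"]),
            module=m["module"], func=m["func"],
            addr=int(m["addr"], 16), size=int(m["size"]),
            target=int(m["target"], 16), owner=m["owner"],
        ))
    return hooks


def classify(hook: Hook, known: dict[str, str] = KNOWN_SECURITY_MODULES) -> str:
    """Verdict for one hook: a JMP into a known security product's module is
    the expected self-protection/monitoring case; a JMP into memory that no
    module backs is the case that deserves investigation."""
    if hook.owner is None:
        return "suspicious: jump into memory not backed by any module"
    product = known.get(hook.owner.lower())
    if product:
        return f"expected: {product} hook ({hook.owner})"
    return f"review: unknown module {hook.owner}"


def triage(log: str) -> list[tuple[str, str]]:
    """Return (module!function, verdict) pairs, one per hook line."""
    return [(f"{h.module}!{h.func}", classify(h)) for h in parse_hooks(log)]


def hooks_by_owner(log: str) -> dict[str, list[str]]:
    """Group hooked functions by the module that owns the hook: the same
    question the poster answered by uninstalling each product in turn."""
    groups: dict[str, list[str]] = defaultdict(list)
    for h in parse_hooks(log):
        groups[h.owner or "<unbacked memory>"].append(f"{h.module}!{h.func}")
    return dict(groups)


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG):
        print(f"{name:32} {verdict}")
    for owner, funcs in hooks_by_owner(SAMPLE_LOG).items():
        print(f"{owner}: {', '.join(funcs)}")
```

The grouping step is the useful part: if every ntdll hook resolves to one module, and that module disappears when the corresponding product is uninstalled, the entries are that product's doing, which is exactly what the tests in this thread showed. A hook whose target has no owning module is the one case the allow-list cannot explain away and should be examined rather than dismissed as a false positive.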
Darn, you beat me to it - I saw the Comodo elements there as well. Avast was doing its job monitoring the at-risk files and Comodo was just hooking them for no reason that I could see a firewall would.
However, I think avast should highlight the hidden drivers issue, because people could get scared about that and reinstall Windows.
From what I saw, avast acts like that not just with tcpip and ntfs, but from time to time also with other drivers, creating a double.
Nowadays it is inevitable for a good antimalware to use techniques very similar to rootkits' ones … so there is nothing to hide … you do what you have to do to protect the system.
Which is why whenever I use GMER I add this proviso:
Caution: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Self-protection means the drivers must be hidden; AVG does not do this, and I have had 3 instances in the last two weeks where the TDL3 rootkit has infected the main AVG driver!