ntfs.sys tcpip.sys rootrepeal combofix and avast.

Hi, I just need some confirmation that I shouldn't worry about some
things that emerged from a scan with rootrepeal and combofix.

Well, I imagine you know these tools. However,
they scan for hooks in the SSDT, check driver signatures
and look for hidden files, processes, etc.

So I scanned my PC (I usually do that once a week)
and rootrepeal found two hidden drivers. At first
I suspected a rootkit, then I remembered I had installed
avast a couple of days before.

So I tried uninstalling avast and, as I suspected,
these hidden drivers disappeared (they are duplicated
versions of tcpip.sys and ntfs.sys).

Then I reinstalled avast and they reappeared.

Could you confirm that this is standard behavior
for avast (all antivirus products have to use similar techniques
…)?

After that, however, I made a scan with combofix, which
uses gmer technologies and other tools.

During the scan it found
a modification of NTDLL:

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-10 14:14
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

Is that caused by avast too?

     Thanks in advance

Avast will check GMER while it does its thing - nothing to worry about

Actually, I am worried about what rootrepeal and gmer found,
not vice versa.
Can you confirm that avast puts in place two hidden
drivers (ntfs.sys and tcpip.sys …) and
hooks two ntdll functions (ZwClose, ZwOpenFile)?

Those are two files that are hooked by the latest TDL3 variant rootkit

We could run a full GMER and then see what that says

GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.


[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don't miss this one)


[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*] Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any "<— ROOTKIT" entries.
Please copy and paste the report into your Post.

done … thanks in advance.

PS: I had to zip it … so change the name to ark.zip and unzip it :wink:

Well, I made some tests today.
I uninstalled avast on that machine and the hidden drivers disappeared. So they are definitely
from avast.
Then I uninstalled comodo too … and the ntdll code modification disappeared.

So, the system was absolutely clean … that entry came from avast
and comodo.
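The elimination method used above (scan, remove one product, scan again, and attribute whatever vanished to the product just removed) can be applied mechanically to the catchme-format logs quoted earlier in the thread. The script below is an added example, not code from the thread or from GMER, catchme, RootRepeal or ComboFix. It parses only the two line shapes visible in the quoted log ("detected NTDLL code modification:" followed by a comma-separated list of exports, and "hidden files: N"), and the three scan texts it embeds are constructed for the example to mirror what the poster reported: the NTDLL hooks survive the removal of avast and disappear with the removal of comodo.

```python
"""Attribute anti-rootkit scanner findings to installed products by elimination.

Added example; it is not part of the original thread and not a feature of any
of the tools discussed. It understands the catchme log format quoted above and
diffs a sequence of scans taken while products are removed one at a time.
"""
import re
from typing import Dict, List, Set, Tuple

# "detected NTDLL code modification:" -> the next non-blank line lists the exports
MOD_HEADER_RE = re.compile(r"^detected (?P<module>\S+) code modification:\s*$")
# "hidden files: 0" -> summary counter at the end of the scan
HIDDEN_FILES_RE = re.compile(r"^hidden files:\s*(\d+)\s*$")


def parse_findings(log: str) -> Set[str]:
    """Return findings such as 'NTDLL:ZwClose' or 'hidden-files:3'.

    A zero hidden-file count is not a finding and is dropped.
    """
    findings: Set[str] = set()
    pending_module = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOD_HEADER_RE.match(line)
        if m:
            pending_module = m.group("module")
            continue
        if pending_module is not None:
            # the line after the header is the comma-separated export list
            for fn in (x.strip() for x in line.split(",")):
                if fn:
                    findings.add(f"{pending_module}:{fn}")
            pending_module = None
            continue
        m = HIDDEN_FILES_RE.match(line)
        if m and int(m.group(1)) > 0:
            findings.add(f"hidden-files:{m.group(1)}")
    return findings


def attribute(scans: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """scans: ordered (label, log) pairs; the first is taken with everything
    installed, each later one after removing the product named in its label.
    Returns {label: findings that vanished at that step}. Findings still
    present after the last removal are returned under 'unexplained'.
    """
    result: Dict[str, Set[str]] = {}
    previous = parse_findings(scans[0][1])
    for label, log in scans[1:]:
        current = parse_findings(log)
        gone = previous - current
        if gone:
            result[label] = gone
        previous = current
    if previous:
        result["unexplained"] = previous
    return result


# Constructed scan texts in the catchme format quoted in the thread.
ALL_INSTALLED = """catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-10 14:14
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
"""
# Removing avast did not remove the NTDLL modification.
WITHOUT_AVAST = ALL_INSTALLED
# Removing comodo did.
WITHOUT_COMODO = ALL_INSTALLED.replace("detected NTDLL code modification:\nZwClose, ZwOpenFile\n", "")

SCANS = [
    ("all installed", ALL_INSTALLED),
    ("without avast", WITHOUT_AVAST),
    ("without comodo", WITHOUT_COMODO),
]


def run_example() -> Dict[str, Set[str]]:
    """Attribute the constructed scans; expected: NTDLL hooks -> 'without comodo'."""
    return attribute(SCANS)


if __name__ == "__main__":
    for label, gone in run_example().items():
        print(f"{label}: {', '.join(sorted(gone))}")
```

Anything that ends up under "unexplained" survived every removal and is exactly the kind of entry that deserves the full GMER scan and log review suggested in the reply above, rather than being dismissed as vendor self-protection.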

Darn, you beat me to it - I saw the Comodo elements there as well. Avast was doing its job monitoring the at-risk files and Comodo was just hooking them for no reason that I could see a firewall would need.

However, I think Avast should highlight
the hidden drivers issue, because
people could get scared about that
and reinstall Windows.

From what I saw, avast acts like that
not just with tcpip and ntfs, but from
time to time also with other drivers,
creating a double.

Nowadays it is inevitable for a good
antimalware to use techniques very similar
to rootkits' ones … so there is nothing
to hide … you do what you have to do
to protect the system.

Which is why whenever I use GMER I add this proviso

Caution: Rootkit scans often produce false positives. Do NOT take any action on any "<— ROOTKIT" entries.

Self protection means the drivers must be hidden, AVG does not do this and I have had 3 instances in the last two weeks where the TDL3 rootkit has infected the main AVG driver !