Rootkit warning, nothing detected?

Viruses and worms
1

Hi all.

I have a full scan scheduled for 2am daily. Three times over the last month, it’s reported multiple instances of “Threat: Rootkit hidden process” with a result of “Error: access is denied(5)”, alternating between two different PIDs.

Doing a manual scan picks up nothing. Running an f-secure boot-cd brought up no infections. MBAM showed no infections.

Should I be worried, or is this a false positive?

Thanks

rob

2

follow the guide here, attach the log`s an let Essexboy have a look…he will enter the forum soon…
http://forum.avast.com/index.php?topic=53253.0

3

Quick scan said nothing found. Full scan didn’t find anything relevant, just a couple of files I knew were there.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7982

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

19/10/2011 20:28:42
mbam-log-2011-10-19 (20-28-31).txt

Scan type: Full scan (C:\|L:\|Q:\|)
Objects scanned: 516628
Time elapsed: 2 hour(s), 13 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Burn\smartftp\smartftp_4.0_build_1097_32_64\smartftp 4.0 build 1097_32_64\ap-stfp4xv2\smartftp.v4.x.universalpatch.v2\!patch\ap-stfp4xv2.exe (RiskWare.Tool.HCK) -> No action taken.
c:\program files (x86)\fairuse4wm\mirakagi.exe (RiskWare.Tool.CK) -> No action taken.


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-19 22:20:46
-----------------------------
22:20:46.570    OS Version: Windows x64 6.1.7601 Service Pack 1
22:20:46.570    Number of processors: 2 586 0x170A
22:20:46.572    ComputerName: TIFFANY  UserName: robert
22:20:48.569    Initialize success
22:20:48.987    AVAST engine defs: 11101901
22:29:05.199    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:29:05.203    Disk 0 Vendor: Hitachi_ FB4O Size: 305245MB BusType: 3
22:29:05.207    Disk 0 MBR read error 0
22:29:05.211    Disk 0 MBR scan
22:29:05.215    Disk 0 unknown MBR code
22:29:05.219    MBR BIOS signature not found 0
22:29:05.223    Service scanning
22:29:05.998    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
22:29:06.054    Service Vsdatant C:\Windows\system32\DRIVERS\vsdatant.sys **LOCKED** 32
22:29:06.602    Modules scanning
22:29:06.610    Disk 0 trace - called modules:
22:29:06.644    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys sppm.sys hal.dll 
22:29:06.652    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004cf1400]
22:29:06.662    3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004b30050]
22:29:07.701    AVAST engine scan C:\Windows
22:29:24.414    AVAST engine scan C:\Windows\system32
22:29:34.424    AVAST engine scan C:\Windows\system32\drivers
22:29:44.435    AVAST engine scan C:\Users\robert
22:29:54.447    AVAST engine scan C:\ProgramData
22:29:54.457    Scan finished successfully
22:49:50.839    Disk 0 MBR has been saved successfully to "L:\temp\MBR.dat"
22:49:50.919    The log file has been saved successfully to "L:\temp\aswMBR.txt"
4

Essexboy is in bed now so you have to wait untill he is back tomorrow
he is usually in here around 08:00pm - 11:59pm UK time…

5

Okies, thank you. I’ll be patient!

6

It seems like rootkits and malware keeps getting more advanced I had one recently that couldn’t be detected by avast malwarebytes or any other program.RagnarokIt killed safe mode and infected my bios forcing my PC to keep resetting I formated the hard drive by hooking it to USB and had to reset the CMOS and reload the bios it was a CNA Training friggen nightmare.

7

The log appears clean - as the detections are referencing PID, I assume you are using a memory scan. Which leads me to suspect that you are detecting signatures loaded into memory by an antimalware programme

Are you experiencing any unusual symptoms ?

8

I’m getting the “Threat: Rootkit hidden process” message too…and I never use Memory Scans.

9

0

Thanks for the help! It’s an avast full system scan that’s picking it up, so I presume it’s doing a memory scan. I’ve also got Zonealarm installed, so maybe it’s picking that up. I’m not experiencing anything particularly unusual… Hope it’s just the AV being over-cautious then…

10
  1. That’s right.
  2. I think so.
  3. Yes, nothing to worry about. :slight_smile:
11

Greetings!

I found this thread via a search after my avast complete scan caught several memory loaded spyeye, downloader, dialer, et al. in it’s web. The fine insight provided for this other gentleman’s query has me believing that’s what happened with mine.

A quick question:

I run Avast Pro, Malwarebytes pro and win defender simultaneously. Is it OK in anyone’s opinion? Should one be disconnected?

Also, if one cannot install Win7 SP1 would that be indicative of hanky panky?

Thanx,

griff

12

Welcome to the forum griff…!
Please start a new topic. Thanks.

13

Will do! Thx…

griff