Author Topic: Avast detect a virus on vga.sys when restart video is off and nothing on screen  (Read 8836 times)


alfregil

  • Guest
Hi, I'm new here. I have a problem: when I start the PC, avast detects a virus named win32:vantik (no information in English on the internet about it), and then when the PC restarts the video doesn't work, so the computer is on, I can see it on the LAN and the LAN printer attached to the computer is working, but the screen is totally black. The only solution I found is to reinstall Windows and repair the actual installation. That takes like half an hour, but at least the computer goes back and works well. Then avast detects the virus again on this file (this file is in windows/system32; the OS is Windows XP SP2) and everything happens again. The worst is that the computer can't be on all the time, so it has to be shut down every day. How can I solve this?

ardvark

  • Guest
Hi....

From what I am able to find out, W32 Vantik appears to be a rootkit. What it does for whom, I have no clue.

If I am understanding you correctly, Avast again found the virus a second time after you reinstalled windows, am I right? If so, a couple questions:

1. Was Avast the very first program you installed after reinstalling Windows? If not, what did you install between the two?
2. Is your copy of Windows XP legal and genuine and on a factory issued CD? Or is it a burned copy you received from a friend or relative?

Best Regards...

alfregil

  • Guest
1. Avast was the first program I installed after reinstalling Windows.
2. The Windows CD is a burned copy, but it has been used many times without problems; also the PC had more than 6 months with the last installation before the problem appeared.
The log with the alarm says:
File name:C:\WINDOWS\system32\drivers\vga.sys
Malware name: Win32:Vanti-BK [Rtk]
Type: Rootkit
VPS version: 080523-0, 23/05/2008

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

No detection of anything on mine, XP Pro SP2.
« Last Edit: May 23, 2008, 08:36:43 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

alfregil

  • Guest
I followed your instructions; this is what I found:

Analysis of file vga.sys received on 23.05.2008 22:44:33 (CET)
Current status: analysis finished
Result: 0/32 (0.00%)
Antivirus engine    Version    Last update    Result
AhnLab-V3    2008.5.22.1    2008.05.23    -
AntiVir    7.8.0.19    2008.05.23    -
Authentium    5.1.0.4    2008.05.23    -
Avast    4.8.1195.0    2008.05.23    -
AVG    7.5.0.516    2008.05.23    -
BitDefender    7.2    2008.05.23    -
CAT-QuickHeal    9.50    2008.05.23    -
ClamAV    0.92.1    2008.05.23    -
DrWeb    4.44.0.09170    2008.05.23    -
eSafe    7.0.15.0    2008.05.22    -
eTrust-Vet    31.4.5815    2008.05.23    -
Ewido    4.0    2008.05.23    -
F-Prot    4.4.4.56    2008.05.23    -
F-Secure    6.70.13260.0    2008.05.23    -
Fortinet    3.14.0.0    2008.05.23    -
GData    2.0.7306.1023    2008.05.23    -
Ikarus    T3.1.1.26.0    2008.05.23    -
Kaspersky    7.0.0.125    2008.05.23    -
McAfee    5302    2008.05.23    -
Microsoft    1.3520    2008.05.23    -
NOD32v2    3127    2008.05.23    -
Norman    5.80.02    2008.05.23    -
Panda    9.0.0.4    2008.05.23    -
Prevx1    V2    2008.05.23    -
Rising    20.45.42.00    2008.05.23    -
Sophos    4.29.0    2008.05.23    -
Sunbelt    3.0.1123.1    2008.05.17    -
Symantec    10    2008.05.23    -
TheHacker    6.2.92.318    2008.05.23    -
VBA32    3.12.6.6    2008.05.23    -
VirusBuster    4.3.26:9    2008.05.23    -
Webwasher-Gateway    6.6.2    2008.05.23    -
Additional information
File size: 20992 bytes
MD5...: 8a60edd72b4ea5aea8202daf0e427925
SHA1..: 0aa68f6fbe29e8359942d2cdefe7e9b8527568ab
SHA256: ed0624b285e4f64e07e30c12490873a2090f9dfd6a91a2eda7a1082b88a8199e
SHA512: 88f6a457daf60dfc7ba2a46e46bbe5dea1f45fc0a229f7f64bf48577d6c5c3c306d110477ef74b0f6a277f800e5bfe32300a8b93335d96b0d358a2012de1773f
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14642
timedatestamp.....: 0x41107d0a (Wed Aug 04 06:07:06 2004)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x3d0 0x400 6.11 7f9d3555fc0fa39e6c35e04f62968ea5
.rdata 0x780 0x134 0x180 2.69 68c533c5ab20eb8bbd4df6edcde875b5
.data 0x900 0xc 0x80 0.38 0c41a08c90a7d5e81bf065649ebabedc
PAGE 0x980 0x36e0 0x3700 6.29 1e701edde3d8b50fb912912ae1b1944f
PAGE_DAT 0x4080 0x4d2 0x500 2.75 7f80608610eea5275fc62df4c81ecc35
INIT 0x4580 0x510 0x580 5.12 64952cd39bfd619bae392603d8bb401f
.rsrc 0x4b00 0x3f0 0x400 3.38 7afff939e936aef204b8ff5c95cc9f57
.reloc 0x4f00 0x2ba 0x300 5.70 ff2779d16f2b082837239428beae8eae

( 2 imports )
> ntoskrnl.exe: KeBugCheckEx, KeTickCount, memmove, _except_handler3
> VIDEOPRT.SYS: VideoPortFreePool, VideoPortQueryServices, VideoPortFreeDeviceBase, VideoPortInitialize, VideoPortReadPortUshort, VideoPortWritePortBufferUshort, VideoPortWritePortUshort, VideoPortWritePortUchar, VideoPortReadPortUchar, VideoPortZeroDeviceMemory, VideoPortStallExecution, VideoPortInt10, VideoPortZeroMemory, VideoPortCompareMemory, VideoPortVerifyAccessRanges, VideoPortWriteRegisterBufferUchar, VideoPortAllocatePool, VideoPortSetTrappedEmulatorPorts, VideoPortMoveMemory, VideoPortReadRegisterUchar, VideoPortWriteRegisterUchar, VideoPortWritePortUlong, VideoPortGetDeviceBase, VideoPortGetDeviceData, VideoPortUnmapMemory, VideoPortMapMemory, VideoPortSynchronizeExecution, VideoPortReadPortUlong
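DavidR's suggestion is to check the flagged file against VirusTotal, and the report above gives the size, the MD5/SHA1/SHA256 hashes and the COFF header fields (machine type, section count, link timestamp) of the copy that scanned 0/32. The script below is an added example, not code from any forum participant or from avast: it computes the same fingerprint for a local copy and compares it field by field with the values quoted in the report, and it reads the same header fields straight from the PE image. A hash match means the local file is the exact copy VirusTotal already scanned clean; a mismatch means it is a different file and the local copy itself is the one to upload and report. The `build_sample_image` helper is a constructed stand-in (an MZ stub plus a COFF header, no driver code) so the functions can run offline; `fingerprint_file` is the one to point at a real path.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Reference values copied from the VirusTotal report quoted above.
REFERENCE = {
    "size": 20992,
    "md5": "8a60edd72b4ea5aea8202daf0e427925",
    "sha1": "0aa68f6fbe29e8359942d2cdefe7e9b8527568ab",
    "sha256": "ed0624b285e4f64e07e30c12490873a2090f9dfd6a91a2eda7a1082b88a8199e",
}


def fingerprint(data: bytes) -> dict:
    """Size and hashes of a file image, in the same fields the VT report shows."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare_to_reference(data: bytes, reference: dict = REFERENCE) -> dict:
    """Field-by-field match of a local copy against the reference values."""
    local = fingerprint(data)
    return {field: local[field] == expected for field, expected in reference.items()}


def is_same_file(data: bytes, reference: dict = REFERENCE) -> bool:
    """True only if size and every hash agree with the reference."""
    return all(compare_to_reference(data, reference).values())


def pe_header_info(data: bytes) -> dict:
    """Read machine type, section count and link timestamp from the COFF header.

    Raises ValueError if the bytes are not a PE image (no MZ stub / PE signature).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    linked = datetime.fromtimestamp(timestamp, timezone.utc)
    return {
        "machine": machine,                  # 0x14c = I386, as in the report
        "sections": nsections,
        "timestamp": timestamp,              # raw TimeDateStamp (seconds since 1970, UTC)
        "linked_utc": linked.strftime("%Y-%m-%d %H:%M:%S"),
    }


def build_sample_image(timestamp: int = 0x41107D0A, machine: int = 0x14C, sections: int = 8) -> bytes:
    """Constructed sample: a bare DOS stub and COFF header carrying the header values
    the report lists, with no code or sections behind it. Used only to run offline."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)           # e_lfanew points right after it
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, sections, timestamp, 0, 0, 0, 0)
    return bytes(header) + coff


def fingerprint_file(path: str) -> dict:
    """Fingerprint a real file on disk, e.g. C:\\WINDOWS\\system32\\drivers\\vga.sys."""
    with open(path, "rb") as fh:
        return fingerprint(fh.read())


if __name__ == "__main__":
    sample = build_sample_image()
    print("header:", pe_header_info(sample))
    print("matches reference:", compare_to_reference(sample))
    print("same file as the VT scan:", is_same_file(sample))
```

On the constructed sample the header comes back as I386, 8 sections, linked 2004-08-04 06:07:06 UTC (the same timestamp the report decodes), while every hash comparison is False, which is exactly the signal that a copy differs from the scanned one and needs its own upload.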

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Interesting that avast doesn't find it in the VirusTotal (VT) scan, though there are times that VT VPS isn't as up to date as the users system (or you aren't using the latest VPS).

So first ensure you have the latest VPS, 080523-0 is the latest and scan the file on your system. If still found as infected send to avast for analysis as a false positive and exclude the file from scans, information on how to do this in the link in my first reply above.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Is it the rootkit detector that's detecting this, not the AV engine?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

jayr.lao

  • Guest
Hello Staff and Users of Avast.

Greetings!

I've been using Avast (free) for almost three years now and I am very pleased with the product; I haven't encountered a single problem (either at home or at the office) until now. When I inserted a flash drive (not mine, by the way), Avast automatically detected this "rootkit" and offered a solution to either move it to the chest or delete it. Initially I chose to move it to the chest, since this has worked for me in the past. But this particular problem kept coming up every time I boot my computer.

I tried using the online scanners as well as other notable AV vendors and they all keep saying that they are not able to detect the rootkit. As stated by Überevangelist DavidR, I've added this file in my excluded list options and informed Avast.

Avast, please inform us, your loyal and humble users, on when can we expect a solution to this issue. Thank you very much in advance.

Cheerios,
Jay-r

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Quote
I've been using Avast (free) for almost three years ... (either home or office)

Which version of avast are you using at the office?

Quote
But this particular problem kept coming up every time I boot my computer.

Can you say what the infected file name is and where it was found (C:\windows\system32\infected-file-name.xxx)?
The best things in life are free.

bibski

  • Guest
File name:C:\WINDOWS\system32\drivers\vga.sys
Malware name: Win32:Vanti-BK [Rtk]
Type: Rootkit
VPS version: 080523-0, 23/05/2008

I'm having the same problem with this. It keeps appearing every time I open my USB flash drive.

edited:
oops, sorry, I've read that VGA.SYS is a Windows file, so is it a false positive? (just a confirmation)
« Last Edit: July 20, 2008, 06:30:12 PM by bibski »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Quote
so is it a false positive?

Apparently not.

http://forum.avast.com/index.php?topic=35761.msg302364#msg302364

Search the board for Vanti-BK for more info.