Author Topic: Rootkit scan shows positive results  (Read 5010 times)

jagobruford

  • Guest
Rootkit scan shows positive results
« on: May 20, 2012, 01:23:45 PM »
Hi - I have just upgraded to avast internet security from the free version and I am also running AVG full version.
I have just done an anti-rootkit scan in AVG which has revealed between 6 and 16 rootkits which cannot (or will not) be removed.

These are:

"";"<unknown>";"Corrupted section win32k.sys[.text] EngCopyBits+0xA519, size 7 bytes";"Object is inaccessible."
"";"<unknown>";"Corrupted section win32k.sys[.text] XLATEOBJ_iXlate+0x7EF9, size 7 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] EngSetLastError+0x4825, size 7 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] EngRestoreFloatingPointState+0x3368, size 8 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] EngRestoreFloatingPointState+0xB109, size 7 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] EngRestoreFloatingPointState+0x13B68, size 8 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] EngRestoreFloatingPointState+0x1B654, size 14 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] memmove+0xA234, size 8 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] memmove+0x141B9, size 13 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] EngQuerySystemAttribute+0xF6C, size 8 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] XLATEOBJ_cGetPalette+0x3B59, size 7 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] XLATEOBJ_cGetPalette+0x451C, size 14 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] XLATEOBJ_cGetPalette+0x5619, size 7 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] XLATEOBJ_cGetPalette+0x5669, size 7 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] XLATEOBJ_cGetPalette+0xC4D8, size 8 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] XLATEOBJ_cGetPalette+0xF749, size 7 bytes";"Object is hidden"


I have read through a few of the other similar forum posts, which gives me some comfort insofar as my system is not showing and has not shown any suspicious activity or instability.

Can I, or should I, try to remove these entries using avast or any other utility?

Any help and comments would be much appreciated.
Thank you.

Offline Asyn

Re: Rootkit scan shows positive results
« Reply #1 on: May 20, 2012, 01:26:49 PM »
Hi - I have just upgraded to avast internet security from the free version and I am also running AVG full version.

Can I, or should I, try to remove these entries using avast or any other utility?

Before you do anything, please drop either AIS or AVG...!!!

AdrianH

  • Guest
Re: Rootkit scan shows positive results
« Reply #2 on: May 20, 2012, 01:29:45 PM »
As Asyn says, DO NOT DO ANYTHING until you have uninstalled one of the antivirus products. You cannot run 2 AVs at the same time.

Offline Pondus

Re: Rootkit scan shows positive results
« Reply #3 on: May 20, 2012, 03:39:37 PM »
As already stated... running multiple AVs will give you all kinds of Windows errors and false positive detections, so any detection cannot be trusted before you remove one AV.

You also need to run a removal tool for the AV you uninstall so any leftover files that may conflict are gone.
Run and reboot - http://singularlabs.com/uninstallers/security-software/

Maybe I am blind... or don't understand the AVG log... but I don't see the word "rootkit" in the scan result you posted above?
To me that looks like a scan error report, as it says corrupted... and that is not the same as detection.
« Last Edit: May 20, 2012, 06:42:35 PM by Pondus »
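
One way to tabulate the export lines from the opening post before handing them to a reviewer: which module and section each entry names, how many bytes are flagged, and what label and status each row carries. This is an added example, not part of any post and not AVG's own tooling; the four-field layout and the regular expression are assumptions inferred only from the lines shown in this thread.

```python
import csv
import io
import re
from collections import Counter, namedtuple

# Four lines copied from the export in the opening post.
SAMPLE = '''"";"<unknown>";"Corrupted section win32k.sys[.text] EngCopyBits+0xA519, size 7 bytes";"Object is inaccessible."
"";"<unknown>";"Corrupted section win32k.sys[.text] XLATEOBJ_iXlate+0x7EF9, size 7 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] memmove+0xA234, size 8 bytes";"Object is hidden"
"";"<unknown>";"Corrupted section win32k.sys[.text] memmove+0x141B9, size 13 bytes";"Object is hidden"
'''

# Assumed layout, inferred from those lines: name ; label ; description ; status
Finding = namedtuple("Finding", "label module section symbol offset size status")
DESC = re.compile(
    r"Corrupted section (?P<module>[^\[\s]+)\[(?P<section>[^\]]+)\] "
    r"(?P<symbol>\w+)\+0x(?P<offset>[0-9A-Fa-f]+), size (?P<size>\d+) bytes")


def parse_report(text):
    """Return (findings, unparsed_rows) for a semicolon-delimited export."""
    findings, unparsed = [], []
    for row in filter(None, csv.reader(io.StringIO(text), delimiter=";")):
        m = DESC.fullmatch(row[2]) if len(row) == 4 else None
        if m is None:
            unparsed.append(row)  # keep unexpected rows for manual review
            continue
        findings.append(Finding(row[1], m["module"], m["section"], m["symbol"],
                                int(m["offset"], 16), int(m["size"]),
                                row[3].rstrip(".")))
    return findings, unparsed


def summarize(findings):
    """Group by (module, section): entry count, bytes, symbols, statuses."""
    out = {}
    for f in findings:
        g = out.setdefault((f.module, f.section), {
            "entries": 0, "bytes": 0, "symbols": set(), "statuses": Counter()})
        g["entries"] += 1
        g["bytes"] += f.size
        g["symbols"].add(f.symbol)
        g["statuses"][f.status] += 1
    return out


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE)[0]))
```

Rows that do not match the assumed layout are returned separately rather than dropped, so nothing in the export is silently ignored.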

jagobruford

  • Guest
Re: Rootkit scan shows positive results
« Reply #4 on: May 20, 2012, 09:07:55 PM »
Hello

Thank you all for your replies. The results were obtained after a rootkit scan on AVG and it may be that these are just minor corruptions to my registry. And in any case they could also be the "false positives" you refer to. So yes I will uninstall and try it again. The scan was just done at random and not in response to any specific issues that were occurring in my system.

It may be that I am worrying unduly and that the Avast should pick up anything amiss. As I say, there are no ill effects. Should I expect Avast to deal with these potential threats during the initial boot up scan?

Offline Pondus

Re: Rootkit scan shows positive results
« Reply #5 on: May 20, 2012, 09:20:00 PM »
if you think you are infected this is how to find out
attach (not copy and paste) logs from Malwarebytes quick scan / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0
then one of the malware removers will check the logs and give you a verdict   ;)
« Last Edit: May 21, 2012, 12:49:40 PM by Pondus »

jagobruford

  • Guest
Re: Rootkit scan shows positive results
« Reply #6 on: May 20, 2012, 10:12:28 PM »
Thanks - Malwarebytes Quick Scan done and results attached - there appear to be no infections. So guess it was a false negative result from AVG!