Avast WEBforum
Other => Viruses and worms => Topic started by: irrelevant on October 19, 2011, 06:55:12 PM
-
Hi all.
I have a full scan scheduled for 2am daily. Three times over the last month, it's reported multiple instances of "Threat: Rootkit hidden process" with a result of "Error: access is denied(5)", alternating between two different PIDs.
Doing a manual scan picks up nothing. Running an f-secure boot-cd brought up no infections. MBAM showed no infections.
Should I be worried, or is this a false positive?
Thanks
rob
-
follow the guide here, attach the logs and let Essexboy have a look... he will enter the forum soon...
http://forum.avast.com/index.php?topic=53253.0
-
Quick scan said nothing found. Full scan didn't find anything relevant, just a couple of files I knew were there.
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7982
Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514
19/10/2011 20:28:42
mbam-log-2011-10-19 (20-28-31).txt
Scan type: Full scan (C:\|L:\|Q:\|)
Objects scanned: 516628
Time elapsed: 2 hour(s), 13 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Burn\smartftp\smartftp_4.0_build_1097_32_64\smartftp 4.0 build 1097_32_64\ap-stfp4xv2\smartftp.v4.x.universalpatch.v2\!patch\ap-stfp4xv2.exe (RiskWare.Tool.HCK) -> No action taken.
c:\program files (x86)\fairuse4wm\mirakagi.exe (RiskWare.Tool.CK) -> No action taken.
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-19 22:20:46
-----------------------------
22:20:46.570 OS Version: Windows x64 6.1.7601 Service Pack 1
22:20:46.570 Number of processors: 2 586 0x170A
22:20:46.572 ComputerName: TIFFANY UserName: robert
22:20:48.569 Initialize success
22:20:48.987 AVAST engine defs: 11101901
22:29:05.199 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:29:05.203 Disk 0 Vendor: Hitachi_ FB4O Size: 305245MB BusType: 3
22:29:05.207 Disk 0 MBR read error 0
22:29:05.211 Disk 0 MBR scan
22:29:05.215 Disk 0 unknown MBR code
22:29:05.219 MBR BIOS signature not found 0
22:29:05.223 Service scanning
22:29:05.998 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
22:29:06.054 Service Vsdatant C:\Windows\system32\DRIVERS\vsdatant.sys **LOCKED** 32
22:29:06.602 Modules scanning
22:29:06.610 Disk 0 trace - called modules:
22:29:06.644 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys sppm.sys hal.dll
22:29:06.652 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004cf1400]
22:29:06.662 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004b30050]
22:29:07.701 AVAST engine scan C:\Windows
22:29:24.414 AVAST engine scan C:\Windows\system32
22:29:34.424 AVAST engine scan C:\Windows\system32\drivers
22:29:44.435 AVAST engine scan C:\Users\robert
22:29:54.447 AVAST engine scan C:\ProgramData
22:29:54.457 Scan finished successfully
22:49:50.839 Disk 0 MBR has been saved successfully to "L:\temp\MBR.dat"
22:49:50.919 The log file has been saved successfully to "L:\temp\aswMBR.txt"
-
Essexboy is in bed now so you have to wait until he is back tomorrow
he is usually in here around 08:00pm - 11:59pm UK time....
-
Essexboy is in bed now so you have to wait until he is back tomorrow
he is usually in here around 08:00pm - 11:59pm UK time....
Okies, thank you. I'll be patient!
-
It seems like rootkits and malware keep getting more advanced. I had one recently that couldn't be detected by avast, Malwarebytes or any other program. Ragnarok (http://www.existencero.com/?v=ragnarokprivateserver) It killed safe mode and infected my BIOS, forcing my PC to keep resetting. I formatted the hard drive by hooking it to USB and had to reset the CMOS and reload the BIOS. It was a CNA Training (http://www.cnatrainingdotcom.com) friggen nightmare.
-
The log appears clean - as the detections are referencing PID, I assume you are using a memory scan. Which leads me to suspect that you are detecting signatures loaded into memory by an antimalware programme
Are you experiencing any unusual symptoms?
-
I'm getting the "Threat: Rootkit hidden process" message too...and I never use Memory Scans.
-
The log appears clean - as the detections are referencing PID, I assume you are using a memory scan. Which leads me to suspect that you are detecting signatures loaded into memory by an antimalware programme
Are you experiencing any unusual symptoms?
Thanks for the help! It's an avast full system scan that's picking it up, so I presume it's doing a memory scan. I've also got Zonealarm installed, so maybe it's picking that up. I'm not experiencing anything particularly unusual. Hope it's just the AV being over-cautious then.
-
1. It's an avast full system scan that's picking it up, so I presume it's doing a memory scan.
2. I've also got Zonealarm installed, so maybe it's picking that up.
3. Hope it's just the AV being over-cautious then.
1. That's right.
2. I think so.
3. Yes, nothing to worry about. :)
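The triage Essexboy describes (a "hidden process" report that only carries a PID and an access-denied(5) error, with another security product installed) can be turned into a repeatable check. The script below is an added example, not code from the thread or from avast: it parses a constructed scan report in an assumed layout, looks each flagged PID up in a constructed snapshot of the ordinary process list, and separates PIDs that are merely self-protected security services from PIDs that are genuinely absent from the process list.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the findings a scheduled full scan reported in the
# thread. The layout is an assumption, not avast's real report format.
SCAN_REPORT = """\
Threat: Rootkit hidden process | PID: 1784 | Result: Error: access is denied(5)
Threat: Rootkit hidden process | PID: 2452 | Result: Error: access is denied(5)
Threat: Rootkit hidden process | PID: 6100 | Result: Error: access is denied(5)
"""

# Constructed snapshot of the normal process list taken at the same moment,
# pid -> (image name, Authenticode signer). A process that a rootkit really
# hides from the OS would be missing from this list entirely.
PROCESS_SNAPSHOT: Dict[int, Tuple[str, str]] = {
    1784: ("vsmon.exe", "Check Point Software Technologies Ltd."),  # ZoneAlarm
    2452: ("AvastSvc.exe", "AVAST Software"),
    3012: ("explorer.exe", "Microsoft Windows"),
}

# Signers whose services run self-protected and refuse handle opens (error 5).
SECURITY_SIGNERS = {"AVAST Software", "Check Point Software Technologies Ltd.",
                    "Malwarebytes Corporation"}

FINDING_RE = re.compile(
    r"Threat: (?P<threat>.+?) \| PID: (?P<pid>\d+) \| Result: (?P<result>.+)")


def parse_findings(report: str) -> List[Tuple[str, int, str]]:
    """Return (threat, pid, result) for every finding line in the report."""
    found = []
    for line in report.splitlines():
        m = FINDING_RE.match(line)
        if m:
            found.append((m["threat"], int(m["pid"]), m["result"]))
    return found


def triage(report: str, snapshot: Dict[int, Tuple[str, str]]) -> Dict[int, str]:
    """Classify each flagged PID: hidden from the process list, visible but
    self-protected by a known security signer, or visible and worth a look."""
    verdicts: Dict[int, str] = {}
    for _threat, pid, result in parse_findings(report):
        access_denied = "(5)" in result
        if pid not in snapshot:
            verdicts[pid] = "HIDDEN: absent from process list, run an offline/boot-time scan"
            continue
        name, signer = snapshot[pid]
        if access_denied and signer in SECURITY_SIGNERS:
            verdicts[pid] = f"PROTECTED: {name} ({signer}) blocks handle opens, likely false positive"
        else:
            verdicts[pid] = f"REVIEW: {name} signed by {signer!r}, verify path and signature"
    return verdicts
```

Resolving the PIDs has to happen while the flagged processes are still running (the thread notes the PIDs alternate between scans), so the snapshot should be captured right after the scheduled scan finishes.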
-
Greetings!
I found this thread via a search after my avast complete scan caught several memory loaded spyeye, downloader, dialer, et al. in its web. The fine insight provided for this other gentleman's query has me believing that's what happened with mine.
A quick question:
I run Avast Pro, Malwarebytes pro and win defender simultaneously. Is it OK in anyone's opinion? Should one be disconnected?
Also, if one cannot install Win7 SP1 would that be indicative of hanky panky?
Thanx,
griff
-
Welcome to the forum griff..!
Please start a new topic. Thanks.
-
Will do! Thx...
griff