Author Topic: Anti-Rootkit review, please?  (Read 7894 times)


January 28, 2015, 05:20:05 AM

Twister201

  • Newbie
Anti-Rootkit review, please?
« on: January 28, 2015, 05:20:05 AM »
A recent "hidden file found" result from an Avira anti-virus scan prompted me to break out my trusted RogueKiller. Can you take a look at the RKreport attached and tell me if I'm looking at a false positive, or if I'm in trouble? MBAM was unable to detect anything out of the ordinary, if that helps. Thank you!

Reply #1, January 28, 2015, 09:10:57 PM

Curson

  • Global Moderator
  • Hero Member
Re: Anti-Rootkit review, please?
« Reply #1 on: January 28, 2015, 09:10:57 PM »
Hi Twister201,

Welcome to Adlice.com Forum.
Is Sandboxie installed on your system?

Additional rootkit scan
  • Please download TDSSKiller and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected, select Skip for all of them unless I instruct you otherwise.
  • Click Continue
  • Click Reboot computer
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically c:\), in your next reply.

Regards.

Reply #2, January 29, 2015, 01:38:37 AM

Twister201

  • Newbie
Re: Anti-Rootkit review, please?
« Reply #2 on: January 29, 2015, 01:38:37 AM »
Thanks for your time and effort with this. Yes, I did have Sandboxie installed when I ran that first RK, but have since uninstalled. I've attached a new RK report (in case uninstalling Sandboxie had an impact), as well as the results of the TDSSKiller run (no threats detected).

Reply #3, January 29, 2015, 05:29:48 PM

Curson

  • Global Moderator
  • Hero Member
Re: Anti-Rootkit review, please?
« Reply #3 on: January 29, 2015, 05:29:48 PM »
Hi Twister201,

I suspected these hooks to be created by the Sandboxie driver.
Quote:
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[299] : Unknown @ 0x99b8bd40
[SSDT:Inl(Hook.SSDT)] NtTraceEvent[376] : Unknown @ 0x8310ac82
Since these lines are no longer present in RogueKiller's report, this confirmed I was right. You can reinstall Sandboxie anytime.

Regarding these lines:
Quote:
16:12:59.0493 0x07cc  AV detected via SS2: Avira Desktop, C:\Program Files\Avira\AntiVir Desktop\wsctool.exe ( 14.0.7.440 ), 0x40000 ( disabled : updated )
16:12:59.0493 0x07cc  AV detected via SS2: Immunet 3, C:\Program Files\Immunet\3.1.13\sfc.exe ( 3.1.13.9671 ), 0x41000 ( enabled : updated )
16:12:59.0712 0x07cc  FW detected via SS2: COMODO Firewall, C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe ( 8.0.0.4344 ), 0x61010 ( enabled )

You are using more than one anti-virus program. Please read this quote from quietman7 :

Quote from: quietman7@bleepingcomputer.com
The primary concern with using more than one anti-virus program is due to conflicts that can arise when they are running in real-time mode simultaneously. However, even when one of them is disabled for use as a stand-alone scanner, it can affect the other. Anti-virus software components insert themselves into the operating system's core, and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files, this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. However, some anti-virus vendors do not encrypt their definitions and will trigger false alarms if used while another resident anti-virus program is active.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice.

The IRP hooks on iaStorV.sys are most likely harmless.

Regards.
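The triage in this reply rests on two checks that are easy to automate when comparing reports: an SSDT hook whose owning module is reported as Unknown needs an explanation, and a hook that disappears once a driver is uninstalled is attributable to that driver; separately, the TDSSKiller "detected via SS2" lines tell you how many anti-virus products are registered and which ones have real-time protection enabled. The script below is an added example written for this thread, not code from Adlice, RogueKiller or TDSSKiller. The two Unknown hook lines and the three SS2 lines are copied from the posts above; the "before"/"after" reports are otherwise constructed, the NtCreateFile hook line is hypothetical, sample_av_driver.sys is a placeholder name, and the regular expressions are derived only from the line shapes quoted here (other RogueKiller or TDSSKiller line types are not covered).

```python
"""Triage helpers for the two report formats quoted in this thread:
RogueKiller SSDT hook lines ("[SSDT:...] Func[idx] : Module @ 0x...") and
TDSSKiller "AV/FW detected via SS2" lines. The sample reports below are
constructed for this example; the NtCreateFile hook line is hypothetical and
sample_av_driver.sys is a placeholder, not a real driver name."""
import re
from typing import Dict, List, Tuple

# Constructed "before" report: the two Unknown hooks quoted in the thread plus
# one hypothetical hook attributed to a named (placeholder) AV driver.
RK_REPORT_BEFORE = r"""
[SSDT:Addr(Hook.SSDT)] NtRequestWaitReplyPort[299] : Unknown @ 0x99b8bd40
[SSDT:Inl(Hook.SSDT)] NtTraceEvent[376] : Unknown @ 0x8310ac82
[SSDT:Addr(Hook.SSDT)] NtCreateFile[66] : sample_av_driver.sys @ 0x9a2c1f00
"""

# Constructed "after" report (Sandboxie uninstalled): only the AV hook remains.
RK_REPORT_AFTER = r"""
[SSDT:Addr(Hook.SSDT)] NtCreateFile[66] : sample_av_driver.sys @ 0x9a2c1f00
"""

# TDSSKiller lines as quoted in the thread.
TDSS_LOG = r"""
16:12:59.0493 0x07cc  AV detected via SS2: Avira Desktop, C:\Program Files\Avira\AntiVir Desktop\wsctool.exe ( 14.0.7.440 ), 0x40000 ( disabled : updated )
16:12:59.0493 0x07cc  AV detected via SS2: Immunet 3, C:\Program Files\Immunet\3.1.13\sfc.exe ( 3.1.13.9671 ), 0x41000 ( enabled : updated )
16:12:59.0712 0x07cc  FW detected via SS2: COMODO Firewall, C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe ( 8.0.0.4344 ), 0x61010 ( enabled )
"""

SSDT_RE = re.compile(
    r"^\[SSDT:(?P<kind>\w+)\(Hook\.SSDT\)\]\s+"         # Addr = pointer swap, Inl = inline patch
    r"(?P<func>\w+)\[(?P<index>\d+)\]\s+:\s+"           # syscall name and SSDT index
    r"(?P<module>\S+)\s+@\s+(?P<addr>0x[0-9a-fA-F]+)"   # owning module (or Unknown) and target
)

SS2_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<tid>0x[0-9a-fA-F]+)\s+(?P<ptype>AV|FW) detected via SS2: "
    r"(?P<name>.+?), (?P<path>.+?) \( (?P<version>[^)]+) \), "
    r"(?P<flags>0x[0-9a-fA-F]+) \( (?P<state>[^)]+) \)"
)


def parse_ssdt_hooks(report: str) -> List[Dict[str, str]]:
    """Return one dict per SSDT hook line; other report lines are ignored."""
    return [m.groupdict() for m in map(SSDT_RE.match, report.splitlines()) if m]


def _hook_key(hook: Dict[str, str]) -> Tuple[str, str]:
    return (hook["func"], hook["index"])


def diff_hooks(before: str, after: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split the hooks of `before` into (gone, persisting) relative to `after`.
    Hooks that vanish when a driver is removed are attributable to that driver,
    which is the reasoning used in the thread for the Sandboxie hooks."""
    after_keys = {_hook_key(h) for h in parse_ssdt_hooks(after)}
    gone, persisting = [], []
    for hook in parse_ssdt_hooks(before):
        (persisting if _hook_key(hook) in after_keys else gone).append(hook)
    return gone, persisting


def unknown_module_hooks(report: str) -> List[Dict[str, str]]:
    """Hooks whose target could not be mapped to a loaded module: these need an
    explanation (a known driver, or vanishing after an uninstall) before they
    can be dismissed."""
    return [h for h in parse_ssdt_hooks(report) if h["module"] == "Unknown"]


def parse_ss2_products(log: str) -> List[Dict[str, str]]:
    """Security products TDSSKiller found registered with Windows Security
    Center; `state` keeps the raw text, e.g. 'disabled : updated'."""
    return [m.groupdict() for m in map(SS2_RE.match, log.splitlines()) if m]


def installed_av_names(log: str) -> List[str]:
    return [p["name"] for p in parse_ss2_products(log) if p["ptype"] == "AV"]


def enabled_av_names(log: str) -> List[str]:
    """AV products whose first state token is 'enabled' (real-time protection on)."""
    return [p["name"] for p in parse_ss2_products(log)
            if p["ptype"] == "AV" and p["state"].split(":")[0].strip() == "enabled"]


def triage(before: str, after: str, log: str) -> Dict[str, object]:
    """Summarise both checks the way a reviewer would read them."""
    gone, persisting = diff_hooks(before, after)
    avs = installed_av_names(log)
    return {
        "hooks_gone_after_uninstall": [h["func"] for h in gone],
        "hooks_still_present": [h["func"] for h in persisting],
        "unexplained_unknown_hooks": [h["func"] for h in unknown_module_hooks(after)],
        "multiple_av_installed": len(avs) > 1,
        "realtime_av_enabled": enabled_av_names(log),
    }


if __name__ == "__main__":
    for key, value in triage(RK_REPORT_BEFORE, RK_REPORT_AFTER, TDSS_LOG).items():
        print(f"{key}: {value}")
```

Run it on two saved RKreport files and the TDSSKiller log to get the same conclusion the reply draws: the two Unknown hooks are absent from the second report, so they belonged to the removed driver, while the SS2 lines show two anti-virus products installed with only one of them running in real time.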

Reply #4, January 30, 2015, 01:10:13 AM

Twister201

  • Newbie
Re: Anti-Rootkit review, please?
« Reply #4 on: January 30, 2015, 01:10:13 AM »
Thanks, Curson. Good to know the hooks are harmless. As for using two a/v's at once, it's not normally something I would do, but Immunet is touted as being one of the few that "plays nice" with a list of other a/v's, including Avira. I gather that you and quietman7 might disagree with that statement, then. Thanks, again, for all of your help!

Reply #5, January 30, 2015, 01:48:44 AM

Curson

  • Global Moderator
  • Hero Member
Re: Anti-Rootkit review, please?
« Reply #5 on: January 30, 2015, 01:48:44 AM »
Hi Twister201,

If you encounter no conflicts, it's alright.

I'm glad I was able to help you.
All the best.