Author Topic: Need help identifying false positives and suspicious rootkits  (Read 5317 times)


February 10, 2015, 02:21:41 AM

KaInEvIL

Need help identifying false positives and suspicious rootkits
« on: February 10, 2015, 02:21:41 AM »
Hi, I need help identifying false positives. I've thoroughly scanned my computer with tons of antimalware tools from bleepingcomputer.com and ESET Online Scanner and nothing was found anymore, but RogueKiller is still finding some weird stuff like a suspicious IRP hook and some redirect stuff. I already blocked Chrome from all tracking third-party cookies since they kept adding themselves for some weird reason. I'm a little paranoid right now since I'm having some small hard drive stuttering issues and I can't seem to identify the cause. Also, aswMBR crashes every single time it tries to scan some specific directory, so I'm suspicious of that one too:

Thanks a lot in advance  :-\
« Last Edit: February 10, 2015, 05:36:48 AM by KaInEvIL »

Reply #1, February 10, 2015, 02:53:13 PM

Curson

Re: Need help identifying false positives and suspicious rootkits
« Reply #1 on: February 10, 2015, 02:53:13 PM »
Hi KaInEvIL,

Welcome to Adlice.com Forum.
The IRP hook detections on mountmgr.sys are probably harmless.
Quote:
IAT     C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]     [fffff880010d3e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
aswMBR crashes on atapi.sys, which is hooked by sptd.sys, the Daemon Tools driver.
Please try running Defogger to temporarily disable it before running aswMBR again.

Regards.

Note: This thread has been moved to the "RogueKiller" section for clarity.
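As an added illustration (not code from this thread, from RogueKiller or from Adlice), here is a small Python parser for the IAT hook line format quoted above that records which driver installed the hook and checks it against a short allow-list of known legitimate hookers, so a finding like the sptd.sys one can be triaged without guessing. The field layout is inferred from the single quoted line, the sample lines and the allow-list structure are constructed, and the second sample's driver name (unknown.sys) is made up to exercise the review path.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the IAT hook line quoted above; the second
# line uses a made-up driver name (unknown.sys) only to exercise the review path.
SAMPLE_LINES = [
    "IAT     C:\\Windows\\system32\\drivers\\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]"
    "     [fffff880010d3e94] \\SystemRoot\\System32\\Drivers\\sptd.sys [.text]",
    "IAT     C:\\Windows\\system32\\drivers\\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]"
    "     [fffff880010d3f10] \\SystemRoot\\System32\\Drivers\\unknown.sys [.text]",
]

# Field layout assumed from the quoted line:
#   IAT  <hooked driver>[<import module>!<function>]  [<address>]  <hooking driver> [<section>]
IAT_RE = re.compile(
    r"^IAT\s+(?P<hooked>\S+?)\[(?P<import_mod>[^!\]]+)!(?P<func>[^\]]+)\]"
    r"\s+\[(?P<addr>[0-9a-fA-F]+)\]\s+(?P<hooker>\S+)\s+\[(?P<section>[^\]]+)\]\s*$"
)
# Hooking drivers the thread identifies as a known legitimate cause
# (sptd.sys belongs to Daemon Tools). Assumed allow-list structure; extend locally.
KNOWN_HOOKERS = {"sptd.sys": "Daemon Tools driver"}


@dataclass
class IatHook:
    hooked_module: str
    import_module: str
    function: str
    address: int
    hooking_module: str
    section: str

    def hooker_name(self) -> str:
        # Bare file name of the driver that installed the hook, lower-cased
        return self.hooking_module.rsplit("\\", 1)[-1].lower()


def parse_iat_line(line: str) -> Optional[IatHook]:
    """Parse one RogueKiller-style IAT hook line; None if the layout differs."""
    m = IAT_RE.match(line.strip())
    if m is None:
        return None
    return IatHook(m["hooked"], m["import_mod"], m["func"], int(m["addr"], 16), m["hooker"], m["section"])


def triage(hook: IatHook) -> str:
    """'known: ...' when the hooking driver is allow-listed, otherwise 'review: ...'."""
    owner = KNOWN_HOOKERS.get(hook.hooker_name())
    if owner is not None:
        return f"known: {hook.function} hooked by {owner} ({hook.hooker_name()})"
    return f"review: {hook.function} hooked by unlisted driver {hook.hooking_module}"
```

Lines that do not match the assumed layout (for example the IRP entries) are returned as None rather than mis-parsed, so they can be handled by a separate rule.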

Reply #2, February 11, 2015, 02:01:31 AM

KaInEvIL

Re: Need help identifying false positives and suspicious rootkits
« Reply #2 on: February 11, 2015, 02:01:31 AM »
Thanks a lot for your reply. It seems that Defogger didn't work since aswMBR keeps crashing; it must be something else. I tried killing all processes, but same thing. Dunno what the issue is really. I ran another scan and RogueKiller doesn't show any orange IRP hooks anymore. It seems to be gone, which is a good thing, right?

Reply #3, February 11, 2015, 12:33:16 PM

Curson

Re: Need help identifying false positives and suspicious rootkits
« Reply #3 on: February 11, 2015, 12:33:16 PM »
Hi KaInEvIL,

Your report is clean.
I have no clue why aswMBR crashes anymore. If you absolutely wish to investigate the cause, I advise you to open a new thread on the Avast forum. They will be better able than I to help you with this.

Regards.