Do I have a rootkit?

I just had a new motherboard installed a few days ago, an ASRock suitable for socket 775.

I have just done a check with AVZ v4.41 and am seeing something I have never seen before.

 

Have you scanned your computer with Malwarebytes or Hitman Pro? You should scan it using both. http://www.malwarebytes.org/ http://www.surfright.nl/en/home/ If you have not then please scan your computer, and update us on what you find. Are you currently using Kaspersky on the computer in question?

 

I don't have Kaspersky installed. I do use TdssKiller occasionally.

I completed scans as follows:

 

Wow, what a tray. Anyways, if avz.exe is from AVZ 4.41, then there's only DivX.dll to worry about. Upload it to VirusTotal, Comodo File Verdict Service, and Anubis to see if anything's truly suspicious. If unsure, upload to AV vendors and see their response.

 

@ j L


Hi,

I not worried about that DivX.dll, because it has been on my computer for years. Why HMP, flags it suddenly, I don't know.

As to AVZ.exe being suspicious, I am not concerned about that. I trust AVZ and Kaspersky.

As to my tray, nothing gets past!

 

Re: HMP

You can use the drop down menu (click at the upside down triangle besides the 'ignore' on your picture) when a binary is reported by HitmanPro and scan it with Virus Total. After you have scanned it with VT, you can trust this binary and tell HMP it is safe. It won't show in next scans.

Regards Kees

 

Perhaps because it has been modified by malware? Make sure you check its hash value, etc. Also Webroot flags it as malicious but they also tend to do that with a lot of stuff.

Did you try to find PID 13436 using Process Explorer and check it out? I have never seen a 5 digit PID on my PC so that alone is suspicious.

There also could be a MBR component to this which would make online detection difficult. Try a scan with Avast's aswMBR scanner. You can download it from here: http://www.bleepingcomputer.com/download/aswmbr/ or the Avast web site.

You might have to have to use one of the boot CD/USB AV scanners to catch one and that's a maybe since the rootkit will not be loaded in an off line scan.

Have you tried a scan with MBAM's free rootkit scanner? http://www.malwarebytes.org/products/other_tools/. It is pretty good at detecting latest rootkits.

Did you load your chipset drivers for the new m/b from the Asrock CD? In the past, more than one of the manufacturers CD's have contained malware.

Also I see your using Emisosft Anti-malware paid? They should be able to help you out with this.

 

try running a few boot disk scans to be on the safe side. rootkits cant defend themselves this way

 

@ Kees - Thanks for the Tip

@ itman - I ran a MBAM anti-rootkit scan. It was clear. I got a computer shop to do the motherboard install and load the chipsets. Those PID's never showed in Process Explorer.


@ treehouse786 - Thanks for the tip, but I don't have any boot disc that I can use.


The good news is after a reboot, AVZ is no longer showing those red entries. Just a little anomaly, I guess.