Do I have a rootkit?

Discussion in 'malware problems & news' started by Tarnak, Jul 28, 2013.

Thread Status:
Not open for further replies.
  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,873
    I just had a new motherboard installed a few days ago, an ASRock suitable for socket 775.

    I have just done a check with AVZ v4.41 and am seeing something I have never seen before.

    ScreenShot_AVZ_Process Manager_01.gif

    ScreenShot_AVZ_Process Manager_02.gif
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,947
    Location:
    USA
    Have you scanned your computer with Malwarebytes or Hitman Pro? You should scan it using both. http://www.malwarebytes.org/ http://www.surfright.nl/en/home/ If you have not then please scan your computer, and update us on what you find. Are you currently using Kaspersky on the computer in question?
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,873
    I don't have Kaspersky installed. I do use TdssKiller occasionally.

    I completed scans as follows:

    ScreenShot_HMP_scan today_01.gif

    ScreenShot_HMP_scan today_02.gif

    ScreenShot_MBAM_scan today_01.gif
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Wow, what a tray. Anyways, if avz.exe is from AVZ 4.41, then there's only DivX.dll to worry about. Upload it to VirusTotal, Comodo File Verdict Service, and Anubis to see if anything's truly suspicious. If unsure, upload to AV vendors and see their response.
     
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,873
    @ j L


    Hi,

    I not worried about that DivX.dll, because it has been on my computer for years. Why HMP, flags it suddenly, I don't know. :D

    As to AVZ.exe being suspicious, I am not concerned about that. I trust AVZ and Kaspersky.

    As to my tray, nothing gets past! ;)
     
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    Re: HMP

    You can use the drop down menu (click at the upside down triangle besides the 'ignore' on your picture) when a binary is reported by HitmanPro and scan it with Virus Total. After you have scanned it with VT, you can trust this binary and tell HMP it is safe. It won't show in next scans.

    Regards Kees
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Perhaps because it has been modified by malware? Make sure you check its hash value, etc. Also Webroot flags it as malicious but they also tend to do that with a lot of stuff.

    Did you try to find PID 13436 using Process Explorer and check it out? I have never seen a 5 digit PID on my PC so that alone is suspicious.

    There also could be a MBR component to this which would make online detection difficult. Try a scan with Avast's aswMBR scanner. You can download it from here: http://www.bleepingcomputer.com/download/aswmbr/ or the Avast web site.

    You might have to have to use one of the boot CD/USB AV scanners to catch one and that's a maybe since the rootkit will not be loaded in an off line scan.

    Have you tried a scan with MBAM's free rootkit scanner? http://www.malwarebytes.org/products/other_tools/. It is pretty good at detecting latest rootkits.

    Did you load your chipset drivers for the new m/b from the Asrock CD? In the past, more than one of the manufacturers CD's have contained malware.

    Also I see your using Emisosft Anti-malware paid? They should be able to help you out with this.
     
    Last edited: Jul 28, 2013
  8. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    try running a few boot disk scans to be on the safe side. rootkits cant defend themselves this way
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,873
    @ Kees - Thanks for the Tip

    @ itman - I ran a MBAM anti-rootkit scan. It was clear. I got a computer shop to do the motherboard install and load the chipsets. Those PID's never showed in Process Explorer.


    @ treehouse786 - Thanks for the tip, but I don't have any boot disc that I can use.


    The good news is after a reboot, AVZ is no longer showing those red entries. Just a little anomaly, I guess.
     
Loading...
Thread Status:
Not open for further replies.