regenerating rootkits
LedFloyd
Junior Member with 4 posts.
Join Date: Feb 2009
Location: Scotland
Experience: Advanced
28-Feb-2009, 08:58 PM #1
regenerating rootkits
Hi.
I have recently noticed two hidden rootkits in "System32/Drivers" found only by AVG Anti-rootkit (on 8.0.237) and UnHackMe. AVG would not allow any action to be taken with these rootkits; however, UnHackMe would. After removing with UnHackMe you need to restart to "complete removal". Upon restarting I scanned with AVG again and found a different two rootkits (names were both 8.3, random letters and numbers, file type *.sys). I have tested with around twenty different rootkit finders and removers (in safe mode, normal and DOS) that were not able to find the rootkits AVG showed. I removed SecuROM just to make sure; it wasn't that. I googled for some research on programs with randomly generated names for their files, and found out that both Alcohol 120% and Daemon Tools use a randomly named hidden file to avoid detection by legit programs. I had a brainwave... uninstalled Alcohol 120%, scanned with AVG... only one rootkit found. Uninstalled Daemon Tools, scanned with AVG... no rootkits found.
These rootkits by both Alcohol and Daemon are harmless and are required for the function of a virtual drive. AVG wastes another 8 hours or so of my life. Thought this might save someone doing the same, as I was surprised about the lack of info regarding this problem. If anyone knows any more programs that use this technique could you please let me know?
Thanks
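A defender-side triage helper in the spirit of what LedFloyd did (uninstall one suspected virtual-drive product at a time, rescan, compare). This is an added example, not code from the thread or from AVG/UnHackMe; the report line format, the sample paths and the random-name heuristic are assumptions. Because the flagged driver names regenerate on every reboot, the scans are compared by pattern class and count rather than by exact filename.

```python
import re
from collections import OrderedDict

# Constructed sample reports (line format is assumed, not real AVG/UnHackMe output).
# The 8.3 names differ between scans, as they do after a reboot on the real system.
REPORT_INITIAL = """\
hidden driver: C:\\Windows\\System32\\Drivers\\qx7f2k9a.sys
hidden driver: C:\\Windows\\System32\\Drivers\\b3zt8m1c.sys
"""
REPORT_AFTER_ALCOHOL = """\
hidden driver: C:\\Windows\\System32\\Drivers\\m9r4wq2e.sys
"""
REPORT_AFTER_DAEMON = ""

LINE_RE = re.compile(r"^hidden driver:\s+(?P<path>.+?)\s*$", re.IGNORECASE)
# Heuristic for "random-looking" 8.3 driver names: up to 8 letters/digits with at
# least one of each, .sys extension. Legit drivers such as ntfs.sys have no digit.
RANDOM_83_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{1,8}\.sys$", re.IGNORECASE)


def parse_report(text):
    """Return the driver paths a scanner report flags as hidden."""
    return [m.group("path") for line in text.splitlines()
            if (m := LINE_RE.match(line))]


def is_random_83_driver(path):
    """True if the path is a random-looking 8.3 .sys file under System32\\Drivers."""
    parts = path.replace("/", "\\").split("\\")
    parent = "\\".join(parts[-3:-1]).lower()
    return parent == "system32\\drivers" and bool(RANDOM_83_RE.match(parts[-1]))


def attribute_detections(steps):
    """steps: ordered (label, report_text) pairs; the first pair is the baseline.
    Returns (attributed, remaining): how many random-named hidden drivers vanished
    after each uninstall step, and how many are still left for manual review."""
    counts = [(label, sum(1 for p in parse_report(txt) if is_random_83_driver(p)))
              for label, txt in steps]
    attributed = OrderedDict()
    prev = counts[0][1]
    for label, n in counts[1:]:
        attributed[label] = max(prev - n, 0)
        prev = n
    return attributed, prev


if __name__ == "__main__":
    steps = [("baseline", REPORT_INITIAL),
             ("uninstalled Alcohol 120%", REPORT_AFTER_ALCOHOL),
             ("uninstalled Daemon Tools", REPORT_AFTER_DAEMON)]
    print(attribute_detections(steps))
```

A step whose count drops points at that product's own hidden driver rather than malware; anything still counted after all candidate products are removed is what deserves a closer look.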
perfume
Account Disabled with 2,011 posts.
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
28-Feb-2009, 11:22 PM #2
Dear LedFloyd,
Congratulations on a fantastic job done! Rootkits are going to proliferate like no one's business and you have found that the "Unhack Me" tool helped you, and in the process I have learnt too! Many thanks!
Gizzy
Library Manager with 3,671 posts.
Join Date: Aug 2005
Location: NJ, USA
Experience: Comp Security Enthusiast
01-Mar-2009, 12:31 AM #3
Hello,

So not actually rootkits, just false positives by AVG?
IMiteBable2help
Senior Member with 1,003 posts.
Join Date: Nov 2001
Location: 172 Miles S of Microsoft Corp
Experience: Advanced but no Expert
01-Mar-2009, 06:06 AM #4
AVG is known for quite a few false positives. It will often flag clean files as "potentially unwanted". Furthermore, even the best rootkit detectors out there are bound to have a few false positives. (If they didn't have false positives, they wouldn't be any good.) They only look for the signs that a rootkit COULD be there, and report it. There are legit reasons to find a "sign" of a rootkit present. It doesn't mean you have a rootkit.

Be careful when you go about deleting, and removing, and slashing and dashing at files and programs. There's a very high potential that doing so would make you the number one threat to your PC, especially if you interpret every result from your scanning software to mean that you're infected.
__________________
Ever notice how the lives we make never seem to get us anywhere but dead?*** My build: AMD Athlon64 X2 6400+Black Edition, Asus M2R32-MVP Mobo, Windows XP MCE, 2GB Dual-Channel DDR2-800 RAM, 512MB NVIDIA GeForce 8400 GS Graphics, WD 500GB SATA-2 HDD, Sony Multi-Recorder DVD-RW/DVD-RAM, PCI-HDTV Tuner, Monitor: 42" LCD 1080p 16:9

Last edited by IMiteBable2help; 01-Mar-2009 at 06:15 AM..
rainforest123
Distinguished Member with 6,632 posts.
Join Date: Dec 2004
Experience: Advanced
01-Mar-2009, 06:19 AM #5
It is unusual for a rootkit to appear, when using "windows explorer" or drilling down, with "my computer".

As previously noted, I agree with the rise of rootkits, as well as false - and false + results. That is why, I think, that it is dangerous to clean up a computer without a lot of knowledge.

These sites were noted in a post of this sub forum, within the past 2 weeks.
http://www.f-secure.com/weblog/archives/00001610.html
http://invisiblethings.org

RF123
__________________
Give someone a fish and they eat for a day. Teach someone to fish and they eat for a lifetime.
Change is constant. Growth is optional.
Attributes. http://www.wayneburke.com/Changeqte.html
LedFloyd
Junior Member with 4 posts.
Join Date: Feb 2009
Location: Scotland
Experience: Advanced
03-Mar-2009, 05:54 AM #6
Quote:
Originally Posted by Gizzy
Hello,

So not actually rootkits, just false positives by AVG?
Just to clarify, yes they were false positives.
rainforest123
Distinguished Member with 6,632 posts.
Join Date: Dec 2004
Experience: Advanced
03-Mar-2009, 07:43 AM #7
2 to 3 yrs ago, Sony included a rootkit on a group of CDs, which installed themselves when a music lover played the CD on a PC. The American state of TX sued, successfully, Sony.

I keep some malware removal tools / utilities on my PC. Over the yrs, Zone Alarm Internet Security, Panda Internet Security & AVG Internet Security have identified some of these utilities as malware.

False +s occur because the way, in this case, AVG determines if a file is a rootkit coincides with the way the file was written. False +s occur in any test, from tasting blueberry pies to diagnosing medical conditions.

RF123
IMiteBable2help
Senior Member with 1,003 posts.
Join Date: Nov 2001
Location: 172 Miles S of Microsoft Corp
Experience: Advanced but no Expert
03-Mar-2009, 02:50 PM #8
Sounds to me like the OP was trying to get rid of files that were part of the OS. If that's the case, they are just going to come back. I'm pretty darn sure that these were false positives. Like I said, rootkit scanners just look for the signs of a rootkit and report it. It doesn't claim you actually have one.
rainforest123
Distinguished Member with 6,632 posts.
Join Date: Dec 2004
Experience: Advanced
03-Mar-2009, 05:16 PM #9
Different rootkit scanners use different methods of determining whether or not a rootkit file is present, in the same way that different AV scanners determine whether or not an infection is present in a particular file.
virusscan.jotti.org, for example, gives one the opportunity to scan individual files with many different scan engines.
Sometimes an infected file, shortly after release, will be determined to be infected by a virus, by only a few. Could this be a false +? Yes. Are the scans that do not detect an infection incorrect? Maybe. Perhaps false negatives.

RF123
rainforest123
Distinguished Member with 6,632 posts.
Join Date: Dec 2004
Experience: Advanced
04-Mar-2009, 07:16 PM #10
LF:
[ By the way, which one's Pink? ]

Here is an example of a false +.
http://www.ocbase.com/perestroika_en/index.php

RF123