14278 Views 30 Replies Latest reply: Apr 11, 2008 2:53 AM by GaryCooper
Newcomer 3 posts since
Mar 4, 2008

Mar 4, 2008 11:57 AM

VirusScan Enterprise 8.5i on-demand scan found alterations to code or data (rootkit?)

Today I ran an on-demand scan (memory & local drives).

During the memory scan a console message displayed "The On-Demand Scan found alterations to code or data which may indicate that a rootkit is attempting to hide files, registry keys, processes or other items. If this scan fails to find anything then the computer should be scanned with McAfee PreScan or booted into Safe Mode and this scan run again".

The scan continued to completion and the log reported zero detections.

Since PreScan does not support Vista I re-ran in Safe Mode - no console messages were displayed and the log reported zero detections.

Was this a false positive/lack of Vista compatibility or should I be doing more diagnostics?

Any advice much appreciated.

Thanks,

Jim Daykin

Client system:
3 GB RAM
Windows Vista Home Premium (latest Microsoft updates ex SP1) – not an upgrade
Windows Firewall on and Windows Defender running
VirusScan Enterprise 8.5i + patch 4 – not an upgrade/no previous versions on system
Broadband

Last full scan in October 2007 - no console messages displayed and log reported zero detections.
  • Apprentice 11,659 posts since
    Sep 29, 2002
    We've seen a couple of other users with this issue. Some more info might help us figure it out.

    Which DAT number is installed?

    And do you mean SP1 for Vista IS installed?

    Grif
  • Newcomer 2 posts since
    Mar 4, 2008
    2. Mar 4, 2008 10:51 PM (in response to Grif)
    Same situation
    Yesterday I had the same message when I ran an on-demand scan. I had not run a full scan for some time. The full scan completed and did not find anything - I rebooted the system into safe mode and ran another full scan - again, nothing was found.

    I am also running VirusScan 8.5.0i with no installed patches. The DAT version is 5244.0000

    My system is a Dell XPS 420 running Windows Vista Home Premium.
    3 GB RAM
    Also have Windows Firewall on with Windows Defender. I ran a check with Windows Defender and it did not find anything.

    I have done a few System Restores in the past few weeks; wondered if the detection had anything to do with the system being changed due to the restore. Any information/assistance would be much appreciated. I was working with Dell on a sound card problem - as part of his troubleshooting procedure, the tech started an anti-virus scan. When this message popped up, he dropped the case like a hot potato and said that they would not work any further on a system that reported any kind of infection. So now I have a system with a non-functional sound card and can't get any further support with it.
  • Jubo Volunteer Moderator 33,772 posts since
    Sep 19, 2002
    3. Mar 5, 2008 12:59 AM (in response to MarkRicketson)
    RE: Same situation
    Anyone tried RootkitRevealer v1.71?
  • tonyb99 Champion 3,844 posts since
    Apr 10, 2006
    4. Mar 5, 2008 3:01 AM (in response to Jubo)
    RE: Same situation
    or the mcafee rootkit detective

    http://vil.nai.com/vil/stinger/rkstinger.aspx

  • Apprentice 11,659 posts since
    Sep 29, 2002
    7. Mar 6, 2008 11:32 AM (in response to JimDaykin)
    RE: Same situation
    So,

    With the newest DAT which is 4245 or 4246, depending on when you see this message, does a full system On-Demand scan find the same thing now?

    Just curious.

    Grif
  • Newcomer 1 posts since
    Mar 6, 2008
    8. Mar 6, 2008 2:12 PM (in response to Grif)
    Same Problem
    I've been receiving the same message under similar circumstances.

    OS: Windows Vista Business 32bit
    VirusScan Enterprise 8.5i
    Engine: 5200.2160
    DAT: 5245.0000
    1 patch installed

    I get the message:
    "The On-Demand Scan found alterations to code or data which may indicate that a rootkit is attempting to hide files, registry keys, processes or other items. If this scan fails to find anything then the computer should be scanned with McAfee PreScan or booted into Safe Mode and this scan run again"

    From what I understand there is no "PreScan" for Vista. I've tried scanning in Safe Mode and nothing is detected AND the above message is not displayed.

    As far as root kit scanners:
    McAfee rootkit detective doesn't support Vista
    and
    RootkitRevealer also has trouble with Vista (detects 400,000+ discrepancies)

    Any ideas?
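The two rootkit scanners named in the post above are cross-view detectors: they enumerate the file system and registry once through the normal Windows API and once from raw on-disk structures, then report every difference. The 400,000+ discrepancies mentioned for Vista are mostly the noise such a comparison produces on a live system. The following is an added illustration of how a cross-view result is triaged so that real "hidden" objects stand out from churn; it is not RootkitRevealer's or McAfee's code, and all paths, sizes and timestamps in it are constructed sample data.

```python
"""Cross-view discrepancy triage (added illustration, not RootkitRevealer code).

A cross-view detector compares what the Windows API reports with a low-level
view (raw NTFS structures, raw hive files).  An object present in the raw
view but absent from the API view is the hiding signature a rootkit leaves.
On a live system, though, most discrepancies are noise: objects created or
changed while the two enumerations ran, and locations the API never exposes.
All entries below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Entry:
    path: str   # file path or registry key path
    size: int   # file size or value data length in bytes
    mtime: int  # last-write time, seconds


def cross_view_diff(api_view: Iterable[Entry], raw_view: Iterable[Entry],
                    scan_start: int, scan_end: int,
                    benign_prefixes: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Classify every path seen in either view.

    hidden   - raw view only, untouched during the scan: candidate hidden object
    phantom  - API view only (virtualised by the API, or deleted mid-scan)
    mismatch - in both views but sizes disagree: on-disk data differs from what
               the API returns
    noise    - explained by churn during the scan window or a known-benign prefix
    """
    api = {e.path.lower(): e for e in api_view}
    raw = {e.path.lower(): e for e in raw_view}
    prefixes = tuple(p.lower() for p in benign_prefixes)
    result: dict[str, list[str]] = {"hidden": [], "phantom": [], "mismatch": [], "noise": []}

    def churned(e: Entry) -> bool:
        # Anything written while the two enumerations ran cannot be trusted
        # either way; RootkitRevealer-style tools show these as timing noise.
        return scan_start <= e.mtime <= scan_end

    for path in sorted(set(api) | set(raw)):
        a, r = api.get(path), raw.get(path)
        if a is not None and r is not None:
            if a.size == r.size:
                continue
            result["noise" if churned(a) or churned(r) else "mismatch"].append(path)
            continue
        e = a if a is not None else r
        if churned(e) or path.startswith(prefixes):
            result["noise"].append(path)
        elif r is not None:
            result["hidden"].append(path)
        else:
            result["phantom"].append(path)
    return result


# Constructed sample: the scan ran from t=1000 to t=1100.
SCAN_START, SCAN_END = 1_000, 1_100

API_VIEW = [
    Entry(r"C:\Windows\System32\drivers\acpi.sys", 187_904, 500),
    Entry(r"C:\Windows\System32\svchost.exe", 27_136, 500),
    Entry(r"C:\Users\jim\NTUSER.DAT.LOG1", 262_144, 1_050),        # written mid-scan
]
RAW_VIEW = [
    Entry(r"C:\Windows\System32\drivers\acpi.sys", 187_904, 500),
    Entry(r"C:\Windows\System32\svchost.exe", 28_160, 500),         # size differs from API
    Entry(r"C:\Users\jim\NTUSER.DAT.LOG1", 266_240, 1_050),         # grew mid-scan: noise
    Entry(r"C:\$Extend\$ObjId", 0, 0),                               # NTFS metadata, never via API
    Entry(r"C:\Windows\System32\drivers\hidden.sys", 40_960, 200),   # raw only, old: hidden
    Entry(r"C:\Windows\Temp\tmp7F3A.tmp", 12, 1_080),                # created mid-scan: noise
]


def run_sample() -> dict[str, list[str]]:
    return cross_view_diff(API_VIEW, RAW_VIEW, SCAN_START, SCAN_END,
                           benign_prefixes=(r"C:\$Extend",))


if __name__ == "__main__":
    for bucket, paths in run_sample().items():
        print(f"{bucket:9s} {len(paths)}")
        for p in paths:
            print("   ", p)
```

Only the `hidden` and `mismatch` buckets deserve manual follow-up; the point of the `noise` bucket is that a raw count of discrepancies, like the six figures reported above, says nothing until timing churn and API-invisible metadata have been subtracted.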
  • Newcomer 7 posts since
    Mar 11, 2008
    9. Mar 11, 2008 7:26 PM (in response to BTriplett)
    Same problem here
    Hi All!

    I'm having the same problem described above. I'm running McAfee VirusScan Enterprise 8.5i, I believe with DAT 5249 (that's what I saw when I opened the log file of the dial-up update). My OS is Windows Vista Business, running on an HP dv6000 Pavilion laptop (Intel Core Duo 2 7200@2.00GHz, 2GB RAM, etc.).

    I update and run a full scan daily, and everything used to be ok until I started receiving the infamous message:


    "The On-Demand Scan found alterations to code or data which may indicate that a rootkit is attempting to hide files, registry keys, processes or other items. If this scan fails to find anything then the computer should be scanned with McAfee PreScan or booted into Safe Mode and this scan run again"

    around 2 weeks ago.

    Some of the things I have tried (and none of them solved it):

    -running AVG Anti-Rootkit
    -running the McAfee full scan in Safe Mode
    -running Spybot Search & Destroy both in normal and Safe Mode
    -running Ad-Aware both in normal and Safe Mode
    -reinstalled Windows Vista from the HP recovery partition on disk D:\ that came with the laptop
    -reinstalled Windows Vista from a Windows/HP recovery DVD that came with the laptop

    As the other user above said, when I run the on-demand full scan in safe mode I don't get the message; but I get it always in normal mode. Also, after reinstalling Windows I ran the McAfee scan before installing any other software (except mozilla firefox) and the message is always there.

    I should also add that the scan seems to stop and pop-up the window with the message always at the same point, when it is scanning a file named:

    IRP_MJ_SYSTEM_CONTROL



    I'm led to think that the problem is one of the following two:

    a) My computer is clean and the message is just VirusScan being paranoid after some update that McAfee made to their files some weeks ago. I base this hypothesis on the fact that it seems to be working just fine.

    b) The rootkit is somehow in my recovery partition, so that even reinstalling Vista does not solve the problem. If this is true...well...I guess everything is lost (isn't it?)

    PLEASE HELP! Any suggestions, info, etc will be highly appreciated. This issue is really driving me nuts.

    By the way, I'm pretty ignorant about this stuff, so please if you need me to send any additional details/info describe where to get it in computers-for-dummies language.

    I would be very grateful if you could give me any help.

    Thanks a lot in advance!!
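The item the scan stops on in the post above, IRP_MJ_SYSTEM_CONTROL, is not a file but one of the IRP major function codes in a kernel driver's dispatch table, which is the kind of "code or data" a memory scan checks for alterations. A hook in that table is installed by a driver loaded at boot, so a check of this sort can fire in normal mode and stay silent in Safe Mode, where most third-party drivers are not loaded. The following is an added illustration of how such a dispatch-table check is triaged; it is not McAfee's scanner logic, and the module list, driver objects, addresses and the filter driver name fltdrv.sys are all constructed for the example.

```python
"""IRP dispatch-table triage (added illustration; not McAfee's scanner logic).

Every loaded kernel driver owns a DRIVER_OBJECT whose MajorFunction[] table
maps each IRP major code (IRP_MJ_CREATE, IRP_MJ_SYSTEM_CONTROL, ...) to the
routine that services it.  Normally each routine lies inside the image of
the driver that owns the object, or inside the kernel image (majors a driver
does not implement default to a kernel stub).  A routine anywhere else is an
"alteration to code or data"; where it points decides the severity:
  * into another loaded, identifiable module: a hook by a filter product
    (security software, DLP, vendor filters) - explainable, but review it
  * into no loaded module at all: executing code that is missing from the
    module list, the classic rootkit indicator.
Modules, driver objects and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

IRP_MJ_NAMES = {
    0x00: "IRP_MJ_CREATE",
    0x02: "IRP_MJ_CLOSE",
    0x03: "IRP_MJ_READ",
    0x04: "IRP_MJ_WRITE",
    0x0E: "IRP_MJ_DEVICE_CONTROL",
    0x17: "IRP_MJ_SYSTEM_CONTROL",   # WMI requests; the entry named in the post above
}


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class DriverObject:
    name: str
    image: str                       # module that owns this DRIVER_OBJECT
    major_function: dict[int, int]   # IRP_MJ code -> handler address


@dataclass(frozen=True)
class Finding:
    driver: str
    irp: str
    target: int
    owner: Optional[str]   # module the handler resolves into, None if unbacked
    severity: str          # "review" (another module) or "suspicious" (no module)


def module_at(addr: int, modules: list[Module]) -> Optional[Module]:
    return next((m for m in modules if m.contains(addr)), None)


def triage_dispatch_tables(drivers: list[DriverObject], modules: list[Module],
                           kernel_image: str = "ntoskrnl.exe") -> list[Finding]:
    by_name = {m.name.lower(): m for m in modules}
    findings: list[Finding] = []
    for drv in drivers:
        own = by_name[drv.image.lower()]
        for mj, target in drv.major_function.items():
            if own.contains(target):
                continue                      # handler inside the owning driver: normal
            owner = module_at(target, modules)
            if owner is not None and owner.name.lower() == kernel_image.lower():
                continue                      # kernel default stub: normal
            findings.append(Finding(
                driver=drv.name,
                irp=IRP_MJ_NAMES.get(mj, f"IRP_MJ_0x{mj:02X}"),
                target=target,
                owner=owner.name if owner else None,
                severity="review" if owner else "suspicious",
            ))
    return findings


# Constructed sample data (32-bit style kernel addresses, hypothetical layout).
MODULES = [
    Module("ntoskrnl.exe", 0x8060_0000, 0x0040_0000),
    Module("acpi.sys",     0x8A00_0000, 0x0002_0000),
    Module("disk.sys",     0x8A10_0000, 0x0001_0000),
    Module("fltdrv.sys",   0x8B00_0000, 0x0001_0000),   # hypothetical filter driver
]
DRIVERS = [
    DriverObject(r"\Driver\ACPI", "acpi.sys", {
        0x00: 0x8A00_1200,   # inside acpi.sys
        0x03: 0x8061_2340,   # kernel stub for an unimplemented major: expected
        0x17: 0x8F12_3000,   # no loaded module owns this address
    }),
    DriverObject(r"\Driver\Disk", "disk.sys", {
        0x00: 0x8A10_0800,
        0x0E: 0x8B00_0500,   # redirected into fltdrv.sys
        0x17: 0x8A10_0C00,
    }),
]


def run_sample() -> list[Finding]:
    return triage_dispatch_tables(DRIVERS, MODULES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:10s} {f.driver} {f.irp} -> {f.target:#010x} "
              f"({f.owner or 'no module'})")
```

The distinction the example draws is the one a practitioner needs when this warning appears with zero detections: a handler redirected into another loaded driver can be explained by identifying that driver (often a filter product installed on the machine), whereas a handler pointing where no module is loaded has no benign explanation and warrants an offline scan of the disk.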