30 Replies Latest reply: Apr 11, 2008 2:53 AM by GaryCooper

    VirusScan Enterprise 8.5i on-demand scan found alterations to code or data (rootkit?)

      Today I ran an on-demand scan (memory & local drives).

      During the memory scan a console message displayed "The On-Demand Scan found alterations to code or data which may indicate that a rootkit is attempting to hide files, registry keys, processes or other items. If this scan fails to find anything then the computer should be scanned with McAfee PreScan or booted into Safe Mode and this scan run again".

      The scan continued to completion and the log reported zero detections.

      Since PreScan does not support Vista I re-ran in Safe Mode - no console messages were displayed and the log reported zero detections.

      Was this a false positive/lack of Vista compatibility or should I be doing more diagnostics?

      Any advice much appreciated.

      Thanks,

      Jim Daykin

      Client system:
      3 GB RAM
      Windows Vista Home Premium (latest Microsoft updates ex SP1) – not an upgrade
      Windows Firewall on and Windows Defender running
      VirusScan Enterprise 8.5i + patch 4 – not an upgrade/no previous versions on system
      Broadband

      Last full scan in October 2007 - no console messages displayed and log reported zero detections.
        • 1. RE: VirusScan Enterprise 8.5i on-demand scan found alterations to code or data (rootkit?)
          We've seen a couple other users with this issue.. Some more info might help us figger it out..

          Which DAT number is installed?

          And do you mean SP1 for Vista IS installed?

          Grif
          • 2. Same situation
            Yesterday I had the same message when I ran an on-demand scan. I had not run a full scan for some time. The full scan completed and did not find anything - I rebooted the system into safe mode and ran another full scan - again, nothing was found.

            I am also running VirusScan 8.5.0i with no installed patches. The DAT version is 5244.0000

            My system is a Dell XPS 420 running Windows Vista Home Premium.
            3 GB RAM
            Also have Windows Firewall on with Windows Defender. I ran a check with Windows Defender and it did not find anything.

            I have done a few System Restores in the past few weeks; wondered if the detection had anything to do with the system being changed due to the restore. Any information/assistance would be much appreciated. I was working with Dell on a sound card problem - as part of his troubleshooting procedure, the tech started an anti-virus scan. When this message popped up, he dropped the case like a hot potato and said that they would not work any further on a system that reported any kind of infection. So now I have a system with a non-functional sound card and can't get any further support with it.
            • 3. RE: Same situation
              Jubo
              Anyone tried RootkitRevealer v1.71?
              • 4. RE: Same situation
                tonyb99
                or the McAfee Rootkit Detective

                http://vil.nai.com/vil/stinger/rkstinger.aspx
                • 5. RE: VirusScan Enterprise 8.5i on-demand scan found alterations to code or data (rootkit?)


                  - I've got VirusScan updating daily (I think the 4th March DAT was 5243)
                  - ex SP1 meaning excludes SP1


                  It's an HP Pavilion A6250 (UK spec) with an Intel Core 2 Quad Q6600 (Vista Home Premium is 32-bit).

                  Please let me know if there are other details I should provide.

                  Thanks,

                  Jim Daykin
                  • 6. RE: Same situation



                    - It seems Vista isn't one of the supported operating systems.

                    Regards,

                    Jim Daykin
                    • 7. RE: Same situation
                      So,

                      With the newest DAT which is 4245 or 4246, depending on when you see this message, does a full system On-Demand scan find the same thing now?

                      Just curious.

                      Grif
                      • 8. Same Problem
                        I've been receiving the same message under similar circumstances.

                        OS: Windows Vista Business 32bit
                        VirusScan Enterprise 8.5i
                        Engine: 5200.2160
                        DAT: 5245.0000
                        1 patch installed

                        I get the message:
                        "The On-Demand Scan found alterations to code or data which may indicate that a rootkit is attempting to hide files, registry keys, processes or other items. If this scan fails to find anything then the computer should be scanned with McAfee PreScan or booted into Safe Mode and this scan run again"

                        From what I understand there is no "PreScan" for Vista. I've tried scanning in Safe Mode and nothing is detected AND the above message is not displayed.

                        As far as root kit scanners:
                        McAfee rootkit detective doesn't support Vista
                        and
                        RootkitRevealer also has trouble with Vista (detects 400,000+ discrepancies)

                        Any ideas?
                        • 9. Same problem here
                          Hi All!

                          I'm having the same problem described above. I'm running McAfee VirusScan Enterprise 8.5i, I believe with DAT 5249 (that's what I saw when I opened the log file of the dialup update). My OS is Windows Vista Business, running on an HP dv6000 Pavilion laptop (Intel Core Duo 2 7200@2.00GHz, 2GB RAM, etc.).

                          I update and run a full scan daily, and everything used to be ok until I started receiving the infamous message:


                          "The On-Demand Scan found alterations to code or data which may indicate that a rootkit is attempting to hide files, registry keys, processes or other items. If this scan fails to find anything then the computer should be scanned with McAfee PreScan or booted into Safe Mode and this scan run again"

                          around 2 weeks ago.

                          Some of the things I have tried (and none of them solved it):

                          -running AVG Anti-Rootkit
                          -running the McAfee full scan in safe mode
                          -running Spybot Search & Destroy both in normal and safe mode
                          -running Ad-Aware both in normal and safe mode
                          -reinstalled Windows Vista from the HP recovery partition on disc D:\ that came with laptop
                          -reinstalled Windows Vista from a Windows/HP recovery DVD that came with laptop

                          As the other user above said, when I run the on-demand full scan in safe mode I don't get the message; but I get it always in normal mode. Also, after reinstalling Windows I ran the McAfee scan before installing any other software (except mozilla firefox) and the message is always there.

                          I should also add that the scan seems to stop and pop-up the window with the message always at the same point, when it is scanning a file named:

                          IRP_MJ_SYSTEM_CONTROL



                          I'm led to think that the problem is one of the following 2:

                          a) My computer is clean and the message is just VirusScan being paranoid after some update that McAfee made on their files some weeks ago. I base this hypothesis on the fact that it seems to be working just fine.

                          b) The rootkit is somehow in my recovery partition, so that even reinstalling Vista does not solve the problem. If this is true...well...I guess everything is lost (isn't it?)

                          PLEASE HELP! Any suggestions, info, etc will be highly appreciated. This issue is really driving me nuts.

                          By the way, I'm pretty ignorant about this stuff, so please if you need me to send any additional details/info describe where to get it in computers-for-dummies language.

                          I would be very grateful if you could give me any help.

                          Thanks a lot in advance!!