can it be that CTM is identified as a threat when scanning with Hitman Pro 3.6?

[Guest]

[finn1313]

I ran a scan today with Hitman Pro 3.6, and at the end I got the result shown in the enclosed file here (result.txt)

I would like to know please if its possible that Hitman pro was false-positively identifying my CTM 2.9 Beta as a threat or is it that I do have a serious threat on my MBR?

thanks a lot!

[Ronny]

I'd say yes it flags it because of CTM.

The 'infected' sectors clearly show CTM_ loader is there, the rest is crypted.

Code:

0000  FA E9 EB 00 F8 EC 68 23 43 54 4D 5F 00 00 00 00  úéë.øìh#CTM_....

Normally MBR infectors cause issues when overwriting existing changed MBRs, take a Truecrypt MBR or a CTM MBR it would break TC or CTM.
If a TC MBR is changed you can't boot your system and if a CTM one is I think it won't boot or else at least the 'home' button feature should fail to work.

[finn1313]

thank you for dispelling my worry!

I would like to reassure myself (by your permission) that I have fully understood your explanation -
do you mean that since my computer boots fine (an infector would have rendered my boot kaput)
and since the CTM_ letters can be clearly traced within the Hex - therefore it must have been  a FP on behalf of Hitman Pro?

[Ronny]

thank you for dispelling my worry!

I would like to reassure myself (by your permission) that I have fully understood your explanation -
do you mean that since my computer boots fine (an infector would have rendered my boot kaput)
and since the CTM_ letters can be clearly traced within the Hex - therefore it must have been  a FP on behalf of Hitman Pro?

I'd say 99% chance on a FP, it's such a specific product that I don't expect the MBR Rootkit to be tweaked to fly under the radar of a CTM MBR.
You can chose to make a second opinion with a tool like GMER who can detect rootkits also. It will also flag the MBR because of CTM but might rule out other findings like hidden drivers etc.

[Ronny]

do you mean that since my computer boots fine (an infector would have rendered my boot kaput)

Yep, I have tested that with a TrueCrypt MBR and that fails to boot once the infector has changed it.
I'm not aware (that doesn't mean they don't exist or course) of mass infecting rootkits that can live with a non default MBR like TC/CTM.

[finn1313]

I appreciate your comprehensive treatment of my plight
thank you

[Ronny]

thank you

Your welcome

[Gramor]

Just to confirm that I am also using CTM and after a scan, it was also flagged up as Win32\MBR Bootkit on my system by Hitman Pro 3.6 and I am relieved as I know confirm about this being a false positive.

[Tags:]