
Sophos Anti-Rootkit finding lots of hidden files



#1 Guppie (Members)

Posted 09 May 2010 - 07:05 PM

Hello everyone,

I've been doing some maintenance on my parents' PC, and I suspect it may be infected with something. I'd be surprised if it wasn't, since they often do things like open slideshows e-mailed to them, or visit lots of Chinese websites using IE. :thumbsup: I don't have any direct evidence of an infection, except that it seems unusually slow. Norton found a few things sitting quiescently in e-mail attachment directories, which it deleted. Running the various antivirus programs from a Boot CD (UBCD) found nothing. Also ran a few things like Spybot and Malwarebytes, which I think found some minor items. RootkitRevealer and GMER found nothing.

However, when I used EZPCFix/Rootkitty to do a comparative scan between running under the installed Windows XP, and running from a Windows UBCD, I got a mile-long log that lists much of the contents of the drive. Originally I thought I must have targeted the wrong drive or something, but after repeating the scan a few times, I seem to be following the scanner's directions correctly. So either it's not working right, or this could be a strategy to defeat this sort of differential examination, by tweaking a huge number of files so it can hide among them.

Sophos Anti-Rootkit finds 90-some hidden files when run, all listed as Unknown, with cleaning not recommended. I've repeated it a few times, and while there are some items that come and go, most of the entries consistently appear. I can't seem to save a log though. The instructions say the log is saved in "%TEMP%", but I can't find it anywhere, and a global file search comes up with nothing.

Many of the files identified as hidden are in various Windows uninstall directories. Stuff like:

\$NTUninstallKB828035$\
\$NTUninstallKB826939$\
\$NTUninstallKB824141$\
\$NTUninstallQ828026$\
\$NTUninstallKB828028$\

Etc, etc... So, are these uninstall directories normally hidden, or does it look like I have some sort of infection? I'd rather not nuke the system and re-install, as there is a lot of software installed (like Adobe PageMaker, which I know my Dad bought retail), for which I can't find original disks or keys.
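The comparative (cross-view) scan the post describes, as an added example that is not part of the original thread or of the EZPCFix/Rootkitty tool: two directory listings, one taken from the running Windows and one from a boot CD, are normalised and compared, and anything present offline but absent online is reported. The two listings here are constructed inline for illustration; the hypothetical driver path is a placeholder, not a real indicator. Boot CDs frequently mount the same volume under a different drive letter, and listings differ in case, so both are normalised away before comparing, which is one common cause of a "mile-long" diff that lists most of the drive.

```powershell
# Added example (not from the thread): a minimal cross-view comparison of two
# file listings. Sample listings are constructed for illustration only.
$online = @'
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ntoskrnl.exe
C:\Documents and Settings\User\My Documents\letter.doc
'@ -split "`r?`n"

# The boot CD saw the same volume as D:, and also lists two paths the live system did not.
$offline = @'
D:\WINDOWS\system32\kernel32.dll
D:\WINDOWS\system32\ntoskrnl.exe
D:\WINDOWS\$NTUninstallKB828035$\spuninst\spuninst.exe
D:\WINDOWS\system32\drivers\placeholder_hidden.sys
D:\Documents and Settings\User\My Documents\letter.doc
'@ -split "`r?`n"

function ConvertTo-ComparablePath {
  param([string]$Path)
  # Drop the drive letter (boot environments assign their own) and fold case
  # (NTFS is case-insensitive), otherwise nearly every path looks "different".
  return ($Path -replace '^[A-Za-z]:', '').ToLowerInvariant()
}

function Get-CrossViewDiff {
  param([string[]]$OnlineListing, [string[]]$OfflineListing)
  $onlineSet = @{}
  foreach ($p in $OnlineListing) {
    if ($p) { $onlineSet[(ConvertTo-ComparablePath $p)] = $true }
  }
  foreach ($p in $OfflineListing) {
    if (-not $p) { continue }
    if (-not $onlineSet.ContainsKey((ConvertTo-ComparablePath $p))) {
      # Windows Update backup folders are hidden by design; class them separately
      # so the genuinely unexplained offline-only entries stand out.
      $class = if ($p -match '\\\$NTUninstall(KB|Q)\d+\$\\') {
        'update-backup (hidden by design)'
      } else {
        'offline-only: investigate'
      }
      New-Object PSObject -Property @{ Path = $p; Class = $class }
    }
  }
}

Get-CrossViewDiff -OnlineListing $online -OfflineListing $offline |
  Format-Table Class, Path -AutoSize
```

With the sample data the kernel32.dll, ntoskrnl.exe and letter.doc entries match once the drive letter is stripped, the spuninst.exe path is reported as an update backup, and only the placeholder driver is left in the "investigate" class. Without the drive-letter normalisation every line would be reported, which is the failure mode the poster ran into.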


#2 boopme (Global Moderator)

Posted 09 May 2010 - 11:13 PM

Hello, not malware... When you install updates from Windows Update, backup folders are created for the files that were replaced during the update. These are created so that you can easily uninstall a particular Hotfix, if it causes problems with your system. If your system is running stable and you don't need to uninstall the hotfixes, then you can safely remove the backup files to free up disk space.

See Doug Knox
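A way to verify the moderator's explanation on the machine itself rather than take it on trust, as an added example that is not from the thread: each $NTUninstallKB…$ or $NTUninstallQ…$ folder under %SystemRoot% is enumerated with its attributes, and it is checked for the uninstaller Windows Update places in its spuninst subfolder and for a matching entry under the Add/Remove Programs registry key, which are the two things a genuine hotfix backup carries. It assumes PowerShell is installed (an optional component on Windows XP) and is run from an administrative account.

```powershell
# Added example (not from the thread): inventory Windows Update hotfix backup folders
# and confirm each looks like a genuine hotfix backup. Assumes PowerShell on XP-era Windows.
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-HotfixBackupFolders {
  param([string]$WindowsDir = $env:SystemRoot)
  # -Force is required: the folders carry the Hidden attribute and Get-ChildItem skips them otherwise.
  Get-ChildItem -Path $WindowsDir -Force -Filter '$NTUninstall*$' |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
      # "$NTUninstallKB828035$" -> "KB828035"; older hotfixes use a Q prefix ("Q828026").
      $id = $_.Name.TrimStart('$').Substring('NTUninstall'.Length).TrimEnd('$')
      # Windows Update writes the uninstaller into <folder>\spuninst\spuninst.exe ...
      $hasUninstaller = Test-Path (Join-Path $_.FullName 'spuninst\spuninst.exe')
      # ... and registers the hotfix under the Add/Remove Programs key by the same id.
      $hasRegEntry = Test-Path (Join-Path $uninstallKey $id)
      $verdict = if ($hasUninstaller -and $hasRegEntry) { 'expected hotfix backup' } else { 'review' }
      New-Object PSObject -Property @{
        Folder         = $_.Name
        Hotfix         = $id
        Attributes     = [string]$_.Attributes   # shows Hidden for these folders
        Uninstaller    = $hasUninstaller
        AddRemoveEntry = $hasRegEntry
        Verdict        = $verdict
      }
    }
}

Get-HotfixBackupFolders |
  Sort-Object Hotfix |
  Format-Table Hotfix, Attributes, Uninstaller, AddRemoveEntry, Verdict -AutoSize
```

Folders reported as "expected hotfix backup" match what the moderator describes; anything marked "review" simply lacks one of the two markers and deserves a closer look before assuming it is benign. If the backups are removed to reclaim space, deleting the folders by hand leaves the corresponding Add/Remove Programs entries orphaned, whereas uninstalling the hotfix through Add/Remove Programs removes both.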