Do I have a rootkit or is it just false alarm?


2 replies to this topic

#1 Gudfadern111

  • Members
  • 2 posts

Posted 21 November 2010 - 02:57 PM

Today I was scanning my computer, making sure it was clean. I made a full scan with MBAM, a quick scan with avast Internet Security, a quick scan with SUPERAntiSpyware and some scanning with Spybot S&D. I finished off by using the BlackLight anti-rootkit tool, just for the sake of conscience really.
Then BlackLight said it had found 2 hidden files...

I found out these files were files belonging to the sandbox of avast Internet Security.

Are these files harmless being in the sandbox, or should I delete them or rename them?

Here is the scan by BlackLight:

11/21/10 19:11:50 [Info]: BlackLight Engine 2.2.1092 initialized
11/21/10 19:11:50 [Info]: OS: 5.1 build 2600 (Service Pack 3)
11/21/10 19:11:50 [Note]: 7019 4
11/21/10 19:11:50 [Note]: 7005 0
11/21/10 19:11:53 [Note]: 7006 0
11/21/10 19:11:53 [Note]: 7011 400
11/21/10 19:11:53 [Note]: 7035 0
11/21/10 19:11:53 [Note]: 7026 0
11/21/10 19:11:53 [Note]: 7026 0
11/21/10 19:11:58 [Note]: FSRAW library version 1.7.1024
11/21/10 19:12:03 [Info]: Hidden file: c:\## aswSnx private storage\snx_rhive
11/21/10 19:12:03 [Note]: 10002 3
11/21/10 19:12:03 [Info]: Hidden file: c:\## aswSnx private storage\snx_rhive.LOG
11/21/10 19:12:03 [Note]: 10002 3


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,590 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 November 2010 - 08:11 AM

Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

I believe those hidden files are related to avast anti-virus (C:\Windows\SysNative\drivers\aswSnx.sys). Most references I found are on Finnish, German or Italian forums where users have avast installed, but it is mentioned as an avast file at Wilders Security forums.

What specific issues are you having that require a request for assistance with malware removal? Please describe any problem(s) in detail as they could provide a clue as to whether your issues are malware related or not.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
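The point in quietman7's reply is that an ARK "hidden file" hit is a cross-view discrepancy, not a verdict: the tool lists a directory through the normal Windows API (which any kernel hook, legitimate or not, can filter) and again by reading the raw volume (the FSRAW library in the log), then reports whatever the raw view has that the API view lacks. Triage is then a question of whether a known product explains the discrepancy. The script below is an added example written for this thread; it is not BlackLight's or avast's code. The two directory listings are constructed sample data, the log lines are the ones from post #1, and the only benign prefix it knows is the avast sandbox storage seen in that log; treating that prefix as benign on a given machine is an assumption (a rootkit could name its files anything), so an "explained" label still deserves the check that the driver owning the path is the one you installed.

```python
"""Cross-view hidden-file detection and triage (added example, not the thread's code)."""
import re
from typing import Dict, List, Set

# Log lines copied from post #1 so the parser runs offline.
SAMPLE_LOG = "\n".join([
    r"11/21/10 19:11:58 [Note]: FSRAW library version 1.7.1024",
    r"11/21/10 19:12:03 [Info]: Hidden file: c:\## aswSnx private storage\snx_rhive",
    r"11/21/10 19:12:03 [Note]: 10002 3",
    r"11/21/10 19:12:03 [Info]: Hidden file: c:\## aswSnx private storage\snx_rhive.LOG",
    r"11/21/10 19:12:03 [Note]: 10002 3",
])

# Constructed sample listings standing in for the two views an ARK compares.
# API_VIEW is what FindFirstFile/FindNextFile would return with a filtering
# driver loaded; RAW_VIEW is what a raw read of the volume's directory index
# would return. "c:\hidden_example.dat" is a constructed placeholder for an
# object that no known product explains.
API_VIEW: Set[str] = {r"c:\boot.ini", r"c:\pagefile.sys", r"c:\WINDOWS"}
RAW_VIEW: Set[str] = API_VIEW | {
    r"c:\## aswSnx private storage\snx_rhive",
    r"c:\## aswSnx private storage\snx_rhive.LOG",
    r"c:\hidden_example.dat",
}

# Path prefixes (lower-cased, trailing separator kept so "aswSnx private storage2"
# would not match) that legitimate software is known to hide. Only the avast
# entry is supported by this thread; anything you add here is your own assumption.
KNOWN_BENIGN_PREFIXES: Dict[str, str] = {
    "c:\\## aswsnx private storage\\": "avast sandbox (aswSnx.sys) private storage",
}

HIDDEN_RE = re.compile(r"\[Info\]: Hidden file: (.+)$")


def parse_hidden_entries(log_text: str) -> List[str]:
    """Return the paths a BlackLight log reports as hidden files, in log order."""
    return [m.group(1).strip() for line in log_text.splitlines()
            if (m := HIDDEN_RE.search(line))]


def cross_view_diff(api_view: Set[str], raw_view: Set[str]) -> Set[str]:
    """Objects present on the raw volume but missing from the API listing.

    Comparison is case-insensitive because NTFS paths are; a mismatch in
    case alone is not a hidden object.
    """
    api_norm = {p.lower() for p in api_view}
    return {p for p in raw_view if p.lower() not in api_norm}


def triage(hidden: List[str]) -> Dict[str, str]:
    """Label each hidden path as explained by a known product or as unexplained."""
    verdicts: Dict[str, str] = {}
    for path in hidden:
        low = path.lower()
        label = "UNEXPLAINED: find the owning driver, check its signature, check persistence"
        for prefix, owner in KNOWN_BENIGN_PREFIXES.items():
            if low.startswith(prefix):
                label = f"explained: {owner}"
                break
        verdicts[path] = label
    return verdicts


def run_example() -> Dict[str, str]:
    """Diff the two constructed views and triage what the diff turns up."""
    return triage(sorted(cross_view_diff(API_VIEW, RAW_VIEW)))


if __name__ == "__main__":
    print("Cross-view diff of constructed listings:")
    for path, verdict in run_example().items():
        print(f"  {path} -> {verdict}")
    print("Entries parsed from the posted BlackLight log:")
    for path, verdict in triage(parse_hidden_entries(SAMPLE_LOG)).items():
        print(f"  {path} -> {verdict}")
```

Both avast paths come back "explained" and the constructed placeholder comes back "UNEXPLAINED", which is the split a practitioner wants from an ARK log: known hooks go on the allow-list, the remainder get investigated.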

#3 Gudfadern111

  • Topic Starter
  • Members
  • 2 posts

Posted 22 November 2010 - 04:01 PM

Thanks for a quick reply.

I've heard that there is legitimate anti-virus software that uses rootkits to protect the system. I was unsure, though, whether the two hidden files represented the sandbox itself or if they were the tracks of rootkit-related malware in the sandbox.

I don't have any issues on my computer really. As far as I can see, everything seems clean. That's why I was surprised when BlackLight found 2 hidden potential rootkits. I am very aware of what I do on the net, always monitoring new programs and checking the Task Manager regularly to watch which processes are active. I know rootkits use stealth-related techniques to hide themselves on the victim's machine, so I just wanted to make sure my computer wasn't infected without my knowledge.

Anyway, I am relieved to hear that the files are a part of the sandbox service of AIS.

Thanks for your time!



