
Comodo says I have approx. 1320 rootkit hidden dirs in my backups


9 replies to this topic

#1 Angus_McAngry
  • Members
  • 20 posts

Posted 18 August 2014 - 02:47 PM

I am in the middle of a u/g from XP to Win 7 and have had some strange events on the computer, had some infections that Avast said it killed. Was doing a second-opinion scan when, searching all drives, Comodo says I have this rootkit. Has Avast let me down? There is definitely something going on, as I cannot seem to open the files that are supposed to be infected. This is horrible; it says there are 13203 threats found. What do I do, delete all the backups? Help!
After a bit of digging I think these could be false positives.


Edited by Angus_McAngry, 18 August 2014 - 03:26 PM.



#2 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 51,476 posts
  • Location: Virginia, USA

Posted 18 August 2014 - 03:44 PM

Not all rootkits/hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. Most ARK tools check for rootkit-like behavior, which is not always indicative of a malware infection. It is normal for a firewall, anti-virus and anti-malware software, CD emulators, virtual machines, sandboxes and host-based intrusion prevention systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. The SSDT is a table that stores the addresses of functions used by Windows. Whenever a function is called, Windows looks in this table to find its address. Both legitimate programs and rootkits can hook into and alter this table.

Hooking is one of the techniques used by a rootkit to alter the normal execution path of the operating system. Rootkit hooks are basically installed modules which intercept the principal system services that all programs and the OS rely on. By using a hook, a rootkit can alter the information that the original OS function would have returned. There are many tables in an OS that can be hooked by a rootkit, and those hooks are undetectable unless you know exactly what you're looking for.

API/kernel hooks are not always bad, since some system monitoring software and security tools use them as well. If no hooks are active on a system, it means that all system services are handled by ntoskrnl.exe, which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

If you are using a CD emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD, etc.), be aware that they use rootkit-like techniques to hide from other applications and can interfere with investigative or security tools. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, unexpected crashes, BSODs, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD emulators.

Generally when a system is infected with a malicious rootkit, there are other indications (signs of infection) something is wrong such as very poor system performance, high CPU usage, browser redirects, BSODs, etc.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
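The SSDT hooking that the reply above describes, and the kind of check an ARK scanner runs against it, as an added user-mode model. This is example code written for this page, not kernel code and not from Comodo, Avast or any other product: the "kernel" is a Python table of callables, the "on-disk ntoskrnl image" is a pristine copy of that table, the directory listing is constructed, and the `hidden_` name prefix, the `nt_*` function names and `find_hooks`/`cross_view_hidden` are assumptions made for the illustration. It shows two things the reply states: a legitimate hook and a rootkit hook look identical to the table check, and a cross-view comparison is what actually surfaces the hidden entries.

```python
"""Added user-mode model of SSDT hooking and the integrity check an
anti-rootkit (ARK) scanner performs. Not kernel code and not from any
product: the "kernel" is a table of Python callables, the "on-disk
ntoskrnl image" is a pristine copy of that table, and the sample
directory listing is constructed here."""
import copy

# Constructed directory tree served by the "kernel".
FILESYSTEM = {"C:\\backup": ["photos.zip", "docs.zip", "hidden_rk", "tax.pdf"]}

def nt_query_directory_file(path):
    """Original system service: lists every entry in a directory."""
    return list(FILESYSTEM.get(path, []))

def nt_open_file(path):
    """Original system service: True if the path exists."""
    return path in FILESYSTEM

# SSDT analogue: service index -> handler. Everything dispatches through it,
# so whoever controls an entry controls the answer every program sees.
SSDT = [nt_query_directory_file, nt_open_file]
SSDT_ON_DISK = copy.copy(SSDT)   # pristine table, as read from the kernel image

def syscall(index, *args):
    return SSDT[index](*args)

def install_hiding_hook(prefix="hidden_"):
    """Rootkit hook: still calls the real service, but drops names starting
    with `prefix` from the result on the way back to the caller."""
    original = SSDT[0]
    def hooked(path):
        return [n for n in original(path) if not n.startswith(prefix)]
    SSDT[0] = hooked

def install_av_hook(blocked_paths):
    """Legitimate hook, e.g. a real-time scanner denying access to
    quarantined paths. Structurally identical to the rootkit hook."""
    original = SSDT[1]
    def hooked(path):
        return False if path in blocked_paths else original(path)
    SSDT[1] = hooked

def find_hooks():
    """What an ARK scanner reports: every slot whose live entry no longer
    matches the on-disk table. It says nothing about good versus bad."""
    return [i for i, entry in enumerate(SSDT) if entry is not SSDT_ON_DISK[i]]

def cross_view_hidden(path):
    """Cross-view check: compare the answer obtained through the (possibly
    hooked) table with the answer from the pristine handler; anything
    present only in the low-level view is being hidden."""
    high_level = set(syscall(0, path))
    low_level = set(SSDT_ON_DISK[0](path))
    return sorted(low_level - high_level)

if __name__ == "__main__":
    print("hooks before:", find_hooks())
    install_hiding_hook()
    install_av_hook({"C:\\backup"})
    print("hooks after:", find_hooks())                       # both slots flagged alike
    print("hidden entries:", cross_view_hidden("C:\\backup"))  # only the rootkit hides anything
```

Run it as a script and both hooks show up in `find_hooks()` with no way to tell them apart; only the cross-view diff tells you which one is actually hiding something, which is why a raw hook count from an ARK tool is not by itself evidence of infection.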

#3 Angus_McAngry (Topic Starter)

Posted 18 August 2014 - 04:02 PM

Hi, thank you for such a fast reply. I guess I should soldier on with the u/g then....



#4 quietman7

Posted 18 August 2014 - 04:33 PM

Yes unless you're actually having issues with malware infection.

If you believe so and want a more detailed look at your system, then more advanced tools are needed to investigate, as many of the scanning tools we use in this forum are not capable of detecting (repairing/removing) all malware variants. Before that can be done you will need to create and post a DDS log for further investigation. If you wish to pursue that avenue...let me know and I will provide instructions.

#5 Angus_McAngry (Topic Starter)

Posted 18 August 2014 - 06:09 PM

I will carry on with the u/g, thank you friend. Will come back to you if anything pops. Thanks



#6 quietman7

Posted 18 August 2014 - 06:12 PM

You're welcome and good luck.

#7 Angus_McAngry (Topic Starter)

Posted 19 August 2014 - 09:46 AM

Hi again Quietman, ESET online scanner has detected kRyptik.mlw.32 trojan var times 2. Is that a rootkit?

I think it has cleaned it up and I want to overwrite this disk with Win 7 next. Do any further actions need to be done before I do the upgrade? Thanks
PS. What if it's in my backups, USB drives? Why do virus scanners struggle with things inside archives on ext drives?


Edited by Angus_McAngry, 19 August 2014 - 09:49 AM.


#8 quietman7

Posted 19 August 2014 - 02:16 PM

Win32/Kryptik.MLW
"Detailed description for this variant is currently not available."


It appears to be a variant of a generic detection, which is usually a heuristics-engine detection of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line and inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus. Generic detections are generally seen having numerous variants, ending with different alpha/numerical characters representing additional information.

* Eset: Heuristic Analysis—Detecting Unknown Viruses
* Kaspersky: What is heuristic analysis

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "false positive", when the heuristic analysis flags as suspicious or infected a file that contains no malware. Packed files use a specially compressed (protected) format that may have been obfuscated or encrypted in order to conceal itself, and they often trigger alerts by anti-virus software using heuristic detection because they are resistant to scanning (difficult to read). Sometimes lowering the program's heuristic settings and rescanning may provide more accurate results, but that increases the possibility for new malware to infect your system.

There is no way to know more about the detection unless the file is submitted to the vendor's lab for further analysis.
 

Why do virus scanners struggle with things inside archives on ext drives ?

It is not unusual for an anti-virus or anti-malware scanner to have problems with, or be suspicious of, compressed, archived, .cab, .rar, .jar, .iso, and packed files, because they have difficulty reading what is inside them. These kinds of files often trigger alerts by security software using heuristic detection because they are resistant to scanning (difficult to read). This resistance may also cause some scanners to stall (hang) on these particular types of files or just ignore (skip) them. Certain files in the System Volume Information folder, like Tracking.log (created by the Distributed Link Tracking Service to store maintenance information), have also been reported as a source causing some scanners to hang.
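The two points the reply above makes, that packed or encrypted content trips heuristic detection and that archives are hard for a scanner to see into, as an added example of how a careful scanner walks a backup archive. This is illustration code written for this page, not a vendor's engine: the backup ZIP, the "signature database" (a SHA-256 of a constructed marker string), the `ENTROPY_THRESHOLD`, `MAX_DEPTH` and `MAX_INFLATED` limits and all file names are assumptions. Python's standard `zipfile` cannot write password-protected entries, so the sample contains none, but the encrypted-entry branch is the one a real scanner hits on the "could not read" cases the post describes.

```python
"""Added example of scanning inside archives: why compressed, nested and
encrypted containers are hard for a scanner and what a careful scanner
does about it. Not a vendor's product. The backup archive, the
"signature database" and the size and entropy limits are all constructed."""
import hashlib
import io
import math
import os
import zipfile

MAX_DEPTH = 3                      # stop descending into archives nested deeper than this
MAX_INFLATED = 50 * 1024 * 1024    # refuse to inflate a member beyond 50 MiB (zip-bomb guard)
ENTROPY_THRESHOLD = 7.2            # bits per byte; above this, content looks packed or encrypted

# Constructed "known bad" sample and its signature (SHA-256 of the exact bytes).
BAD_SAMPLE = b"CONSTRUCTED-MALICIOUS-SAMPLE-FOR-ILLUSTRATION-ONLY"
SIGNATURES = {hashlib.sha256(BAD_SAMPLE).hexdigest(): "Example.TestSignature"}

def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means uniformly random (or well encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_blob(name, data):
    """Exact signature match first; then the heuristic that fires on packed
    or encrypted content, which is where the false positives come from."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURES:
        return (name, "malware:" + SIGNATURES[digest])
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return (name, "suspicious:high-entropy content (packed or encrypted)")
    return (name, "clean")

def scan_archive(blob, name="<root>", depth=0):
    """Recursively walk a ZIP held in memory. Anything that cannot be
    inspected is reported as 'unscannable' instead of being silently
    skipped, so the report says what was actually checked."""
    if depth > MAX_DEPTH:
        return [(name, "unscannable:nesting too deep")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [(name, "unscannable:corrupt or not a ZIP")]
    results = []
    for info in zf.infolist():
        member = f"{name}/{info.filename}"
        if info.flag_bits & 0x1:           # general-purpose bit 0: entry is encrypted
            results.append((member, "unscannable:encrypted entry"))
            continue
        if info.file_size > MAX_INFLATED:  # declared size, checked before inflating
            results.append((member, "unscannable:exceeds inflate limit"))
            continue
        data = zf.read(info)
        if zipfile.is_zipfile(io.BytesIO(data)):
            results.extend(scan_archive(data, member, depth + 1))
        else:
            results.append(classify_blob(member, data))
    return results

def build_sample_backup():
    """Constructed backup: plain text, the bad sample, a random blob that
    mimics an encrypted file, and a nested ZIP hiding another bad copy."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("old/installer.exe", BAD_SAMPLE)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("notes.txt", b"quarterly accounts " * 50)
        z.writestr("setup.exe", BAD_SAMPLE)
        z.writestr("vault.bin", os.urandom(4096))
        z.writestr("archive2013.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, verdict in scan_archive(build_sample_backup(), "backup.zip"):
        print(f"{verdict:55} {path}")
```

The random `vault.bin` member is reported as suspicious purely on entropy, with no signature behind it; that is exactly the class of heuristic hit the reply warns can be a false positive, and the only way to resolve it is to submit the file rather than trust the verdict. The nested copy of the bad sample is found only because the walker descends into `archive2013.zip`; a scanner that skips archives, or stops at the first nesting level, reports that backup as clean.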

#9 Angus_McAngry (Topic Starter)

Posted 21 August 2014 - 03:52 PM

Hi and thanks again. I am now confident of getting rid of everything except a Trojan in an archive on a USB drive inside a backup which I have been unable to delete. I searched and trawled the Seagate forum for days! I should have just come back here! It's detected as html redir-inf gen tr. Some suggest this is a false positive; can you confirm please? Thank you friend.



#10 quietman7

Posted 21 August 2014 - 05:03 PM

Anytime you come across a suspicious file, a possible false positive, or suspect a detection may be a false positive, get a second opinion. Go to one of the following online services that analyze suspicious files: In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.