
Possible rootkit?


15 replies to this topic

#1 JBub2

  • Members
  • 8 posts

Posted 29 November 2014 - 07:57 AM

Hello! I have a possible problem, hopefully someone can help? I have an older desktop running XP SP3 with an HP printer. A few days ago, I turned the pc on and then the printer, and as soon as I turned the printer on my avast AV popped up saying it moved a threat to the quarantine. The file being HPZipm12.exe from the C:\WINDOWS\system32 folder. It said it was a Win32:Rootkit-gen [Rtk]. I did some searching and found out that's an HP file and it has been on my pc since I installed the printer around 10 years or so ago. I've never had any problems with it until now. I thought maybe it was a false positive and waited a few days, but it's still scanning as a rootkit when I scan it in the quarantine. Also, the next day when I turned my pc on it sent another possible rootkit to the quarantine. This one being A0201566.exe from the C:\System Volume Information\restore{30D07643-953... folder. Since then, it has not moved any more files when I turned the printer on; also the printer works fine with no problems that I have noticed. I'm afraid to restart the pc because with the system32 file in quarantine I am afraid it will cause problems. Could someone please instruct me as to what steps I should take to verify and/or fix the rootkit? Really stressed about this because I'm getting ready to move and will have to restart the pc eventually. Thanks in advance for any help!





#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 November 2014 - 08:22 AM

The detected _restore{GUID}\RP***\A0*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after 'RP' represents a sequential number automatically assigned by the operating system. The 201566 after 'A0' also represents a sequential number where the original file(s) were backed up and renamed except for its extension. This file most likely is the detected HPZipm12.exe file, especially since you indicated it was installed years ago.

If you suspect a file was falsely detected (a false positive) or appears suspicious, then you should submit a sample to the vendor so they can investigate and take corrective action if confirmed. Please refer to:

You should also contact and advise the program vendor (HP) that one of their files is being detected as a threat. In many cases they will work with the anti-virus techs in an attempt to resolve the detection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 JBub2
  • Topic Starter

  • Members
  • 8 posts

Posted 29 November 2014 - 09:11 AM

Thank you very much quietman7! I will contact Avast later today. Do you think it would be ok to restart the pc with that system 32 file in quarantine?



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 November 2014 - 09:57 AM

When an anti-virus or security program quarantines a file (item) and moves it into a virus vault (virus chest) or a dedicated Quarantine folder, that file is safely held there and no longer a threat. The file is essentially disabled and prevented from causing any harm to your system through proprietary security routines which may copy, rename (usually by adding a .vir extension), encrypt and password protect the file as part of the process.

Quarantine is just an added safety measure which allows you to view and investigate the files while keeping them from harming your computer. One reason for doing this is to prevent the permanent deletion of a legitimate file that may have been incorrectly flagged (a "false positive") and placed in quarantine. This can occur if the scanner uses heuristic analysis technology which is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If the file is confirmed as legitimate, it can be safely restored from quarantine and added to the exclusion or ignore list.

When the quarantined file is known to be malicious, you can permanently delete it at any time by launching the program which removed it, going to the Quarantine tab, and choosing the option to delete.

#5 JBub2
  • Topic Starter

  • Members
  • 8 posts

Posted 29 November 2014 - 10:36 AM

Ok, thank you for all your help! Much appreciated!! :thumbup2:



#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 November 2014 - 10:41 AM

You're welcome and good luck.

#7 JBub2
  • Topic Starter

  • Members
  • 8 posts

Posted 29 November 2014 - 03:54 PM

I did end up scanning the file that was in the virus chest at virusscan.jotti.org and it was clean on all scanners there. Then I scanned same file at virustotal.com and it was clean on all scanners except for NANO-antivirus which showed Trojan.Dos.Hupigon.cyqiwi . I am still not sure whether it's a false positive or if it's a rootkit. I'm not even sure if I scanned the correct way as I uploaded it straight from the virus chest. Any suggestions? I did ask at the avast forum as well but no response as of yet.



#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 November 2014 - 04:09 PM

I would wait on an answer from avast, since it is their installed scanning engine which initially made the detection, but nothing was found by avast at VirusTotal or Jotti. The detection by NANO-antivirus is most likely a false positive too.
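The replies above make three technical points: how a System Restore backup path (_restore{GUID}\RP###\A0######.ext) is built and why only the original extension survives, why a single detection among dozens of clean engines at a multi-scanner is weak evidence when the flagging vendor's own engine is clean there, and that the vendor needs the exact sample (a hash identifies it) to re-check. The following Python is an added example that ties those points together; it is not code from this thread, from avast, from HP or from VirusTotal/Jotti. The GUID, the made-up engine names in the constructed report and the verdict thresholds are assumptions for illustration.

```python
"""Triage helpers for a suspected antivirus false positive (added example).

Not code from the forum thread, avast, HP or any multi-scanner service.
GUID, engine names and verdict thresholds below are constructed assumptions.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Matches e.g. C:\System Volume Information\_restore{GUID}\RP12\A0201566.exe
SVI_PATTERN = re.compile(
    r"\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]{36})\}"
    r"\\RP(?P<rp>\d+)\\A0(?P<seq>\d+)(?P<ext>\.[^\\]+)?$",
    re.IGNORECASE,
)


@dataclass
class SviBackup:
    guid: str
    restore_point: int  # sequential RP number assigned by Windows
    sequence: int       # sequential A0 number; the original file name is gone
    extension: str      # the only part of the original name that survives


def parse_svi_path(path: str) -> Optional[SviBackup]:
    """Decode a System Volume Information backup path; None if it is not one."""
    m = SVI_PATTERN.search(path)
    if not m:
        return None
    return SviBackup(
        guid=m.group("guid").upper(),
        restore_point=int(m.group("rp")),
        sequence=int(m.group("seq")),
        extension=(m.group("ext") or "").lower(),
    )


# Assumption: names containing these fragments are generic or heuristic
# signatures rather than a specific, analyst-confirmed family.
GENERIC_MARKERS = ("gen", "heur", "generic", "suspicious")


def triage_multiscanner(results: Dict[str, Optional[str]],
                        reporting_engine: str) -> dict:
    """Weigh a multi-engine report against the product that raised the alarm.

    results maps engine name -> detection name, or None when that engine
    called the file clean.  reporting_engine is the product that quarantined
    the file locally.  The ratio thresholds are an assumption for this example.
    """
    hits = {eng: name for eng, name in results.items() if name}
    total = len(results)
    ratio = len(hits) / total if total else 0.0
    generic_only = all(
        any(mk in name.lower() for mk in GENERIC_MARKERS) for name in hits.values()
    )
    reporter_agrees = bool(results.get(reporting_engine))

    if not hits:
        verdict = "clean_across_engines"
    elif ratio >= 0.5:
        verdict = "likely_malicious"
    elif ratio <= 0.1 and not reporter_agrees:
        # The product that flagged the file does not flag the same bytes at
        # the multi-scanner, and almost nobody else does either.
        verdict = "likely_false_positive"
    else:
        verdict = "inconclusive"
    return {
        "engines": total,
        "detections": len(hits),
        "generic_only": generic_only,
        "reporter_agrees": reporter_agrees,
        "verdict": verdict,
    }


def sha256_hex(data: bytes) -> str:
    """Hash of the sample; quote it to the vendor so they examine the same file."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Same hash computed over a file on disk, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def constructed_report() -> Dict[str, Optional[str]]:
    """Constructed stand-in for the thread's multi-scanner result: 55 engines,
    one hit.  Engine names other than avast and NANO-Antivirus are made up."""
    report: Dict[str, Optional[str]] = {f"engine{i:02d}": None for i in range(53)}
    report["avast"] = None
    report["NANO-Antivirus"] = "Trojan.Dos.Hupigon.cyqiwi"
    return report


if __name__ == "__main__":
    # Constructed GUID; the thread only shows a truncated one.
    sample = (r"C:\System Volume Information"
              r"\_restore{11111111-2222-3333-4444-555555555555}\RP812\A0201566.exe")
    print(parse_svi_path(sample))
    print(triage_multiscanner(constructed_report(), reporting_engine="avast"))
```

In the constructed report the one NANO-Antivirus name is not generic-looking, yet the verdict still comes out as a probable false positive because one hit in 55 with the reporting vendor's own engine clean is the pattern the reply above describes. The hash is the piece to include when submitting the sample, so the lab and the user are talking about identical bytes rather than a file name.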

#9 JBub2
  • Topic Starter

  • Members
  • 8 posts

Posted 29 November 2014 - 04:41 PM

Ok, thanks, I will check at avast again.



#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 November 2014 - 04:49 PM

Also keep updating the virus definitions. The labs don't always contact an individual to let them know a reported file has been removed from the database.

#11 JBub2
  • Topic Starter

  • Members
  • 8 posts

Posted 30 November 2014 - 02:40 PM

Thanks quietman7! I did send it to the avast lab from the virus chest yesterday and have updated my definitions a few times, but it's still scanning as a rootkit. I'm getting ready to move within the next week and will have to unplug the pc. I am concerned that perhaps the "missing" system32 file may cause problems if I try to reboot the pc. What should I do??



#12 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 November 2014 - 04:17 PM

In your first post you indicated the detected file (HPZipm12.exe) is related to your HP printer. A simple Google check confirms that. That file is not required for the Windows OS to operate or boot properly.

It would be no different than uninstalling the printer software if you decided to install a new Lexmark (and its software).

#13 JBub2
  • Topic Starter

  • Members
  • 8 posts

Posted 30 November 2014 - 04:39 PM

Thanks! Yes the file is for the printer, I just thought with it being in the system 32 folder it may affect the bootup somehow. I'm not that computer savvy as you can probably tell lol. I also scanned today with malwarebytes anti-malware and it showed a clean scan. Do you think it would be ok to go ahead and restore the file or should I wait on Avast longer? It is still scanning as a rootkit using avast when scanning it in the virus chest.



#14 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 November 2014 - 04:54 PM

Well the file has been on your system for years without a problem. If it is needed for your printer to work, then I would restore it and ignore the detection.

#15 JBub2
  • Topic Starter

  • Members
  • 8 posts

Posted 30 November 2014 - 05:18 PM

Ok, my printer is still working with it in the quarantine, at least the printing function part of it anyway. I haven't tried the scanning part of the printer, as in a photocopy. Thanks for all of your help!





