Author Topic: TRO/ROOT KIT?  (Read 10885 times)


DAV2

  • Guest
TRO/ROOT KIT?
« on: January 09, 2012, 11:12:35 PM »
Avast rescue disk says I have a Trojan. I remove it and it reappears. Avast rescue disk says I have a Trojan with a 6 mo. newer database. I remove it and the same Trojan reappears. Comodo CCE says I have a root kit. I remove it and it reappears. Comodo CCE with updated database says I have a root kit. I remove it and the same one reappears. Mbam and Avast IS scan clean. SFC says clean and all drivers are digitally signed. I posted OTL and aswMBR. RKreport to follow. Any help would be appreciated.

DAV2

Re: TRO/ROOT KIT?
« Reply #1 on: January 09, 2012, 11:13:50 PM »
NEXT FILE

DAV2

Re: TRO/ROOT KIT?
« Reply #2 on: January 09, 2012, 11:14:54 PM »
NEXT FILE

DAV2

Re: TRO/ROOT KIT?
« Reply #3 on: January 09, 2012, 11:18:47 PM »
NEXT FILE

DAV2

Re: TRO/ROOT KIT?
« Reply #4 on: January 10, 2012, 02:08:04 PM »
Any scan done inside Win does not show the Trojan. Only a boot disk scan with the "SAME" Avast data base that scans clean inside Win shows the Trojan from outside Win. I posted yesterday. Where is anybody? Any help would be appreciated. Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89426
  • No support PMs thanks
Re: TRO/ROOT KIT?
« Reply #5 on: January 10, 2012, 02:37:33 PM »
Note for the future - You can attach up to 4 files per post, provided the total doesn't exceed 200KB.

What would have been helpful, is the file name, location and full malware name of the detection.

You say that you used the Avast rescue disk to scan:
Why did you feel it necessary to do this?
Before you did that, did you have the latest virus definitions?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

DAV2

Re: TRO/ROOT KIT?
« Reply #6 on: January 10, 2012, 03:15:59 PM »
David... thanks for the response. Yes, I am far from perfect. Sorry. The rescue disk came with its own database out of the box. It showed the Trojan. I removed it and the next day it was not there. I then scanned with the updated "Avast" database that scanned clean with Avast IS, and the rescue disk again found the same Trojan a few days later. I am simply monitoring the computers since they are always doing unexplainable things. Like showing a Win security breach that magically goes away all by itself a week or so later.

Offline DavidR

Re: TRO/ROOT KIT?
« Reply #7 on: January 10, 2012, 03:33:03 PM »
The file name, location and malware name help us to help you, e.g. it gives us an idea what it is that we might be dealing with. So can you give the details of the detection for Comodo CCE and Avast rescue disk: the file name, location and malware name given?

I don't know how it is that you actually get the latest virus definitions for the Avast rescue disk, but the one that comes with it is likely to be a little out of date, and if this is a false positive then it may have been corrected. Then we are only chasing the Comodo CCE detection, but in any case the above information helps us.

DAV2

Re: TRO/ROOT KIT?
« Reply #8 on: January 10, 2012, 03:47:03 PM »
David, yes the Avast rescue disk is about 6 mo. outdated out of the box, but it gives an option to update the database and I updated it to the same version that Avast IS was running, and it found the same Trojan. Unfortunately, I thought I wrote it down, but I may have only done typed Google searches of it. It was something like ???sorry I can not guess very well???. I will have to repeat the scans. As far as the Com.. scan, it filled a directory of "quarantine" and said "C:\## aswSnx private storage".

Offline DavidR

Re: TRO/ROOT KIT?
« Reply #9 on: January 10, 2012, 04:48:01 PM »
Well, that is the location of the private storage of the Avast sandbox, so I would expect it to be hidden.

So my guess is that, as far as Comodo CCE goes, it got it wrong in taking hidden as somehow a rootkit.

DAV2

Re: TRO/ROOT KIT?
« Reply #10 on: January 10, 2012, 08:43:12 PM »
David, thanks. I just do not have the expertise to understand how the same Avast database can show a Trojan when scanned outside Win and not see it inside Win. I also do not understand how Win takes a "security tampered" hash mark changed file and turns it into a non hash mark changed file without any restore being done on it. Also I am trying to understand how the "Trojan" and Com... scan results reappear days later, after initial results confirm that they were gone. I assume that the 4 files that were too big to post all at once were not helpful. (Could you please confirm this.) I am glad that there are experts like you that understand all this. Thanks.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: TRO/ROOT KIT?
« Reply #11 on: January 10, 2012, 09:09:33 PM »
Nothing untoward showing in the logs, and as David stated, the file location is the safe zone area.

If you have no apparent problems then I would ignore the report of a rootkit.

Offline DavidR

Re: TRO/ROOT KIT?
« Reply #12 on: January 10, 2012, 09:10:44 PM »
Quote from: DAV2 on January 10, 2012, 08:43:12 PM
David, thanks. I just do not have the expertise to understand how the same Avast database can show a Trojan when scanned outside Win and not see it inside Win. I also do not understand how Win takes a "security tampered" hash mark changed file and turns it into a non hash mark changed file without any restore being done on it. Also I am trying to understand how the "Trojan" and Com... scan results reappear days later, after initial results confirm that they were gone. I assume that the 4 files that were too big to post all at once were not helpful. (Could you please confirm this.) I am glad that there are experts like you that understand all this. Thanks.

I'm not familiar with what the Avast rescue disk is actually looking for over and above the standard AV scan. However, since it also runs outside of Windows, the C:\## aswSnx private storage would be visible, where it is hidden when Windows is running.

But as essexboy says it looks like your system is clear.

DAV2

Re: TRO/ROOT KIT?
« Reply #13 on: January 11, 2012, 07:58:37 PM »
Ess... and Dav..., thanks. I am learning with your help. Maybe it was Com... that fixed the Win security breach. All I know is that it loaded the directory "quarantine" with many files and scripts that Win refused to empty from the wastebasket. It said that their names were too long to empty from trash. The persistent find is "WIN32:Small-HUF [Trj]".
I did a rescan and it still returns, both with the 6 mo. old database and the current database. The file is too large to upload to VirusTotal. It is pagefile.sys. How it was able to scan clean for a while before, I do not know. All I know now is that it reloads every time. Since it persists with both databases that are 6 mo. different, that says to me that it could not be a false positive. After all, how could a false positive remain for over 6 mo.?
Whatever Com... removed, it sped up the computer noticeably in one case and slowed down another noticeably. Same program and same database.
Avast can see the hidden directory and reports nothing other than the one above. Com... places a lot into the Quarantine directory and does not see what Avast reports.
« Last Edit: January 11, 2012, 10:50:44 PM by DAV2 »

Offline essexboy

Re: TRO/ROOT KIT?
« Reply #14 on: January 11, 2012, 09:33:26 PM »
Pagefile.sys is the system swap file. You can clear it by setting no virtual memory and then rebooting. MS has a Fixit here that will do it for you: http://support.microsoft.com/kb/314834
About halfway down is a Fixit button; press that and allow the programme to run.
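The "set no virtual memory, reboot" step essexboy describes, done from an elevated PowerShell prompt instead of the Fixit, as an added example that is not part of the original thread or of any Avast or Microsoft tool. It assumes PowerShell 3 or later, that the pagefile lives at C:\pagefile.sys, and that a reboot happens between the two functions; Disable-Pagefile removes the pagefile, Enable-Pagefile hands management back to Windows once the old file is confirmed gone.

```powershell
# Step 1 (elevated, before the reboot): stop Windows from managing the pagefile
# itself, then delete every configured pagefile so none is created at the next
# boot. This is what the "No paging file" option in the System dialog does.
function Disable-Pagefile {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $cs | Set-CimInstance -Property @{ AutomaticManagedPagefile = $false }
    Get-CimInstance -ClassName Win32_PageFileSetting | Remove-CimInstance

    # Record the flagged file before the reboot so the result can be compared.
    # pagefile.sys is hidden+system, so -Force is needed for Get-Item to see it.
    $pf = Get-Item -Path 'C:\pagefile.sys' -Force -ErrorAction SilentlyContinue
    if ($pf) {
        Write-Output ("Current pagefile: {0} bytes, last written {1}" -f $pf.Length, $pf.LastWriteTime)
    }
    Write-Output 'Pagefile disabled. Reboot now; the old pagefile.sys is released only at boot.'
}

# Step 2 (elevated, after the reboot): confirm the old file is gone, then return
# pagefile management to Windows. A second reboot recreates a fresh pagefile.sys,
# which can then be rescanned from the rescue disk.
function Enable-Pagefile {
    if (Test-Path -Path 'C:\pagefile.sys') {
        Write-Warning 'C:\pagefile.sys still exists; check the Virtual Memory dialog before continuing.'
        return $false
    }
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $cs | Set-CimInstance -Property @{ AutomaticManagedPagefile = $true }
    Write-Output 'Automatic pagefile management restored. Reboot to recreate pagefile.sys.'
    return $true
}
```

Run `Disable-Pagefile`, reboot, then `Enable-Pagefile` and reboot again; if the rescue disk still flags the freshly created file afterwards, the detection is on content paged out of memory during normal use rather than on anything that survived the rebuild.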