Author Topic: Possible rootkit  (Read 3612 times)


tigerstriper

  • Guest
Possible rootkit
« on: April 20, 2012, 01:15:11 PM »
Heeeeyyy everybuddy  8)

Avast found several files infected with a rootkit, but access is denied, so it can't do anything with them.

I did a boot scan with avast, it found nothing.

I downloaded Malwarebytes, ran a scan it didn't detect anything.

So, what am I missing here?

« Last Edit: April 20, 2012, 01:18:28 PM by tigerstriper »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Possible rootkit
« Reply #1 on: April 20, 2012, 01:26:49 PM »
What scan was this found on (anti-rootkit scan 8 minutes after boot or other) ?
Is there any reason given for the access denied ?

What is the infected file name, where was it found ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

jeffce

  • Guest
Re: Possible rootkit
« Reply #2 on: April 20, 2012, 11:51:41 PM »
Monitoring if needed...

tigerstriper

  • Guest
Re: Possible rootkit
« Reply #3 on: April 21, 2012, 05:18:16 PM »
What scan was this found on (anti-rootkit scan 8 minutes after boot or other) ?
Normal daily scan

Is there any reason given for the access denied ?
Error: Access Denied (5)

What is the infected file name, where was it found ?
c:/windows/winsxs...
Threat Rootkit: Hidden File


Puzzling ain't it?  :o

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Possible rootkit
« Reply #4 on: April 21, 2012, 05:22:19 PM »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Possible rootkit
« Reply #5 on: April 21, 2012, 05:39:27 PM »
@ tigerstriper
Well, still puzzling, as the file name is still a mystery: the path you show doesn't include the actual file name, and the WinSxS (Windows Side-by-Side) directory/folder can be massive, so it could be like looking for a needle in a haystack without the details. See http://blog.tiensivu.com/aaron/archives/1306-Demystifying-the-WinSxS-directory-in-Windows-XP%2C-Vista-and-Server-20032008.html and http://www.winvistaclub.com/f16.html.

The detection isn't saying for certain that it is a rootkit, but a hidden file, and there could well be a legitimate reason for that; but no one can say if that might be the case, as we don't have the full path and file name. You should be able to expand the column width (drag the column separator to the right, or double-click on the column separator) so you can see the full details.

So it is entirely possible that considering the nature of the WinSxS folder, there may well be a hidden .dll file running, but that can't be confirmed as we don't know the full folder location and file name.
Quote from: WinVistaClub extract
In short, WinSxS, which stands for 'Windows Side By Side', is Windows' native assembly cache. Libraries which are being used by multiple applications are stored there. This feature was first introduced in Windows ME and was considered Microsoft's solution to the so-called 'DLL hell' issues that plagued Windows 9x.

I'm not sure this needs specialist intervention until it is identified whether there is a problem; a 'hidden file' hit, as opposed to a definitive detection, isn't a clear-cut infection.
« Last Edit: April 21, 2012, 05:42:35 PM by DavidR »
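The post above explains why a "hidden file" hit in WinSxS is not, on its own, evidence of a rootkit: the folder is a component store, full of files that are hidden and owned by TrustedInstaller, and the "Access Denied (5)" the scanner reports is the Win32 ERROR_ACCESS_DENIED code that even an administrator gets on TrustedInstaller-owned content. The following script is an added triage example, not code from the thread or from Avast; it assumes an elevated PowerShell 4 or later (Get-FileHash needs 4.0), and the $Path parameter stands in for the real subfolder, which the thread only shows as "c:/windows/winsxs...". It lists hidden files under the given path and, for each, records the owner, the Authenticode status and a SHA-256, so a file that is not Microsoft-signed or not owned by TrustedInstaller stands out from the thousands of legitimate hidden SxS components.

```powershell
# Added example (not from the original thread): triage a "Rootkit: Hidden File"
# hit under WinSxS. Assumes an elevated PowerShell 4+ on Windows. $Path is a
# placeholder for the folder the scanner actually reported.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'WinSxS')
)

# 1. Enumerate hidden files. -Force is required: without it Get-ChildItem skips
#    Hidden/System entries, which is exactly what the scanner is reporting on.
$hidden = Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }

foreach ($f in $hidden) {
    # 2. Ownership. WinSxS content is owned by "NT SERVICE\TrustedInstaller",
    #    which is why a scanner running as admin still gets Access Denied (5).
    #    A hidden file owned by a user or by Administrators deserves a closer look.
    $owner = try { (Get-Acl -LiteralPath $f.FullName).Owner } catch { 'n/a' }

    # 3. Authenticode. A legitimate SxS component carries a valid Microsoft
    #    signature (or is a catalog-signed manifest/resource with no signature
    #    of its own; see the note after the block).
    $sig    = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $msSigned = ($sig.Status -eq 'Valid') -and ($signer -match 'Microsoft')

    # 4. Hash, so the file can be checked against a reputation service without
    #    having to upload it.
    $hash = try { (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash } catch { 'n/a' }

    [pscustomobject]@{
        Path       = $f.FullName
        Owner      = $owner
        SigStatus  = $sig.Status
        Signer     = $signer
        MsSigned   = $msSigned
        SHA256     = $hash
        # Flag anything that is not a Microsoft-signed, TrustedInstaller-owned file.
        Suspicious = (-not $msSigned) -or ($owner -notmatch 'TrustedInstaller')
    }
}
```

Run it as `.\Check-WinSxSHidden.ps1 -Path 'C:\Windows\WinSxS\<reported subfolder>' | Where-Object Suspicious | Format-List` and look only at the flagged rows. Two caveats apply. Many legitimate WinSxS files (manifests, .mui resources) are verified through the system catalog rather than an embedded signature, so `SigStatus` of `NotSigned` on a TrustedInstaller-owned file is normal; the combination of a non-Microsoft signer or a non-TrustedInstaller owner with an executable extension is the pattern worth escalating. And a file a kernel-mode rootkit is genuinely hiding will not appear in a user-mode `Get-ChildItem` listing at all, so an empty result does not clear the machine; that cross-view comparison is what the anti-rootkit scan mentioned earlier in the thread is for, and the full path and file name from the scanner remain the piece of information that actually decides the question.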