
Curcat: Need help on this scan

Oct 22, 2008 7:43AM PDT

Would you assign this to "Sherlock"? I am unable to find any info.
The scan is by Sophos Anti-Rootkit.

Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP290\A0161340.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)


Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP289\A0156543.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

A scan with RootkitRevealer shows the whole system clean.
When it brought the scan past the two RP numbers, it only showed \snapshot\repository\fs.

A search of the registry showed the key with the values:
Name=compatibility Type=reg_dword Data=0x00000400 (1024)
A Google search of 0x00000400 turns up a possible Trojan, but the key numbers are different.

Unable to find any info at Sophos, as the scan indicates.

A search for the exe files with Windows shows no files listed.
The Run command also comes up blank.

Are these remnants of prior malware, Trojans, spyware, etc.?

Yes, I know how to delete System Volume Information. But why would Sophos tag these particular files?

Ray
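The two findings above share one layout (Area / Description / Location / Removable / Notes) and one path pattern: an XP System Restore snapshot, `_restore{GUID}\RP<n>\A<digits>.exe`. The Python below is an added example, not code from the thread, Sophos or CNET: it parses findings in that layout, pulls the restore-point GUID, RP number and snapshot name out of the path, and separates restore-point copies (earlier versions of files that lived elsewhere, which tell you nothing until the original is identified) from live files. The sample report is constructed from the two entries quoted in the post.

```python
"""Triage Sophos Anti-Rootkit style findings: which are System Restore
snapshots, and which does the scanner actually recommend cleaning up?
Added example; the report text below is constructed from the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two findings quoted in the post, same layout.
SAMPLE_REPORT = r"""
Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP290\A0161340.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)


Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP289\A0156543.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)
"""

# XP System Restore stores snapshots as _restore{GUID}\RP<n>\A<digits>.<ext>
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]:)\\System Volume Information\\_restore"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\(?P<name>A\d+\.[^\\]+)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    area: str
    description: str
    location: str
    removable: str
    notes: str

    @property
    def cleanup_recommended(self) -> bool:
        # "Yes (but clean up not recommended ...)" is a No for our purposes.
        r = self.removable.lower()
        return r.startswith("yes") and "not recommended" not in r

    @property
    def restore_point(self) -> Optional[Dict[str, object]]:
        # Returns drive/guid/rp/name for a snapshot path, else None.
        m = RESTORE_RE.match(self.location)
        if not m:
            return None
        d: Dict[str, object] = m.groupdict()
        d["rp"] = int(m.group("rp"))
        return d


def parse_report(text: str) -> List[Finding]:
    """Split the report on blank lines; each block is one 'Key: value' record."""
    findings: List[Finding] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; paths contain ':'
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "location" in fields:
            findings.append(Finding(
                area=fields.get("area", ""),
                description=fields.get("description", ""),
                location=fields["location"],
                removable=fields.get("removable", ""),
                notes=fields.get("notes", ""),
            ))
    return findings


def triage(findings: List[Finding]) -> List[str]:
    """One verdict per finding. A restore-point copy is not evidence of an
    active infection: identify the file it was copied from before acting."""
    verdicts = []
    for f in findings:
        rp = f.restore_point
        if rp:
            verdicts.append(f"RP{rp['rp']}/{rp['name']}: restore-point snapshot, "
                            "identify original before acting")
        elif f.cleanup_recommended:
            verdicts.append(f"{f.location}: live file, scanner recommends cleanup")
        else:
            verdicts.append(f"{f.location}: live file, investigate")
    return verdicts


if __name__ == "__main__":
    for v in triage(parse_report(SAMPLE_REPORT)):
        print(v)
```

Paste a real report into `SAMPLE_REPORT` (or read it from `%TEMP%\sarscan.log`) to get the same split; anything outside `System Volume Information` is the part worth spending time on first.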


Re: Need help on this scan
Oct 22, 2008 5:06PM PDT

Ray..

I'm flattered you singled me out, but I don't believe in the list of my nicknames you've ever seen "Rootkit Resolver". Since it's not, this is the best I could find and know to suggest.

I'm unable to find very much, specifically related to Sophos Anti-Rootkit. I did find a lot of infections reported within those restore points, with no thanks to Sophos. I presume you're questioning it because Sophos recommends not removing the files. According to the Sophos Anti-Rootkit Manual, it's because they don't recognize the files. See their release notes, as to why they don't. I personally feel they should have suggested it and included not to remove them "without further investigation", which is what you might be doing.

If you're looking to gain access to the System Volume Information folder, you're going to have to "unhide" your files and folders and also the protected operating system files.

"Name=compatibility Type= reg_dword Data= 0x00000400 (1024)"
The only time I found where the Compatibility Flag value was a problem, was when there was another value after it. Although this user only posted a partial CLSID #, see this thread. Maybe it will explain it, in part.

As far as the "exe's" you were looking for and their location in the System Volume Information folder, you'll see plenty of them in this thread as an example. And also many more.

I'm not sure why you're asking, but did you scan with F-Secure's BlackLight to see what it reported? (More here: http://windowssecrets.com/2008/05/22/05-Top-free-tools-for-rooting-out-rootkit-spies) I know you're fully aware of the fact that you can flush your restore points and scan again. I wish I was able to tell you why it tagged those specific files, but I can't.

Ray, it's only my guess that because it's in the restore points, and nowhere else, the points were never cleaned after an infection. Please don't act upon my "guess". If you're dealing with a problem, and not sure how to proceed, I would suggest getting another opinion. That is not to say I don't appreciate your confidence in my "searching abilities". I came up a little short this time.

Carol, etc.

Info on scan results
Oct 22, 2008 8:01PM PDT

Carol

First of all the info you provided was helpful

I tried running F-Secure BlackLight but got a "not a valid Win32 application" error.

As much as I dislike Panda software, I then decided to run their anti-rootkit, and it was clean.

Searched and found MS KB 309531, "How to gain access to the System Volume Information folder". When I got to the cacls portion I ended up with a help file with dozens of switches that could be used. Abandoned that project, went into Safe Mode and accessed the System Volume Information folder.

In RP289, file A0156543.exe is a snapshot of the FileHippo.com Update Checker.
In RP290, file A0161340.exe is a snapshot of KeePass Password Safe.
Both of these are files I use and have used for some time. Sophos has never tagged them before this scan.

My next step is to try and scan these files with Jotti or VirusTotal?

Now that I have gotten this far what is your next suggested plan of attack?

You are not going to get away with begging off until I am completely satisfied these are not rootkits.

Ray
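Having identified each snapshot as a copy of a program he already runs, the remaining question is whether the copy in the restore point is the same bytes as the installed program. If it is, the installed copy vouches for it; if not (an older version, or something else entirely), the snapshot's hash is what to look up on VirusTotal or Jotti, or the file is what to submit. The Python below is an added example, not from the thread or any of the vendors named in it: it hashes each snapshot and its presumed original with SHA-256 and says which outcome applies. The file names echo the thread, but the paths and file contents are constructed placeholders written to a temporary directory so the script runs offline; point `triage_snapshots` at real paths to use it.

```python
"""Does a restore-point snapshot match the installed file it is believed to
be a copy of? Added example; file layout and contents are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Streamed SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def compare_snapshot(snapshot: str, original: str) -> Tuple[str, str, bool]:
    """Return (snapshot sha256, original sha256, byte-identical?)."""
    s, o = sha256_file(snapshot), sha256_file(original)
    return s, o, s == o


def triage_snapshots(pairs: Dict[str, str]) -> Dict[str, dict]:
    """pairs maps restore-point copy -> installed file it is believed to be.
    Identical: the installed copy vouches for the snapshot.
    Different: not malicious by itself (it may simply be an older build),
    but the snapshot must be checked on its own hash or submitted."""
    results: Dict[str, dict] = {}
    for snap, orig in pairs.items():
        s, o, same = compare_snapshot(snap, orig)
        results[snap] = {
            "snapshot_sha256": s,
            "original_sha256": o,
            "identical": same,
            "action": ("vouched for by installed copy" if same
                       else "look up snapshot hash online or submit the file"),
        }
    return results


def demo() -> Dict[str, dict]:
    """Constructed layout in a temp dir: one snapshot identical to its
    installed original, one that differs (an older build in this story).
    The bytes are placeholders, not real executables."""
    root = tempfile.mkdtemp()

    def write(rel: str, data: bytes) -> str:
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
        return p

    keepass_now = write("Program Files/KeePass/KeePass.exe", b"MZ" + b"keepass-build-2\0" * 64)
    snap_same = write("SVI/RP290/A0161340.exe", b"MZ" + b"keepass-build-2\0" * 64)
    hippo_now = write("Program Files/FileHippo/UpdateChecker.exe", b"MZ" + b"hippo-1.1\0" * 64)
    snap_diff = write("SVI/RP289/A0156543.exe", b"MZ" + b"hippo-1.0\0" * 64)
    return triage_snapshots({snap_same: keepass_now, snap_diff: hippo_now})


if __name__ == "__main__":
    for snap, r in demo().items():
        print(f"{snap}\n  identical={r['identical']}  {r['action']}\n  {r['snapshot_sha256']}")
```

Hashes are only useful for lookup if you hash the snapshot itself, not the installed copy: a scanner that flagged the restore-point file is not saying anything about the program currently in `Program Files`.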

Re: Info on scan results
Oct 23, 2008 6:34AM PDT

Hi Ray..

So you decided to let me work for my money?

As far as Blacklight's "not valid Win32 error", it may be as simple as cleaning your cache and trying to install it again - or not! (You might even try a different browser)

FWIW .. I've always had programs such as Keepass, detected by some of my scanners. They were also located in the System Volume Information folder. SmitFraudFix, and a password finder being only two examples. These were utilities or programs I installed myself and know to be safe. In my case, I let them be. As far as Sophos having found them before, are you using a newer/different version?

If you've scanned with "all you know" and the system is clean, but you still remain leery, did you consider either contacting Sophos technical support or submitting the files to them for analysis? If at any point a log is necessary, you need only "run" %TEMP%\sarscan.log.

I think you know me well enough by now, to know I could ask a slew of questions. I'm going to limit them. I am curious to know if you're specifically questioning whether or not to flush your restore points, or if you think what's in your restore points, is indicative of a deeper problem. Were you able to upload the files to Jotti or Virus Total? Did you upload the KeePass.exe?

Be sure to let me know when you're satisfied. I do have a personal opinion about it, but you're the one who needs to sleep "worry-free".

Carol

Scan info
Oct 23, 2008 8:12AM PDT

Carol

Ran both KeePass.exe and the FileHippo.com Update Checker, both the exe and the setup; both were clean.

Ran Sophos and had it check only the registry and it turned up clean.

I feel now this is a Sophos false positive.

My main concern was what the two files in System Volume Information were and whether the registry key was a Trojan. After finding the info, thanks to your help, I am no longer concerned about the scan.

My main objective was to have you working and not doing laps. (Evil character, ain't I?)

Now I can devote my time to teaching you the manly art of self defense.

Thanks for the help I really really appreciate it.

Ray

Re: Scan info..
Oct 23, 2008 8:59AM PDT

Ray..

Nice of you to leave a smile on my face before I leave this "computer stuff" alone. Does this mean I can get some sleep and also partake in the meals I missed? I gather that would be a "yes".

I too felt it might not have been something to be concerned about, but like you, I would have needed a lot of convincing. I didn't know you were beta testing these days. Not knowing what the "FileHippo.com Update Checker" was, my curiosity got the better of me. I also wanted to make sure it wasn't something evil. Seems harmless enough.

You're quite welcome, Ray. Feel free to ask, but please keep it "non rootkit-related" next time! Now you owe me some boxing lessons, or the method of your choice! I'm flexible. (Sometimes)

Enjoy your weekend..
Carol