Author Topic: Comodo Reporting Rootkit.hidden[at]0  (Read 4394 times)

Offline vflflyer

  • Newbie
  • Posts: 6
Comodo Reporting Rootkit.hidden[at]0
« on: April 16, 2011, 09:15:17 PM »
I have run a few scans with Comodo and it is reporting a rootkit virus. I am totally lost as to how to get rid of this, or whether it is just a false positive.

Here are the results of the last scan:
Rootkit.HiddenFile[at]0 c:\Users\Vince\AppData\Roaming\Mozilla\Firefox\Profiles\c4drzawd.default\cookies.sqlite-journal
Rootkit.HiddenFile[at]0 c:\DkHyperbootSync

The scan before that was connected to a few index.dat files

Any help would be most appreciated!
Alienware MX17 R4 - 3820qm cpu - 32GB Ram - 680m GPU - 256 SSD - 500HD - Win7 64

Offline Ronny

  • Product Translator
  • Global Moderator
  • Comodo's Hero
  • Posts: 13404
  • Volunteer Moderator
Re: Comodo Reporting Rootkit.hidden[at]0
« Reply #1 on: April 17, 2011, 04:20:31 AM »
Hi vflflyer,

The second entry seems related to Diskeeper's HyperBoot. Do you have that installed? If yes, it's probably a false positive; it seems they are hiding this file from public view.

The Firefox cookies.sqlite-journal is also highly likely to be a false positive.

You seem to be running rootkit scans while working on the system. I'd advise closing as many apps as possible, if not all, before running a rootkit scan, as they can cause FPs like in this case. Just leave the system idle during the rootkit scan.

What happens is the following: CIS asks the Windows API for a listing of files and matches that against the results it finds directly on disk, bypassing Windows' normal APIs using RawDisk access. Now, if in between a file gets deleted, like the -journal file for example, there will be a difference in results between the API call and the RawDisk read. When that happens, something is probably hiding, hence CIS reports rootkit activity for the file.

As -journal files are only short-lived, this is probably the reason this happened.
Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!
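An added illustration of the cross-view check and the timing race described in the reply above (example code, not Comodo's or Diskeeper's). Both file listings are simulated in memory; the re-sampling confirmation step is an assumed mitigation for transient files such as SQLite -journal files, not something the reply says CIS does.

```python
"""Cross-view hidden-file detection: compare a file listing taken through the
normal OS API with one read from the raw on-disk structures, and flag files
present on disk but missing from the API view. A short-lived file deleted
between the two reads (e.g. an SQLite -journal) shows up as a phantom "hidden"
entry; re-sampling both views and only reporting entries hidden in every round
removes that class of false positive."""
from typing import Callable, Iterable, List, Set


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> Set[str]:
    """Files seen in the raw on-disk view but absent from the API listing."""
    return set(raw_view) - set(api_view)


def confirm_hidden(api_view_fn: Callable[[], List[str]],
                   raw_view_fn: Callable[[], List[str]],
                   rounds: int = 3) -> Set[str]:
    """Re-sample both views; keep only entries that are hidden in every round."""
    candidates = None
    for _ in range(rounds):
        hidden = cross_view_diff(api_view_fn(), raw_view_fn())
        candidates = hidden if candidates is None else candidates & hidden
        if not candidates:
            break
    return candidates or set()


# Constructed simulation of a volume (not a real disk read). The raw read of
# round one picks up a -journal that SQLite is about to delete; by the time
# the API listing is consulted it is gone. The second path is the file from
# this thread, simulated here as filtered from API listings in every round.
VISIBLE = ["cookies.sqlite", "places.sqlite", "prefs.js"]
FILTERED = "c:\\DkHyperbootSync"


class SimulatedDisk:
    def __init__(self) -> None:
        self.raw_reads = 0

    def raw_view(self) -> List[str]:
        self.raw_reads += 1
        journal = ["cookies.sqlite-journal"] if self.raw_reads == 1 else []
        return VISIBLE + journal + [FILTERED]

    def api_view(self) -> List[str]:
        return list(VISIBLE)  # journal already deleted; FILTERED never shown


if __name__ == "__main__":
    disk = SimulatedDisk()
    print("single pass:", cross_view_diff(disk.api_view(), disk.raw_view()))
    disk = SimulatedDisk()
    print("confirmed:  ", confirm_hidden(disk.api_view, disk.raw_view))
```

A single pass reports both the transient journal and the filtered file; the confirmed result keeps only the entry hidden across all rounds.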

Offline vflflyer

  • Newbie
  • Posts: 6
Re: Comodo Reporting Rootkit.hidden[at]0
« Reply #2 on: April 17, 2011, 12:37:41 PM »
Yes, that is Diskeeper. I will close all apps, re-run the scan, and see what I come up with.
Alienware MX17 R4 - 3820qm cpu - 32GB Ram - 680m GPU - 256 SSD - 500HD - Win7 64
