Author Topic: Comodo Reporting Rootkit.hidden[at]0  (Read 3781 times)
vflflyer

« on: April 16, 2011, 09:15:17 PM »

I have run a few scans with Comodo and it is reporting a rootkit virus. I am totally lost as to how to get rid of this, or whether it is just a false positive.

Here are the results of the last scan:
Rootkit.HiddenFile[at]0 c:\Users\Vince\AppData\Roaming\Mozilla\Firefox\Profiles\c4drzawd.default\cookies.sqlite-journal
Rootkit.HiddenFile[at]0 c:\DkHyperbootSync

The scan before that was connected to a few index.dat files.

Any help would be most appreciated!
Alienware MX17 R4 - 3820qm cpu - 32GB Ram - 680m GPU - 256 SSD - 500HD - Win7 64
Ronny

« Reply #1 on: April 17, 2011, 04:20:31 AM »

Hi vflflyer,

The second entry seems related to Diskeeper's Hyperboot. Do you have that installed? If yes, it's probably a false positive; it seems they are hiding this file from public view.

The Firefox cookies.sqlite-journal is also highly likely to be a false-positive.

You seem to be running rootkit scans while working on the system. I'd advise closing as many apps as possible, if not all, before running a rootkit scan, as they can cause FPs like in this case; just leave the system idle during the rootkit scan.

What happens is the following: CIS asks the Windows API for a listing of files and matches that against the results it finds directly on disk, bypassing Windows' normal APIs using RawDisk access. Now, if in between a file gets deleted, like the -journal file for example, there will be a difference in results between the API call and the RawDisk read; when that happens, something is probably hiding, hence CIS reports rootkit activity for the file.

As -journal files are only short-lived, this is probably the reason this happened.
Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!
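The cross-view comparison Ronny describes, and why re-checking removes the -journal false positive, as an added Python model that is not Comodo's code: `SimulatedDisk` is a constructed stand-in for the two listings, `cross_view_diff` flags any name the two views disagree on, and `scan` confirms a name only if it disagrees on every pass. A file that a product deliberately hides (like the Diskeeper entry) stays flagged, so the diff alone cannot separate benign hiding from a rootkit.

```python
from typing import Iterable, Optional, Set


class SimulatedDisk:
    """Constructed volume with two views of one directory: api_listing() is
    what the Windows directory API returns, raw_listing() is what a direct
    read of the on-disk structures returns. `hidden` names are dropped from
    the API view (a concealed file); `transient` is a short-lived file such
    as a -journal that is deleted after `ttl` listing calls, which races a
    scanner that lists the directory twice."""

    def __init__(self, files: Iterable[str], hidden: Iterable[str] = (),
                 transient: Optional[str] = None, ttl: int = 1) -> None:
        self.files: Set[str] = set(files)
        self.hidden: Set[str] = set(hidden)
        self.transient, self.ttl, self._calls = transient, ttl, 0

    def _tick(self) -> None:
        self._calls += 1
        if self.transient and self._calls > self.ttl:
            self.files.discard(self.transient)   # the journal file is gone

    def api_listing(self) -> Set[str]:
        self._tick()
        return self.files - self.hidden

    def raw_listing(self) -> Set[str]:
        self._tick()
        return set(self.files)


def cross_view_diff(api_view: Set[str], raw_view: Set[str]) -> Set[str]:
    """Any name present in only one of the two views is a mismatch."""
    return api_view ^ raw_view


def scan(disk: SimulatedDisk, passes: int = 3) -> Set[str]:
    """Report only names that mismatch on every pass. A file deleted between
    the two listings mismatches once and then agrees (absent in both views),
    so it drops out; a file concealed from the API mismatches every time."""
    suspects: Optional[Set[str]] = None
    for _ in range(passes):
        mismatch = cross_view_diff(disk.api_listing(), disk.raw_listing())
        suspects = mismatch if suspects is None else suspects & mismatch
        if not suspects:
            break
    return suspects or set()
```

A single pass over the racy disk reports the -journal file, the same result the original poster saw; three passes over the same model report nothing, while a name concealed from the API view is reported on every pass.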
vflflyer

« Reply #2 on: April 17, 2011, 12:37:41 PM »

Yes, that is Diskeeper. I will close all apps, re-run the scan and see what I come up with.