4 Rootkits, cant check them if these files are bad/good

[Guest]

[w-e-v]

Hello:

I did a smartscan and in less than 15 minutes it finished founding 4 threats which are rootkits (according to CIS):

Code:

2012-02-14 10:46:14  c:\WINDOWS\$NtUninstallKB12472$\1140427966\L\jhvoizqb  Rootkit.HiddenFile[at]0
2012-02-14 10:46:15  c:\WINDOWS\$NtUninstallKB12472$\1140427966\L  Rootkit.HiddenFolder[at]0
2012-02-14 10:46:15  c:\WINDOWS\$NtUninstallKB12472$\1140427966\[at]  Rootkit.HiddenFile[at]0
2012-02-14 10:46:15  c:\WINDOWS\$NtUninstallKB12472$\1140427966\U  Rootkit.HiddenFolder[at]0

Im not able to send this files to Valk, VirusTotal or Anubis, since I cannot locate them with Windows Explorer.
Its like the files dont exist. But they are always detected by CIS.

So how or what can I do to test these to see if they are bad or if they are just false-positives?

[w-e-v]

CAV found other 2 threats:

Code:

C:\System Volume Information\_restore{2AC3F150-276E-41FC-B419-EEE0635F846E}\RP142\A0023198.data|7.eml|Setup_NIS05.exe
C:\System Volume Information\_restore{2AC3F150-276E-41FC-B419-EEE0635F846E}\RP142\A0023198.data|10.eml|Setup_NIS05.exe

Due to the location of all files (included in the previous post), I am not allowed to access those system folders (due to system permissions/restrictions). Thus, I cannot upload to Valkyrie, VirusTotal or any other online scanner.

Any idea how can I achieve that to report all this as false-positives or suspicious?
I think COMODO should allow the upload of the found threats within the CAV-UI, since they are already identified and located.

[wasgij6]

try enabling "show hidden files and folders" and unchecking "hide protected operating system files" in the folder optioms. take extreme caution when unchecking the second option. it would be best to recheck it once ur done.

[w-e-v]

I did that already before, and it showed the folders... but like I said I cant enter the folders.
For example with this:

Code:

C:\System Volume Information\_restore{2AC3F150-276E-41FC-B419-EEE0635F846E}\RP142\A0023198.data|7.eml|Setup_NIS05.exe

I can navigate to C: and I can see the folder "System Volume Information".
But when I double click there, I get the following message: YOU CANT ACCESS SYSTEM VOLUME INFORMATION. ACCESS DENIED.

I cannot navigate within that folder neither with valkyrie software, nor with other application.

[Radaghast]

To access SysVol, modify the permissions on the folder and give your account full control permissions.

[w-e-v]

Machine is running Windows XP Home edition.
It doesnt have such feature to modify the permissions on the folder.

[Radaghast]

Machine is running Windows XP Home edition.
It doesnt have such feature to modify the permissions on the folder.

You should be able to access the advanced security tab in safe mode. Failing that, use the Cacls command.

[w-e-v]

You should be able to access the advanced security tab in safe mode.

Thank you! It worked!


I keep thinking this submission procedures should be a easy menu option available once the user is reviewing the files detected by CIS.

[jay2007tech]

Same scenario as above, but for windows 7
enabling "show hidden files and folders" and unchecking "hide protected operating system files" in the folder optioms. take extreme caution when unchecking the second option. it would be best to recheck it once ur done.

then add  "Take ownership" option to it.  Click on the .reg file that I had available

Now Find the problem you had in that case if you had windows 7
C:\System Volume Information  <----right click on it, and click on "take ownership"
some screens will pop up and go away.  Now you can access it and do what you want to it

[Tags:]