CCE finds more than 13000 rootkits and cannot clean any

Dear all,
I have CIS installed on a Win7 x64 PC. When I perform a normal scan there is nothing wrong with my computer (according to CIS), but the RAM usage is abnormally high, right now about 3 GB with just Firefox and Chrome open. This used to be no more than 1.5 GB a couple of months ago. I used CCE to scan my computer and it found more than 13000 rootkits in just one folder. Many of the files that are found using CCE are neither created by me nor accessible to me. (They are not normal hidden or system files; if they were, I should have seen them.) I have found other infected folders, and files with the same file names exist there. The formats are usually php or xml.
The problem is that CCE is unable to clean them. I have also tried safe mode with no luck!
What shall I do?
Thanks

Hello…
Is there anybody out there?

What are the name(s) of the rootkit(s) being reported? Can you post screenshot(s)?

Hi, Thank you.
Some of the infected files, as you see in the picture, are those of mine that are infected by rootkits. However, the majority (not shown in this picture) are those php files that are not visible to me using Windows Explorer (even by changing the setting for system or hidden files). They are usually .php or .xml files and they are named in a way that I somehow think each one is doing a particular task. They exist in various folders with the same structure. And as I said earlier, my RAM usage goes unnaturally high while the computer is idle, and after doing some simulations with high RAM usage (for example for half an hour) the RAM usage falls to 1 GB (compared with 3 GB while idle!)

[attachment deleted by admin]

Are these files visible when using Windows Explorer? Judging by the phrases in the paths and file names you are using some sort of math program for graphical simulations or so. Is that program active when doing the scan? If so these may be false positives.

A strategy to determine hidden files is to do two consecutive reads. One using the standard Windows API to read the file system and one using a raw read. When there is system activity in between the two reads you will get false positives.

> However, the majority (not shown in this picture) are those php files that are not visible to me using Windows Explorer (even by changing the setting for system or hidden files). They are usually .php or .xml files and they are named in a way that I somehow think each one is doing a particular task. They exist in various folders with the same structure. And as I said earlier, my RAM usage goes unnaturally high while the computer is idle, and after doing some simulations with high RAM usage (for example for half an hour) the RAM usage falls to 1 GB (compared with 3 GB while idle!)

Can you post a screenshot of those detections? This is just to get a bit of an idea what we are looking at.

It is the high RAM usage when idle that has my attention here. You might be infected with some sort of bitcoin mining malware. Can you see what process is eating RAM resource? Also scan with Hitman Pro, Super AntiSpyware and Malwarebytes Antimalware to check for possible infection. Please add the latter two to the exclusions of CIS AV for a faster scan.
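
The two-read comparison described above (an API listing against a raw read), and why activity between the reads inflates the count, as an added example that is not part of the thread and not CCE's implementation. The second API listing, the `RawEntry` records, the timestamps and all sample paths are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# NTFS metadata files are on disk but never returned by a Win32 directory listing.
NTFS_METADATA = {"$mft", "$mftmirr", "$logfile", "$volume", "$attrdef",
                 "$bitmap", "$boot", "$badclus", "$secure", "$upcase", "$extend"}

@dataclass(frozen=True)
class RawEntry:
    path: str        # path rebuilt from raw on-disk records (hypothetical parser output)
    created: float   # creation time, seconds on an arbitrary clock

def norm(path):
    return path.lower()  # Windows paths compare case-insensitively

def cross_view(api_before, raw, api_after, t_before):
    """Classify raw-only entries. api_before/api_after are API listings taken
    before and after the raw read; t_before is when api_before was taken."""
    before = {norm(p) for p in api_before}
    after = {norm(p) for p in api_after}
    verdicts = {}
    for e in raw:
        p = norm(e.path)
        if p in before:
            continue                        # both views agree
        if p.rsplit("\\", 1)[-1] in NTFS_METADATA:
            verdicts[e.path] = "ntfs-metadata"
        elif p in after:
            verdicts[e.path] = "churn"      # created between the reads, now visible
        elif e.created >= t_before:
            verdicts[e.path] = "transient"  # too new to judge, rescan when idle
        else:
            verdicts[e.path] = "hidden-candidate"
    return verdicts

# Constructed sample data, not taken from the thread's scan results.
API_BEFORE = ["D:\\Work\\run1.cdb"]
RAW = [RawEntry("D:\\Work\\RUN1.cdb", 100.0),
       RawEntry("D:\\$MFT", 1.0),
       RawEntry("D:\\Work\\run2.cdb", 1005.0),
       RawEntry("D:\\Work\\~scratch.tmp", 1007.0),
       RawEntry("D:\\Work\\old.xml", 50.0)]
API_AFTER = ["D:\\Work\\run1.cdb", "D:\\Work\\run2.cdb"]

def demo():
    return cross_view(API_BEFORE, RAW, API_AFTER, t_before=1000.0)

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:17} {path}")
```

A plain set difference between the raw read and the first API listing would report four of the five raw entries here; only one survives once metadata files and files created during the scan are set aside.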

Well, no, they are not visible using Windows Explorer. And no other program is running except CCE while scanning. I performed another scan and the number increased to 14000 and then 16000. The funny thing, as you can see in the picture, is that it has started to create files and folders, again invisible to me using Windows Explorer, mimicking the names of mine which are elsewhere on the computer. For instance, “T12-6.cdb” or folder “T12”, they are my simulations for test no. 12, why should I save them in “ArtTemp” where I save articles temporarily!

No, nothing is shown in the task manager. If I leave the computer for a couple of minutes, the RAM usage goes up, and as soon as I move the mouse it drops.

Ed.:
And I scanned the computer using all 3 programs, but just some cookies were found.

[attachment deleted by admin]

Just to further wrap my head around it. You seem to have a system with multiple partitions. What is on your c and partition? Are there other partitions as well?

Are you using indexing software of some sort?

Can you run the following two rootkit scanners: TDSS Killer and GMER?

Thank you again. I have previously used TDSS and the other one and they found nothing.
Yes I have multiple partitions.
C–> Windows+installed programs
D–> Documents&Simulations
F–>OS X
I do not know about indexing software! You mean for desktop searching?
If that is the case, I just have Bing!

I looked up what Bing desktop does but it does not seem to index your hard drive from what I understand. I know Nero suite has or had an indexer function. Do you have Nero? I am still wondering whether (part of) what we see is the result of an indexer running in the background.

Can you post a screenshot of the detection with the .php and .xml detections? When needed maximize the screen of CCE to be able to see the full paths of what’s happening. Are the paths visible when booting the computer in Safe Mode?

I do not have Nero. I performed the scan again and the php and xml files are gone! Instead, just these files are in the same folder where the php and xml files were!

[attachment deleted by admin]

I asked the other mods to share their wisdom on this topic.

Could you in the meanwhile scan with Hitman Pro, Malwarebytes Antimalware and Super Antispyware to widen the net a bit?

Thank you EricJH.
I have scanned my computer with these programs and they just found some cookies. I have moved the files to an external HDD and formatted the Windows drive and the one with infected files. The RAM usage is now normal. But the number of infected files on the external hard drive has increased drastically. (till now, 50000 out of 208000 scanned files!)
I have two external HDDs, and to reduce the scan time I chose custom scan for individual folders that I know are infected. I just let CCE scan for hidden files and folders (out of the possible options). The interesting part is that CCE has found these 52K (yes, they increased as I am typing) in a folder on the other HDD that it was not supposed to scan!
Can it be just a false positive?

Are the files that are being flagged as rootkit visible with Explorer? Are there files being flagged that cannot be seen with Explorer? Can you post screenshots of the detections? Can you maximize the CCE screen so we have a bigger chance of seeing the full paths?

Hi EricJH,

  1. There are both invisible and visible files in the detections (using Windows Explorer).
  2. I have already posted a screenshot of the detections with maximized screen in the previous posts, the folder path is visible there.

I am at a loss here. I am inclined to believe these are false positives but I cannot make it stick. I sent a pm to herbzhang from Comodo asking to share his wisdom.

Hi mate, can you please try WinHex and see if you can find these reported files in Tools->Open Disk->D?
Or you can ping me on Skype (herb_zhang@hotmail.com) if I can log in to your system with remote control to have a check.
Thanks

Regards
Haibo

Thank you for stepping in Haibo.