4 Rootkits, cant check them if these files are bad/good

_0M0D0 · February 14, 2012, 5:05pm

Hello:

I did a smartscan and in less than 15 minutes it finished founding 4 threats which are rootkits (according to CIS):

2012-02-14 10:46:14  	c:\WINDOWS\$NtUninstallKB12472$\1140427966\L\jhvoizqb  	Rootkit.HiddenFile@0
2012-02-14 10:46:15  	c:\WINDOWS\$NtUninstallKB12472$\1140427966\L  		Rootkit.HiddenFolder@0
2012-02-14 10:46:15  	c:\WINDOWS\$NtUninstallKB12472$\1140427966\@  	Rootkit.HiddenFile@0
2012-02-14 10:46:15  	c:\WINDOWS\$NtUninstallKB12472$\1140427966\U  		Rootkit.HiddenFolder@0

Im not able to send this files to Valk, VirusTotal or Anubis, since I cannot locate them with Windows Explorer.
Its like the files dont exist. But they are always detected by CIS.

So how or what can I do to test these to see if they are bad or if they are just false-positives?

_0M0D0 · February 15, 2012, 6:53pm

CAV found other 2 threats:

C:\System Volume Information\_restore{2AC3F150-276E-41FC-B419-EEE0635F846E}\RP142\A0023198.data|7.eml|Setup_NIS05.exe
C:\System Volume Information\_restore{2AC3F150-276E-41FC-B419-EEE0635F846E}\RP142\A0023198.data|10.eml|Setup_NIS05.exe

Due to the location of all files (included in the previous post), I am not allowed to access those system folders (due to system permissions/restrictions). Thus, I cannot upload to Valkyrie, VirusTotal or any other online scanner.

Any idea how can I achieve that to report all this as false-positives or suspicious?
I think COMODO should allow the upload of the found threats within the CAV-UI, since they are already identified and located.

wasgij6 · February 15, 2012, 7:33pm

try enabling “show hidden files and folders” and unchecking “hide protected operating system files” in the folder optioms. take extreme caution when unchecking the second option. it would be best to recheck it once ur done.

_0M0D0 · February 15, 2012, 8:19pm

I did that already before, and it showed the folders… but like I said I cant enter the folders.
For example with this:

C:\System Volume Information\_restore{2AC3F150-276E-41FC-B419-EEE0635F846E}\RP142\A0023198.data|7.eml|Setup_NIS05.exe

I can navigate to C: and I can see the folder “System Volume Information”.
But when I double click there, I get the following message: YOU CANT ACCESS SYSTEM VOLUME INFORMATION. ACCESS DENIED.

I cannot navigate within that folder neither with valkyrie software, nor with other application.

Radaghast · February 15, 2012, 9:01pm

To access SysVol, modify the permissions on the folder and give your account full control permissions.

[attachment deleted by admin]

_0M0D0 · February 16, 2012, 2:19am

Machine is running Windows XP Home edition.
It doesnt have such feature to modify the permissions on the folder.

Radaghast · February 16, 2012, 3:30am

You should be able to access the advanced security tab in safe mode. Failing that, use the Cacls command.

[attachment deleted by admin]

_0M0D0 · February 16, 2012, 4:27am

Thank you! It worked!

I keep thinking this submission procedures should be a easy menu option available once the user is reviewing the files detected by CIS.

jay2007tech · March 7, 2012, 4:08am

Same scenario as above, but for windows 7
enabling “show hidden files and folders” and unchecking “hide protected operating system files” in the folder optioms. take extreme caution when unchecking the second option. it would be best to recheck it once ur done.

then add “Take ownership” option to it. Click on the .reg file that I had available

Now Find the problem you had in that case if you had windows 7
C:\System Volume Information <----right click on it, and click on “take ownership”
some screens will pop up and go away. Now you can access it and do what you want to it

[attachment deleted by admin]