Rootkit problems found

Hey, just installed the latest Comodo Internet Security 5.3.174622. I set it up the same as the previous one. When I ran the first full scan it found 18904 problems (rootkit.hiddenvalue@0); when I tried to disinfect them, at the end it said most couldn’t be removed. I ran it again and it found the same amount again! Then I tried to just clean them and no luck. I’ve run Super-Antispyware and Malwarebytes and nothing is found. Any ideas, should I just check scan for rootkits in manual scanning? Thanks!!

Hey and a warm welcome to Comodo’s forums!

I don’t know if you have a 32-bit or 64-bit OS, so I can give you both of them.

CCE is something you should try and see what happens. CCE 32-bit or CCE 64-bit

Extract it and run a custom scan. Here you select the 4th and 5th option.

You can also try with Hitman Pro 32-bit or Hitman Pro 64-bit.

Keep Hitman Pro even when the 30-day license is over; it will scan your computer but it won’t remove the found malware.

Enjoy your stay here at the Comodo forums and take care!

Regards,
Valentin N

I would also warn you that the rootkit scanner in CIS is new. Therefore I’d advise you not to remove anything until you confirm it is actually a rootkit.

Can you please scan with Sophos Anti-Rootkit and see if it finds a rootkit as well?

If you do scan with Sophos, please make sure that you don’t delete the wrong things; many of the things are not rootkits (I see them more as hidden objects).

I also think that you should show us the rootkit log from CIS.

Try Avira’s and Avast’s rootkit scanners (I will add the exe file in zip format).

Regards,
Valentin

Thanks, I ran Sophos and the ones it found weren’t recommended to remove, so I left them as is. Then I ran Hitman 32 and nothing was found. Also ran M.S. Malicious Software and nothing there either. Looks like a bug in Comodo, so I unchecked Scan Rootkits and ran a full scan with nothing found. Still makes me wonder!

Have you run Malwarebytes and SuperAntiSpyware?

Regards,
Valentin N

Yes, and nothing either. I have Super Anti Pro; wish they made an AV/FW as good as the spyware one is!

Could you show us the scan result? Try GMER and see if GMER shows something suspicious.

Regards,
Valentin N

Also, can you report the detection as a false positive to Comodo?

Can you please save the scanning results and attach here?

Thanks,
Egemen

I did a full system scan with CIS V5.3 (and heuristics on high) and it found four rootkits. I’m almost positive these are false positives. I’m running Windows 7 x64.

I am unable to report them as false positives, quarantine them, or delete them. I then tried to save the results from the scan and I got the warning that “There are no more files.” I get the same error when I try to export my antivirus events from the logs. I’m not sure what caused those errors, but it could be linked.

If you like I can make a bug report for this. Thanks.

In the scanning results screen there is a Save Results link; please use it and paste the results here so that we can check.

Like I said, for whatever reason I can’t save the file. I’m not sure why. Possibly it’s related to this problem and possibly it’s just something else I’ve done. I can’t say for sure at the moment.

However, I can write the results that were saved in the Antivirus Events (although I can’t export them to a file).

Location                            Malware Name

c:\ADSM_PData_0150_avt              Rootkit.HiddenFile@0
c:\ADSM_PData_0150\DragWait.exe     Rootkit.HiddenFile@0
c:\ADSM_PData_0150\DB               Rootkit.HiddenFolder@0
c:\ADSM_PData_0150\                 Rootkit.HiddenFolder@0

I believe these specific ones are ASUS files, but I can’t be sure.

I am seeing the same thing. The following 5 items fail to be removed when I choose “Clean” or any other option:

2011-01-06 18:23:54
HKEY_LOCAL_MACHINE\Software\Classes\CLSID{F9F9DEBB-68B5-F470-73ABBBDFE6B7698C}{2DE0854A-58E2-477C-18CA38B62B72F56E}{B78F9583-EE49-B075-5FB6B2640AC6C572}\KGHQ1WVPMWYCTK5FHYUB2KQRGA1
Rootkit.HiddenValue@0
Remove
Failure

2011-01-06 18:23:54
HKEY_LOCAL_MACHINE\Software\Classes\CLSID{40886FA5-87BC-FDA7-0C1FAC01C243999B}{19E564B2-522B-7AA8-1ACCCD0705265332}{1F2DE655-6E2E-2DD5-8638E8D01A513D14}\KGHQ1WVPMWYCTK5FHYUB2KQRGA1
Rootkit.HiddenValue@0
Remove
Failure

2011-01-06 18:23:54
HKEY_LOCAL_MACHINE\Software\Classes\CLSID{40886FA5-87BC-FDA7-0C1FAC01C243999B}{19E564B2-522B-7AA8-1ACCCD0705265332}{1F2DE655-6E2E-2DD5-8638E8D01A513D14}\KGHQ1WVPMWYCTK5FHYUB2KQRGA1
Rootkit.HiddenValue@0
Remove
Failure

2011-01-06 18:23:54
HKEY_LOCAL_MACHINE\Software\Classes\CLSID{F9F9DEBB-68B5-F470-73ABBBDFE6B7698C}{2DE0854A-58E2-477C-18CA38B62B72F56E}{B78F9583-EE49-B075-5FB6B2640AC6C572}\KGHQ1WVPMWYCTK5FHYUB2KQRGA1
Rootkit.HiddenValue@0
Remove
Failure

2011-01-06 18:23:54
HKEY_LOCAL_MACHINE\Software\Classes\CLSID{3C314B03-F43E-BA89-952BA1DFD2D5EFE8}{7539A87C-0FED-33C5-609B84E8BF01550C}{B9902A55-37BA-35DE-AA3E0A7380F9249D}\KGHQ1WVPMWYCTK5FHYUB2KQRGA1
Rootkit.HiddenValue@0
Remove
Failure
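As an added example (not from the post above or from Comodo's software), here is a small Python parser for the five-line CIS event records quoted above, plus a triage summary that counts distinct locations, repeated entries and failed removals. The sample log is a constructed subset of the records pasted in the post.

```python
import re
from collections import Counter

# Constructed sample: three of the event records quoted in the post above
# (timestamp, location, malware name, action, result), blank-line separated.
# The second and third records are the same entry listed twice.
SAMPLE_LOG = r"""2011-01-06 18:23:54
HKEY_LOCAL_MACHINE\Software\Classes\CLSID{F9F9DEBB-68B5-F470-73ABBBDFE6B7698C}{2DE0854A-58E2-477C-18CA38B62B72F56E}{B78F9583-EE49-B075-5FB6B2640AC6C572}\KGHQ1WVPMWYCTK5FHYUB2KQRGA1
Rootkit.HiddenValue@0
Remove
Failure

2011-01-06 18:23:54
HKEY_LOCAL_MACHINE\Software\Classes\CLSID{40886FA5-87BC-FDA7-0C1FAC01C243999B}{19E564B2-522B-7AA8-1ACCCD0705265332}{1F2DE655-6E2E-2DD5-8638E8D01A513D14}\KGHQ1WVPMWYCTK5FHYUB2KQRGA1
Rootkit.HiddenValue@0
Remove
Failure

2011-01-06 18:23:54
HKEY_LOCAL_MACHINE\Software\Classes\CLSID{40886FA5-87BC-FDA7-0C1FAC01C243999B}{19E564B2-522B-7AA8-1ACCCD0705265332}{1F2DE655-6E2E-2DD5-8638E8D01A513D14}\KGHQ1WVPMWYCTK5FHYUB2KQRGA1
Rootkit.HiddenValue@0
Remove
Failure"""

RECORD_FIELDS = ("timestamp", "location", "malware", "action", "result")


def parse_events(text):
    """Split a pasted CIS event log into dicts, one per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines() if line.strip()]
        if len(lines) != len(RECORD_FIELDS):
            raise ValueError(f"malformed record: {lines!r}")
        records.append(dict(zip(RECORD_FIELDS, lines)))
    return records


def summarize(records):
    """Triage view: distinct objects, repeated entries, failed removals, leaf names."""
    by_location = Counter(r["location"] for r in records)
    return {
        "total": len(records),
        "distinct_locations": len(by_location),
        "duplicates": sorted(loc for loc, n in by_location.items() if n > 1),
        "failed_removals": sum(1 for r in records if r["result"] == "Failure"),
        "by_name": dict(Counter(r["malware"] for r in records)),
        # Last path component: the registry value name each detection points at.
        "value_names": sorted({r["location"].rsplit("\\", 1)[-1] for r in records}),
    }
```

Paste the full Save Results text into SAMPLE_LOG (or read it from a file) to get the same summary for a whole scan before deciding what to report as a false positive.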

Same problem here, and I have no internet connection. I tried at least 5 antivirus removers, and LSPfix, winsockxpfix, ran multiple rootkit removers, and still nothing from them. The two files are invisible to most other virus removers except for Dr. Web and CCE. It is in window/$uninstall or something like that; it is just before the assembly folder.

Try running the Dr. Web Live CD and see if that can remove it: http://www.freedrweb.com/livecd/?lng=en

If that doesn’t work please see How to Clean An Infected Computer.