Author Topic: Are these safe or not?  (Read 775 times)

Offline t5673

  • Newbie
  • *
  • Posts: 8
Are these safe or not?
« on: May 17, 2016, 12:36:27 PM »
hello everyone,

Comodo found five files ending in snapshot.etl in the system32 folder. Are these malware/viruses or traces of them, or are they safe?

Thank you.

Offline fatih.orhan

  • Global Moderator
  • Comodo Loves me
  • *****
  • Posts: 133
Re: Are these safe or not?
« Reply #1 on: May 17, 2016, 12:48:09 PM »
Hi

If you provide us the files, we'll analyze them. You may use valkyrie.comodo.com to upload them.

Fatih

Offline t5673

  • Newbie
  • *
  • Posts: 8
Re: Are these safe or not?
« Reply #2 on: May 17, 2016, 01:02:38 PM »
Will do that. Thank you so much.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 23567
Re: Are these safe or not?
« Reply #3 on: May 17, 2016, 03:35:32 PM »
It's not a virus:
Quote
snapshot.etl is one of the vital files in the computer system, it is used to load up a number of system settings and execute the libraries of several system dlls.
Source

Offline t5673

  • Newbie
  • *
  • Posts: 8
Re: Are these safe or not?
« Reply #4 on: May 17, 2016, 04:40:16 PM »
Wow. Thank you so much. Comodo found 5 of those files in the full scan, all in the system32 folder and all ending in snapshot.etl. I told it to do nothing. I read in an article that Comodo sometimes finds false positives and that I should not delete anything before the file gets inspected by techs. I was so close to pressing "clean". Interestingly, when I did a quick scan minutes later it did not find anything; only in the deep scan did it find those files. I guess I should not do anything. What do you think?

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 23567
Re: Are these safe or not?
« Reply #5 on: May 17, 2016, 07:10:37 PM »
I would leave them as they are, upload them to http://camas.comodo.com/cgi-bin/submit and leave the SHA1 file hashes of the files here for Fatih.
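
A way to collect exactly what this reply asks for (the SHA1 hashes, plus a bit of context about each file) without deleting or modifying anything. This is an added example, not code from the thread or from Comodo; it assumes Windows PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt so System32 is fully readable. The file filter comes from the thread; the report file name and the provider listing are my additions.

```powershell
# Added example (not from the thread): gather SHA1 hashes and basic context for
# every *snapshot.etl file in System32, read-only, and write a report to paste
# into the forum. Assumes PowerShell 4.0+ and an elevated prompt.

$folder = Join-Path $env:SystemRoot 'System32'
$report = Join-Path $env:USERPROFILE 'Desktop\snapshot-etl-report.txt'   # my choice of location

# -Force includes hidden/system files, so the listing matches what a deep scan sees.
$files = Get-ChildItem -LiteralPath $folder -Filter '*snapshot.etl' -File -Force -ErrorAction SilentlyContinue

$rows = foreach ($f in $files) {
    $sha1 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA1).Hash

    # An .etl file is an Event Tracing for Windows log. Get-WinEvent can open it
    # directly (-Oldest is mandatory for .etl files); the provider names tell you
    # which component wrote the trace, which is far more informative than the name.
    $providers = try {
        Get-WinEvent -Path $f.FullName -Oldest -MaxEvents 200 -ErrorAction Stop |
            ForEach-Object { $_.ProviderName } |
            Sort-Object -Unique
    } catch {
        "unreadable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Path         = $f.FullName
        SizeBytes    = $f.Length
        LastWriteUtc = $f.LastWriteTimeUtc.ToString('u')
        Attributes   = $f.Attributes.ToString()
        SHA1         = $sha1
        EtwProviders = ($providers -join ', ')
    }
}

# Show on screen and save to the report file at the same time.
$rows | Format-List | Out-String | Tee-Object -FilePath $report
```

On a machine whose PowerShell is older than 4.0, `certutil -hashfile <path> SHA1` gives the same hash for pasting into the thread. Nothing here writes to System32, and the files are left in place for the analysts, as the reply advises.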

Offline t5673

  • Newbie
  • *
  • Posts: 8
Re: Are these safe or not?
« Reply #6 on: May 18, 2016, 08:11:03 PM »
Thank you for your advice.

Comodo also found a "rootkit: hidden file".

It was this:

C:\Users\Therios\Documents\Αρχεια συγκετνρωτικο\Onedrive terry.spade\OneDrive\Eleftherios\Files from phones sd card\Files from dvds plus w8 n outlook 2007\Νέος φάκελος\Arxeia po to kinito 4-8-11 polles ihografiseis gia poker kai zoi kai fotografies\POKER\Docs apo to til\Eγχειριδιο.docx   Rootkit.HiddenFile   HIDDENFILE   Clean   UnKnown

What do you think that is? I went to the location of the file and it is not there. The folder is empty.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 23567
Re: Are these safe or not?
« Reply #7 on: May 18, 2016, 08:48:30 PM »
Do you know this document? Can you actually find it on your computer? I am wondering if this could be a false positive.

Offline t5673

  • Newbie
  • *
  • Posts: 8
Re: Are these safe or not?
« Reply #8 on: May 18, 2016, 10:18:57 PM »
I have a document (that I created) with the same title in a folder right above that folder, and I am aware of the folder that the "hidden rootkit" is in, but when I open the folder the document is not there.

Here is the log and a screenshot of the Comodo result. Thank you so much.

====== System Information ======

Computer Name:   TABLET-JSTJM13J
Log on User:   Therios
Memory Size:   3.91 GB.
Windows Directory:   C:\windows
Windows Version:   
CCE Version:   2.5.242177.201

Virus database version: 25029

[10:26:46] Scan started.

====== Cleanup results ======

C:\Users\Therios\Documents\Αρχεια συγκετνρωτικο\Onedrive terry.spade\OneDrive\Eleftherios\Files from phones sd card\Files from dvds plus w8 n outlook 2007\Νέος φάκελος\Arxeia po to kinito 4-8-11 polles ihografiseis gia poker kai zoi kai fotografies\POKER\Docs apo to til\Eγχειριδιο.docx   Rootkit.HiddenFile   HIDDENFILE   Clean   UnKnown

[attachment deleted by admin]

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 23567
Re: Are these safe or not?
« Reply #9 on: May 19, 2016, 11:07:08 AM »
So you have a file with that name in the POKER folder. Does that also happen with other files that got flagged as hidden files?

There are a lot of detections in the same folders. I am truly wondering whether these are actually hidden files. Maybe OneDrive was syncing and CCE was seeing discrepancies because of that. I would advise restoring the files and scanning again to see whether CCE detects them again or not. The detection is about hidden files, not about hidden processes. Hidden processes are the scary detections.
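
The check a practitioner would run on a path reported as Rootkit.HiddenFile before deciding between "rootkit" and "sync artefact". This is an added example, not code from the thread or from Comodo; it assumes Windows PowerShell 3.0 or later (4.0+ for the hash step) run as the user who owns the OneDrive folder. The path is the one from the scan log above; the attribute interpretation (reparse point / offline for a cloud placeholder) is a general property of cloud-sync placeholder files, and whether CCE's detection logic works by comparing enumeration layers is my assumption, not something the thread states.

```powershell
# Added example (not from the thread): cross-check a path that a scanner reported
# as a hidden file. Read-only; nothing is restored, moved or deleted here.
# Assumes PowerShell 3.0+ (Get-FileHash needs 4.0+). Path taken from the scan log.

$flagged = 'C:\Users\Therios\Documents\Αρχεια συγκετνρωτικο\Onedrive terry.spade\OneDrive\Eleftherios\Files from phones sd card\Files from dvds plus w8 n outlook 2007\Νέος φάκελος\Arxeia po to kinito 4-8-11 polles ihografiseis gia poker kai zoi kai fotografies\POKER\Docs apo to til\Eγχειριδιο.docx'
$parent  = Split-Path -LiteralPath $flagged -Parent

# 1. Does the entry exist once Hidden/System attributes are included? Explorer
#    hides such files by default, so "the folder is empty" in Explorer does not
#    mean the directory has no entries.
$item = Get-Item -LiteralPath $flagged -Force -ErrorAction SilentlyContinue

if ($null -eq $item) {
    "Not returned by the Win32 file API even with -Force."
    "If a scanner keeps reporting it, that is the case to take seriously: re-check with an offline/boot-time scan rather than from the running OS."
} else {
    $attrs = $item.Attributes
    "Found: $($item.FullName)"
    "Attributes: $attrs"
    "Size: $($item.Length) bytes, last write (UTC): $($item.LastWriteTimeUtc)"

    # 2. Attribute interpretation. ReparsePoint plus Offline is what a cloud-sync
    #    placeholder looks like (metadata present, content not downloaded).
    #    Hidden/System alone is an ordinary attribute any program can set.
    if ($attrs -band [IO.FileAttributes]::ReparsePoint) { "ReparsePoint: likely a sync placeholder, not a plain local file." }
    if ($attrs -band [IO.FileAttributes]::Offline)      { "Offline: content is not stored locally." }
    if ($attrs -band [IO.FileAttributes]::Hidden)       { "Hidden: Explorer will not show it by default." }
    if ($attrs -band [IO.FileAttributes]::System)       { "System attribute set." }

    # 3. Hash the bytes so they can be compared with the copy the user knows they
    #    created one folder up. Skipped for Offline files, since reading one would
    #    trigger a download and change the state being investigated.
    if (-not ($attrs -band [IO.FileAttributes]::Offline)) {
        "SHA1: $((Get-FileHash -LiteralPath $item.FullName -Algorithm SHA1).Hash)"
    }
}

# 4. Full listing of the parent folder, hidden entries included, to compare with
#    what Explorer shows and with the other paths the scanner flagged.
Get-ChildItem -LiteralPath $parent -Force |
    Select-Object Name, Length, Attributes, LastWriteTime
```

If step 1 finds the file and step 2 shows a reparse point or offline placeholder, the "hidden file" is most plausibly the sync state the reply suspects, and rescanning after the files are restored (downloaded) is the right next move. If step 1 finds nothing at all while a scanner still reports the path, the disagreement between what the normal file API returns and what the scanner sees is the thing to investigate, not the file name.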


Offline t5673

  • Newbie
  • *
  • Posts: 8
Re: Are these safe or not?
« Reply #10 on: May 23, 2016, 12:30:39 PM »
I really do not know. The folder has no files in it, so there is no file in it to upload. I do not know whether OneDrive was uploading or not. I scanned it twice and it found the same detections. In the meantime I have rearranged some folders and deleted some files as part of a general file categorization. I will scan again now and check what it finds.

Thank you so much for your help. I will reply with the results.

Offline t5673

  • Newbie
  • *
  • Posts: 8
Re: Are these safe or not?
« Reply #11 on: May 23, 2016, 04:46:49 PM »
OK. I have performed a full scan again (after I deleted a few files and moved a few others as part of the general file categorization I have been doing the past days) and Comodo has not found anything: "no threats detected".

So what is the verdict, do you think? Is there anything else that I should do?

Thanks again for the help.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 23567
Re: Are these safe or not?
« Reply #12 on: May 23, 2016, 07:10:53 PM »
When CCE doesn't detect hidden files any more and doesn't detect hidden processes, I would say your system is clean. You could follow up with TDSSKiller and GMER to look for rootkit activity, and Hitman Pro to go the extra mile. These scanners scan quickly. When they don't show hidden processes running or report a rootkit, then I declare your system clean.

Offline t5673

  • Newbie
  • *
  • Posts: 8
Re: Are these safe or not?
« Reply #13 on: May 24, 2016, 08:38:29 PM »
I scanned with TDSSKiller and with Hitman Pro and they did not find anything, so I guess the system is clean.

Thank you so much, everybody, for your kind help. I really appreciate it. You have a great forum and everybody has been so helpful.

Best regards everyone.
