I just finished a SAS scan, my last one being about 6 days ago, and it turned up “Rootkit.Agent/Gen-Rx”, there are 5 items flagged they are: Program files\Epox\eptp\epcpuid64.sys, Program files\Epox\eptp\getbinfile64.sys, Program files\Epox\eptp\hwmdr.sys, Program files\Epox\eptp\scanmemory64.sys and Windows\system32\driver\hwmdr.sys. I’ve quarantined them and all, and I’m running a second scan now, I’m just look for some advise, I haven’t visited any insecure websites that I know of, nor installed anything in since my SAS scan, I run avast scans daily and they haven’t detected anything, should I do anything else? Could this be a false positive?
Hmmm… the only way to know would be extracting the files from SAS quarantine and submit them to www.virustotal.com
I’m not sure SAS allows this action (extract), only restore (what could be dangerous).
No, you’re right, only remove or restore, and I wouldn’t exactly be thrilled to risk doing so.
I’ve done a quick scan and it’s clean (apart from a cookie), I’ve submitted a HijackThis logs to the scanner and they’re clean, both before an after the quarantine. I’ve just started a full SAS scan (usually takes 1.5 hours) and after that I’ll do a Malwarebytes’ scan too. Spybot S&D didn’t turn up anything earlier either, and I’m using SpywareBlaster too which is up to date. is there anything else I should be doing?
Well, as you probably know, Epox is a computer component manufacturer.
My guess is that the files are legitimate, although whether they are necessary for the computer to run, I wouldn’t know. If you Google the file names, there aren’t many hits, which is a bit suspicious. Possiblt could be explained if there are very few of these computers in circulation, yet. Is yours brand new?
Have you tried asking about these at the SAS forum? If they are FP’s hopefully someone there could say so, authoritatively.
Epox is the brand of my motherboard, a EPoX EP-9NPA+ Ultra, which is quite a few years old now. If the files are legit, then they don’t appear to be vital, I had to do a reboot after the quarantine and everything started up fine, I’ve had no errors or anything. My Malwarebaytes’ came back fine, as did the full SAS scan I was running during the previous post, and I’m doing a thorough avast scan now.
I’ve made a thread over at SAS forums asking for help too, but so far I’ve had no replies.
Finally got a reply from someone on SAS forums and was advised they were probably legit and to restore and submit FP report, to be on the safe side I also sent them to VirusTotal, could someone take a look at the results please? I’m not quite sure what I’m looking at…
Program Files\Epox\EPTP\EPCPUID64.SYS
Program Files\Epox\EPTP\GETBINFILE64.SYS
Program Files\Epox\EPTP\hwmdr.sys <-This one concerns me as one lists it as a Trojan.
Program Files\Epox\EPTP\SCANMEMORY64.SYS
Windows\system32\drivers\hwmdr.sys <-This one concerns me as one lists it as a Trojan.
I would say without a doubt that were those files on my machine, I would be happy to restore them, based on those reports.
(All the files show clean, except for two files as indicated, both by Sunbelt, both flagged as Trojan.Win32.Generic!BT)
There is a facility to submit a false positive to Sunbelt, but I cannot in all conscience suggest you use it, as below the submission form, this is printed:
NOTE: By submitting this form, you agree to allow Sunbelt Software to make your information public
(What sort of shonky outfit does this? ???)
Basically the results are telling you that one out of the 41 AV companies think that two of your submitted files might be malware. (“Might” because the description of the threat includes “Generic”, which you can think of as “looks like it belongs to this family”, or words to that effect.)
Statistically and practically, it is almost certainly a false positive.
BTW, although my reply above may suggest it, I mean no disrespect to the technical ability of the Sunbelt security program/s, or to the work of the research lab. From what I’ve read and understood, their work is usually of a high standard; it just appears they made a mistake this time. Like any security program can.
(I do think their indicated lack of privacy leaves a lot to be desired.)
It looks pretty clear it was an FP now, I restored the files and I ran SAS scan again so that I could submit them as FPs, but now they’re not even being flagged. I had an update for SAS after the initial scan flagged them, so I’d guess the FP was corrected in it anyway.
Anyway, thanks a lot for the help!