Rootkit detection in C:\## aswSnx private storage?

I did a full rootkit scan (sensitivity normal) with avast and got the following detection:

File C:\## aswSnx private storage\webStorage\image\Users\user\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll HIDDEN

Severity High, Threat rootkit, hidden file.

Boot time scan shows nothing.

(I did the scan because I’d been getting a few mbam IP block alerts, and a couple of crashes - but the alerts have stopped with the last mbam update)

This being safezone/sandbox storage I expect (and sincerely hope) it is a FP (I gather there is a legitimate file in chrome of this name, but not sure why this is classed as hidden when other aswSnx files aren’t)

  • but how to send it to virustotal for checking? - I can’t even see ## aswSnx private storage on the C drive, even with ‘show hidden files’ selected.

(I know I’ve seen it before - I’ve even deleted it before on pk’s advice to fix a safezone problem).

Any thoughts?

Thanks

I’ve managed to submit to VT - using Linux to access it.

Result - 0/39.

I’ve also noted from the avast log that this is the only .dll file scanned in C:\## aswSnx private storage.

Perhaps that explains the alert?

It isn’t actually saying it is a rootkit, but that it is HIDDEN, and that is essentially correct, as that is what the avast sandbox/safezone private storage is meant to do. This is why you can’t see it from normal Windows Explorer.

I didn’t think VT would find anything as it can’t replicate the anti-rootkit scan and avast anti-rootkit was only saying it was HIDDEN.

Whilst I don’t have avast Pro or AIS, this appears to be a component of the avast safe browser (based on the Chromium browser).

Thanks David.

You’re right it is a Chromium browser file.

The same file was also scanned outside ## aswSnx private storage as a Chrome file (without detection):

File C:\Users\user\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll.

So I still suspect it’s the fact that it’s the only hidden .dll in ## aswSnx private storage that is prompting the alert.
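One check that settles the question the poster is circling (is the hidden copy really the same DLL as the visible Chrome one?) is to hash both files and compare them. The script below is an added example, not code from this thread or from avast; it assumes nothing about the real paths and instead builds constructed stand-in files in a temporary directory, including an unreadable path to stand for the sandbox private storage that a normal Windows session cannot open (the poster had to use Linux to reach it). If the two copies hash identically, the hidden copy carries no extra content, and the SHA-256 can be searched on VirusTotal directly instead of uploading the file.

```python
"""Compare two copies of a file (e.g. pepflashplayer.dll) by content hash.

Added example for this thread; not avast's or Chrome's code. All sample files
are constructed here in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so a large DLL never has to fit in memory


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def describe(path):
    """Size and hash of one file, or the error name if it cannot be opened.

    An unopenable path is reported rather than raised, because the copy inside
    the sandbox private storage is expected to be invisible from Explorer-level
    tooling and a comparison script should say so instead of crashing.
    """
    try:
        return {"path": str(path), "size": os.path.getsize(path), "sha256": sha256_file(path)}
    except OSError as exc:
        return {"path": str(path), "error": type(exc).__name__}


def compare_copies(path_a, path_b):
    """Return both descriptions plus whether they are byte-identical."""
    a, b = describe(path_a), describe(path_b)
    comparable = "sha256" in a and "sha256" in b
    return {
        "a": a,
        "b": b,
        "comparable": comparable,
        "identical": comparable and a["sha256"] == b["sha256"],
    }


def demo():
    """Run the comparison on constructed stand-in files (not real DLLs)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed payload: a fake MZ header followed by marker text.
        payload = b"MZ" + b"\x00" * 62 + b"constructed stand-in for pepflashplayer.dll"
        visible = root / "Chrome" / "pepflashplayer.dll"          # the copy Explorer can see
        sandboxed = root / "aswSnx_private_storage" / "pepflashplayer.dll"  # the "hidden" copy
        modified = root / "other" / "pepflashplayer.dll"          # a copy with one extra byte
        for p in (visible, sandboxed, modified):
            p.parent.mkdir(parents=True, exist_ok=True)
        visible.write_bytes(payload)
        sandboxed.write_bytes(payload)
        modified.write_bytes(payload + b"\x90")
        return {
            "same": compare_copies(visible, sandboxed),
            "different": compare_copies(visible, modified),
            # Path that does not exist: models the storage a normal session cannot open.
            "unreadable": compare_copies(visible, root / "does_not_exist" / "pepflashplayer.dll"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        verdict = "identical" if result["identical"] else "NOT identical"
        print(f"{name}: {verdict} -> {result}")
```

On a real machine you would call `compare_copies()` with the two paths from the scan log; when the second path is the sandbox storage, expect the `error` field unless you are reading the disk from outside Windows, as the poster did.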

You’re welcome.

Not so much an alert as a notification in this instance.