Ok, there are a number of rootkits detected, but before proceeding any further I must know what I should do.
I need to also know if these are real or just false positives.
C:\Users\Kyle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T3XMIYOH and then a huge URL; this is found like 30 times.
Also, SPTD.sys in the system32 folder is noted on here as a rootkit. Is this program legit? Should I be worried or listening to this?
You should ask the Sophos guys this question…
Everything in ‘Temporary Internet Files’ can be deleted.
Best is to run CCleaner. http://www.piriform.com/
You can recheck the other files at http://www.virustotal.com/
asyn
In addition to running CCleaner, you can also do the following for deleting temp. internet files related to malware:
Download TFC by OldTimer to your desktop.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
· Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
· It will close all programs when running, so make sure you have saved all your work before you begin.
· Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
· Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
In addition, you can also run an Avast Boot-time scan since you have a 32-bit machine. Any infected items are put in the Virus Chest, where they will be safe. You can upload them to Avast for analysis during the next update of definitions. But follow the above posted suggestion first of uploading them to VirusTotal (VT) prior to sending to Avast. Thank you.
Ok, no, I was unaware that Avast scanned for rootkits… The only thing I found a little weird is when I tried to look the folder up (Temporary Internet Files), it didn’t even exist.
I must plead the fifth, as I randomly scanned this myself. I thought rootkit scans could be exercised as part of my regular security check.
When you start digging deep, looking for honey, don’t be surprised when you find bees ;D
Or rather, use tools that may dig up something which you don’t understand; if you take a wrong decision it could do serious harm to your system, as in what essexboy mentioned.
If you are going to run these types of scans, it may be best to clear out temp files with CCleaner, etc. before running the scan.
I understand. CCleaner was just run; the folder these temp files are in doesn’t exist. I tried going to the directory but it wasn’t available. How did it find these files in a non-existent folder?
I like that line
When you start digging deep, looking for honey, don’t be surprised when you find bees ;D
Beautiful way of putting it~
Now you know. Btw, the rootkit scan done at every startup is a fast one; a complete rootkit scan can be done if you add it to a custom scan with Avast.
It exists, but you can’t see it if your settings are the defaults for your system.
asyn
So before running the temp file remover, can I just use Sophos to delete the temp files it found?
One other thing: when or how would I or anyone know when it is time to run an anti-rootkit program? Since I made a boo-boo, I can learn from it.