Webroot Found Rootkit After Downloading MP3 Files

I didnt realize untill today that this litle bugger was present on my computer, but after doing a Deep Scan for Rootkits with Spy Sweeper this is what it discovered:

Name Potentially rootkit-masked files
Unique Code H9GUFFP6
Type System Monitor
Severity Critical
Description Potentially rootkit-masked files is a monitoring program that secretly tracks all activities of computer users.

Characteristics Potentially rootkit-masked files may monitor and capture your computer activity, including recording all keystrokes, e-mails, chat room dialogue, instant message dialogue, Web sites visited, usernames, passwords, and programs run. This program may be capable of taking screen shots of your desktop at scheduled intervals, storing the information on your computer in an encrypted log file for later retrieval. These log files may be e-mailed to a pre-defined e-mail address. This program can run in the background, hiding its presence.

Method of Infection Potentially rootkit-masked files may be installed via other threats, such as music downloads and Trojan downloaders.

Consequences This system monitor may allow an unauthorized, third party to view potentially sensitive information, such as passwords, e-mail, and chat room conversation. Additional Comments: It is recommended that you change all of your passwords after removing this program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.

Now I'm not sure what site this came from but it one of 2 that I use,and one is my ISP provider, and I will be notifiying them of this find too. Hurray for Spy Sweeper, it hunted it out and removed it.

 

So it was imbeded in mp3 ?? Did you see the path?

 

The flip side of that coin is that there's a good chance there is no "bugger" present on your computer.

Webroot_SS Dan makes a few posts in the below thread @ Spysweeper Support.

http://www.castlecops.com/p742558-S...rojanHunter_LiveUpdate_as_Rootkit.html#742558

 

Hello,

I find it unlikely that something of a rootkit was embedded in the actual mp3.
More likely is a scenario where an exploit in the player or like is abused to download payload, which is then executed to download more payload and then in turn mask it ... requires a fair bit of time and more than one obvious or less so obvious symptom.

You could run scans with 3-4 anti-viruses online, download 2-3 anti-spyware apps and such and see what they come up with. Only then you'll be able to tell with more accuracy if a found item is indeed a threat or FP.

Mrk

 

once spysweeper here found a rootkit but turned out it was an fp and it got fixed in later updates.
just becaue you downloaded mp3's today doesnt mean that it was because of that. i still say its an fp and do some other on demand scans.
if it was the weekend still i would do a scan to comfirm it.
loodore

 

You could try a rootkit scanner.

This site has a list of scanners and the 5 star scanners should be the better ones.

http://www.antirootkit.com/software/index.htm

 

Just for future reference and a healthy habit to get into....

Upload any downloaded files/email attachments to an online malware checker such as VirusTotal.This will add another layer of defence against infections c/o downloaded files
http://www.virustotal.com/en/indexf.html

It is also a good way to check suspected f/p's against a given file(its like having 29 second opinions )

 

In my experience with Webroot, most everything it detects is a false positive.

 

I'm not 100% convinced about this, I have an external hard drive for my MP3 and data downloads, It was found on this drive,and couldnt be removed, it was only quarentined, when I deleted it from quarentine, it showed up again on the next 3 scans. So I moved my data back to C: Drive and formated the External Drive, and scanned again on C: Drive with Spy Sweeper. it found it again and this time removed it properly. So it must have embedded itself into my external drive,and the only way to remove it was to format Ive scanned 3 more time to make sure,and it doesnt find it again.

 

hi guys....

i only joined this forum today for this topic only....

as i had googled the same unique number as above....

my spysweeper software scanner found the same rootkit but would only quarrantine it...and not remove it.....even after quarranteening....and then deleting all restore points...the next scan would find it again......

i have read some of the replies about it being a false positive...but they are wrong it defo is a rootkit.....

now the good news ...the reason i bothered joining this forum....

download this rootkit remover from AVG...and it will locate and remove it no fuss....

http://www.grisoft.com/doc/products-avg-anti-rootkit/lng/us/tpl/tpl01

o.k. then guys be lucky bye...