How can I find the path to a detection in AntiVir?

Discussion in 'other anti-virus software' started by iceni60, Jun 11, 2007.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I've got AntiVir and it says it found a rootkit using a sig, but the path it gives looks a bit like this: c:\users\ice60\appdata\local\...\xxxxxxx. I did a search for the file but I can't find it, so I have no idea what it's flagging :mad: How am I supposed to know what ... is?? What am I supposed to do? It could be a rootkit, or a security program, or a pentesting program. What do people normally do in this situation? I don't know what I'm supposed to do!!
     
  2. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    So can AntiVir see files Windows Explorer can't? Because I can't find that file, so maybe it is a rootkit o_O
     
  3. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    Since you are a Linux user, you could boot into Linux and see if the file can be seen from there. A file invisible to Windows Explorer is usually a sign of a rootkit. Also make sure that the detected item isn't stored in an ADS (this can be seen if : is used in the path; for example c:\windows:xxx.sys means that the .sys file is stored in a stream attached to the Windows folder).
     
  4. ASpace

    ASpace Guest

    As already mentioned, you need to remove the rootkit in a non-Windows environment because the rootkit is not visible to the Windows API.

    You may also try (in a Windows environment) the MS Rootkit Revealer, or post for more help in AVIRA AntiVir's forums.
     
  5. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I don't know if it's a rootkit or not because I've no idea what the path is. I don't know how the Vista search works, so I can't tell if the file is hidden or if the search is looking somewhere else. Maybe AntiVir changed the permissions o_O I'll never know unless I know what ... is supposed to mean :rolleyes:

    How am I supposed to find out the path?
     
  6. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    It's done it again!!!!! :mad: When I search for the file it's not there again!!!! And I don't have permission to search all the locations in AppData. How can I search within AppData\Local? I even ran the program as admin, but I still didn't have permission to search there.

    How am I supposed to know what the flagged file is? It doesn't show the full path to the file!!!!!!!!!
     

  7. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I agree with you Iceni60, it is not very helpful.
    But if you set the alert to ignore, you can later see the file path in the scan report.
    Like this:
    C:\RECYCLER\S-1-5-21-1960408961-1637723038-682003330-1005\Dc10.zip
    [0] Archive type: ZIP
    --> eicar.com
    [DETECTION] Contains code of the Eicar-Test-Signature virus
    [WARNING] The file was ignored!
    C:\RECYCLER\S-1-5-21-1960408961-1637723038-682003330-1005\Dc11.zip
    [0] Archive type: ZIP
    --> eicar.com
    [DETECTION] Contains code of the Eicar-Test-Signature virus
    [WARNING] The file was ignored!

    Also, that alert does not show it, whether it is just EICAR or some other thing, but then you can move that alert window a bit aside and look at the other window. Still, it does not help with the file path, which you can see later in the scan reports.
    Jarmo
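    As an added illustration (not code from the thread or from Avira), here is a small Python parser for the scan-report layout Jarmo P quotes above. It groups each report into one record per detected file, recovers the archive member after "-->", and flags NTFS alternate-data-stream paths of the c:\windows:xxx.sys form that plantextract describes. The sample report is constructed from the excerpt above plus one made-up ADS record.

```python
import re

# Constructed sample modelled on the scan-report excerpt quoted in the thread;
# the second record is a made-up ADS path of the form plantextract describes.
SAMPLE_REPORT = r"""
C:\RECYCLER\S-1-5-21-1960408961-1637723038-682003330-1005\Dc10.zip
[0] Archive type: ZIP
--> eicar.com
[DETECTION] Contains code of the Eicar-Test-Signature virus
[WARNING] The file was ignored!
c:\windows:xxx.sys
[DETECTION] Contains code of the Eicar-Test-Signature virus
[WARNING] The file was ignored!
"""

PATH_LINE = re.compile(r"^[A-Za-z]:\\")      # a record starts with a drive path
TAG_LINE = re.compile(r"^\[(\w+)\]\s*(.*)$")  # [DETECTION] ..., [WARNING] ...


def is_ads_path(path):
    """True if the path names an alternate data stream: a second colon after the drive colon."""
    return ":" in path[2:]


def parse_report(text):
    """Group scan-report lines into one record per detected file."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_LINE.match(line):
            cur = {"path": line, "member": None, "archive": None,
                   "detection": None, "action": None, "ads": is_ads_path(line)}
            records.append(cur)
        elif cur is None:
            continue                      # stray line before any path
        elif line.startswith("-->"):
            cur["member"] = line[3:].strip()          # member inside an archive
        elif line.startswith("[0] Archive type:"):
            cur["archive"] = line.split(":", 1)[1].strip()
        else:
            m = TAG_LINE.match(line)
            if m and m.group(1) == "DETECTION":
                cur["detection"] = m.group(2)
            elif m:
                cur["action"] = m.group(2)            # WARNING / INFO line
    return records


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        where = r["path"] + (f" -> {r['member']}" if r["member"] else "")
        print(f"{where}\n  {r['detection']}  [{r['action']}]  ADS={r['ads']}")
```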
     
  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    OK, I found out where the path is shown: in Events. And it's in the obvious place, the temp folder. I denied access to that file before, so it's not there now. Next time I get an alert I hope I can find the file before I make a decision :rolleyes:
     
  9. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Yes, if something is caught by the real-time guard, it will be shown in 'Events'.
    On-demand scan results are in 'Reports'.
    At least it will not be a black box for you from now on.
     
  10. ASpace

    ASpace Guest

  11. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    Hello,

    If you hold your mouse over the partial path given on the AntiVir warning, doesn't it show the full path? I think it does on mine.
     
  12. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I've had quite a few popups about malware, but I'm not that worried because they must be F/Ps, unless there's something wrong with Vista?? I put the heuristics up to the highest level; is that screenshot a heuristic alert?

    I haven't done anything wrong :cool: but I just downloaded an EICAR file to that temp folder so I can see if I can find the path if AntiVir finds it :D
     
  13. ASpace

    ASpace Guest

    Yes, AVIRA produced more FPs than the competition. Anyway, turn this heuristic level back to Medium, boot in Safe Mode and perform a full scan with it.
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    You have to be able to detect before you can produce a FP. :rolleyes:
     
  15. Sportsfan1212

    Sportsfan1212 Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    5
    So how many people put their heuristics on high? I have been using the default settings on the paid version.
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    iceni60, when the detection pops up again, simply put your mouse over the incomplete path shown and a small yellow box will show you the full path to the file. ;)

    Now, if you have this file in your quarantine, choose to restore it to your desktop, then go to http://analysis.avira.com/samples/index.php and submit the file to Avira's VLab. You'll receive the analysis report in a couple of hours. They will tell you if the file is infected or not. Good luck! :thumb:
     
  17. ahinterl

    ahinterl Registered Member

    Joined:
    Oct 5, 2005
    Posts:
    31
    An example of not-the-best UI design. The programmers should be much more aware that path info etc. for such software is of utmost importance, and design their UI accordingly.

    In addition, too many developers neglect the fact that people use different screen resolutions and zoom factors (I mean the nice possibility in Windoze XP and up where you can adjust the screen DPI and introduce some kind of zoom factor), where really funny things can happen on the monitor (clipped text, buttons unreachable because they are off screen, etc.)...

    Andreas
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Mine are set to high except on the MailGuard, and no problems. :)
     