Webroot Found Rootkit After Downloading MP3 Files

Discussion in 'other anti-malware software' started by DVD+R, Jan 22, 2007.

Thread Status:
Not open for further replies.
  1. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    I didn't realize until today that this little bugger was present on my computer, but after doing a Deep Scan for Rootkits with Spy Sweeper this is what it discovered:

    Name: Potentially rootkit-masked files
    Unique Code: H9GUFFP6
    Type: System Monitor
    Severity: Critical
    Description: Potentially rootkit-masked files is a monitoring program that secretly tracks all activities of computer users.

    Characteristics: Potentially rootkit-masked files may monitor and capture your computer activity, including recording all keystrokes, e-mails, chat room dialogue, instant message dialogue, Web sites visited, usernames, passwords, and programs run. This program may be capable of taking screen shots of your desktop at scheduled intervals, storing the information on your computer in an encrypted log file for later retrieval. These log files may be e-mailed to a pre-defined e-mail address. This program can run in the background, hiding its presence.

    Method of Infection: Potentially rootkit-masked files may be installed via other threats, such as music downloads and Trojan downloaders.

    Consequences: This system monitor may allow an unauthorized, third party to view potentially sensitive information, such as passwords, e-mail, and chat room conversation. Additional Comments: It is recommended that you change all of your passwords after removing this program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.

    Now I'm not sure what site this came from, but it's one of 2 that I use, and one is my ISP provider, and I will be notifying them of this find too. Hurray for Spy Sweeper, it hunted it out and removed it. :D
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    So it was embedded in mp3 :blink: ?? Did you see the path?
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The flip side of that coin is that there's a good chance there is no "bugger" present on your computer.

    Webroot_SS Dan makes a few posts in the below thread @ Spysweeper Support.

    http://www.castlecops.com/p742558-S...rojanHunter_LiveUpdate_as_Rootkit.html#742558

     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,

    I find it unlikely that something of a rootkit was embedded in the actual mp3.
    More likely is a scenario where an exploit in the player or like is abused to download payload, which is then executed to download more payload and then in turn mask it ... requires a fair bit of time and more than one obvious or less so obvious symptom.

    You could run scans with 3-4 anti-viruses online, download 2-3 anti-spyware apps and such and see what they come up with. Only then you'll be able to tell with more accuracy if a found item is indeed a threat or FP.

    Mrk
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    once spysweeper here found a rootkit but turned out it was an fp and it got fixed in later updates.
    just because you downloaded mp3s today doesn't mean that it was because of that. i still say it's an fp and do some other on demand scans.
    if it was the weekend still i would do a scan to confirm it.
    loodore
     
  6. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
  7. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Just for future reference and a healthy habit to get into....

    Upload any downloaded files/email attachments to an online malware checker such as VirusTotal. This will add another layer of defence against infections c/o downloaded files :)
    http://www.virustotal.com/en/indexf.html

    It is also a good way to check suspected f/p's against a given file (it's like having 29 second opinions :D )
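The second-opinion habit described above can be scripted: before a download goes to a multi-engine scanner, record its SHA-256 (the lookup key such services use) and check whether the file's leading bytes match what its extension claims, since an ".mp3" that actually carries an executable header is exactly the kind of file worth a second look. This is an added example, not code from the thread or from any product it mentions; the sample byte strings are constructed.

```python
import hashlib
import os

# Constructed sample inputs (not real files from the thread): the first bytes of
# an ID3-tagged MP3, a raw MPEG audio frame, and a Windows executable renamed .mp3.
SAMPLES = {
    "song_a.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32,
    "song_b.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 32,
    "song_c.mp3": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32,
}


def sniff_header(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever its name says."""
    if data.startswith(b"ID3"):
        return "mp3"                 # ID3v2 tag block precedes the audio frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                 # 11-bit MPEG frame sync (0xFFE...)
    if data.startswith(b"MZ"):
        return "pe-executable"       # DOS/PE header: a program, not audio
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """Collect the facts you want before submitting a download for a second opinion."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = sniff_header(data)
    return {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),   # hash to look up / submit
        "kind": kind,
        # flag any ".mp3" whose content is not recognisable MP3 data
        "suspect": ext == "mp3" and kind != "mp3",
    }


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```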
     
  8. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    In my experience with Webroot, most everything it detects is a false positive.
     
  9. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    I'm not 100% convinced about this. I have an external hard drive for my MP3 and data downloads. It was found on this drive, and couldn't be removed, it was only quarantined; when I deleted it from quarantine, it showed up again on the next 3 scans. So I moved my data back to C: Drive and formatted the External Drive, and scanned again on C: Drive with Spy Sweeper. It found it again and this time removed it properly. So it must have embedded itself into my external drive, and the only way to remove it was to format :doubt: I've scanned 3 more times to make sure, and it doesn't find it again.
     
  10. laylow21

    laylow21 Registered Member

    Joined:
    Jan 28, 2007
    Posts:
    36
    hi guys....

    i only joined this forum today for this topic only....

    as i had googled the same unique number as above....

    my spysweeper software scanner found the same rootkit but would only quarantine it...and not remove it.....even after quarantining....and then deleting all restore points...the next scan would find it again......

    i have read some of the replies about it being a false positive...but they are wrong it defo is a rootkit.....

    now the good news ...the reason i bothered joining this forum....

    download this rootkit remover from AVG...and it will locate and remove it no fuss....

    http://www.grisoft.com/doc/products-avg-anti-rootkit/lng/us/tpl/tpl01

    o.k. then guys be lucky bye...
     
    Last edited by a moderator: Jan 28, 2007