Potentially rootkit masked files

OKay, so I have a doozy. I did a spyware scan with spy sweeper, and it pulled up something called a potentially rootkit masked file. I clicked on it, and it went on and on about how its monitoring my system and can grab everything, blah blah blah. So, I looked at its location, and its oddly in my firefox temp cache. This is pretty weird, because I had just emptied it with CCLeaner, and had only gone on youtube since, so its not like I went to a sketch site, and its not like the cache is a location for rootkits anyway, right? I ran spysweeper again, and it was gone. BUT, during the first spyware scan, I had forgotten it was running and ran CCleaner again, so that file was gone, and it couldn't be re-checked. I'm thinking that maybe the fact that I ran CCleaner during the scan caused this problem? I know you're not supposed to, but I just forgot and wasn't thinking...

Should I be worried? I didn't think that the temp cache was a place rootkits hid...

 

Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

Usually this detection is a false positive, however just to be safe I would recommend following the below instructions.


http://www.majorgeeks.com/images/grenade.gif Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

• Make sure you check version numbers and get all updates.

http://www.majorgeeks.com/images/grenade.gif Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

http://www.majorgeeks.com/images/grenade.gifAfter doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

http://www.majorgeeks.com/images/grenade.gif Downloading, Installing, and Running HijackThis

• Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around..

http://www.majorgeeks.com/images/grenade.gifWhen you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

• CounterSpy Log - only for Windows XP, 2K, & NT users
• AVG Antispyware Log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
• Bitdefender Log - from step 6
• Panda Scan Log - from step 6
• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat
• HijackThis Log

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

I know that what you just showed me is a blanket answer, but I don't really... need? that right now. It was in the cache, and its def gone now, because I used CCleaner to get rid of it. I just want to know if I caused a false positive, or if something more sinister is afoot. Then I'll def run those scans.

 

Like I said, previously those have been false positives however not every case has been. Rootkits are the most dangerious type of malware due to there nature. Unlike spyware, hijackers and adware, rootkits targer usernames, passwords, bank account numbers, etc; Spyware in general does this but not like Rootkits.

At the core of the term "rootkit" are two words- "root" and "kit". Root refers to the all-powerful, "Administrator" account and kit refers to a set of programs or utilities that allow someone to maintain root-level access to a computer. However, one other aspect of a rootkit, beyond maintaining root-level access, is that the presence of the rootkit should be undetectable.

A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the the computer system user knowing about it. This means that the owner of the rootkit is capable of executing files and changing system configurations on the target machine, as well as accessing log files or monitoring activity to covertly spy on the user's computer usage.

When a rootkit is suspected, I ALWAYS recommend the initial scans just to confirm there is nothing present. It's always better to be safe and sure than it is to be sorry.

It's up to you but I would recommend it just to be certain.

 

okay, phew, I'm glad its usually a false positive. However, I will def follow your advice because I know that rootkits are dangerous, like you said. Thanks for your help!

 

Will be awaiting your results!