lalittle

Rootkit.Cloaked/Service-GEN not found on second scan.


I just did a full scan which reported the following:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 12/10/2008 at 09:03 PM

Application Version : 4.21.1004

Core Rules Database Version : 3671
Trace Rules Database Version: 1650

Scan type       : Complete Scan
Total Scan Time : 00:35:30

Memory items scanned      : 341
Memory threats detected   : 0
Registry items scanned    : 4339
Registry threats detected : 1
File items scanned        : 24292
File threats detected     : 239

Rootkit.Cloaked/Service-GEN
HKLM\system\controlset001\services\PciBus
C:\WINDOWS\SYSTEM32\DRIVERS\PCIBUS.SYS

I did some research on the PCIBUS.SYS file and was left uncertain as to whether or not this was a false positive. I therefore did NOT check this item when I continued. Later I was considering letting SAS do its thing on this file, so I did a second scan on just this folder (as well as the registry). This scan, however, turned up nothing. I'm not sure what to make of this. Why did the second scan not give me the same result as the first, given that I did not check the box for this item the first time?

I've since updated SAS to the newest version, and will try a new scan, but this behavior has me confused. Does SAS ignore items that were not checked on the first pass?

Thanks for any feedback on this,

Larry

PS. Is it possible that this was a false positive? I checked a couple of other systems and they all have this file, which appears to have been created when I installed Windows.


I just did a full scan with the newest version of SAS and it found nothing. I'm confused about what happened. SAS no longer finds Rootkit.Cloaked/Service-GEN even though it was not removed. I'm concerned about the security of my system now.

Thanks again for feedback,

Larry

> Something could have been blocking that file and we saw it was hidden, but now it's not.

Just to clarify, are you saying that it is only detected as a problem when it IS hidden? Do you know what could have caused it to change from hidden to not hidden on an immediate second pass? I didn't change anything -- I just ran SAS again.

Thanks,

Larry

It's hard to know exactly what happened when we don't have control of the system.

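The two practical questions in this thread, whether the PCIBUS.SYS hit is a false positive and why a driver file can count as "hidden" on one scan but not the next, both come down to comparing what the service registry says against what is actually visible on disk. The script below is an added example written for this page; it is not SUPERAntiSpyware's code and not something posted in the thread. It walks HKLM\SYSTEM\CurrentControlSet\Services, keeps the kernel and file-system driver entries (Type 1 and 2), resolves each ImagePath, and records whether the file can be seen from user mode, whether it has the Hidden attribute, its Authenticode status and its SHA-256. It assumes a Windows host with PowerShell 4 or later and an elevated prompt; the CSV path and the Resolve-ImagePath helper are my own choices, and a service name such as PciBus is only used as a filter argument.

```powershell
<#
  Driver service triage (added example, not SUPERAntiSpyware's code).
  Assumptions: Windows, PowerShell 4+ (Get-FileHash), run elevated so HKLM
  and ACL-restricted driver files are readable.
  Usage:  .\driver-triage.ps1                      # all driver services
          .\driver-triage.ps1 -NameFilter 'PciBus' # one entry from the thread
#>
param(
    [string]$NameFilter = '*',                                    # service name wildcard
    [string]$CsvOut     = (Join-Path $env:TEMP 'driver-triage.csv')
)

function Resolve-ImagePath {
    param([string]$ImagePath)
    # Normalise the forms found in ImagePath values into a plain Win32 path:
    #   "C:\x\y.sys"            -> quoted, possibly followed by arguments
    #   \??\C:\x\y.sys          -> NT object path prefix
    #   \SystemRoot\system32\.. -> symbolic SystemRoot prefix
    #   system32\DRIVERS\x.sys  -> relative to %SystemRoot%
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverTriage {
    param([string]$NameFilter = '*')
    $services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        if ($svc.PSChildName -notlike $NameFilter) { continue }
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file-system driver; Win32 services are skipped.
        if (-not $props -or $props.Type -notin 1, 2 -or -not $props.ImagePath) { continue }

        $path = Resolve-ImagePath $props.ImagePath
        # -Force includes files carrying the Hidden attribute. A file a rootkit
        # cloaks from user mode is simply not returned here, so OnDisk = $false.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

        $hiddenAttr = $null; $sigStatus = $null; $signer = $null; $hash = $null
        if ($file) {
            $hiddenAttr = ($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            # Inbox drivers are usually catalog-signed; older PowerShell reports those
            # as NotSigned, so confirm with a catalog-aware tool (e.g. Sysinternals
            # sigcheck) before treating NotSigned on a Windows driver as suspicious.
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if ($sig) {
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }

        [pscustomobject]@{
            Service      = $svc.PSChildName
            Start        = $props.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath    = $props.ImagePath
            ResolvedPath = $path
            OnDisk       = [bool]$file
            HiddenAttr   = $hiddenAttr
            SigStatus    = $sigStatus
            Signer       = $signer
            SHA256       = $hash
        }
    }
}

$report = Get-DriverTriage -NameFilter $NameFilter
$report | Export-Csv -NoTypeInformation -Path $CsvOut
Write-Host "Wrote $($report.Count) driver entries to $CsvOut"

# Registered driver services whose file is not visible from user mode: the pattern
# behind a "cloaked service" detection. Stale entries left by uninstalled software
# land here too, so compare with a known-clean host before drawing conclusions.
Write-Host "`nDriver entries with no visible file:"
$report | Where-Object { -not $_.OnDisk } | Format-Table Service, ImagePath, Start -AutoSize

# Files that are present but do not carry a valid embedded signature.
Write-Host "Driver files present but not validly signed:"
$report | Where-Object { $_.OnDisk -and $_.SigStatus -ne 'Valid' } |
    Format-Table Service, ResolvedPath, SigStatus -AutoSize
```

Running the script twice in a row on the same machine reproduces the comparison the thread is about: if a driver shows OnDisk = $false on one pass and $true on the next with nothing changed in between, something is intermittently hiding the file, which is a stronger signal than a single hit. To settle the false-positive question the way the original poster started to, run it on the suspect host and on a machine you trust with the same Windows build and compare the SHA256 and Signer columns for the same service name; identical hashes on a clean host make a false positive far more likely than an infection.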
