Thread: Softomate once again...

  1. #1
    cbinc11 Guest

    Default Softomate once again...

    Softomate: coupled with another (rootkit perhaps)???

    I've been following the Softomate threads over the past few days. One of our machines has also been "infected" with the Softomate trojan, as detected by ZAAS (via ZA Security Suite). Upon deletion/quarantine using ZAAS, it too would come back but not every day, and certainly not immediately with every reboot.

    The return pattern on this problem XP Pro machine was it would reappear (according to ZAAS) after 2-4 days, perhaps dependent upon the number of cold boots the machine goes through during this time frame...or perhaps not...but it doesn't seem to be tied to the system clock or calendar since it was inconsistent on the amount of time that would elapse prior to when ZA AS said W32.Softomate finally would come back.

    What does seem to happen when it re-emerges on this machine is this: when starting the machine up, the computer would start normally showing the manufacturer's splash screen (Dell) before going into the Windows XP Professional logo screen. It's about at this point the bootup would then go sideways; the screen would go blank (like it should), but instead of then showing the mouse cursor just before showing the Windows logon screen the computer would 'flash' the screen one or two times with hints of a cursor or fragments of photons displaying something (I couldn't make it out), then go BACK to the Windows XP Pro logo screen, only NOW the display would no longer be in color, only monochrome.

    The computer then goes into the Safe Mode bootup screen. Initially in handling this, I elected to continue to boot into Windows normally. The computer boots into XP Pro as it should. When I ran ZAAS immediately afterwards, VOILA!...W32.Softomate is found once again. This is a bootup behaviour that only started happening in the past three weeks or so.

    Unfortunately I didn't cancel ZAAS right then and there and run any other spyware detection software like others posting have done, so I can't confirm what others have found (that no other package seems to detect Softomate). Rather, I surmised that--for this machine--the Windows bootup went back to an earlier Restore Point and completed the bootup using that date there, and that's how W32.Softomate kept coming back onto the computer. I also suspect that subsequent Restore Points created automatically by this machine were timed such that THEY were also saved with the W32.Softomate trojan included, so at least when this machine hiccupped during bootup, Softomate would be retrieved, just in case it had been detected and removed previously.

    In my case, I had intentionally turned off System Restore during the debugging process, which in turn deleted all the old Restore Points previously saved on this computer. I went through and ran ZAAS and deleted Softomate once again (after cold booting into Safe Mode and starting ZAAS manually). Only afterwards did I think to use another AS app to see if it could detect anything. I used Spybot S&D, Ad-Aware, Windows Defender Beta, and Ewido...none detected anything. My HijackThis log files showed nothing out of the ordinary; all processes listed appear to be legit (which is why I started thinking 'rootkit', though running the latest version of RootkitRevealer didn't show anything unusual).

    Yet four days later (today), the machine AGAIN hiccupped during a cold boot (just like as described above). But this time there was a difference: there were no System Restore Points to go back to (especially since I haven't turned on System Restore again yet). After the machine finally booted into Windows XP Pro, when I ran ZA AS this time no W32.Softomate was found.

    I don't know if Softomate is really a false positive as some have claimed, or if it's really a trojan. I DO know system resources seem to be badly dragged down during those times ZA AS said Softomate was on-board. Apps run slow and jerky; Windows Explorer gets cantankerous and reports itself as 'Not Responding' quite a bit. Screen refreshes go totally awry as well. Most noticeable for a machine that's usually quite fast. And Googling 'Softomate' certainly isn't reassuring: F-Secure, among many others, doesn't seem to think very positively about Softomate, either the reported trojan/malware or the so-called 'company' that created it.

    It STILL would be nice, though, if another AV or AS app detected it as malware.

    Operating System: Windows XP Pro
    Product Name: ZoneAlarm Internet Security Suite
    Software Version: 6.5

  2. #2

    Default Re: Softomate once again...

    It's either a very smart trojan or false alarm ... hard to tell at the moment.

  3. #3
    exbrummie Guest

    Default Re: Softomate once again...

    I had this detected on the 5th by Z/A but haven't had it come back since. (Fingers crossed). I did a deep scan with Ewido and also with a2 free version and neither found anything, and those two are supposed to be at the top end for 'Trojan hunting'. I still can't make my mind up about this one.

  4. #4
    cbinc11 Guest

    Default Re: Softomate once again...

    A couple of things to add...

    When I finally updated this problem machine to ZAISS 6.5.737, ZA informed me that there were STILL multiple items in Quarantine that had yet to be deleted, even though when in operation 6.5.722 indicated that all identified items it placed in Quarantine had been deleted. What exactly those items in Quarantine were is unknown, since 722 didn't show anything in the Quarantine box, either for spyware or viruses, and reported, when I had deleted all items, that this procedure had been successfully done. Apparently not, and even now I'm not sure they've truly been deleted.

    We may try another re-install of 737 just to see if ZA finds items during the ZAISS shutdown in Quarantine yet again (737's Quarantine panel shows nothing currently, just like 722 did).

    We've also had a second XP Pro machine develop the Softomate problem; however, since we had our experiences with this on the first problem computer, I immediately turned off System Restore as described in my earlier post and went through the cleanup procedure. On this second machine, I DID scan with other AS apps (Windows Defender, Spybot S & D--these were the only two already installed on the computer), but neither program found anything. I deleted using ZA AS in ZAISS (this time in regular Windows XP, instead of in Safe Mode); so far Softomate has not come back and this machine has not developed the bootup hiccup like the first machine did. Fingers crossed that this one is now 'clean' as well.

    As for the first machine, I think we'll be looking at trying to 'repair' Windows in an attempt to fix the bootup issue; if that doesn't work and the suspected rootkit behaviour still exists...I think it's time to take Problem Child No. 1 out of commission, order up a new HD and re-install Windows.

    Joy of joys...
