Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Large file named 'Rootkit' scanned with anti-virus. 4 boot records

03 Nov 2013   #1

windows 7 home premium
Large file named 'Rootkit' scanned with anti-virus. 4 boot records


So today I was running a quick scan with my anti-virus/malware software (Bt Netprotect + in association with McAfee) and happened to glance at the screen to see this:

The file being scanned was labelled Rootkit
The quick scan was 99% complete
0 issues had been detected
0 issues has been fixed
My computer was secure, no action required. (according to the software)

The scan was taking quite a while over this mystery rootkit file, leading me to become obviously concerned.

FYI, no viral symptoms have been noticed in the hour or two after I first noticed this file in the scan. I've checked running processes, installed programs, run Ccleaner and multiple custom and complete virus scans using McAfee. I also searched the registry using regedit for any instances of 'bootrecord', although I didn't really know what the 3 returned items meant because I don't know what I'm doing in the registry - which is why i quit regedit and left it alone after that!

Nothing so far suggests I have an infection except the name, the file scan length and one other thing...

McAfee returns a result in its system scans which has led to much confusion in the past. I intend to also post this on to the McAfee community to try and determine exactly what they mean by it, but so far I'll just tell you what I know.

At the end of a scan of critical system files McAfee with return a result for 'Boot Records'. As I understand it this is likely linked to boot sectors, perhaps logging the number of times a set of files for booting a drive are stored.

Until today it used to return 3 boot records.
Today, the same day that 'rootkit' appeared, it returned 4.

Now I will advise you that the McAfee software underwent a graphical (and presumably virus definition) update in the last day or two also.


My questions to you are:

1) Is 'rootkit' a rootkit, or a harmless file/folder?

I saw in regedit a branch for anti-virus stuff which contained the 3 returned items when I searched rootkit, is it possible it's a bit like having a folder for storing information about rootkits, called rootkit, but isn't actually a rootkit?

If it was a rootkit, how likely is it it would have been let through as safe by McAfee?

Why have my boot records gone up?

I've asked about boot records before and it seems to confuse non-McAfee people, but if you know anything about this please do help clarify. If it means I have files in the boot sector for 4 drives...why? Can I bring it back down to 3?

Can I locate, or even remove this file somehow?

I don't know anything about it, thanks to McAfee not providing anything other than the name 'rootkit' [which could be the file name but could equally be some nickname McAfee slapped on] I can't find anything on it's properties, location or file type.

FYI again; I run a pretty tight ship in terms of PC security, and I've no idea where this would have come from in regards to recent browsing. I checked browser history to make sure I hadn't been somehow redirected to a bad page and didn't spot anything.

That's all I can think of for now.

Thanks in advance.

My System SpecsSystem Spec
03 Nov 2013   #2

windows 7 home premium

Additional information:

Just remembered that recently my facebook account was in some was compromised. I discovered one morning a vulgar message left on my wall that I certainly didn't write.

The nature of the message led me to believe that it was someone I know however (one of my 'friends').

I'm doubtful that my account would have been accessed simply through another device being left logged, mainly because I only use two devices to sign in (this laptop and my phone) both of which were nowhere near the main bulk of people I know at the time.

I do know friends studying computer programming courses, if that helps.

I'm highly doubtful they'd have anything to do with a rootkit though
My System SpecsSystem Spec
03 Nov 2013   #3

windows 7 home premium

A print screen taken during scan

McAfee usually shows files with their directory (shortened if very long)
- eg.


which i have just copied directly from a scan i am currently running

This one was simply 'Rootkit' (as shown in image).

[is this because it's a registry file?]
My System SpecsSystem Spec

03 Nov 2013   #4

windows 7 home premium

In case the image didn't work before;

Also uploaded an image showing the 4 boot records field at the end of my system scan

Attached Thumbnails
Large file named 'Rootkit' scanned with anti-virus. 4 boot records-rootkit-prt-sc.png   Large file named 'Rootkit' scanned with anti-virus. 4 boot records-mcafee-results.png  
My System SpecsSystem Spec
03 Nov 2013   #5
x BlueRobot


Do you have any logs?

Personally, anything associated with McAfee isn't exactly the best security program to say the least, my personal method and recommended combination is here:

Install and perform full scans with:
information   Information
Remember to install the free version of Malwarebytes not the free trail; untick the free trial box during installation. MSE is the most lightweight and compatible with the Windows 7 operating system

You can also view this thread for a complete free and lightweight security protection combination:Additional Scanner:
Please upload any log files produced, namely TDSS and Malwarebytes.

I'll read through your posts in more detail tomorrow morning, and answer those other questions.
My System SpecsSystem Spec
03 Nov 2013   #6

windows 7 home premium

Thanks for your advice.

Do i need to do anything with McAfee to stop it conflicting with malwarebytes when i'm running a scan?

My System SpecsSystem Spec
03 Nov 2013   #7

windows 7 home premium

Windows Defender and TDSS came up clean.

TDSS log attached

Attached Files
File Type: txt tdss log.txt (100.4 KB, 2 views)
My System SpecsSystem Spec
03 Nov 2013   #8
Phone Man

Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit

Are you sure Rootkit is a file or is McAfee telling you it is scanning for rootkits?

My System SpecsSystem Spec
04 Nov 2013   #9
x BlueRobot


Just remove McAfee completely with the McAfee Removal Tool, I know the program your using isn't strictly McAfee, but it's some likely complied with the exact same code. I've never seen anyone recommend using McAfee.

Malwarebytes won't conflict, since the free version is a on-demand scanner.

To be honest, I don't think that folder is actually a Rootkit, I've never seen a malware developer call their Rootkit a Rookit. Have you checked the contents of the folder?

TDSS didn't find anything either.
My System SpecsSystem Spec
04 Nov 2013   #10

windows 7 home premium

Ok guys I've had this through from one of the guys at McAfee to help clarify the situation:

Moved this from Community Interface Help (ie problems with the site) to Home & Home Office / Virus and Spyware Protection / VirusScan.
Two things here : "Scanning Rootkit" and boot Records.
The wording of that Rootkit message is misleading. We've already had a go at McAfee about this. It means "Scanning for rootkits", not that it's found one. Don't panic. Eventually they'll get around to changing the wording. In the meantime a lot of people get alarmed needlessly.
As for boot records : it's checking the MBR. If it finds an extra record there you should investigate the reason. Run this program and it will tell you what it finds on the MBR - I've downloaded it and tested it. On mine it found only one record.
Download MBRCheck - MajorGeeks
Edit - alternatively there are many other MBR-checkers in the thread at MBR check tools. Use at your own risk, needless to say : I always download this sort of file to a safe place in Chrome, without running it, then upload the file to VirusTotal for checking.
My System SpecsSystem Spec

 Large file named 'Rootkit' scanned with anti-virus. 4 boot records

Thread Tools

Similar help and support threads
Thread Forum
separating a specific file from real-time protection of an anti-virus
Hello, I have a software. There is one file into that which the anti-virus considers it as a malware while it's not. And every time I want to run that software I have to disable the anti-virus temporarily and after exiting from that software again enable the anti-virus real-time protection. ...
System Security
BSOD 00x50 vipre anti-virus conflicting with new anti-virus
I did a bonehead move of installing PC tools anti-virus before uninstalling vipre on my wife who's out of town. The kids infected it playing flash games. long story short, Her Gateway (win7 home premium) is on a a start-up loop. All I can get to work with a recovery disk is get into the DOS prompt...
BSOD Help and Support
Anti-malware, Anti-virus, Anti-spyware
First of all i would like to apologize if this topic is in wrong category, or it should not even be asked on this site. And second of all, please be patience :) i'm a noob looking for answers :o So whats all about? Well i'm meeting new terms here and i have no idea what they mean and what they do....
System Security
Anti-Rootkit scanners for x64?
Hi everyone, A year and a half or so ago, I recall that there weren't many options available for rootkit scanning and detection on x64 flavors of Windows 7. In particular, Rootkit Revealer and GMER were non functional on x64 platforms. Time has passed, and I'm wondering what options are out...
System Security
Anti spyware/maleware/virus boot disk?
A few months back when I was reading these forums I remember one of the experts here recommending a free program to do this. Can one of you tell me the link to get this kind of a thing so I can create a boot disk to do this kind of stuff for Windows that won't run?
System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 10:31.
Twitter Facebook Google+