Solved Large file named 'Rootkit' scanned with anti-virus. 4 boot records

mrirondream (New member, 47 messages)
Hi

So today I was running a quick scan with my anti-virus/malware software (Bt Netprotect + in association with McAfee) and happened to glance at the screen to see this:

The file being scanned was labelled Rootkit
The quick scan was 99% complete
0 issues had been detected
0 issues had been fixed
My computer was secure, no action required. (according to the software)

The scan was taking quite a while over this mystery rootkit file, leading me to become obviously concerned.

FYI, no viral symptoms have been noticed in the hour or two after I first noticed this file in the scan. I've checked running processes, installed programs, run Ccleaner and multiple custom and complete virus scans using McAfee. I also searched the registry using regedit for any instances of 'bootrecord', although I didn't really know what the 3 returned items meant because I don't know what I'm doing in the registry - which is why I quit regedit and left it alone after that!

Nothing so far suggests I have an infection except the name, the file scan length and one other thing...

McAfee returns a result in its system scans which has led to much confusion in the past. I intend to also post this on to the McAfee community to try and determine exactly what they mean by it, but so far I'll just tell you what I know.

At the end of a scan of critical system files McAfee will return a result for 'Boot Records'. As I understand it this is likely linked to boot sectors, perhaps logging the number of times a set of files for booting a drive are stored.

Until today it used to return 3 boot records.
Today, the same day that 'rootkit' appeared, it returned 4.

Now I will advise you that the McAfee software underwent a graphical (and presumably virus definition) update in the last day or two also.

So...

My questions to you are:

1) Is 'rootkit' a rootkit, or a harmless file/folder?

I saw in regedit a branch for anti-virus stuff which contained the 3 returned items when I searched rootkit. Is it possible it's a bit like having a folder for storing information about rootkits, called rootkit, but isn't actually a rootkit?

If it was a rootkit, how likely is it that it would have been let through as safe by McAfee?


Why have my boot records gone up?

I've asked about boot records before and it seems to confuse non-McAfee people, but if you know anything about this please do help clarify. If it means I have files in the boot sector for 4 drives...why? Can I bring it back down to 3?

Can I locate, or even remove this file somehow?

I don't know anything about it; thanks to McAfee not providing anything other than the name 'rootkit' [which could be the file name but could equally be some nickname McAfee slapped on] I can't find anything on its properties, location or file type.


FYI again; I run a pretty tight ship in terms of PC security, and I've no idea where this would have come from in regards to recent browsing. I checked browser history to make sure I hadn't been somehow redirected to a bad page and didn't spot anything.


That's all I can think of for now.

Thanks in advance.
MID
 

My Computer

At a glance

OS: windows 7 home premium
Additional information:

Just remembered that recently my facebook account was in some way compromised. I discovered one morning a vulgar message left on my wall that I certainly didn't write.

The nature of the message led me to believe that it was someone I know however (one of my 'friends').

I'm doubtful that my account would have been accessed simply through another device being left logged, mainly because I only use two devices to sign in (this laptop and my phone) both of which were nowhere near the main bulk of people I know at the time.

I do know friends studying computer programming courses, if that helps.

I'm highly doubtful they'd have anything to do with a rootkit though.
 

A print screen taken during scan (image: Rootkit-scan-411373577)


McAfee usually shows files with their directory (shortened if very long)
- eg.

C:\...\Canon_Background.png

which I have just copied directly from a scan I am currently running

This one was simply 'Rootkit' (as shown in image).

[is this because it's a registry file?]
 

In case the image didn't work before;

Also uploaded an image showing the 4 boot records field at the end of my system scan
 

Attachments

  • rootkit prt sc.png (252.5 KB)
  • mcafee results.png (46.8 KB)

Do you have any logs?

Personally, anything associated with McAfee isn't exactly the best security program, to say the least. My personal method and recommended combination is here:

Install and perform full scans with:
Remember to install the free version of Malwarebytes, not the free trial; untick the free trial box during installation. MSE is the most lightweight and compatible with the Windows 7 operating system.

You can also view this thread for a complete free and lightweight security protection combination:
Additional Scanner:

Please upload any log files produced, namely TDSS and Malwarebytes.

I'll read through your posts in more detail tomorrow morning, and answer those other questions.
 

My Computer

Computer type: Laptop
Thanks for your advice.

Do I need to do anything with McAfee to stop it conflicting with Malwarebytes when I'm running a scan?

thanks,
MID
 

Windows Defender and TDSS came up clean.

TDSS log attached
 

Are you sure Rootkit is a file or is McAfee telling you it is scanning for rootkits?

Jim :cool:
 

My Computer

At a glance
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Built
OS
Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
CPU
Phenom II X6 1100T
Motherboard
ASUS M5A99X EVO
Memory
Crucial Balistic 8gb DDR3-1866 CL9
Graphics Card(s)
MSI R6850 Cyclone IGD5 PE
Sound Card
On Board
Monitor(s) Displays
ASUS VE258Q 25" LED with DVI-HDMI-DisplayPort
Screen Resolution
1920 x 1080
Hard Drives
Two WD Cavier Black 2TB Sata III, WD My Book Essential 2TB USB 3.0
PSU
Seasonic X650 80 Plus GOLD Modular
Case
Corsair 400R
Cooling
Antec Kuhler H2O 620, Two 120mm and four 140mm
Keyboard
Logitech K120
Mouse
Logitech Marble Mouse USB, Logitech Precision Game Pad
Internet Speed
15MB
Antivirus
Norton IS 2013, Malwarebytes Pro Beta 2
Browser
IE-11, FF-27
Other Info
APC UPS ES 750, Netgear WNR3500L Gigabit & Wireless N Router with SamKnows Test Program, Motorola SB6120 Gigabit Cable Modem. Brother HL-2170W Laser Printer, Epson V300 Scanner
Just remove McAfee completely with the McAfee Removal Tool. I know the program you're using isn't strictly McAfee, but it's most likely compiled with the exact same code. I've never seen anyone recommend using McAfee.

Malwarebytes won't conflict, since the free version is an on-demand scanner.

To be honest, I don't think that folder is actually a Rootkit; I've never seen a malware developer call their Rootkit a Rootkit. Have you checked the contents of the folder?

TDSS didn't find anything either.
 

OK guys, I've had this through from one of the guys at McAfee to help clarify the situation:

Code:
Moved this from Community Interface Help (ie problems with the site) to Home & Home Office / Virus and Spyware Protection / VirusScan.

Two things here: "Scanning Rootkit" and boot Records.

The wording of that Rootkit message is misleading. We've already had a go at McAfee about this. It means "Scanning for rootkits", not that it's found one. Don't panic. Eventually they'll get around to changing the wording. In the meantime a lot of people get alarmed needlessly.

As for boot records: it's checking the MBR. If it finds an extra record there you should investigate the reason. Run this program and it will tell you what it finds on the MBR - I've downloaded it and tested it. On mine it found only one record.

Download MBRCheck - MajorGeeks: http://www.majorgeeks.com/files/details/mbrcheck.html

Edit - alternatively there are many other MBR-checkers in the thread at MBR check tools (http://malwaretips.com/Thread-MBR-check-tools). Use at your own risk, needless to say: I always download this sort of file to a safe place in Chrome, without running it, then upload the file to VirusTotal for checking.
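To make concrete what a "boot records" check actually looks at, here is an added example (not code from MBRCheck, McAfee or anyone in this thread): it reads a 512-byte MBR, verifies the 0x55AA signature, decodes the four partition entries and flags the inconsistencies a defender would investigate (extra bootable flags, overlapping partitions), and hashes the bootstrap code so it can be compared against a known-good baseline. The sample sector is constructed inline as a typical Windows 7 layout; the function names are my own.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # 446 bytes of bootstrap code, then 4 x 16-byte entries
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA, count

def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code area. Compare it with a known-good baseline:
    a bootkit overwrites this code, not the partition table."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()

def check_mbr(sector: bytes) -> dict:
    """Validate the signature, decode the four partition entries and report the
    inconsistencies worth investigating (hypothetical helper, not MBRCheck)."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts, warnings = [], []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE)
        if ptype == 0:  # empty slot
            continue
        if status not in (0x00, 0x80):
            warnings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    if sum(p["bootable"] for p in parts) > 1:
        warnings.append("more than one partition flagged bootable")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            warnings.append(f"partitions overlap at LBA {start2}")
    return {"partitions": parts, "warnings": warnings,
            "bootstrap_sha256": bootstrap_hash(sector)}

def build_sample_mbr() -> bytes:
    """Constructed sample: Windows 7 style layout, a bootable 100 MB 'System
    Reserved' NTFS partition (type 0x07) followed by the OS partition."""
    sector = bytearray(MBR_SIZE)
    layout = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 500000000)]
    for i, fields in enumerate(layout):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE, *fields)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)
```

On a real machine the 512 bytes would come from the physical disk (reading it needs administrator rights), and the hash is only useful once you have recorded it from a system you trust.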
Are you sure Rootkit is a file or is McAfee telling you it is scanning for rootkits?

Jim :cool:

I was always sceptical that a rootkit would be labelled 'rootkit'.

McAfee have confirmed that the screen shown is a function of the scan that searches for rootkits, NOT that it is scanning a rootkit.

Many have complained to them about this.
 

They recommended Google Chrome, since it's meant to have a sandboxing feature, however, malware can still escape a sandbox so it's still not 100% safe.
 

They recommended Google Chrome, since it's meant to have a sandboxing feature, however, malware can still escape a sandbox so it's still not 100% safe.

I'd heard that before, which is why I've been using chrome for a little while now.

I like the way it works too :)

MID
 
