Rootkit Removal - Mystery File

Discussion in 'Malware Help (A Specialist Will Reply)' started by hrothgar, Apr 7, 2008.

  1. hrothgar

    hrothgar Private E-2

    After running AVG's Anti-Rootkit Free it detected a "hidden file". The rootkit path is C:\WINDOWS\system32\com1. C:\WINDOWS\system32\com1 has also been listed after defragmentations as being a 150 KB "unmovable file". Is it friend or foe?

    Needless to say, it hasn't been identified as a threat by my other anti-virus and anti-malware applications.

    AVG's Anti-Rootkit's standard warning message about running the risk of not being able to reboot after removing a rootkit, if that is what this thing is, has me a little concerned. Can it be safely removed?

    Thanks for your time.
     
  2. abri

    abri MajorGeek

    Hi hrothgar,
    Welcome to the Malware Forum!

    There are many hidden files on the computer and most of them are legitimate. This may be for the com1 port. You might run a couple more rootkit scans at the Alternate Scans and see what kinds of information they pick up. There may be one that would identify it better.

    abri
     
  3. hrothgar

    hrothgar Private E-2

    Thanks abri, it could indeed be legit although I haven't yet been able to identify what its function is. Strangely, the file can't be located through "search" (XP Professional) but its presence/existence has always been indicated after defrags as an unmovable file.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. abri

    abri MajorGeek

    Okay hrothgar,
    I don't know if you read the link Chaslang posted, but I believe he is suggesting that you run Trend Micro's online scan called Housecall. You can find a link to that at the Alternate Scans by scrolling down to the Free Online Scanning tools. That particular scan is the last one in the list. Let me know what you come up with.
    abri
     
  6. hrothgar

    hrothgar Private E-2

    OK, I ran a second scan with Panda because I couldn't get Trend Micro to install. Panda also identified an "unknown" rootkit using file path C:\WINDOWS\system32\com4.rnx exactly as AVG had. It gave me an option to "clean" (without warnings) so I went ahead and did so. Whether "clean" means wiping a (possibly legitimate) file or only the surgical removal of a rootkit hidden somewhere is beyond me. I ran an anti-virus scan afterwards and no threats were found. So far everything functions as it should.

    My thanks to abri and Chaslang. I'll check back to see if either of you has any additional comments.
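The behaviour described in this thread (a file that rootkit scanners report as hidden, that Windows search cannot find, and that the defragmenter lists as unmovable) is what you get when a file in a normal directory carries a name that the Win32 namespace reserves for devices: CON, PRN, AUX, NUL, COM1 to COM9 and LPT1 to LPT9, matched case-insensitively on the part of the name before the first dot, so both "com1" and "com4.rnx" qualify. Ordinary tools that open such a path are redirected to the device instead of the file, while a plain directory listing still shows the name. The script below is an added example written for this thread; it is not code from the forum, from AVG or from Panda. It checks a directory listing for reserved device names and builds the `\\?\` extended-length form of a path, which is the documented way to make the Win32 API take the name literally so a defender can inspect the entry. The `SAMPLE_LISTING` names are constructed to mirror what the thread reports and are not a real system32 listing.

```python
import os
from typing import Iterable, List

# Names the Win32 namespace reserves for devices. Windows compares the stem
# before the first dot, case-insensitively, so "com4.rnx" collides with COM4.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def is_reserved_device_name(name: str) -> bool:
    """Return True if `name` would be parsed by Win32 as a device name.

    Only the stem before the first dot counts, case is ignored, and trailing
    spaces or dots are stripped the way the Win32 path parser does.
    """
    stem = name.split(".", 1)[0].rstrip(" .")
    return stem.upper() in RESERVED_DEVICE_NAMES


def find_reserved_names(entries: Iterable[str]) -> List[str]:
    """Return, in order, the entries whose names are reserved device names."""
    return [entry for entry in entries if is_reserved_device_name(entry)]


def scan_directory(path: str) -> List[str]:
    """Scan one real directory (for example C:\\WINDOWS\\system32) and return
    the full paths of entries with reserved device names.

    os.scandir reads the directory listing rather than opening each entry,
    which is exactly the step that ordinary tooling fails at for these names.
    """
    hits: List[str] = []
    with os.scandir(path) as it:
        for entry in it:
            if is_reserved_device_name(entry.name):
                hits.append(entry.path)
    return hits


def extended_length_path(path: str) -> str:
    """Prefix an absolute Windows path with \\\\?\\ so the Win32 API stops
    interpreting reserved device names and treats the path literally.

    Paths that already carry the prefix are returned unchanged.
    """
    prefix = "\\\\?\\"
    if path.startswith(prefix):
        return path
    return prefix + path


# Constructed sample listing (not a real system32 directory): two entries
# like the ones reported in the thread mixed in with ordinary-looking names
# that start with "com" but are not reserved.
SAMPLE_LISTING = [
    "kernel32.dll",
    "com1",
    "drivers",
    "com4.rnx",
    "comctl32.dll",
    "COMMAND.COM",
]

if __name__ == "__main__":
    for hit in find_reserved_names(SAMPLE_LISTING):
        print("reserved device name in listing:", hit)
        print("  literal path form:", extended_length_path(r"C:\WINDOWS\system32" + "\\" + hit))
```

On a live system, `scan_directory(r"C:\WINDOWS\system32")` reports the entries; a hit is not proof of malware on its own, but a file that carries a reserved device name has no legitimate reason to sit in system32, and the `\\?\` form of its path is what lets tools that respect that prefix read or hash it before deciding what to do.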
     
