So today I was running a quick scan with my anti-virus/malware software (Bt Netprotect + in association with McAfee) and happened to glance at the screen to see this:
The file being scanned was labelled Rootkit
The quick scan was 99% complete
0 issues had been detected
0 issues has been fixed
My computer was secure, no action required. (according to the software)
The scan was taking quite a while over this mystery rootkit file, leading me to become obviously concerned.
FYI, no viral symptoms have been noticed in the hour or two after I first noticed this file in the scan. I've checked running processes, installed programs, run Ccleaner and multiple custom and complete virus scans using McAfee. I also searched the registry using regedit for any instances of 'bootrecord', although I didn't really know what the 3 returned items meant because I don't know what I'm doing in the registry - which is why i quit regedit and left it alone after that!
Nothing so far suggests I have an infection except the name, the file scan length and one other thing...
McAfee returns a result in its system scans which has led to much confusion in the past. I intend to also post this on to the McAfee community to try and determine exactly what they mean by it, but so far I'll just tell you what I know.
At the end of a scan of critical system files McAfee with return a result for 'Boot Records'. As I understand it this is likely linked to boot sectors, perhaps logging the number of times a set of files for booting a drive are stored.
Until today it used to return 3 boot records.
Today, the same day that 'rootkit' appeared, it returned 4.
Now I will advise you that the McAfee software underwent a graphical (and presumably virus definition) update in the last day or two also.
My questions to you are:
1) Is 'rootkit' a rootkit, or a harmless file/folder?
I saw in regedit a branch for anti-virus stuff which contained the 3 returned items when I searched rootkit, is it possible it's a bit like having a folder for storing information about rootkits, called rootkit, but isn't actually a rootkit?
If it was a rootkit, how likely is it it would have been let through as safe by McAfee?
Why have my boot records gone up?
I've asked about boot records before and it seems to confuse non-McAfee people, but if you know anything about this please do help clarify. If it means I have files in the boot sector for 4 drives...why? Can I bring it back down to 3?
Can I locate, or even remove this file somehow?
I don't know anything about it, thanks to McAfee not providing anything other than the name 'rootkit' [which could be the file name but could equally be some nickname McAfee slapped on] I can't find anything on it's properties, location or file type.
FYI again; I run a pretty tight ship in terms of PC security, and I've no idea where this would have come from in regards to recent browsing. I checked browser history to make sure I hadn't been somehow redirected to a bad page and didn't spot anything.
That's all I can think of for now.
Thanks in advance.
Just remembered that recently my facebook account was in some was compromised. I discovered one morning a vulgar message left on my wall that I certainly didn't write.
The nature of the message led me to believe that it was someone I know however (one of my 'friends').
I'm doubtful that my account would have been accessed simply through another device being left logged, mainly because I only use two devices to sign in (this laptop and my phone) both of which were nowhere near the main bulk of people I know at the time.
I do know friends studying computer programming courses, if that helps.
I'm highly doubtful they'd have anything to do with a rootkit though
The previous were extracts from my post on the windows seven forums.
Forgive me not changing the wording, but i'm pretty tired now.
Top: 4 boot records
Bottom: 'rootkit' being scanned
Moved this from Community Interface Help (ie problems with the site) to Home & Home Office / Virus and Spyware Protection / VirusScan.
Two things here : "Scanning Rootkit" and boot Records.
The wording of that Rootkit message is misleading. We've already had a go at McAfee about this. It means "Scanning for rootkits", not that it's found one. Don't panic. Eventually they'll get around to changing the wording. In the meantime a lot of people get alarmed needlessly.
As for boot records : it's checking the MBR. If it finds an extra record there you should investigate the reason. Run this program and it will tell you what it finds on the MBR - I've downloaded it and tested it. On mine it found only one record.
Edit - alternatively there are many other MBR-checkers in the thread at http://malwaretips.com/Thread-MBR-check-tools. Use at your own risk, needless to say : I always download this sort of file to a safe place in Chrome, without running it, then upload the file to VirusTotal for checking.Message was edited by: Hayton on 03/11/13 23:44:56 GMT
Also the scanning for rootkits does take a while we also mentioned this to Mcafeeon 04/11/13 6:20:14 EST AM
Ok, thanks Hayton!
I'm going to look into the 4 boot records issue as soon as; i'll let you know how things progress.
As Hayton says, the Quick Scan has scanned for rootkits and there were none found on your machine. So no need to worry.
The scan results screen summary just gives an account about what was scanned during the Quick Scan that you had triggered.
In this case, the results say that 4 Boot records were scanned doesn't mean that there was any infection with the Boot Records.
"4 Boot records were scanned doesn't mean that there was any infection with the Boot Records".
Ok, this is helpful.
Now i'm trying to find out WHY I have 4 boot records, when a few days ago I had 3.
Hayton suggested I download that majorgeeks file to check the MRB, but am I right in thinking the '4 boot records' scanned by McAfee represent records other than the MBR as well?
Also I'd rather avoid downloading things to intefere with MBR's if at all possible. I'm not doubting Hayton when he said the file was fine but if there's another way then I'd be happy
I hope that made sense :/
mbrcheck doesn't interfere with anything. It reads the MBR and tells you what it finds there. As a bonus you get a desktop file detailing all running processes and currently active drivers. I've seen other threads where McAfee reports a fluctuating number of boot records, but I don't know if it's reading the MBR incorrectly. With mbrcheck you can see the records for yourself.
"mbrcheck doesn't interfere with anything. It reads the MBR and tells you what it finds there. As a bonus you get a desktop file detailing all running processes and currently active drivers. I've seen other threads where McAfee reports a fluctuating number of boot records, but I don't know if it's reading the MBR incorrectly. With mbrcheck you can see the records for yourself"
Out of curiosity, what do the scans read for you guys.
Just 1 boot record?
NOTE: i'm aware there should only be 1 MBR, but I think I'm right in saying that there are other boot records?
Here is everything you never really knew you wanted to know about
The Master Boot Record - present on a partitioned hard drive
The Volume Boot Record - present on an unpartitioned hard drive
See also this short discussion from TomsHardware (a useful little forum)
Whew! this discussion helps greatly in relieving fears. I'm up to 38 RootKits in both Full and/or Custom scans.
What's wierd..is that I am into NO Social Media, No Banking, No File-sharing, No on-line gaming.
Mainly my GMail and Site-Advisor Browsing.