Rootkit in windows/o1.com HELP ME PLEASE

Hi, my Avast antivirus discovered that the file o1.com, which is situated in my Windows folder, is infected by a rootkit. Avast is giving me only two options: delete the file o1.com or ignore it. Avast recommends ignoring it, but the problem is that my computer works really badly now. It restarts itself very often and needs 30 minutes to get started. Can someone help me? If I delete this file, will my Windows system get damaged, or will it fix the problem?

Thank you

Well, it would also have given the option to send the file to avast for analysis. Did you allow it?

The reason for the caution is that a) this is a heuristic-style scan and the detection is in a system folder, so it is erring on the side of caution with its recommendation. The o1.com is no system file that I am aware of, and Google doesn’t think so either. A search effectively only finds this topic, http://www.google.co.uk/search?q=“windows\o1.com”, and if it were a legit file in that location I would expect to find many hits.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here: the URL in the address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

You could bite the bullet and delete it, but erring on the side of caution you could try to rename it kill-o1.com. However, it is likely to be in use and as such protected, so trying to upload it to VirusTotal may give you enough information to choose deletion.

Also see anti-rootkit detection, removal & protection: http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools.

Thank you very much for your answer. I’ll try to run these anti-rootkit programs you suggested; if I’m still facing the same problem I will write here again.
Thank you a lot for your help.

You’re welcome, though I would also try the VirusTotal route first, as that has 36 different scanning engines, and if multiple AVs detect this, then with avast also seeing this as a rootkit, I would tend to reboot and delete it the next time avast detects it.

But don’t do anything without posting a URL to the VirusTotal results.

Hi again. Now Avast detected it again and it suggests that I delete the file immediately (giving me only 2 options: ignore or delete (recommended)), but I’m still scared that if I delete it, it could damage my system. Do you think it’s OK to delete this file as Avast suggests?

In a word, yes.

Did you submit the file to VirusTotal as David asked before? If not, do not delete the file (yet).

I submitted the file to virustotal.com and that’s the result I got (I have no idea what this means; I’m sorry if I’m sending something useless):
File O1.COM-071CF234.pf received on 11.29.2008 21:43:53 (CET)
Current status: finished
Result: 0/37 (0.00%)

Antivirus          Version           Last Update  Result
AhnLab-V3          2008.11.28.2      2008.11.29   -
AntiVir            7.9.0.36          2008.11.29   -
Authentium         5.1.0.4           2008.11.29   -
Avast              4.8.1281.0        2008.11.29   -
AVG                8.0.0.199         2008.11.29   -
BitDefender        7.2               2008.11.29   -
CAT-QuickHeal      10.00             2008.11.29   -
ClamAV             0.94.1            2008.11.29   -
DrWeb              4.44.0.09170      2008.11.29   -
eSafe              7.0.17.0          2008.11.27   -
eTrust-Vet         31.6.6234         2008.11.28   -
Ewido              4.0               2008.11.29   -
F-Prot             4.4.4.56          2008.11.29   -
F-Secure           8.0.14332.0       2008.11.29   -
Fortinet           3.117.0.0         2008.11.29   -
GData              19                2008.11.29   -
Ikarus             T3.1.1.45.0       2008.11.29   -
K7AntiVirus        7.10.538          2008.11.29   -
Kaspersky          7.0.0.125         2008.11.29   -
McAfee             5449              2008.11.29   -
McAfee+Artemis     5448              2008.11.28   -
Microsoft          1.4104            2008.11.29   -
NOD32              3650              2008.11.28   -
Norman             5.80.02           2008.11.28   -
Panda              9.0.0.4           2008.11.29   -
PCTools            4.4.2.0           2008.11.29   -
Prevx1             V2                2008.11.29   -
Rising             21.05.52.00       2008.11.29   -
SecureWeb-Gateway  6.7.6             2008.11.29   -
Sophos             4.36.0            2008.11.29   -
Sunbelt            3.1.1832.2        2008.11.27   -
Symantec           10                2008.11.29   -
TheHacker          6.3.1.1.166       2008.11.28   -
TrendMicro         8.700.0.1004      2008.11.28   -
VBA32              3.12.8.9          2008.11.29   -
ViRobot            2008.11.29.1492   2008.11.29   -
VirusBuster        4.5.11.0          2008.11.29   -

Additional information
File size: 3014 bytes
MD5:    504594379fd3a5087e41dd949f293b4b
SHA1:   46d35f40cb809bbb4da97d4b8753a0640f215a05
SHA256: 5f6ef73e6c3be4eac01dfc2be1d587f25dc13ca3739c4f078f850f38127a23be
SHA512: 2c3a872054cb590b0cf2d5bd88b0247078d91706f9cd1f309fd45e1a2067f692b3647d99b765d477131d206b0a945754ba1c80aa9bdd131807b7fe0612d2a1e6

ssdeep: 48:mlVfF9i4TIXL1ylz+0mqo3Rnfg7T7Qdalk9PK:mi4TIXLwVNo3m7Tk8lk9K

PEiD: -
TrID: File type identification
  Microsoft Windows XP Prefetch file (98.9%)
  LTAC compressed audio (v1.71) (1.0%)
PEInfo: -

I hope this can be useful to solve this problem, because Avast suggests that I delete the file immediately, but I’m still not sure if I should.
Also, I ran the Panda Rootkit Cleaner that David suggested, but it didn’t find any rootkit on my computer, while Avast found many rootkits (rootkit names: explorer.exe, kamsoft.exe etc.).
Thank you so much for your help.

Do not delete the file. Open the avast Chest, go to the User folder, right-click it and in the context menu choose Add. Browse to that file and add it to the Chest.
Then you could delete it.
Although VirusTotal shows it is clean, the name and folder are suspicious.

Thank you very much, I’ll try to do it now.

As essexboy said, yes.
It is entirely possible that the previous detection was uploaded for further analysis and confirmed as bad, so now the decision on the recommended action has changed.

As I said in my first post, if this were my system it would already be gone, based on the basic information, Google search, etc. But when talking of another user’s system I apply a little more caution.

In this instance it serves no purpose to attempt to send it to the chest, IMHO.

You’ve sent a different file to VT for analysis… the prefetch is “always” clean… send the .com file to our virus lab :wink:

Thanks Maxx, I missed that it was a .pf file, which isn’t the actual file but the reference to it on the HDD.
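The mix-up above (a prefetch record named O1.COM-071CF234.pf was uploaded instead of o1.com itself) is a common one, so here is an added example, not code from the thread or from avast, of how a helper can tell a prefetch file apart from the executable it points to before anything is submitted. It relies on the documented Windows XP prefetch layout (format version 0x11 at offset 0, the signature "SCCA" at offset 4, the executable name as UTF-16LE at offset 0x10, and the path hash at offset 0x4C) and on the EXENAME-HASH.pf naming convention. The sample prefetch file and the stand-in non-prefetch bytes are constructed in the block; the hash 0x071CF234 is the one in the filename quoted above.

```python
import hashlib
import struct
from typing import Optional

PREFETCH_SIGNATURE = b"SCCA"  # magic at offset 4 in every Windows prefetch file
XP_PREFETCH_VERSION = 0x11    # format version written by Windows XP / 2003


def file_hashes(data: bytes) -> dict:
    """Digests in the same algorithms VirusTotal lists, so a local file can be matched to a report."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def is_prefetch(data: bytes) -> bool:
    """A prefetch file always carries "SCCA" at offset 4, whatever its version."""
    return len(data) >= 8 and data[4:8] == PREFETCH_SIGNATURE


def prefetch_target_name(data: bytes) -> Optional[str]:
    """Executable name the prefetch record refers to: 60 bytes of UTF-16LE at offset 0x10."""
    if not is_prefetch(data):
        return None
    raw = data[0x10:0x10 + 60]
    return raw.decode("utf-16-le", errors="ignore").split("\x00", 1)[0]


def expected_prefetch_filename(exe_name: str, path_hash: int) -> str:
    """Windows names prefetch records EXENAME-HASH.pf, with the hash as 8 upper-case hex digits."""
    return f"{exe_name.upper()}-{path_hash:08X}.pf"


def describe(data: bytes) -> dict:
    """Summarise what a file is, so the analyst knows whether they hold the artifact or the binary."""
    info = {"kind": "other", "refers_to": None, "size": len(data), "hashes": file_hashes(data)}
    if is_prefetch(data):
        info["kind"] = "prefetch"
        info["refers_to"] = prefetch_target_name(data)
    return info


def build_sample_prefetch(exe_name: str, path_hash: int) -> bytes:
    """Constructed XP-style prefetch header for demonstration; not a real record from any system."""
    name = exe_name.encode("utf-16-le")[:58].ljust(60, b"\x00")
    body = b"\x00" * 0x100  # placeholder for the section data a real record would carry
    total = 16 + 60 + 4 + len(body)
    # version, signature, unknown field (0x0F on XP), total file size
    header = struct.pack("<I4sII", XP_PREFETCH_VERSION, PREFETCH_SIGNATURE, 0x0F, total)
    return header + name + struct.pack("<I", path_hash) + body


# Constructed inputs: a prefetch record for o1.com and an unrelated stand-in that is not prefetch data.
SAMPLE_PREFETCH = build_sample_prefetch("O1.COM", 0x071CF234)
SAMPLE_OTHER = b"MZ" + b"\x90" * 62  # two magic bytes plus filler; not an executable


if __name__ == "__main__":
    for label, blob in (("prefetch", SAMPLE_PREFETCH), ("other", SAMPLE_OTHER)):
        d = describe(blob)
        print(f"{label}: kind={d['kind']} refers_to={d['refers_to']} sha256={d['hashes']['sha256']}")
    print("expected name:", expected_prefetch_filename("o1.com", 0x071CF234))
```

Run against a real upload candidate by reading the file in binary mode and passing the bytes to describe(): a result of kind "prefetch" means the file is only the system's record that an executable ran, and the name in refers_to is what should be located and submitted instead.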