Rootkit?

Hello, I was wondering if someone here could help me with a potential (strange) Rootkit problem. My OS is Windows XP SP3 Media Center Edition. I should also mention that every time I scan my PC I disconnect myself from the internet first.

On December 20th, 2015 I ran Trend Micro’s HouseCall v1.62.0.1123 on Full Scan and it supposedly found a Rootkit. Here’s the info from the scan:

File: NULL
Threat: HIDDEN FILE
Type: Rootkits
Risk: (2 out of 3 red bars)

Clicking on HIDDEN FILE brought up this link: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HIDDEN_FILE

I clicked on FIX, reran the scan and once again was told I was infected with this Rootkit. I decided to leave it unfixed this time and ran my other anti-malware programs.

First I ran Trend Micro RootkitBuster v5.0.0.1198 and it said my system is clean.
Second I ran Avast! v2015.10.0.2208 (thorough scan w/Rootkits option checked) and it said my system is clean.
Third I ran MalwareBytes Anti-Malware v2.2.0.1024 (thorough scan w/Rootkits option checked) and it said my system is clean.
Fourth I updated Avast to version 2015.10.3.2233 and tried again and it said my system is clean.

After a couple of days of trying to find out what was going on I decided I didn’t want to deal with this BS anymore, so I backed up all my files (to be safe, after I backed up my files I scanned my portable hdd with all my anti-malware programs, including HouseCall), ran Dell PC Restore and restored my PC to its original self. I removed all junkware, reinstalled all system updates and all security programs. I ran HouseCall again and the same dang Rootkit message came up. I chose not to remove it again.

I decided to run my PC in SafeMode and scan with HouseCall one more time. I was hoping maybe the Rootkit could be completely removed this time. I ran the scan… and nothing. It said my PC is clean. After exiting SafeMode and booting back into normal mode I ran HouseCall again… and I’m infected with a Rootkit.

I’ve just about had it. Can anyone tell me what’s going on? Is this just a false positive from HouseCall? Or an actual Rootkit?

Attach your basic diagnostic logs (MBAM, FRST and aswMBR).
Instructions: https://forum.avast.com/index.php?topic=53253.0

Hello, Asyn.

Sorry, I’m unable to generate the logs right now as I have to get to bed. I’ll have to do it tomorrow.

Thank you for replying. I can’t believe I forgot about the diagnostic logs.

Fourth I updated Avast to version 2015.10.3.2233
This is not the latest version.

What is the file name and location that is being reported?

Hello, sorry for the wait. Here are the logs.

It was when I downloaded it sometime last week.

Trend Micro hasn’t given a location of the file. If I could find it I would have sent it to VirusTotal. Its file name is NULL, I guess. I have no idea.

Hi,

I do not see signs of malware in your reports, but let’s make one more check:

Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

- Right-click on the ComboFix icon and select Run as Administrator to start the tool.
- Accept the disclaimer and agree if prompted to install Recovery Console.
- Do not take any actions while ComboFix goes through your system - it may cause it to stall!
- This scan may take some time!
- When finished, it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.

If you encounter any issues with your internet connection after running ComboFix, please visit this link.

If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.

Hello again, here’s the ComboFix log.

Also, I may have made a mistake with ComboFix. I disconnected from the internet before I started the scan. Do I need to run the scan again with an internet connection? I already have the Recovery Console installed from my XP CD.

Now that I think about it, FRST and aswMBR were also run without an internet connection. Do I need to rescan?

It is okay. Your PC seems clean.

Alright, so is it safe to assume this “Rootkit” is a false positive? I just ran another scan with HouseCall and it appeared again.

Does anyone know how to actually find the file so I can take a closer look at it? The info I posted in my first post is all the information HouseCall would give me.

Since this has nothing to do with avast, I suggest you go ask Trend Micro Systems.

Can you post a picture of what it looks like?

Do you mean take a picture with Print Screen?

I was thinking of doing this earlier but I didn’t because the picture really doesn’t give any more information than the text I typed in my first post:

File: NULL
Threat: HIDDEN FILE
Type: Rootkits
Risk: 2 out of 3 red bars
Action: Fix/Ignore (forgot to add Action in first post)

(Clicking on HIDDEN FILE brought up this link: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HIDDEN_FILE)

^That’s pretty much it for information.

I don’t know what is going on, but we checked your PC for rootkits and other malware with 3-4 tools and it doesn’t seem to be infected. As Eddy suggested, you should contact Trend Micro support for clarification.

Hello everyone,

Thank you to all the people who helped me with this problem. I’m sorry for the late thank you, I should have said this sooner.

Update:

I believe that whatever “Rootkit” I have isn’t really a rootkit. Whatever Trend Micro is detecting, it has been on my PC since at least 2006 (it still shows up when I use Dell PC Restore, which formats the hdd and reinstalls everything to its Original Factory Installation) and, as TwinHeadedEagle posted, we’ve used 3-4 trusted anti-malware tools and they’ve found nothing. I tried using the HouseCall Custom Scan to see if I could pinpoint the problem. It took a couple of hours but the rootkit message never appeared. However, if I ran the other two scan options, Quick and Full, the rootkit message would pop up again. So I believe this is just some weird bug with HouseCall. Man, what a waste of time this has been >:(