Results 1 to 6 of 6

Thread: Possible rootkit

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Junior Member
    Join Date
    Jan 2013
    Posts
    2

    Question Possible rootkit

    Hi,

    The Rootkit Quick Scan found a evidence suggesting a possible rootkit infection, in the following location:

    C:\WINDOWS\system32\termcap

    When I Start a Deep Scan, nothing is found!!!

    What should I do?

    Windows XP SP3, ESS, MBAM, Spybot 2

    Thank in advance for any information you can provide me




  2. #2
    Member Lancer's Avatar
    Join Date
    Feb 2008
    Posts
    40

    Default

    I get the same result on XP SP3 so I think it's normal. Upload the file to https://www.virustotal.com/ to verify. Still concerned? Download, update and scan with Malwarebytes Antirootkit. It's still in beta testing but very stable and functional.

  3. #3
    Junior Member
    Join Date
    Jan 2013
    Posts
    2

    Exclamation

    Quote Originally Posted by Lancer View Post
    I get the same result on XP SP3 so I think it's normal. Upload the file to https://www.virustotal.com/ to verify. Still concerned? Download, update and scan with Malwarebytes Antirootkit. It's still in beta testing but very stable and functional.
    Thank you Lancer, the file termcap is clean, check it at virustotal and running Malwarebytes Antirootkit, but I don't think it's normal, we don't have to get the same result on XP SP3...

    In my case, I paid for anual subscription and I am getting FP...

    Spybot has to fix this issue ASAP!

    BTW Thank you for reply and for provide me the Malwarebytes Antirootkit Link

    Peace
    Last edited by jedikeeper; 2013-01-30 at 07:00.

  4. #4
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263

    Default

    Hello,

    It's not a false positive.
    The quick scan also searches for hidden files in the system folder.
    termcap is such a hidden file.

    The deep scan searches for real abnormalities and did recognize that the file belongs there.

    Our Rootkit Scanner tool shows anything that uses certain rootkit technologies. But items with rootkit properties detected here are not necessarily malware. Sometimes, legit software uses rootkit technologies to hide registration data or other things it does not want the user to see in any case. So please keep in mind that the Rootkit Scanner only flags suspicious stuff, not identifying just bad stuff.

    Best regards
    Sandra
    Team Spybot

  5. #5
    Member Lancer's Avatar
    Join Date
    Feb 2008
    Posts
    40

    Default

    You're welcome, jedikeeper. Glad to help.

  6. #6
    Junior Member
    Join Date
    Apr 2013
    Posts
    16

    Default

    Quote Originally Posted by spybotsandra View Post

    Our Rootkit Scanner tool shows anything that uses certain rootkit technologies. But items with rootkit properties detected here are not necessarily malware. Sometimes, legit software uses rootkit technologies to hide registration data or other things it does not want the user to see in any case. So please keep in mind that the Rootkit Scanner only flags suspicious stuff, not identifying just bad stuff.
    Mhh I read that somwhere else many times.

    I've got the same Phenomen on my XPSP3

    C:\WINDOWS\system32\termcap

    Deep scan takes a hell of time, so I'm not going to do that as it giong to find nothing last time I did the deepscan.


    Somewhere else I've found that:

    Termcaps.exe file information

    The file itself provides very little indication as to its creator.
    However, here are some useful tips about termcaps.exe.

    Description: The file termcaps.exe is located in the folder C:\Windows\System32.
    The file size on Windows 7/XP is 14,640 bytes.

    There is no description of the program.
    File termcaps.exe is located in the Windows folder, but it is not a Windows core file. The program is not visible. Program starts when Windows starts

    (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).

    Program listens for or sends data on open ports to a LAN or the Internet. The file is not a Windows core file.

    termcaps.exe is able to hide itself and monitor applications.
    Therefore the technical security rating is 100% dangerous, however also read the users reviews.

    User Comments:
    Spyware TheMatrixHasyou.exe

    found on file.net/process/termcaps.exe.html
    So at least the file size does not match to @jedikeeper's screenshot
    Last edited by frienlyfire; 2013-04-14 at 23:45.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •