Comodo can't read a file to send as a suspect "\\.\com8.vki" (chkdsk bitmap err.)

I cannot send a file to Comodo, nor does Comodo detect it.
Note Comodo tells me the file is unreadable: “\.\com8.vki” lol
The file is c:\windows\system32\com8.vki, 151 KB in size according to the Details view row in Explorer, but Properties shows 0 length both on disk and for the file.
Microsoft Security Essentials has detected this as trojan w32.stresid.
Also chkdsk keeps detecting free space marked as allocated on the MFT partition table, and many indexing errors and bitmap errors. Those errors keep coming out every reboot, but I have to run chkdsk at boot to see them, until I got "delayed write on MFT failed" (I think because there was no more space on the MFT to allocate new writes because of the MFT virus). Also the partition table is 380 MB and 98% used, weird.
Anyway, even with w32.stresid removed by Microsoft, the disk keeps developing errors on the MFT bitmap and so on.
This system was infected with the LinkOptimizer rootkit, and I can't really get it clean.
The bad thing is that I tried everything: even cluster resize, partition defrag, defrag of the MFT, nothing works, the disk keeps developing problems with bitmap and index attributes on the MFT. The NTFS filesystem is OK, I tried all sorts of disk utilities, GParted shows no problems with the MFT (the MFT is identical to its mirror).

I changed PSU, RAM, and hard disk, which I cloned using the smart option on Ghost, but still the infection persists.

This infection seems to be resident in the NTFS itself. I tried to wipe out the disk writing all zeros, and then smart-copying only data with Ghost (no sector-by-sector copy), to get rid of the virus on the MFT.

I suspect this virus hides itself in the clusters which are not fully used; no antivirus can detect it. I scanned with all anti-rootkits, antispyware, Trend Micro, Comodo, Norton, but I can't understand how it executes its code, and why antivirus programs can't detect it.

I believe now the only way to wipe it is a fresh reinstall of XP, and reinstall everything.

Moved.

Sorry about posting in the wrong section, I'm new to this forum…

Can anyone tell me why Comodo can't read this file \.\com8.vki in the system32 folder? That folder shouldn't be allowed to be created by Windows systems, but it exists, and cannot be read! I suppose if I run an FTP server on the system32 folder and then use the right way to access those kinds of folders, I will be able to read the folder and the file. That COM reserved name is an old exploited bug, ain't it?

After I replaced the HDD, copied the partition without bad clusters, and cleaned the file with Microsoft Essentials… that PC seems OK, even if it is still laggy on some folder changes and browser operations. I suppose there must still be some kind of hidden malware, because chkdsk keeps reporting this at each reboot. I have to schedule a chkdsk on reboot since the volume can't be locked; running chkdsk in read-only mode would likely give many false positives:

  • CHKDSK has detected free disk space labeled as allocated on the mft bitmap.
  • CHKDSK has detected free disk space labeled as allocated on volume’s bitmap.

Ignoring these messages and using the PC for a few hours, running chkdsk again will show a long list of minor errors:
Cleaned minor incongruences on the unit.
Clean of 8 unused entries from index $SII of file 0x9.
Clean of 8 unused entries from index $SDH of file 0x9.
Clean of unused protection descriptors 8.

internal information:

Sometimes the list is very long (like 20-30 entries).

Does someone have any ideas? I also had to repair some user rights messed up with a SID user number instead of the real user name. Also I discovered that even if I was using an admin user, when I right-click on an executable Windows shows me the option to run as admin… this should happen only when I'm not an admin, so even this kind of behavior must come from a compromised protection setting somewhere, like in user rights. Also, to run advanced chkdsk from third parties I was asked to run as admin even though I was admin; I had to add the debug privilege (the virus removed the default security settings).

I know I should format everything, but I need that system working. Meanwhile I'm reading the old disk which developed bad sectors to investigate it; that way I discovered that Comodo AV can't read the file .\com8.vki and I reported it here. I bet those bad clusters are fake… I will format it after a clone using low-level format…

Any help or idea is welcome; for example, can someone tell me how to recover default permissions on Win XP, maybe using a script?

I found this very interesting, I will follow all the indications:

http://support.microsoft.com/kb/831374/en-us

It says chkdsk is in error, and if it repairs the errors the user permissions should be verified and corrected using a tool:

"Even when this hotfix is installed, it is still possible for Chkdsk to reset permissions back to default settings. You can use the Vrfydsk.exe utility to determine whether real Security Descriptor file corruption occurs on a volume. You can save the Vrfydsk.exe utility output to a text file. If the resulting output file contains the following repair entry, the default security may be set on some files and directories.

CHKDSK is verifying security descriptors (stage 3 of 3)… Repairing the security file record segment. <----- REAL CORRUPTION OCCURRED Deleting an index entry with Id #### from index $SII of file 9. Deleting an index entry with Id #### from index $SII of file 9."

I never stop learning…

Is this forum dead? Can nobody tell me how to send this file to Comodo labs?

c:\windows\system32\.\com8.vki

Please, I want to know why Microsoft Essentials finds this file while Comodo does not; also I want to wipe it out.

A little bit of homework would have brought you

And I probably forgot one or two…

Well, the problem is that the “com8” name is a special name for Windows and can't be created (try to create a folder or a file with that name and it won't allow you!), so even online submission refuses it because it sees 0 bytes length, and blocks it. The file is 151 KB, but since it cannot exist, Windows Explorer reports 0 bytes on Properties with right-click, while the Details view shows 151 KB. This is an old exploited bug on Windows; however Comodo doesn't even detect it. Also it is on a secondary disk, so the infection is not running (e.g. protecting or hiding the file size). Simply, the file is there, and is a symptom of an infection. I wish Comodo could analyze this, but if it can't even read it to submit, how to do it?
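As an added illustration of the reserved-name collision the thread describes (this is not code from the thread, from Comodo or from Microsoft), a small Python triage check: it flags directory entries whose stem is a Win32 device name such as COM8 and builds the `\\?\` literal path that a tool must use to open such a file. The listing is constructed sample data, using the thread's com8.vki path and 151 KB size next to a made-up neighbour.

```python
from typing import Iterable, List, Optional, Tuple

# Win32 reserved device names. A file whose stem (text before the first dot) is
# one of these, e.g. com8.vki, cannot be opened through an ordinary path: the
# parser resolves C:\...\com8.vki to the COM8 device, which is why Properties
# shows 0 bytes and a scanner reports "\\.\com8.vki" as unreadable.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

def reserved_device_stem(filename: str) -> Optional[str]:
    """Return the device name a file name collides with, or None.
    Windows ignores case and strips trailing spaces/dots, so "Aux." and
    "com8.vki" collide while "COM10.vki" and "com8x.vki" do not."""
    stem = filename.rstrip(" .").split(".", 1)[0].upper()
    return stem if stem in RESERVED_DEVICE_NAMES else None

def literal_path(win_path: str) -> str:
    # The \\?\ prefix disables Win32 path normalisation, so the name reaches
    # NTFS as-is; this form is needed to read, hash or delete such a file.
    prefix = "\\\\?\\"
    return win_path if win_path.startswith(prefix) else prefix + win_path

def scan_listing(entries: Iterable[Tuple[str, int]]) -> List[dict]:
    """Flag (path, size) directory-listing entries whose file name collides
    with a reserved device name; size is whatever the listing reported."""
    findings = []
    for path, listed_size in entries:
        device = reserved_device_stem(path.rsplit("\\", 1)[-1])
        if device is not None:
            findings.append({
                "path": path,
                "device": device,
                "listed_size": listed_size,
                "open_with": literal_path(path),
            })
    return findings

# Constructed sample listing: the thread's com8.vki (151 KB in the Details
# view) next to an ordinary, made-up entry.
SAMPLE_LISTING = [
    ("C:\\Windows\\System32\\com8.vki", 151 * 1024),
    ("C:\\Windows\\System32\\example.dll", 40 * 1024),
]

if __name__ == "__main__":
    for f in scan_listing(SAMPLE_LISTING):
        print(f"{f['path']} collides with {f['device']}; open via {f['open_with']}")
```

The same check applies to any listing taken from a mounted secondary disk, which is the situation the poster describes; the 0-byte size seen in Properties is the device, not the file, so the Details-view size is the one to record.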