A file of length zero bytes is totally and completely empty. If it's really empty, there's no way it can harm you, and there's no purpose for it to remain on your system.

Now since you began this discussion with a rootkit warning from Webroot, you could wonder whether the zero bytes is a real or faked report. One way to disable many rootkits is to boot into safe mode, and from there see if you get a different size report. You could also run a rootkit detecting program. There are several available:

http://www.sysinternals.com/Utilities/rootkitrevealer.html
http://www.f-secure.com/blacklight/
http://www.resplendence.com/hookanalyzer

Another possibility is that the file has an alternate data stream, which wouldn't be reported in the size. You can check that with LADS or STREAMS:

http://www.sysinternals.com/Utilities/Streams.html
http://www.heysoft.de/Frames/f_sw_la_en.htm

If you're still afraid of deleting it (I wouldn't be), you can always delete it to the Recycle bin and if needed you can restore it from there.

Carl

-----Original Message-----
From: Windows Home/SOHO [mailto:[EMAIL PROTECTED] On Behalf Of K. F.
Sent: Wednesday, November 30, 2005 12:56 PM
To: [email protected]
Subject: Re: What is cavag7bp ?

Carl,

I have McAfee resident on my computer and scan every day plus once a week I scan with NOD. Neither of these found cavag7bp.

I did what you advised with this result:

    C:\Documents and Settings\KF\Desktop>DIR /A cav*.*
     Volume in drive C has no label.
     Volume Serial Number is 40BF-F864

     Directory of C:\Documents and Settings\KF\Desktop

    01/04/2005  02:27 AM                 0 cavag7bp
                   1 File(s)              0 bytes
                   0 Dir(s)  24,804,261,888 bytes free

I see it has been there since January, so I'm not sure I am ready to delete it. What does it mean when the file is zero bytes?

Thanks again,
Karen

----------------------------------------------------------------------

Date: Tue, 29 Nov 2005 00:32:00 -0500
From: Carl Houseman <[EMAIL PROTECTED]>
Subject: Re: What is cavag7bp ?

If you can see this file while Windows is running in normal mode (not safe mode), it is not rootkit-masked. Is it an executable file? Do this if you're not sure:

1. Open a CMD prompt window.
2. Type: CD /D %userprofile%\desktop and press Enter.
3. Type: DIR /A cav*.* and press Enter.

Now you can see the full name of the file.

The name sounds like one that was randomly generated in order to avoid detection. The fact that Webroot doesn't identify this as some specific threat suggests that it is new enough to not be included in their signatures yet, or the thing specifically knows how to avoid detection by Webroot.

You might try a scan of the desktop folder with your antivirus software, and another anti-spyware program. Make sure all such scanning software is up-to-date on signatures.

Finally, back at the CMD prompt where we left off above,

4. Type: ATTRIB -S -H -R cav*.* and press Enter.
5. Type: DEL CAVAG7BP.* and press Enter.
6. If (5) is successful, Type: DIR /A and press Enter. Check for the appearance of a new file of strange name on the desktop. If one appears you have some kind of malware on the system.

Carl

--
----------------------------------------
The WIN-HOME mailing list is powered by L-Soft's renowned LISTSERV(R) list management software. For more information, go to:
http://www.lsoft.com/LISTSERV-powered.html
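
The alternate-data-stream check mentioned in the most recent reply can also be done with PowerShell's built-in stream support instead of LADS or STREAMS. This is an added example, not part of the original thread; the function name Find-EmptyFilesWithStreams is hypothetical and the folder defaults to the current user's desktop.

```powershell
# Added example: list zero-byte files in a folder and report any alternate
# data streams (ADS) they carry. Requires Windows PowerShell 3.0+ and NTFS.
function Find-EmptyFilesWithStreams {   # hypothetical helper name
    param(
        # Assumption: default to the current user's desktop folder.
        [string]$Folder = [Environment]::GetFolderPath('Desktop')
    )

    # -Force includes hidden and system files, the same view DIR /A gives.
    Get-ChildItem -LiteralPath $Folder -File -Force |
        Where-Object { $_.Length -eq 0 } |
        ForEach-Object {
            $file = $_
            # Every file has an unnamed default stream, listed as ':$DATA'.
            # Any other stream is data that the DIR size column does not count.
            $ads = @(Get-Item -LiteralPath $file.FullName -Stream * -Force `
                        -ErrorAction SilentlyContinue |
                     Where-Object { $_.Stream -ne ':$DATA' })

            [pscustomobject]@{
                Name        = $file.Name
                Created     = $file.CreationTime
                Attributes  = $file.Attributes
                StreamCount = $ads.Count
                Streams     = ($ads | ForEach-Object {
                                  '{0} ({1} bytes)' -f $_.Stream, $_.Length
                              }) -join '; '
            }
        }
}

Find-EmptyFilesWithStreams | Format-Table -AutoSize -Wrap
```

A StreamCount of 0 means the file is empty in every stream. A stream named Zone.Identifier is the ordinary marker Windows attaches to downloaded files; any other named stream on a zero-byte file is worth inspecting with Get-Content -Stream.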
