Results 1 to 6 of 6

Thread: Please help with possible rootkit(s) - Running Windows 8.1, fully patched

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Junior Member twindad's Avatar
    Join Date
    Dec 2013
    Location
    California, USA
    Posts
    3

    Question Please help with possible rootkit(s) - Running Windows 8.1, fully patched

    Hello,


    It looks like one or more rootkits are on my machine. It's a new box that I bought November 4th, An Asus X55U notebook with Windows 8.0 pre-installed. I immediately downloaded and installed Spybot 2.2, ZoneAlarm 12.0.104.000 (Free), Clamwin 0.98, and CCleaner 4.08. All are current. For the first three or four weeks all seemed well.

    However, a week or so ago I noticed that ZoneAlarm does not start correctly; the task bar balloon continuously says "initialization is in progress". Also, from some wifi locations I can't log into my gmail account and other secure (https / ssl) sites.

    As a workaround I have enabled the built-in Windows firewall. I have also run the command-line ipconfig utility, with all relevant options. I also regularly clear my Chrome history and other junk files, using the free browser extension History Eraser, version 3.9.5 (see http://hotcleaner.com/history-eraser...nsion-app.html).

    After reading the "before you post" thread here, I have backed up my registry with ERUNT. Here are the results of my Spybot RootAlyzer deep scan:

    // info: Rootkit removal help file
    // copyright: (c) 2008-2013 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"No admin in ACL","D:\c\ch\checkpoint-et-al\za-log.txt"
    File:"No admin in ACL","C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log"
    File:"No admin in ACL","C:\ProgramData\CheckPoint\ZoneAlarm\Data\BACKUP.NDB"
    File:"No admin in ACL","C:\ProgramData\CheckPoint\ZoneAlarm\Data\THIS-BOX.ldb"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\","8"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\","8"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\","Svc"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\InputMethod\Jpn\","DuState"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc\","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Jpn\","DuState"

    My aswMBR.txt log is ready in case you need it. I tried running DDS but it doesn't seem to work with Windows 8.1. After reading further on bleepingcomputer.com, I learned that the Farbar Recovery Scan Tool (FRST) works with Win 8.1 and produces info similar to DDS. FRST generated two logs. In my case the first one is about 1000 lines and the second is ~ 335 lines.

    I have stayed offline as much as possible since learning my machine may be compromised, but I have not tried anything else to repair my system. If you need them, I will upload the aswMBR and FRST logs. I'd prefer to use .7z format instead of .zip if that is okay?


    Thank you kindly for your help!


    PS: The bits of personally identifying info in the logs and RootAlyzer output have been obfuscated already, for safety reasons.
    Last edited by twindad; 2013-12-14 at 03:18. Reason: fixed typos

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello twindad,

    Quote Originally Posted by twindad View Post
    It looks like one or more rootkits are on my machine.
    All items found by the RootAlyzer are not necessarily malicious, it may show ones which it believes to be out of the ordinary.

    Quote Originally Posted by twindad View Post
    I immediately downloaded and installed Spybot 2.2, ZoneAlarm 12.0.104.000 (Free), Clamwin 0.98, and CCleaner 4.08. All are current. For the first three or four weeks all seemed well.
    1) Do you have Spybot free version or Spybot +AV? http://www.safer-networking.org/private/

    Quote Originally Posted by twindad View Post
    However, a week or so ago I noticed that ZoneAlarm does not start correctly; the task bar balloon continuously says "initialization is in progress". Also, from some wifi locations I can't log into my gmail account and other secure (https / ssl) sites.
    2) Have you posted the problem at the Zone Alarm forums? https://www.zonealarm.com/forums/forum.php? You could have a firewall issue.

    Quote Originally Posted by twindad View Post
    My aswMBR.txt log is ready in case you need it.
    Not in this particular forum please. See: http://forums.spybot.info/showthread...-Assistance%29

    Best regards,
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member twindad's Avatar
    Join Date
    Dec 2013
    Location
    California, USA
    Posts
    3

    Default

    Quote Originally Posted by tashi View Post
    Hello twindad,
    All items found by the RootAlyzer are not necessarily malicious, it may show ones which it believes to be out of the ordinary.
    1) Do you have Spybot free version or Spybot +AV? http://www.safer-networking.org/private/
    2) Have you posted the problem at the Zone Alarm forums? https://www.zonealarm.com/forums/forum.php? You could have a firewall issue.
    Not in this particular forum please. See: http://forums.spybot.info/showthread...-Assistance%29
    Best regards,
    Hello tashi -

    Am using Spybot's free version since I already use Clamwin for my AV.

    I haven't posted on ZoneAlarm yet but if you think the mystery will be solved more quickly if both threads are going at once, then I'm open.

    Where do you want to begin, which RootAlyzer entry?

    - Thanks -

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello twindad,

    Quote Originally Posted by twindad View Post
    Am using Spybot's free version since I already use Clamwin for my AV.
    Thanks, just checking to make sure you didn't have two resident AV programs installed as ZoneAlarm 12.0.104.000 includes an anti virus engine.

    Quote Originally Posted by twindad View Post
    I haven't posted on ZoneAlarm yet but if you think the mystery will be solved more quickly if both threads are going at once, then I'm open.

    Where do you want to begin, which RootAlyzer entry?
    The log you posted here shows Zone Alarm, Microsoft and input device entries. Example: http://forums.spybot.info/showthread.php?68033-Are-these-rootkits

    Before starting a topic in our malware forum it might be best to post at the ZA forums first in case there is a firewall issue that can be resolved there.

    Best regards,
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #5
    Junior Member twindad's Avatar
    Join Date
    Dec 2013
    Location
    California, USA
    Posts
    3

    Lightbulb

    Hello tashi, thanks for your fast replies and suggestion ...

    Quote Originally Posted by tashi View Post
    The log you posted here shows Zone Alarm, Microsoft and input device entries. ...
    Before starting a topic in our malware forum it might be best to post at the ZA forums first in case there is a firewall issue that can be resolved there.
    I'll open up a thread on ZoneAlarm's forum with a link back to this one, and see where it goes. Will likely touch base with you again soon !

    ~ ~

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hi twindad,
    Quote Originally Posted by twindad View Post
    I'll open up a thead on ZoneAlarm's forum with a link back to this one, and see where it goes. !
    Please provide a link so we can follow.

    Cheers,
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •