
Thread: RootKit Analyzer Deep Scan Results, do I have a RootKit?

  1. #1

    RootKit Analyzer Deep Scan Results, do I have a RootKit?

    Here's my scan log. I have no idea if any of this is bad:

    :: RootAlyzer Results
    File:"Unknown ADS","C:\Users\Matt\Local Settings:P4B9xHBUVoEcIaPw0ywC:$DATA"
    File:"Unknown ADS","C:\Users\Matt\AppData\Local:P4B9xHBUVoEcIaPw0ywC:$DATA"
    File:"Unknown ADS","C:\Users\Matt\AppData\Local\3xAHBiaTTG:zH4MA7j5SOc4Svn6w0D9Q:$DATA"
    File:"Unknown ADS","C:\Users\Matt\AppData\Local\Application Data:P4B9xHBUVoEcIaPw0ywC:$DATA"
    File:"Unknown ADS","C:\ProgramData\Microsoft:9Oyhl36j8JRO1OR8haiHu:$DATA"
    File:"Unknown ADS","C:\ProgramData\Microsoft:viBoRxnQpSb51qm7FuRetaUqE:$DATA"
    File:"Unknown ADS","C:\ProgramData\Microsoft\YfPUvE4qBtufJQ:U8BnASnuhOFScTeU:$DATA"
    File:"No admin in ACL","C:\cygwin64\usr\share\doc\Cygwin\ctags-5.8.README"
    File:"No admin in ACL","C:\cygwin64\usr\share\doc\ctags-5.8\ctags.html"
    File:"No admin in ACL","C:\cygwin64\home\Matt\.bash_history"
    File:"No admin in ACL","C:\cygwin64\etc\inittab"
    File:"No admin in ACL","C:\cygwin64\etc\rebase.db.x86_64"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\","Flyout"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\","Svc"


    Also, I closed the Analyzer without deleting these entries. Do I have to rerun a complete Deep Scan if I do actually need to delete any of these items?
    Last edited by tashi; 2014-10-06 at 08:09. Reason: Removed code box

  2. #2
    tashi (Member of Team Spybot)

    Hello matthewjumpsoffbuilding,

    In general, the items found by the RootAlyzer are not necessarily malicious; it shows items it believes to be out of the ordinary, which may give a hint of an infection.

    Sometimes even legitimate software uses rootkit technologies. How is the computer running? Was there a particular reason for running the scan?

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3


    It hasn't been running particularly badly.

    The main reason for the scan was that Clamwin's memory scan reported something while I was running Chrome:

    C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\chrome.dll: W32.Virut.Gen.D-148 FOUND

  4. #4
    tashi (Member of Team Spybot)

    Hello matthewjumpsoffbuilding,

    Quote Originally Posted by matthewjumpsoffbuilding:
        The main reason for the scan was that Clamwin's memory scan reported something while I was running Chrome:

        C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\chrome.dll: W32.Virut.Gen.D-148 FOUND

    Possibly a false positive; however, it might be best for someone to take a look at the system. Please see the Malware Removal Forum sticky, which includes guidelines and instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

    http://forums.spybot.info/showthread.php?t=288

    Then start a new topic in that forum providing the logs so a volunteer analyst can guide you; also provide a link back to this thread, please.

    Best regards.
    Last edited by tashi; 2014-10-06 at 23:52. Reason: clarify

  5. #5


    I will check that out, thanks.

    Some more info.

    I browsed to the location and found there were two versions of Chrome: C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124 and C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.120.

    I scanned chrome.dll in 37.0.2062.120 with Clamwin, Windows Security Essentials, MalwareBytes AntiMalware, and they all returned clean.

    I scanned chrome.dll in 37.0.2062.124 with the same tools, and all but Clamwin returned clean.

    I then uninstalled Chrome completely, and reinstalled it fresh and rescanned chrome.dll in the 37.0.2062.124 folder (now the only folder in there), and Clamwin still reported the same virus.

    Does that make it more likely a false positive?

  6. #6
    tashi (Member of Team Spybot)

    Hi matthewjumpsoffbuilding,

    Quote Originally Posted by matthewjumpsoffbuilding:
        Does that make it more likely a false positive?

    Could be, but Virut is nasty.

    I see you reported it at the Clamwin forums: http://forums.clamwin.com/search.php...psoffbuildings

  7. #7


    I downloaded Farbar and scanned it with Clamwin, and got:

    "C:\Users\Matt\Desktop\FRST64.exe: Win.Trojan.Expone FOUND"

  8. #8


    I uninstalled Chrome and installed the 64-bit version, in offline mode. Now Clamwin isn't reporting anything?

  9. #9
    tashi (Member of Team Spybot)

    Hello matthewjumpsoffbuilding,

    Quote Originally Posted by matthewjumpsoffbuilding:
        I uninstalled Chrome and installed the 64-bit version, in offline mode. Now Clamwin isn't reporting anything?

    Clamwin would need to help you with any questions regarding their software at their site.

    You could either wait for Clamwin to respond to your topic over there or do as I suggested here in post #4 above.

    "Please see the Malware Removal Forum sticky, which includes guidelines and instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

    http://forums.spybot.info/showthread.php?t=288

    Then start a new topic in that forum providing the logs so a volunteer analyst can guide you; also provide a link back to this thread, please."

    Best regards.

  10. #10
    tashi (Member of Team Spybot)

    Hello matthewjumpsoffbuilding,

    I see you posted in your topic at the Clamwin forums.

    "Farbar was recommended to me by "tashi", an employee on the spybot S&D forums."

    To clarify, what I actually did say was,

    "Please see the Malware Removal Forum sticky, which includes guidelines and instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

    http://forums.spybot.info/showthread.php?t=288

    Then start a new topic in that forum providing the logs so a volunteer analyst can guide you; also provide a link back to this thread, please."

    That information was given so a volunteer analyst could provide their advice if you started a topic in the malware forum, not so the tools would be used without supervision or to invite negativity.

    Hopefully you resolve your issue with the detections made by Clamwin.

    Best regards.