Help with rootalyzer results please

gordonw
2008-07-01, 22:33
I run an FSC using Vista Home Premium and have just run a Rootalyzer deepscan and would like help with the results. (A quick scan came up with no problems.) Here is the log.

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"No admin in ACL","C:\Windows\Internet Logs\tvDebug.log"
File:"Unknown ADS","C:\Users\Gordon\Desktop\To go to data drive\Malta 2007\December Holiday - MHB confirmation.eml:OECustomProperty:$DATA"
File:"Unknown ADS","C:\Users\Gordon\Desktop\To go to data drive\Malta 2007\Malta booking_files\December Holiday.eml:OECustomProperty:$DATA"
File:"Unknown ADS","C:\Users\Gordon\Desktop\To go to data drive\Malta 2007\Malta booking_files\Travel Confirmation EPUJZO.eml:OECustomProperty:$DATA"
File:"No admin in ACL","C:\Users\Gordon\AppData\Local\Temp\~DF64A8.tmp"
File:"Unknown ADS","C:\Users\Gordon\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\44D915DC-00000001.eml:OECustomProperty:$DATA"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\HpuFunction.dll"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\hpwuSchd2.exe"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\Session.dat"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\Updates.dat"
Directory:"No admin in ACL","C:\Windows\Internet Logs"
Directory:"No admin in ACL","C:\Users\All Users\Symantec\SRTSP\SrtETmp"
Directory:"No admin in ACL","C:\ProgramData\Symantec\SRTSP\SrtETmp"
Directory:"No admin in ACL","C:\Program Files\HP\HP Software Update"

Looking at other threads about Rootalyzer results, I assume that as I have an HP printer and use Norton, the entries referring to HP and Symantec can be ignored. I also recognise those referring to December holiday and Malta, which leaves the ones below:

File:"No admin in ACL","C:\Windows\Internet Logs\tvDebug.log"

File:"No admin in ACL","C:\Users\Gordon\AppData\Local\Temp\~DF64A8.tmp"
File:"Unknown ADS","C:\Users\Gordon\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\44D915DC-00000001.eml:OECustomProperty:$DATA"
Directory:"No admin in ACL","C:\Windows\Internet Logs"

Any help/advice would be appreciated. I'm using version 0.2

Thank you.

debbieclord
2008-08-07, 10:00
I myself had just downloaded the RootAlyzer late last night. My computer is a Vista Home Premium, a year old this August. I did a deep scan and I don't know how to analyze the results either. Could you please let me know when you find out.
Part of my results went like this:

File:"Unknown ADS","C:\Users\Debbie\AppData\Local\VirtualStore\ProgramData\TEMP:DFC5A2B2:$DATA"
File:"No admin in ACL","C:\Users\Debbie\AppData\Local\Temp\FFWSGINST\crawlersrch.xml"
File:"Unknown ADS","C:\Users\Debbie\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\03145043-00000001.eml:OECustomProperty:$DATA"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat"
File:"No admin in ACL","C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crawler Toolbar\More Crawler Products.lnk"

I would appreciate it if you could let me know what the answer is. Thanks.

PepiMK
2008-08-12, 15:28
The second Unknown ADS looks somewhat regular; I've added OECustomProperty to the whitelist (Outlook Express email files also have a legit other data stream named OEStandardProperty).

The first one is imho a known legit one, too.

The Office Data file should be in the whitelist and not appear at all. Which version does RootAlyzer show?

Not sure about the two Crawler Toolbar entries.
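To make the kind of triage done in this thread repeatable, here is an added example (not code from RootAlyzer, Safer Networking or any poster here) that parses result lines in the format shown above, pulls the stream name out of each "Unknown ADS" path, and checks it against the two stream names PepiMK describes as legitimate (OECustomProperty and OEStandardProperty). The sample log is constructed from lines quoted in this thread, and the whitelist contents and the field layout of the RegyKey lines are assumptions based only on what appears on this page.

```python
import re

# Stream names the thread identifies as legitimate on Outlook Express /
# Windows Mail .eml files (assumption: taken from PepiMK's reply above).
KNOWN_ADS_NAMES = {"OECustomProperty", "OEStandardProperty"}

# One RootAlyzer result line looks like:  Kind:"Category","field"[,"field"...]
LINE_RE = re.compile(r'^(?P<kind>\w+):"(?P<category>[^"]*)",(?P<rest>.*)$')
# An ADS path as printed in the log:  <file path>:<stream name>:$DATA
ADS_RE = re.compile(r'^(?P<path>.+?):(?P<stream>[^\\:]+):\$DATA$')

# Constructed sample: lines quoted from the posts in this thread.
SAMPLE_LOG = r"""
// info: Rootkit removal help file
:: RootAlyzer Results
File:"No admin in ACL","C:\Windows\Internet Logs\tvDebug.log"
File:"Unknown ADS","C:\Users\Gordon\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\44D915DC-00000001.eml:OECustomProperty:$DATA"
File:"Unknown ADS","C:\Users\Debbie\AppData\Local\VirtualStore\ProgramData\TEMP:DFC5A2B2:$DATA"
Directory:"No admin in ACL","C:\Windows\Internet Logs"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\","Svc"
"""


def parse_line(line):
    """Return {'kind', 'category', 'fields'} for a result line, else None.

    Header lines such as '// info:' and ':: RootAlyzer Results' do not match
    the Kind:"Category" shape and are skipped.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Remaining quoted fields are separated by '","'; strip the outer quotes.
    fields = [f.strip('"') for f in m.group("rest").split('","')]
    return {"kind": m.group("kind"), "category": m.group("category"), "fields": fields}


def ads_stream_name(path):
    """Extract the stream name from 'file:stream:$DATA', or None if absent."""
    m = ADS_RE.match(path)
    return m.group("stream") if m else None


def triage(log_text):
    """Group result lines so the reader sees what still needs a closer look.

    Returns a dict with:
      known_ads    - (path, stream) pairs whose stream name is whitelisted
      unknown_ads  - (path, stream) pairs that still need identification
      no_admin_acl - (kind, fields) for every "No admin in ACL" entry
      other        - any result line in a category not handled above
    """
    report = {"known_ads": [], "unknown_ads": [], "no_admin_acl": [], "other": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["category"] == "Unknown ADS":
            path = rec["fields"][0]
            stream = ads_stream_name(path)
            bucket = "known_ads" if stream in KNOWN_ADS_NAMES else "unknown_ads"
            report[bucket].append((path, stream))
        elif rec["category"] == "No admin in ACL":
            report["no_admin_acl"].append((rec["kind"], rec["fields"]))
        else:
            report["other"].append(rec)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, entries in result.items():
        print(f"{bucket}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

The point of the split is that "No admin in ACL" is a permissions observation about a file, directory or key, not evidence of hiding, whereas an alternate data stream with a name nobody recognises is what actually merits identification; extending KNOWN_ADS_NAMES as vendors' streams are confirmed keeps later logs short.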

honda12
2008-08-16, 01:04
Well, Crawler Toolbar comes bundled with Spyware Terminator,

so @debbieclord, if you have Spyware Terminator, that would explain it.

Patius
2009-11-22, 08:12
This is the first time I've used it, since I know I've got a trojan that S&D isn't picking up. I'm sort of nervous about editing the registry because I don't want to mess up my computer.

:: RootAlyzer Results
File:"No admin in ACL","C:\Windows\Internet Logs\tvDebug.Zip"
File:"No admin in ACL","C:\Windows\Internet Logs\vsmon_2nd_2009_06_15_22_26_04_small.dmp.zip"
File:"Unknown ADS","C:\Users\Patius\Videos\Gundam Wing (Complete)\Gundam Wing - 49.avi:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Patius\Music\drag-flames.mp3:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Patius\Music\DragonForce\Dragonforce - Discography\2006 - Inhuman Rampage\01 - Through The Fire And Flames.mp3:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Patius\Downloads\drag-flames.mp3:TOC.WMV:$DATA"
File:"No admin in ACL","C:\Users\Patius\Desktop\Adobe Reader 9 Installer\AcroRead.msi"
File:"No admin in ACL","C:\Users\Patius\Desktop\Adobe Reader 9 Installer\Setup.exe"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\81602.bpc"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\OPA12.BAK"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat"
File:"Unknown ADS","C:\Users\All Users\Hewlett-Packard\Media\DVD\001.FCL:001.FCL:$DATA"
File:"No admin in ACL","C:\Users\All Users\avg9\Log\history.xml"
File:"Unknown ADS","C:\ProgramData\Hewlett-Packard\Media\DVD\001.FCL:001.FCL:$DATA"
File:"No admin in ACL","C:\ProgramData\avg9\Log\history.xml"
Directory:"No admin in ACL","C:\Windows\Internet Logs"
Directory:"No admin in ACL","C:\Users\Patius\Desktop\Adobe Reader 9 Installer"
Directory:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA"
Directory:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\","Flyout"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\","Svc"

honda12
2009-11-29, 02:43
Hi Patius,

... I know I've got a trojan that S&D isn't picking up.
Consider posting in the Malware Removal forum (http://forums.spybot.info/forumdisplay.php?f=22) and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Best regards,

honda