PDA

View Full Version : RootAlyzer Results



SiM99
2010-02-04, 23:38
I left RootAlyzer running last night and would like some help with the results, if possible ;)


// info: Rootkit removal help file
// copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","I:\windows_profiles\Ian\Local Settings\Application Data\desktop.ini:722b2b1c349a06abf0e866180e5a7e63:$DATA"
File:"Unknown ADS","C:\WINDOWS:6C711FAC8B22E47A:$DATA"
File:"Unknown ADS","C:\Program Files\FontExpert\FontExpert.exe:{8DC3F14F-FF96780B-59FE6BB0-7F1B8350}:$DATA"
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\","System\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!

Just FYI - I have windows profiles redirected to my I: drive.

I'm pretty sure that I could just delete the desktop.ini file, but I was wondering if this may be an indication of something bigger - SpyBot S&D isn't finding any spyware on my system. (Ad-Aware has found some overnight, but I haven't looked at the results yet)

The second entry rather confuses me. I wouldn't have thought that a directory could have an ADS... but then, why not? hmm... Anyway, I assume that wouldn't be expected (as it's not white listed) so would you say I need to do something about it?

Regarding the zero character in the registry entry; I have used previously O&O Defrag, but no longer do so I am wondering how I would get rid of this entry. I have read that you can do so using RootAlyzer, but just can't see how it would be done. Can anyone help? :)

I just assume that FontExpert.exe is supposed to have an ADS - I haven't had it installed for that long so wouldn't think there was time for anything to "attack" it, lol ;)


Thanks all!

Matt
2010-02-05, 17:28
Hi SiM99,

do you have signs of Malware (http://www.virusvault.us/signs1.html) ?

SiM99
2010-02-05, 18:04
Hi SiM99,

do you have signs of Malware (http://www.virusvault.us/signs1.html) ?

I'm not getting redirected to websites I didn't want to visit, getting any unexpected popups or getting blocked from accessing software update sites.

I've not got any extra icons on the desktop or anything running in the system tray trying to get me to download/buy any irus scanners or any other software.

Nothing (as far as I know) has been installed that I haven't personally installed. I can check for sure once I get home from work.

However, my computer has been stopping responding every now and then for no apparent reason. It's usually when I access an explorer window (running explorer.exe or clicking a "browse" button on something like the "Run" dialog or when saving a file on a web browser) but has also happened when running NewsLeecher, for example. When the problem seems to be caused by explorer.exe I can still acess other running programs as normal, by using alt+tab to switch to them, only the Window desktop/taskbar/system tray/explorer windows etc. will cease to respond. Viewing Task Manager usualyl reveals that explorer.exe is taking as uch CPU as it can - it's been up to about 99% on occasion.

Come to think of it, explorer.exe taking lots of CPU will mean that NewsLeecher stops responding as well (when running par2 checks or extracting files) but setting the priority of explorer.exe to "Below Normal" or the one below that (can't remember the exact name) gets NewsLeecher responding (almost) normally.


The results of my Ad-Aware scan didn't actually reveal anything big. I said that I had to check that because there were quite a few reports of malware displayed, but it turned out to be some random files I had downloaded a while back. I haven't executed any of these files and most of them were contained in archives (rar files) so I shouldn't have gotten infected by them. I've now deleted all of the files that were listed.

I'm going to continue investigations when I get home from work later. If you have any further recommendations, please let me know.

Thanks :)

P.S. If I don't find anything obvious then I will most likely post a hijackthis log and request help before I go to bed...

tashi
2010-02-05, 19:05
Hello SiM99,

P.S. If I don't find anything obvious then I will most likely post a hijackthis log and request help before I go to bed...

If you do that please see "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) and post the log in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Best regards. :)