View Full Version : unsure about rootkit scan results

2013-04-12, 04:10
Hello to the Spybot-Team,

that's my first thread, so I hope to give all required Information in acceptable English.

I'm using an Intel Duel Core 2.16 GHz, 3 GB RAM, Win7 Ultimate 32 Bit SP1, Avira Free Antivirus, MBAM Pro and of course Spybot - Search & Destroy 2 (
I did a deep rootkit scan and that is the matching Logfile:

// info: Rootkit removal help file
// copyright: (c) 2008-2013 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Hidden file","C:\Windows\MSIECO"
File:"Hidden file","C:\Windows\Œõ"
File:"Unknown ADS","C:\Windows\Cursors\arrow_n.cur:NEDTA.DAT:$DATA"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\81608.bpc"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\OPA12.BAK"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat"
File:"Unknown ADS","C:\Users\Ales\Documents\Scanned Documents\Begrüßungsscan.jpg:3or4kl4x13tuuug3Byamue2s4b:$DATA"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
RegyValue:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\","LogonSoundPlayed"[/CODE]I read about "No admin in ACL" and "Unknown ADS" and now in my opinion lines 4 -7 and line 9 are no malware and the RebyValue is needed by windows.
Lines 1 an 2: I've got no idea :confused:
Line 3: I'm unsure... maybe truly a needed ADS for my mouse-coursor :scratch:
Line 8: the picture exists, but I was wondering what means ":3or4kl4x13tuuug3Byamue2s4b:$DATA" :confused:

I hope you clear up my confusion. Thanks in advance!

2013-04-15, 18:08

I would maybe delete the first two.

The others are definitely no Rootkits.
Just some Windows files belonging to Office and cursors and sounds.

But the deletion is final and can not be recovered through the Quarantine.
If you still want to remove the found items it is strongly recommend to create a system restore point (http://windows.microsoft.com/en-US/windows-vista/System-Restore-frequently-asked-questions) before doing that.

Best regards
Team Spybot