Rootkit analysis request



Danii
2013-06-26, 14:53
Hello and thank you for your attention

I have done a rootkit scan on my computer with Spybot (free edition - Version 2.0.12.0 / Start Center 2.0.12.126) and because I have no idea about the results, it would be very kind if you could check them and let me know.

Please find the 'RootAlyzer.130625-1220.txt' results below:

// info: Rootkit removal help file
// copyright: (c) 2008-2013 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\Windows:nlsPreferences:$DATA"
File:"Unknown ADS","C:\Windows\PLA\System\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"Unknown ADS","C:\Windows\Cursors\arrow_n.cur:NEDTA.DAT:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\PWPT VAE\7. RETOUR LUX\LLLC\5. LLLC WIN SERVER INTRO\9 - GESTION DES IMPRIMANTES - A FAIRE\Installation des imprimantes locales et réseau en Win 2008R2.wmv:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\PWPT VAE\7. RETOUR LUX\LLLC\5. LLLC WIN SERVER INTRO\6 - GESTION DES DISQUES - A FAIRE\Gestion Des Disques.wmv:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\PWPT VAE\7. RETOUR LUX\LLLC\5. LLLC WIN SERVER INTRO\5 - ACCES AUX RESSOURCES\EXERCICE 2\Exo 2 - Correction.asf:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\PWPT VAE\7. RETOUR LUX\LLLC\5. LLLC WIN SERVER INTRO\5 - ACCES AUX RESSOURCES\EXERCICE 2\old\Acces Aux Ressources Windows 2008 Exercice 2.wmv:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\PWPT VAE\7. RETOUR LUX\LLLC\5. LLLC WIN SERVER INTRO\5 - ACCES AUX RESSOURCES\EXERCICE 1\OLD\Acces Aux Ressources Windows 2008 Exercice 1.wmv:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\PWPT VAE\7. RETOUR LUX\LLLC\5. LLLC WIN SERVER INTRO\5 - ACCES AUX RESSOURCES\COURS\Acces Aux Ressources Windows 2008.wmv:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\PWPT VAE\7. RETOUR LUX\LLLC\5. LLLC WIN SERVER INTRO\4 - OUTILS DE GESTION ACTIVE DIRECTORY\Creation d'objet - Active Directory 2008R2.wmv:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\PWPT VAE\7. RETOUR LUX\LLLC\5. LLLC WIN SERVER INTRO\3 - INSTALLATION ACTIVE DIRECTORY\Installation de Active Directory 2008R2.wmv:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\PWPT VAE\7. RETOUR LUX\LLLC\5. LLLC WIN SERVER INTRO\2 - INSTALLATION DU DNS\Installation DNS 2008 R2.wmv:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\PWPT VAE\7. RETOUR LUX\LLLC\5. LLLC WIN SERVER INTRO\1 - INSTALLATION DE WINDOWS SERVER 2008 R2\1x01 - Install Windows 2003 Server.wmv:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\Photos\Sample Album\Boston City Flow.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\Photos\Sample Album\Costa Rican Frog.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\Photos\Sample Album\Pensive Parakeet.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Documents\Scanned Documents\Bienvenue.jpg:3or4kl4x13tuuug3Byamue2s4b:$DATA"
File:"No admin in ACL","C:\Users\Damien\AppData\Local\Temp\~DF14A1107B6ECDA24D.TMP"
File:"No admin in ACL","C:\Users\All Users\Real\setup\config.ini"
File:"No admin in ACL","C:\Users\All Users\Nero\OnlineServices"
File:"No admin in ACL","C:\Users\All Users\Nero\OnlineServices\controldata_145.bin"
File:"No admin in ACL","C:\Users\All Users\Nero\OnlineServices\usagestatdata_145.bin"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices"
File:"No admin in ACL","C:\ProgramData\Real\setup\config.ini"
File:"No admin in ACL","C:\ProgramData\Nero\OnlineServices"
File:"No admin in ACL","C:\ProgramData\Nero\OnlineServices\controldata_145.bin"
File:"No admin in ACL","C:\ProgramData\Nero\OnlineServices\usagestatdata_145.bin"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\DAMIEN-PC_20130221-000002\report.xml:Qgrg2rf1Znaluncm1kfl1xla5h:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\DAMIEN-PC_20120912-000001\report.xml:Qgrg2rf1Znaluncm1kfl1xla5h:$DATA"


Please find RootkitQuickScan.log results below:

RootAlyzer Quick Scan Results

Files in Windows folder
----------------------------------------
147 files were tested.
No hidden files detected.
========================================

Files in System folder
----------------------------------------
2390 files were tested.
No hidden files detected.
========================================

Global run entries
----------------------------------------

No hidden entries detected.
========================================

Winlogon entries
----------------------------------------

No hidden entries detected.
========================================

Invisible processes (from handles)
----------------------------------------
0 handle process IDs for 100 processes.
No hidden processes detected.
========================================

Invisible processes (from threads)
----------------------------------------
100 processes tested.
No hidden processes detected.
========================================

Master Boot Records
----------------------------------------
2 MBRs checked.
No unknown MBRs detected.
========================================

In advance, I thank you very much for your help.

Kind regards

Danii

spybotsandra
2013-06-26, 18:05
Hello Danii,

The found items are not rootkits.
They belong to Windows, Dropbox, Real and Nero.
Nothing to worry about.

Malware sometimes uses rootkit technology to hide itself at system level.
This makes it undetectable by standard tools. Our plugins help Spybot – Search & Destroy to detect this form of malware.
Our Rootkit Scanner tool shows anything that uses certain rootkit technologies. But items with rootkit properties detected here are not necessarily malware. Sometimes, legit software uses rootkit technologies to hide registration data or other things it does not want the user to see in any case. So please keep in mind that the Rootkit Scanner only flags suspicious stuff; it does not identify only bad stuff.

Best regards
Sandra
Team Spybot
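Sandra's point is that RootAlyzer lists everything with rootkit-like properties, so the work is in sorting the hits. The script below is an added example, not part of the thread or of Spybot's own tooling: it parses result lines in the `File:"<kind>","<target>"` shape Danii pasted, splits an "Unknown ADS" target into file path and stream name, and marks hits whose stream name or location has a well-known origin (Dropbox's `com.dropbox.attributes`, the `Zone.Identifier` Mark-of-the-Web, vendor data under `C:\ProgramData`) as "known" and everything else as "review". The sample lines are mostly copied from the post; the `installer.exe` line with a `Zone.Identifier` stream is constructed for illustration, and the known-stream list is an assumption a practitioner would extend for their own environment.

```python
import re
from collections import Counter

# Constructed sample in the shape of RootAlyzer's result lines. Most lines are
# copied from the scan pasted in the thread; the installer.exe line is an
# invented example of a Zone.Identifier stream (the Mark-of-the-Web).
SAMPLE_RESULTS = r'''
:: RootAlyzer Results
File:"Unknown ADS","C:\Windows:nlsPreferences:$DATA"
File:"Unknown ADS","C:\Windows\Cursors\arrow_n.cur:NEDTA.DAT:$DATA"
File:"Unknown ADS","C:\Users\Damien\Dropbox\Photos\Sample Album\Costa Rican Frog.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","C:\Users\Damien\Downloads\installer.exe:Zone.Identifier:$DATA"
File:"No admin in ACL","C:\ProgramData\Nero\OnlineServices\controldata_145.bin"
File:"No admin in ACL","C:\Users\Damien\AppData\Local\Temp\~DF14A1107B6ECDA24D.TMP"
'''

# Stream names whose origin is well known on an ordinary desktop (assumed list;
# extend it for your own environment).
KNOWN_STREAMS = {
    "com.dropbox.attributes": "Dropbox sync metadata on files inside the Dropbox folder",
    "Zone.Identifier": "Mark-of-the-Web that browsers and Explorer attach to downloaded files",
}

# Locations where third-party installers commonly write data with their own
# ACLs; used only to explain "No admin in ACL" hits, not to clear them.
VENDOR_DATA_ROOTS = (r"C:\ProgramData", r"C:\Users\All Users")

LINE_RE = re.compile(r'^File:"(?P<kind>[^"]*)","(?P<target>.*)"$')


def parse_line(line):
    """Return {'kind', 'path', 'stream'} for one result line, or None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, target = m.group("kind"), m.group("target")
    stream = None
    if kind == "Unknown ADS" and target.endswith(":$DATA"):
        # "<path>:<stream>:$DATA" -> split from the right so the drive colon
        # in "C:\" is left alone.
        target, stream = target[: -len(":$DATA")].rsplit(":", 1)
    return {"kind": kind, "path": target, "stream": stream}


def assess(record):
    """Attach a verdict: 'known' for explainable hits, 'review' for everything else."""
    if record["kind"] == "Unknown ADS":
        reason = KNOWN_STREAMS.get(record["stream"])
        if reason:
            return {**record, "verdict": "known", "reason": reason}
        return {**record, "verdict": "review",
                "reason": "stream name not in the known list; inspect its contents"}
    if record["kind"] == "No admin in ACL":
        if record["path"].startswith(VENDOR_DATA_ROOTS):
            return {**record, "verdict": "known",
                    "reason": "vendor data directory; ACL set by the product's installer"}
        return {**record, "verdict": "review",
                "reason": "non-vendor location without an Administrators entry in its ACL"}
    return {**record, "verdict": "review", "reason": "unrecognised result kind"}


def triage(results_text):
    """Parse a RootAlyzer results dump and return one assessed record per hit."""
    records = (parse_line(line) for line in results_text.splitlines())
    return [assess(r) for r in records if r is not None]


def summarize(assessed):
    """Count hits per (kind, verdict) so the reader sees what is left to look at."""
    return Counter((r["kind"], r["verdict"]) for r in assessed)


if __name__ == "__main__":
    hits = triage(SAMPLE_RESULTS)
    for r in hits:
        stream = f' [{r["stream"]}]' if r["stream"] else ""
        print(f'{r["verdict"]:6} {r["kind"]:16} {r["path"]}{stream} -- {r["reason"]}')
    print(summarize(hits))
```

A "known" verdict only means the hit has an explanation of the kind Sandra gave (Windows, Dropbox, Real, Nero); the "review" bucket is what is left to open and look at, which for an ADS means reading the stream's contents rather than trusting its name.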