twindad
2013-12-14, 03:12
Hello,
It looks like one or more rootkits are on my machine. It's a new box that I bought November 4th, an Asus X55U notebook with Windows 8.0 pre-installed. I immediately downloaded and installed Spybot 2.2, ZoneAlarm 12.0.104.000 (Free), Clamwin 0.98, and CCleaner 4.08. All are current. For the first three or four weeks all seemed well.
However, a week or so ago I noticed that ZoneAlarm does not start correctly; the task bar balloon continuously says "initialization is in progress". Also, from some wifi locations I can't log into my gmail account and other secure (https / ssl) sites.
As a workaround I have enabled the built-in Windows firewall. I have also run the command-line ipconfig utility, with all relevant options. I also regularly clear my Chrome history and other junk files, using the free browser extension History Eraser, version 3.9.5 (see http://hotcleaner.com/history-eraser-chrome-extension-app.html).
After reading the "before you post" thread here, I have backed up my registry with ERUNT. Here are the results of my Spybot RootAlyzer deep scan:
// info: Rootkit removal help file
// copyright: (c) 2008-2013 Safer-Networking Ltd. All rights reserved.
:: RootAlyzer Results
File:"No admin in ACL","D:\c\ch\checkpoint-et-al\za-log.txt"
File:"No admin in ACL","C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log"
File:"No admin in ACL","C:\ProgramData\CheckPoint\ZoneAlarm\Data\BACKUP.NDB"
File:"No admin in ACL","C:\ProgramData\CheckPoint\ZoneAlarm\Data\THIS-BOX.ldb"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\","8"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\","8"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\","Svc"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\","Upgrade"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\InputMethod\Jpn\","DuState"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc\","Upgrade"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Jpn\","DuState"
My aswMBR.txt log is ready in case you need it. I tried running DDS but it doesn't seem to work with Windows 8.1. After reading further on bleepingcomputer.com, I learned that the Farbar Recovery Scan Tool (FRST) works with Win 8.1 and produces info similar to DDS. FRST generated two logs. In my case the first one is about 1000 lines and the second is ~ 335 lines.
I have stayed offline as much as possible since learning my machine may be compromised, but I have not tried anything else to repair my system. If you need them, I will upload the aswMBR and FRST logs. I'd prefer to use .7z format instead of .zip if that is okay?
Thank you kindly for your help!
PS: The bits of personally identifying info in the logs and RootAlyzer output have been obfuscated already, for safety reasons.