RootAlyzer Results - Anything I should worry about?
JorgeGonzalez
2014-04-20, 13:56
Hello,
I did the first scan with RootAlyzer here are the results:
// info: Rootkit removal help file
// copyright: (c) 2008-2014 Safer-Networking Ltd. All rights reserved.
:: RootAlyzer Results
File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"
File:"No admin in ACL","C:\ProgramData\Microsoft\SLDL\8ac2e19a-b1f0-4bff-ae65-1019f510f093\36dde836-5584-4eae-9f09-a8bbc6421ade"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\3ed8a0d3d8a08b2b.dat:731d6002-20c7-467b-94f8-8c3f3962f851:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\740a0cd30a0c93f0.dat:0180a828-dc72-4f31-9756-b24f78754e1a:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\7c4c5f144c5ec912.dat:0e879a76-dd62-4257-b231-347cdf8e0f7f:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\80421afe421af91c.dat:c27f763b-8d33-4e11-97d5-cf5830fb9f7b:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\c2b28f1eb28f15d7.dat:061a2408-a67c-4668-adf7-251dfd88d378:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\c2b28f1eb28f15d7.dat:38781673-54a8-4b66-b7d4-6d52e5770828:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\d8f6b962f6b94194.dat:0394f954-dd39-4b1d-b9cd-881890c2d01a:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\dac0ecc4c0eca849.dat:8c66e948-e9a7-436b-9f14-3c57c1965238:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\e08f86a08f851e7.dat:2fc04870-e464-4971-a8b0-a520c69dbc12:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\f080f35c80f3282c.dat:52821631-4481-411d-a724-3030a770914c:$DATA"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\","LogonSoundPlayed"
Anything I should worry about?
Thank you !
Jorge
Hello JorgeGonzalez, :greeting:
Most entries are your AVG 10 antivirus.
Regarding,
File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"
Do you recognize the name, perhaps this software: http://en.wikipedia.org/wiki/Zylom
How is the computer running? :)
Best regards.
JorgeGonzalez
2014-04-21, 16:13
Hi tashi,
Thanks for your answer!
My computer is running ok. No problems.
Yes. Regarding Zylom, I found the same information. I will probably delete those files.
Actually, I was worried about this:
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"
because I read about some usual rootkits that use the Recycle Bin files.
Is there a way to find if those are rootkits?
Thanks!
Jorge
Hello Jorge,
Actually, I was worried about this:
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"
because I read about some usual rootkits that use the Recycle Bin files.
Is there a way to find if those are rootkits?
Have you tried to empty your recycle bin? :)
Best regards
JorgeGonzalez
2014-04-21, 23:37
Yes. And it was empty when I ran the analysis (and generally I use Eraser to empty it, so I'm pretty sure there were no files :) ).
Just in case, let me clarify that although the log lists both results as "File:":
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"
when the results of the analysis first appeared, they were under the "Folder" category.
Hi JorgeGonzalez,
See post #1 in this thread: https://answers.yahoo.com/question/index?qid=20080727110053AApVNAm
Might make things clearer. :)
Best regards,
JorgeGonzalez
2014-04-22, 02:32
Thank you.
That answered my question.
All doubts cleared.
Thanks for your help!!
Best regards
JorgeGonzalez
2014-04-22, 11:11
Good to know, :thanks:
Hi tashi,
UPDATE: here's an update regarding some things I found. Hopefully, you'll be able to help me figure out if the Zylom items are related to a rootkit or not.
Here's a detail, step by step, of what I did and found.
1) I deleted the following items using the RootAlyzer:
File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"
2) Ran the scan again. The .tmp was gone, but the zylom items appeared again in the scan results.
3) I unhid both hidden and system files and tried to find the two items in "C:\Users". They didn't show up in the search.
4) I searched for the term "zylom" on the whole "C:\" drive and found a Zylom folder (with some subfolders) both in "Allusers" and in "AAA" (this is my user). They seemed to be leftovers of uninstalled software, so I deleted all of them.
(Sorry I don't have more details about the folders, but at that moment I wasn't keeping a record of what I was doing.)
5) Restarted Windows and ran the RootAlyzer scan. The zylom files appeared again in the scan results. I deleted them and ran the scan, but they appeared again.
6) Next, I tried searching the registry. I opened Regedit, searched for the term "zylom" and deleted everything I found.
Below is a list of all the things I found and deleted:
HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom
HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom.1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1383603232-337481022-996218204-1000\Software\Zylom
HKEY_CURRENT_USER\Software\Zylom
---> subfolders
HKEY_CURRENT_USER\Software\Zylom\Games
HKEY_CURRENT_USER\Software\Zylom\Games\44
HKEY_CURRENT_USER\Software\Zylom\Games\44\zgw
HKEY_CURRENT_USER\Software\Zylom\Games\44\zgw\ads
HKEY_CURRENT_USER\Software\Zylom\Games\zgw
HKEY_CURRENT_USER\Software\Zylom\Games\zgw\prefill
HKEY_CURRENT_USER\Software\Zylom\MyZylom
HKEY_CURRENT_USER\Software\Zylom\MyZylom\Credentials
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA\Deluxe
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA\Deluxe\44
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\55326525_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume3\Mula\Carrera de mente\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\9b6f68eb_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc39984d_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\c7c54a2_0
{0.0.0.00000000}.{3494111c-a709-4795-a778-2e25dbe8cedd}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\fe2e39a5_0
{0.0.0.00000000}.{afddb331-e105-4674-aa9d-4331b3273fae}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow
value name --> "*.zylom.com" ; value information --> 000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
value name --> "LastKey"
value information --> Equipo\HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ZylomGameITemp_RASAPI32
Valor 0
Nombre: EnableFileTracing
Tipo: REG_DWORD
Datos: 0
Valor 1
Nombre: EnableConsoleTracing
Tipo: REG_DWORD
Datos: 0
Valor 2
Nombre: FileTracingMask
Tipo: REG_DWORD
Datos: 0xffff0000
Valor 3
Nombre: ConsoleTracingMask
Tipo: REG_DWORD
Datos: 0xffff0000
Valor 4
Nombre: MaxFileSize
Tipo: REG_DWORD
Datos: 0x100000
Valor 5
Nombre: FileDirectory
Tipo: REG_EXPAND_SZ
Datos: %windir%\tracing
7) Then I restarted Windows, opened Regedit, searched for "zylom" and found nothing.
8) Ran the RootAlyzer scan, and again it found the zylom items:
File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
9) I deleted them using the RootAlyzer, but the zylom items appeared again in the scan results.
That's as far as I got with this issue. And I still can't get rid of those zylom files :(
Of the things I found using the Regedit, there are two items that might indicate how the zylom files entered my pc:
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume3\Mula\Carrera de mente\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}
and
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}
They refer to a trivia game ("Trivial Pursuit" in English, "Carrera de mente" in Spanish). I don't remember installing the game, but it's possible. The two files found by RootAlyzer were created in March 2010, so there's a chance I forgot about it. :)
I searched for this "Zylom.Games.Univesal.Patcher.v1.0.exe" or the term "zylom" on all the drives (not just C:\), but I couldn't find it. (Maybe I deleted them, see point 4.)
tashi, if you are still awake after reading all this :) I hope you can help figure out if this is a rootkit or not.
Thanks in advance for your help.
Best regards
Jorge
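For anyone retracing Jorge's steps, here is an added example (not from the thread, and not RootAlyzer's own code) in Windows PowerShell 5.1 syntax: it lists and reads the named NTFS streams that RootAlyzer reports as "Unknown ADS", and shows the access control entries behind a "No admin in ACL" finding, so both can be judged before anything is deleted. The paths are the ones from the log above; reading the $Recycle.Bin folders needs an elevated prompt.

```powershell
# Added example, not part of the thread or of RootAlyzer.
# Windows PowerShell 5.1 syntax (on PowerShell 7 replace "-Encoding Byte" with "-AsByteStream").
# Paths are taken from the RootAlyzer log quoted in this thread.

$profileDir = 'C:\Users\AAA'
$binDirs    = @('C:\$Recycle.Bin\S-1-5-18',
                'C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000')

# 1) "Unknown ADS": list the named alternate data streams attached to the
#    profile directory itself. RootAlyzer prints them as <path>:<name>:$DATA.
Get-Item -LiteralPath $profileDir -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object Stream, Length

# 2) Read one stream before deleting it. A handful of text bytes is what an
#    application marker looks like; a large stream deserves a closer look.
$streamName = 'zylomtest'
$bytes = Get-Content -LiteralPath $profileDir -Stream $streamName `
                     -Encoding Byte -ReadCount 0 -ErrorAction SilentlyContinue
if ($bytes) {
    $hex = ($bytes | Select-Object -First 16 | ForEach-Object { $_.ToString('X2') }) -join ' '
    'Stream {0}: {1} bytes, first bytes: {2}' -f $streamName, $bytes.Length, $hex
}

# 3) "No admin in ACL": show which identities actually hold rights on the
#    Recycle Bin folders. A per-user $Recycle.Bin\<SID> folder is normally
#    created with entries for SYSTEM and the owning user only, so an absent
#    Administrators entry is the expected layout, not evidence of a rootkit.
foreach ($dir in $binDirs) {
    $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
    if (-not $acl) { "$dir : not readable (run from an elevated prompt)"; continue }
    $adminAllow = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow'
    }
    "$dir : Administrators allowed = $([bool]$adminAllow)"
    $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# 4) Only once steps 2 and 3 look benign, remove the named stream. If it is
#    back after a reboot, something still running recreates it; look for the
#    program that owns it rather than deleting the stream again.
# Remove-Item -LiteralPath $profileDir -Stream $streamName
```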
Hello JorgeGonzalez,
They refer to a trivia game ("Trivial Pursuit" in English, "Carrera de mente" in Spanish). I don't remember installing the game, but it's possible. The two files found by RootAlyzer were created in March 2010, so there's a chance I forgot about it. :)
I searched for this "Zylom.Games.Univesal.Patcher.v1.0.exe" or the term "zylom" on all the drives (not just C:\), but I couldn't find it. (Maybe I deleted them, see point 4.)
You confirmed what I asked,
Do you recognize the name, perhaps this software: http://en.wikipedia.org/wiki/Zylom
The remnants of the game may be an annoyance but there appears to be no reason to think it is a rootkit. :)
Have you heard of Revo uninstaller?
I've seen quite a few users who report it worked for them, at your own risk of course: http://www.pcworld.com/article/231511/revo_uninstaller.html
Best regards.
JorgeGonzalez
2014-04-23, 05:28
tashi,
Thank you for your answer.
Yes. When you asked about Zylom I didn't search for more information, because I thought it would be easy to erase with RootAlyzer. But it wasn't.
Regarding Revo, I've been using it for many years. But since the Zylom software was uninstalled before, it's not possible to use it now.
Anyway. Thanks.
Best regards
Jorge