RootAlyzer Results - Anything I should worry about?



JorgeGonzalez
2014-04-20, 12:56
Hello,

I did the first scan with RootAlyzer; here are the results:

// info: Rootkit removal help file
// copyright: (c) 2008-2014 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"
File:"No admin in ACL","C:\ProgramData\Microsoft\SLDL\8ac2e19a-b1f0-4bff-ae65-1019f510f093\36dde836-5584-4eae-9f09-a8bbc6421ade"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\3ed8a0d3d8a08b2b.dat:731d6002-20c7-467b-94f8-8c3f3962f851:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\740a0cd30a0c93f0.dat:0180a828-dc72-4f31-9756-b24f78754e1a:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\7c4c5f144c5ec912.dat:0e879a76-dd62-4257-b231-347cdf8e0f7f:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\80421afe421af91c.dat:c27f763b-8d33-4e11-97d5-cf5830fb9f7b:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\c2b28f1eb28f15d7.dat:061a2408-a67c-4668-adf7-251dfd88d378:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\c2b28f1eb28f15d7.dat:38781673-54a8-4b66-b7d4-6d52e5770828:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\d8f6b962f6b94194.dat:0394f954-dd39-4b1d-b9cd-881890c2d01a:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\dac0ecc4c0eca849.dat:8c66e948-e9a7-436b-9f14-3c57c1965238:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\e08f86a08f851e7.dat:2fc04870-e464-4971-a8b0-a520c69dbc12:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\f080f35c80f3282c.dat:52821631-4481-411d-a724-3030a770914c:$DATA"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\","LogonSoundPlayed"


Anything I should worry about?

Thank you !


Jorge

tashi
2014-04-20, 17:46
Hello JorgeGonzalez, :greeting:

Most entries are your AVG 10 antivirus.

Regarding,
File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"

Do you recognize the name? Perhaps this software: http://en.wikipedia.org/wiki/Zylom

How is the computer running? :)

Best regards.

JorgeGonzalez
2014-04-21, 15:13
Hi tashi,

Thanks for your answer!

My computer is running ok. No problems.

Yes. Regarding Zylom, I found the same information. I will probably delete those files.

Actually, I was worried about this:

File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"

because I read about some usual rootkits that use the Recycle Bin files.
Is there a way to find if those are rootkits?

Thanks!

Jorge

tashi
2014-04-21, 15:29
Hello Jorge,
Actually, I was worried about this:

File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"

because I read about some usual rootkits that use the Recycle Bin files.
Is there a way to find if those are rootkits?


Have you tried to empty your recycle bin? :)

Best regards

JorgeGonzalez
2014-04-21, 22:37
Yes. And it was empty when I ran the analysis (and generally I use Eraser to empty it, so I'm pretty sure there were no files :) ).

Just in case, let me clarify that though the log lists both results as "File:":

File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"

when the results of the analysis first appeared, they were under the "Folder" category.

tashi
2014-04-22, 00:32
Hi JorgeGonzalez,

See post #1 in this thread: https://answers.yahoo.com/question/index?qid=20080727110053AApVNAm

Might make things clearer. :)

Best regards,

JorgeGonzalez
2014-04-22, 01:32
Thank you.
That answered my question.

All doubts cleared.

Thanks for your help!!

Best regards

tashi
2014-04-22, 04:54
Good to know, :thanks:

JorgeGonzalez
2014-04-22, 10:11
Hi tashi,

UPDATE: here's an update regarding some things I found. Hopefully, you'll be able to help me figure out if the Zylom items are related to a rootkit or not.

Here's a detail, step by step, of what I did and found.


1) I deleted the following items using the RootAlyzer:

File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"

2) Ran the scan again, and the .tmp was deleted, but the zylom items appeared again in the scan results.

3) I unhid both hidden and system files, and tried to find the two items in "C:\Users". They didn't show in the search.

4) I searched for the term "zylom" in the whole "C:\" drive, and found a Zylom folder (with some subfolders) both in "Allusers" and in "AAA" (this is my user). They seem to be leftovers of uninstalled software. So I deleted all of them.
(Sorry, I don't have more details about the folders, but at that moment I wasn't keeping a record of what I was doing.)

5) Restarted Windows, and ran the RootAlyzer scan. The zylom files appeared again in the scan results. I deleted them, ran the scan, but they appeared again.

6) Next, I tried searching the registry. I opened Regedit, searched for the term "zylom", and deleted everything I found.
In blue font is a list of all the things I found and deleted:

HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom

HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom.1

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1383603232-337481022-996218204-1000\Software\Zylom

HKEY_CURRENT_USER\Software\Zylom
---> subfolders
HKEY_CURRENT_USER\Software\Zylom\Games
HKEY_CURRENT_USER\Software\Zylom\Games\44
HKEY_CURRENT_USER\Software\Zylom\Games\44\zgw
HKEY_CURRENT_USER\Software\Zylom\Games\44\zgw\ads
HKEY_CURRENT_USER\Software\Zylom\Games\zgw
HKEY_CURRENT_USER\Software\Zylom\Games\zgw\prefill
HKEY_CURRENT_USER\Software\Zylom\MyZylom
HKEY_CURRENT_USER\Software\Zylom\MyZylom\Credentials
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA\Deluxe
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA\Deluxe\44


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\55326525_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume3\Mula\Carrera de mente\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\9b6f68eb_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc39984d_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\c7c54a2_0
{0.0.0.00000000}.{3494111c-a709-4795-a778-2e25dbe8cedd}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\fe2e39a5_0
{0.0.0.00000000}.{afddb331-e105-4674-aa9d-4331b3273fae}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow
value name --> "*.zylom.com" ; value information --> 000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
value name --> "LastKey"
value information --> Equipo\HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ZylomGameITemp_RASAPI32
Valor 0
Nombre: EnableFileTracing
Tipo: REG_DWORD
Datos: 0

Valor 1
Nombre: EnableConsoleTracing
Tipo: REG_DWORD
Datos: 0

Valor 2
Nombre: FileTracingMask
Tipo: REG_DWORD
Datos: 0xffff0000

Valor 3
Nombre: ConsoleTracingMask
Tipo: REG_DWORD
Datos: 0xffff0000

Valor 4
Nombre: MaxFileSize
Tipo: REG_DWORD
Datos: 0x100000

Valor 5
Nombre: FileDirectory
Tipo: REG_EXPAND_SZ
Datos: %windir%\tracing

7) Then, I restarted Windows, opened Regedit, searched for "zylom" and found nothing.

8) Ran the RootAlyzer scan, and again found the zylom items:

File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"

9) I deleted them using the RootAlyzer, but the zylom items appeared again in the scan results.



That's as far as I got with this issue. And I still can't get rid of those zylom files :(


Of the things I found using Regedit, there are two items that might indicate how the zylom files entered my PC:

{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume3\Mula\Carrera de mente\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

and

{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

They refer to a trivia game ("Trivial Pursuit" in English, "Carrera de mente" in Spanish). I don't remember installing the game, but it's possible. The two files found by RootAlyzer were created in March 2010, so there's a chance I forgot about it. :)

I searched for this "Zylom.Games.Univesal.Patcher.v1.0.exe" or the term "zylom" in all the drives (not just C:\) but I couldn't find it. (Maybe I deleted them, see point 4.)


tashi, if you are still awake after reading all this :) I hope you can help me figure out if this is a rootkit or not.


Thanks in advance for your help.

Best regards

Jorge
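The two finding types in the steps above, "Unknown ADS" on the profile folder and "No admin in ACL" under C:\$Recycle.Bin, can be triaged directly in PowerShell. This is an added example, not code from the thread, from RootAlyzer or from Safer-Networking; it assumes Windows PowerShell 5.1 or later (earlier versions reject -Stream on a directory), and the paths are the ones quoted in the thread.

```powershell
# Added example: report NTFS alternate data streams on a flagged path, and show
# which principal owns each $Recycle.Bin per-SID folder and whether Administrators
# appears in its ACL. Read-only; nothing is deleted.

function Get-AdsReport {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return }
    # -Stream * lists every NTFS stream on the object; ':$DATA' is the ordinary unnamed stream.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $text = Get-Content -LiteralPath $Path -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            if ($text) { $text = $text -replace '[^\x20-\x7E]', '.' }   # keep the preview printable
            [pscustomobject]@{
                Path    = $Path
                Stream  = $_.Stream
                Bytes   = $_.Length
                Preview = if ($text) { $text.Substring(0, [Math]::Min(60, $text.Length)) } else { '' }
            }
        }
}

function Get-RecycleBinAclReport {
    # $Recycle.Bin holds one folder per SID. S-1-5-18 is LocalSystem; S-1-5-21-...-1000 is
    # the first local user. Each folder is normally ACLed for that principal and SYSTEM only,
    # so "No admin in ACL" here is the expected layout, not by itself a sign of hiding.
    Get-ChildItem -LiteralPath 'C:\$Recycle.Bin' -Force -Directory | ForEach-Object {
        $acct = try {
            ([System.Security.Principal.SecurityIdentifier]$_.Name).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { '(unresolved SID)' }
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        $adminAce = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' }
        [pscustomobject]@{
            Folder      = $_.Name
            Account     = $acct
            Owner       = $acl.Owner
            HasAdminAce = [bool]$adminAce
        }
    }
}

# Paths are the ones quoted in the thread; replace AAA with the real profile folder name.
Get-AdsReport -Path 'C:\Users\AAA' | Format-Table -AutoSize
Get-RecycleBinAclReport | Format-Table -AutoSize
```

Run from an elevated prompt so Get-Acl can read the other users' recycle folders; a stream whose content is plain text (a game's test marker, for instance) will show up readable in the Preview column.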

tashi
2014-04-22, 17:35
Hello JorgeGonzalez,

They refer to a trivia game ("Trivial Pursuit" in English, "Carrera de mente" in Spanish). I don't remember installing the game, but it's possible. The two files found by RootAlyzer were created in March 2010, so there's a chance I forgot about it. :)

I searched for this "Zylom.Games.Univesal.Patcher.v1.0.exe" or the term "zylom" in all the drives (not just C:\) but I couldn't find it. (Maybe I deleted them, see point 4.)

You confirmed what I asked,

Do you recognize the name? Perhaps this software: http://en.wikipedia.org/wiki/Zylom

The remnants of the game may be an annoyance but there appears to be no reason to think it is a rootkit. :)

Have you heard of Revo Uninstaller?
I've seen quite a few users who report it worked for them, at your own risk of course: http://www.pcworld.com/article/231511/revo_uninstaller.html

Best regards.

JorgeGonzalez
2014-04-23, 04:28
tashi,

Thank you for your answer.

Yes. When you asked about Zylom, I didn't search for more information because I thought it would be easy to erase with RootAlyzer. But it wasn't.

Regarding Revo, I've been using it for many years. But since the Zylom software was uninstalled before, it's not possible to use it now.

Anyway. Thanks.

Best regards

Jorge