
Rootkit Deep Scan Results



Twirly
2014-12-13, 09:21
Hello, I have Avast Antivirus and Malwarebytes on my computer and do regular scans and have never had any infections before, even in scans as recently as today.

A few days ago I downloaded a free program called "Any Video Converter" from download.cnet.com (prior to installing it, I scanned it using Avast and Malwarebytes, as well as the online scanner at virustotal.com). They all said it was clean.

After installing that program, I ran scans again because I am paranoid, and they all still came back clean.

However, it seems like ever since then my computer just seems to be slower than usual at most things. For example, when I open iTunes it takes a long time to open and then will often become non-responsive and I get impatient and close it. When searching for things in Chrome, it seems like the search results take a bit longer to populate also. Just random things like that. I'm not sure if there is a correlation with me installing that "Any Video Converter" program or not?

So I downloaded Spybot after reading about adware and spyware that sometimes come in on free programs. I wanted to see if it would catch anything that Avast and Malwarebytes missed. The regular scan didn't show anything bad/in red; it was basically just a few usage tracks. Then I ran a Rootkit scan...

So this is the full result of my Rootkit Deep Scan. I don't really know how to interpret it, hoping someone can tell me if anything looks bad. I did read that many things aren't necessarily malware, but I hope someone can take a look to be sure. Looks like a lot of them are pictures, but there are a few weird looking things, like "C:\Dellt! s". FYI, the E: drive is my Western Digital external hard drive that I have plugged in for backup (the software it uses is called "SmartWare" to automatically back things up)... it seems like a lot of the results are located on that E: drive.

I'm using Windows 7 64-bit SP1, and Chrome as my browser (but I do have IE and Firefox also installed).

Thanks for taking a look!

:: RootAlyzer Results
File:"Invisible to Win32","E:\Extras sandb"
1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.paypalobjects.com\settings.sol"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.bb.contentdef.com\settings.sol"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#i3.bb.contentdef.com\settings.sol"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5WJDHUEZ\i3.bb.contentdef.com\assets\common\swf\flowplayer.commercial.3.2.10.swf"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5WJDHUEZ\i3.bb.contentdef.com\assets\common\swf\flowplayer.commercial.3.2.10.swf\org.flowplayer.sol"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\LocalLow\Microsoft\Silverlight\is\ogx0he3x.fa3\3nnn05jo.zob\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\f"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\LocalLow\Microsoft\Silverlight\is\ogx0he3x.fa3\3nnn05jo.zob\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\group.dat"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\LocalLow\Microsoft\Silverlight\is\ogx0he3x.fa3\3nnn05jo.zob\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\id.dat"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\LocalLow\Microsoft\Silverlight\is\ogx0he3x.fa3\3nnn05jo.zob\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\f\krb.txt"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\LocalLow\Microsoft\Silverlight\is\ogx0he3x.fa3\3nnn05jo.zob\1\g\o0ix4jipd532wjp4nlfmf502ppt24jbn1dxr0mpntl03zkcp1laaafba\id.dat"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\LocalLow\Microsoft\Silverlight\is\ogx0he3x.fa3\3nnn05jo.zob\1\g\o0ix4jipd532wjp4nlfmf502ppt24jbn1dxr0mpntl03zkcp1laaafba\quota.dat"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\LocalLow\Microsoft\Silverlight\is\ogx0he3x.fa3\3nnn05jo.zob\1\g\o0ix4jipd532wjp4nlfmf502ppt24jbn1dxr0mpntl03zkcp1laaafba\quota@4e98e1b0732c4e418f1fb79425a72859.dat"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\LocalLow\Microsoft\Silverlight\is\ogx0he3x.fa3\3nnn05jo.zob\1\g\o0ix4jipd532wjp4nlfmf502ppt24jbn1dxr0mpntl03zkcp1laaafba\used.dat"
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\LocalLow\Microsoft\Silverlight\is\ogx0he3x.fa3\3nnn05jo.zob\1\g\o0ix4jipd532wjp4nlfmf502ppt24jbn1dxr0mpntl03zkcp1laaafba\used@6f77c70e71474964954fccb35cf46127.dat"
File:"Invisible to Win32","C:\Dellt! s"
File:"No admin in ACL","C:\System Recovery"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-1-19 Ice Storm\DSCN0820.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-1-19 Ice Storm\DSCN0824.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-1-19 Ice Storm\DSCN0825.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-1-19 Ice Storm\DSCN0839.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-1-19 Ice Storm\DSCN0840.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-07-01\088.MOV:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-07-01\096.MOV:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-07-01\101.MOV:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-07-01\118.MOV:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-07-01\204.MOV:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-06-30\001.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-06-25\064.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-04-20\075.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-04-20\077.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-03-22\445.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-03-22\446.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2011-09-05 003\MVI_4363.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2011-09-05 003\MVI_4364.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2011-09-05 001\MVI_4366.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2011-09-05 001\MVI_4368.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2011-09-05 001\MVI_4369.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2011-09-05 001\MVI_4370.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2011-09-05 001\MVI_4371.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2011-09-05 001\MVI_4372.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2011-07-22\009.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2010-08-29 004\MVI_0388.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2010-08-29 004\MVI_0389.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2010-08-29 003\MVI_0383.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2010-08-29 003\MVI_0385.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2010-08-29 003\MVI_0386.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2010-08-29 002\MVI_0375.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2010-08-29 002\MVI_0376.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2010-08-29 002\MVI_0377.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2010-08-29 001\MVI_0371.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2010-08-29 001\MVI_0372.AVI:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2009-09-24 001\Flicker Birds Clip.AVI:TOC.WMV:$DATA"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
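As an added example (not from the thread, and not Spybot's own tooling), a small Python triage helper that parses RootAlyzer's `File:"<finding>","<path>"` lines, splits the alternate-data-stream notation (`file:stream:$DATA`) into file and stream name, and groups entries by a heuristic label. The sample input is constructed from a few entries of the log above; the "media-player index stream" and "backup copy" labels are assumptions for a first pass, not RootAlyzer's verdicts, and anything labelled "review manually" still needs a human look.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in RootAlyzer's result format, modelled on the log above.
SAMPLE_RESULTS = r'''
File:"Invisible to Win32","E:\WD SmartWare.swstor\Owner-PC\Volume.6cdcb045.b4dd.11e1.9ee6.806e6f6e6963\avast! sandbox\S-1-5-21-3836965969-56342752-2157042032-1001\sfzone\C\Users\Owner\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\5WJDHUEZ\i3.bb.contentdef.com\assets\common\swf\flowplayer.commercial.3.2.10.swf\org.flowplayer.sol"
File:"Invisible to Win32","C:\Dellt! s"
File:"No admin in ACL","C:\System Recovery"
File:"Unknown ADS","C:\Users\Owner\Pictures\2012-07-01\088.MOV:TOC.WMV:$DATA"
File:"Unknown ADS","C:\Users\Owner\Pictures\2009-09-24 001\Flicker Birds Clip.AVI:TOC.WMV:$DATA"
'''

LINE_RE = re.compile(r'^File:"(?P<finding>[^"]*)","(?P<path>.*)"$')
# NTFS alternate data stream notation: <file>:<stream>:$DATA (the drive colon is excluded).
ADS_RE = re.compile(r'^(?P<file>[A-Za-z]:\\[^:]*):(?P<stream>[^:]+):\$DATA$')
VIDEO_EXT = ('.avi', '.mov', '.mpg', '.wmv')


@dataclass
class Finding:
    category: str           # RootAlyzer finding type, e.g. "Unknown ADS"
    path: str               # file path without any stream suffix
    stream: Optional[str] = None  # ADS name when the entry names a stream


def parse_rootalyzer(text: str) -> list:
    """Parse RootAlyzer 'File:' result lines; headers and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, stream = m['path'], None
        ads = ADS_RE.match(path)
        if ads:
            path, stream = ads['file'], ads['stream']
        findings.append(Finding(m['finding'], path, stream))
    return findings


def classify(f: Finding) -> str:
    """Heuristic triage label (assumptions of this example, not RootAlyzer's verdict)."""
    low = f.path.lower()
    if f.category == 'Unknown ADS' and f.stream == 'TOC.WMV' and low.endswith(VIDEO_EXT):
        # Windows Media Player writes a TOC.WMV index stream onto video files it plays.
        return 'media-player index stream'
    if f.category == 'Invisible to Win32' and '.swstor\\' in low and 'avast! sandbox' in low:
        # SmartWare (.swstor) backup copy of the avast sandbox on the external drive.
        return 'backup copy of avast sandbox'
    return 'review manually'


def triage(text: str) -> dict:
    """Group parsed findings by triage label -> list of file paths."""
    groups = defaultdict(list)
    for f in parse_rootalyzer(text):
        groups[classify(f)].append(f.path)
    return dict(groups)
```

Run `triage(open('rootalyzer.txt').read())` on a saved log to get the "review manually" bucket, which is the part worth asking about in the malware forum.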

tashi
2014-12-15, 21:55
Hello Twirly,

I don't see anything popping out but a rootkit scan will not show common malware.



However, it seems like ever since then my computer just seems to be slower than usual at most things. For example, when I open iTunes it takes a long time to open and then will often become non-responsive and I get impatient and close it. When searching for things in Chrome, it seems like the search results take a bit longer to populate also. Just random things like that. I'm not sure if there is a correlation with me installing that "Any Video Converter" program or not?

If you have concerns please see the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) sticky which includes guidelines and instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Then start a new topic in that forum providing the logs so a volunteer analyst can guide you. :)

Best regards.

Twirly
2014-12-16, 00:45
Thank you very much for taking a look, Tashi!

If I already have Avast and Malwarebytes installed and neither have shown an infection, should I still download and use "Farbar Recovery Scan Tool" and "aswMBR," as well as download the registry backup tool that is shown in the forum post you directed me to?

I definitely will if you still suggest it, but I just was afraid to download more unknown (to me) programs if it might not be necessary since I already have those other two programs.

Thank you again for your time and expertise!

tashi
2014-12-16, 01:00
Hi Twirly,

The preliminary tools used in the malware forum have been used safely by countless users but it is your choice to start a topic in there, or not. :)

The link given was in response to your comment,

Originally Posted by Twirly (http://forums.spybot.info/showthread.php?p=460190#post460190)

However, it seems like ever since then my computer just seems to be slower than usual at most things. For example, when I open iTunes it takes a long time to open and then will often become non-responsive and I get impatient and close it. When searching for things in Chrome, it seems like the search results take a bit longer to populate also. Just random things like that. I'm not sure if there is a correlation with me installing that "Any Video Converter" program or not?



I don't see anything popping out but a rootkit scan will not show common malware.

If you have concerns...

Best regards. :)

Twirly
2014-12-16, 01:17
I guess what I meant was, will these other virus/malware scanners that are suggested show anything different than what my Avast and Malwarebytes have already shown? Just curious if it is overkill or unnecessary to download those other programs and do scans if my Avast and MBAM have already shown my system to be clean.

But I guess if they are showing it to be clean and things still seem slow on my computer, it wouldn't hurt to try those other scanners too? I just realized that's probably why you suggested those other programs.

I will follow the instructions and get the logs.

Thanks again.

tashi
2014-12-16, 01:25
Hello Twirly,


I guess what I meant was, will these other virus/malware scanners that are suggested show anything different than what my Avast and Malwarebytes have already shown? Just curious if it is overkill or unnecessary to download those other programs and do scans if my Avast and MBAM have already shown my system to be clean.


They are tools used by volunteer helpers to take a look at the system. :)

Topics in the malware forum show those logs if you want to see what they look like.

All the best.

Twirly
2014-12-16, 02:01
Ah, geez, sorry! I see what they are now. :) I was thinking they were just another brand of virus/malware scanners. I see now that they just show information and are very different from the logs I get in Avast or MBAM.

Thanks again!

tashi
2014-12-18, 00:00
Hi Twirly,

Ken responded: http://forums.spybot.info/showthread.php?71799-Any-fishy-Running-slow-lately


Twirly
2014-12-18, 10:52
Thank you, Tashi! :)