please advise on these 2 items found in my rootkit scan



monkeyC
2015-05-14, 11:11
I am running the Windows 7 Starter 32-bit operating system.
Are these 2 items deletable? Please advise! Thank you in advance!

Folders
type: Folder
object: DATA
location: C:\ProgramData\Microsoft\OFFICE\
details: No admin in ACL

Registry Keys
type: Key
object: LogonSoundPlayed
location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\
details: No admin in ACL

tashi
2015-05-14, 23:10
Hello monkeyC,

Those entries are fine, how is the computer running? :)

Best regards.

monkeyC
2015-05-15, 03:34
Hey tashi,

Thanks for the quick reply.

Please clarify, though: "fine" as in don't delete, or okay to delete?

The computer is running fine for an old netbook. I thought it may have gotten infected a few months back, in Dec/Jan, by some FBI/Interpol virus. Firefox's window kept redirecting and opening up tabs/windows to an FBI/Interpol warning page claiming I committed a crime and must contact them and pay a fine. Well, I'm not gullible, and instead of interacting with those sites I attempted to close the windows and finally shut the computer down. Is that called a browser hijack?

Anyway, after doing research on that virus and attempting cleanup, it appeared that my computer may not have been infected, since I did not interact with the site.

However, that doesn't mean I was correct in deducing my computer wasn't infected by that FBI/Interpol virus or compromised in other ways. So, I am using several antivirus/spyware/malware scans and cleanup utilities.

tashi
2015-05-15, 07:02
Hi monkeyC,

Please clarify, though: "fine" as in don't delete, or okay to delete?

The files as shown do not require action.

The computer is running fine for an old netbook. I thought it may have gotten infected a few months back, in Dec/Jan, by some FBI/Interpol virus. Firefox's window kept redirecting and opening up tabs/windows to an FBI/Interpol warning page claiming I committed a crime and must contact them and pay a fine. Well, I'm not gullible, and instead of interacting with those sites I attempted to close the windows and finally shut the computer down. Is that called a browser hijack?

The so-called FBI ransomware? http://www.fbi.gov/news/stories/2015/january/ransomware-on-the-rise/ransomware-on-the-rise

Were your files encrypted by this infection?

Anyway, after doing research on that virus and attempting cleanup, it appeared that my computer may not have been infected, since I did not interact with the site.

However, that doesn't mean I was correct in deducing my computer wasn't infected by that FBI/Interpol virus or compromised in other ways. So, I am using several antivirus/spyware/malware scans and cleanup utilities.

Please describe the security programs installed on the machine and which tools you have been using.

Best regards.

monkeyC
2015-05-16, 05:09
Hey tashi,

Okay, I will leave those items alone. Would it be detrimental to my system if they were deleted?

I ran the rootkit scan again and a 3rd item appeared. Please advise:

Registry Keys
type: Key
object: Vol
location: HKLM\SOFTWARE\Microsoft\SecurityCenter\Svc\
details: No admin in ACL

And yes, my recent concern was a version of the FBI ransomware; thanks for the link. I don't believe my files were encrypted. Encrypted meaning my access to my files would be limited or altogether inaccessible, correct?

Besides using keyboard commands (Ctrl+W) or clicking the red X in the top right corner of the browser window, I had no other interaction with that site, since it was obviously suspicious. When that wouldn't work, I forced a shutdown. I haven't had any noticeable consequences since that initial incident.

Prior to starting my barrage of scans and cleanups I noticed a zipped folder in my Downloads folder I did not recognize, called ClearCydiaListCache. When I did a Google search for it, I found sites claiming ClearCydiaListCache.exe was a possible virus, so I deleted that zipped folder.

Security programs/tools used, in this order:
Windows Defender
Avast Free Antivirus
AVG Free
Panda Free Antivirus
Malwarebytes Anti-Malware
Spybot Search & Destroy
CCleaner

First, I updated and ran Windows Defender's full system scan. Then for Avast, AVG, Panda, and Malwarebytes Anti-Malware, I dealt with each program individually. For example, I installed Avast, updated it, scanned in both logon modes (normal, safe mode), then uninstalled it. Then I installed AVG, etc.

The only programs still installed on my computer are Spybot and CCleaner. The browser I use is Firefox, and I have the plugin Adblock Edge.

I plan to install Malwarebytes Anti-Exploit and give it a try. pcmag.com had a good review for it. I could also run HijackThis and post my scan result in a forum.

Cheers!

tashi
2015-05-16, 05:37
Hello monkeyC,

Hey tashi,

Okay, I will leave those items alone. Would it be detrimental to my system if they were deleted?

The files as shown do not require action.

I ran the rootkit scan again and a 3rd item appeared. Please advise:

Registry Keys
type: Key
object: Vol
location: HKLM\SOFTWARE\Microsoft\SecurityCenter\Svc\
details: No admin in ACL

In general, the items found by RootAlyzer are not necessarily malicious; it shows items it believes to be out of the ordinary, which may give a hint of an infection.

Sometimes even legitimate software uses rootkit technologies.

The only programs still installed on my computer are Spybot and CCleaner.
<snip>
I could also run HijackThis and post my scan result in a forum.

We no longer use HijackThis for a preliminary analysis. Please let me know if you have an antivirus program installed.

Then I will give further instructions to post in our malware removal forum. :)

Best regards.
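All three objects in this thread carry the same RootAlyzer detail, "No admin in ACL". The PowerShell below is an added example, not part of the thread and not RootAlyzer's own code: it reads the DACL of each flagged object with Get-Acl and reports whether BUILTIN\Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) actually hold an entry, who owns the object, and whether the ACL is inherited from the parent. The paths are the ones quoted in the posts above; everything else (the function name, the output fields) is assumed for the example. Run it from an elevated prompt on the machine that was scanned.

```powershell
# Added example, not from the thread or from RootAlyzer: inspect the DACL of each
# object the scan flagged as "No admin in ACL". Paths are those quoted in the posts.
# Run from an elevated PowerShell prompt on the machine that was scanned.

$flagged = @(
    'C:\ProgramData\Microsoft\OFFICE\DATA',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LogonSoundPlayed',
    'HKLM:\SOFTWARE\Microsoft\SecurityCenter\Svc\Vol'
)

# Well-known SIDs, so the check does not depend on the system's display language.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM

# Assumed helper name for this example; returns one object per path.
function Get-AdminAceReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{ Object = $Path; Status = 'not present' }
    }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # A DACL that denies READ_CONTROL even to an elevated admin is itself worth noting.
        return [PSCustomObject]@{ Object = $Path; Status = "cannot read ACL: $($_.Exception.Message)" }
    }

    # Normalise every ACE principal to its SID; principals Windows could not
    # resolve to a name are already SecurityIdentifier objects and translate to themselves.
    $sids = foreach ($ace in $acl.Access) {
        $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    [PSCustomObject]@{
        Object             = $Path
        Status             = 'ok'
        Owner              = $acl.Owner
        AdminsInAcl        = [bool]($sids -contains $AdminsSid)
        SystemInAcl        = [bool]($sids -contains $SystemSid)
        InheritsFromParent = -not $acl.AreAccessRulesProtected
        Principals         = ($sids | Sort-Object -Unique) -join ', '
    }
}

$flagged | ForEach-Object { Get-AdminAceReport -Path $_ } | Format-List
```

Read the output together with the parent's ACL: a folder or key whose DACL is protected (InheritsFromParent false), is owned by an account other than Administrators or TrustedInstaller, and lists only principals you cannot account for deserves a closer look, whereas a missing Administrators entry on an object that SYSTEM or a service account owns is common and, as the analyst says above, needs no action by itself.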

monkeyC
2015-05-16, 06:38
Hey tashi,

Yes, I'm aware that files found by the rootkit scan may not be malicious, which is why I am discussing them with experts like yourself!

As I mentioned previously, I had run 3 antivirus programs (Avast Free, AVG Free, Panda Free) and also Malwarebytes Anti-Malware. But after doing full system scans in both normal logon mode and safe mode, and not finding any infections, I uninstalled them. My netbook unfortunately has limited processing power.

I will now run Windows Update.

Any other suggestions or advice you may have to offer?

Cheers!

tashi
2015-05-16, 07:16
As I mentioned previously, I had run 3 antivirus programs (Avast Free, AVG Free, Panda Free) and also Malwarebytes Anti-Malware. But after doing full system scans in both normal logon mode and safe mode, and not finding any infections, I uninstalled them. My netbook unfortunately has limited processing power.

Hi monkeyC,

For someone to take a look at the system please start a topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) and a volunteer analyst will advise.

First see that forum's FAQ which also includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Please provide a link back to this thread. :)

Best regards.

monkeyC
2015-05-17, 09:19
Hey tashi,

Thanks for the info. I will look into those programs you suggested.

What is the best way to provide a link to this discussion if I post logs to a topic in the malware forum?

Thanks again!

tashi
2015-05-17, 17:49
Hi monkeyC,
Hey tashi,

Thanks for the info. I will look into those programs you suggested.

What is the best way to provide a link to this discussion if I post logs to a topic in the malware forum?

Thanks again!

The link is the url in your browser bar: https://forums.spybot.info/showthread.php?72357-please-advise-on-these-2-items-found-in-my-rootkit-scan&p=464101

Those programs are only to be used if starting a topic in the malware forum, they are for the analyst who responds. ;)

Best regards.

monkeyC
2015-05-18, 03:49
Hey tashi,

Understood! I plan to post soon to the malware forum.

Thanks again for everything!