RootAlyzer Results



abcdefg
2016-01-13, 00:14
// info: Rootkit removal help file
// copyright: (c) 2008-2016 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109610090400000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109611090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109810090400000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109A20000000100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109A20090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109E60090400000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109F10090400000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\6414876250E69FF3395387C6C7F05BEB:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744BA0000000010:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\E1810453A043A7E44B90136643272B7F:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\F9EAF6243737E6942A51D97BFE3489FC:Win32App_1:$DATA"
File:"No admin in ACL","C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\Quarantine"
File:"No admin in ACL","C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
File:"Unknown ADS","C:\ProgramData\Microsoft\OFFICE\DATA:Win32App_1:$DATA"
File:"Unknown ADS","C:\ProgramData\Apple\Apple Application Support\kdrl:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Apple Software Update:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Bonjour:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\CrystalDiskInfo:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\DishAnywhereDesktop:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Malwarebytes Anti-Malware:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Norton 360:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\PDFTK Builder:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ZYTO\ZYTOTouchV2:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft.NET\RedistList:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Works\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Visual Studio\COMMON\IDE\IDE98:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Silverlight\5.1.41105.0:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office12\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office12\1036:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office12\3082:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\iTunes\Mozilla Plugins:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\DESIGNER:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\System\Ole DB:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\System\Ole DB\Resources\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\System\MSMAPI\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Excel.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Office.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Office64.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Office64.WW:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Outlook.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Proofing.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Publisher.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Apple\Apple Application Support:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Apple\Mobile Device Support:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco EAP-FAST Module:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco LEAP Module:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco PEAP Module:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco PEAP Module\en-US:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco LEAP Module\en-US:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco EAP-FAST Module\en-US:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Carbonite\Carbonite Backup:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Bonjour\Bonjour.Resources:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\cs:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\da:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\de:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\el:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\en-US:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\es:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\fi:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\fr:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\hu:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\it:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\ja:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\ko:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\nl:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\no:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\pt-BR:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\ru:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\sv:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\th:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\tr:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\zh_CHS:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\zh_CHT:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Welcome:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Adobe\Reader 11.0:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Adobe\Reader 11.0\Reader:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\ATI Technologies:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Bonjour:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\IDT:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\iTunes:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Silverlight:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\SUPERAntiSpyware:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Validity Sensors:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Validity Sensors\Shared\Drivers:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Silverlight\5.1.41105.0:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Office\Office12:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Office\Office12\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\iPod\bin\iPodService.Resources:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\Apple\Apple Application Support:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\Apple\CoreFP:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\Apple\Mobile Device Support:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Axantum\AxCrypt:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\ATI Technologies\ATI.ACE\Fuel:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\ATI\CIM:Win32App_1:$DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\ADOVMPPackage","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\ADOVMPPackage","Final"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Chs","DuState"

Are these ok? If not, which ones would you recommend removing? Thanks very much in advance
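A quick way to get a grip on a long RootAlyzer listing like the one above is to parse it and group the findings, so the repeated pattern (the same stream name on dozens of vendor install directories) separates from the one-off entries that need a manual look. The script below is an added example written for this thread; it is not part of RootAlyzer or Safer-Networking's code, and the sample lines it parses are constructed in the shape of the report (including one invented stream name, `stream1`, to show how an outlier surfaces). Grouping by stream name is a triage heuristic, not a verdict on any specific path.

```python
"""Triage helper for RootAlyzer text output (added example, not the tool's own code).

Handles the two record shapes seen in the report:
    File:"<reason>","<path>"
    RegyKey:"<reason>","<hive>","<key>","<value>"
An ADS path looks like C:\\dir\\file:streamname:$DATA, so the drive colon must
be skipped before splitting on ':' to find the stream name.
"""
import csv
from collections import Counter, defaultdict

# Constructed sample lines in the report's format (not copied from a real scan).
SAMPLE = (
    'File:"Unknown ADS","C:\\Program Files (x86)\\Bonjour:Win32App_1:$DATA"\n'
    'File:"Unknown ADS","C:\\Program Files\\iTunes:Win32App_1:$DATA"\n'
    'File:"Unknown ADS","C:\\ProgramData\\Microsoft\\OFFICE\\DATA:Win32App_1:$DATA"\n'
    'File:"Unknown ADS","C:\\Users\\Public\\setup.pdf:Zone.Identifier:$DATA"\n'
    'File:"Unknown ADS","C:\\Users\\Public\\cache.bin:stream1:$DATA"\n'
    'File:"No admin in ACL","C:\\ProgramData\\Norton\\SRTSP\\Quarantine"\n'
    'RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE",'
    '"\\SYSTEM\\CurrentControlSet\\Services\\ADOVMPPackage","Final"\n'
)


def split_ads(path):
    """Split 'C:\\dir:stream:$DATA' into file path, stream name and stream type."""
    if len(path) > 1 and path[1] == ":":
        drive, tail = path[:2], path[2:]   # keep the drive colon out of the split
    else:
        drive, tail = "", path
    parts = tail.split(":")
    return {
        "file": drive + parts[0],
        "stream": parts[1] if len(parts) > 1 else None,
        "stream_type": parts[2] if len(parts) > 2 else None,
    }


def parse_line(line):
    """Return a finding dict for a File/RegyKey record, or None for other lines."""
    line = line.strip()
    if not line or line.startswith("//") or line.startswith("::"):
        return None                       # report header and comment lines
    kind, sep, rest = line.partition(":")
    if not sep or kind not in ("File", "RegyKey"):
        return None
    fields = next(csv.reader([rest]))     # fields are comma-separated, double-quoted
    if kind == "File":
        if len(fields) != 2:
            return None
        reason, path = fields
        finding = {"kind": kind, "reason": reason, "path": path}
        finding.update(split_ads(path))
        return finding
    if len(fields) != 4:
        return None
    reason, hive, key, value = fields
    return {"kind": kind, "reason": reason, "hive": hive, "key": key, "value": value}


def parse_report(text):
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def summarize(findings):
    """Group findings so repeated patterns and one-off outliers are visible."""
    by_reason = Counter((f["kind"], f["reason"]) for f in findings)
    streams = Counter(f["stream"] for f in findings if f.get("stream"))
    files_per_stream = defaultdict(list)
    for f in findings:
        if f.get("stream"):
            files_per_stream[f["stream"]].append(f["file"])
    # A stream name seen on exactly one file is the kind of entry to open by hand;
    # a name repeated across many install directories is more likely an installer
    # or platform artefact, though that still has to be confirmed, not assumed.
    singletons = [f for f in findings if f.get("stream") and streams[f["stream"]] == 1]
    return {"by_reason": by_reason, "streams": streams,
            "files_per_stream": dict(files_per_stream), "singletons": singletons}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE))
    for (kind, reason), n in summary["by_reason"].items():
        print(f"{n:4d}  {kind}: {reason}")
    for name, n in summary["streams"].most_common():
        print(f"{n:4d}  stream {name}")
    for f in summary["singletons"]:
        print("look at:", f["path"])
```

Run it against a saved RootAlyzer log by replacing `SAMPLE` with the file contents; the "No admin in ACL" entries are listed separately because they describe permissions, not streams, and have to be judged on the path and the product that owns it.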

tashi
2016-01-13, 03:54
Hello abcdefg,

Did you install \Axantum\AxCrypt?

The RootAlyzer is an analyst tool; sometimes even legitimate software may use rootkit technologies.

Do you suspect an infection? Is that why you ran the scan?

Best regards.

abcdefg
2016-01-13, 04:32
Thanks for your response.

Yes I did install AxCrypt.

I was selling my car on craigslist and the "buyer" required a vehicle history report from a specific website. He said he didn't trust the one I emailed him. He said he'd buy the car only if I got it from the website he had a link to in the email. Normally I know better than to click the link, and instead type it into the address bar in the browser, but I clicked the link and it seemed to load some kind of script or code, and then "nothing happened", similar to getting infected with a RAT by running an executable when it starts to open and then "nothing happens." This is when I realized he had no intention of buying the car and every intention of getting me to click on that link. I think it was a drive-by download attack. I did this from my iPhone, by the way, and I have no idea if or what that could have done to the router, computer, or other devices on the same network I had clicked the link from. New tabs on my iPhone will open and they are from my bookmarks, and only the ones I need to log into. Current open tabs will change to those pages as well. I'm guessing because if I log in, then whoever will have my credentials. That's happening on my iPad too, and I never clicked that link from my iPad. I suspect this person wants me to log into my accounts. I've had my accounts hijacked before, so I'm hesitant to log into anything over wifi. I don't really know what to do.

tashi
2016-01-13, 17:42
Hello abcdefg,

Sorry to hear that. Regarding the computer, is this a personal machine on the network, and what is your operating system, please? :)

Best regards.

abcdefg
2016-01-13, 20:08
Personal machine
Windows 10

tashi
2016-01-13, 20:31
Hi abcdefg,

For someone to take a look at the system in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) please start a new topic there after reading that forum's FAQ which also includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Then a volunteer analyst will advise. :) Please provide a link back to this topic so your helper is up to date.

Best regards.