Help with scan log



seaephpea
2016-08-06, 11:02
Hi,

Could someone possibly examine the below scan log for me, and let me know if there's anything suspicious?

Thanks in advance,

Tom


// info: Rootkit removal help file
// copyright: (c) 2008-2016 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\Windows\SysWOW64\MSIHANDLE:1190:$DATA"
File:"Unknown ADS","C:\Windows\SysWOW64\MSIHANDLE:1369:$DATA"
File:"Unknown ADS","C:\Windows\SysWOW64\MSIHANDLE:500:$DATA"
File:"Unknown ADS","C:\Windows\SysWOW64\MSIHANDLE:556:$DATA"
File:"Unknown ADS","C:\Windows\SysWOW64\MSIHANDLE:657:$DATA"
File:"Unknown ADS","C:\Windows\System32\MSIHANDLE:1190:$DATA"
File:"Unknown ADS","C:\Windows\System32\MSIHANDLE:1369:$DATA"
File:"Unknown ADS","C:\Windows\System32\MSIHANDLE:500:$DATA"
File:"Unknown ADS","C:\Windows\System32\MSIHANDLE:556:$DATA"
File:"Unknown ADS","C:\Windows\System32\MSIHANDLE:657:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\000041091A0090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109340000000100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109340090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109510090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109511090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109610090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109711090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109810090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109910090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109A10090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109B10090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109C20090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109D30000000100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109E60090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109F10090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109F100A0C00100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004109F100C0400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00004159180090400100000000F01FEC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1A578401380D43A4CBF4F336B5F7E87F:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1C006203FDB61DF43160419892CC3158:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744AA0000000010:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\6D2F3B68B2CA6100A81E2F7FF787B1C0:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\6F9E66FF7E38E3A3FA41D89E8A906A4A:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\BE4EBED704B66673BB53C5BB3C58AD73:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\c1c4f01781cc94c4c8fb1542c0981a2a:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\E1DF5BC324EC27A4CA2DA7C80D2248E5:Win32App_1:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\EFEE0228DC83E77358593193D847A0EC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Users\Bianca\AppData\Local\Citrix\Receiver:Win32App_1:$DATA"
File:"Unknown ADS","C:\ProgramData\Microsoft\OFFICE:Win32App_1:$DATA"
File:"Unknown ADS","C:\ProgramData\Microsoft\OFFICE\UICaptions:Win32App_1:$DATA"
File:"Unknown ADS","C:\ProgramData\Intel\Wireless\Settings:Win32App_1:$DATA"
File:"Unknown ADS","C:\ProgramData\Dell\PowerManager:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Citrix:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\EndNote X6:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Silverlight:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Zotero Standalone:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\VideoLAN\VLC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Skype\Toolbars:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office14:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office14\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Microsoft\BingDesktop:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\MetaGeek\inSSIDer Home:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Intel\AMT:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Intel\Bluetooth:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Intel\Intel(R) Graphics Media Accelerator Driver:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Google\Drive:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Google\Chrome\Application:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Citrix:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Skype:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\VC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Citrix\AuthManager:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Citrix\ICA Client:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Citrix\Receiver:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Citrix\SelfServicePlugin:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Citrix\ICA Client\Receiver:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Adobe\Reader 10.0:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\Adobe\Reader 10.0\Reader:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Office:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Silverlight:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Silverlight\5.1.50428.0:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Office\Office14:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Office\Office14\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\Cartridges:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\Resources\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Intel\Intel(R) Rapid Storage Technology:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Intel\WiFi:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Intel\WiFiDrivers\Drivers:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\IBM\SPSS\Statistics\22:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Dell\PowerManager:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\DESIGNER:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\System\MSMAPI\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE14:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VSTO\10.0:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office32.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office32.WW:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\Common Files\IBM\SPSS\COM:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\7-Zip\Lang:Win32App_1:$DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Svc"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc","Upgrade"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\InputMethod\Chs","DuState"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Chs","DuState"

tashi
2016-08-06, 17:36
Hello seaephpea,

In general all items found by the RootAlyzer are not necessarily malicious. Sometimes even legitimate software uses rootkit technologies.

The log isn't waving a flag so how is the computer running, was there a particular reason for running a scan? :)

Best regards.
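To make the point in the reply above concrete, here is a small triage helper. It is an added example written for this page, not code from the thread or from Safer-Networking; it parses RootAlyzer result lines in the exact format posted above (the "File:" and "RegyKey:" records), counts how often each stream name recurs, and picks out the handful of entries a reviewer would check by hand. The sample lines are copied from the log in the thread; the two heuristics (streams under user-writable directories, and stream names that occur only once) are the editor's own assumptions about what merits a second look, not RootAlyzer's logic.

```python
import re
from collections import Counter

# Sample lines copied from the RootAlyzer log posted in this thread (subset).
SAMPLE_LOG = r'''
:: RootAlyzer Results
File:"Unknown ADS","C:\Windows\SysWOW64\MSIHANDLE:1190:$DATA"
File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F:Win32App_1:$DATA"
File:"Unknown ADS","C:\Users\Bianca\AppData\Local\Citrix\Receiver:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files (x86)\VideoLAN\VLC:Win32App_1:$DATA"
File:"Unknown ADS","C:\Program Files\7-Zip\Lang:Win32App_1:$DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
'''

# Record layouts as they appear in the posted log.
FILE_RE = re.compile(r'^File:"([^"]*)","(.*)"$')
REG_RE = re.compile(r'^RegyKey:"([^"]*)","([^"]*)","([^"]*)","([^"]*)"$')

# Assumed triage heuristic: streams under these prefixes are user-writable
# locations and deserve a manual look regardless of stream name.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def parse_rootalyzer(text):
    """Turn RootAlyzer result lines into dict records; unknown lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            finding, target = m.groups()
            # target is "<path>:<stream>:$DATA"; split from the right because
            # the drive letter ("C:") also contains a colon.
            parts = target.rsplit(":", 2)
            if len(parts) != 3:
                continue
            path, stream, stype = parts
            records.append({"kind": "file", "finding": finding, "path": path,
                            "stream": stream, "type": stype})
            continue
        m = REG_RE.match(line)
        if m:
            finding, hive, key, value = m.groups()
            records.append({"kind": "registry", "finding": finding, "hive": hive,
                            "key": key, "value": value})
    return records


def stream_counts(records):
    """Count each ADS name. One name recurring across many application
    directories is a single pattern to explain, not many separate alerts."""
    return Counter(r["stream"] for r in records if r["kind"] == "file")


def registry_findings(records):
    """Return (hive, key, value) for every registry record in the log."""
    return [(r["hive"], r["key"], r["value"]) for r in records if r["kind"] == "registry"]


def needs_closer_look(records):
    """File findings a reviewer should inspect by hand: streams under
    user-writable paths, and stream names that appear only once."""
    counts = stream_counts(records)
    flagged = []
    for r in records:
        if r["kind"] != "file":
            continue
        low = r["path"].lower()
        if low.startswith(USER_WRITABLE_PREFIXES) or counts[r["stream"]] == 1:
            flagged.append(r["path"] + ":" + r["stream"])
    return flagged


if __name__ == "__main__":
    recs = parse_rootalyzer(SAMPLE_LOG)
    print("stream name counts:", dict(stream_counts(recs)))
    print("registry ACL findings:", registry_findings(recs))
    print("check by hand:", needs_closer_look(recs))
```

Run against the full log from the first post, the stream count makes the shape of the findings obvious at a glance: nearly every "Unknown ADS" entry carries the same stream name on an installed application's directory, and only a few entries (the numeric MSIHANDLE streams and the one under a user profile) fall outside that pattern and need individual attention.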

seaephpea
2016-08-06, 18:15
Hello seaephpea,
The log isn't waving a flag so how is the computer running, was there a particular reason for running a scan? :)


It's a family member's machine, which I saw had multiple pieces of software installed from untrustworthy sources. So, it's not guaranteed that it's compromised, though it was certainly possible. I'll assume the best if there are no obvious red flags.

Thanks for taking a look.

tashi
2016-08-07, 04:39
Hi seaephpea,

For peace of mind if you would like someone to take a look at the system in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) you could start a new topic there once you have access to the computer.

That forum's FAQ includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Then a volunteer analyst will advise. :)

Best regards.