Rootkit results



RBEmerson
2020-06-11, 16:47
Sorry, but I get so many search hits I'm not sure where to post, soooooooo... new topic

Ripped YT video (all free!) - every video has these five items (different file names, of course)
Type: File
Object: The Spaghetti Western Orchestra - Live at the Royal Albert Hall 2011 - Full Concert.mp4:user.dublincore.contributor:$DATA
Location: E:\Ripped\
Details: Unknown ADS

Type: File
Object: The Spaghetti Western Orchestra - Live at the Royal Albert Hall 2011 - Full Concert.mp4:user.dublincore.date:$DATA
Location: E:\Ripped\
Details: Unknown ADS

Type: File
Object: The Spaghetti Western Orchestra - Live at the Royal Albert Hall 2011 - Full Concert.mp4:user.dublincore.format:$DATA
Location: E:\Ripped\
Details: Unknown ADS

Type: File
Object: The Spaghetti Western Orchestra - Live at the Royal Albert Hall 2011 - Full Concert.mp4:user.dublincore.title:$DATA
Location: E:\Ripped\
Details: Unknown ADS

Type: File
Object: The Spaghetti Western Orchestra - Live at the Royal Albert Hall 2011 - Full Concert.mp4:user.xdg.referrer.url:$DATA
Location: E:\Ripped\
Details: Unknown ADS


MORE TO FOLLOW

RBEmerson
2020-06-11, 16:55
DROPBOX has the following for every "folder" type, for example:
Type: File
Object: Camera Uploads:com.dropbox.attributes:$DATA
Location: C:\Users\pavil\Dropbox\
Details: Unknown ADS

And then there's Nero with a host of hits such as these samples:
Type: File
Object: config.xml
Location: C:\ProgramData\Nero\Nero 10\OnlineServices\NOSWebConfig\
Details: No admin in ACL

Type: Folder
Object: OnlineServices
Location: C:\ProgramData\Nero\
Details: No admin in ACL

And, of course, Microsoft shows up with these samples:
Type: Key
Object: Final
Location: HKLM\SYSTEM\CurrentControlSet\Services\CPK2HWU\
Details: No admin in ACL

Type: Key
Object: Provider
Location: HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\
Details: No admin in ACL

Type: Key
Object: Av
Location: HKLM\SOFTWARE\Microsoft\Security Center\Provider\
Details: No admin in ACL

MORE TO FOLLOW

RBEmerson
2020-06-11, 16:57
How much of this stuff is a problem and how much of it is "Don't worry, they all do that"?


END OF POSTS
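Two checks a practitioner would run against exactly the objects in the log above, as an added example that is not part of the thread and not code from RootAlyzer or Safer-Networking. The first dumps every alternate data stream (ADS) under a path and says whether its content is plain text or binary; the second reproduces the "No admin in ACL" finding by looking for BUILTIN\Administrators in an object's DACL and listing whatever entries are there instead. The function names are my own; the paths are taken from the log; Windows 10 with PowerShell 5.1 is assumed. One assumption about origin: `user.dublincore.*` and `user.xdg.referrer.url` are the stream names youtube-dl's `--xattrs` option writes for its per-file metadata (title, date, uploader, format, source page), stored as ADS on Windows. The thread does not say which ripper was used, so treat that as the likely, not confirmed, source.

```powershell
# Added example (not from the thread, RootAlyzer or Safer-Networking).
# Assumes Windows 10 with PowerShell 5.1 and the paths from the RootAlyzer log.

function Get-AdsReport {
    param(
        [Parameter(Mandatory)] [string] $Path,   # file or folder; folders are walked recursively
        [int] $PreviewChars = 60
    )
    # Folders can carry ADS too (the Dropbox "Camera Uploads" entry is one),
    # so look at the root item and every child, not only files.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # -Stream * lists every stream; ':$DATA' is the normal content, so skip it.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $raw = Get-Content -LiteralPath $item.FullName -Stream $s.Stream -Raw `
                               -Encoding UTF8 -ErrorAction SilentlyContinue
            if ($null -eq $raw) { $raw = '' }
            # Control characters other than tab/CR/LF point to binary rather than metadata text.
            $isText = $raw -notmatch '[\x00-\x08\x0B\x0C\x0E-\x1F]'
            $preview = if ($raw.Length -gt $PreviewChars) { $raw.Substring(0, $PreviewChars) + '...' } else { $raw }
            [pscustomobject]@{
                Object  = $item.FullName
                Stream  = $s.Stream
                Bytes   = $s.Length
                IsText  = $isText
                Preview = ($preview -replace '[\r\n]+', ' ')
            }
        }
    }
}

function Test-AdminInAcl {
    param([Parameter(Mandatory)] [string] $Path)   # file, folder or registry key (HKLM:\... form)
    # Resolve the well-known SID so the check does not depend on a localized group name.
    $admins = ([System.Security.Principal.SecurityIdentifier] 'S-1-5-32-544').Translate(
                  [System.Security.Principal.NTAccount]).Value
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Reading a DACL needs READ_CONTROL. An object locked down to SYSTEM can refuse
        # even an elevated administrator, which already tells you admins are not in it.
        return [pscustomobject]@{ Path = $Path; AdminInAcl = $null; Owner = $null;
                                  Entries = @(); Error = $_.Exception.Message }
    }
    $adminRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $admins })
    $entries = @($acl.Access | ForEach-Object {
        # Registry rules expose RegistryRights, file system rules FileSystemRights.
        $rights = if ($_.PSObject.Properties['RegistryRights']) { $_.RegistryRights } else { $_.FileSystemRights }
        $tag = if ($_.IsInherited) { ', inherited' } else { '' }
        '{0}: {1} ({2}{3})' -f $_.IdentityReference.Value, $rights, $_.AccessControlType, $tag
    })
    [pscustomobject]@{
        Path       = $Path
        AdminInAcl = ($adminRules.Count -gt 0)
        Owner      = $acl.Owner
        Entries    = $entries
        Error      = $null
    }
}

# Usage, with objects taken from the RootAlyzer log:
Get-AdsReport -Path 'E:\Ripped' | Format-Table -AutoSize
Test-AdminInAcl -Path 'C:\ProgramData\Nero\OnlineServices' | Format-List
Test-AdminInAcl -Path 'HKLM:\SOFTWARE\Microsoft\Security Center\Provider\Av' | Format-List
```

Reading the output: a stream whose preview is a title, a date or a URL is metadata riding along with the file, the same class of thing as the `Zone.Identifier` stream browsers attach to downloads; an ADS with binary content sitting on an executable or DLL is the case that deserves a closer look, because that is how a payload would be hidden. For the ACL check, an entry list that names only SYSTEM, or an access-denied `Error` from an elevated prompt, reproduces the scanner's "No admin in ACL" line; whether that is a problem depends on what owns the object and whether the remaining entries make sense for it, not on the finding alone.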

tashi
2020-06-11, 17:12
Hello RBEmerson,

As the RootAlyzer is an analyst tool and not a scan and fix program, please let us know if you had any particular reason for running a rootkit scan.

What is the operating system and how is your computer running?

Best regards.

RBEmerson
2020-06-11, 21:25
It seems reasonable to wonder what things I don't want or are harmful are on my machine - hence running rootkit.

The problem is I don't know the difference between cause for concern and not a problem. Hence my question.

I'm particularly concerned about why Nero produced so many hits. Why should a burner produce so many hits?

Naturally, "what can I do about this" arises from the results.


OS Name Microsoft Windows 10 Home
Version 10.0.18362 Build 18362
Other OS Description Not Available
OS Manufacturer Microsoft Corporation
System Name LAPTOP-EN9FR8RI
System Manufacturer HP
System Model OMEN by HP Laptop 15-dc0xxx
System Type x64-based PC
System SKU 3UK57UA#ABA
Processor Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz, 2208 Mhz, 6 Core(s), 12 Logical Processor(s)
BIOS Version/Date AMI F.08, 2/21/2019
SMBIOS Version 3.2
Embedded Controller Version 93.21
BIOS Mode UEFI
BaseBoard Manufacturer HP
BaseBoard Product 84DB
BaseBoard Version 93.21
Platform Role Mobile
Secure Boot State On
PCR7 Configuration Elevation Required to View
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume5
Locale United States
Hardware Abstraction Layer Version = "10.0.18362.752"
User Name LAPTOP-EN9FR8RI\pavil
Time Zone Eastern Daylight Time
Installed Physical Memory (RAM) 16.0 GB
Total Physical Memory 15.9 GB
Available Physical Memory 9.76 GB
Total Virtual Memory 18.3 GB
Available Virtual Memory 10.1 GB
Page File Space 2.38 GB
Page File C:\pagefile.sys
Kernel DMA Protection Off
Virtualization-based security Not enabled
Device Encryption Support Elevation Required to View
Hyper-V - VM Monitor Mode Extensions Yes
Hyper-V - Second Level Address Translation Extensions Yes
Hyper-V - Virtualization Enabled in Firmware No
Hyper-V - Data Execution Protection Yes

tashi
2020-06-11, 23:08
Hello RBEmerson,

Sometimes even legitimate software uses rootkit technologies.

The log isn't waving a flag. Do you have an anti-virus program installed?

Best regards.