
Thread: Please help with possible rootkit(s) - Running Windows 8.1, fully patched

  1. #1
    twindad, Junior Member (Join Date: Dec 2013; Location: California, USA; Posts: 3)

    Please help with possible rootkit(s) - Running Windows 8.1, fully patched

    Hello,


    It looks like one or more rootkits are on my machine. It's a new box that I bought November 4th, an Asus X55U notebook with Windows 8.0 pre-installed. I immediately downloaded and installed Spybot 2.2, ZoneAlarm 12.0.104.000 (Free), Clamwin 0.98, and CCleaner 4.08. All are current. For the first three or four weeks all seemed well.

    However, a week or so ago I noticed that ZoneAlarm does not start correctly; the task bar balloon continuously says "initialization is in progress". Also, from some wifi locations I can't log into my gmail account and other secure (https / ssl) sites.

    As a workaround I have enabled the built-in Windows firewall. I have also run the command-line ipconfig utility, with all relevant options. I also regularly clear my Chrome history and other junk files, using the free browser extension History Eraser, version 3.9.5 (see http://hotcleaner.com/history-eraser...nsion-app.html).

    After reading the "before you post" thread here, I have backed up my registry with ERUNT. Here are the results of my Spybot RootAlyzer deep scan:

    // info: Rootkit removal help file
    // copyright: (c) 2008-2013 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"No admin in ACL","D:\c\ch\checkpoint-et-al\za-log.txt"
    File:"No admin in ACL","C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log"
    File:"No admin in ACL","C:\ProgramData\CheckPoint\ZoneAlarm\Data\BACKUP.NDB"
    File:"No admin in ACL","C:\ProgramData\CheckPoint\ZoneAlarm\Data\THIS-BOX.ldb"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\","8"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\","8"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\","Svc"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\InputMethod\Jpn\","DuState"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc\","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Jpn\","DuState"

    My aswMBR.txt log is ready in case you need it. I tried running DDS but it doesn't seem to work with Windows 8.1. After reading further on bleepingcomputer.com, I learned that the Farbar Recovery Scan Tool (FRST) works with Win 8.1 and produces info similar to DDS. FRST generated two logs. In my case the first one is about 1000 lines and the second is ~335 lines.

    I have stayed offline as much as possible since learning my machine may be compromised, but I have not tried anything else to repair my system. If you need them, I will upload the aswMBR and FRST logs. I'd prefer to use .7z format instead of .zip, if that is okay.


    Thank you kindly for your help!


    PS: The bits of personally identifying info in the logs and RootAlyzer output have been obfuscated already, for safety reasons.
    Last edited by twindad; 2013-12-14 at 03:18. Reason: fixed typos
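As an added example (not part of twindad's post and not RootAlyzer's own code), the PowerShell below re-reads the DACL of the objects RootAlyzer flagged, so a "No admin in ACL" finding can be judged from which principals actually hold access and whether those entries are inherited; an object that only SYSTEM can write is not by itself evidence of a rootkit. The file and key paths are taken from the RootAlyzer output above, and the script assumes an elevated session on the affected machine.

```powershell
# Added verification helper (not from the original post or from RootAlyzer).
# For each object RootAlyzer reported as "No admin in ACL", read its DACL and
# list owner, every ACE, and whether BUILTIN\Administrators is allowed access.
# Run from an elevated PowerShell prompt on the machine that was scanned.

# Paths copied from the RootAlyzer output; registry keys use the Registry:: provider.
$targets = @(
    'C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log',
    'C:\ProgramData\CheckPoint\ZoneAlarm\Data\BACKUP.NDB',
    'C:\ProgramData\CheckPoint\ZoneAlarm\Data\THIS-BOX.ldb',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\8',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Upgrade',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InputMethod\Jpn\DuState'
)

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "MISSING   $path"
        continue
    }

    $acl = Get-Acl -LiteralPath $path

    # RootAlyzer's heuristic: is there any Allow ACE for the local Administrators group?
    $adminAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow'
    }
    $status = if ($adminAce) { 'ADMIN-OK ' } else { 'NO-ADMIN ' }

    Write-Output "$status $path"
    Write-Output "          owner: $($acl.Owner)"

    foreach ($ace in $acl.Access) {
        # File ACEs expose FileSystemRights, registry ACEs expose RegistryRights.
        $rights = if ($ace.PSObject.Properties['RegistryRights']) { $ace.RegistryRights } else { $ace.FileSystemRights }
        $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Output ('          {0,-9} {1,-5} {2,-40} {3}' -f $source, $ace.AccessControlType, $ace.IdentityReference.Value, $rights)
    }
}
```

An explicit, non-inherited ACE on a file or key that Windows or the installer does not normally set is the line worth comparing against a known-clean machine; inherited entries and SYSTEM-only keys are the expected pattern for Windows-managed objects.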
