RootAlyzer Results - Anything I should worry about?

[JorgeGonzalez]

Good to know,

Hi tashi,

UPDATE: here's an update regarding some things I found. Hopefully, you'll be able to help me figure out if the Zylom items are related to a rootkit or not.

Here's a detail, step by step, of what I did and found.


1) I deleted the following items using the RootAlyzer:

File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"

2) Run the scan again, and the .tmp was deleted, but the zylom items appeared again in the scan results.

3) I unhid both hidden and system files, and try to find the two items in "C:\Users". They didn't show in the search.

4) I search the term "zylom" in the whole "C:\" drive, and found a Zylom folder (with some subfolders) both in "Allusers" and in "AAA" (this is my user). They seem to be like leftovers of an uninstalled software. So I deleted all of them.
(sorry I don't have more details about the folders, but at that moment I wasn't keeping a record of what I was doing)

5) Restarted Windows, and run the RootAlyzer scan. The zylom files appeared again on the scan results. I deleted them, run the scan but they appeared again.

6) Next, I tried to search in the registry. I opened the Regedit and search for the term "zylom" and I deleted everything I found.
In blue font, is a list of all the things I found and deleted:

HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom

HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom.1

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1383603232-337481022-996218204-1000\Software\Zylom

HKEY_CURRENT_USER\Software\Zylom
---> subfolders
HKEY_CURRENT_USER\Software\Zylom\Games
HKEY_CURRENT_USER\Software\Zylom\Games\44
HKEY_CURRENT_USER\Software\Zylom\Games\44\zgw
HKEY_CURRENT_USER\Software\Zylom\Games\44\zgw\ads
HKEY_CURRENT_USER\Software\Zylom\Games\zgw
HKEY_CURRENT_USER\Software\Zylom\Games\zgw\prefill
HKEY_CURRENT_USER\Software\Zylom\MyZylom
HKEY_CURRENT_USER\Software\Zylom\MyZylom\Credentials
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA\Deluxe
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA\Deluxe\44


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\55326525_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume3\Mula\Carrera de mente\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\9b6f68eb_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc39984d_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\c7c54a2_0
{0.0.0.00000000}.{3494111c-a709-4795-a778-2e25dbe8cedd}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\fe2e39a5_0
{0.0.0.00000000}.{afddb331-e105-4674-aa9d-4331b3273fae}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow
value name --> "*.zylom.com" ; value information --> 000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
value name --> "LastKey"
value information --> Equipo\HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ZylomGameITemp_RASAPI32
Valor 0
Nombre: EnableFileTracing
Tipo: REG_DWORD
Datos: 0

Valor 1
Nombre: EnableConsoleTracing
Tipo: REG_DWORD
Datos: 0

Valor 2
Nombre: FileTracingMask
Tipo: REG_DWORD
Datos: 0xffff0000

Valor 3
Nombre: ConsoleTracingMask
Tipo: REG_DWORD
Datos: 0xffff0000

Valor 4
Nombre: MaxFileSize
Tipo: REG_DWORD
Datos: 0x100000

Valor 5
Nombre: FileDirectory
Tipo: REG_EXPAND_SZ
Datos: %windir%\tracing

7) Then, I restarted Windows, opened Regedit, search for "zylom" and found nothing.

8) Run the RootAlyzer scan, and again found the zylom items:

File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"

9) I deleted them using the RootAlyzer, but the zylom items appeared again in the scan results.



That's as far as I got with this issue. And I still can't get rid of those zylom files :(


Of the things I found using the Regedit, there are two items that might indicate how the zylom files entered my pc:

{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume3\Mula\Carrera de mente\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

and

{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

They refer to a trivia game ("Trivial Persuit" in english, "Carrera de mente" in spanish). I don't remeber installing the game, but it's possible. The two files found by the RootAlyzer were created on March 2010, so there's a chance I forgot about it.

I searched for this "Zylom.Games.Univesal.Patcher.v1.0.exe" or the term "zylom" in all the drives (not just C:\) but I couldn't find it. (maybe I deleted them, see point 4) ).


tashi, if you are still awake after reading all this I hope you can help figure out if this is a rootkit or not.


Thanks in advanced for your help.

Best regards

Jorge

[tashi]

Hello JorgeGonzalez,

They refer to a trivia game ("Trivial Persuit" in english, "Carrera de mente" in spanish). I don't remeber installing the game, but it's possible. The two files found by the RootAlyzer were created on March 2010, so there's a chance I forgot about it.

I searched for this "Zylom.Games.Univesal.Patcher.v1.0.exe" or the term "zylom" in all the drives (not just C:\) but I couldn't find it. (maybe I deleted them, see point 4) ).

You confirmed what I asked,

Do you recognize the name, perhaps this software: http://en.wikipedia.org/wiki/Zylom

The remnants of the game may be an annoyance but there appears to be no reason to think it is a rootkit.

Have you heard of Revo uninstaller?
I've seen quite a few users who report it worked for them, at your own risk of course: http://www.pcworld.com/article/23151...installer.html

Best regards.

[JorgeGonzalez]

Hello JorgeGonzalez,




You confirmed what I asked,



The remnants of the game may be an annoyance but there appears to be no reason to think it is a rootkit.

Have you heard of Revo uninstaller?
I've seen quite a few users who report it worked for them, at your own risk of course: http://www.pcworld.com/article/23151...installer.html

Best regards.

tashi,

Thank you for your answer.

Yes. When you asked regarding Zylom I didn't search for more information because I thought it would be easy to erase with the RootAlyzer. But it wasn't.

Regarding Revo, I been using it for many years. But since the Zylom software was uninstalled before, is not possible to use it now.

Anyway. Thanks.

Best regards

Jorge