Hi tashi,
UPDATE: here's an update regarding some things I found. Hopefully, you'll be able to help me figure out if the Zylom items are related to a rootkit or not.
Here's a detail, step by step, of what I did and found.
1) I deleted the following items using the RootAlyzer:
File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"
2) Ran the scan again; the .tmp was deleted, but the zylom items appeared again in the scan results.
3) I unhid both hidden and system files, and tried to find the two items in "C:\Users". They didn't show up in the search.
4) I searched for the term "zylom" on the whole "C:\" drive, and found a Zylom folder (with some subfolders) both in "Allusers" and in "AAA" (this is my user). They seemed to be leftovers of uninstalled software, so I deleted all of them.
(sorry I don't have more details about the folders, but at that moment I wasn't keeping a record of what I was doing)
5) Restarted Windows, and ran the RootAlyzer scan. The zylom files appeared again in the scan results. I deleted them and ran the scan, but they appeared again.
6) Next, I tried searching the registry. I opened Regedit, searched for the term "zylom", and deleted everything I found.
In blue font is a list of all the things I found and deleted:
HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom
HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom.1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1383603232-337481022-996218204-1000\Software\Zylom
HKEY_CURRENT_USER\Software\Zylom
---> subfolders
HKEY_CURRENT_USER\Software\Zylom\Games
HKEY_CURRENT_USER\Software\Zylom\Games\44
HKEY_CURRENT_USER\Software\Zylom\Games\44\zgw
HKEY_CURRENT_USER\Software\Zylom\Games\44\zgw\ads
HKEY_CURRENT_USER\Software\Zylom\Games\zgw
HKEY_CURRENT_USER\Software\Zylom\Games\zgw\prefill
HKEY_CURRENT_USER\Software\Zylom\MyZylom
HKEY_CURRENT_USER\Software\Zylom\MyZylom\Credentials
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA\Deluxe
HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA\Deluxe\44
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\55326525_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume3\Mula\Carrera de mente\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\9b6f68eb_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc39984d_0
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\c7c54a2_0
{0.0.0.00000000}.{3494111c-a709-4795-a778-2e25dbe8cedd}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\fe2e39a5_0
{0.0.0.00000000}.{afddb331-e105-4674-aa9d-4331b3273fae}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow
value name --> "*.zylom.com" ; value information --> 000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
value name --> "LastKey"
value information --> Equipo\HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ZylomGameITemp_RASAPI32
Valor 0
Nombre: EnableFileTracing
Tipo: REG_DWORD
Datos: 0
Valor 1
Nombre: EnableConsoleTracing
Tipo: REG_DWORD
Datos: 0
Valor 2
Nombre: FileTracingMask
Tipo: REG_DWORD
Datos: 0xffff0000
Valor 3
Nombre: ConsoleTracingMask
Tipo: REG_DWORD
Datos: 0xffff0000
Valor 4
Nombre: MaxFileSize
Tipo: REG_DWORD
Datos: 0x100000
Valor 5
Nombre: FileDirectory
Tipo: REG_EXPAND_SZ
Datos: %windir%\tracing
7) Then I restarted Windows, opened Regedit, searched for "zylom", and found nothing.
8) Ran the RootAlyzer scan, and again found the zylom items:
File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
9) I deleted them using the RootAlyzer, but the zylom items appeared again in the scan results.
That's as far as I got with this issue. And I still can't get rid of those zylom files :(
Of the things I found using Regedit, there are two items that might indicate how the zylom files entered my PC:
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume3\Mula\Carrera de mente\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}
and
{0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}
They refer to a trivia game ("Trivial Pursuit" in English, "Carrera de mente" in Spanish). I don't remember installing the game, but it's possible. The two files found by the RootAlyzer were created in March 2010, so there's a chance I forgot about it.
I searched for this "Zylom.Games.Univesal.Patcher.v1.0.exe" or the term "zylom" on all the drives (not just C:\), but I couldn't find it (maybe I deleted them; see point 4).
tashi, if you are still awake after reading all this I hope you can help figure out if this is a rootkit or not.
Thanks in advance for your help.
Best regards,
Jorge
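As an added example (not code from Jorge's post, from RootAlyzer, or from Zylom), the following PowerShell does the two checks the post performed by hand. `Get-AdsReport` lists the named alternate data streams attached to a file or folder and shows their first bytes, which is what an entry like `C:\Users\AAA:zylomtest:$DATA` is: a stream attached to the profile folder itself, not a separate file, so the file search in step 3 cannot show it. `Find-RegistryTerm` searches key names, value names and value data for a term the way step 6 searched Regedit. The path `C:\Users\AAA` and the term `zylom` are taken from the post; the function names, parameters and output layout are mine, and it is assumed that `Get-Item -Stream` and `Remove-Item -Stream` accept a folder on the PowerShell version in use.

```powershell
# Added example, not part of the original post.
# Assumed: Get-Item/Remove-Item -Stream work on folders as well as files here.

function Get-AdsReport {
    <#
      Lists the named alternate data streams on a file or folder and previews
      their content, so a stream such as "zylomtest" can be inspected before
      deciding what it is. -Remove deletes each stream; -WhatIf previews that.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxBytes = 64,
        [switch] $Remove
    )

    # Skip ':$DATA', the unnamed default stream that is the file itself.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $name = $_.Stream

            # Read a preview of the stream as raw bytes. Windows PowerShell uses
            # -Encoding Byte; PowerShell 6+ uses -AsByteStream.
            $readArgs = @{ LiteralPath = $Path; Stream = $name; TotalCount = $MaxBytes; ErrorAction = 'SilentlyContinue' }
            if ($PSVersionTable.PSVersion.Major -ge 6) { $readArgs['AsByteStream'] = $true }
            else { $readArgs['Encoding'] = 'Byte' }
            [byte[]] $bytes = @(Get-Content @readArgs)

            $hex   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ' '
            $ascii = -join ($bytes | ForEach-Object { if ($_ -ge 0x20 -and $_ -le 0x7e) { [char]$_ } else { '.' } })

            [pscustomobject]@{
                Stream  = "${Path}:${name}"
                Length  = $_.Length
                HexHead = $hex
                Text    = $ascii
            }

            if ($Remove -and $PSCmdlet.ShouldProcess("${Path}:${name}", 'Remove stream')) {
                Remove-Item -LiteralPath $Path -Stream $name
            }
        }
}

function Find-RegistryTerm {
    <#
      Recursively searches key names, value names and value data under the given
      roots. HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and
      HKCU\Software\Classes, so the two default roots cover it. A hit under
      Applets\Regedit\LastKey only records the last key opened in Regedit, as
      the post's own list shows.
    #>
    param(
        [Parameter(Mandatory)] [string] $Term,
        [string[]] $Roots = @('HKCU:\Software', 'HKLM:\SOFTWARE')
    )
    $pattern = "*$Term*"
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -like $pattern) {
                [pscustomobject]@{ Key = $key.Name; ValueName = ''; Data = ''; MatchedOn = 'KeyName' }
            }
            foreach ($valueName in $key.GetValueNames()) {
                # Keep REG_EXPAND_SZ data such as %windir%\tracing unexpanded.
                $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
                $text = if ($data -is [array]) { $data -join ' ' } else { [string]$data }
                if ($valueName -like $pattern -or $text -like $pattern) {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $valueName; Data = $text; MatchedOn = 'ValueOrData' }
                }
            }
        }
    }
}

# Usage, with the path and term from the post:
#   Get-AdsReport -Path 'C:\Users\AAA' | Format-List
#   Get-AdsReport -Path 'C:\Users\AAA' -Remove -WhatIf
#   Find-RegistryTerm -Term 'zylom' | Format-Table -AutoSize
```

Run `Get-AdsReport` before deleting anything: the hex and text preview tells you whether a stream holds a marker string, a GUID or binary data, and the `Length` column shows whether it changes between scans. If a stream reappears after removal, the software that writes it is still installed or still running; the registry search output (`Key`, `ValueName`, `Data`) gives the locations to correlate with that, without relying on Regedit's own `LastKey` history.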