
Thread: RootAlyzer Results - Anything I should worry about?

  1. #1
    Junior Member
    Join Date
    Apr 2014
    Posts
    6

    RootAlyzer Results - Anything I should worry about?

    Hello,

    I did the first scan with RootAlyzer here are the results:

    // info: Rootkit removal help file
    // copyright: (c) 2008-2014 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
    File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
    File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"
    File:"No admin in ACL","C:\ProgramData\Microsoft\SLDL\8ac2e19a-b1f0-4bff-ae65-1019f510f093\36dde836-5584-4eae-9f09-a8bbc6421ade"
    File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
    File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\3ed8a0d3d8a08b2b.dat:731d6002-20c7-467b-94f8-8c3f3962f851:$DATA"
    File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\740a0cd30a0c93f0.dat:0180a828-dc72-4f31-9756-b24f78754e1a:$DATA"
    File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\7c4c5f144c5ec912.dat:0e879a76-dd62-4257-b231-347cdf8e0f7f:$DATA"
    File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\80421afe421af91c.dat:c27f763b-8d33-4e11-97d5-cf5830fb9f7b:$DATA"
    File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\c2b28f1eb28f15d7.dat:061a2408-a67c-4668-adf7-251dfd88d378:$DATA"
    File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\c2b28f1eb28f15d7.dat:38781673-54a8-4b66-b7d4-6d52e5770828:$DATA"
    File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\d8f6b962f6b94194.dat:0394f954-dd39-4b1d-b9cd-881890c2d01a:$DATA"
    File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\dac0ecc4c0eca849.dat:8c66e948-e9a7-436b-9f14-3c57c1965238:$DATA"
    File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\e08f86a08f851e7.dat:2fc04870-e464-4971-a8b0-a520c69dbc12:$DATA"
    File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\f080f35c80f3282c.dat:52821631-4481-411d-a724-3030a770914c:$DATA"
    File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
    File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\","LogonSoundPlayed"


    Anything I should worry about?

    Thank you !


    Jorge

  2. #2
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,470


    Hello JorgeGonzalez,

    Most entries are your AVG 10 anti virus.

    Regarding,
    File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
    File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
    File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"

    Do you recognize the name, perhaps this software: http://en.wikipedia.org/wiki/Zylom

    How is the computer running?

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Apr 2014
    Posts
    6


    Quote Originally Posted by tashi
    Hello JorgeGonzalez,

    Most entries are your AVG 10 anti virus.

    Regarding,
    File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
    File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
    File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"

    Do you recognize the name, perhaps this software: http://en.wikipedia.org/wiki/Zylom

    How is the computer running?

    Best regards.

    Hi tashi,

    Thanks for your answer!

    My computer is running ok. No problems.

    Yes. Regarding Zylom, I found the same information. I will probably delete those files.

    Actually, I was worried about this:

    File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
    File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"

    because I read about some usual rootkits that use the Recycle Bin files.
    Is there a way to find if those are rootkits?

    Thanks!

    Jorge

  4. #4
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,470


    Hello Jorge,

    Quote Originally Posted by JorgeGonzalez

    Actually, I was worried about this:

    File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
    File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"

    because I read about some usual rootkits that use the Recycle Bin files.
    Is there a way to find if those are rootkits?
    Have you tried to empty your recycle bin?

    Best regards

  5. #5
    Junior Member
    Join Date
    Apr 2014
    Posts
    6


    Quote Originally Posted by tashi
    Hello Jorge,



    Have you tried to empty your recycle bin?

    Best regards
    Yes. And it was empty when I ran the analysis (and generally I use Eraser to empty it, so I'm pretty sure there were no files).

    Just in case, let me clarify that although the log lists both results as "File:":

    File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
    File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-21-1383603232-337481022-996218204-1000\12Q0JG7YDC34P1HE6EC6UHIH504J9BZ6V"

    when the results of the analysis first appeared, they were under the "Folder" category.

  6. #6
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,470


    Hi JorgeGonzalez,

    See post #1 in this thread: https://answers.yahoo.com/question/i...7110053AApVNAm

    Might make things clearer.

    Best regards,

  7. #7
    Junior Member
    Join Date
    Apr 2014
    Posts
    6


    Quote Originally Posted by tashi
    Hi JorgeGonzalez,

    See post #1 in this thread: https://answers.yahoo.com/question/i...7110053AApVNAm

    Might make things clearer.

    Best regards,

    Thank you.
    That answered my question.

    All doubts cleared.

    Thanks for your help!!

    Best regards
    Last edited by JorgeGonzalez; 2014-04-22 at 01:36.

  8. #8
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,470


    Good to know,

  9. #9
    Junior Member
    Join Date
    Apr 2014
    Posts
    6


    Quote Originally Posted by tashi
    Good to know,

    Hi tashi,

    UPDATE: here's an update regarding some things I found. Hopefully, you'll be able to help me figure out if the Zylom items are related to a rootkit or not.

    Here's a detail, step by step, of what I did and found.


    1) I deleted the following items using the RootAlyzer:

    File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
    File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"
    File:"No admin in ACL","C:\Users\AAA\AppData\Local\Temp\~DF52554E94D011384E.TMP"

    2) Ran the scan again; the .tmp was deleted, but the Zylom items appeared again in the scan results.

    3) I unhid both hidden and system files, and tried to find the two items in "C:\Users". They didn't show up in the search.

    4) I searched for the term "zylom" in the whole "C:\" drive, and found a Zylom folder (with some subfolders) both in "Allusers" and in "AAA" (this is my user). They seem to be leftovers of uninstalled software. So I deleted all of them.
    (sorry I don't have more details about the folders, but at that moment I wasn't keeping a record of what I was doing)

    5) Restarted Windows, and ran the RootAlyzer scan. The Zylom files appeared again in the scan results. I deleted them, ran the scan again, but they appeared again.

    6) Next, I tried to search in the registry. I opened Regedit, searched for the term "zylom" and deleted everything I found.
    Below is a list of everything I found and deleted:

    HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom

    HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom.1

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1383603232-337481022-996218204-1000\Software\Zylom

    HKEY_CURRENT_USER\Software\Zylom
    ---> subfolders
    HKEY_CURRENT_USER\Software\Zylom\Games
    HKEY_CURRENT_USER\Software\Zylom\Games\44
    HKEY_CURRENT_USER\Software\Zylom\Games\44\zgw
    HKEY_CURRENT_USER\Software\Zylom\Games\44\zgw\ads
    HKEY_CURRENT_USER\Software\Zylom\Games\zgw
    HKEY_CURRENT_USER\Software\Zylom\Games\zgw\prefill
    HKEY_CURRENT_USER\Software\Zylom\MyZylom
    HKEY_CURRENT_USER\Software\Zylom\MyZylom\Credentials
    HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA
    HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA\Deluxe
    HKEY_CURRENT_USER\Software\Zylom\MyZylom\EMA\Deluxe\44


    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\55326525_0
    {0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume3\Mula\Carrera de mente\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\9b6f68eb_0
    {0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc39984d_0
    {0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\c7c54a2_0
    {0.0.0.00000000}.{3494111c-a709-4795-a778-2e25dbe8cedd}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\fe2e39a5_0
    {0.0.0.00000000}.{afddb331-e105-4674-aa9d-4331b3273fae}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\trivialpursuit.dll%b{00000000-0000-0000-0000-000000000000}

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow
    value name --> "*.zylom.com" ; value information --> 000

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
    value name --> "LastKey"
    value information --> Equipo\HKEY_CLASSES_ROOT\ZylomGamesPlayer.ZylomGamesPlayerCtrlZylom\CurVer

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ZylomGameITemp_RASAPI32
    Valor 0
    Nombre: EnableFileTracing
    Tipo: REG_DWORD
    Datos: 0

    Valor 1
    Nombre: EnableConsoleTracing
    Tipo: REG_DWORD
    Datos: 0

    Valor 2
    Nombre: FileTracingMask
    Tipo: REG_DWORD
    Datos: 0xffff0000

    Valor 3
    Nombre: ConsoleTracingMask
    Tipo: REG_DWORD
    Datos: 0xffff0000

    Valor 4
    Nombre: MaxFileSize
    Tipo: REG_DWORD
    Datos: 0x100000

    Valor 5
    Nombre: FileDirectory
    Tipo: REG_EXPAND_SZ
    Datos: %windir%\tracing


    7) Then, I restarted Windows, opened Regedit, searched for "zylom" and found nothing.

    8) Ran the RootAlyzer scan, and again found the Zylom items:

    File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
    File:"Unknown ADS","C:\Users\AAA:zylomtr{000HQ7FF-AD7A-3FG5-CHL5-24516UNKQ673}:$DATA"

    9) I deleted them using RootAlyzer, but the Zylom items appeared again in the scan results.



    That's as far as I got with this issue. And I still can't get rid of those zylom files :(


    Of the things I found using the Regedit, there are two items that might indicate how the zylom files entered my pc:

    {0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume3\Mula\Carrera de mente\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

    and

    {0.0.0.00000000}.{f2e9341e-e2b2-4cce-b084-271af45d2c16}|\Device\HarddiskVolume1\Program Files\Zylom Games\Trivial Pursuit Genus Edition Deluxe\Zylom.Games.Univesal.Patcher.v1.0.exe%b{00000000-0000-0000-0000-000000000000}

    They refer to a trivia game ("Trivial Pursuit" in English, "Carrera de mente" in Spanish). I don't remember installing the game, but it's possible. The two files found by RootAlyzer were created in March 2010, so there's a chance I forgot about it.

    I searched for this "Zylom.Games.Univesal.Patcher.v1.0.exe" or the term "zylom" in all the drives (not just C:\) but I couldn't find it (maybe I deleted them; see point 4).


    tashi, if you are still awake after reading all this I hope you can help figure out if this is a rootkit or not.


    Thanks in advance for your help.

    Best regards

    Jorge
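The script below is an example added to this thread; it is not RootAlyzer's code and not something either poster ran. It parses result lines in the format quoted above and inspects, read-only, what each finding points at: for an "Unknown ADS" entry it lists the named stream with its byte count (a stream such as C:\Users\AAA:zylomtest:$DATA hangs off the folder C:\Users\AAA itself, which is why a file search for "zylom" in step 3 finds nothing), and for a "No admin in ACL" entry it prints the owner and access entries. The sample log is constructed from lines quoted in the thread, the function names are mine, and it assumes Windows PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example, not part of the thread and not RootAlyzer's own code.
# Parses RootAlyzer result lines and inspects, read-only, what each one
# points at, so a finding can be understood before anything is deleted.
# Assumes Windows PowerShell 3.0+ on NTFS; $sampleLog is constructed from
# lines quoted in the thread.

$sampleLog = @'
File:"Unknown ADS","C:\Users\AAA:zylomtest:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG10\Chjw\3ed8a0d3d8a08b2b.dat:731d6002-20c7-467b-94f8-8c3f3962f851:$DATA"
File:"No admin in ACL","C:\$Recycle.Bin\S-1-5-18"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\","LogonSoundPlayed"
'@

function ConvertFrom-RootAlyzerLine {
    # One result line has the shape  Kind:"Check","Arg1"[,"Arg2",...]
    param([string]$Line)
    if ($Line -match '^(?<kind>\w+):(?<rest>.+)$') {
        $kind   = $Matches['kind']
        $fields = [regex]::Matches($Matches['rest'], '"([^"]*)"') |
                  ForEach-Object { $_.Groups[1].Value }
        [pscustomobject]@{ Kind = $kind; Check = $fields[0]; Args = @($fields | Select-Object -Skip 1) }
    }
}

function Get-LocationPrefix {
    # Drive plus up to two folders of the host path (stream suffix removed),
    # so findings group by product location, e.g. C:\ProgramData\AVG10.
    param([string]$Path)
    $parts = ($Path -replace ':[^\\:]+:\$DATA$', '') -split '\\'
    $last  = [math]::Min(2, $parts.Count - 1)
    $parts[0..$last] -join '\'
}

function Show-UnknownAds {
    # "C:\Users\AAA:zylomtest:$DATA" names a data stream attached to the folder
    # C:\Users\AAA itself, not a file inside it. 'dir /r' lists named streams
    # on files and folders alike, together with their byte count.
    param([string]$Spec)
    if ($Spec -match '^(?<host>[A-Za-z]:\\[^:]*):(?<stream>[^:]+):\$DATA$') {
        $hostPath = $Matches['host']; $stream = $Matches['stream']
        $parent   = Split-Path -LiteralPath $hostPath -Parent
        $leaf     = Split-Path -LiteralPath $hostPath -Leaf
        $wanted   = [regex]::Escape("${leaf}:${stream}:`$DATA")
        $line     = cmd.exe /c dir /r /a $parent 2>$null |
                    Where-Object { $_ -match ('\s' + $wanted + '$') } |
                    Select-Object -First 1
        if ($line) { "  [ADS] $hostPath  stream='$stream'  -> " + $line.Trim() }
        else       { "  [ADS] $hostPath  stream='$stream'  not listed (removed, or '$parent' not readable)" }
    } else {
        Write-Warning "Cannot split ADS spec: $Spec"
    }
}

function Show-AclWithoutAdmin {
    # RootAlyzer flags objects whose ACL grants nothing to Administrators.
    # Listing owner and ACEs shows who does hold access; a per-user
    # $Recycle.Bin\<SID> folder normally carries only that SID and SYSTEM
    # (S-1-5-18 is LocalSystem), so entries there are expected.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { "  [ACL] $Path : not readable from this account (run elevated to inspect)"; return }
    "  [ACL] $Path  owner=$($acl.Owner)"
    foreach ($ace in $acl.Access) {
        "        {0,-40} {1,-6} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights
    }
}

$entries = $sampleLog -split "`r?`n" | Where-Object { $_ } | ForEach-Object { ConvertFrom-RootAlyzerLine $_ }

# Summary by check and location: the grouping behind "most entries are your
# AVG 10 anti virus", done mechanically.
$entries | Group-Object -Property Check, { Get-LocationPrefix $_.Args[0] } |
    Select-Object Count, Name | Format-Table -AutoSize

foreach ($e in $entries) {
    switch ($e.Check) {
        'Unknown ADS'     { Show-UnknownAds -Spec $e.Args[0] }
        'No admin in ACL' {
            if ($e.Kind -eq 'File') { Show-AclWithoutAdmin -Path $e.Args[0] }
            else { "  [REG] $($e.Args[0])$($e.Args[1]) value '$($e.Args[2])' (inspect with Get-Acl on the HKLM:\ drive)" }
        }
    }
}
```

Replace $sampleLog with the contents of a saved RootAlyzer result file to run it over a real scan. The stream size is the first useful clue: a few bytes of text is typically a marker left by an installer, whereas a large stream deserves a closer look before it is deleted. Because the script only reads, it can be run as many times as needed while deciding what to remove.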

  10. #10
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,470


    Hello JorgeGonzalez,

    Quote Originally Posted by JorgeGonzalez
    They refer to a trivia game ("Trivial Pursuit" in English, "Carrera de mente" in Spanish). I don't remember installing the game, but it's possible. The two files found by RootAlyzer were created in March 2010, so there's a chance I forgot about it.

    I searched for this "Zylom.Games.Univesal.Patcher.v1.0.exe" or the term "zylom" in all the drives (not just C:\) but I couldn't find it (maybe I deleted them; see point 4).

    You confirmed what I asked,

    Quote Originally Posted by tashi
    Do you recognize the name, perhaps this software: http://en.wikipedia.org/wiki/Zylom
    The remnants of the game may be an annoyance but there appears to be no reason to think it is a rootkit.

    Have you heard of Revo uninstaller?
    I've seen quite a few users who report it worked for them, at your own risk of course: http://www.pcworld.com/article/23151...installer.html

    Best regards.
    Last edited by tashi; 2014-04-22 at 17:38. Reason: clarify
