
Thread: RootKit Analyzer Deep Scan Results, do I have a RootKit?

  1. #1

    RootKit Analyzer Deep Scan Results, do I have a RootKit?

    Here's my scan log; I have no idea if any of this is bad:

    :: RootAlyzer Results
    File:"Unknown ADS","C:\Users\Matt\Local Settings:P4B9xHBUVoEcIaPw0ywC:$DATA"
    File:"Unknown ADS","C:\Users\Matt\AppData\Local:P4B9xHBUVoEcIaPw0ywC:$DATA"
    File:"Unknown ADS","C:\Users\Matt\AppData\Local\3xAHBiaTTG:zH4MA7j5SOc4Svn6w0D9Q:$DATA"
    File:"Unknown ADS","C:\Users\Matt\AppData\Local\Application Data:P4B9xHBUVoEcIaPw0ywC:$DATA"
    File:"Unknown ADS","C:\ProgramData\Microsoft:9Oyhl36j8JRO1OR8haiHu:$DATA"
    File:"Unknown ADS","C:\ProgramData\Microsoft:viBoRxnQpSb51qm7FuRetaUqE:$DATA"
    File:"Unknown ADS","C:\ProgramData\Microsoft\YfPUvE4qBtufJQ:U8BnASnuhOFScTeU:$DATA"
    File:"No admin in ACL","C:\cygwin64\usr\share\doc\Cygwin\ctags-5.8.README"
    File:"No admin in ACL","C:\cygwin64\usr\share\doc\ctags-5.8\ctags.html"
    File:"No admin in ACL","C:\cygwin64\home\Matt\.bash_history"
    File:"No admin in ACL","C:\cygwin64\etc\inittab"
    File:"No admin in ACL","C:\cygwin64\etc\rebase.db.x86_64"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\","Flyout"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\","Svc"


    Also, I closed the Analyzer without deleting these entries. Do I have to rerun a complete Deep Scan if I do actually need to delete any of these items?
    Last edited by tashi; 2014-10-06 at 07:09. Reason: Removed code box
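The log above lists two kinds of findings: alternate data streams (ADS) the tool does not recognise, and files or registry keys whose ACL lacks an Administrators entry. As an added example (not part of the original thread or of RootAlyzer itself), the script below parses lines in that output format, separates the host file from the stream name, and puts random-looking stream names first in a review list. The sample log lines, the allow-list of known stream names and the "random-looking" heuristic are all constructed for the example; `Zone.Identifier` is the real stream Windows uses for mark-of-the-web, the rest of the logic is an assumption about what is worth a human's attention, not a verdict of malice.

```python
import re

# Stream names Windows itself writes on ordinary files. Constructed allow-list
# for this example; Zone.Identifier (mark-of-the-web) is the common benign case.
KNOWN_STREAMS = {"Zone.Identifier"}

# Constructed sample in the RootAlyzer output format shown in the post.
SAMPLE_LOG = r""":: RootAlyzer Results
File:"Unknown ADS","C:\Users\Matt\AppData\Local:P4B9xHBUVoEcIaPw0ywC:$DATA"
File:"Unknown ADS","C:\ProgramData\Microsoft:9Oyhl36j8JRO1OR8haiHu:$DATA"
File:"Unknown ADS","C:\Users\Matt\Documents\notes.txt:Zone.Identifier:$DATA"
File:"No admin in ACL","C:\cygwin64\etc\inittab"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center\","Svc"
"""


def parse_rootalyzer(text):
    """Turn each 'Kind:"reason","field",...' line into a record dict."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("::"):      # skip blanks and the header
            continue
        kind, _, rest = line.partition(":")        # 'File' / 'RegyKey'
        fields = re.findall(r'"([^"]*)"', rest)    # quoted, comma-separated fields
        if len(fields) < 2:
            continue
        records.append({"kind": kind, "reason": fields[0], "fields": fields[1:]})
    return records


def split_ads(path):
    """Split 'C:\\dir\\host:stream:$DATA' into (host path, stream name)."""
    if path.endswith(":$DATA"):
        path = path[: -len(":$DATA")]
    host, _, stream = path.rpartition(":")         # last ':' separates the stream
    return host, stream


def looks_random(name):
    """Heuristic (assumption): long, mixed-case alphanumerics with no dots."""
    has_upper = any(c.isupper() for c in name)
    has_lower = any(c.islower() for c in name)
    has_digit = any(c.isdigit() for c in name)
    return len(name) >= 12 and has_upper and has_lower and has_digit and "." not in name


def triage(text):
    """Group findings so a reviewer sees the unexplained streams first."""
    report = {"suspicious_ads": [], "known_ads": [], "acl_findings": 0, "other": []}
    for rec in parse_rootalyzer(text):
        if rec["kind"] == "File" and rec["reason"] == "Unknown ADS":
            host, stream = split_ads(rec["fields"][0])
            if stream in KNOWN_STREAMS:
                report["known_ads"].append((host, stream))
            elif looks_random(stream):
                report["suspicious_ads"].append((host, stream))
            else:
                report["other"].append(rec)
        elif rec["reason"] == "No admin in ACL":
            report["acl_findings"] += 1             # permission oddities, not code
        else:
            report["other"].append(rec)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Review first (unexplained ADS):")
    for host, stream in result["suspicious_ads"]:
        print(f"  {host}  stream={stream}")
    print(f"Known benign streams: {len(result['known_ads'])}")
    print(f"ACL-only findings:    {result['acl_findings']}")
```

The list this produces is a starting point for a manual check, not a cleanup list: on the machine itself the streams can be confirmed with PowerShell's `Get-Item -Path <file or folder> -Stream *`, and a stream that belongs to legitimate software (some backup and sync tools store metadata this way) will show up here just as a malicious one would.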

  2. #2
    Member of Team Spybot tashi (Join Date: Oct 2005; Location: USA; Posts: 30,961)

    Hello matthewjumpsoffbuilding,

    In general, all items found by the RootAlyzer are not necessarily malicious; it shows items it believes to be out of the ordinary, which may give a hint of an infection.

    Sometimes even legitimate software uses rootkit technologies. How is the computer running? Was there a particular reason for running the scan?

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3


    It hasn't been running particularly badly.

    The main reason for the scan was that Clamwin's memory scan reported something while I was running Chrome:

    C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\chrome.dll: W32.Virut.Gen.D-148 FOUND

  4. #4
    Member of Team Spybot tashi (Join Date: Oct 2005; Location: USA; Posts: 30,961)

    Hello matthewjumpsoffbuilding,

    Quote Originally Posted by matthewjumpsoffbuilding:
    The main reason for the scan was that Clamwin's memory scan reported something while I was running Chrome:

    C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\chrome.dll: W32.Virut.Gen.D-148 FOUND
    Possibly a false positive; however, it might be best for someone to take a look at the system. Please see the Malware Removal Forum sticky, which includes guidelines and instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

    http://forums.spybot.info/showthread.php?t=288

    Then start a new topic in that forum providing the logs so a volunteer analyst can guide you; also provide a link back to this thread, please.

    Best regards.
    Last edited by tashi; 2014-10-06 at 22:52. Reason: clarify

  5. #5


    I will check that out, thanks.

    Some more info.

    I browsed to the location and found there were 2 versions of Chrome, C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124, and C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.120.

    I scanned chrome.dll in 37.0.2062.120 with Clamwin, Windows Security Essentials, MalwareBytes AntiMalware, and they all returned clean.

    I scanned chrome.dll in 37.0.2062.124 with the same tools, and all but Clamwin returned clean.

    I then uninstalled Chrome completely, reinstalled it fresh, and rescanned chrome.dll in the 37.0.2062.124 folder (now the only folder in there), and Clamwin still reported the same virus.

    Does that make it more likely a false positive?

  6. #6
    Member of Team Spybot tashi (Join Date: Oct 2005; Location: USA; Posts: 30,961)

    Hi matthewjumpsoffbuilding,

    Quote Originally Posted by matthewjumpsoffbuilding:
    Does that make it more likely a false positive?
    Could be, but Virut is nasty.

    I see you reported it at the Clamwin forums: http://forums.clamwin.com/search.php...psoffbuildings