
Thread: please advise on these 2 items found in my rootkit scan

#1 Junior Member (Join Date: May 2015, Posts: 6)

please advise on these 2 items found in my rootkit scan

I am running the Windows 7 Starter 32-bit operating system.
Are these 2 items deletable? Please advise! Thank you in advance!

    Folders
    type: Folder object: DATA location: C:\ProgramData\Microsoft\OFFICE\ details: No admin in ACL

    Registry Keys
    type: Key object: LogonSoundPlayed location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\ details: No admin in ACL

#2 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,476)

    Hello monkeyC,

Those entries are fine; how is the computer running?

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

#3 Junior Member (Join Date: May 2015, Posts: 6)

Hey tashi,

Thanks for a quick reply.

Please clarify, though: "fine" as in don't delete, or okay to delete?

The computer is running fine for an old netbook. I thought it may have gotten infected a few months back in Dec/Jan by some FBI/Interpol virus. Firefox's window kept redirecting and opening up tabs/windows to an FBI/Interpol warning page claiming I committed a crime and must contact them and pay a fine. Well, I'm not gullible, and instead of interacting with those sites I attempted to close the windows and finally shut the computer down. Is that called a browser hijack?

Anyway, after doing research on that virus and attempting cleanup, it appeared that my computer may not have been infected since I did not interact with the site.

However, that doesn't mean I was correct in deducing my computer wasn't infected by that FBI/Interpol virus or compromised in other ways. So, I am using several antivirus/spyware/malware scans and cleanup utilities.

#4 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,476)

    Hi monkeyC,

Originally posted by monkeyC:
> Please clarify, though: "fine" as in don't delete, or okay to delete?

The files as shown do not require action.

Originally posted by monkeyC:
> The computer is running fine for an old netbook. I thought it may have gotten infected a few months back in Dec/Jan by some FBI/Interpol virus. Firefox's window kept redirecting and opening up tabs/windows to an FBI/Interpol warning page claiming I committed a crime and must contact them and pay a fine. Well, I'm not gullible, and instead of interacting with those sites I attempted to close the windows and finally shut the computer down. Is that called a browser hijack?

The so-called FBI ransomware? http://www.fbi.gov/news/stories/2015...re-on-the-rise

Were your files encrypted by this infection?

Originally posted by monkeyC:
> Anyway, after doing research on that virus and attempting cleanup, it appeared that my computer may not have been infected since I did not interact with the site.
>
> However, that doesn't mean I was correct in deducing my computer wasn't infected by that FBI/Interpol virus or compromised in other ways. So, I am using several antivirus/spyware/malware scans and cleanup utilities.

Please describe the security programs installed on the machine and which tools you have been using.

    Best regards.

#5 Junior Member (Join Date: May 2015, Posts: 6)

Hey tashi,

Okay, I will leave those items alone. Would it be detrimental to my system if they were deleted?

I ran the rootkit scan again and a 3rd item appeared. Please advise:

Registry Keys
type: Key object: Vol location: HKLM\SOFTWARE\Microsoft\SecurityCenter\Svc\ details: No admin in ACL

And yes, my recent concern was a version of the FBI ransomware; thanks for the link. I don't believe my files were encrypted. Encrypted meaning my access to my files would be limited or altogether inaccessible, correct?

Besides using the keyboard command Ctrl+W or clicking the red X in the top right corner of the browser window, I had no other interaction with that site since it was obviously suspicious. When that wouldn't work, I forced a shutdown. I haven't had any noticeable consequences since that initial incident.

Prior to starting my barrage of scans and cleanups, I noticed a zipped folder in my Downloads folder I did not recognize called ClearCydiaListCache. When I did a Google search for it, I found sites claiming ClearCydiaListCache.exe is a possible virus, so I deleted that zipped folder.

Security programs/tools used, in this order:
Windows Defender
Avast Free Antivirus
AVG Free
Panda Free Antivirus
Malwarebytes Anti-Malware
Spybot Search&Destroy
CCleaner

First, I updated and ran Windows Defender's full system scan. Then for Avast, AVG, Panda, and Malwarebytes Anti-Malware, I dealt with each program individually. For example, I installed Avast, updated it, scanned in both logon modes (normal and safe mode), then uninstalled it. Then installed AVG, etc., etc.

The only programs still installed on my computer are Spybot and CCleaner. The browser I use is Firefox and I have the plugin Adblock Edge.

I plan to install Malwarebytes Anti-Exploit and give it a try. PCMag.com had a good review for it. I could also run HijackThis and post my scan result in a forum.

Cheers!

#6 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,476)

    Hello monkeyC,

Originally posted by monkeyC:
> Hey tashi,
>
> Okay, I will leave those items alone. Would it be detrimental to my system if they were deleted?

Originally posted by tashi:
> The files as shown do not require action.

Originally posted by monkeyC:
> I ran the rootkit scan again and a 3rd item appeared. Please advise:
>
> Registry Keys
> type: Key object: Vol location: HKLM\SOFTWARE\Microsoft\SecurityCenter\Svc\ details: No admin in ACL

In general, the items found by RootAlyzer are not necessarily malicious; it shows items it believes to be out of the ordinary, which may give a hint of an infection.

Sometimes even legitimate software uses rootkit technologies.

Originally posted by monkeyC:
> The only programs still installed on my computer are Spybot and CCleaner.
> <snip>
> I could also run HijackThis and post my scan result in a forum.

We no longer use HijackThis for a preliminary analysis. Please let me know if you have an anti-virus program installed.

    Then I will give further instructions to post in our malware removal forum.

    Best regards.
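Added example for readers of this thread (not code from the thread, from Spybot or from RootAlyzer): a PowerShell script that looks at the actual ACL of each item the scan flagged as "No admin in ACL" and reports whether BUILTIN\Administrators holds an Allow entry, who owns the object, and whether inheritance has been cut off. The paths are the three items posted above, combined as location plus object; the test itself is my assumption about what the "No admin in ACL" detail means, since the tool's exact rule is not described in the thread. The syntax is kept PowerShell 2.0-compatible so it runs on a stock Windows 7 machine from an elevated prompt.

```powershell
# Added example (not RootAlyzer's own code): inspect the ACLs of the items the
# rootkit scan flagged with "No admin in ACL". Paths are the ones posted in the
# thread (location + object); whether an item really is a key rather than a
# value is an assumption, and a value has no ACL of its own (only its key does).
$flaggedItems = @(
    'C:\ProgramData\Microsoft\OFFICE',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LogonSoundPlayed',
    'HKLM:\SOFTWARE\Microsoft\SecurityCenter\Svc\Vol'
)

$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-IdentitySid {
    # Resolve an ACE identity (account name or SID) to its SID string; $null if unresolvable
    param($Identity)
    try {
        return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

function Test-AdminInAcl {
    # Summarise one path's ACL: does Administrators hold an Allow entry, who owns it,
    # and has inheritance from the parent been blocked (AreAccessRulesProtected).
    param([string]$Path)

    if (-not (Test-Path -Path $Path)) {
        return New-Object PSObject -Property @{
            Path = $Path; Exists = $false; AdminAllow = $null
            Owner = $null; InheritanceBlocked = $null; Entries = @()
        }
    }

    $acl = Get-Acl -Path $Path
    $entries = @()
    $adminAllow = $false
    foreach ($ace in $acl.Access) {
        # Registry and file-system ACEs expose their rights under different property names
        if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = $ace.RegistryRights
        } else {
            $rights = $ace.FileSystemRights
        }
        $entries += ('{0} {1} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $rights)
        if ($ace.AccessControlType -eq 'Allow' -and (Get-IdentitySid $ace.IdentityReference) -eq $adminSid) {
            $adminAllow = $true
        }
    }

    return New-Object PSObject -Property @{
        Path               = $Path
        Exists             = $true
        AdminAllow         = $adminAllow
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Entries            = $entries
    }
}

$results = foreach ($item in $flaggedItems) { Test-AdminInAcl -Path $item }
$results | Format-List Path, Exists, Owner, AdminAllow, InheritanceBlocked, Entries
```

Read the output the way tashi describes the tool's findings: an item where Administrators is simply absent but the owner is SYSTEM or TrustedInstaller and the remaining entries are the usual Windows service accounts is what "out of the ordinary but not necessarily malicious" looks like; an explicit Deny for Administrators, blocked inheritance with an owner you do not recognise, or a key that the script reports as missing while the scan still lists it are the cases worth pasting into the malware removal topic for the analyst.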

#7 Junior Member (Join Date: May 2015, Posts: 6)

Hey tashi,

Yes, I'm aware that files found by the rootkit scan may not be malicious, which is why I am discussing them with experts like yourself!

As I mentioned previously, I had run 3 antivirus programs (Avast Free, AVG Free, Panda Free) and also Malwarebytes Anti-Malware. But after doing full system scans in both normal logon mode and safe mode, and not finding any infections, I uninstalled them. My netbook unfortunately has limited processing power.

I will now run Windows Update.

Any other suggestions or advice you may have to offer?

Cheers!

#8 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,476)

Originally posted by monkeyC:
> As I mentioned previously, I had run 3 antivirus programs (Avast Free, AVG Free, Panda Free) and also Malwarebytes Anti-Malware. But after doing full system scans in both normal logon mode and safe mode, and not finding any infections, I uninstalled them. My netbook unfortunately has limited processing power.

Hi monkeyC,

    For someone to take a look at the system please start a topic in the Malware Removal Forum and a volunteer analyst will advise.

    First see that forum's FAQ which also includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

    http://forums.spybot.info/showthread.php?t=288

    Please provide a link back to this thread.

    Best regards.

#9 Junior Member (Join Date: May 2015, Posts: 6)

Hey tashi,

Thanks for the info. I will look into those programs you suggested.

What is the best way to provide a link to this discussion if I post logs to a topic in the malware forum?

Thanks again!

#10 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,476)

    Hi monkeyC,

Originally posted by monkeyC:
> Hey tashi,
>
> Thanks for the info. I will look into those programs you suggested.
>
> What is the best way to provide a link to this discussion if I post logs to a topic in the malware forum?
>
> Thanks again!

    The link is the url in your browser bar: https://forums.spybot.info/showthread.php?72357-please-advise-on-these-2-items-found-in-my-rootkit-scan&p=464101

Those programs are only to be used if starting a topic in the malware forum; they are for the analyst who responds.

    Best regards.