Thread: RootAlyzer Results

  1. #1
    Junior Member
    Join Date
    Jan 2016
    Posts
    3

    RootAlyzer Results

    // info: Rootkit removal help file
    // copyright: (c) 2008-2016 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109610090400000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109611090400100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109810090400000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109A20000000100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109A20090400100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109E60090400000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109F10090400000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\6414876250E69FF3395387C6C7F05BEB:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744BA0000000010:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\E1810453A043A7E44B90136643272B7F:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\F9EAF6243737E6942A51D97BFE3489FC:Win32App_1:$DATA"
    File:"No admin in ACL","C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\Quarantine"
    File:"No admin in ACL","C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp"
    File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
    File:"Unknown ADS","C:\ProgramData\Microsoft\OFFICE\DATA:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\Apple\Apple Application Support\kdrl:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Apple Software Update:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Bonjour:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\CrystalDiskInfo:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\DishAnywhereDesktop:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Malwarebytes Anti-Malware:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Norton 360:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\PDFTK Builder:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ZYTO\ZYTOTouchV2:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft.NET\RedistList:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Works\1033:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Visual Studio\COMMON\IDE\IDE98:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Silverlight\5.1.41105.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office12\1033:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office12\1036:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office12\3082:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\iTunes\Mozilla Plugins:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\DESIGNER:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\System\Ole DB:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\System\Ole DB\Resources\1033:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\System\MSMAPI\1033:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Excel.en-us:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Office.en-us:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Office64.en-us:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Office64.WW:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Outlook.en-us:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Proofing.en-us:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\Publisher.en-us:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Apple\Apple Application Support:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Apple\Mobile Device Support:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco EAP-FAST Module:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco LEAP Module:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco PEAP Module:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco PEAP Module\en-US:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco LEAP Module\en-US:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Cisco\Cisco EAP-FAST Module\en-US:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Carbonite\Carbonite Backup:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Bonjour\Bonjour.Resources:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\cs:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\da:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\de:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\el:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\en-US:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\es:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\fi:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\fr:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\hu:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\it:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\ja:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\ko:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\nl:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\no:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\pt-BR:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\ru:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\sv:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\th:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\tr:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\zh_CHS:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\help\zh_CHT:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Welcome:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Adobe\Reader 11.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Adobe\Reader 11.0\Reader:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\ATI Technologies:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Bonjour:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\IDT:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\iTunes:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Silverlight:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\SUPERAntiSpyware:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Validity Sensors:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Validity Sensors\Shared\Drivers:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Silverlight\5.1.41105.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Office\Office12:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Office\Office12\1033:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\iPod\bin\iPodService.Resources:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\Apple\Apple Application Support:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\Apple\CoreFP:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\Apple\Mobile Device Support:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Axantum\AxCrypt:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\ATI Technologies\ATI.ACE\Fuel:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\ATI\CIM:Win32App_1:$DATA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\ADOVMPPackage","Final"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\ADOVMPPackage","Final"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Chs","DuState"

    Are these ok? If not, which ones would you recommend removing? Thanks very much in advance.

  2. #2
    tashi, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    Hello abcdefg,

    Did you install \Axantum\AxCrypt?

    The RootAlyzer is an analyst tool; sometimes even legitimate software may use rootkit technologies.

    Do you suspect an infection? Is that why you ran the scan?

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Jan 2016
    Posts
    3


    Thanks for your response.

    Yes, I did install AxCrypt.

    I was selling my car on Craigslist and the "buyer" required a vehicle history report from a specific website. He said he didn't trust the one I emailed him. He said he'd buy the car only if I got it from the website he had a link to in the email. Normally I know better than to click the link, and instead type it into the address bar in the browser, but I clicked the link and it seemed to load some kind of script or code, and then "nothing happened", similar to getting infected with a RAT by running an executable when it starts to open and then "nothing happens." This is when I realized he had no intention of buying the car and every intention of getting me to click on that link. I think it was a drive-by download attack. I did this from my iPhone, though, by the way, and I have no idea if or what that could have done to the router, computer, or other devices on the same network I had clicked the link from. New tabs on my iPhone will open and they are from my bookmarks, and only the ones I need to log into. Current open tabs will change to those pages as well. I'm guessing because if I log in, then whoever will have my credentials. That's happening on my iPad too, and I never clicked that link from my iPad. I suspect this person wants me to log into my accounts. I've had my accounts hijacked before, so I'm hesitant to log into anything over wifi. I don't really know what to do.

  4. #4
    tashi, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    Hello abcdefg,

    Sorry to hear that. Regarding the computer, is this a personal machine on the network, and what is your operating system, please?

    Best regards.
    Last edited by tashi; 2016-01-13 at 18:44. Reason: clarify

  5. #5
    Junior Member
    Join Date
    Jan 2016
    Posts
    3


    Personal machine
    Windows 10

  6. #6
    tashi, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    Hi abcdefg,

    For someone to take a look at the system in the Malware Removal Forum, please start a new topic there after reading that forum's FAQ, which also includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

    http://forums.spybot.info/showthread.php?t=288

    Then a volunteer analyst will advise. Please provide a link back to this topic so your helper is up to date.

    Best regards.
