
Thread: Yet Another SpyBot Rootkit Analyzer Thread

  #1 Junior Member (joined Nov 2016, 2 posts)

    Yet Another SpyBot Rootkit Analyzer Thread

    Hi,
    I ran a scan for rootkits on my computer and came back with the following results:

    // info: Rootkit removal help file
    // copyright: (c) 2008-2016 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"Unknown ADS","C:\Windows\PLA\System\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
    File:"Unknown ADS","C:\Users\ME\Dropbox\Metal:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\ME\Dropbox\nzb:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\ME\Dropbox\Photos:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\ME\Dropbox\LeAnna & Mark\Bead Embroidery:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\ME\Dropbox\LeAnna & Mark\Bead Patterns and Tutorials:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\ME\Dropbox\LeAnna & Mark\Data Tracker for Jewelry:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\ME\Dropbox\LeAnna & Mark\Jewelry Price Sheet:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\ME\Dropbox\LeAnna & Mark\Marks Downloads:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\ME\Dropbox\LeAnna & Mark\New Pics:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\ME\Dropbox\LeAnna & Mark\Data Tracker for Jewelry\Images:com.dropbox.attributes:$DATA"
    File:"No admin in ACL","C:\ProgramData\Real\setup\config.ini"
    File:"No admin in ACL","C:\ProgramData\Protexis64\11022422.sys"
    File:"No admin in ACL","C:\ProgramData\Protexis64\KGyGaAvL.sys"
    File:"No admin in ACL","C:\ProgramData\Microsoft\SLDL\39ae4df0-508e-433c-b1f0-e6a0dfd39f2c\7b79d313-a84a-4c02-930c-9a1159ca6184"
    File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
    File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\MARK_20161117-000001\report.xml:Qgrg2rf1Znaluncm1kfl1xla5h:$DATA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}","8"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}","8"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center","Svc"

    Most of these items I feel confident are nothing, but there are a few suspicious items among them, and I would feel better if they were checked out by someone who knows.

    Thank you in advance for your time on this.

    Sandpaper600
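A small triage helper, added here as an example (it is not RootAlyzer's code and not part of the thread), that parses result lines in the format shown above and separates "Unknown ADS" findings by stream name. The allowlist of known-benign stream names is an assumption for illustration; the sample input is constructed from the kinds of entries in the post.

```python
import re

# Constructed sample in RootAlyzer's result format (entries modelled on the post above).
SAMPLE = r"""
:: RootAlyzer Results
File:"Unknown ADS","C:\Windows\PLA\System\System Diagnostics.xml:0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"Unknown ADS","C:\Users\ME\Dropbox\Photos:com.dropbox.attributes:$DATA"
File:"No admin in ACL","C:\ProgramData\Real\setup\config.ini"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Wow6432Node\Microsoft\Security Center","Svc"
"""

# Assumption: stream names an analyst has already accounted for (Dropbox sync metadata here).
KNOWN_BENIGN_STREAMS = {"com.dropbox.attributes"}

LINE_RE = re.compile(r'^(\w+):(.*)$')      # record type before the first colon
FIELD_RE = re.compile(r'"([^"]*)"')        # every double-quoted field on the line


def parse_rootalyzer(text):
    """Return one dict per result line; header (::) and comment (//) lines are skipped."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("//", "::")):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = FIELD_RE.findall(m.group(2))
        if len(fields) < 2:
            continue
        results.append({"type": m.group(1), "category": fields[0], "fields": fields[1:]})
    return results


def triage_ads(results):
    """Split each 'Unknown ADS' path into (file, stream) and sort by allowlist membership.

    A stream path looks like C:\path\file:streamname:$DATA, so splitting on the two
    rightmost colons leaves the drive letter's colon untouched.
    """
    flagged, benign = [], []
    for r in results:
        if r["type"] != "File" or r["category"] != "Unknown ADS":
            continue
        path, stream, _kind = r["fields"][0].rsplit(":", 2)
        (benign if stream in KNOWN_BENIGN_STREAMS else flagged).append((path, stream))
    return flagged, benign


if __name__ == "__main__":
    flagged, benign = triage_ads(parse_rootalyzer(SAMPLE))
    for path, stream in flagged:
        print(f"needs a look: {path} (stream {stream})")
```

Anything left in the flagged list still has to be checked by hand; the allowlist only removes streams an analyst has already explained.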

  #2 tashi, Member of Team Spybot (joined Oct 2005, USA, 30,959 posts)

    Hello Sandpaper600,

    How is the computer running? Was there a particular reason for running a rootkit scan?

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  #3 Junior Member (joined Nov 2016, 2 posts)

    I suddenly started receiving messages from Malwarebytes that it was blocking connections to the same website over and over, about every 3 or 4 seconds continuously. The website trying to be accessed is allonsy.hopto.org, with the IP of 41.66.28.72. Every time the box pops up I see it is trying to access a different outbound port. The other kinda odd thing about it is the process says C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe.

    I ran Malwarebytes on my computer but it didn't find anything. If I disconnect from the internet, the popups stop.

    I looked at Regsvcs.exe and found it was basically an installer for .NET Framework. So, thinking I was infected and worst case was going to have to reformat anyway, I decided to delete the Regsvcs.exe file. The popups stopped for a bit, so I thought I had it beat.

    Then I got another popup from MBAM about IP 151.237.67.24. There was no site name, just the IP. And here's another weird thing, it was using my uTorrent client to try the connection. I thought about other tools I have used in the past for malware removal and decided to download the Microsoft Malicious Software Tool. Ran that - found nothing.

    I D/Led Combofix, Ran that - found nothing.

    Then I decided to try ESET Online Scanner. I ran that and it froze about 20 minutes into the scan. I decided to try again, same. I'm not sure if maybe the problem is that I have a 64-bit system or what. It didn't have anything about different software for 32 or 64.

    Which brings me to where I am now with the Spybot scan.

    To answer your question, outside of the malicious website popups, the computer runs fine. No slowdowns, no blocked programs or usability. And I know you're probably thinking I got something via uTorrent, but the only thing I D/L is .epub books and I scan every D/L with malwarebytes before ever opening it.

    I know that's not bulletproof, but I only D/L from one site and I feel reasonably sure that the community there would sound off if there were any problems with the files being hosted.

    So, that being said, what do you think of the scan results?

  #4 tashi, Member of Team Spybot (joined Oct 2005, USA, 30,959 posts)

    Hello Sandpaper600,

    As Malwarebytes raised the flag have you posted at their forums?

    The log doesn't indicate a rootkit but results can be inconclusive, which is why I asked how the computer was running.

    By the way, we have a sticky about ComboFix.

    Is this a personal computer? If so, I can direct you to our malware forum so someone can take a look at the system.

    Best regards.


    Edit: Topic at Malwarebytes.