
Thread: Many new files with Unknown ADS?

  1. #1
    Junior Member
    Join Date
    Feb 2017
    Posts
    2

    Default Many new files with Unknown ADS?

    I am hoping for some help in understanding these deep rootkit search results. I was targeted by an identity theft-related attack last year. I got a new computer, moved and got a new ISP account, made new accounts for absolutely everything (email, web banking, etc etc) on a 3rd computer and network - in other words, this new machine has not been exposed to my previous, contaminated system or accounts in ANY way (they've never been on the same network, never shared any memory device or even been in bluetooth range of one another). This PC is an entirely fresh slate.

    I don't believe the registry "no admin in ACL" entries are cause for concern. These appeared immediately after I took the Windows 10 upgrade and I read that this was common.

    However, this huge list of "Unknown ADS" entries has suddenly appeared (none of them appeared the last time I did a deep scan, which was many months ago). Almost all of these programs have been installed for a long time, since before my previous rootkit scan, and these $data entries did not show up on previous scans.

    I ran all my usual scans: spybot, malwarebytes, avast (which runs in the background full-time), and turned up nothing. Is it possible that this is benign? That it is malignant? I do have some small reason to believe that I am still being targeted by the same identity thief as last time, but I'm not jumping to that conclusion.

    (One further note of possible interest: After getting this result, I also ran a deep rootkit scan on my roommate's laptop. It similarly turned up a large number of similar entries (unknown ADS) - however, in her case, every single one was related to a document shared in her OneDrive. But I do not use OneDrive on my machine, and she has never logged into her OneDrive account on my machine.)

    Thanks for any help that anyone might be able to provide.




    // info: Rootkit removal help file
    // copyright: (c) 2008-2017 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\2B7A37F2E05E6A93A9CBFE984E6CE263:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\39103BDF0ADFAAD3CAAC7AE5FE5E6370:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744BA0000000010:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\840EA1DC88CD5164A9F5E706C7007063:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\B8CF35CA81EEC9F3B9950639D7B081C2:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\BCA1BC2A2A49AB231AE5D70813F95798:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\CFD2C1F142D260E3CB8B271543DA9F98:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\EFEE0228DC83E77358593193D847A0EC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\F942F94A19C0F79468FD2B85E5E8677B:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\regid.1991-06.com.microsoft:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\SRS Labs\APO:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\Intel\Wireless\Settings:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel Driver Update Utility:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\OpenOffice 4:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Opera:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Project64 1.6:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Spybot - Search & Destroy 2:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\StarCraft II:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\UltraISO:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\TOSHIBA\PasswordUtility:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\TOSHIBA\System Setting:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\TOSHIBA\TOSHIBA Blu-ray Disc Player:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD Engine:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\TOSHIBA\ToshibaFB:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver\Drivers\x64:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\TOSHIBA\PCDiag\Lang:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Realtek\NICDRV_8169:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Realtek\Realtek Card Reader:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office16:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\KnuckleCracker\Creeper World DEMO:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Bluetooth:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\iCLS Client:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Intel(R) Management Engine Components:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Intel(R) Processor Graphics:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\InstallShield Installation Information\DVD_Engine_Setup:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Infogrames\RollerCoaster Tycoon 2:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Google\Chrome\Application:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\eSupport.com\eSupport UndeletePlus:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\DTS, Inc\DTS Studio Sound:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\CyberLink\MediaShow6:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe AIR:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\DESIGNER:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\VC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\ATI Technologies\Multimedia:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\WebKit:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Aspyr\Tony Hawks Pro Skater 4\Game\data:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\AMD AVT\bin:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Adobe\Reader 11.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Adobe\Reader 11.0\Reader:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\7-Zip:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\CCleaner:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\MotioninJoy:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\TOSHIBA\HDD Protection:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\TOSHIBA\Hotkey:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\TOSHIBA\Teco:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\TOSHIBA\TOSHIBA Audio Enhancement:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\TOSHIBA\TOSHIBA Desktop Assist:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\TOSHIBA\TOSHIBA Recovery Media Creator:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\TOSHIBA\TOSHIBA Service Station:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\TOSHIBA\TOSHIBA Smart View Utility:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\TOSHIBA\TPHM:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\TOSHIBA\TPHM\Lang:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Realtek\Audio\HDA:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Portrait Displays\Chroma Tune for TOSHIBA:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\KnuckleCracker\Creeper World 3:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\iCLS Client:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\Intel(R) Rapid Storage Technology:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\WiFi:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\WiFiDrivers\Drivers:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\Telemetry 2.0\x64:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\Intel(R) Rapid Storage Technology\Lang:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\EaseUS\EaseUS Data Recovery Wizard:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\CyberLink\PowerDirectorTouch:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\ATI Technologies\Multimedia:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\ATI\CIM:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\7-Zip\Lang:Win32App_1:$DATA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Svc"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\InputMethod\Jpn","DuState"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\InputMethod\Chs","DuState"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Jpn","DuState"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Chs","DuState"
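
    Two things stand out in the log above: every "Unknown ADS" entry names a folder rather than a file, and every one carries the same stream name, Win32App_1. "Unknown" only says the scanner could not classify that stream name; it says nothing about what the stream contains. The script below is an added example, not part of the original post and not code from Safer-Networking's RootAlyzer; it enumerates the named alternate data streams under the roots the log lists, reads each one, and groups them by name and content hash, so the question becomes "what is in these streams and are they all identical?" instead of a guess. It assumes Windows 10 on NTFS, Windows PowerShell 5.1 or PowerShell 7, and an elevated prompt (some of the listed folders are not readable by a standard user); the root list and preview length are choices made for this example.

```powershell
# Added example: not from the original post and not part of RootAlyzer.
# Enumerates named NTFS alternate data streams (ADS) under the roots that appear in the
# log, reads each stream, and summarises them by (stream name, SHA-256 of content).
# Assumptions: Windows 10 / NTFS, Windows PowerShell 5.1 or PowerShell 7, elevated prompt.

$roots = @(                                  # folders taken from the log above
    'C:\Program Files',
    'C:\Program Files (x86)',
    'C:\ProgramData',
    'C:\Windows\Installer\$PatchCache$'
)
$previewBytes = 64                           # how much of each stream to show as text

function Read-StreamBytes {
    # Reads one named stream of a file or folder as raw bytes.
    # The byte-reading switch differs between Windows PowerShell 5.1 (-Encoding Byte)
    # and PowerShell 7 (-AsByteStream); both return $null if the stream cannot be read.
    param([string]$Path, [string]$Stream)
    try {
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw -ErrorAction Stop
        } else {
            Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw -ErrorAction Stop
        }
    } catch {
        $null
    }
}

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # The log lists folders, so walk directories as well as files; -Force includes
    # hidden and system entries, and the root itself is checked too.
    $items = @(Get-Item -LiteralPath $root -Force) +
             @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # Get-Item -Stream * lists every $DATA stream on the object. ':$DATA' is the
        # unnamed main stream of a file and is skipped; a folder only has named streams.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $bytes = Read-StreamBytes -Path $item.FullName -Stream $s.Stream
            $hash = if ($bytes) {
                (Get-FileHash -InputStream ([System.IO.MemoryStream]::new([byte[]]$bytes)) `
                              -Algorithm SHA256).Hash
            } else { 'EMPTY' }
            # Printable-ASCII preview of the first bytes; anything else becomes '.'
            $preview = if ($bytes) {
                -join ([byte[]]$bytes | Select-Object -First $previewBytes | ForEach-Object {
                    if ($_ -ge 0x20 -and $_ -le 0x7e) { [char]$_ } else { '.' } })
            } else { '' }
            [pscustomobject]@{
                Path    = $item.FullName
                IsDir   = $item.PSIsContainer
                Stream  = $s.Stream
                Length  = $s.Length
                # NTFS keeps timestamps per file record, not per stream, so the owner's
                # LastWriteTime is the nearest clue to when the stream was written.
                Written = $item.LastWriteTime
                SHA256  = $hash
                Preview = $preview
            }
        }
    }
}

# Summary: one line per distinct (stream name, content) pair and how many paths carry it.
# A single line with a large count means the flagged streams are all the same payload.
$findings | Group-Object Stream, SHA256 | Sort-Object Count -Descending | ForEach-Object {
    $first = $_.Group[0]
    '{0,5} x {1,-20} {2,6} bytes  sha256={3}  preview="{4}"' -f `
        $_.Count, $first.Stream, $first.Length, $first.SHA256, $first.Preview
}

# Full detail for the stream name the scanner flagged.
$findings | Where-Object Stream -eq 'Win32App_1' |
    Format-Table Path, IsDir, Length, Written, Preview -AutoSize
```

    The summary table is the part worth reading first: if the Win32App_1 streams all hash to the same value and the preview is plain text or a short marker, you are looking at one writer stamping many folders, which is how legitimate bookkeeping streams (the Zone.Identifier stream on downloaded files is the everyday example) tend to look. Distinct hashes, large sizes, or a preview that looks like an MZ header would be the opposite and worth a closer look. The same enumeration is available without PowerShell as `dir /r` in cmd.exe, and a single stream can be deleted with `Remove-Item -LiteralPath <folder> -Stream Win32App_1`, though removing a stream before knowing which component wrote it mostly guarantees it will be recreated.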

  2. #2
    Member of Team Spybot (tashi)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello jacobaitken,

    Quote Originally Posted by jacobaitken View Post
    I ran all my usual scans: spybot, malwarebytes, avast (which runs in the background full-time), and turned up nothing. Is it possible that this is benign? That it is malignant?
    The log isn't raising a flag.

    Quote Originally Posted by jacobaitken View Post
    I do have some small reason to believe that I am still being targeted by the same identity thief as last time,
    Via your computer?

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Feb 2017
    Posts
    2

    Default

    1) That's a relief, thank you.

    2) No, the computer and my web accounts seem fine (my suspicions are based on ongoing shenanigans with the credit bureaus and my former bank).

    Thanks again!
