Results 1 to 6 of 6

Thread: Log

  1. #1
    Junior Member
    Join Date
    Nov 2017
    Posts
    3

    Exclamation Log

    He doesn't, so I hope it is ok if I do. I bought a used PC with Windows 10 64-bit and made a rootkit scan this afternoon. Here is the result logfile:

    Oh, uploading of the logfile is not possible, it says :

    "Rootkits.171129-1723.log - Invalid File" Haha!

    So I renamed the file to Rootkits.171129-1723.txt, let's see if I can upload it now....

    Yes it worked! So - my question (of course): any threats? I don't know what ADS and ACL means.

    // info: Rootkit removal help file
    // copyright: (c) 2008-2017 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00005109090070400100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00005109110000000100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\000051091C0000000100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\000051091C0070400100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00005109610070400100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00005109810070400100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00005109AB0070400100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00005109B10070400100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00005109B21070400100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\regid.1991-06.com.microsoft:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\Microsoft\OFFICE:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\Microsoft\OFFICE\UICaptions:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\AMD:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft.NET:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Mozilla Firefox:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Mozilla Firefox\plugins:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft SQL Server\110\Shared:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office15:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office15\1031:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office15\DCF:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\Cartridges:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\Resources\1031:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\System\Ole DB:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\VC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\1031:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\1031:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\AMD\ATI.ACE\Core-Static:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\AMD\ATI.ACE\Branding\Welcome:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\7-Zip:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\IrfanView:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Office:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft.NET\ADOMD.NET\110:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft SQL Server\110\Shared:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Office\Office15:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Office\Office15\1031:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Office\Office15\1031\DataServices:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Analysis Services\AS OLEDB\110\Cartridges:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Analysis Services\AS OLEDB\110\Resources\1031:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\DESIGNER:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\System\Ole DB:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\System\MSMAPI\1031:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\DCF.de-de:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\InfoPath.de-de:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Lync.de-de:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Office32.de-de:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Office32.WW:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\OneNote.de-de:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\OSM.de-de:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Outlook.de-de:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Proofing.de-de:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Publisher.de-de:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Classic Shell\Skins:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\AMD\CIM:Win32App_1:$DATA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Svc"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\InputMethod\Chs","DuState"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Chs","DuState"
    Attached Files Attached Files
    Last edited by tashi; 2017-11-29 at 19:31. Reason: Split off from another's thread. Copy pasted log into new topic

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    29,945

    Default

    Hello Skylark,

    The RootAlyzer is an analyst tool, in general all items found by the RootAlyzer are not necessarily malicious.

    Sometimes even legitimate software uses rootkit technologies, the log isn't raising a flag.

    How is the computer running, do you have an anti virus program installed?

    Best regards.
    Microsoft MVP 2006-2016
    Windows Insider MVP 2016, 2017

  3. #3
    Junior Member
    Join Date
    Nov 2017
    Posts
    3

    Default

    Thank you, tashi! The computer is running well, it is the fastest PC I ever had and it has 8 GB RAM. The Antivirus software is Avast free.

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    29,945

    Default

    Hi Skylark,

    Good to hear, you should be good to go then.

    Cheers.
    Microsoft MVP 2006-2016
    Windows Insider MVP 2016, 2017

  5. #5
    Junior Member
    Join Date
    Nov 2017
    Posts
    3

    Default

    Thank you, but what means ADS and ACL?

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    29,945

    Default

    Hello Skylark,

    The RootAlyzer is an analyst tool and their terms may not be useful for most users.

    For instance, unknown MBR just means that RootAlyzer does not know this pattern, this can have various reasons, perhaps usage of a bootloader.

    Windows and several antivirus programs also store (temporary) information in ADS.

    Alternate Data Streams (ADS) https://blogs.technet.microsoft.com/...reams-in-ntfs/

    I do not see anything in the log that might require sending you to our malware forum to have other logs analyzed, especially as you have a computer that is running well. If the situation changes please let me know.

    Best regards.
    Microsoft MVP 2006-2016
    Windows Insider MVP 2016, 2017

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •