
Thread: System very slow and wondering if RootAlyzer logs shed any light

  1. #1 Junior Member (Join Date: Apr 2019, Posts: 6)

    // info: Rootkit removal help file
    // copyright: (c) 2008-2019 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00005109F80000000100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1007C6B46D7C017319E3B52CF3EC196E:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\A67310A92852C3943A25E852921DF7C2:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\A8E4AA759C2EC1F43B1F67C2633E4427:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\CFD2C1F142D260E3CB8B271543DA9F98:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Users\kento\Dropbox\Books:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\kento\Dropbox\Camera Uploads:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\kento\Dropbox\Fonts:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\kento\Dropbox\Fonts\2017 Website Fonts & splatters:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\kento\Dropbox\Fonts\2017 Website Fonts & splatters\artwork splatters:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\kento\Dropbox\Fonts\2017 Website Fonts & splatters\fonts:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\kento\Dropbox\Fonts\2017 Website Fonts & splatters\fonts\fonts:com.dropbox.attributes:$DATA"
    File:"Unknown ADS","C:\Users\kento\AppData\Local\VirtualStore\Program Files (x86)\Adobe\Photoshop 7.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\VMware:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\AMD:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ATI Technologies:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Bonjour:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Hewlett-Packard:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel Driver Update Utility:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft SQL Server Compact Edition:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\TeamViewer:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\VMware:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\Contacts:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\Photo Gallery:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\Shared:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\SOXE:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\Shared\en:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\Shared\en-gb:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\Photo Gallery\en:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\Photo Gallery\en-gb:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\Photo Gallery\Shared:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\Installer\en:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Windows Live\Installer\en-gb:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\VMware\VMware Horizon View Client:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\VMware\VMware Player:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\VideoLAN\VLC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office15:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office12\1033:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Hewlett-Packard\HP Support Framework:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Google\Chrome\Application:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\DYMO\DYMO Label Software:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\DESIGNER:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\ThinPrint:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\VMware:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\VMware\USB\DriverCache:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\microsoft shared\VC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\Office Setup Controller:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Bonjour\Bonjour.Resources:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\AMD\ATI.ACE\Branding\Welcome:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Adobe\Acrobat Reader DC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Adobe\Photoshop 7.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\7-Zip:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\ActivePartitionRecovery:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Bonjour:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\FileZilla FTP Client:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Hewlett-Packard:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Office 15:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\UNP:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Teradata\Client\15.10\Teradata Studio nt-x8664:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\MySQL\MySQL Workbench 6.3 CE:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Java\jre7:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\HP\HP Touchpoint Analytics Client:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\VMware\DeviceRedirectionCommon:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\VMware\Drivers\vmci:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\DW:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VSTO\10.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\AMD\CIM:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\7-Zip\Lang:Win32App_1:$DATA"
    File:"Unknown ADS","C:\$Recycle.Bin\S-1-5-18\$RSA466B:Win32App_1:$DATA"
    File:"Unknown ADS","C:\$Recycle.Bin\S-1-5-18\$RU6EVG0:Win32App_1:$DATA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\CPK2HWU","Final"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\CPK1HWU","Final"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\CPK2HWU","Final"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Services\CPK1HWU","Final"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Provider"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Svc"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","CBP"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Provider","DPA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\InputMethod\Chs","DuState"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center","Provider"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","CBP"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Provider","DPA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Chs","DuState"


    Thanks in advance
    Kenzo

  2. #2 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,416)

    Hello Kenzo,

    The log alone is not raising a flag, as even legitimate software may use rootkit technologies.

    If you suspect an infection, it would be best if someone can take a look at the system in the Malware Removal Forum.

    Please start a new topic there, the forum's FAQ includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

    http://forums.spybot.info/showthread.php?t=288

    Then a volunteer analyst will take a look and advise.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
