Results 1 to 4 of 4

Thread: Rootkit Scan "ACE Flags"? - repeated files in properties

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Junior Member
    Join Date
    Jul 2021
    Posts
    5

    Default Rootkit Scan "ACE Flags"? - repeated files in properties

    Hi. Recent big fan of Spybot. Already bought one Pro version. Probably going for another for my work laptop too.

    My issue is with something I haven't seen addressed anywhere on the forums. Not about "no admin in ACL", nor "Unknown ADS".
    So you do a Rootkit Scan. Then right-click on a Key registry file. (It does say No admin in ACL, but that's not my issue.) Click Show properties, and then click the Security tab. There we find several Users and system permissions I understand.
    On some of these key registry files, and opening the specifics of the users, I find the expected files ACE Type and Rights. But some also have files named "ACE Flags".
    Is this a Spybot warning? Should I do something about these flags?

    For example, several key registry files named {111A26D-EF95-4A45-9F55-21E52ADF9887}
    Located at HKLM\Software\Classes\WOW6432Node\AppID\
    I have repeated "System (NT Authority)" x2. And all other users there. And with each repeated user, one of them throws a file named:
    "ACE Flags"
    Inside each ACE flag file:
    Object_Inherit_ACE
    Container_Inherit_ACE
    Inherit_Only_ACE

    I've found the the same issue on a Key registry file named "DuState"
    Located at HKLM\Software\Microsoft\InputMethod\Chs\
    I have repeated "TrustedInstaller (NT Service)" x2. One of them throws a file named:
    "ACE Flags"
    Inside the ACE flag file:
    Container_Inherit_ACE

    Is this normal and supposed to be there? Or is this suspicious?
    The fact is I can't find anywhere what a Security tab, on the properties of a Key registry file is supposed to look like.
    Should I delete these?
    Just the files themselves? The entire ACE Flags folders? The entire key registry file?

    Thanks for any and all response and help!

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,775

    Default

    Hello SpiralGalaxy,

    The RootAlyzer is not a scan and fix program and there is no need to remove those items.

    Wow6432 is a Windows registry entry and the latter is also Microsoft.

    How is your computer running, any issues?

    Best regards,
    tashi
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Jul 2021
    Posts
    5

    Default

    Thanks for the quick response Tashi.
    And sorry for the delayed thanks.

    No. I haven't had any suspicious activity on this laptop... Since I reformated it and reinstalled Windows 10.
    I had several malware scares some weeks ago. Trying to get all the information I can to make sure I can keep monitoring my systems. Probably be leaving lots of questions here.

    But in case you know it... Are you aware of the Segurazo malware? Apparently it acts as a rootkit, infecting very deep into the systems if not contained fast. Unfortunately, I didn't. Reformated my laptop in the end. But not sure if that is enough for.something that can enter the key registry files apparently.
    Would be good to know what signs to what out for.

    Edit: Actually, I think I'll better just post a new thread specifically on that topic...
    Thanks!
    Last edited by SpiralGalaxy; 2021-07-14 at 21:28.

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,775

    Default

    Topic in the Tavern: https://forums.spybot.info/showthrea...-legit-or-scam

    This one is closed.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •