malware/rootkit problems



jbird
2009-07-16, 08:25
Hello and thank you for your help, :cowboy:
I am getting URL re-directs. I am not able to get Spybot to run and Malwarebytes does not find anything. McAfee said it found and removed: Generic Rootkit.d!rootkit, file: NTOSKRNL -HOOK.

I have run Erunt.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:13 AM, on 7/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\Compaq_Owner\Desktop\rootalyz-0.3.4.47\RootAlyzer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\romeo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\virusscan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McPvTray] C:\Program Files\McAfee\Anti-Theft\McPvTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1636] command.com /c del "C:\WINDOWS\system32\drivers\ESQULrodcnrolxjualtppqnxsnkojuacpmpnu.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2839] cmd.exe /c del "C:\WINDOWS\system32\drivers\ESQULrodcnrolxjualtppqnxsnkojuacpmpnu.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8500] command.com /c del "C:\WINDOWS\system32\ESQULllkiajycfnqkhatsvslgajkoggualnbr.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3402] cmd.exe /c del "C:\WINDOWS\system32\ESQULllkiajycfnqkhatsvslgajkoggualnbr.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3029] command.com /c del "C:\WINDOWS\system32\ESQULbnyceyyhcnoeupjogwvwsflufpqgjjwt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4720] cmd.exe /c del "C:\WINDOWS\system32\ESQULbnyceyyhcnoeupjogwvwsflufpqgjjwt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2785] command.com /c del "C:\WINDOWS\system32\ESQULbnyceyyhcnoeupjogwvwsflufpqgjjwt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3561] cmd.exe /c del "C:\WINDOWS\system32\ESQULbnyceyyhcnoeupjogwvwsflufpqgjjwt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5424] command.com /c del "C:\WINDOWS\system32\ESQULllkiajycfnqkhatsvslgajkoggualnbr.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9957] cmd.exe /c del "C:\WINDOWS\system32\ESQULllkiajycfnqkhatsvslgajkoggualnbr.dll"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Compaq_Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8810] command.com /c del "C:\WINDOWS\system32\drivers\ESQULrodcnrolxjualtppqnxsnkojuacpmpnu.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7743] cmd.exe /c del "C:\WINDOWS\system32\drivers\ESQULrodcnrolxjualtppqnxsnkojuacpmpnu.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6210] command.com /c del "C:\WINDOWS\system32\ESQULllkiajycfnqkhatsvslgajkoggualnbr.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4169] cmd.exe /c del "C:\WINDOWS\system32\ESQULllkiajycfnqkhatsvslgajkoggualnbr.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7738] command.com /c del "C:\WINDOWS\system32\ESQULbnyceyyhcnoeupjogwvwsflufpqgjjwt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8068] cmd.exe /c del "C:\WINDOWS\system32\ESQULbnyceyyhcnoeupjogwvwsflufpqgjjwt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8307] command.com /c del "C:\WINDOWS\system32\ESQULbnyceyyhcnoeupjogwvwsflufpqgjjwt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2420] cmd.exe /c del "C:\WINDOWS\system32\ESQULbnyceyyhcnoeupjogwvwsflufpqgjjwt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9123] command.com /c del "C:\WINDOWS\system32\ESQULllkiajycfnqkhatsvslgajkoggualnbr.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2101] cmd.exe /c del "C:\WINDOWS\system32\ESQULllkiajycfnqkhatsvslgajkoggualnbr.dll"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O18 - Protocol: ezpp - {810403FA-E82E-11D5-8AAB-0010A404A3DE} - C:\WINDOWS\system32\eztoolslib.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12267 bytes



// info: Rootkit removal help file
// copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\ESQULbnyceyyhcnoeupjogwvwsflufpqgjjwt.dll"
File:"Hidden file","C:\WINDOWS\system32\ESQULllkiajycfnqkhatsvslgajkoggualnbr.dll"
File:"Hidden file","C:\WINDOWS\system32\ESQULzcounter"
File:"Invisible to Win32","C:\WINDOWS\system32\ESQULbnyceyyhcnoeupjogwvwsflufpqgjjwt.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\ESQULllkiajycfnqkhatsvslgajkoggualnbr.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\ESQULzcounter"
File:"Invisible to Win32","C:\WINDOWS\system32\drivers\ESQULrodcnrolxjualtppqnxsnkojuacpmpnu.sys"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\Contents.dat"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\global.js"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\HpuFunction.dll"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\HPWUCli.exe"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\hpwuSchd2.exe"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\main.hta"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\SoftwareUpdate.dll"
File:"No admin in ACL","C:\Program Files\HP\HP Software Update\unicows.dll"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\rkfree:cfg:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c601cb454e0e.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c61e09b0a6d3.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c62b47197750.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c66ebd777fb4.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c6f9422396a1.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c6f95283a12b.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c6fd1002ea95.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c7b0703edc01.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c7b36e361b94.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c7c5602ca6a7.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c817ff4baeb7.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c81b19e699ca.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8522a66adf6.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8522b30d780.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8690699257b.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c86918b32336.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c87ee7981669.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8960282552b.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8eb47fb507a.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8eb4cde97c7.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8f32832172c.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8f328321c0e.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8f96e8a2f8c.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8f9a3c1bd67.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8f9a529507d.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8fca66f11fe.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8fcab919f6a.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c8fda6faff68.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c912b6636bb2.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c91e8367d437.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c9263c2a633d.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c926401b74ed.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c92e2b84a929.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c92fb6043f72.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c93dd7128308.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c944ebd6de83.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c94b3bf67fe3.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c94b3ce79285.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c94b6db902d9.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2429226375-2613991924-3820448917-1009$201c965345980d5.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
Directory:"No admin in ACL","C:\Program Files\NOS"
Directory:"No admin in ACL","C:\Program Files\HP\HP Software Update"
Directory:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\NOS"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\","NOS"



:thanks:

jbird
2009-07-16, 23:59
Problem fixed and Spybot is working again :) Combofix