Something found



Rontti
2012-12-13, 20:16
Hi,

This is what was found:


File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\cabundle.crt"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\MetaData"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\usagestatsinstall.log"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CHS.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CHT.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CSY.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-DAN.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-DEU.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ELL.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ENG.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ENU.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESL.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESN.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESP.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-FIN.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-FRA.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-HUN.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ITA.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-JPN.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-KOR.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-NLD.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-NOR.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PLK.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PTB.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PTG.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-RUS.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SKY.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SLV.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SVE.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-THA.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-TRK.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\MetaData\cddbplm.gcf"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\MetaData\elists.db"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\cabundle.crt"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\MetaData"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\usagestatsinstall.log"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CHS.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CHT.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CSY.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-DAN.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-DEU.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ELL.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ENG.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ENU.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESL.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESN.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESP.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-FIN.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-FRA.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-HUN.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ITA.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-JPN.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-KOR.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-NLD.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-NOR.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PLK.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PTB.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PTG.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-RUS.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SKY.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SLV.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SVE.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-THA.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-TRK.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\MetaData\cddbplm.gcf"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\MetaData\elists.db"
File:"Unknown ADS","C:\OEM\Preload\Autorun\APP\Acer Clear.fi Client:$WIMMOUNTDATA:$DATA"
File:"Unknown ADS","C:\OEM\Preload\Autorun\APP\HotKey Utility v2.5:$WIMMOUNTDATA:$DATA"



Are most of those part of Nero burn software or what :( ?

Rontti
2012-12-13, 21:00
Forgot to mention that the current Spybot version I'm using is

2.0.12.0

Start center
2.0.12.126

tashi
2012-12-13, 22:53
Hello Rontti,

Your question is similar to the one posted here: http://forums.spybot.info/showthread.php?t=67206

How is the computer running?

Best regards. :)

Rontti
2012-12-14, 00:22
Thanks for the answer. Yes, it appears to be a similar case. I read that list and I actually found some of the very same results.

So it might be rather safe to assume that this is Nero related. Though that list I posted missed one line:

File:"Unknown ADS","C:\Users\All Users\Temp:5C321E34:$DATA"

Don't know what that is, but my computer is running fine and I have not noticed anything suspicious. It is just that I occasionally like to run scans to make sure that there isn't anything lurking in my computer. I know that Spybot 2.0.xx is warning that not all rootkit search results are necessarily malware related.

tashi
2012-12-15, 21:26
Hello Rontti,

Though that list I posted missed one line:

File:"Unknown ADS","C:\Users\All Users\Temp:5C321E34:$DATA"

It's running out of a temp directory, usually a cleanup of temp files will remove such. :)

S1ybot
2013-01-03, 20:56
Hello Rontti,

It's running out of a temp directory, usually a cleanup of temp files will remove such. :)

Not sure what you mean by "running out of a temp directory". It's an alternate data stream located on the directory itself. Cleaning it out wouldn't have any effect.
I have this same thing, so I took the liberty of extracting the data, and I haven't been able to find out where it came from or what it is yet. I'm guessing it comes from a cygwin or virtualbox installation, but haven't had time to investigate.
In the hex viewer (file analyzer), for some reason the 0xD8 is gray. Not sure what that is supposed to mean. Null highlight or something?


My OS: WIN7 X64 w I7 950

Stream Name : :5C321E34:$DATA
Filename : C:\Users\All Users\TEMP
Full Stream Name : C:\Users\All Users\TEMP:5C321E34
Stream Size : 100
Stream Allocated Size: 104
File name: TEMP_5C321E34

HEX:
2B C1 C7 59 7C 16 2C D8 30 A8 E1 DB FB 67 87 F3 E5 02 FA 30 A7 80 DD 38 39 D9 9D AC 17 9B E0 5E D8 0C 3F D0 1C 55 9F 83 26 7E 2C 60 C6 45 BE 5B 45 B4 6A 35 E7 59 85 10 C9 F7 C4 2C CF 44 79 80 84 08 CF 1C 3B 86 B2 BB 0B D2 56 74 78 BE FF 66 EB D1 91 6C AA 79 27 3D 5D 51 6C E8 32 64 BE 66 9E 6A 68 04

ASCII:
+Y|,0g‡0€89ٝ›^?UŸƒ&~,`E[Ej5Y…,Dy€„;†Vtxf‘ly'=]Ql2dfžjh

HASHES:
CRC-32: Cyclic redundancy check, 32 bit: 57EA9DD8

MD2: Message-Digest algorithm 2: 9D154F00290B74DE5C99C97FAFDC0991
MD4: Message-Digest algorithm 4: 5F0B2C5B4F9FCB2855EDA56BAB836CD2
e2dk: 2286bb9bda57fd28da9cc8ff33d69454
MD5: Message-Digest algorithm 5: E06EE32287F4E9927D736BBB3BB5BE04
SHA-0: US Secure Hash Algorithm 0: B4B811231206F21778D5A4C45477757C01BB51E0
SHA-1: US Secure Hash Algorithm 1: 6E12AAD290A3394674F3917E8A5992E25EC60EE3
SHA-256: US Secure Hash Algorithm: 5BBEA3A5BCBB9A8703E2C5199B40774504451079A4F29D0B467E3FAE3D9C7DC7
SHA-384: US Secure Hash Algorithm: E650687ABE7FE118438FE47CD115D7288C74ACF54E7C57F2BD34A33D34B248587ED9DCA3B6A7E69AECC3F59770B5384C
SHA-512: US Secure Hash Algorithm: 3B26F0792C309097BFE0AB810771EB62418A34FC36EC95EE47B5799DEF9E0C6697FBD42AFBC1B8CB28B7695904A5A74B085C31F67665319968E37B664D4C31E2
RipeMD-128: RACE Integrity Primitives Evaluation MD: A5A2277DE2A323AA7A794B971B2C83D3
RipeMD-160: RACE Integrity Primitives Evaluation MD: E53077D375FA7A8C209C927A54A5450EAD5822F7
RipeMD-256: RACE Integrity Primitives Evaluation MD: 0F891DADF01376407F6C04E684FCE67FE518C0E6FE43A1F9E77BA6A92210923B
RipeMD-320: RACE Integrity Primitives Evaluation MD: 2739F940FD1A440DEE19587225ED53783F53A8EFAB62C4CAD5BF7084B0938EFF6DFD453117F20D43
HAVAL-128: 0D6DF5DBA1DC1DA0C0C4F964C888C7E8
HAVAL-160: 9C389C59CCC30B87C46CA8FF9D9BB0A532499BA7
HAVAL-192: 65C7B6C5D10C8BD4D7395CAF6916C473F07D7226B585E763
HAVAL-224: 919A47751B453147B48F0FB965ED6A4D94A2B4AF0CA6F34F40E58E38
HAVAL-256: 90A7DF490FBF69EA4C7E34624FF69C057BB1A9265A8E06A98A710D0659F2FFDE
Snefru-128: F5DE6FBAE3AD6AF725549313822B06A8
Snefru-256: 88FB01C223A0E0DB13BEB9321A8FA7DFD430F394D30A3FE50701383EF0D61D0D
Tiger-192: 6FF429F3C1C5B69AF8513B026AD8EC908E928E0807324BD3
Panama: EFE5D0DE6076A773D274C3F1F69092CCB03AAFBB64F187DF24309A1ABB79E41C
Square: CD5843CEF32826A6D2BC531405F1029C
SSDeep: 3:P9nDAnfVC+cp8+L3KRUg1sSfXpdjB3zfaDc+RbPNhn:FWUJ6RUgm4RfaDccbr
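Added example, not part of the thread and not Spybot's code: a small Python script that re-checks S1ybot's dump above offline. It parses the posted hex, confirms the byte count against the posted "Stream Size: 100", recomputes CRC-32/MD5/SHA-1/SHA-256 and compares them with the posted hashes (the assumption here is that the analyzer used the standard zlib CRC-32 and standard MD5/SHA digests; if the CRC variant differs, only that comparison will come back False), and then measures byte entropy and printable-character ratio, which is the first thing a responder does with an unknown blob to decide whether it is text, code, or a random key/token. Everything except the bytes and hashes copied from the post is constructed for this example.

```python
"""Re-check an alternate data stream dump offline: size, hashes, entropy."""
import hashlib
import math
import zlib

# The 100 bytes S1ybot posted for C:\Users\All Users\TEMP:5C321E34:$DATA,
# copied verbatim from the thread above.
POSTED_HEX = (
    "2B C1 C7 59 7C 16 2C D8 30 A8 E1 DB FB 67 87 F3 E5 02 FA 30 "
    "A7 80 DD 38 39 D9 9D AC 17 9B E0 5E D8 0C 3F D0 1C 55 9F 83 "
    "26 7E 2C 60 C6 45 BE 5B 45 B4 6A 35 E7 59 85 10 C9 F7 C4 2C "
    "CF 44 79 80 84 08 CF 1C 3B 86 B2 BB 0B D2 56 74 78 BE FF 66 "
    "EB D1 91 6C AA 79 27 3D 5D 51 6C E8 32 64 BE 66 9E 6A 68 04"
)
POSTED_SIZE = 100  # "Stream Size : 100" from the post

# Hashes copied from the post; the analyzer's algorithm labels are assumed
# to mean the standard zlib CRC-32 and standard MD5/SHA digests.
POSTED_HASHES = {
    "crc32": "57EA9DD8",
    "md5": "E06EE32287F4E9927D736BBB3BB5BE04",
    "sha1": "6E12AAD290A3394674F3917E8A5992E25EC60EE3",
    "sha256": "5BBEA3A5BCBB9A8703E2C5199B40774504451079A4F29D0B467E3FAE3D9C7DC7",
}


def parse_hex_dump(text):
    """Turn a whitespace-separated hex dump (as pasted from a hex viewer) into bytes."""
    return bytes.fromhex(text)  # bytes.fromhex ignores whitespace between byte pairs


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the ceiling for byte-valued data."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def compute_hashes(data):
    """Standard digests, upper-cased to match the analyzer's output format."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def analyze_stream(hex_text, posted_size, posted_hashes):
    """Cross-check a posted dump and summarise what kind of content it looks like."""
    data = parse_hex_dump(hex_text)
    computed = compute_hashes(data)
    entropy = shannon_entropy(data)
    # For a short blob the entropy ceiling is log2(len), not 8: 100 distinct
    # bytes could score at most ~6.64 bits/byte. Being within 10% of that
    # ceiling means the content has no visible structure (random key/token,
    # encrypted or compressed data), as opposed to text or machine code.
    ceiling = math.log2(min(256, len(data))) if data else 0.0
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E)
    return {
        "size": len(data),
        "size_matches": len(data) == posted_size,
        "distinct_bytes": len(set(data)),
        "entropy": entropy,
        "printable_ratio": printable / len(data) if data else 0.0,
        "looks_random": ceiling > 0 and entropy > 0.9 * ceiling,
        "hash_matches": {
            name: computed[name] == posted_hashes[name].upper()
            for name in posted_hashes
        },
        "computed_hashes": computed,
    }


if __name__ == "__main__":
    result = analyze_stream(POSTED_HEX, POSTED_SIZE, POSTED_HASHES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the affected machine itself, the stream can be listed with PowerShell's `Get-Item -Path 'C:\Users\All Users\TEMP' -Stream *`, which shows every named stream on the directory with its length, so the dump can be taken fresh rather than from the post. A 100-byte blob with near-ceiling entropy and no printable runs is not something that executes by itself; the useful follow-up is finding which installed product writes a stream named with an 8-hex-digit id onto `TEMP`, not deleting files inside the directory.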