Something found

Rontti

Hi,

This is what was found:


File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\cabundle.crt"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\MetaData"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\usagestatsinstall.log"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CHS.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CHT.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CSY.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-DAN.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-DEU.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ELL.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ENG.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ENU.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESL.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESN.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESP.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-FIN.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-FRA.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-HUN.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ITA.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-JPN.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-KOR.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-NLD.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-NOR.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PLK.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PTB.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PTG.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-RUS.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SKY.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SLV.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SVE.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-THA.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-TRK.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline.xml"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\MetaData\cddbplm.gcf"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\MetaData\elists.db"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\cabundle.crt"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\MetaData"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\usagestatsinstall.log"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CHS.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CHT.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-CSY.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-DAN.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-DEU.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ELL.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ENG.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ENU.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESL.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESN.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ESP.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-FIN.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-FRA.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-HUN.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-ITA.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-JPN.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-KOR.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-NLD.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-NOR.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PLK.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PTB.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-PTG.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-RUS.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SKY.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SLV.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-SVE.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-THA.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline-TRK.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\PushMarketingFeeds\offline.xml"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\MetaData\cddbplm.gcf"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\MetaData\elists.db"
File:"Unknown ADS","C:\OEM\Preload\Autorun\APP\Acer Clear.fi Client:$WIMMOUNTDATA:$DATA"
File:"Unknown ADS","C:\OEM\Preload\Autorun\APP\HotKey Utility v2.5:$WIMMOUNTDATA:$DATA"



Are most of those part of Nero burn software or what :( ?
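Added example (not part of the original posts and not the scanner's own code): a small parser for the `File:"<finding>","<path>"` rows shown above. It assumes the export format is exactly as pasted in the post and relies on `C:\Users\All Users` being a symbolic link to `C:\ProgramData` on Windows Vista and later, which is why every Nero entry is reported twice. The function names are illustrative, and the sample rows are copied from this thread.

```python
import csv
from collections import defaultdict

# On Vista and later, C:\Users\All Users is a symbolic link to C:\ProgramData.
ALIASES = {r"c:\users\all users": r"C:\ProgramData"}

def parse_line(line):
    """Split one 'File:"<finding>","<path>"' row into (kind, finding, path)."""
    kind, sep, rest = line.strip().partition(":")
    if not sep or not rest.startswith('"'):
        raise ValueError("unexpected row: %r" % line)
    finding, path = next(csv.reader([rest]))
    return kind, finding, path

def split_stream(path):
    """Return (object_path, stream_name or None), skipping the drive-letter colon."""
    obj, sep, stream = path[2:].partition(":")
    if not sep:
        return path, None
    if stream.endswith(":$DATA"):
        stream = stream[:-len(":$DATA")]
    return path[:2] + obj, stream

def canonical(path):
    """Rewrite the 'All Users' alias to its real target so duplicates collapse."""
    low = path.lower()
    for alias, target in ALIASES.items():
        if low == alias or low.startswith(alias + "\\"):
            return target + path[len(alias):]
    return path

def summarize(lines):
    """Group unique (path, stream) pairs by finding type."""
    groups = defaultdict(dict)
    for line in filter(str.strip, lines):
        _kind, finding, raw = parse_line(line)
        obj, stream = split_stream(raw)
        obj = canonical(obj)
        groups[finding].setdefault((obj.lower(), stream), (obj, stream))
    return {f: sorted(v.values(), key=lambda t: (t[0].lower(), t[1] or ""))
            for f, v in groups.items()}

# Sample rows copied from the posts in this thread.
SAMPLE = r'''
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\cabundle.crt"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\cabundle.crt"
File:"No admin in ACL","C:\Users\All Users\Nero\Nero 10\OnlineServices\MetaData\elists.db"
File:"No admin in ACL","C:\ProgramData\Nero\Nero 10\OnlineServices\MetaData\elists.db"
File:"Unknown ADS","C:\OEM\Preload\Autorun\APP\HotKey Utility v2.5:$WIMMOUNTDATA:$DATA"
File:"Unknown ADS","C:\Users\All Users\Temp:5C321E34:$DATA"
'''.splitlines()

if __name__ == "__main__":
    for finding, items in summarize(SAMPLE).items():
        print(finding, len(items), items)
```

Run over the full list, this halves the "No admin in ACL" entries and leaves the ADS findings as (directory, stream name) pairs, with the `Temp` stream attributed to `C:\ProgramData\Temp`.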
 
Thanks for the answer. Yes, it appears to be a similar case. I read that list and I actually found some very same results.

So it might be rather safe to assume that this is Nero related. Though that list I posted missed one line:

File:"Unknown ADS","C:\Users\All Users\Temp:5C321E34:$DATA"

Don't know what that is, but my computer is running fine and I have not noticed anything suspicious. It is just that I occasionally like to run scans to make sure that there isn't anything lurking in my computer. I know that Spybot 2.0.xx is warning that not all rootkit search results are necessarily malware related.
 
Hello Rontti,
Though that list I posted missed one line:

File:"Unknown ADS","C:\Users\All Users\Temp:5C321E34:$DATA"
It's running out of a temp directory, usually a cleanup of temp files will remove such. :)
 
ADS file examined

Hello Rontti,

It's running out of a temp directory, usually a cleanup of temp files will remove such. :)

Not sure what you mean by "running out of a temp directory". It's an alternate data stream located in the directory itself. Cleaning it out wouldn't have any effect.
I have this same thing, so I took the liberty of extracting the data, and I haven't been able to find out where it came from or what it is yet. I'm guessing it comes from a cygwin or virtualbox installation, but haven't had time to investigate.
In the hex viewer (file analyzer) for some reason the Ø or 0XD8 is gray. Not sure what that is supposed to mean. Null highlight or something?


My OS: WIN7 X64 w I7 950

Stream Name : :5C321E34:$DATA
Filename : C:\Users\All Users\TEMP
Full Stream Name : C:\Users\All Users\TEMP:5C321E34
Stream Size : 100
Stream Allocated Size: 104
File name: TEMP_5C321E34

HEX:
2B C1 C7 59 7C 16 2C D8 30 A8 E1 DB FB 67 87 F3 E5 02 FA 30 A7 80 DD 38 39 D9 9D AC 17 9B E0 5E D8 0C 3F D0 1C 55 9F 83 26 7E 2C 60 C6 45 BE 5B 45 B4 6A 35 E7 59 85 10 C9 F7 C4 2C CF 44 79 80 84 08 CF 1C 3B 86 B2 BB 0B D2 56 74 78 BE FF 66 EB D1 91 6C AA 79 27 3D 5D 51 6C E8 32 64 BE 66 9E 6A 68 04

ASCII:
+ÁÇY|,Ø0¨áÛûg‡óåú0§€Ý89ٝ¬›à^Ø?ÐUŸƒ&~,`ÆE¾[E´j5çY…É÷Ä,ÏDy€„Ï;†²»ÒVtx¾ÿfëÑ‘lªy'=]Qlè2d¾fžjh

 