Memsweep2


9 replies to this topic

#1 JDM2

Posted 14 January 2008 - 12:36 AM

I installed and ran Autoruns (for the first time ever) and noticed these three things have check-marks next to them...

MEMSWEEP2 File not found: C:\WINDOWS\System32\Drivers\MEMSWEEP2.sys (Is this related to Sophos?)

I also have a:

rrSpy File not found: C:\WINDOWS\System32\Drivers\rrSpy.sys

Lastly, an OODPS file not found under the boot execute section.

Is this a sign I may be infected?

Info on how to proceed most appreciated.

Thanks much,

Jeff

#2 quietman7

Posted 14 January 2008 - 08:08 AM

RRSPY.SYS is related to Resplendence Registrar by MultiMon software.
I'm not finding any info on MEMSWEEP2.sys.

From what you posted, it appears the physical files are no longer present on your system.

Since one of the files is unknown, you should perform a scan with your anti-virus in "Safe Mode".

Then follow up with an Online Virus Scan like BitDefender.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 JDM2

Posted 14 January 2008 - 03:09 PM

Thanks much for your always helpful advice, Quietman. One thing I forgot to mention is that when I go to the web site whatsmyip.com it says my IP is different than when I go to CMD > IPCONFIG.

Also, someone sent me their resume to download and review on megaupload and when I tried downloading it, the megaupload error was "sorry, but your IP is already currently downloading a 14382934829 byte AVI file."

I thought, WHAT?! No it's not!

My internet has been slow a lot for a while too. Do you know if maybe I'm sharing an IP and I can put a stop to that somehow?

Is there an easy way to check this?

Thanks again for all your help.

Jeff

#4 quietman7

Posted 14 January 2008 - 03:25 PM

Noting a different IP address is not unusual. Your ISP is probably using Dynamic IP addresses so whenever you reconnect to the net, your IP address changes.

Dynamic IP Vs Static IP

If you are having trouble logging into a website or Internet Explorer is behaving oddly, you may need to clear your cookies and temporary Internet files (browser cache). As you browse web pages, the browser stores a copy of the pages you view on your local hard drive; this is called caching. Clearing the cache forces the browser to load the latest versions of Web pages and programs you visit.

"How to Clear Cookies and Cache in Internet Explorer 6"
"How to Clear Cookies and Cache in Internet Explorer 7"
"How and Why to Clear Your Cache"

If your Internet connection is slow and you're not finding any malware, see:
"It's not always malware: How to fix the top 10 Internet Explorer issues".

If you're using Vista or Internet Explorer 7, see:
"Why is my Internet connection so slow?".
"Windows Vista - My Internet connection is slow".
"Tuning IE7 for Better Performance".
"How to optimize or reset Internet Explorer 7".

Also, the Phishing Filter could be causing your computer to respond very slowly as it evaluates Web page contents. See "The Phishing Filter may slow down the PC" and "Phishing Filter FAQs".

If you have a lot of BHOs attached to Internet Explorer, you could try improving performance by disabling those which are unnecessary.

#5 JDM2

Posted 14 January 2008 - 03:36 PM

Oops. I should have said in my last post that my ISP assigned me a static IP (xx.xxx.xxx.xxx) a long time ago.

Whatsmyip.org says my IP is xx.xxx.xxx.xxx.

Is there a good way to proceed to resolve this? Thanks so much, Quietman.

Jeff

Edited by quietman7, 14 January 2008 - 03:53 PM.


#6 quietman7

Posted 14 January 2008 - 03:52 PM

Double check with your ISP to see if they may be rerouting you.

I edited your previous reply to remove your IP address.

#7 JDM2

Posted 15 January 2008 - 10:57 AM

Thanks for editing out the IPs, Quietman.

My ISP said I'm not being rerouted and that my IP is what I posted here yesterday. They are a bunch of yahoos that work there, though, so who knows.

A few months back, I noticed in my network connections that there was an entry for VPN which I never created and the status was "connecting". It took me forever to kill the connection (it kept saying "access denied") but eventually I got it removed.

Maybe that is the origin of this problem?

Any idea what might be happening?

Thanks so much as always...

Jeff

#8 quietman7

Posted 15 January 2008 - 11:04 AM

I am moving your thread to the Networking forum where others with more savvy in this area may have further suggestions or input.

#9 JDM2

Posted 15 January 2008 - 11:47 AM

I am moving your thread to the Networking forum where others with more savvy in this area may have further suggestions or input.

Thanks much, quietman.

#10 quietman7

Posted 25 January 2008 - 07:51 AM

Did some more research and it appears Sophos Anti-Rootkit installs MEMSWEEP2.

AutoRuns may show: MEMSWEEP2 File not found: C:\WINDOWS\system32\14B.tmp
ComboFix may show:
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\sophosmemsweep.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WIN2\system32\2.tmp
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\14.tmp

Most references to this file are on systems that have Sophos ARK. I checked with AutoRuns and I have this entry as well. However, it appears the associated tmp file in the system32 folder can have different names.

http://www.dslreports.com/forum/r19048012-memsweep2
http://www.runscanner.net/process.aspx?p=5f.tmp
http://www.runscanner.net/process.aspx?p=sophosmemsweep.sys
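The thread's underlying question is whether a "File not found" driver entry is an orphaned registration left by a removed tool (Sophos Anti-Rootkit's MEMSWEEP2, Resplendence's rrSpy) or something to worry about. The following script is an added example, not from the thread or from any of the tools mentioned: it parses ComboFix-style service lines like the ones quoted above, strips the `\??\` NT path prefix, checks whether the referenced file exists, and flags temporary `.tmp` drivers in system32 (the naming pattern the post attributes to Sophos ARK). The sample lines and the set of "present" files are constructed so it runs offline; on a real system you would pass `os.path.exists` as the `exists` callback.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample in the ComboFix service-line format quoted in the thread
# (start type, name, display name, NT path). The rrSpy line is assumed for illustration.
COMBOFIX_LINES = r"""S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\sophosmemsweep.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\14B.tmp
S3 rrSpy;rrSpy;\??\C:\WINDOWS\System32\Drivers\rrSpy.sys"""

# Constructed "disk" so the check runs offline: only sophosmemsweep.sys is present.
PRESENT_FILES = {r"c:\windows\system32\sophosmemsweep.sys"}

LINE_RE = re.compile(r"^(S\d|R\d)\s+([^;]+);([^;]*);(.+)$")

@dataclass
class ServiceEntry:
    start_type: str
    name: str
    display: str
    path: str         # Win32 path with the \??\ NT prefix removed
    present: bool     # False means Autoruns would report "File not found"
    tmp_driver: bool  # .tmp driver in system32, the pattern the thread ties to Sophos ARK

def parse_line(line: str) -> Optional[tuple[str, str, str, str]]:
    """Split one 'S3 name;display;\\??\\path' line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, raw = m.groups()
    path = raw[4:] if raw.startswith("\\??\\") else raw
    return start, name, display, path

def classify(lines: str, exists: Callable[[str], bool]) -> list[ServiceEntry]:
    """Parse every service line and record whether its driver file is on disk."""
    entries = []
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        start, name, display, path = parsed
        low = path.lower()
        tmp = low.endswith(".tmp") and "\\system32\\" in low
        entries.append(ServiceEntry(start, name, display, path, exists(low), tmp))
    return entries

def orphaned_entries(lines: str = COMBOFIX_LINES, exists=None) -> list[str]:
    """Names and paths of registrations whose file is missing (the 'File not found' cases)."""
    exists = exists or (lambda p: p in PRESENT_FILES)
    return [f"{e.name} -> {e.path}" for e in classify(lines, exists) if not e.present]

if __name__ == "__main__":
    for e in classify(COMBOFIX_LINES, lambda p: p in PRESENT_FILES):
        flag = "present" if e.present else "FILE NOT FOUND (orphaned registration)"
        note = " [temporary driver in system32]" if e.tmp_driver else ""
        print(f"{e.start_type} {e.name}: {e.path} -> {flag}{note}")
```

An orphaned entry is inert because there is no file to load; the clean-up is to remove the stale service registration, and an entry whose file does exist but is unknown is the one worth scanning, as quietman7 advised.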