Cookiegal

Group: Experts
Posts: 20
Reputation: 2 Neutral
Location: Quebec, Canada

Recent posts
  1. I just ran the latest version of AdwCleaner and saw the Preinstalled Software detections for the first time. However, the first three items listed as follows do not belong to HP TouchSmart as indicated. I don't have, nor have I ever had, any HP devices (not even printers). This is a Lenovo desktop. This task is identified in my Task Scheduler Library as belonging to CyberLink Power2go:

     Preinstalled.HPTouchSmart Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{306D8E9F-B7BF-49CE-8BB1-8148ED4651EB}
     Preinstalled.HPTouchSmart Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CLMLSvc
     Preinstalled.HPTouchSmart Task C:\Windows\System32\Tasks\CLMLSVC

     Thanks.
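     The attribution question in the post above (is the CLMLSvc task really HP TouchSmart, or CyberLink?) can be settled from the machine itself rather than from the cleaner's label. The following script is an added example written for this page; it is not part of the original post and not AdwCleaner's or CyberLink's code. It assumes Windows 8 / PowerShell 5.1 or later (for the `SignatureType` property that reports catalog signatures), an elevated session, and the task name and GUID quoted in the post. It reads the two TaskCache registry keys the scanner flagged, parses the task XML under System32\Tasks to find the command the task actually launches, and then reports the version info and Authenticode signer of that binary.

```powershell
# Added example (editor's, not from the original post or from AdwCleaner/CyberLink):
# resolve what a flagged scheduled task actually runs so the vendor attribution
# can be checked against the signer of the target binary.
# Assumptions: PowerShell 5.1+ on Windows 8+, elevated; task name and GUID are
# the ones quoted in the post above.

$TaskName = 'CLMLSvc'
$TaskId   = '{306D8E9F-B7BF-49CE-8BB1-8148ED4651EB}'
$Cache    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-TaskAttribution {
    param([string]$Name, [string]$Id)

    # 1. Tree\<name> maps the task name to its GUID (value "Id");
    #    Tasks\<guid> holds the task path (value "Path") and the scheduler's hash.
    $tree = Get-ItemProperty -Path "$Cache\Tree\$Name" -ErrorAction SilentlyContinue
    $task = Get-ItemProperty -Path "$Cache\Tasks\$Id"  -ErrorAction SilentlyContinue

    # 2. The definition under System32\Tasks is XML (UTF-16 with BOM, which
    #    Get-Content -Raw detects); Actions/Exec/Command is what gets executed.
    #    A task may carry several Exec actions; this takes the first one.
    $xmlPath = Join-Path $env:SystemRoot "System32\Tasks\$Name"
    [xml]$def = Get-Content -LiteralPath $xmlPath -Raw
    $exec   = @($def.Task.Actions.Exec)[0]
    $author = $def.Task.RegistrationInfo.Author

    # 3. Expand %SystemRoot%-style variables and strip quotes, then check the
    #    signature and version resource of the binary the task launches.
    $cmd = [Environment]::ExpandEnvironmentVariables($exec.Command.Trim('"'))
    $sig = Get-AuthenticodeSignature -FilePath $cmd
    $ver = (Get-Item -LiteralPath $cmd).VersionInfo

    [pscustomobject]@{
        TaskName        = $Name
        TreeId          = $tree.Id        # should equal $Id
        RegistryPath    = $task.Path      # e.g. \CLMLSvc
        TaskAuthor      = $author
        Command         = $cmd
        Arguments       = $exec.Arguments
        CompanyName     = $ver.CompanyName
        ProductName     = $ver.ProductName
        SignatureStatus = $sig.Status
        SignatureType   = $sig.SignatureType   # Authenticode, Catalog or None
        Signer          = $sig.SignerCertificate.Subject
    }
}

Get-TaskAttribution -Name $TaskName -Id $TaskId | Format-List
```

     If `CompanyName` and `Signer` both name the software that the Task Scheduler Library shows as the task owner, the "Preinstalled.HPTouchSmart" label is a misattribution worth reporting; if the command points at an unsigned binary, or at a path that no longer exists, the task deserves a closer look regardless of what the cleaner called it.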
  2. I'm not actually working this thread at TSG but have been following it, and I noticed MBAM detected this:

     Files Detected: 1
     C:\WINDOWS\system32\Tools\ChPrio.exe (Spyware.Password) -> Quarantined and deleted successfully.

     http://forums.techgu...822-post48.html

     I found one thread here referencing this detection as a false positive back in 2011 which was subsequently fixed: http://forums.malwar...showtopic=88005

     Please let me know if you require a developer's log or anything else to verify the file.
  3. It's my pleasure. I'm glad to be able to help.
  4. Before proceeding, I'm just not quite sure of the path to use for the file on the slipstreamed CD. Would it be this?

     (drive letter):\i386\$ntservicepackuninstall$\makecab.ex_

     Or would it be just this?

     (drive letter):\i386\makecab.ex_
  5. I will try to get the file for you but it probably won't be until tomorrow. Thanks for checking.
  6. I was working malware and we discovered the hard drive was failing, so I recommended a full reformat on a new drive, which he did, installing XP from a SP2 slip-streamed CD and then installing SP3. He then started a new thread because he was having trouble installing drivers. Once everything was installed correctly, he installed MBAM and ran a scan and this was detected:

     Malwarebytes' Anti-Malware 1.51.2.1300
     www.malwarebytes.org

     Database version: 7936

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     10/13/2011 11:06:49 AM
     mbam-log-2011-10-13 (11-06-49).txt

     Scan type: Full scan (C:\|)
     Objects scanned: 183318
     Time elapsed: 24 minute(s), 23 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 2

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     c:\system volume information\_restore{7e22c8d7-cc72-455f-8701-ab96eda61486}\RP12\A0003547.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
     c:\WINDOWS\$ntservicepackuninstall$\makecab.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

     Would a scan run in developer's mode be needed? I can ask him to run one if necessary, but the file has been deleted from quarantine. Here's a link to the thread: http://forums.techguy.org/windows-xp/1021671-solved-dell-resource-cd-wont.html#post8114650
  7. Thanks Bruce. I really wish she hadn't deleted the file.
  8. So I understand that this is indeed a false positive even if the user doesn't have MS Encarta? If so, do you know what other application might install this file legitimately? I'm not finding much on it other than Encarta or the malicious version. Thanks for your assistance. I really appreciate it.
  9. I have a user who ran MBAM and the file C:\WINDOWS\system32\ENCAPI32.DLL was detected as Trojan.Tracur and quarantined. There were no registry entries detected that normally accompany the "bad" encapi32.dll file, unless perhaps she ran something that may have deleted them before but not the file itself. She states that she doesn't and never did have MS Encarta on her computer (as I understand the legit file belongs to that program). The problem is that she deleted the file from quarantine already, so we don't have access to it. Would a developer's log still be helpful in this case? If so, then I will get one. Please advise.

     I see another user has posted here about the same possibility but posted in an older thread: http://forums.malwarebytes.org/index.php?showtopic=11180

     Here's a link to my thread at TSG: http://forums.techguy.org/virus-other-malw...tml#post7456477

     And a copy of the MBAM log:

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4214

     Windows 5.1.2600 Service Pack 2
     Internet Explorer 6.0.2900.2180

     6/19/2010 1:09:14 AM
     mbam-log-2010-06-19 (01-09-14).txt

     Scan type: Quick scan
     Objects scanned: 138579
     Time elapsed: 9 minute(s), 1 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\WINDOWS\system32\ENCAPI32.DLL (Trojan.Tracur) -> Quarantined and deleted successfully.
  10. I didn't get the developer mode log as I thought it might not be necessary, but if needed I will get it.

     C:\WINDOWS\system32\WinSys2.exe

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinSys2 (Trojan.Agent) -> Quarantined and deleted successfully.

     Files Infected:
     C:\WINDOWS\system32\WinSys2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

     http://forums.techguy.org/malware-removal-...tml#post6637593

     It looks like the legit Nvidia file. These are all from the ComboFix log:

     2009-03-28 01:08 . 2009-03-28 01:08 -------- d-----w c:\windows\system32\AGEIA
     2009-03-28 01:08 . 2009-03-28 01:08 -------- d-----w c:\program files\AGEIA Technologies
     2009-03-28 01:07 . 2009-03-28 01:07 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
     2009-03-28 01:07 . 2006-08-23 17:12 81314 ----a-w c:\windows\system32\nvapps.nvb
     2009-03-28 01:06 . 2009-02-12 16:00 131072 ----a-r c:\windows\system32\smdll.dll
     2009-03-28 01:06 . 2009-02-12 16:00 130048 ----a-r c:\windows\system32\MadCHook.dll
     2009-03-28 01:06 . 2009-02-12 16:00 614400 ----a-r c:\windows\system32\msvcr80.dll
     2009-03-28 01:06 . 2009-02-12 16:00 32768 ----a-r c:\windows\system32\Auxiliary.dll
     2009-03-28 01:06 . 2009-02-12 16:00 208896 ----a-r c:\windows\system32\WinSys2.exe
     2009-03-28 01:06 . 2009-02-13 02:26 1789952 ----a-r c:\windows\system32\msicpl.dll
     2009-03-28 01:06 . 2009-02-05 16:54 453152 ----a-w c:\windows\system32\NVUNINST.EXE
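Several of the posts above (the makecab.exe and ENCAPI32.DLL reports in particular) run into the same problem: the user deleted the file from quarantine before anyone could verify it, so there is nothing left to submit. The script below is an added example written for this page, not part of any post and not Malwarebytes' code. It assumes PowerShell 5.1 or later (older Windows XP systems from these threads would need the file copied to a newer machine first), that the file is still on disk or has been restored from quarantine to its original path, and an evidence folder whose path is a hypothetical choice for the example. It records hashes, version resource and Authenticode/catalog signature status, copies the bytes under a neutral name, and writes the metadata as JSON beside the copy so a vendor can confirm or refute the detection after the original is gone.

```powershell
# Added example (editor's, not from the original posts or from Malwarebytes):
# preserve enough evidence about a suspected false positive that it can still
# be verified and submitted after the quarantine entry has been deleted.
# Assumptions: PowerShell 5.1+, elevated session, file still present on disk;
# C:\FP-evidence is a hypothetical path chosen for this example.

function Save-SuspectFileEvidence {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$EvidenceDir = 'C:\FP-evidence'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path (already deleted from quarantine?)"
    }
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

    $item = Get-Item -LiteralPath $Path
    # OS files are usually catalog-signed rather than carrying an embedded
    # signature; PowerShell 5.1+ reports that as SignatureType 'Catalog'.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $record = [ordered]@{
        Path            = $item.FullName
        Size            = $item.Length
        LastWriteUtc    = $item.LastWriteTimeUtc.ToString('o')
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SHA1            = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        MD5             = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        CompanyName     = $item.VersionInfo.CompanyName
        ProductName     = $item.VersionInfo.ProductName
        FileVersion     = $item.VersionInfo.FileVersion
        SignatureStatus = $sig.Status.ToString()
        SignatureType   = "$($sig.SignatureType)"
        Signer          = $sig.SignerCertificate.Subject
    }

    # Keep a copy of the bytes under a neutral name so the sample can be
    # submitted to the vendor, with the metadata as JSON beside it.
    $base = Join-Path $EvidenceDir $record.SHA256.Substring(0, 16)
    Copy-Item -LiteralPath $Path -Destination "$base.bin"
    $record | ConvertTo-Json | Set-Content -LiteralPath "$base.json" -Encoding UTF8
    [pscustomobject]$record
}

# The paths MBAM reported in the posts above. Single quotes matter: in double
# quotes PowerShell would try to expand $ntservicepackuninstall$ as a variable.
# The restore-point copy under System Volume Information is readable only by
# SYSTEM/administrators, so that one needs an elevated session.
Save-SuspectFileEvidence -Path 'C:\WINDOWS\$ntservicepackuninstall$\makecab.exe'
Save-SuspectFileEvidence -Path 'C:\WINDOWS\system32\ENCAPI32.DLL'
```

Two caveats from practice: run this before clicking "Delete" in the quarantine, not after, and exclude the evidence folder from real-time scanning first, otherwise the scanner will quarantine the copy as soon as it is written. A `SignatureType` of `Catalog` with a `Valid` status on a file under `$ntservicepackuninstall$` is strong evidence of a false positive; `NotSigned` on a file that claims a Microsoft `CompanyName` is exactly the case where the sample, rather than the log, is what the vendor needs.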