The result appears the same. Corrupt files, unable to repair, yadyayada. CBS.log and MGADiag.txt are in the attached zip.
OK - please run the CheckSUR tool again and post the log file
also run
DIR C:\Windows\Help\mui\0409\diskmgt.chm
and post the results.
Code:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>DIR C:\Windows\Help\mui\0409\diskmgt.chm
 Volume in drive C has no label.
 Volume Serial Number is 228C-77CF

 Directory of C:\Windows\Help\mui\0409

06/10/2009  02:45 PM            81,699 diskmgt.CHM
               1 File(s)         81,699 bytes
               0 Dir(s)  669,643,288,576 bytes free

C:\Windows\system32>
Something IS altering that file - compare it with the original in the C:\msgerbs2\amd64_server-help-chm.diskm_v.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d76955a45e11858c folder, which I uploaded; and the one in Winsxs
Code:
dir C:\msgerbs2\amd64_server-help-chm.diskm_v.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d76955a45e11858c
dir C:\Windows\winsxs\amd64_server-help-chm.diskm_v.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d76955a45e11858c
Mine shows as being 79.785 bytes
So... Is it time to move to the malware removal forums then, or...?
- please run the commands in the code box in my previous response - we can see what happened where, then
Oh, whoops!
Hmm, that's interesting...
Code:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>dir C:\msgerbs2\amd64_server-help-chm.diskm_v.resources_31bf
3856ad364e35_6.1.7600.16385_en-us_d76955a45e11858c
 Volume in drive C has no label.
 Volume Serial Number is 228C-77CF

 Directory of C:\msgerbs2\amd64_server-help-chm.diskm_v.resources_31bf3856ad364e
35_6.1.7600.16385_en-us_d76955a45e11858c

11/19/2012  12:21 PM    <DIR>          .
11/19/2012  12:21 PM    <DIR>          ..
06/10/2009  09:45 PM            79,785 diskmgt.CHM
               1 File(s)         79,785 bytes
               2 Dir(s)  668,187,734,016 bytes free

C:\Windows\system32>dir C:\Windows\winsxs\amd64_server-help-chm.diskm_v.resource
s_31bf3856ad364e35_6.1.7600.16385_en-us_d76955a45e11858c
 Volume in drive C has no label.
 Volume Serial Number is 228C-77CF

 Directory of C:\Windows\winsxs\amd64_server-help-chm.diskm_v.resources_31bf3856
ad364e35_6.1.7600.16385_en-us_d76955a45e11858c

11/19/2012  12:21 PM    <DIR>          .
11/19/2012  12:21 PM    <DIR>          ..
06/10/2009  09:45 PM            79,785 diskmgt.CHM
               1 File(s)         79,785 bytes
               2 Dir(s)  668,187,734,016 bytes free

C:\Windows\system32>
...VERY!
Please do the following.
run the following command...
Copy C:\Windows\Help\mui\0409\diskmgt.chm %userprofile%\desktop\dikmgmt.chx
DIR %userprofile%\desktop\dikmgmt.chx
DIR C:\Windows\Help\mui\0409\diskmgt.chm
This will copy the active (tampered) file to the desktop (with a minor rename), then report on the filesize of the active one, and the copy - make a note of the size of each.
please then navigate in your browser to www.virustotal.com and upload both files for test there.
post back with the links to the report.
This is the one from the desktop: https://www.virustotal.com/file/434e...is/1353423535/
The one from the windows directory: https://www.virustotal.com/file/434e...is/1353423643/
Both are clean.
And the results of the command prompt:
Code:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Matthew>Copy C:\Windows\Help\mui\0409\diskmgt.chm %userprofile%\desktop
\dikmgmt.chx
        1 file(s) copied.

C:\Users\Matthew>DIR %userprofile%\desktop\dikmgmt.chx
 Volume in drive C has no label.
 Volume Serial Number is 228C-77CF

 Directory of C:\Users\Matthew\desktop

06/10/2009  02:45 PM            81,699 dikmgmt.chx
               1 File(s)         81,699 bytes
               0 Dir(s)  668,094,251,008 bytes free

C:\Users\Matthew>DIR C:\Windows\Help\mui\0409\diskmgt.chm
 Volume in drive C has no label.
 Volume Serial Number is 228C-77CF

 Directory of C:\Windows\Help\mui\0409

06/10/2009  02:45 PM            81,699 diskmgt.CHM
               1 File(s)         81,699 bytes
               0 Dir(s)  668,094,251,008 bytes free

C:\Users\Matthew>
The SHA256 for the files is the same - which pretty much guarantees that the files are identical.
Here's the one I sent you - https://www.virustotal.com/file/366d...is/1353521443/
I really have no idea what's going on - I'm going to ask for some assistance on this.
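The comparison done by hand in this thread (file sizes from DIR, SHA-256 values from the VirusTotal reports) can also be done locally. The following is an added example, not part of any post above: it compares a file against a trusted reference copy and reports whether the extra bytes were appended or the content diverges earlier. The function names and the sample files are constructed for illustration; on a real system the two arguments would be the component-store copy and the active copy of the file.

```python
import hashlib
import tempfile
from pathlib import Path


def compare(reference, candidate):
    """Compare candidate against a trusted reference copy of the same file."""
    ref = Path(reference).read_bytes()   # help files here are ~80 KB: read whole
    cand = Path(candidate).read_bytes()
    common = min(len(ref), len(cand))
    # First offset at which the two files disagree, if any.
    first_diff = next((i for i in range(common) if ref[i] != cand[i]), None)
    if first_diff is None and len(ref) != len(cand):
        first_diff = common              # one file is a strict prefix of the other
    h_ref = hashlib.sha256(ref).hexdigest()
    h_cand = hashlib.sha256(cand).hexdigest()
    return {
        "sha256_reference": h_ref,
        "sha256_candidate": h_cand,
        "identical": h_ref == h_cand,
        "size_delta": len(cand) - len(ref),
        "first_diff_offset": first_diff,
        "reference_is_prefix": cand.startswith(ref),  # also True when identical
    }


def demo():
    """Run compare() on constructed sample files (not real .chm content)."""
    with tempfile.TemporaryDirectory() as d:
        store = Path(d, "store.chm")      # stands in for the component-store copy
        store.write_bytes(b"ITSF" + bytes(range(200)))
        exact = Path(d, "exact.chm")      # byte-for-byte copy
        exact.write_bytes(store.read_bytes())
        grown = Path(d, "grown.chm")      # reference plus 16 appended bytes
        grown.write_bytes(store.read_bytes() + b"\x00" * 16)
        patched = bytearray(store.read_bytes())
        patched[10] = 0xFF                # same size, one byte changed
        edited = Path(d, "edited.chm")
        edited.write_bytes(bytes(patched))
        return [compare(store, p) for p in (exact, grown, edited)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A non-zero `size_delta` with `reference_is_prefix` true means the candidate is the reference with data appended; a `first_diff_offset` inside the file means the content itself was changed.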