Windows 7: Question about suspicious files winpatrol detected

Dsmith148 · 01 Jan 2010

I opened up winpatrol today to check for updates,then went through the various tabs and found the following suspicious files(the links are to virustotal analysis for the files that i uploaded)....

https://www.virustotal.com/analisis/...385-1262372389

https://www.virustotal.com/analisis/...53a-1262374152

https://www.virustotal.com/analisis/...a4a-1262374268

https://www.virustotal.com/analisis/...ed7-1262373787

https://www.virustotal.com/analisis/...41d-1262373963

https://www.virustotal.com/analisis/...e97-1262374443

https://www.virustotal.com/analisis/...083-1262374598

https://www.virustotal.com/analisis/...029-1262374827

https://www.virustotal.com/analisis/...4e6-1262374973

https://www.virustotal.com/analisis/...4b0-1262375364

https://www.virustotal.com/analisis/...2b1-1262375512

https://www.virustotal.com/analisis/...f72-1262375628

According to the winpatrol hidden files tab they were first detected on 01/01/2010 12:20am and were last written to on 12/30/2009 3:24 and are type system.The recent tab lists the same first detected date and notes they are hidden and there is nothing under company.

I'm running my various security programs right now to see if anything is amiss.I have run avast and spybot s&d so far and have found nothing.On a possible related note,spybot found a registry entry for something called Fraud.MalwareDefender on the 23rd of last month.In my c://programdata/spybot-search & destroy/recovery directory is a FraudMalwareDefense zip archive dated 12/23/2009 7:17am file size 1KB.No idea if their related.

Anyway that's it for now.I'll let you know the results of my other scan results and if you need any more info,just tell me what you need and i'll try and provide it to you.Thank you for your assistance!

jav · 01 Jan 2010

Where were the files located?

EDIT: I see all of them are .tmp files.
Run CCleaner and clean temps and then run Windows Disk Cleanup
And check if you still have those files in winpatrol.
http://www.ccleaner.com/
Disk Cleanup - Open and Use

BillPStudios · 01 Jan 2010

DSmith,

It's not uncommon to see .tmp file listed as Hidden files. Hidden files are common which is why WinPatrol doesn't default to alerting you to every new hidden file.

If you right-click on the filename one of the WinPatrol options will be to View in Notepad. This might be helpful in finding out which program is creating these temp files.

btw... it was a great idea to use VirusTotal as a follow up to WinPatrol. I recommend it often.

Bill Pytlovany
BillP Studios

Dsmith148 · 01 Jan 2010

I opened Z@R7C7.TMP and got a bunch of junk as follows below.no idea what it means....

€ OS/2þúÕ ˜ NcmapóÝY ü 2glyféã"ª ¬
*headbØC¨ 0 6hhea T $hmtx: Í ¤ loca‘Í
Ø Êmaxp é 5 4 name¾8 è postÿŸ 2 x / ¹h] /9 þÇ] ÿ\ 9 ÈÊ ! t # ( ÿ×ÿÞÿŒÿ$‡ ] c %ÿÿÿÿÿÑÿØ 2 H ÿÿÿ¹ÿŽÿÀþk Ü $ 1 ÿ²ÿv´ ÿÿ " ª ÿÿÿÆÿ®ÿÚÿËÿ¾ÿëÿðÿ¬ÿ²ÿ¸ÿ ÿÏ ª ÿÿ ( @ $ÿïÖÛ $ DÿÚÿ–ÿÅÿ–ÿhÿ* ? g | = ‰ ¨ ÿ-ÿùÿÇÿØÿÈÿÃÿçÿû ÿÿ F B ( @
ÿŸ $ ÿu IÿÑÿÕ b ¥ g f ‘ [ + ÿÿÿuÿ ( 0 ÿÿÿÏÿ¹ÿ¼ÿíÿÝÿ«ÿÂÿþ ' ( ™ þw 9 ÛÊ # s - ÿÐÿÂÿ™ÿ$£ ? j ? ÿÌÿÉ - 6
ÿ$ÿñÿýÿþÿòÿØÿÕÿ‹ ÿ$’ " % ª ÿÒÿ¦ÿ¼ÿÇÿœÿêÿîÿ£ÿ½ÿîÿÅÿÅÿï 6 8 # ? ( ÿ ÿù ÊÊ ÿ*ÿ³ÿþÿµÿ)ÿ> Ø W V Â T Y Ù ³ þM Ê þG ¹ þA ¿ ÿòH ' 3 0ÿÿ ÿ6ÿüÿü ÿþÿàÿªÿÏÿÍÿ®ÿÏÿÿ = ] c ' ÿÿÿÙÿçÿÓÿã ÿH Q w ? \ f , ÿÿÿBÿÛÿ×ÿßÿÞ " " . tÿâÿÃÿç ÿÝÿä ! F 6 = C
ÿÿÿÞÿî H J ÿÿ ÿÝÿÆÿ¸ÿÚÿ ÿïÿøÿùÿéÿæÿíÿäÿÿ ) ( 6ÿójÊ % 6 Æ J - V a 'ÿÿ ÿÐÿŸÿ·ÿ¹ÿÀÿïÿþ ÿAm ÿòÿÚÿÝÿÝÿÚÿò & # # & Ê ÿ ! % ÿþÿ®ÿ…ÿÁÿ¾ÿ‚ÿ®ÿÿ + ÿÇ : & ÿÿÿÚÿÆÿáÿàÿÆÿÚÿÿ & : ÿóRÊ % “ ÿòÿÚÿÝÿÝÿÚÿò & # # & ¿ÿA ÿþÿïÿÀÿ¹ÿ·ÿŸÿÐ ÿÿ ' a V - J Æ : & ÿÿÿÚÿÆÿáÿàÿÆÿÚÿÿ & : þü 9 ÿæÿÕÿÿ R ~ B ? { R ÿÛÿß ü ÿóZ Ý 2 / -
¹ÿàÿoÿ¦ÿ¬ÿ}ÿµÿÿ D z S š ŽÿÿÿBÿÿÿÑÿÙÿ¨ÿò ×ÿÓÿÉÿÿ ÿ¬ÿ° ? y W L | I ÿÿÿ\ÿh g % 1 ÿÿÿª : Ê ÿ: Æÿ: Æ ÿ:? ‹ ÿ= ýù : Ê : Æ ÿ:Ê ý6 6 R 6 ¿ S ; / Q 1 ÿ: ÿèÿÖÿåÿÎÿþ ÿ: ÿ¾ ' ( ÿÚÿ±ÿÅþœ . 7 ÿ×ÿÃþî ÿóV ! ÿôÿÛÿÛÿÛÿÛÿô ÿÿ % % % % ÿÿ Æ ÿÄÿ‚ÿŸÿŸÿ‚ÿÄ < ~ a a ~ < ; ( ÿÿÿØÿÅÿäÿäÿÅÿ×ÿÿ ) ; ÿ·ÿ„ÿµÿÿ L { I I { K ÿÿÿµÿ…ÿ· 6 Â 6 ¾ F 5 ÿòÿÝÿãÿÅÿÃ ÿ: ÿ* / 1 ÿøÿQ ÿµÿ*ÿ3 ÿò$ . bÿþÿëÿíÿçÿêÿÛÿÿ a 3 3 G ÿÿÿ±ÿˆÿÀÿÂÿ‹ÿ³ÿý ½ % , ÿÔÿ½ÿÿ› M p 6 9 r M p
ÿðÿçÿõÿôÿüÿöÿòÿðÿñÿ½ÿÁÿ¹ÿ¯ÿà $ P C ÿåÿíÿòÿÿ N B A H ÿÿ ÿäÿ¹ÿ¾ ÿùŽ¥ $ j ÿ– ÿÿ % ÿâÿ¿ÿàÿÕÿ°ÿËÿÿ ÿ¨ X Æ ÿ† ÿKÿÜÿß ÿj ÿú ÿÿ C F ø z ž 6ÿóR RÿA ÿþÿåÿ*ÿÅÿÑÿ¯ÿÏÿÿ Æ ÿÿ * 2 Æ B ÿÙÿØ & O ;d þðÿÒÿÉÿÿÿþ ) = / ¹h] /9 þÇ] ÿ\ o o o o o Ó Ó Ó Ó Ó Ó Ó Ó Ó Ó Ó55555ddddddddddîUU¼

&&&77uÒÒÒƒÆ M M M M M M M M M M M M M – /M M M M M M M M M M M M M M M M M M M M ä 9M M M M $M M M M M M M M M M ä 9M M M M ÂÿùM M M M M M M M M b ‡ 6M ‡ u M M M : :M M : :M ‡ 6u M M » 6= – ‡ 6M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M – /M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M M ä 4 ›þ³ ÿùÿøÊ ä ÿœ 2 Þô ¼Š Š¼Š Ý 2 @ð ðÿØÿ. –Û
~

$ . 1 E & S y Z@R7C7.tmpRegularThis is a unique IDZ@R7C7.tmp1.0 Z @ R 7 C 7 . t m p R e g u l a r T h i s i s a u n i q u e I D Z @ R 7 C 7 . t m p 1 . 0 ãâáàßÞÝÜÛÚÙØ×ÖÕÔÓÒÑÐÏÎÍÌËÊÉÈÇÆÅÄÃÂÁÀ¿¾½¼»º¹¸·¶µ´³²±°¯®*¬«ª©¨§¦¥¤£¢¡ Ÿžœ›š™˜—–•”“’‘ŽŒ‹Š‰ˆ‡†…„ƒ‚€~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)('&%$#"!

Â Âð ð!ð"ð#ð$ð%ð&ð'ð(ð)ð*ð+ð,ð-ð.ð/ð0ð1ð2ð3ð4ð5ð6ð7ð8ð9ð:ð;ð<ð=ð>ð?ð@ðAðBðCðDðEðFðGðHðIðJðKðLðMðNðOðPðQðRðSðTðUðVðWðXðYðZð[ð\ð]ð^ð_ð`ðaðbðcðdðeðfðgðhðiðjðkðlðmðnðoðpðqðrðsðtðuðvðwðxðyðzð{ð|ð}ð~ðð€ðð‚ðƒð„ð…ð†ð‡ðˆð‰ðŠð‹ðŒððŽð ðð‘ð’ð“ð”ð•ð–ð—ð˜ð™ðšð›ðœððžðŸð ð¡ð¢ð£ð¤ð¥ð¦ð§ð¨ð©ðªð«ð¬ð*ð®ð¯ð°ð±ð²ð³ð´ðµð¶ð·ð¸ð¹ðºð»ð¼ð½ð¾ð¿ðÀðÁðÂðÃðÄðÅðÆðÇðÈðÉðÊðËðÌðÍðÎðÏðÐðÑðÒ ðÓðÔðÕðÖð×ðØðÙðÚðÛðÜðÝðÞðßðàðáðâðãðäðåðæðçðèðéðêðëðìðíðîðïðððñðòðóðôðõðöð÷ðøðùðúðûðüðýðþðÿÿÿ ð ð!ð"ð#ð$ð%ð&ð'ð(ð)ð*ð+ð,ð-ð.ð/ð0ð1ð2ð3ð4ð5ð6ð7ð8ð9ð:ð;ð<ð=ð>ð?ð@ðAðBðCðDðEðFðGðHðIðJðKðLðMðNðOðPðQðRðSðTðUðVðWðXðYðZð[ð\ð]ð^ð_ð`ðaðbðcðdðeðfðgðhðiðjðkðlðmðnðoðpðqðrðsðtðuðvðwðxðyðzð{ð|ð}ð~ðð€ðð‚ðƒð„ð…ð†ð‡ðˆð‰ðŠð‹ðŒððŽð ðð‘ð’ð“ð”ð•ð–ð—ð˜ð™ðšð›ðœððžðŸð ð¡ð¢ð£ð¤ð¥ð¦ð§ð¨ð©ðªð«ð¬ð*ð®ð¯ð°ð±ð²ð³ð´ðµð¶ð·ð¸ð¹ðºð»ð¼ð½ð¾ð¿ðÀðÁðÂðÃðÄðÅðÆðÇðÈðÉðÊðËðÌðÍðÎðÏðÐðÑðÒ ðÓðÔðÕðÖð×ðØðÙðÚðÛðÜðÝðÞðßðàðáðâðãðäðåðæðçðèðéðêðëðìðíðîðïðððñðòðóðôðõðöð÷ðøðùðúðûðüðýðþðÿÿÿäÂÀ¾ ¼º¸¶´²°®¬ª¨¦¤¢ žœš˜–”’ŽŒŠˆ†„‚€~|zxvtrpnljhfdb`^\ZXVTRPNLJHFDB@>< :86420.,*(&$"
þüúøöôòðîìêèæäâàÞÜÚØÖÔÒÐÎÌÊÈÆÄÂÀ¾¼º¸¶´²°®¬ª¨¦¤¢ žœš˜–”’ŽŒŠˆ†„‚€~|zxvtrpnljhfdb`^\ZXVTRPNLJHFDB@>< :86420.,*(&$"

Corrine · 01 Jan 2010

There you go, Dsmith148, the developer of WinPatrol responded to your post! Welcome to Seven Forums, Bill!

Malware Defense is a Rogue. It wouldn't hurt to scan with an anti-malware software such as MBAM. My standard instructions follow:

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, be sure Quick scan is selected, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
Click Remove Selected.

Dsmith148 · 01 Jan 2010

I finished running avast,spybot s&d,threatfire,windows defender,malwarebytes,superantispyware,and a-squared free with all results negative.When i ran all my scanners on the 23rd last month only spybot found anything.It was a registry entry for fraud.malwaredefender and nothing else.I'll look for the files listed in the link corrine gave me and see if i find any of them.I'll return with any results.

Dsmith148 · 01 Jan 2010

None of these files were found(i have the option checked in folder options to view hidden files) in the default or my own profile...

c:\Program Files\Malware Defense
c:\Program Files\Malware Defense\help.ico
c:\Program Files\Malware Defense\md.db
c:\Program Files\Malware Defense\mdefense.exe
c:\Program Files\Malware Defense\mdext.dll
c:\Program Files\Malware Defense\uninstall.exe
%UserProfile%\Desktop\Malware Defense Support.lnk
%UserProfile%\Desktop\Malware Defense.lnk

Don't have a start menu folder in the default or my profile....
%UserProfile%\Start Menu\Programs\Malware Defense
%UserProfile%\Start Menu\Programs\Malware Defense\Malware Defense Support.lnk
%UserProfile%\Start Menu\Programs\Malware Defense\Malware Defense.lnk
%UserProfile%\Start Menu\Programs\Malware Defense\Uninstall Malware Defense.lnk

I'll go check my registry and see if the registry entries listed are found.

Dsmith148 · 01 Jan 2010

Opened up my regedit and....

Didn't find this...
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt

Found this registry item that was mentioned as part of the malware defender,but don't see anything...
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
REG_SZ SimpleShlExt Class

-inprocserver32 has 2 items-1.(default) REG_SZ C:\program files(x86)\ati technologies\ati.ace\core-static\atiacm64.dll

2.threadingmodel REG_SZ Apartment

-progid REG_SZ catalyst context menu

-programmable REG_SZ (value not set)

-typelib REG_SZ {5E2121EE-0300-11DA4-8D3B444553540000}

-versionindependentprogid REG_SZ catalyst context menu

Didn't find these...
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Malware Defense"

Corrine · 01 Jan 2010

Dsmith148,

Based on your scans, it appears you do not have the rogue installed.

With WinPatrol, you can right-click the file and select "Explore Program Folder" and/or "Properties". I periodically have a etilqs_6KT6Gkn8JPCDK5thfAil hidden file in APPDATA\LOCAL\TEMP with zero bytes, which Bill told me is related to Firefox. I delete the file with WinPatrol. Should the file prove stubborn to delete, you can also right-click on the file and select "delete on reboot".

I love WinPatrol!

hackerman1 · 01 Jan 2010

hi !

very nice to see Mr.Winpatrol here on sevenforums, welcome !

i really appreciate Winpatrol, i completely agree with Corinne, Winpatrol is a "must-have program".
i have used it for about a year on both Vista & Windows 7, it works great together with the rest of my security. ↓↓↓↓↓

Windows 7: Question about suspicious files winpatrol detected

Question about suspicious files winpatrol detected problems?