Windows 7 Forums


Windows 7: Question about suspicious files winpatrol detected

01 Jan 2010   #1

Windows 7 Home Premium RTM 64-bit
 
 

I opened up WinPatrol today to check for updates, then went through the various tabs and found the following suspicious files (the links are to the VirusTotal analyses of the files that I uploaded)....

https://www.virustotal.com/analisis/...385-1262372389

https://www.virustotal.com/analisis/...53a-1262374152

https://www.virustotal.com/analisis/...a4a-1262374268

https://www.virustotal.com/analisis/...ed7-1262373787

https://www.virustotal.com/analisis/...41d-1262373963

https://www.virustotal.com/analisis/...e97-1262374443

https://www.virustotal.com/analisis/...083-1262374598

https://www.virustotal.com/analisis/...029-1262374827

https://www.virustotal.com/analisis/...4e6-1262374973

https://www.virustotal.com/analisis/...4b0-1262375364


https://www.virustotal.com/analisis/...2b1-1262375512

https://www.virustotal.com/analisis/...f72-1262375628

According to the WinPatrol Hidden Files tab, they were first detected on 01/01/2010 at 12:20 AM, were last written to on 12/30/2009 at 3:24, and are of type System. The Recent tab lists the same first-detected date, notes that they are hidden, and shows nothing under Company.

I'm running my various security programs right now to see if anything is amiss. I have run Avast and Spybot S&D so far and have found nothing. On a possibly related note, Spybot found a registry entry for something called Fraud.MalwareDefender on the 23rd of last month. In my C:\ProgramData\Spybot-Search & Destroy\Recovery directory is a FraudMalwareDefense zip archive dated 12/23/2009 7:17 AM, file size 1 KB. No idea if they're related.

Anyway, that's it for now. I'll let you know my other scan results, and if you need any more info, just tell me what you need and I'll try to provide it. Thank you for your assistance!


01 Jan 2010   #2
jav

Windows 7 Ultimate x86 SP1
 
 

Where were the files located?

EDIT: I see all of them are .tmp files.
Run CCleaner and clean temps, then run Windows Disk Cleanup,
and check if you still have those files in WinPatrol.
http://www.ccleaner.com/
Disk Cleanup - Open and Use
01 Jan 2010   #3
Microsoft MVP

Win7
 
 

DSmith,

It's not uncommon to see .tmp files listed as hidden files. Hidden files are common, which is why WinPatrol doesn't default to alerting you to every new hidden file.

If you right-click on the filename one of the WinPatrol options will be to View in Notepad. This might be helpful in finding out which program is creating these temp files.

btw... it was a great idea to use VirusTotal as a follow up to WinPatrol. I recommend it often.

Bill Pytlovany
BillP Studios


01 Jan 2010   #4

Windows 7 Home Premium RTM 64-bit
 
 

I opened Z@R7C7.TMP and got a bunch of junk, as follows below. No idea what it means....

[Notepad rendering of a binary file; the unreadable bytes are omitted here and only the legible strings are kept]
OS/2  cmap  glyf  head  hhea  hmtx  loca  maxp  name  post
Z@R7C7.tmpRegularThis is a unique IDZ@R7C7.tmp1.0
Z @ R 7 C 7 . t m p R e g u l a r T h i s i s a u n i q u e I D Z @ R 7 C 7 . t m p 1 . 0
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
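The "junk" in the post above can be read without guessing: OS/2, cmap, glyf, head, hhea, hmtx, loca, maxp, name and post are the table tags of an sfnt (TrueType/OpenType) font container, and the "Z@R7C7.tmp Regular This is a unique ID Z@R7C7.tmp 1.0" run near the end is the font's 'name' table (family, subfamily, unique ID, full name, version). The Python script below is an added example, not code from the thread or from WinPatrol: it parses the sfnt table directory and the 'name' table, rejects anything that is not an sfnt (a .tmp starting with MZ would be a PE executable and a much stronger reason to worry), and runs on a font blob constructed inside the script so it works offline. To use it on a real file, call identify(open(path, "rb").read()). Nothing here says which program wrote the file; that still needs the file's owner or a Process Monitor trace.

```python
"""Identify a mystery .tmp from its header: is it a font, and what does it call itself?

Added example, not code from the thread or from WinPatrol. The sample bytes
are CONSTRUCTED here so the script runs offline; they are not the user's file.
"""
import struct

SFNT_VERSIONS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"OTTO": "OpenType/CFF",
    b"true": "TrueType (Mac)",
}
# name IDs from the OpenType 'name' table specification
NAME_IDS = {0: "copyright", 1: "family", 2: "subfamily", 3: "unique id",
            4: "full name", 5: "version", 6: "postscript name"}


def parse_table_directory(data):
    """Return (kind, {tag: (offset, length)}); raise ValueError if not an sfnt."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    kind = SFNT_VERSIONS.get(bytes(data[:4]))
    if kind is None:
        raise ValueError("not an sfnt font, magic %r" % bytes(data[:4]))
    num_tables = struct.unpack(">H", data[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = data[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        if offset + length > len(data):          # refuse pointers outside the file
            raise ValueError("table %r points outside the file" % tag)
        tables[tag.decode("latin-1")] = (offset, length)
    return kind, tables


def parse_name_table(data, offset, length):
    """Decode the 'name' table into {label: string}."""
    end = offset + length
    _fmt, count, string_offset = struct.unpack(">HHH", data[offset:offset + 6])
    names = {}
    for i in range(count):
        rec = data[offset + 6 + 12 * i: offset + 18 + 12 * i]
        platform, _enc, _lang, name_id, slen, soff = struct.unpack(">HHHHHH", rec)
        start = offset + string_offset + soff
        if start + slen > end:
            raise ValueError("name record %d points outside the table" % i)
        raw = data[start:start + slen]
        # platform 3 (Windows) stores UTF-16BE; platform 1 (Macintosh) is single-byte
        text = raw.decode("utf-16-be") if platform == 3 else raw.decode("latin-1")
        names[NAME_IDS.get(name_id, "id%d" % name_id)] = text
    return names


def identify(data):
    """Return (kind, sorted table tags, name strings) for an sfnt blob."""
    kind, tables = parse_table_directory(data)
    names = parse_name_table(data, *tables["name"]) if "name" in tables else {}
    return kind, sorted(tables), names


def looks_like_font(data):
    """True if the blob parses as an sfnt; handy for triaging a whole TEMP directory."""
    try:
        parse_table_directory(data)
        return True
    except ValueError:
        return False


def build_sample_font():
    """CONSTRUCTED sfnt: the ten tags from the dump, a real 'name' table with the
    strings the user saw, and every other table stubbed to four zero bytes."""
    strings = [(1, "Z@R7C7.tmp"), (2, "Regular"), (3, "This is a unique ID"),
               (4, "Z@R7C7.tmp"), (5, "1.0")]
    records, blob = b"", b""
    for name_id, s in strings:
        enc = s.encode("utf-16-be")
        records += struct.pack(">HHHHHH", 3, 1, 0x0409, name_id, len(enc), len(blob))
        blob += enc
    name_table = struct.pack(">HHH", 0, len(strings), 6 + len(records)) + records + blob
    tags = ["OS/2", "cmap", "glyf", "head", "hhea", "hmtx", "loca", "maxp", "name", "post"]
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tags), 0, 0, 0)
    directory, body, offset = b"", b"", 12 + 16 * len(tags)
    for tag in tags:
        payload = name_table if tag == "name" else b"\0" * 4
        pad = b"\0" * (-len(payload) % 4)            # tables are 4-byte aligned
        directory += struct.pack(">4sIII", tag.encode("ascii"), 0, offset, len(payload))
        body += payload + pad
        offset += len(payload) + len(pad)
    return header + directory + body


if __name__ == "__main__":
    kind, tags, names = identify(build_sample_font())
    print("container:", kind)
    print("tables:   ", " ".join(tags))
    for label, value in names.items():
        print("%-16s %s" % (label, value))
```

Knowing the container type is the point of the check: a .tmp that is a well-formed font carries no executable code of its own, whereas one whose first two bytes are MZ is a PE executable hiding behind a .tmp extension, which is what a triage should escalate.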
01 Jan 2010   #5

Windows 7 & Windows Vista Ultimate
 
 

There you go, Dsmith148, the developer of WinPatrol responded to your post! Welcome to Seven Forums, Bill!

Malware Defense is a rogue. It wouldn't hurt to scan with anti-malware software such as MBAM. My standard instructions follow:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, be sure Quick scan is selected, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
  • Click Remove Selected.
01 Jan 2010   #6

Windows 7 Home Premium RTM 64-bit
 
 

I finished running Avast, Spybot S&D, ThreatFire, Windows Defender, Malwarebytes, SUPERAntiSpyware, and a-squared Free, with all results negative. When I ran all my scanners on the 23rd of last month, only Spybot found anything. It was a registry entry for Fraud.MalwareDefender and nothing else. I'll look for the files listed in the link Corrine gave me and see if I find any of them. I'll return with any results.
01 Jan 2010   #7

Windows 7 Home Premium RTM 64-bit
 
 

None of these files were found (I have the option checked in Folder Options to view hidden files) in the Default or my own profile...
c:\Program Files\Malware Defense
c:\Program Files\Malware Defense\help.ico
c:\Program Files\Malware Defense\md.db
c:\Program Files\Malware Defense\mdefense.exe
c:\Program Files\Malware Defense\mdext.dll
c:\Program Files\Malware Defense\uninstall.exe
%UserProfile%\Desktop\Malware Defense Support.lnk
%UserProfile%\Desktop\Malware Defense.lnk

Don't have a Start Menu folder in the Default or my profile....
%UserProfile%\Start Menu\Programs\Malware Defense
%UserProfile%\Start Menu\Programs\Malware Defense\Malware Defense Support.lnk
%UserProfile%\Start Menu\Programs\Malware Defense\Malware Defense.lnk
%UserProfile%\Start Menu\Programs\Malware Defense\Uninstall Malware Defense.lnk
I'll go check my registry and see if the registry entries listed are found.
01 Jan 2010   #8

Windows 7 Home Premium RTM 64-bit
 
 

Opened up my regedit and....

Didn't find this...
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt

Found this registry item that was mentioned as part of Malware Defender, but don't see anything...
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
REG_SZ SimpleShlExt Class

InprocServer32 has 2 items:
  1. (default) REG_SZ C:\program files(x86)\ati technologies\ati.ace\core-static\atiacm64.dll
  2. ThreadingModel REG_SZ Apartment

ProgID REG_SZ catalyst context menu

Programmable REG_SZ (value not set)

TypeLib REG_SZ {5E2121EE-0300-11DA4-8D3B444553540000}

VersionIndependentProgID REG_SZ catalyst context menu

Didn't find these...
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Malware Defense"
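Post #8 walks the registry by hand: a handler key under shellex\ContextMenuHandlers, its CLSID under HKEY_CLASSES_ROOT\CLSID, then InprocServer32 for the DLL that Explorer will load. The Python below is an added example, not the thread's or WinPatrol's code, that repeats that cross-reference over a regedit export (File > Export, .reg format) so the check can be re-run after a cleanup. Its SAMPLE_REG is constructed for the example: it reuses the CLSID and atiacm64.dll path quoted in the thread under a hypothetical handler name (ExampleCatalyst) and adds one hypothetical dangling handler (ExampleOrphan); it is not an export from the user's machine. On a real export, regedit writes UTF-16 with a BOM, so read the file with open(path, encoding="utf-16").

```python
"""Cross-reference shell-extension handlers with the DLLs that back them.

Added example, not code from the thread or from WinPatrol. SAMPLE_REG is
CONSTRUCTED: the ATI CLSID and DLL path come from the thread, the handler
names and the orphan GUID are hypothetical. Only strings are inspected;
nothing on disk or in the live registry is read or changed.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ExampleCatalyst]
@="{5E2121EE-0300-11D4-8D3B-444553540000}"

[HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\ExampleOrphan]
@="{00000000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}]
@="SimpleShlExt Class"

[HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32]
@="C:\\Program Files (x86)\\ATI Technologies\\ATI.ACE\\Core-Static\\atiacm64.dll"
"ThreadingModel"="Apartment"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<val>.*)$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# directories an unprivileged user can write to; a shell extension that every
# Explorer process loads from one of these deserves a second look
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\")


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # .reg escapes backslash and quote with a backslash


def parse_reg(text):
    """Parse a .reg export into {key.lower(): {value_name.lower(): value}}.
    Only string values are decoded; dword:/hex: values are kept as raw text."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = reg.setdefault(m.group("key").lower(), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group("name")) if m.group("name") is not None else ""
            val = m.group("val")
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = _unescape(val[1:-1])
            current[name.lower()] = val
    return reg


def context_menu_handlers(reg):
    """For each ...\\shellex\\ContextMenuHandlers\\<x> key, resolve its CLSID to the
    InprocServer32 DLL and note anything a triage should look at."""
    rows = []
    for key, values in reg.items():
        if "\\shellex\\contextmenuhandlers\\" not in key:
            continue
        leaf = key.rsplit("\\", 1)[1]
        default = values.get("", "")
        clsid = default if GUID_RE.match(default) else leaf   # the key name may itself be the CLSID
        server = reg.get("hkey_classes_root\\clsid\\%s\\inprocserver32" % clsid.lower(), {})
        dll = server.get("")
        notes = []
        if dll is None:
            notes.append("no InprocServer32 under HKCR\\CLSID: dangling or already removed")
        elif not dll.lower().endswith(".dll"):
            notes.append("server is not a .dll")
        elif any(part in dll.lower() for part in USER_WRITABLE):
            notes.append("DLL lives in a user-writable directory")
        rows.append((key, clsid, dll, notes))
    return sorted(rows)


def report(reg_text):
    """Parse an export and return [(handler key, CLSID, DLL or None, notes)]."""
    return context_menu_handlers(parse_reg(reg_text))


if __name__ == "__main__":
    for key, clsid, dll, notes in report(SAMPLE_REG):
        print(key)
        print("    %s -> %s" % (clsid, dll or "(no server)"))
        for note in notes:
            print("    ! " + note)
```

The script never touches the disk, so it cannot tell whether a listed DLL exists or is signed; on the live machine the next step for any flagged entry is the file's Properties > Digital Signatures tab or Sysinternals sigcheck, and for a dangling CLSID, removing the orphaned handler key.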
01 Jan 2010   #9

Windows 7 & Windows Vista Ultimate
 
 

Dsmith148,

Based on your scans, it appears you do not have the rogue installed.

With WinPatrol, you can right-click the file and select "Explore Program Folder" and/or "Properties". I periodically have an etilqs_6KT6Gkn8JPCDK5thfAil hidden file in APPDATA\LOCAL\TEMP with zero bytes, which Bill told me is related to Firefox. I delete the file with WinPatrol. Should the file prove stubborn to delete, you can also right-click on the file and select "Delete on Reboot".

I love WinPatrol!
01 Jan 2010   #10

W7-Enterprise + WS-2008 (Converted to Workstation)
 
 

Hi!

Very nice to see Mr. WinPatrol here on Seven Forums, welcome!

I really appreciate WinPatrol; I completely agree with Corinne, WinPatrol is a "must-have program".
I have used it for about a year on both Vista and Windows 7, and it works great together with the rest of my security.
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
