Windows 7 Forums

Windows 7: Question about suspicious files winpatrol detected

01 Jan 2010   #1

Windows 7 Home Premium RTM 64-bit
Question about suspicious files winpatrol detected

I opened up WinPatrol today to check for updates, then went through the various tabs and found the following suspicious files (the links are to VirusTotal analysis for the files that I uploaded)....

According to the WinPatrol hidden files tab they were first detected on 01/01/2010 12:20am and were last written to on 12/30/2009 3:24 and are type system. The recent tab lists the same first detected date and notes they are hidden and there is nothing under company.

I'm running my various security programs right now to see if anything is amiss. I have run avast and Spybot S&D so far and have found nothing. On a possibly related note, Spybot found a registry entry for something called Fraud.MalwareDefender on the 23rd of last month. In my c://programdata/spybot-search & destroy/recovery directory is a FraudMalwareDefense zip archive dated 12/23/2009 7:17am, file size 1KB. No idea if they're related.

Anyway, that's it for now. I'll let you know the results of my other scans, and if you need any more info, just tell me what you need and I'll try and provide it to you. Thank you for your assistance!

01 Jan 2010   #2

Windows 7 Ultimate x86 SP1

Where were the files located?

EDIT: I see all of them are .tmp files.
Run CCleaner and clean temps and then run Windows Disk Cleanup
And check if you still have those files in winpatrol.
Disk Cleanup - Open and Use
01 Jan 2010   #3
Microsoft MVP



It's not uncommon to see .tmp files listed as Hidden files. Hidden files are common, which is why WinPatrol doesn't default to alerting you to every new hidden file.

If you right-click on the filename, one of the WinPatrol options will be to View in Notepad. This might be helpful in finding out which program is creating these temp files.

btw... it was a great idea to use VirusTotal as a follow-up to WinPatrol. I recommend it often.

Bill Pytlovany
BillP Studios

01 Jan 2010   #4

Windows 7 Home Premium RTM 64-bit

I opened Z@R7C7.TMP and got a bunch of junk as follows idea what it means....

01 Jan 2010   #5

Windows 7 & Windows Vista Ultimate

There you go, Dsmith148, the developer of WinPatrol responded to your post! Welcome to Seven Forums, Bill!

Malware Defense is a Rogue. It wouldn't hurt to scan with an anti-malware software such as MBAM. My standard instructions follow:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, be sure Quick scan is selected, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
  • Click Remove Selected.
01 Jan 2010   #6

Windows 7 Home Premium RTM 64-bit

I finished running avast, Spybot S&D, ThreatFire, Windows Defender, Malwarebytes, SUPERAntiSpyware, and a-squared Free with all results negative. When I ran all my scanners on the 23rd last month only Spybot found anything. It was a registry entry for fraud.malwaredefender and nothing else. I'll look for the files listed in the link Corrine gave me and see if I find any of them. I'll return with any results.
01 Jan 2010   #7

Windows 7 Home Premium RTM 64-bit

None of these files were found (I have the option checked in Folder Options to view hidden files) in the default or my own profile...
c:\Program Files\Malware Defense
c:\Program Files\Malware Defense\help.ico
c:\Program Files\Malware Defense\md.db
c:\Program Files\Malware Defense\mdefense.exe
c:\Program Files\Malware Defense\mdext.dll
c:\Program Files\Malware Defense\uninstall.exe
%UserProfile%\Desktop\Malware Defense Support.lnk
%UserProfile%\Desktop\Malware Defense.lnk

Don't have a start menu folder in the default or my profile....
%UserProfile%\Start Menu\Programs\Malware Defense
%UserProfile%\Start Menu\Programs\Malware Defense\Malware Defense Support.lnk
%UserProfile%\Start Menu\Programs\Malware Defense\Malware Defense.lnk
%UserProfile%\Start Menu\Programs\Malware Defense\Uninstall Malware Defense.lnk
I'll go check my registry and see if the registry entries listed are found.
01 Jan 2010   #8

Windows 7 Home Premium RTM 64-bit

Opened up my regedit and....

Didn't find this...

Found this registry item that was mentioned as part of the malware defender, but don't see anything...
REG_SZ SimpleShlExt Class

-inprocserver32 has 2 items:

1. (default) REG_SZ C:\program files(x86)\ati technologies\ati.ace\core-static\atiacm64.dll

2. threadingmodel REG_SZ Apartment

-progid REG_SZ catalyst context menu

-programmable REG_SZ (value not set)

-typelib REG_SZ {5E2121EE-0300-11DA4-8D3B444553540000}

-versionindependentprogid REG_SZ catalyst context menu

Didn't find these...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Malware Defense"
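
Added example, not part of the thread: a read-only PowerShell check for the Malware Defense file and registry locations quoted in posts #7 and #8. It covers the current user only; the `Program Files (x86)` root and the shell-folder lookups used in place of the quoted `%UserProfile%\Start Menu` path are assumptions added here.

```powershell
# Added example (not from the thread): read-only check for the locations
# quoted in posts #7 and #8. Nothing is deleted or modified.

# The thread lists "c:\Program Files"; the (x86) root is an assumption added
# here for 64-bit Windows, where 32-bit programs install.
$programRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

# Windows 7 stores the Start Menu under %AppData%\Microsoft\Windows, so the
# XP-style "%UserProfile%\Start Menu" path is resolved via the shell folders.
$desktop  = [Environment]::GetFolderPath('DesktopDirectory')
$programs = [Environment]::GetFolderPath('Programs')

$paths = @()
foreach ($root in $programRoots) {
    $dir = Join-Path $root 'Malware Defense'
    $paths += $dir
    foreach ($f in 'help.ico', 'md.db', 'mdefense.exe', 'mdext.dll', 'uninstall.exe') {
        $paths += Join-Path $dir $f
    }
}
$paths += Join-Path $desktop 'Malware Defense Support.lnk'
$paths += Join-Path $desktop 'Malware Defense.lnk'
$menu = Join-Path $programs 'Malware Defense'
$paths += $menu
foreach ($f in 'Malware Defense Support.lnk', 'Malware Defense.lnk', 'Uninstall Malware Defense.lnk') {
    $paths += Join-Path $menu $f
}

# Test-Path reports hidden and system items too, unlike a default Explorer view.
$results = @(foreach ($p in $paths) {
    New-Object PSObject -Property @{ Kind = 'File'; Item = $p; Present = (Test-Path -LiteralPath $p) }
})

# Run value quoted in post #8; a missing key or value simply yields $null.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Malware Defense' -ErrorAction SilentlyContinue
$results += New-Object PSObject -Property @{ Kind = 'Registry'; Item = "$runKey -> Malware Defense"; Present = ($run -ne $null) }

$results | Select-Object Kind, Present, Item | Format-Table -AutoSize
if (@($results | Where-Object { $_.Present }).Count -eq 0) { 'None of the listed locations exist for this user.' }
```

Run it once per user profile to be checked, since the Desktop, Start Menu and `HKCU` locations are per-user.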
01 Jan 2010   #9

Windows 7 & Windows Vista Ultimate


Based on your scans, it appears you do not have the rogue installed.

With WinPatrol, you can right-click the file and select "Explore Program Folder" and/or "Properties". I periodically have an etilqs_6KT6Gkn8JPCDK5thfAil hidden file in APPDATA\LOCAL\TEMP with zero bytes, which Bill told me is related to Firefox. I delete the file with WinPatrol. Should the file prove stubborn to delete, you can also right-click on the file and select "delete on reboot".

I love WinPatrol!
01 Jan 2010   #10

W7-Enterprise + WS-2008 (Converted to Workstation)

Hi!

Very nice to see Mr. WinPatrol here on Seven Forums, welcome!

I really appreciate WinPatrol. I completely agree with Corinne, WinPatrol is a "must-have program".
I have used it for about a year on both Vista & W7, and it works great together with the rest of my security.