Community Reputation

0 Neutral

About Cookiegal

  • Rank
    New Member

Profile Information

  • Location
    Quebec, Canada

Recent Profile Visitors

4,869 profile views
  1. I just ran the latest version of AdwCleaner and saw the Preinstalled Software detections for the first time. However, the first three items listed as follows do not belong to HP TouchSmart as indicated. I don't have, nor have I ever had, any HP devices (not even printers). This is a Lenovo desktop. This task is identified in my Task Scheduler Library as belonging to CyberLink Power2Go: Preinstalled.HPTouchSmart Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{306D8E9F-B7BF-49CE-8BB1-8148ED4651EB} Preinstalled.HPTouchSmart Registry HKLM\SOFTWARE\Mi
  2. I'm not actually working this thread at TSG but have been following it and I noticed MBAM detected this: Files Detected: 1 C:\WINDOWS\system32\Tools\ChPrio.exe (Spyware.Password) -> Quarantined and deleted successfully. http://forums.techgu...822-post48.html I found one thread here referencing this detection as a false positive back in 2011 which was subsequently fixed: http://forums.malwar...showtopic=88005 Please let me know if you require a developer's log or anything else to verify the file.
  3. It's my pleasure. I'm glad to be able to help.
  4. Before proceeding, I'm just not quite sure of the path to use for the file on the slipstreamed CD. Would it be this? (drive letter):\i386\$ntservicepackuninstall$\makecab.ex_ Or would it be just this: (drive letter):\i386\makecab.ex_
  5. I will try to get the file for you but it probably won't be until tomorrow. Thanks for checking.
  6. I was working malware and we discovered the hard drive was failing so I recommended a full reformat on a new drive, which he did, installing XP from a SP2 slip-streamed CD and then installing SP3. He then started a new thread because he was having trouble installing drivers. Once everything was installed correctly, he installed MBAM and ran a scan and this was detected: Malwarebytes' Anti-Malware www.malwarebytes.org Database version: 7936 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 10/13/2011 11:06:49 AM mbam-log-2011-10-13 (11-06-49).txt Scan type: Full sca
  7. Thanks Bruce. I really wish she hadn't deleted the file.
  8. So I understand that this is indeed a false positive even if the user doesn't have MS Encarta? If so, do you know what other application might install this file legitimately? I'm not finding much on it other than Encarta or the malicious version. Thanks for your assistance. I really appreciate it.
  9. I have a user who ran MBAM and the file C:\WINDOWS\system32\ENCAPI32.DLL was detected as Trojan.Tracur and quarantined. There were no registry entries detected that normally accompany the "bad" encapi32.dll file unless perhaps she ran something that may have deleted them before but not the file itself. She states that she doesn't and never did have MS Encarta on her computer (as I understand the legit file belongs to that program). The problem is that she deleted the file from quarantine already so we don't have access to it. Would a developer's log still be helpful in this case? If so, th
  10. I didn't get the developer mode log as I thought it might not be necessary but if needed I will get it. C:\WINDOWS\system32\WinSys2.exe Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinSys2 (Trojan.Agent) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\WinSys2.exe (Trojan.Agent) -> Quarantined and deleted successfully. http://forums.techguy.org/malware-removal-...tml#post6637593 It looks like the legit Nvidia file. These are all from the ComboFix log: 2009-03-28 01:08 . 2009-03-28 01:08 -------- d-----w c:\windows