FP in Windows files


Yourhighness

Hi guys,

just did an update and made a scan with the latest database; I think it's flagging Windows update files as trojans and the like:

Malwarebytes' Anti-Malware 1.28

Datenbank Version: 1259

Windows 5.1.2600 Service Pack 3

12.10.2008 14:08:16

mbam-log-2008-10-12 (14-08-04).txt

Scan-Methode: Quick-Scan

Durchsuchte Objekte: 128871

Laufzeit: 25 minute(s), 38 second(s)

Infizierte Speicherprozesse: 1

Infizierte Speichermodule: 0

Infizierte Registrierungsschl


No probs here; MBAM doesn't find anything wrong with my ctfmon.exe, nor with the contents of C:\WINDOWS\$NtServicePackUninstall$

(note: I've uninstalled Alternative User Input, so ctfmon.exe isn't running in memory, although the file itself is there)

I don't have the three other files

(This is on XP Pro SP3 UK)
Gerard


  • Staff
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe.000 (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\csrss.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\lsass.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\userinit.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

There is code in MBAM that won't let that happen, so I have no clue what is going on.

Heuristics.Reserved.Word.Exploit has very specific places it will look, and $*$ backups is not one of those places.

Best I can say for now is to uninstall/reinstall.

Also, did you install/uninstall any other security software around the same time that this happened?
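As an added example (not code from this thread or from Malwarebytes), a small Python triage script for an MBAM log: it parses the `path (DetectionName) -> action.` lines quoted above and separates reserved-name hits that sit inside a `$...$` rollback folder, the case the staff post says the heuristic should never produce, from hits elsewhere that still need a human look. The `$...$` folder pattern, the `KB000000` folder name and the sample log lines are assumptions constructed for the example; MBAM's real exclusion list is not on the page.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# MBAM detection line as quoted in this thread:
#   C:\WINDOWS\$NtServicePackUninstall$\lsass.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$")

# A directory component of the form $...$ ($NtServicePackUninstall$, $NtUninstallKB...$).
# Assumption: this is what the staff post calls "$*$ backups"; MBAM's own exclusion list is not on the page.
BACKUP_DIR_RE = re.compile(r"(^|\\)\$[^\\]*\$\\")

class Detection(NamedTuple):
    path: str
    name: str
    action: str

def parse_detection(line: str) -> Optional[Detection]:
    """Parse one 'path (DetectionName) -> Action.' line; summary lines yield None."""
    m = DETECTION_RE.match(line.strip())
    return Detection(m["path"], m["name"], m["action"]) if m else None

def in_backup_dir(path: str) -> bool:
    """True when some directory component of the path is a $...$ rollback folder."""
    return BACKUP_DIR_RE.search(path) is not None

def triage(lines: List[str]) -> Tuple[List[Detection], List[Detection]]:
    """Split detections into (likely_false_positives, needs_review): a reserved-word hit is a
    likely FP only under a $...$ backup folder; the same file name anywhere else is reviewed."""
    likely_fp, review = [], []
    for line in lines:
        d = parse_detection(line)
        if d is None:
            continue
        if d.name.startswith("Heuristics.Reserved.Word") and in_backup_dir(d.path):
            likely_fp.append(d)
        else:
            review.append(d)
    return likely_fp, review

# Constructed sample: two lines modelled on the thread, one summary line, one hit outside any backup folder.
SAMPLE_LOG = [
    "Infizierte Dateien: 3",
    r"C:\WINDOWS\$NtServicePackUninstall$\lsass.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.",
    r"C:\WINDOWS\$NtUninstallKB000000$\csrss.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.",
    r"C:\Dokumente und Einstellungen\user\Desktop\csrss.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.",
]
```

`triage(SAMPLE_LOG)` returns two likely false positives and one detection for review; the third sample path is the kind of location where a reserved process name genuinely deserves attention.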


hiya :).

Also, did you install/uninstall any other security software around the same time that this happened?

Nope. Just MBAM and what I posted in the other thread about avira not liking the installer. I had to cancel install, disable guard and reinstall mbam. Worked fine though.

Uninstalling and reinstalling now. I'll use CCleaner afterwards and do another scan when reinstalled. Will take at least 30 minutes though, as this is really ancient hardware here :blink:.


mhhm,

no help :blink:.

Malwarebytes' Anti-Malware 1.28

Datenbank Version: 1261

Windows 5.1.2600 Service Pack 3

12.10.2008 16:16:31

mbam-log-2008-10-12 (16-16-25).txt

Scan-Methode: Quick-Scan

Durchsuchte Objekte: 128835

Laufzeit: 23 minute(s), 18 second(s)

Infizierte Speicherprozesse: 1

Infizierte Speichermodule: 0

Infizierte Registrierungsschl


  • Staff

Slap dev mode on that scan please:

http://www.malwarebytes.org/forums/index.php?showtopic=3228

It won't help on most of them, but there are a few detections that this should show me something on.

BTW, app updates are the only thing that could do this; def updates for Heuristics.Reserved.Word.Exploit have not changed for more than 4 months.


OK, doing this now. As I am here only on a stay-over and know that my mom does not install anything and does not run this PC on a daily basis, it must be something to do with the Windows update.

Does it help if I tell you that the detection occurs once the "extra and heuristic" scan starts?

Malwarebytes' Anti-Malware 1.28

Datenbank Version: 1261

Windows 5.1.2600 Service Pack 3

12.10.2008 17:13:23

mbam-log-2008-10-12 (17-13-10).txt

Scan-Methode: Quick-Scan

Durchsuchte Objekte: 128969

Laufzeit: 15 minute(s), 51 second(s)

Infizierte Speicherprozesse: 1

Infizierte Speichermodule: 0

Infizierte Registrierungsschl


Any news? I would have to do it via remote desktop. My mom hasn't complained about any problems, besides one reg key that had been left over due to my silliness and was causing the boot to take forever. That's fixed, and no other security programme found any issues afaik. If I can be of help, let me know.


TEMP = %USERPROFILE%\Lokale Einstellungen\Temp
TMP = %USERPROFILE%\Lokale Einstellungen\Temp
ComSpec = %SystemRoot%\system32\cmd.exe
FP_NO_HOST_CHECK = NO
NUMBER_OF_PROCESSORS = 1
OS = Windows_NT
Path = %systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Programme\Gemeinsame Dateien\GTK\2.0\bin;C:\Programme\Haufe\iDesk\iDeskService;C:\Programme\Haufe\iDesk\iDeskService\
PATHEXT = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE = x86
PROCESSOR_IDENTIFIER = x86 Family 6 Model 8 Stepping 1, GenuineIntel
PROCESSOR_LEVEL = 6
PROCESSOR_REVISION = 0801
PROMPT = $p$g
TEMP = C:\WINDOWS\TEMP
TMP = C:\WINDOWS\TEMP
T Sinus STick Dir = C:\Programme\DT\Sinus 154 stick\ (that's my mom's WLAN stick)
Winbootdir = C:\WINDOWS
Windir = C:\WINDOWS

That's it. Thanks.
