Yourhighness

FP in Windows files


Hi guys,

just did an update and made a scan with the latest database; I think it's flagging Windows Update files as trojans and the like:

Malwarebytes' Anti-Malware 1.28

Datenbank Version: 1259

Windows 5.1.2600 Service Pack 3

12.10.2008 14:08:16

mbam-log-2008-10-12 (14-08-04).txt

Scan-Methode: Quick-Scan

Durchsuchte Objekte: 128871

Laufzeit: 25 minute(s), 38 second(s)

Infizierte Speicherprozesse: 1

Infizierte Speichermodule: 0

Infizierte Registrierungsschl


No probs here; MBAM doesn't find anything wrong with my ctfmon.exe, nor with the contents of C:\WINDOWS\$NtServicePackUninstall$

(note: I've uninstalled Alternative User Input, so ctfmon.exe isn't running in memory, although the file itself is there)

I don't have the three other files

(This is on XP Pro SP3 UK)

No probs here; MBAM doesn't find anything wrong with my ctfmon.exe, nor with the contents of C:\WINDOWS\$NtServicePackUninstall$

(note: I've uninstalled Alternative User Input, so ctfmon.exe isn't running in memory, although the file itself is there)

I don't have the three other files

(This is on XP Pro SP3 UK)

Echo your answer exactly.

Gerard

C:\WINDOWS\$NtServicePackUninstall$\explorer.exe.000 (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\csrss.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\lsass.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\userinit.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

There is code in MBAM that won't let that happen, so I have no clue what is going on.

Heuristics.Reserved.Word.Exploit has very specific places it will look, and $*$ backups is not one of those places.

Best I can say for now is to uninstall/reinstall.

Also, did you install/uninstall any other security software around the same time that this happened?

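As an added example (not code from the thread or from Malwarebytes), here is the triage a responder would run over a detection list like the one quoted above: parse each log line into path, detection name and action, then separate hits inside `$...$` rollback folders (such as `$NtServicePackUninstall$`) from hits at live locations, which is exactly the distinction the reply above draws. The log line format is taken from the thread; the `system32` line in the sample is constructed here to show how a live-path hit is treated differently.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample. The first three lines are detection lines quoted in the
# thread; the fourth (a system32 path) is invented here to show how a hit
# outside a rollback folder is treated. The last line is an ordinary summary
# line from the same log format and must be ignored by the parser.
SAMPLE_LOG = (
    "C:\\WINDOWS\\$NtServicePackUninstall$\\explorer.exe.000 "
    "(Heuristics.Reserved.Word.Exploit) -> No action taken.\n"
    "C:\\WINDOWS\\$NtServicePackUninstall$\\csrss.exe "
    "(Heuristics.Reserved.Word.Exploit) -> No action taken.\n"
    "C:\\WINDOWS\\$NtServicePackUninstall$\\lsass.exe "
    "(Heuristics.Reserved.Word.Exploit) -> No action taken.\n"
    "C:\\WINDOWS\\system32\\svchost.exe "
    "(Heuristics.Reserved.Word.Exploit) -> No action taken.\n"
    "Durchsuchte Objekte: 128871\n"
)

# One detection line: <path> (<detection name>) -> <action>
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Windows keeps service-pack / hotfix rollback copies in folders whose name is
# wrapped in '$', e.g. $NtServicePackUninstall$ or $NtUninstallKB######$.
BACKUP_DIR_RE = re.compile(r"^\$.+\$$")


def parse_detections(log_text):
    """Return a list of dicts (path, name, action), one per detection line."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def in_backup_folder(path):
    """True if any directory component of the path is a $...$ rollback folder."""
    return any(BACKUP_DIR_RE.match(part) for part in PureWindowsPath(path).parts[:-1])


def triage(log_text):
    """Group hits by detection name and parent directory, and split rollback
    copies from files at live locations."""
    hits = parse_detections(log_text)
    return {
        "total": len(hits),
        "by_name": Counter(h["name"] for h in hits),
        "by_directory": Counter(str(PureWindowsPath(h["path"]).parent) for h in hits),
        "in_backup": [h["path"] for h in hits if in_backup_folder(h["path"])],
        "live": [h["path"] for h in hits if not in_backup_folder(h["path"])],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} hits, by name: {dict(result['by_name'])}")
    for directory, n in result["by_directory"].items():
        print(f"  {n:3d}  {directory}")
    print("Rollback-folder copies (not the running system files):", len(result["in_backup"]))
    print("Hits at live locations (need a closer look):", result["live"])
```

When every hit lands in a rollback folder and the same heuristic name repeats across a dozen core system binaries, the pattern points at the scanner rather than at an infection, which is what the staff reply says; a hit at a live path such as `system32` is the one to investigate before anything is removed.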

hiya :).

Also, did you install/uninstall any other security software around the same time that this happened?

Nope. Just MBAM and what I posted in the other thread about Avira not liking the installer. I had to cancel the install, disable the guard and reinstall MBAM. Worked fine though.

Uninstalling and reinstalling now. I'll use CCleaner afterwards and do another scan when reinstalled. Will take at least 30 minutes though, as this is like really ancient hardware here :blink: .


mhhm,

no help :blink:.

Malwarebytes' Anti-Malware 1.28

Datenbank Version: 1261

Windows 5.1.2600 Service Pack 3

12.10.2008 16:16:31

mbam-log-2008-10-12 (16-16-25).txt

Scan-Methode: Quick-Scan

Durchsuchte Objekte: 128835

Laufzeit: 23 minute(s), 18 second(s)

Infizierte Speicherprozesse: 1

Infizierte Speichermodule: 0

Infizierte Registrierungsschl


Slap dev mode on that scan please:

http://www.malwarebytes.org/forums/index.php?showtopic=3228

It won't help on most of them, but there are a few detections that this should show me something on.

BTW, app updates are the only thing that could do this; def updates for Heuristics.Reserved.Word.Exploit have not changed for more than 4 months.


OK, doing this now. As I am here only on a stay-over and know that my mom does not install anything and does not run this PC on a daily basis, it must be something to do with the Windows update.

Does it help if I tell you that the detection occurs once the "extra and heuristic" scan starts?

Malwarebytes' Anti-Malware 1.28

Datenbank Version: 1261

Windows 5.1.2600 Service Pack 3

12.10.2008 17:13:23

mbam-log-2008-10-12 (17-13-10).txt

Scan-Methode: Quick-Scan

Durchsuchte Objekte: 128969

Laufzeit: 15 minute(s), 51 second(s)

Infizierte Speicherprozesse: 1

Infizierte Speichermodule: 0

Infizierte Registrierungsschl


Your OS is corrupted, in particular your environmental variables.

I am asking marcin what the best option from here is.


Any news? I would have to do it via remote desktop. My mom hasn't complained about any problems, besides one reg key that had been left over due to my silliness and was causing the boot to take forever. That's fixed, and no other security programme found any issues afaik. If I can be of help, let me know.

TEMP = %USERPROFILE%\Lokale Einstellungen\Temp
TMP = %USERPROFILE%\Lokale Einstellungen\Temp
ComSpec = %SystemRoot%\system32\cmd.exe
FP_NO_HOST_CHECK = NO
NUMBER_OF_PROCESSORS = 1
OS = Windows_NT
Path = %systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Programme\Gemeinsame Dateien\GTK\2.0\bin;C:\Programme\Haufe\iDesk\iDeskService;C:\Programme\Haufe\iDesk\iDeskService\
PATHEXT = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE = x86
PROCESSOR_IDENTIFIER = x86 Family 6 Model 8 Stepping 1, GenuineIntel
PROCESSOR_LEVEL = 6
PROCESSOR_REVISION = 0801
PROMPT = $p$g
TEMP = C:\WINDOWS\TEMP
TMP = C:\WINDOWS\TEMP
T Sinus STick Dir = C:\Programme\DT\Sinus 154 stick\ (that's my mom's WLAN stick)
Winbootdir = C:\WINDOWS
Windir = C:\WINDOWS

That's it. Thanks.


Any news yet? Do you want me to grab something else off my mom's PC?


That bad? ;). My mom's PC seems to need a "set to previous state", as it stopped booting, and it's so old that she might have to get a new PC soonish, but if you still want to get things, let me know.
