Mismatch.Extension

[JorgeO]

Hello,

I was suspecting of malware (AVG internet security didn't find any) so I've run a full scan with Malwarebytes.

It reported 351 files, almost all of the Mismatch.Extension type.

So, I deleted the files and PC was damaged beyond repair.

Not very happy, I restored a backup from one week ago and did a new run with Malwarebytes. This time it reported 15 files, again almost all Mismatch.Extension ones.

But this time I went to search for these files and couldn't find a single one of them!

Explorer is set to show system and hidden files. CHDSK doesn't indicates cross linked files.

Win XP, SP3 and updates.

[shadowwar]

Please post the log from the scan.

[JorgeO]

Please post the log from the scan.

Here it is.

mbam_log_2011_01_13__12_31_05_.txt

[shadowwar]

Nothing there should cause a non boot situation.

Extension Mismatch detections mean it's a executable file (exe, dll etc) but with a non executable extension. Malware normally does this to hide their files.

Can you provide some system specs like type of hard drive etc.

[JorgeO]

Nothing there should cause a non boot situation.

Extension Mismatch detections mean it's a executable file (exe, dll etc) but with a non executable extension. Malware normally does this to hide their files.

Can you provide some system specs like type of hard drive etc.

That was not the scan of the 351 objects detected (and deleted). That was a scan after the backup restore.

Just after deleting the 351 objects the system rebooted (by itself), After reboot there were many messages of missing DLLs, etc. and the system was very unstable. Thunderbird would not run, etc.

To me it looks like the suspect files are not what their names indicate - they are DLLs, whatever, with a fake name? Would some virus do that?

HD is a Seagate ST31000528AS partitioned in C: (50GB) and D: (remaining), both NTFS

[shadowwar]

Ok this could be a collision between security programs causing false positives. What security programs are you running like antiviruses and have you added and exclusions in any of the programs?

[JorgeO]

Ok this could be a collision between security programs causing false positives. What security programs are you running like antiviruses and have you added and exclusions in any of the programs?

Main AV program (running all the time) is AVG Internet Security. When I have some suspicious activity I do a scan with Malwarebytes and Superantispyware. De-activating AVG's resident shield does not change the results.

AFAIK, no exclusions.

[shadowwar]

Can you attach one of the files. Also make sure you can copy one of the files somewhere and they are not locked in place. Every time you scan the same files are hit?

[JorgeO]

Can you attach one of the files. Also make sure you can copy one of the files somewhere and they are not locked in place. Every time you scan the same files are hit?

I've done full C; scans a few times. Number of suspect objects is stable at 18, files are always the same (it started at 15, increase was in restore area)

I'm attaching a log of a quick scan. There are 2 suspects in Windows\system32, both of them with a .LOG extension. Search won't find any of these files, it will find userdiif (no extension) dated 09/jul/10. but no tempkey file.

userdiff can be copied/moved freely.

I've uploaded it as a RAR archive, since direct upload was not possible. File checked clean in Virus Total.

userdiff.rar

mbam_log_2011_01_14__14_28_30_.txt

[shadowwar]

Ok the userdiff file definitely should have not been hit. There has to be something on your machine interfering with our scan. I am going to get someone from support to help you out.

[JorgeO]

Ok the userdiff file definitely should have not been hit. There has to be something on your machine interfering with our scan. I am going to get someone from support to help you out.

Thanks for your help, shadowwar

[AdvancedSetup]

Hello JorgeO,

Please follow the directions here and when ready send me a Private Message and I'll help you out.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someon has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

[JorgeO]

Hello JorgeO,

Please follow the directions here and when ready send me a Private Message and I'll help you out.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someon has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Thanks, AdvancedSetup

Looks like there's something fishy with my Windows install.

It just happens that early next week I will be upgrading to Win 7/64, Let's see how it goes and if everything goes back to normal.

[JorgeO]

Thanks, AdvancedSetup

Looks like there's something fishy with my Windows install.

It just happens that early next week I will be upgrading to Win 7/64, Let's see how it goes and if everything goes back to normal.

Well, I will follow your instructions anyway.

[AdvancedSetup]

Okay, user now being helped in the HJT forum so I'll go ahead and close this post now.