I started down this road with a friend's computer known to have malware on it.
That had also had a major software stuff-up with updating.
(It attempts to contact a known malware-indicative domain name.)
The personal firewall blocked it, but only because I'm paranoid enough to make iexplore
ask every time it wants to use the net.
That's not the problem.
OK, I started at Major Geeks, using a procedure they outlined,
to initially verify that my system is still clean, as I rebuilt my friend's computer here.
Part of that Major Geeks procedure was to run ComboFix.
Up to that point nothing had found any malware, or any leftover bits, nor anything suspicious.
(I run a very tight ship (real FWs, OpenBSD, the whole nine yards): no viruses, trojans, et al. for 10+ yrs and counting.)
ComboFix found two files in my system32 directory, named tmp67.tmp and tmp68.tmp.
FileAlyser identifies them as identical (MD5). I don't like them because a hex dump shows
they have a standard-looking DLL front end, which makes me suspicious as they have .tmp file extensions.
FileAlyser further identifies them as claiming to be:
Company name CreativeLabs Inc., version 2,0,6,0, Product name OpenAL installer.
That would be fine. (I don't like that I can't find any way they could have got themselves run.)
But my system works fine with them removed.
(Paranoid mode on.) Hmmm, thinks I, perhaps the dangerous bit is still there hiding, and so I looks.
My system works fine with them removed because something else put them back!
Now I'm really pissed, but still paranoid.
FileAlyser identifies these new ones as identical in content to the files I removed (same MD5), with different but related filenames.
So I run ComboFix again. (Remember, I'm paranoid, and crazy people do the same thing again
expecting a different result. Paranoid people do it to check if it is different.)
Sure enough, this time ComboFix does not mind that I have those files. This time they are called
tmp14AA.tmp and tmp14AB.tmp, and although what's in them is identical to before, ComboFix doesn't mind them at all.
These files are identical to tmp67.tmp and tmp68.tmp
So which time was comboFix right?
When it removed them or when it left them there?
Also, if it's not some bizarre part of OpenAL, WTF is it, and where's the bastard thing that reinstalls them hiding?
I do 'appear' to have the OpenAL and wrap_OAL DLLs, but I am not sure which bit of software installed them.
All questions welcome; I've got more data and logs than you can reasonably want to see.
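As an added illustration (not part of the original post, and not code from FileAlyser, ComboFix or OpenAL), here is a small Python script that performs the kind of check the poster used FileAlyser for: hash each file, group files whose content is identical, and read the MZ/PE header to see whether a file with a .tmp extension is really a DLL image. The sample "files" are constructed byte stubs built inside the script (not real executables and not from anyone's system32), so it runs offline; the header offsets and the IMAGE_FILE_DLL flag value are the standard PE/COFF ones.

```python
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics bit set on DLL images in the COFF header


def pe_info(data: bytes) -> dict:
    """Return hashes plus basic PE facts for a byte string.

    Checks for the DOS 'MZ' stub, follows e_lfanew to the 'PE\\0\\0' signature,
    and reads the COFF Characteristics field to see if the DLL flag is set.
    """
    info = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": False,
        "is_dll": False,
        "machine": None,
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need 4 bytes of signature plus the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, _nsect, _ts, _psym, _nsym, _optsz, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    info["is_pe"] = True
    info["machine"] = machine
    info["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    return info


def group_identical(files: dict) -> dict:
    """Map SHA-256 digest -> list of names, so files with identical content
    (like tmp67.tmp / tmp68.tmp in the post) are listed together."""
    groups = {}
    for name, data in files.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(name)
    return groups


def suspicious_tmp_dlls(files: dict) -> list:
    """Names of files that carry a .tmp extension but parse as a PE DLL image."""
    return sorted(
        name for name, data in files.items()
        if name.lower().endswith(".tmp") and pe_info(data)["is_dll"]
    )


def make_fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal MZ/PE stub for demonstration only; it is not loadable."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE, optionally | IMAGE_FILE_DLL
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, chars)  # 0x14C = i386
    return dos_stub + b"PE\0\0" + coff


# Constructed sample inputs: two identical DLL-like .tmp files, one EXE-like
# file, and one plain text file.
SAMPLE_FILES = {
    "tmp67.tmp": make_fake_pe(is_dll=True),
    "tmp68.tmp": make_fake_pe(is_dll=True),
    "setup.exe": make_fake_pe(is_dll=False),
    "notes.txt": b"just some text, not a PE image",
}


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, pe_info(data))
    for digest, names in group_identical(SAMPLE_FILES).items():
        if len(names) > 1:
            print("identical content:", names, digest[:16])
    print("DLL images hiding behind .tmp:", suspicious_tmp_dlls(SAMPLE_FILES))
```

To run this against real files, replace SAMPLE_FILES with a dict of name to bytes read from disk; reading the version resource (company and product name) the way FileAlyser reports it is a separate parsing step not shown here.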