Hello,
Please could you analyse the log below to assess the "damage" of running this dubious .EXE with Wine? I was looking for the PDF of a book, found this .EXE instead and naively ran it. I can see it has a reference to "C:\\Program Files\\FileFinder\\FileFinder.exe", which might be malware. I am worried there is a backdoor!
Thank you and let me know if you need more information (first day joining Wine HQ, first post),
Olav
Notes:
- Redacted my username into 'olav'
- Replaced repeated messages by "[repeated <X> more time(s)]", where <X> is the number of repeated rows
Log:
wine: created the configuration directory '/Users/olav/.wine'
err:ole:marshal_object couldn't get IPSFactory buffer for interface {00000131-0000-0000-c000-000000000046}
err:ole:marshal_object couldn't get IPSFactory buffer for interface {6d5140c1-7436-11ce-8034-00aa006009fa}
err:ole:StdMarshalImpl_MarshalInterface Failed to create ifstub, hres=0x80004002
err:ole:CoMarshalInterface Failed to marshal the interface {6d5140c1-7436-11ce-8034-00aa006009fa}, 80004002
err:ole:get_local_server_stream Failed: 80004002
err:ole:marshal_object couldn't get IPSFactory buffer for interface {00000131-0000-0000-c000-000000000046}
err:ole:marshal_object couldn't get IPSFactory buffer for interface {6d5140c1-7436-11ce-8034-00aa006009fa}
err:ole:StdMarshalImpl_MarshalInterface Failed to create ifstub, hres=0x80004002
err:ole:CoMarshalInterface Failed to marshal the interface {6d5140c1-7436-11ce-8034-00aa006009fa}, 80004002
err:ole:get_local_server_stream Failed: 80004002
fixme:ntdll:NtLockFile I/O completion on lock not implemented yet
err:mscoree:LoadLibraryShim error reading registry key for installroot
[repeated 3 more times]
fixme:ntdll:NtLockFile I/O completion on lock not implemented yet
err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.
fixme:iphlpapi:NotifyIpInterfaceChange (family 0, callback 0x6a07afa1, context 0xa33c50, init_notify 0, handle 0x130f454): stub
fixme:iphlpapi:CancelMibChangeNotify2 (handle 0x0): stub
wine: configuration in '/Users/olav/.wine' has been updated.
fixme:module:load_library unsupported flag(s) used (flags: 0x00000800)
[repeated 4 more times]
fixme:wbemprox:client_security_SetBlanket 0x4702b870, 0x1551d0, 10, 0, (null), 3, 3, 0x0, 0x00000000
fixme:wbemprox:client_security_Release 0x4702b870
fixme:wbemprox:class_object_BeginEnumeration flags 0x00000040 not supported
[repeated 2 more times]
fixme:mountmgr:harddisk_ioctl The DISK_PARTITION_INFO and DISK_DETECTION_INFO structures will not be filled
fixme:wbemprox:class_object_BeginEnumeration flags 0x00000040 not supported
[error repeated 17 more times]
fixme:win:EnumDisplayDevicesW ((null),0,0x32f008,0x00000000), stub!
fixme:wbemprox:class_object_BeginEnumeration flags 0x00000040 not supported
fixme:module:load_library unsupported flag(s) used (flags: 0x00000800)
fixme:module:load_library unsupported flag(s) used (flags: 0x00000800)
fixme:gdiplus:GdipDrawPath graphics object has no HDC
[repeated 8 more times]
err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.
fixme:secur32:schan_get_cipher_algid Don't know CALG for encryption algorithm 4, returning 0
fixme:secur32:schan_imp_get_max_message_size Returning 1 << 14.
fixme:secur32:schan_get_cipher_algid Don't know CALG for encryption algorithm 4, returning 0
fixme:gdiplus:GdipDrawPath graphics object has no HDC
[repeated 494 more times]
fixme:module:load_library unsupported flag(s) used (flags: 0x00000800)
[repeated 5 more times]
fixme:wbemprox:client_security_SetBlanket 0x47f44870, 0x1fa248, 10, 0, (null), 3, 3, 0x0, 0x00000000
fixme:wbemprox:client_security_Release 0x47f44870
fixme:wbemprox:class_object_BeginEnumeration flags 0x00000040 not supported
fixme:wininet:InternetSetOptionW INTERNET_OPTION_HTTP_DECODING; STUB
fixme:module:load_library unsupported flag(s) used (flags: 0x00000800)
fixme:hnetcfg:fw_app_put_Name 0x1a35b90, L"FileFinder"
fixme:hnetcfg:fw_app_put_Enabled 0x1a35b90, -1
fixme:ntdll:server_ioctl_file Unsupported ioctl 900a8 (device=9 access=0 func=2a method=0)
[repeated 1 more time]
fixme:hnetcfg:fw_apps_Remove 0x1a31f20, L"C:\\Program Files\\FileFinder\\FileFinder.exe"
fixme:hnetcfg:fw_app_put_Name 0x649bd20, L"FileFinder"
fixme:hnetcfg:fw_app_put_Enabled 0x649bd20, -1
fixme:ntdll:server_ioctl_file Unsupported ioctl 900a8 (device=9 access=0 func=2a method=0)
[repeated 1 more time]
fixme:hnetcfg:fw_apps_Remove 0x64975e0, L"C:\\Program Files\\FileFinder\\FileFinder.exe"
fixme:module:load_library unsupported flag(s) used (flags: 0x00000800)
[repeated 1 more time]
Help - Possible malware
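As an added example (not from this thread and not WineHQ code), here is a small Python script that reads a Wine log the way a defender triages it: it parses Wine's level:channel:function format, expands the hand-written "[repeated N more times]" markers, and pulls out the debug channels that wrap Windows APIs worth a second look. The channel descriptions are my own annotations of what each Wine DLL implements (hnetcfg is Wine's Windows Firewall COM API, wininet the HTTP client, secur32 authentication and Schannel TLS, wbemprox WMI). The sample input is an excerpt of the log posted above; the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Wine's debug output format: "<level>:<channel>:<function> <message>"
WINE_LINE = re.compile(
    r"^(?P<level>err|fixme|warn|trace):(?P<channel>[^:\s]+):(?P<func>\S+)\s*(?P<msg>.*)$"
)
# The poster's hand-made markers: "[repeated 4 more times]" / "[error repeated 17 more times]"
REPEAT = re.compile(r"^\[(?:error )?repeated (?P<n>\d+) more time")
# Wine prints wide-string arguments as L"..." with backslashes doubled
WSTR = re.compile(r'L"((?:[^"\\]|\\.)*)"')

# Debug channels that wrap Windows APIs a defender wants to know about.
# The descriptions are my annotations of what each Wine DLL implements.
CHANNELS_OF_INTEREST = {
    "hnetcfg": "Windows Firewall COM API (INetFwAuthorizedApplications)",
    "wininet": "WinINet HTTP client",
    "secur32": "authentication packages and Schannel TLS",
    "wbemprox": "WMI queries (system and hardware enumeration)",
}


def parse_wine_log(text):
    """Parse Wine stderr into records, expanding the '[repeated N more times]' markers."""
    records = []
    for raw in text.splitlines():
        raw = raw.strip()
        rep = REPEAT.match(raw)
        if rep and records:
            # the marker means the previous record occurred N more times
            records.extend([dict(records[-1])] * int(rep.group("n")))
            continue
        m = WINE_LINE.match(raw)
        if m:
            records.append(m.groupdict())
        # "wine: ..." status lines and anything unparseable are ignored
    return records


def channel_counts(records):
    """Count messages per (level, channel); noise such as gdiplus and module dominates by volume."""
    return Counter((r["level"], r["channel"]) for r in records)


def interesting_calls(records):
    """Collect the API calls made through channels of interest, keyed by channel."""
    calls = defaultdict(list)
    for r in records:
        if r["channel"] in CHANNELS_OF_INTEREST:
            calls[r["channel"]].append(f'{r["func"]} {r["msg"]}'.strip())
    return dict(calls)


def firewall_app_paths(records):
    """Return executable paths the program passed to the firewall-application API."""
    paths = set()
    for r in records:
        if r["channel"] != "hnetcfg":
            continue
        for arg in WSTR.findall(r["msg"]):
            if arg.lower().endswith(".exe"):
                paths.add(arg)
    return sorted(paths)


def triage(text):
    """One-call summary of which subsystems the program touched, according to the log."""
    records = parse_wine_log(text)
    return {
        "total_messages": len(records),
        "per_channel": channel_counts(records),
        "calls": interesting_calls(records),
        "firewall_exe_paths": firewall_app_paths(records),
    }


# Constructed sample: an excerpt of the log posted above (paths kept as Wine prints them).
SAMPLE_LOG = r"""
err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated.
fixme:module:load_library unsupported flag(s) used (flags: 0x00000800)
[repeated 4 more times]
fixme:wbemprox:class_object_BeginEnumeration flags 0x00000040 not supported
fixme:wininet:InternetSetOptionW INTERNET_OPTION_HTTP_DECODING; STUB
fixme:hnetcfg:fw_app_put_Name 0x1a35b90, L"FileFinder"
fixme:hnetcfg:fw_app_put_Enabled 0x1a35b90, -1
fixme:hnetcfg:fw_apps_Remove 0x1a31f20, L"C:\\Program Files\\FileFinder\\FileFinder.exe"
fixme:secur32:schan_get_cipher_algid Don't know CALG for encryption algorithm 4, returning 0
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total_messages']} messages")
    for (level, chan), n in summary["per_channel"].most_common():
        print(f"  {n:4d} {level}:{chan}")
    for chan, calls in summary["calls"].items():
        print(f"{chan}: {CHANNELS_OF_INTEREST[chan]}")
        for c in calls:
            print("   ", c)
    print("firewall app paths:", summary["firewall_exe_paths"])
```

What this extracts from the posted log is the behaviour the log can actually show: the program registered an entry named "FileFinder" in the Windows Firewall authorized-applications list, removed one for C:\\Program Files\\FileFinder\\FileFinder.exe, used WinINet and Schannel for HTTP(S), and ran WMI enumeration. That is a list of subsystems touched, not a verdict on whether the binary is malicious; a log of stubbed API calls says nothing about what the program did on the host, which is why a scan of the system and the downloaded file is still the right next step.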
Re: Help - Possible malware
Console output won't tell us whether something is malware or not. Run a virus scan on your system if you think it is.
Not related to your question, but you are going to have to fix this:
err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.
Many Windows apps won't work without it.
Re: Help - Possible malware
Thank you for your reply - didn't know the log wasn't enough.
I installed & ran ClamXAV, and found & deleted the OSX.Spigot spyware.
I would greatly appreciate it if you have other suggestions of antivirus for Mac OS.
