[sirsie]

Hi,
I have a whole list of unknown files, I presume they are of a virus or spyware origin. But something definite would be helpful.
They all have a time stamp of 25/06/03 if that is any help. There were over 30 files, all 10Kb in size.
If they were viruses then the payload has been removed, when you click on one it becomes memory resident!

would anyone know what caused this?


some examples (all random file names)

Aax81A5.exe 10 Kb 25/06/03
Ahw32A5.exe

CihD252.exe
Cq90E4.exe
Dy90A0.exe
Ear9120.exe

FdqD2D1.exe
GpkA020.exe

HzD2D4.exe
Imi3171.exe

JgB325.exe
Mpy9121.exe
Nq4250.exe

Pu3171.exe
Qsv142.exe
Rao1222.exe

Xh8381.exe
Yku8093.exe
Zd8385.exe

[Advertisements]

I forgot to sign off and say thanks in advance if anybody can help.
Simon
(SirSie)

[sirsie]

I forgot to sign off and say thanks in advance if anybody can help.
Simon
(SirSie)

[-=jonnyrotten=-]

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

-=jonnyrotten=-

[sirsie]

Hi,
thanks very much for your reply.
the PC has had the infections removed already, I am trying to find out what virus or spyware caused these files in the first place, as I need to tell the user what happened to their PC. I seems unusual that all the files are 10KB in size, I was hoping someone had seen this before.
Cheers
SirSie

[-=jonnyrotten=-]

Have you tried a google search on each file?

-=jonnyrotten=-

[sirsie]

Hi,
yes I've tried google, but they are all random file names, so no luck.
thanks anyway
SirSie

[-=jonnyrotten=-]

Well someone may recognize them, I know I don't though.

They look similar to these:

O4 - HKLM\..\Run: [JYXOH931.exe] C:\WINDOWS\system32\JYXOH931.exe
O4 - HKLM\..\Run: [Z2WDQLRP.exe] C:\WINDOWS\system32\Z2WDQLRP.exe
O4 - HKLM\..\Run: [FJMTSEYI.exe] C:\WINDOWS\system32\FJMTSEYI.exe
O4 - HKLM\..\Run: [VXSNC3EC.exe] C:\WINDOWS\system32\VXSNC3EC.exe
O4 - HKLM\..\Run: [SH11PD2S.exe] C:\WINDOWS\system32\SH11PD2S.exe
O4 - HKLM\..\Run: [I8OK6QNG.exe] C:\WINDOWS\system32\I8OK6QNG.exe
O4 - HKLM\..\Run: [X2B4KL19.exe] C:\WINDOWS\system32\X2B4KL19.exe
O4 - HKLM\..\Run: [6EOKRHLJ.exe] C:\WINDOWS\system32\6EOKRHLJ.exe
O4 - HKLM\..\Run: [C5A7ISZ9.exe] C:\WINDOWS\system32\C5A7ISZ9.exe
O4 - HKLM\..\Run: [B4MJFI4U.exe] C:\WINDOWS\system32\B4MJFI4U.exe
O4 - HKLM\..\Run: [ZAUO1HQB.exe] C:\WINDOWS\system32\ZAUO1HQB.exe
O4 - HKLM\..\Run: [15ZH8C38.exe] C:\WINDOWS\system32\15ZH8C38.exe
O4 - HKLM\..\Run: [SVJJETQ9.exe] C:\WINDOWS\system32\SVJJETQ9.exe
O4 - HKLM\..\Run: [BXFYRJVN.exe] C:\WINDOWS\system32\BXFYRJVN.exe
O4 - HKLM\..\Run: [NW922BYO.exe] C:\WINDOWS\system32\NW922BYO.exe
O4 - HKLM\..\Run: [S29LFOLX.exe] C:\WINDOWS\system32\S29LFOLX.exe
O4 - HKLM\..\Run: [DC5OMKDS.exe] C:\WINDOWS\system32\DC5OMKDS.exe
O4 - HKLM\..\Run: [F2653LPC.exe] C:\WINDOWS\system32\F2653LPC.exe
O4 - HKLM\..\Run: [4E8F1COZ.exe] C:\WINDOWS\system32\4E8F1COZ.exe
O4 - HKLM\..\Run: [228PV3S8.exe] C:\WINDOWS\system32\228PV3S8.exe
O4 - HKLM\..\Run: [CYJU3Q16.exe] C:\WINDOWS\system32\CYJU3Q16.exe
O4 - HKLM\..\Run: [6FLD6HPM.exe] C:\WINDOWS\system32\6FLD6HPM.exe
O4 - HKLM\..\Run: [UUYVEZPW.exe] C:\WINDOWS\system32\UUYVEZPW.exe
O4 - HKLM\..\Run: [JKOB3QZV.exe] C:\WINDOWS\system32\JKOB3QZV.exe
O4 - HKLM\..\Run: [824BNV5U.exe] C:\WINDOWS\system32\824BNV5U.exe
O4 - HKLM\..\Run: [NNVIIBKB.exe] C:\WINDOWS\system32\NNVIIBKB.exe
O4 - HKLM\..\Run: [JP54FCT9.exe] C:\WINDOWS\system32\JP54FCT9.exe

Check out the thread here:

http://www.geekstogo...t=0

If it looks the same to you I think all these are headed by these:

O4 - HKLM\..\Run: [Windows NT Update Manager] WINL0G0N.exe

W32 Shoho @ MM
http://[email protected]

-=jonnyrotten=-