Weird named exes in System32


#1 mariox2098


  • Members
  • 4 posts
  • Local time:09:23 AM

Posted 18 January 2010 - 01:04 PM

Normally if I saw this in another folder, I would just delete it on the spot, but since it's System32, I want to be careful.
There are some exes and dlls that look very out of place and I am wondering if it's safe to just delete them. Here are some examples:


There are at least 30 of them, but there is nothing wrong with my computer and it says that the files were created a while ago.



#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,726 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:23 AM

Posted 18 January 2010 - 01:41 PM

Anytime you come across a suspicious file or one that you do not recognize, search the name using Google.

Or search the following databases:

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 mariox2098

  • Topic Starter

  • Members
  • 4 posts
  • Local time:09:23 AM

Posted 18 January 2010 - 03:46 PM

So I used Jotti because I couldn't find anything on Google or those sites you listed, and it seems most of the files are the same file with a different name.

These are the 2 results i got for most of the files:

Additional info
File size: 122880 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 4aac7a81a5e1b1a96b0a74946bbb05f1
SHA1: 399621f9457fdf2bf265704115e5cb7598943922

Additional info
File size: 984 bytes
Filetype: HTML document text
MD5: fb2b8ad674f479b0be36fc58808b8144
SHA1: 9ee0fdaa1757a991b54de533d16c0093a78d02

with most of the PE32 executables saying "Win32.Trojan.Downloader (http://...)"

Here is one full log from VirusTotal

Antivirus Version Last Update Result
a-squared 2009.09.26 -
AhnLab-V3 2009.09.26 -
AntiVir 2009.09.25 -
Antiy-AVL 2009.09.25 -
Authentium 2009.09.25 -
Avast 4.8.1351.0 2009.09.26 -
AVG 2009.09.26 -
BitDefender 7.2 2009.09.26 -
CAT-QuickHeal 10.00 2009.09.26 -
ClamAV 0.94.1 2009.09.26 -
Comodo 2445 2009.09.26 -
DrWeb 2009.09.26 -
eSafe 2009.09.24 -
eTrust-Vet 31.6.6761 2009.09.25 -
F-Prot 2009.09.25 -
F-Secure 8.0.14470.0 2009.09.26 -
Fortinet 2009.09.26 -
GData 19 2009.09.26 -
Ikarus T3. 2009.09.26 -
Jiangmin 11.0.800 2009.09.26 -
K7AntiVirus 7.10.855 2009.09.26 -
Kaspersky 2009.09.26 -
McAfee 5753 2009.09.26 -
McAfee+Artemis 5753 2009.09.26 -
McAfee-GW-Edition 6.8.5 2009.09.26 Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft 1.5005 2009.09.23 -
NOD32 4459 2009.09.26 -
Norman 6.01.09 2009.09.26 -
nProtect 2009.1.8.0 2009.09.26 -
Panda 2009.09.26 Suspicious file
PCTools 2009.09.25 -
Prevx 3.0 2009.09.26 -
Rising 2009.09.26 -
Sophos 4.45.0 2009.09.26 -
Sunbelt 3.2.1858.2 2009.09.26 -
Symantec 2009.09.26 -
TheHacker 2009.09.26 -
TrendMicro 8.950.0.1094 2009.09.25 -
VBA32 2009.09.25 suspected of Win32.Trojan.Downloader (http://...)
ViRobot 2009.9.26.1958 2009.09.26 -
VirusBuster 2009.09.25 -

Additional information
File size: 122880 bytes
MD5 : 4aac7a81a5e1b1a96b0a74946bbb05f1
SHA1 : 399621f9457fdf2bf265704115e5cb7598943922
SHA256: f34b49574cc579fcffa3588ea3b53bf43fe39c6df744043ec91efbd52f7664a7
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6EC0
timedatestamp.....: 0x4AAA4D63 (Fri Sep 11 15:15:15 2009)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x14D51 0x15000 6.62 512ef8d0dd4cf34397dba4d4420d3925
.rdata 0x16000 0x4760 0x5000 4.86 681f834b1b2b08fc06f8ffd4c958e0c2
.data 0x1B000 0x3920 0x2000 2.22 f6845197cf583eb07422ad7b4543279f
.rsrc 0x1F000 0x4A8 0x1000 2.19 c546ec40e732173239da1887a6f7a9c3

( 8 imports )

> advapi32.dll: RegCloseKey, RegQueryValueExA, RegOpenKeyExA
> kernel32.dll: CreateFileW, GetLocaleInfoW, WriteConsoleW, CreateFileA, RemoveDirectoryA, GetModuleFileNameA, WriteFile, DeleteFileA, lstrcpyA, CreateDirectoryA, ReadFile, SetFilePointer, CloseHandle, lstrcatA, SetEndOfFile, lstrlenA, GetLocalTime, GetVolumeInformationA, ExitProcess, FindResourceA, FreeResource, LoadResource, SizeofResource, GetModuleHandleA, WaitForSingleObject, Sleep, CreateThread, GetConsoleOutputCP, WriteConsoleA, GetLastError, GetStartupInfoA, SetStdHandle, LoadLibraryA, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, GetCommandLineA, GetVersionExA, HeapAlloc, GetProcessHeap, RtlUnwind, RaiseException, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetCPInfo, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetHandleCount, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetACP, GetOEMCP, IsValidCodePage, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeA, GetStringTypeW, HeapSize
> ole32.dll: CoCreateGuid
> rpcrt4.dll: UuidToStringA
> shell32.dll: SHGetSpecialFolderPathA
> urlmon.dll: URLDownloadToFileA
> user32.dll: wsprintfA
> wininet.dll: InternetOpenUrlA, InternetOpenA, InternetCloseHandle

( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 1536:icObZx3mJHtzEVJZ4PR6l1k6kS45gIf2oKnrjIkw1Intr:xOU9VEjo32oKrUbytr
PEiD : -
RDS : NSRL Reference Data Set
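
The scan results in post #3 show two patterns: many differently named files sharing one hash, and files with executable names whose content is an HTML document rather than a PE image. As an added example (not part of the original thread), the following Python script checks a folder for both at once; the function names and the sample file names are constructed for illustration.

```python
import hashlib
import os
import struct
import sys
import tempfile
from collections import defaultdict

def looks_like_pe(data):
    """MZ header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(directory, extensions=(".exe", ".dll")):
    """Return (clusters, not_pe): {sha256: [names]} for content seen under
    2+ names, and names with a PE extension whose content is not PE."""
    by_hash, not_pe = defaultdict(list), []
    for entry in os.scandir(directory):
        if not entry.is_file() or not entry.name.lower().endswith(extensions):
            continue
        try:
            with open(entry.path, "rb") as fh:
                data = fh.read()
        except OSError:
            continue  # locked or unreadable file: skip it, do not abort the scan
        by_hash[hashlib.sha256(data).hexdigest()].append(entry.name)
        if not looks_like_pe(data):
            not_pe.append(entry.name)
    clusters = {h: sorted(n) for h, n in by_hash.items() if len(n) > 1}
    return clusters, sorted(not_pe)

def write_constructed_sample(directory):
    """Constructed stand-ins: a minimal PE stub under two names, HTML named .exe."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
    files = {"qzxk.exe": stub, "wplm.dll": stub,
             "rtyu.exe": b"<html><body>404</body></html>",
             "notes.txt": b"ignored: not an executable extension"}
    for name, content in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    # With no argument, run against the constructed sample directory.
    with tempfile.TemporaryDirectory() as demo:
        write_constructed_sample(demo)
        target = sys.argv[1] if len(sys.argv) > 1 else demo
        print(triage(target))
```

The script only reads and reports; pass a folder path as the first argument to scan it instead of the constructed sample.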

#4 techextreme


    Bleepin Tech

  • Members
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:10:23 AM

Posted 18 January 2010 - 03:51 PM

With Trojan Downloader, you may want to try running Malwarebytes and let it clean what it finds.

Scan for Spyware/Adware

Malwarebytes' Anti-Malware a.k.a. MBAM - Download Free Version - Homepage
Why? Malwarebytes' Anti-Malware is very good at removing the zlob trojan, virtumonde, and most other current infections. This single tool has replaced multiple tools that have been required in the past.
  1. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, confirm a check mark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  2. At the end, confirm a check mark is placed next to the following:
  3. Then click Finish.
  4. If an update is found, it will download and install the latest version.
  5. Once the program has loaded, select Perform quick scan, then click Scan.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Be sure that everything is checked, and click Remove Selected.
  8. When completed, a log will open in Notepad. The rogue application should now be gone.
Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.

Reinstall MBAM if you installed and ran a scan in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.
Post that log for review. When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

If after running Malwarebytes, your computer is still exhibiting any strange behavior, it would be a good idea to post a DDS log in the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum.

To Help the HJT Team please read the following instructions and post your results in the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum. When you post the log, also put a link to this post so the HJT Team knows what all has been done to your computer before posting to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum.

Please be patient, as the HJT team is quite busy sometimes and it may take a day or even a few for someone to pick up your log, but someone will get back to you.

Edited by quietman7, 18 January 2010 - 04:16 PM.


"Admire those who attempt great things, even though they fail."

-- Seneca

#5 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,726 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:23 AM

Posted 18 January 2010 - 04:31 PM

If Malwarebytes Anti-Malware does not detect a file which you have confirmed as malicious, use its built-in FileAssassin feature for removing stubborn malware files.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file(s) to remove using the drop down box next to "Look in:" at the top.
  • When you find the file, click on it to highlight, then select Open.
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully.
  • Click Ok and exit MBAM.
  • If prompted to reboot, then do so immediately.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to move highly persistent files. Using it incorrectly could lead to serious problems with your operating system.

