
Is This Malware?



#1 cafecoral


Posted 04 May 2010 - 05:40 PM

Hi,

I was looking through my startup and saw this entry:

13B60F.lnk C:\WINDOWS\system32\8C018A\13B60F.EXE

Does this look like some sort of malware?

I ran a few searches but couldn't find any information about the entry. When I locate and open the folder "*C018A" the contents are empty (even when I expose hidden files). I can't find any trace of the executable: 13Bg0F.exe

Not sure if this is relevant, but there is also another folder "486C01" right below it and there is a *.txt file inside it.

Thank you for any info.
dom



#2 quietman7


Posted 05 May 2010 - 01:55 PM

Usually if you cannot find any information on a file, it's likely to be malware related but that's not always the case, especially since you are not reporting any symptoms of infection. It's also possible the file has already been removed and what you have is an associated reference (lnk file) to it in your startup. A lnk file is a shortcut which points to an .exe file located elsewhere on your system and can contain attributes to define how the program runs. Lnk files are primarily associated with the Windows operating system.

What does the text file in the other folder say when you open it?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 cafecoral


Posted 06 May 2010 - 07:10 AM

Thank you for your reply!

When I open the text file in the other folder, it looks like a bunch of gibberish:


Thanks again,
dom

#4 quietman7


Posted 06 May 2010 - 07:33 AM

When you are unsure about a suspicious or unknown folder(s), you can rename them. If you receive an alert from Windows about renaming, just ignore it. I prefer renaming instead of deleting as deletion leaves you with no option to restore if the folder(s) are later found to be legitimate or needed. Taking no action exposes you to risk if it is not legitimate. After renaming both folders, move them to another location on your drive (i.e. C:\Hold) for a few days. If there are no adverse effects from taking such action, then you can delete them.

As a precaution, I would perform a full system scan with your anti-virus and an anti-malware program like Malwarebytes' Anti-Malware.

As for the startup entry, you can remove it. Please download AutoRuns and save it to your Desktop.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file (13B60F) you need to remove.
  • Right-click on the entry and choose delete.
  • Reboot your computer when done.
If you're going to keep and use Autoruns, be sure to read:
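The check this thread turns on (does a startup shortcut still point at a file that exists?), as an added example that is not part of the original posts: a read-only PowerShell listing of Startup-folder shortcuts with their resolved targets. It assumes Windows PowerShell 3.0 or later, and the `$hexPattern` heuristic is an assumption built from the single path quoted in the thread.

```powershell
# Added example: list Startup-folder shortcuts and flag orphaned or oddly named targets.
# Read-only: nothing is renamed or deleted.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),         # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')    # All Users Startup folder
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Heuristic built from the one path in this thread (8C018A\13B60F.EXE):
# a six-hex-digit folder holding a six-hex-digit executable. Assumption, not a signature.
$hexPattern = '\\[0-9A-F]{6}\\[0-9A-F]{6}\.exe$'

# WScript.Shell resolves the target and arguments stored inside a .lnk file.
$shell = New-Object -ComObject WScript.Shell

$report = foreach ($dir in $startupDirs) {
    foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Force) {
        $lnk    = $shell.CreateShortcut($file.FullName)
        $target = $lnk.TargetPath
        $exists = $false
        if ($target) { $exists = Test-Path -LiteralPath $target -PathType Leaf }

        # Only a file that is still on disk can have its signature checked.
        $sig = 'n/a'
        if ($exists) {
            $sig = (Get-AuthenticodeSignature -LiteralPath $target).Status
        }

        [pscustomobject]@{
            Shortcut     = $file.Name
            Target       = $target
            Arguments    = $lnk.Arguments
            TargetExists = $exists
            HexNamed     = [bool]($target -match $hexPattern)
            Signature    = $sig
        }
    }
}

# Orphaned links (TargetExists = False) and hex-named targets sort to the top.
$report |
    Sort-Object TargetExists, @{ Expression = 'HexNamed'; Descending = $true } |
    Format-List
```

An entry with `TargetExists` set to `False` matches the situation in post #1: the shortcut remains in startup but the executable it names is no longer on disk.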



