Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: SunTrust Bank Says Former Employee Stole Details on 1.5 Million Customers

Featured Deal: Get 96% off the MCSA SQL Server Training Deal

Is This Malware?

Started by cafecoral , May 04 2010 05:40 PM

Please log in to reply

3 replies to this topic

#1 cafecoral

Members
3 posts
OFFLINE

Local time:03:19 PM

Posted 04 May 2010 - 05:40 PM

Hi,

I was looking through my startup and saw this entry:

13B60F.lnk C:\WINDOWS\system32\8C018A\13B60F.EXE

Does this look like some sort of malware?

I ran a few searches but couldn't find any information about the entry. When I locate and open the folder "*C018A" the contents are empty (even when I expose hidden files),. I can't find any trace of the executable: 13Bg0F.exe

Not sure if this is relevant, but there is also another folder "486C01" right below it and there is a *.txt file inside it.

Thank you for any info.
dom

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 quietman7

Bleepin' Janitor

Global Moderator
50,939 posts
OFFLINE

Gender:Male
Location:Virginia, USA
Local time:04:19 PM

Posted 05 May 2010 - 01:55 PM

Usually if you cannot find any information on a file, its likely to be malware related but that's not always the case, especially since you are not reporting any symptoms of infection. It's also possible the file has already been removed and what you have is an associated reference (lnk file) to it in your startup. A lnk file is a shortcut which points to an .exe file located elsewhere on your system and can contain attributes to define how the program runs. Lnk files are primarily associated with the Windows operating system.

What does the text file in the other folder say when you open it?

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click

Back to top

#3 cafecoral

Topic Starter

Members
3 posts
OFFLINE

Local time:03:19 PM

Posted 06 May 2010 - 07:10 AM

Thank you for your reply!

when I open the text file in the other folder, it looks like a bunch of gibberish:

---START---

WCDB¸õõšOÏv‘p^zIÓ0-Ñ›½
—rùýO ¯HËÅ;•«JXòºIíCAÄn!?/!z)E4a#<_1rCKLŠdMÀ $µ]·ýÌ5˜ý`¿° œ¾+6·Ð×!è·M¡*3?çjSr=w$!!:âæo
”Ý3D¤+¢?M+Ã$g•ì^v¹âíóI0¯@.5@Ìò+’Äv÷•Ð9¢yFãnÝÊ‡ó6&ý—«×Ëú-ž°£W> pëý…é$¥kã(E›£,ÑU²"ÈQæÃ%¤’Å(r¿iGâh—Rcdî¸‹TÏäÜrŒB£vþ¼(…w–mBe‰Æ<®påú+‚×ô¸¬KF€€(‘G©ô’æë)j~²UynW
"`ç«2àIèÌ˜”žlO6×Ã…Å¶²†Ã¥Ê‡(¢ä_û¢]Ê\U{ø>ö…&¸Ÿ'Î€ºõe5ˆ‰ƒ‡™ø8wšx0ë©Õ÷¾iíÞ ²FÌàý@8dœD`o£{—Ô_97~ôˆ&Ïö;úä×ªÏ èWØ¨ü™#>Ì¹ÇÛÖa@RC®ü¦¶v)Sb¿»è
—2FS®ª³lÖ ^MqÝ-´–K¹W†~ öW„Æ‡!hÎ‚;ñmøgvª ÙlüK»'Yno²Ç4ó‰`«í— ÇÄhÿ#UÑ,É¬CL¤ª5pr@¤Ãw©¼Š…•nWEk’ ZE U/Í¿&ó½
×ŸÃ×v%»`¥åYetõE*0~ÞžÆíôR[;Î…PÆÂ_
ï%õÀêÌôé®Ç-ÞÎD16WÊŠî^ŒîÏ´Ü›Î©ÔŽ*ì»êdXƒ=4øKü›ïéñ_Iâ¯åX [B½¡˜<6D; b±~U{êé…‘Åa£^Õ¤koprJvqMl¦r?¥Æ°s×@<òóŠîÒ˜ë¾¾6‘8Ûƒkû‰¿èwrÛŸ˜àódh
”/è:_ïÞçwdûÈ—ñû#Ýàé¯HèhLVÊ…ÓœTgÝ‘{ß°Ÿaã¸(ðvùGñ`Œ¥ÞÕÍ’¦æZêÈÖ•1êm“èŠØâ©·ºêÕj«ÞŽ–ÝeŽ Ðs–Ì1ã+ŒQÔ.Dkëf²ä?!:¤†]¯ÊæòAõiò™áYËZ
O:”T
5Ž.ê‹ë³Máôzä¼-¦¼Ÿ…úÚÛ
×ƒô L¼ö¶#‘Šm¹À17§Î?"qß]:Ý¤¹pr»ÏÎç\¦'¨¾Éx:Ë>vPl’¸÷e/Lûb‡„¿ÕÏÊCþ¯R°/Ob£ì'¢ÛÃ&[ÚË÷LÑ*7ó¾<ˆ¢RìÉ.ºy²KnaC”š[§:8?ÁÝ‰ÏCrñzi‡ƒH„ ™:ïó¼ pÉ´è?Q&µº*FB
âCRˆ,ôÙ}zÙ„tZò_¤õÕ9)Ž"}\jÃÔã'ö šÚ~öU+‚ë.S)"Å«*
z‘µ§Ç
²ßy¹oë¼§ÅO[_¢8eñiìò(Åÿ½¼ˆUHçoÄÐŸra¸G.9À»>šR¬&‘û—ž>1±ÚÄ&e“òû!ì£nÍ³J²YWEùc*C7$³™-Z÷Gáúm4S½ÜÙå–B©Ÿ4£ÏXp4?ñ¿}ùŽ%ØÓg+>pÅãÙ?‘¯N•ñ,>´Ô€l‘¬ðÄº¡>†¸8š÷‹’/›ªžt^æ¡%xz /ÑêÎådÐ‹F-ë—rA«hÿ¨¿mÜ¹Ã çwZ+há²Å»×¬š-ƒ£Æš¹ÿŸçœ€ƒÕ²ºÚ
œ±5o‚(óÏÞ¶äC¯¬*¸™VÝ•G.«É÷U¨I‰ùì£YÚ•º‰\€«JyZŒSL=Àð1°UéIrià“ªêïò°§ÌïÕ:çk?8ª
9H™–öfCe_éÑI!ãù"ZO÷ôù±-Îý²*–·p+rÍ—Üý†³a§0Mo®¯¤·ð¥Re¡]l¿-n2ÊþÀ.¹ØøòêK¤Þ×L35£Çfeô·l.‰‰sxÞÒd4ñ@n6ÿŒ –…ÞZÇ‚¿µTÂœ’Óƒlkñ¹u=½Ø|i¨ ìã-<îêlà%G)i|ŽÊîË4èÁÑþÆÎon =ß‡I~'¤ySå;T-ìh§e…‰ÍËMÏ£Û7 òœpÔHô—D«×óÈF ž1Ît´JhTßP…–µ?DpÓ
i)aŒÞ‡0 ©’ª;DÿHñü3Ð*®Tch¼¼¿™»Áê¤ûæäelD[âÌsqÊÒvœËÚàÇ 2¡fcO'þ!PÔÇp’r›‡–«³}L>(N †1ÀÙ7ÎFÁ²jR‘Þô ÖÓ(y¾Gó¾*Iwš~xL¢ƒ@¶«/3 TìYß×±¯«ŠÔ3ì¸DgÙß©Ì¼qüS¦#=§ÑÚÌ£rªsÒàC…¦ôuy0XÑøé1¡p¿’Í*êéS€^äåÃäù–Cf
P¤Þss(¨µ°›$wG`ÛŸs
ƒÊâåOF‹º8‡Yžë×òÄù¥ZÙ„=Wy‘ò©ÃÒ¸Ëj–….”»dJ•®ÝžÝ_âØ43«â©]àN "†âaÛx9€‡™Î³ÍU,NïÍŒÏšDƒ\tªŠ2©vA”þîP&Sš
ûEã©"ÏŠÓYWN¯¤qÕé²>,%ùLñw%e
Q}¸ïA¡ã×î›ë_{„¡l@ªÍ=|4žåŒhÆ'½t*=þ&æ8T+éEâV¾/†›ý=(—7}—‹p¤63t”¥¦<ß`'<mIäðµ :#ÀåmÜfPç@Y·}n¢Þ÷4OöÕ¥,¯!e‹ Ax S¸±ôÝ·h#zpToÀÀ
”`)54;>kOóÔ¼ŒÀvÕ›*(æú¨¯i2}áöGbrN½y¬DeìhNM+$s #¸OØöý×Ì¡m/%2þ•r—eôiN’—5Ùm[
J…ýgdš^€e˜•9pËÍ´2ÏìŽÇ·£EAß&ýtº¾ž]åª³ÑÁ¤Œ–>óÉb¯ ©¸°³0>Rlä·iÍq%‹‹ÜÚÄ¶µ©V»/6ÆBØïÑ¡ÚódãVPÆïG±ŒLõÎzØ£¢ê#ê~æË=É!¶î‡SÌmø/|¥ŸP Î×˜I‰¼ñ¬ù_ø>ä–¸¿Cg# ›ÿFî(á£|+¶ÚàzòÙ“ìà…à="òu¶¹Ò &j[EÜ¯Ïš†´ÄÚ$¡Š‹™O
s-p–»Æ³@’üÁé_«=[tÂs»ÒöDý~uNÐÍJ/•„
hÁtÈ*œdÑ!ìiÙê<HºjOÇ%ÒÂ¿ŒØ´€÷g&ç
šÛîHˆ
&®iœ^$u& \µ©[iyùDß§ÙãÚÖu0…NˆsHÜpïÁ†H›É ¯©@¾PN¹ÄˆK¿e.‡œí¬+#WtzÁìºwbR3;Yÿñ“–¦#ç³d½åòÈââ‹<!o\P¾©S§¨0Ô¸
’ÿÉ2ÜŒ1‚ñ•<)-ŽÂXÉ3

---END---

Thanks again,
dom

Back to top

#4 quietman7

Bleepin' Janitor

Global Moderator
50,939 posts
OFFLINE

Gender:Male
Location:Virginia, USA
Local time:04:19 PM

Posted 06 May 2010 - 07:33 AM

When you are unsure about a suspicious or unknown folder(s), you can rename them. If you receive an alert from Windows about renaming, just ignore it. I prefer renaming instead of deleting as deletion leaves you with no option to restore if the folder(s) are later found to be legitimate or needed. Taking no action exposes you to risk if it is not legitimate. After renaming both folders, move them to another location on your drive (i.e. C:\Hold) for a few days. If there are no adverse affects from taking such action, then you can delete them.

As a precaution, I would perform a full system scan with your anti-virus and an anti-malware program like Malwarebytes' Anti-Malware.

As for the startup entry, you can remove it. Please download AutoRuns and save it to your Desktop.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to these instructions.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file (13B60F) you need to remove.
Right-click on the entry and choose delete.
Reboot your computer when done.