suspicious files in temp directory


No replies to this topic

#1 mercadmin

Posted 26 May 2010 - 01:13 PM

Hi all,

I was recently clearing out temp files on the computers here at work and came across two users who have strange files in their %Temp% folder. One is on XP and the path is C:\Documents and Settings\<userprofile>\Local Settings\Temp. The other is on Vista and the path is C:\Users\<userprofile>\AppData\Local\Temp. Most of our users run with limited rights but these two users run programs that require them to have local admin rights. The suspicious looking files are as follows:

s2j0.1o
s2j0.2
s2j0.3
s2j0.4
s2j0.5
s2j0.6
s2j0.7
s2j0.8
s2j0.9
s2j0.a
s2j0.b
s2j0.c
s2j0.d
s2j0.e

etc., etc.

I cannot delete these files as they come up as access denied. But I copied one of the files to the desktop of the afflicted computer and changed the extension to .txt. When I opened the file it was a copy of an email message that had come into Outlook that day. Every one of these files that I open is a copy of an email received into Outlook. None of the other computers exhibit this same behaviour when Outlook receives messages. Every day the filenames will change to some other 3-5 random letter and number combination, but the extensions are always .a, .b, .c, .d, .e, .f, etc. and .1, .2, .3, .4, .5 etc., and they are always copies of email messages. Does anyone have an explanation as to what this could be? I'm assuming it is virus related, but Symantec scans and MalwareBytes scans are clean.

Any help or insight would be greatly appreciated.

Thanks!

Update 5-27-2010: I ran Sophos Anti-Rootkit on the Vista machine and it came back clean.

Edited by mercadmin, 27 May 2010 - 07:34 AM.
Move to AII as no logs posted. ~ OB
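A small triage helper for the pattern described in the post above (random 3-5 character basename, sequential one- or two-character extensions, content that is a copy of a mail message). This is an added example, not code from the post or from any BleepingComputer reply; the header heuristic, the sample files and the name pattern are assumptions drawn from the description.

```python
import os
import re
from collections import defaultdict

# Naming pattern from the post: short random basename of letters/digits plus a
# one- or two-character extension such as .1 .2 ... .a .b ... .1o (assumed regex).
NAME_RE = re.compile(r"^[a-z0-9]{3,5}\.[0-9a-z]{1,2}$", re.IGNORECASE)

# Header lines found at the top of an Internet mail message (RFC 5322).
HEADER_RE = re.compile(rb"^(From|To|Received|Subject|Date|Message-ID):",
                       re.IGNORECASE | re.MULTILINE)

def looks_like_email(data: bytes, min_headers: int = 2) -> bool:
    """Heuristic: the first 4 KiB contain at least min_headers distinct mail headers."""
    found = {m.group(1).lower() for m in HEADER_RE.finditer(data[:4096])}
    return len(found) >= min_headers

def classify(files):
    """files: mapping filename -> content bytes.
    Returns {basename: [extensions]} for names matching the pattern whose
    content looks like a mail message, grouped so each day's set is visible."""
    hits = defaultdict(list)
    for name, data in files.items():
        if NAME_RE.match(name) and looks_like_email(data):
            base, ext = name.rsplit(".", 1)
            hits[base.lower()].append(ext.lower())
    return {b: sorted(e) for b, e in hits.items()}

def scan_directory(path):
    """Run classify over a real directory (e.g. %TEMP%). Files that cannot be
    read (access denied, as in the post) are returned separately for follow-up."""
    contents, unreadable = {}, []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        try:
            with open(full, "rb") as fh:
                contents[name] = fh.read(4096)
        except OSError:
            unreadable.append(name)
    return classify(contents), unreadable

# Constructed sample input (not real data from the post): two mail copies, one
# pattern-matching file with binary content, and one ordinary temp file.
SAMPLE = {
    "s2j0.1": b"Received: from mx.example.test\r\nFrom: a@example.test\r\nSubject: hi\r\n\r\nbody",
    "s2j0.a": b"From: b@example.test\r\nTo: c@example.test\r\nDate: Wed, 26 May 2010\r\n\r\nbody",
    "s2j0.b": b"\x00\x01\x02 binary scratch data",
    "~DF1234.tmp": b"From: x@example.test\r\nSubject: y\r\n",
}

if __name__ == "__main__":
    for base, exts in classify(SAMPLE).items():
        print(f"{base}: {len(exts)} mail copies ({', '.join(exts)})")
```

Run `scan_directory(os.environ["TEMP"])` on the affected machine to get both the grouped mail copies and the list of files the account could not read.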

