
Any idea what these files might be


petermeachem

Programmer
Aug 26, 2000
2,270
GB
I've found a fair old collection of odd files on my wife's XP PC. There were a lot of double-extension files in the root of C: and in My Documents. All were really applications, some pretending to be RAR, some MPEG, some HTML etc. They seemed to be dated every few days. I deleted those and found more in Windows\Temp. They are all around 90k and have names like Dvw3, cp5, jo3, zxo4 and so on. There are 60 of them, dated from 17th Dec last year to today (ominously).
They are obviously nasty (I looked at one with a text editor. Most was binary, but some of the text I could see was 'Mailto' and 'rcpt from').

Does anyone know

a) What it is
b) How I can get rid of it.

Thanks in advance.
Peter Meachem
peter @ accuflight.com
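The files described in the post are the classic mass-mailer pattern: an executable carrying a second extension (Windows XP hides known extensions by default, so holiday.mpeg.exe displays as holiday.mpeg), plus small extension-less executables dropped in the temp directory that contain the SMTP strings the worm needs for its own mail engine. The triage script below is an added example, not code from the thread or from any AV vendor: it identifies files by their header bytes rather than their name, flags double extensions, and looks for SMTP markers inside anything that is actually a PE executable. The marker list, the size of the fake PE stub and the sample file names are constructed for illustration.

```python
import os
import re
import tempfile

# Every Windows PE (EXE, DLL, SCR, PIF-disguised EXE) starts with "MZ".  Checking
# the header instead of the name is what catches "holiday.mpeg.exe" and the
# extension-less droppers ("Dvw3", "cp5", ...) that the post found in Windows\Temp.
PE_MAGIC = b"MZ"
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "dll"}
# "<something>.<data-type>.<executable-type>", e.g. holiday.mpeg.exe
DOUBLE_EXT = re.compile(r"^.+\.([a-z0-9]{2,5})\.(exe|scr|pif|com|bat)$", re.IGNORECASE)
# Strings a self-contained SMTP engine has to carry (constructed list; the post
# reports seeing 'Mailto' and 'rcpt' in one of the files).
MAIL_MARKERS = (b"mailto", b"rcpt to", b"mail from", b"helo ")


def classify_file(path: str, read_limit: int = 1 << 20) -> list[str]:
    """Return human-readable findings for one file; an empty list means nothing odd."""
    findings = []
    name = os.path.basename(path)
    m = DOUBLE_EXT.match(name)
    if m:
        findings.append(f"double extension: looks like .{m.group(1).lower()}, "
                        f"runs as .{m.group(2).lower()}")
    with open(path, "rb") as fh:
        data = fh.read(read_limit)
    if not data.startswith(PE_MAGIC):
        return findings  # not an executable: a text file mentioning mailto is fine
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in EXEC_EXTS:
        findings.append("PE executable with "
                        + (f"non-executable extension .{ext}" if ext else "no extension"))
    lowered = data.lower()
    hits = [mk.decode().strip() for mk in MAIL_MARKERS if mk in lowered]
    if hits:
        findings.append("executable contains SMTP strings: " + ", ".join(hits))
    return findings


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk root and return {relative path: findings} for every file with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            findings = classify_file(full)
            if findings:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report[rel] = findings
    return report


def build_sample_dir() -> str:
    """Create a throwaway directory of constructed look-alike files (no real malware)."""
    root = tempfile.mkdtemp(prefix="triage_")
    # Minimal fake PE: MZ header, a PE signature and padding.  Not loadable, just
    # enough for header-based identification.
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 512
    samples = {
        "holiday.mpeg.exe": fake_pe + b"HELO x\r\nMAIL FROM:<a@b>\r\nRCPT TO:<c@d>\r\nmailto:",
        "temp/Dvw3": fake_pe + b"mailto:me\x00RCPT TO:",
        "notes.txt": b"contact: mailto:peter@example.invalid\n",  # text, not a PE
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 100,        # real JPEG magic
    }
    os.makedirs(os.path.join(root, "temp"))
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for rel, found in sorted(scan_directory(sample_root).items()):
        print(rel)
        for item in found:
            print("   -", item)
```

Point scan_directory at the root of C:, My Documents and the Windows temp directory to get a short list of candidates; it is a triage aid, not a verdict. A legitimate mail client is also a PE containing "RCPT TO", so the strong signals are the combination of double extension or missing extension, an MZ header and SMTP strings in the same small file, which is exactly the pattern the post describes.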

 
Having deleted the files, another executable has turned up half an hour later in Windows\Temp.
Ad-Aware found nothing; I'm now scanning with Norton AV.
Peter Meachem
peter @ accuflight.com

 
Klez, apparently.

Now how did that happen? We have Norton AV on the server and I thought Klez only came via email. Norton has certainly caught a lot of copies in the past.
Peter Meachem
peter @ accuflight.com

 
Is all mail coming through the server? Does anyone check other mail on the workstations (i.e. Yahoo, Hotmail)?

I thought that email was the path Klez loved too.
"Jack of all trades. Master of none."
 
Nope, it's all through the server. FixKlez seems to have fixed it. One thing Klez did which I wasn't aware of is that it stopped Task Manager from appearing, so you couldn't see something funny was running.
Peter Meachem
peter @ accuflight.com

 
Hi Peter,
Unless you have tried the new version of Ad-Aware, I would suggest that you download and give Spybot S&D a try. It is free and it certainly found a lot of spyware that Ad-Aware 5.8 did not detect.
Late last year I helped a friend who had similar files to yours; he had loads of Klez infections. After cleaning his system we installed Norton 2003 and to date it has caught any nasty stuff.
That file size of around 90k is a good indicator to check your system for Klez.
One thing I did for him was to add Preview to his Outlook Express toolbar, as there are some virus types that will open automatically; that is how I first got infected.
Will be very interested to know how you got infected, keep us posted when you find out.
Best of luck.
 
The version and patch of Outlook Express that we use supposedly will not open attachments automatically. I don't suppose I shall find where it came from. Anti-virus on the desktops is the only solution, I suppose.
I would like to have a quiet chat with a virus writer to give them my considered opinion, but I think I'd have to join a long queue.

I'll give Spybot a go. It's all such a waste of my time and money.
Peter Meachem
peter @ accuflight.com

 
With the amount of virus writers and hackers in the world today it is almost impossible to protect your network without spending $$$. The only real way to get real protection, as I see it, is having updated AV on each workstation along with a very good firewall between the router and physical gateway, but I'm sure you know that. With all of that you would still have your fingers crossed, hoping not to get a virus before it is known by your AV company.
"Jack of all trades. Master of none."
 
We run Spybot with good results and AVG, and so far ::knocking on wood:: everything has been caught in time.

My neighbor, though, called me over for some help. I gave up by the time AVG counted 3,700 Klez infections... the PC would not even boot up, it was so bad. That's not counting the bad site dialers and whatnot that we found. He's now firewalled off with AVG and Spybot. Life is good... for now ;)

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
I just installed Ad-Aware 6.0. When I ran it, it found entries left over from three months ago when I had Xupiter. I have been using and updating Spybot regularly. So I now use both. One should get what the other misses.
 
Hey Jeff, where did you go to download your version of Spybot? Also, does it use up a lot of resources, or is it an executable?

Thanks
"Jack of all trades. Master of none."
 