Is it a virus????


Todger O'Toole

Running Norton Internet Security 2005 on my XP home PC and every so often
NIS advises me that a certain program, e.g. "3941.exe", is trying to access a
DNS server and that they recommend I should always BLOCK this process
........ which I do.
The file concerned is always a different number each time.
It's always located in C:/Docs and Settings/My Name/Local Settings/Temp
....... at the present moment the folder contains 10723.exe, 14756.exe,
15091.exe, 17871.exe. Strangely all showing 0 KB as file size .... ???
Sometimes I can delete the files but at other times the PC tells me that the
program is being used by another program and cannot be deleted.
Obviously some program is generating these "random number.exe" files but I
can't figure out which program it is.
I've run the files through Norton AntiVirus and a trojan scanner and neither
reports a problem. I've even tried letting the file access the DNS server but
nothing appears to happen (but then it wouldn't if it was up to no good).
Anyone else come across this one - or any ideas would be appreciated.
Regards
Todger
 

Ian Kenefick

Running Norton Internet Security 2005 on my XP home PC and every so often
NIS advises me that a certain program, e.g. "3941.exe", is trying to access a
DNS server and that they recommend I should always BLOCK this process
....... which I do.

You blocked the process from phoning home. All you have to do now is
find out what it is.
The file concerned is always a different number each time.
It's always located in C:/Docs and Settings/My Name/Local Settings/Temp
...... at the present moment the folder contains 10723.exe, 14756.exe,
15091.exe, 17871.exe. Strangely all showing 0 KB as file size .... ???
Sometimes I can delete the files but at other times the PC tells me that the
program is being used by another program and cannot be deleted.

Try using 'Process Explorer' from Sysinternals and terminate the
xxx.exe, where x is a number. You should now have unlocked it and be
able to submit the file for analysis. You can read more about this
here: http://www.ik-cs.com/suspicious-files.htm
Obviously some program is generating these "random number.exe" files but I
can't figure out which program it is.
I've run the files through Norton AntiVirus and a trojan scanner and neither
reports a problem. I've even tried letting the file access the DNS server but
nothing appears to happen (but then it wouldn't if it was up to no good).

You can use the Multi_AV.exe tool available from our website,
http://www.ik-cs.com/got-a-virus.htm . This allows you to scan your
machine with multiple antivirus engines, so hopefully one of these will
pick up the file and disinfect your PC before your vendor has a chance
to release an update to detect this malware (if it is malware) in the
future.
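As an added triage example that is not part of the thread (the file names and the process table below are constructed to match what Todger describes, not real data), this Python script lists all-digit .exe files in a Temp folder with their sizes and walks a Process Explorer-style parent chain to find what launched one of them:

```python
import os
import re
import tempfile
from collections import namedtuple

# File names as described in the thread: digits only, .exe extension.
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)

def find_numeric_exes(temp_dir):
    """Return [(name, size_bytes)] for each all-digit .exe directly in temp_dir.
    A 0-byte entry is often still held open by its creator, hence undeletable."""
    hits = []
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if os.path.isfile(path) and NUMERIC_EXE.match(name):
            hits.append((name, os.path.getsize(path)))
    return hits

Proc = namedtuple("Proc", "pid ppid image")

def spawner_chain(procs, image_name):
    """Walk parent PIDs from the process whose image is image_name up to the root,
    returning image paths child-first; [] if no such process is running."""
    by_pid = {p.pid: p for p in procs}
    cur = next((p for p in procs if os.path.basename(
        p.image.replace("\\", "/")).lower() == image_name.lower()), None)
    chain, seen = [], set()
    while cur is not None and cur.pid not in seen:   # seen guards PID-reuse loops
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain

# Constructed process table (hypothetical PIDs and paths) modelled on the
# thread's eventual finding that Time.exe launches the numbered files.
SAMPLE_PROCS = [
    Proc(4, 0, "System"),
    Proc(600, 4, r"C:\WINDOWS\explorer.exe"),
    Proc(1200, 600, r"C:\Program Files\Time Sync\Time.exe"),
    Proc(1340, 1200, r"C:\Documents and Settings\user\Local Settings\Temp\3941.exe"),
]

def make_sample_temp():
    """Scratch folder with constructed 0-byte files mimicking the symptom."""
    d = tempfile.mkdtemp()
    for name in ("10723.exe", "14756.exe", "readme.txt"):
        open(os.path.join(d, name), "wb").close()
    return d
```

On a real machine you would point find_numeric_exes at the actual Temp path and build the Proc list from a process listing (Process Explorer or tasklist) rather than SAMPLE_PROCS; the chain's second entry is the program to investigate.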
 

Pablo Guildenstern

Running Norton Internet Security 2005 on my XP home PC and every so often
NIS advises me that a certain program, e.g. "3941.exe", is trying to access a
DNS server and that they recommend I should always BLOCK this process
....... which I do.
The file concerned is always a different number each time.
It's always located in C:/Docs and Settings/My Name/Local Settings/Temp
...... at the present moment the folder contains 10723.exe, 14756.exe,
15091.exe, 17871.exe. Strangely all showing 0 KB as file size .... ???
Sometimes I can delete the files but at other times the PC tells me that the
program is being used by another program and cannot be deleted.
Obviously some program is generating these "random number.exe" files but I
can't figure out which program it is.
I've run the files through Norton AntiVirus and a trojan scanner and neither
reports a problem. I've even tried letting the file access the DNS server but
nothing appears to happen (but then it wouldn't if it was up to no good).
Anyone else come across this one - or any ideas would be appreciated.
Regards
Todger
Nothing should run from ..../Temp
Delete all the Temp files from IE - Tools - Internet Options and
My Computer - C: - Properties - Disk Cleanup
Update your antivirus
Boot to Safe Mode
Do a full scan

Of course, McAfee has a feature that blocks anything in Temp
from executing anyway.
 

Ian Kenefick

Delete all the Temp files from IE - Tools - Internet Options and

Temporary Internet Files are not stored in a folder named 'temp'.
Todger's possible infection is in the temp folder, which is a different
folder not at all related to temporary internet files.
 

Pablo Guildenstern

Temporary Internet Files are not stored in a folder named 'temp'.
Todger's possible infection is in the temp folder, which is a different
folder not at all related to temporary internet files.

I know. That's why I mentioned the other bit as well. It's
always a good idea to dump both lots.
 

Todger O'Toole

Pablo Guildenstern said:
Nothing should run from ..../Temp
Delete all the Temp files from IE - Tools - Internet Options and
My Computer - C: - Properties - Disk Cleanup
Update your antivirus
Boot to Safe Mode
Do a full scan

Did all that before I posted this request for help.

Of course, McAfee has a feature that blocks anything in Temp
from executing anyway.
 

Todger O'Toole

Ian Kenefick said:
You blocked the process from phoning home. All you have to do now is
find out what it is.


Try using 'Process Explorer' from Sysinternals and terminate the
xxx.exe, where x is a number. You should now have unlocked it and be
able to submit the file for analysis. You can read more about this
here: http://www.ik-cs.com/suspicious-files.htm


You can use the Multi_AV.exe tool available from our website,
http://www.ik-cs.com/got-a-virus.htm . This allows you to scan your
machine with multiple antivirus engines, so hopefully one of these will
pick up the file and disinfect your PC before your vendor has a chance
to release an update to detect this malware (if it is malware) in the
future.

Thanks Ian, tried everything you mentioned but still no nearer to finding
which program creates these random files that try to dial home (so to
speak). Might be nothing at all but just makes me suspicious that it creates
and tries to use files with random numbers rather than a regular file name
........ obviously done so I can't "block" a particular file being used.
 

Pablo Guildenstern

So, it's re-appearing in .....\Temp even after you've cleared
that out.
Switched off System Restore?
Did you set the scan for All files or just the default
file types? Might be in a Prefetch file that isn't getting
scanned, maybe.
Maybe worth trying the command-line scanner from
Safe Mode with Command Prompt, too.
Or, if your browser's been hijacked, it might be re-installing
itself every time as soon as you go online.
 

Todger O'Toole

Pablo Guildenstern said:
So, it's re-appearing in .....\Temp even after you've cleared
that out.
Switched off System Restore?
Did you set the scan for All files or just the default
file types? Might be in a Prefetch file that isn't getting
scanned, maybe.
Maybe worth trying the command-line scanner from
Safe Mode with Command Prompt, too.
Or, if your browser's been hijacked, it might be re-installing
itself every time as soon as you go online.

Pablo/Ian
Just discovered that it appears to originate from:
C:/Program Files/Time Sync/Time.exe ......... Is this a time sync
program built into XP........ if so it could just be connecting with a
"time" server to automatically adjust the PC's internal clock ?????
If that is the case it seems odd that it generates random file numbers
........... unless time sync has been hijacked .......... cunning!!
 

Malke

Todger said:
Pablo/Ian
Just discovered that it appears to originate from:
C:/Program Files/Time Sync/Time.exe ......... Is this a time sync
program built into XP........ if so it could just be connecting with a
"time" server to automatically adjust the PC's internal clock ?????
If that is the case it seems odd that it generates random file numbers
.......... unless time sync has been hijacked .......... cunning!!

This is not part of Windows. A Google for time.exe shows that you've got
a trojan. Here's one of the links:

http://www.bleepingcomputer.com/startups/time.exe-7262.html

Malke
 

Ian Kenefick

Pablo/Ian
Just discovered that it appears to originate from:
C:/Program Files/Time Sync/Time.exe ......... Is this a time sync
program built into XP........ if so it could just be connecting with a
"time" server to automatically adjust the PC's internal clock ?????
If that is the case it seems odd that it generates random file numbers
.......... unless time sync has been hijacked .......... cunning!!

Time.exe might be legit. I googled it and there are entries for
'Toxbot' and 'Trojan-Downloader' and the notorious 'CWS' but also for
a legitimate time sync tool.

http://tinyurl.com/6ph4y for the legit

http://tinyurl.com/cmvyx for CWS

You need to send the file to your vendor for analysis! See previous
post for this.
 

Todger O'Toole

Todger O'Toole said:
Running Norton Internet Security 2005 on my XP home PC and every so often
NIS advises me that a certain program eg "3941.exe" is trying to access a
DNS server and that they recommend I should always BLOCK this process
snipped



Hi all,
Thanks for all the help. I removed Time.exe and its associated folders etc.
and its registry entry. Did this on Thursday and have had no re-appearance so
far.
My PC is from Dell and they do come with a time.exe program to sync the
system clock, so I suspect my original time.exe was hijacked by the trojan
......... file size was about twice the size of the original. Have yet to
re-install Dell's version...........
Todger
 
