Hundreds of winXXX files

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by impy2101, Feb 18, 2005.

  1. impy2101

    impy2101 Private E-2

    I've been hunting all morning for this problem I found on a user's computer yesterday. I'm not done with his computer - I was disconnected abruptly and have not been able to get back on...so I have a lot of vague information.

    Essentially, the user was (re)infested with spyware. I dialed in, started cleaning and found, first in HKEY_LocalMachine/Software, literally hundreds of folders all starting with the name win followed by either 3 or 4 more characters, i.e. winaxh or wincbm. The selfsame names were also found in the Run (start-up) folder and also in the processes tab. The files themselves were in the c:\windows directory and I believe they had a .com extension (but I didn't have the view file extensions turned on yet). After I deleted all entries in the registry and windows directory...after rebooting another 20 or 30 popped back in. I am assuming if I wait long enough they will build back up to hundreds again. I don't have a copy of one of the files to examine...as I said...I got knocked off...but wanted to start asking questions, in case someone here knows what it is and how to 'cure' it.

    Thanks,
    Wynne
     
  2. impy2101

    impy2101 Private E-2

    Sigh...no takers? Anybody? Anybody?

    Well, it's gone now...I got rid of it. Lucky me. I never did figure out what it was.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Standard procedures apply:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. impy2101

    impy2101 Private E-2

    Thanks for replying but standard procedures don't apply here. The problem is now gone. I just wondered if anyone recognized the behavior? I've been searching all over the Internet looking for what this was...virus? trojan? malware? I've been cleaning up spyware for people for quite some time now and this is the first time I've written in this forum to ask for help. I'm not now asking for someone to solve my problem, just asking if anyone has ever seen it?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There have been many cases of what are called "unknown trojans" doing stuff like that. You can find many random named folders with a randomly named executable file in the folder and many times they are being loaded at startup of your computer.

    Are you sure you no longer have a problem? Even possibly other problems. Experience usually tells us where there is one problem there are more.
     
  6. impy2101

    impy2101 Private E-2

    Yes. I'm sure. I've been doing this for quite some time now. I was hoping to glean some information on this particular little nasty. While the multitude of files/folders had random endings, the first part of the name of all of these had a 'win'. All the file names were either 6 or 7 characters long. I was curious as to what the purpose of this one was...having never seen it before. I did try googling it but found nothing. It would be nice if there was a forum in which experienced people could get together and discuss new variants and their behaviors. Sometimes thoughtful discussion results in quicker detection, removal and possibly prevention.
     
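A read-only triage script in the spirit of Wynne's description, added here as an example and not something posted in the thread: it lists HKLM\SOFTWARE subkeys, Run entries, files in the Windows directory and running processes whose name fits the 'win' + 3 or 4 character pattern from posts 1 and 6. The regex, the locations and the .com extension are assumptions taken from those posts; legitimate names such as wininit, winhelp or winver also fit the pattern, so the output is a list to review, not a list to delete.

```powershell
# Added triage example (not from the thread). Read-only: reports, never deletes.
# Assumption from posts 1 and 6: names are 'win' + 3 or 4 characters (6-7 total).
$pattern = '^win[a-z0-9]{3,4}$'   # -match is case-insensitive by default
$hits    = @()

# 1. Subkeys directly under HKLM\SOFTWARE (where the hundreds of keys were seen)
Get-ChildItem -Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $pattern } |
    ForEach-Object { $hits += [pscustomobject]@{ Where = 'HKLM\SOFTWARE'; Name = $_.PSChildName; Detail = $_.Name } }

# 2. Run-key values (machine-wide and per-user): match on the value name or on
#    the base name of the executable the value launches
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $cmd = ([string]$p.Value) -replace '"', ''
        $exe = [System.IO.Path]::GetFileNameWithoutExtension($cmd.Split(' ')[0])
        if ($p.Name -match $pattern -or $exe -match $pattern) {
            $hits += [pscustomobject]@{ Where = $key; Name = $p.Name; Detail = $p.Value }
        }
    }
}

# 3. Files in the Windows directory itself (not System32); any extension, .com included
Get-ChildItem -Path $env:WINDIR -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match $pattern } |
    ForEach-Object { $hits += [pscustomobject]@{ Where = $env:WINDIR; Name = $_.Name; Detail = "$($_.Length) bytes, created $($_.CreationTime)" } }

# 4. Running processes with a matching image name (the 'processes tab' observation).
#    Note: wininit.exe on Vista and later is legitimate and matches this pattern.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match $pattern } |
    ForEach-Object { $hits += [pscustomobject]@{ Where = 'process'; Name = $_.ProcessName; Detail = "PID $($_.Id) $($_.Path)" } }

$hits | Sort-Object Where, Name | Format-Table -AutoSize
"$($hits.Count) matching artefact(s). Re-run after a reboot: a growing count is the respawn behaviour described in the thread."
```

Run it once before and once after a reboot and compare the two lists; a fresh batch of names that were not present the first time points at a still-active dropper rather than leftovers.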
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't just fix malware problems here. We discuss things here too!
     
