| Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient. |
#1
Has anyone ever heard of a file called "AU_.exe"? If so, what is its purpose?
The way I've found this file is through uninstalling a media codec called 3ivx. After uninstalling 3ivx a hidden folder is created under C:\Documents and Settings\*User*\Local Settings\Temp\~nsu.tmp which contains the AU_.exe file. There is also an apparently related file in C:\Windows\Prefetch called "AU_.EXE" which has some random numbers and letters after its name and ends in the usual prefetch file extension of ".pf". I've heard that this file may be part of the SpyFalcon trojan but the version I've found appears to be a simple temp file that is created after uninstalling 3ivx. It is also deleted after restarting the PC and that's when CCleaner identifies it as a missing MUI reference. I've also heard that it may be part of Nullsoft Uninstallers. Please let me know what you guys think it is. Thanks
#2
Yes as far as I know it is part of Nullsoft Install System (NSIS). As long as it is cleaning up after itself upon your next reboot, it should not be an issue. Also you are only noticing it after doing the uninstall of 3ivx which again supports the relationship to NSIS.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."
#3
Quote:
When SpyFalcon (or related viruses using AU_.exe as a cover) infects a system doesn't AU_.exe usually show up in Task Manager as an executable that is initiated at startup and runs continuously? Also, do any of the SpyFalcon or other AU_.exe viruses implant files in the Windows Prefetch or Documents and Settings folders?

Last edited by DTS; 12-06-07 at 17:40.
#4
|
||||
|
||||
|
This file is not really a SpyFalcon issue. It is from an installer which could be used to install good valid software or any malware program if the creator of the malware used NSIS as their installer. Any process that executes could be in the Prefetch folder for a period of time. It still does not mean it is malware. So as stated, the AU_.exe file is not really what the SpyFalcon infection was related to. It may have possibly been an installer they used but I don't remember ever seeing it and it would have been a non-issue anyway.