Spyware, Viruses, & Security forum

General discussion

Unknown EXE

by GovernmentMan / September 22, 2007 6:50 PM PDT

Okay.

My mother, a novice computer user, downloaded and ran this executable from a site that is no longer in her History. (She is not aware of what "file types" are; I think that it was supposed to be an animated GIF?)

So, I'm a bit worried. I see nothing new in the Startup tab of msconfig, there's nothing new in Task Manager, nothing abnormal in her HijackThis log, and AVG is calm as can be.

So, what did this little ****** do?

Is there any way at all that I can see the effect that this file had on her system?

Thanks.

File:
http://derekdavidhoward.googlepages.com/ unknown.rar

Message was edited by: admin

It "seems" to be virus and spyware free.
by MarkFlax Forum moderator / September 22, 2007 7:21 PM PDT
In reply to: Unknown EXE

Although I can understand why you posted that link, it could cause problems for others. Some people have their browsers set to Run downloads immediately rather than save to disk, and if this had been an executable, it would have run or installed without their knowledge.

As it is, being a .rar file, the Operating System would then have looked for WinRar or some other extracting software to open it, and that may have halted the process. Nevertheless, I will ask Admin to remove or edit the link, for safety reasons.

That said, I downloaded the unknown.rar file and virus and spyware checked it before extracting the unknown.exe file inside. The unknown.exe file was also virus and spyware free as far as I could tell, so it seems harmless. However, I didn't run the exe file; instead I deleted it straight away. So I don't know what it does.

There's nothing in your mother's computer's history because the page "does not exist yet". Trying http{space}://derekdavidhoward.com brings up that error message. Googling derekdavidhoward only lists 3 sites, two of which appear to be about music lyrics. I didn't try any.

I would think your mother's computer is safe, but keep an eye on it.

Could you set her browser to save downloads instead of running them? Tools > Options is normally the place, or Tools > Internet Options for IE. It won't affect normal web site downloads but may make her aware she has downloaded something like this again, then at least she has the opportunity to ask questions.

It's strange that she got this in the first place, seeing as that web site doesn't exist. But I think she will be ok. If you can search her drive for "unknown.exe", you could perhaps delete it if it is stored in a non-critical folder (e.g., elsewhere than Windows/System32).

Mark

That's my own website.
by GovernmentMan / September 23, 2007 6:36 AM PDT

DerekDavidHoward.GooglePages.com is my own website, I RAR'd and uploaded the EXE there so that I could have people examine it. Derek Howard is my own name.

I do not know where Mom got the file originally; her browser does not keep History across sessions.

Apparently, she saved the file from wherever, to her Desktop, and then ran it, thinking it was a video. Something to do with cats. I burned it to a CD, and deleted it off of her Desktop.

I then ran the EXE on a non-internet connected machine that I was already planning on formatting that night, to see what it would do. The EXE ran for about five seconds, during which, the HDD activity light blinked rapidly. The process then quit. As far as I could tell, there were no changes to the system. But I'm pretty sure that something was written to the HDD. And I have no idea what.

Should be ok
by MarkFlax Forum moderator / September 23, 2007 6:40 PM PDT
In reply to: That's my own website.

With Marianna's investigation I think the computer will be OK. Although Marianna's tests showed some suspicious results, these were not conclusive and the majority of the tests came up clean. That can happen with anti-malware scans where "false positives" appear.

Keep an eye on things over the next few days. If anything is going to happen it will most likely be sooner rather than later. But my feeling is your mother's computer is fine.

Mark

I uploaded the File unknown.rar
by Marianna Schmudlach / September 23, 2007 2:26 AM PDT
In reply to: Unknown EXE

to VirusTotal - result:

File unknown.rar received on 09.23.2007 18:15:26 (CET)

Result: 5/32 (15.63%)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.9.22.0 | 2007.09.21 | - |
| AntiVir | 7.6.0.15 | 2007.09.21 | - |
| Authentium | 4.93.8 | 2007.09.23 | - |
| Avast | 4.7.1043.0 | 2007.09.22 | - |
| AVG | 7.5.0.485 | 2007.09.23 | - |
| BitDefender | 7.2 | 2007.09.23 | BehavesLike:Win32.ProcessHijack |
| CAT-QuickHeal | 9.00 | 2007.09.21 | - |
| ClamAV | 0.91.2 | 2007.09.23 | - |
| DrWeb | 4.33 | 2007.09.23 | - |
| eSafe | 7.0.15.0 | 2007.09.23 | - |
| eTrust-Vet | 31.2.5154 | 2007.09.21 | - |
| Ewido | 4.0 | 2007.09.20 | - |
| FileAdvisor | 1 | 2007.09.23 | - |
| Fortinet | 3.11.0.0 | 2007.09.23 | - |
| F-Prot | 4.3.2.48 | 2007.09.23 | - |
| F-Secure | 6.70.13030.0 | 2007.09.21 | - |
| Ikarus | T3.1.1.12 | 2007.09.23 | MemScanBackdoor.VB.EV |
| Kaspersky | 4.0.2.24 | 2007.09.23 | - |
| McAfee | 5125 | 2007.09.21 | - |
| Microsoft | 1.2803 | 2007.09.23 | - |
| NOD32v2 | 2545 | 2007.09.23 | - |
| Norman | 5.80.02 | 2007.09.21 | - |
| Panda | 9.0.0.4 | 2007.09.23 | - |
| Prevx1 | V2 | 2007.09.23 | - |
| Rising | 19.41.62.00 | 2007.09.23 | - |
| Sophos | 4.21.0 | 2007.09.23 | - |
| Sunbelt | 2.2.907.0 | 2007.09.22 | VIPRE.Suspicious |
| Symantec | 10 | 2007.09.23 | - |
| TheHacker | 6.2.5.066 | 2007.09.22 | W32/Behav-Heuristic-064 |
| VBA32 | 3.12.2.4 | 2007.09.23 | - |
| VirusBuster | 4.3.26:9 | 2007.09.23 | - |
| Webwasher-Gateway | 6.0.1 | 2007.09.21 | Win32.EPO.gen (suspicious) |

Additional information
File size: 1297615 bytes
MD5: e7620aafa189b7f41041574023eee392
SHA1: 10373926b039edcc26b6b25a301eac012ee9e6eb
packers: Themida

I then uploaded the same file to:

http://scanner.virus.org/

Results from the virus scan of uploaded sample

The following represents the test results from the virus scanners used by the Virus.Org scanning service when it performed the scan on the file 'unknown.rar'.




File: unknown.rar
SHA-1 Digest: 10373926b039edcc26b6b25a301eac012ee9e6eb
Packers: Unknown
Status: Potentially Clean

| Scanner | Scanner Version | Result | Scan Time |
|---|---|---|---|
| ArcaVir | 1.0.4 | Clean | 8.69055 secs |
| ClamAV | 0.90/4316 | Clean | 2.70995 secs |
| F-PROT | 4.6.7 | Clean | 6.05679 secs |
| Sophos Sweep | 4.21.0 | Clean | 14.0192 secs |

Possible Apple connection thru Bonjour !!!??? I "think" hehe
by ARTisWAR / July 3, 2016 12:17 AM PDT
In reply to: Unknown EXE

I have just noticed "it" myself, so I figured it was a new thing until I saw the date on you guys' post. Mine doesn't seem to be as easy to get rid of or even stop as you did, but this could be my shortcomings, but I can't get ANY control (other than the temporary reboot that my task kill does). I can locate the folder by right-clicking on it and having the PC locate it, 'cause even when I'm actually in the folder (that's empty, I might add, haha) it doesn't show up in the navigation pane or thru the normal way. It's NOT been "checked off" as hidden in any way (that I know of, which is only 2 ways?): using folder options to hide it and/or using the operating/encrypted system files option, but it was neither. I won't stress about "it" usually, but it's such a "FAT A$$", never droppin' below 90'ish CPU usage, so hopefully you/someone has already figured "it" out. Any help is greatly appreciated.
