Weird unknown files in program files



Mike.H
20-04-2007, 08:07 PM
OK, these are some random files I got, don't know how. They all have the phrase "deleteme" in them. I thought this was a little sketchy, so I thought I'd ask you professionals out there. Any help will be greatly appreciated. The link is a picture of my problem, hosted by imageshack.

http://img206.imageshack.us/my.php?image=weirddeletemeproblempz1.jpg

Laura
20-04-2007, 09:39 PM
I'm not an expert, so can't help you myself, but I'd be suspicious...

I notice the BAK file has tomorrow's date, which is rather weird.
Your link also downloaded a poker website on my machine..

I suggest you look at Speedy Gonzales' signature for info & download HijackThis for starters. He'll help you with it later.

Other members may have other suggestions....

Speedy Gonzales
20-04-2007, 09:56 PM
Yup, whatever those files are or are doing, they don't look legit.

Although it looks like it may have something to do with Vista.

Is Vista installed?

Hijackthis is in my sig below.

Mike.H
20-04-2007, 10:38 PM
Yeah, I have Vista Premium. Btw sorry Laura for the link, I was just in such a rush to sort this out.

Mike.H
21-04-2007, 12:59 PM
bump!

Speedy Gonzales
21-04-2007, 01:09 PM
I don't have Vista so dunno if they're legit or what.

Someone who's using Vista will have to check their system to see if they've got the same files.

SurferJoe46
21-04-2007, 01:20 PM
I talked to my son (M$ guy) and he says the one dated tomorrow MIGHT be a time bomb... payload deliverable on that calendar date. I didn't get to ask about the others... so don't know...

Be ye careful!

Mike.H
21-04-2007, 02:31 PM
Should I delete them then, because I've never had them on the last install of Vista. :(

Sherman
21-04-2007, 02:42 PM
Is $$DeleteMe.crypt32.dll the full filename? (as I noticed that there is "..." afterwards indicating a longer filename) Same with the others.

Mike.H
21-04-2007, 04:06 PM
Is $$DeleteMe.crypt32.dll the full filename? (as I noticed that there is "..." afterwards indicating a longer filename) Same with the others.

These are the full filenames:
$$DeleteMe.crypt32.dll.01c78310593b5b24.0001
$$DeleteMe.csrsrv.dll.01c78310599cf384.0003
$$DeleteMe.user32.dll.01c7831058f19084.0000
$$DeleteMe.winsrv.dll.01c78310599cf384
BOOTSECT.BAK

Hope this can help
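As an added example (not from the thread or any of its posters), the script below splits each of the names Mike listed into its parts (original file name, 16 hex digits, optional four-digit index) and, on the assumption that the hex field is a Windows FILETIME, turns it into a UTC timestamp, so the files can be matched against update or installer activity on the machine instead of guessed at. The FILETIME reading and the `CORE_DLLS` set are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Name shape from the thread: $$DeleteMe.<original name>.<16 hex digits>[.<4-digit index>]
# Assumption (not stated in the thread): the 16 hex digits are a FILETIME.
DELETEME_RE = re.compile(
    r"^\$\$DeleteMe\.(?P<orig>.+?)\.(?P<ticks>[0-9A-Fa-f]{16})(?:\.(?P<idx>\d{4}))?$"
)
# Core system DLL names mentioned in the thread (assumed list for this example).
CORE_DLLS = {"crypt32.dll", "csrsrv.dll", "user32.dll", "winsrv.dll"}

def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_deleteme(name):
    """Return (original name, UTC timestamp, index or None), or None if the name does not match."""
    m = DELETEME_RE.match(name)
    if m is None:
        return None
    ticks = int(m.group("ticks"), 16)
    idx = int(m.group("idx")) if m.group("idx") is not None else None
    return m.group("orig"), filetime_to_datetime(ticks), idx

def summarize(names):
    """Parse every matching name and report which originals appear and how tightly the stamps cluster."""
    parsed = [p for p in (parse_deleteme(n) for n in names) if p is not None]
    if not parsed:
        return {"count": 0}
    stamps = [p[1] for p in parsed]
    return {
        "count": len(parsed),
        "originals": sorted(p[0] for p in parsed),
        "core_dlls": sorted(p[0] for p in parsed if p[0].lower() in CORE_DLLS),
        "earliest": min(stamps),
        "span_seconds": (max(stamps) - min(stamps)).total_seconds(),
    }

# The names posted in the thread; BOOTSECT.BAK is included to show a non-match.
THREAD_FILES = [
    "$$DeleteMe.crypt32.dll.01c78310593b5b24.0001",
    "$$DeleteMe.csrsrv.dll.01c78310599cf384.0003",
    "$$DeleteMe.user32.dll.01c7831058f19084.0000",
    "$$DeleteMe.winsrv.dll.01c78310599cf384",
    "BOOTSECT.BAK",
]

if __name__ == "__main__": print(summarize(THREAD_FILES))
```

Under the FILETIME reading all four stamps fall within about a second of each other on 2007-04-20 (UTC), which is what a single servicing or installer pass would produce rather than four unrelated drops.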

Sherman
21-04-2007, 04:21 PM
Weird. Never seen anything like them.
I would think that they are not fully legit, then again, who knows with Vista...
I tried googling the filenames and got nowhere.
There seems to be a great lack of information regarding these files.

Mike.H
21-04-2007, 06:07 PM
Yes, well I might just delete them and see what happens? Even if they are important for Vista, they would certainly not be placed there, they would be hidden.

JackStraw
21-04-2007, 06:08 PM
If you do a search on the files without the "$$Deleteme", i.e. just the dll name, you will find that these files are quite important; your system may not work without them.
I found this for starters
http://research.eeye.com/html/advisories/published/AD20070410b.html
http://www.cyberkiko.com/DeleteMe.aspx
It could be a malicious hack using the Deleteme software to crash your system, give someone else access or even to harvest eMail addys.
Try making copies of the original .dll's
crypt32.dll should be in windows/system32 (not sure on vista, do a local search if not)
csrsrv.dll should be in WINDOWS\ServicePackFiles\i386 (not sure on vista, do a local search if not)
user32.dll should have a copy in both of those directories as should winsrv.dll
save these on a usb stick or floppy so if your system does go down tomorrow you will have these files to re-install.
As for the BOOTSECT.BAK, this is a file that has your bootsector info for your previous install of XP.
I get the impression that this is just part of a Vista uninstall package but Microsnort is not letting on, at least not loudly anyway.
Let us know of any weird behavior over the next few days.
Cheers, Jack

Faded_Mantis
22-04-2007, 03:11 AM
I did find this about "deleteme"

The link i found identifies it as a programme used to delete old and unused files etc, I've never heard of it before.

I haven't posted the link because I won't go to the website myself in case it's one of those sites that sends trojans to your computer, at least not in Windows (a live CD of Linux I would). And if I don't feel safe going to the website myself then I don't think I should post it here for others.

SurferJoe46
22-04-2007, 04:14 AM
Do you use Flickr?

There might be a digital camera involved here too... they have this program in them and the desktop download area has one in mine for Kodak Digicam. I found this about it... maybe this is an answer:

TAG AND FOOTER
TOP NEWS: Aprevit has made a new automatic tag and footer script. Either copy/paste the scripts found here and save each as a 'favorite' or 'bookmark.' Or, for you lucky people with Firefox, just drag and drop the deleteme and saveme bookmarklets from romanedirisinghe's page (thanks, Roman!)

Otherwise copy and paste:
-voted as "deleteme" (from the Deleteme! group, http://www.flickr.com/groups/deleteme/)
-voted as "saveme" (from the Deleteme! group, http://www.flickr.com/groups/deleteme/)

I also trust this site to be safe too: http://del.icio.us/tag/deleteme

Mike.H
22-04-2007, 02:21 PM
Nope, don't have flickr. I do have my suspicions though: every so often my connection will suddenly disconnect for a few seconds, then it turns back on. I unplugged the modem for a few minutes and put it back, but a few minutes later it happened again. The only thing I've had connected to my comp was my brother's usb drive.

SurferJoe46
22-04-2007, 05:33 PM
Dial-up or DSL?

I'd reboot the DSL modem or at least reset it if it has a small reset button... maybe... you might have a hacked IP or so... dunnow... sounds like it's phoning home on you...

Ripdog
22-04-2007, 07:27 PM
Is it just me or is everyone here coming in with an assumption that they are viruses? Windows creates a lot of very weird files; I have a folder called 1145f78bbb9e2db01c61 in the root of my Windows partition.

I say delete them and forget about it. If they are just in the Program files folder (not a sub-folder) then deleting them is unlikely to cause harm, possibly leftovers from a badly written program.

And what antivirus do you run on your computer?

Mike.H
22-04-2007, 07:46 PM
Symantec Antivirus 10.2, Vista edition. You're right, even if they are important files, they would at least be hidden or located somewhere else. On DSL btw.

Ripdog
22-04-2007, 07:59 PM
Symantec? Don't you mean Norton? Anyway, it sucks, uses way too much memory; try Avast or AVG (google them). Back to the topic...

I say delete them. There's little chance of them being malicious or essential.

Bryan
22-04-2007, 08:40 PM
Before you do anything, have you got System Restore set up so that you don't lose the data?

Can you go back to a previous restore date and see if there is any difference?

Mike.H
22-04-2007, 09:08 PM
You can undo a restore right?

SurferJoe46
23-04-2007, 02:20 AM
You can undo a restore right?

My experience so far with Vista is zero... but System Restore has always been a haven for nasties to hide... and I NEVER allow it to run in anything I own... just my 2 cents

stu161204
23-04-2007, 08:58 AM
You can undo a restore right?

Yes