Recently, strange files have been popping up in the “C:\Documents and Settings\My user” directory. Their names seem to be randomly generated 4-letter block capital names, like FDYR or GHRI (I got SHAT once:eyebrowlift:). The files are always exactly 28kb, and one is added every time I turn on the computer. A virus scan turns up nothing at the moment, but a few weeks ago I used to constantly find “generic downloader.ab” trojans - they’ve stopped appearing now (I’ve forgotten which directory they were in, but I think it was different). The strange thing is, I’ve not noticed any difference in my computer’s performance:confused: and they keep appearing no matter how many times I delete them:confused:
Once or twice one of them attempts to access the internet, but McAfee always blocks them. So they’re not doing any harm at the moment. But what are they? Is my PC infected?
I’m running Windows XP Home Edition SP2, in case that helps…
Sounds like one.
Update your virus scanner. Ones like this can be an arse to remove if the antivirus doesn’t find them.
Google the symptoms and try to match them exactly, then follow the removal instructions.
Alex
Thanks for the advice:)
I’m already using the most recent version of McAfee and it downloads updates automatically as they become available, so I’ll try Googling or searching the McAfee site.
Sounds like a Worm (virus that allows back door access) to me.
Randomly naming files with the same size?
No doubt, that’s a virus.
Be glad the virus doesn’t randomly rename .dll files because that SUCKS.
Good news
It turns out McAfee know about it already, I just need to update my DAT virus detection thingamubobbies. It’s taking an ice age to do it though, I’ll probably have to leave it going overnight, but it’ll be able to detect the source of the virus when it’s done. Apparently it’s added something to the system registry which runs each time the computer starts up that causes it to create a file (with a random name) which will then attempt to access and download things from a certain website. It says the risk level for it is low so that’s okay:yes:
I also looked up Generic Downloader.ab, it does pretty much the same thing. It seems unrelated though.
Thanks for the help and advice:)
It’s time to reformat your hard drive. I think they got you. :0
A tip. If you ever suspect that you may have a bad program running in the background, look at all your background processes in the msconfig tool, and then check the ones you don’t recognize at the site bleepingcomputer.com
I’ve just gotten around to scanning again, and it’s found that a file called “msrclr40.exe” is infected with a trojan. I think this might possibly be what’s creating the odd files, but I don’t know if it’s an important Windows file or not - it’s in the system32 folder. There are a few weird things about it though:
-Every other file in that folder has a description and a “Company: Microsoft” thing in the description. This one just says “Application” and “65.5kb”
-In the properties menu, it says this:
Apparently it was created almost 2 years before I bought this computer. Which is most likely before the machine and the copy of Windows were manufactured - so it must be off another machine.
Also, it’s been modified 6 days before it was created - seems a bit impossible:confused:
But that might just be an error…
Also, it’s been accessed very recently, meaning Windows probably uses it - the evil files of death are created when the computer’s switched on, it doesn’t normally do anything after that.
Does anyone know if this is an important system file? Because I’ll need to use one of those system32 fixing tools if it is…
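The checks described in the posts above (a registry entry that runs at each startup, a system32 file with no “Company: Microsoft” description, odd created/modified dates) can be collected in one pass. This is an added PowerShell example, not part of the original thread; it assumes PowerShell 3.0 or later and the standard Run keys, and the helper name `Get-ExePathFromCommand` is hypothetical.

```powershell
# Added example (not from the thread): list programs started from the Run keys
# together with the file metadata the poster inspected by hand in Explorer.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run value, which is a
# command line such as "C:\dir with spaces\app.exe" /arg or C:\dir\app.exe /arg
function Get-ExePathFromCommand([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|,|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $cmd  = [string]$regKey.GetValue($name)
        $path = Get-ExePathFromCommand $cmd
        $file = if ($path) { Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
        $company = if ($file) { $file.VersionInfo.CompanyName }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $cmd
            Found     = [bool]$file
            Company   = $company
            # No vendor string on a file in system32 is worth a second look
            NoCompany = [bool]$file -and [string]::IsNullOrEmpty($company)
            Created   = if ($file) { $file.CreationTime }
            Modified  = if ($file) { $file.LastWriteTime }
            # On its own this is weak: copying a file keeps the old modified time
            # and stamps a new creation time, so modified < created is common
            ModifiedBeforeCreated = [bool]$file -and ($file.LastWriteTime -lt $file.CreationTime)
        }
    }
}

$report | Sort-Object NoCompany, Found -Descending |
    Format-List Key, Name, Command, Found, Company, NoCompany, Created, Modified, ModifiedBeforeCreated
```

Entries with `Found = False` include commands given as a bare file name, which Windows resolves through the search path; look those up manually before drawing a conclusion.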
It seems like a worm to me. You can just delete it…
Okay, this is very odd…
I’ve not deleted the file yet, but the randomly generated files have just stopped appearing:confused: I’ve turned the computer on and off about three times (and kept it on for a long time each time) without a single one appearing. I’ll delete the file anyway, just in case, but it seems the virus has given up - if viruses can do that;)
Not that I’m complaining or anything:D I’ll tell you if it comes back, but I think I’m safe for the moment:yes:
Thanks for the help:)