Mystery Program

Discussion in 'Bits & Bytes' started by Robert Harris, Jan 28, 2003.

  Robert Harris

    Robert Harris Passed Away Aug. 19, 2006

    Found this item in my temp folder the other day:

    LHQjFi.exe, dated 6/15/2001.

    I have no idea what it is, and it only appeared there a few days ago.

    Tried executing it and it won't. It already seems to be running -- listed when I hit CONT-ALT-DEL. Tried deleting it and get message that it is being used by Windows and can't be deleted.

    Does not appear anywhere else on my disk, only in temp folder.

    Can't find where it loads from. Not in start-up group, or other places things get loaded from on boot-up.

    Anybody have any idea what it is?
  midranger4

    midranger4 Banned

    Do you have Norton Utilities or something similar that can identify running processes? If so you can likely find the parent process and take it from there.

    If you feel adventurous boot to safe mode, rename the file, and boot to normal mode and see if you have any issues.

    If you have a problem boot to safe mode...name it back, and reboot again.

    You can also search the system registry for this file and see what keys pop up. Playing with the registry can get ugly fast so if you are unsure don't proceed, let us know and we will walk you through.
  mikeky

    mikeky Member

    Not a single hit from Google or the newsgroups. Is that the exact file name? Installed anything over the last few days?
  Robert Harris

    Robert Harris Passed Away Aug. 19, 2006

    The mystery thickens.

    I have installed some software in last few days -- but nothing exotic. Just updates of Trojan Hunter and SpyBot. Installed Quicktime about a week ago. Can't think of anything else.

    I use a neat utility called EndItAll, which will shut down all running processes not needed to keep working. (Handy for when installing software that wants you to exit all other programs, etc.) Ran that and it closed the mystery program. Then I renamed it and rebooted.

    It did not load on the new boot, of course, since the only place it exists on the system is in the temp directory. (Itself something of a mystery -- I don't think I have ever seen a program install itself to run from \temp.) But I now find another new .exe file in my temp folder this:


    Same size as LHQjfi.exe (133,144) and same date stamp (6/15/2001). And it is running, using 5.5 MB of memory.
  mikeky

    mikeky Member

    Not to be alarmist, but certainly seems suspicious since it came back; maybe one of the viruses that uses randomly generated names? Have you scanned for viruses lately with an updated virus definitions file?
  Robert Harris

    Robert Harris Passed Away Aug. 19, 2006

    It is suspicious. Have updated virus definitions as of today, and a scan shows nothing. Same with Trojan Hunter.
  midranger4

    midranger4 Banned


    Run REGEDIT and scan for instances of E8T and LQHjfi

    Note the keys that find any instances of the file and post them here.

    You have me quite curious now.
  bruzzes

    bruzzes Truthslayer

    You can look in the registry under

    HK Local_Machine / software/Microsoft/Windows/Current Version and scroll down to the Run, Run Once, RunOnceEx

    and see if any suspicious program is listed.

    Have you visited any Japanese sites?
    Might be some type of encoded program...
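Added example, not code from the thread: a small Python audit of the Run, RunOnce and RunOnceEx keys bruzzes points to, flagging any autostart command whose executable lives in a temp folder (the behaviour described above). It reads the live keys with winreg only on Windows; elsewhere it runs against a constructed sample whose last entry mimics this thread's case.

```python
import platform
import re

# Keys bruzzes names, all under HKLM\Software\Microsoft\Windows\CurrentVersion.
RUN_KEYS = ("Run", "RunOnce", "RunOnceEx")
BASE_KEY = r"Software\Microsoft\Windows\CurrentVersion"
TEMP_DIR = re.compile(r"(^|[\\/])temp([\\/]|$)", re.IGNORECASE)

# Constructed sample of (value name, command) pairs, standing in for live keys
# when the script is not run on Windows.  The last entry mimics the thread's case.
SAMPLE_ENTRIES = {
    "Run": [
        ("ScanRegistry", "C:\\WINDOWS\\scanregw.exe /autorun"),
        ("SystemTray", "\"C:\\WINDOWS\\system\\SysTray.Exe\""),
        ("lhq", "C:\\WINDOWS\\TEMP\\LHQjFi.exe"),
    ],
    "RunOnce": [],
    "RunOnceEx": [],
}

def executable_of(command):
    """Return the program path from a Run-key command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def flag_temp_entries(entries):
    """Return [(key, name, exe)] for commands whose executable sits in a temp folder."""
    return [(key, name, executable_of(cmd))
            for key, values in entries.items()
            for name, cmd in values
            if TEMP_DIR.search(executable_of(cmd))]

def read_run_keys():
    """Enumerate the live Run keys on Windows; use the constructed sample elsewhere."""
    if platform.system() != "Windows":
        return SAMPLE_ENTRIES
    import winreg
    entries = {key: [] for key in RUN_KEYS}
    for key in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BASE_KEY + "\\" + key) as h:
                for i in range(winreg.QueryInfoKey(h)[1]):  # [1] = number of values
                    name, data, _ = winreg.EnumValue(h, i)
                    entries[key].append((name, str(data)))
        except OSError:  # key absent on this Windows build
            pass
    return entries
```

Call `flag_temp_entries(read_run_keys())` to get the suspicious entries; an empty list means, as in this thread, that the autostart is not coming from those keys and other load points have to be checked.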
  Robert Harris

    Robert Harris Passed Away Aug. 19, 2006

    No instances of either found in registry.
  bruzzes

    bruzzes Truthslayer

    Have you tried dragging it to your desktop and re-booting? It might be loading from the temp folder.
  Robert Harris

    Robert Harris Passed Away Aug. 19, 2006

    Nothing unusual in any of those registry locations.

    Have not been to any Japanese sites recently -- unless just passing through one from a link from something else, but I do not recall any such thing.
    Using the MS System Information tool I find that this program is not listed as a startup program but it is on list of 32-bit modules loaded and on the list of running tasks. Interesting -- it is not a start-up program, and I haven't loaded it. So how does it get loaded? :)

    The file itself contains no information on source under properties, etc.

    A real mystery.

    System has not been misbehaving in any way that I have noticed, either. I have no idea what it does.
  Robert Harris

    Robert Harris Passed Away Aug. 19, 2006

    The next step...
    decided to try again, and deleted E8t.exe and rebooted. Same file now appears in \temp as Xxyqb1.exe -- same size and date stamp as the one I deleted. Shows up as having loaded during boot process.

    Most odd. Can't think of where it can be coming from, for one thing.

    And another oddity. The \temp directory now contains an 8+MB file with a recognizable name -- the name of the file I used to update drivers for my video card. This was not in temp before, but is stored in another folder, and it still is there. So it was copied over somehow. Appears in \temp with today's date stamp. Original had date stamp of 1/12/2001.

    This is truly weird. There must be a ghost in this box. :)
  mikeky

    mikeky Member

    Is the driver file in the temp folder the same size as in the other folder, or did it get bigger?
  Stiofan

    Stiofan Master Po

    Are you using XP? If so run msconfig and look at what is running at startup, services and boot.ini and see if anything looks like it shouldn't be there.
  Biker

    Biker Administrator Staff Member

    Also, if running NT or XP, go see what services are being run, and which are automatic on boot up.
  Robert Harris

    Robert Harris Passed Away Aug. 19, 2006

    Exact same size -- 8,768,000.
  Robert Harris

    Robert Harris Passed Away Aug. 19, 2006

    Running Win 98SE. Checking what is running right after boot, the only odd thing is the mystery file I mentioned, loaded from \temp. Every time I remove or rename it, it reappears with a different name on next boot.
  Techie2000

    Techie2000 The crowd would sing:

    Have you tried a virus and trojan scan?
  Stiofan

    Stiofan Master Po

    W98...try using your find command and search for all files with a create date of 6/15/2001. It's a longshot, but they may have used the same date for all the files they have put on your computer. I ran the search on my XP system and on my W98FE system and found nothing with that date so if you find something, most likely it has nothing to do with the OS.
  Robert Harris

    Robert Harris Passed Away Aug. 19, 2006

    Did both today, with latest definitions, and they reported nothing. Sure does seem like a virus-like thing, though, doesn't it.