Unknown files in StartUp

[KeelBug]

So I login to my work laptop yesterday and everything is peachy.

About 20 minutes later... I have no files on my desktop, start menu,quick launch and IE favorites.

The folder structure is there... just no files.

Now I've managed to recover the files from everywhere except my desktop (maybe already overwritten by the time I noticed it, which would have been 4-5 hours after it happened).

I run Trend anti virus & firewall as its a work standard, with the Spybot agent tracking registry changes and such and nothing was flagged.

This morning I login and a folder starts up from my startup (may have done this yesterday I might have just been to busy to notice) and it contains some suspicious files.

..\Startup\directory.src

..\Startup\makefile

..\Startup\cp\Directory.cpp

..\Startup\cp\directory.exe

..\Startup\cp\directory.obj

..\Startup\cp\directory.pdb

..\Startup\cp\makefile

..\Startup\cs\Directory.cs

..\Startup\cs\Directory.exe

..\Startup\cs\Directory.pdb

..\Startup\cs\makefile

..\Startup\vb\Directory.exe

..\Startup\vb\Directory.pdb

..\Startup\vb\Directory.vb

..\Startup\vb\makefile

You can download said files here > http://www.fase.me/Startup.rar < Pass 'hak5'.

Is anyone here (if you have time/nothing better to do :P ) able to go through these and see just what the hell it did to my system? Besides finally making me do more regular backups...

Cheers.

[Sparda]

They are programs apparently (not even downloading it).

Written in C++ (cpp)

Compiled in to machine code (obj)

Then linked with libraries to produce the program (exe)

pdb is possibly from the IDE used to write them?

[KeelBug]

They are programs apparently (not even downloading it).

Written in C++ (cpp)

Compiled in to machine code (obj)

Then linked with libraries to produce the program (exe)

pdb is possibly from the IDE used to write them?

Yeah I get that :P.

Just don't have the tools/time at work to deconstruct/sandbox them.

Theres no doubt some residual file hiding in my system somewhere.

[Sparda]

Yeah I get that :P.

Just don't have the tools/time at work to deconstruct/sandbox them.

Theres no doubt some residual file hiding in my system somewhere.

Delete them, move on with your life.

[KeelBug]

Delete them, move on with your life.

Having no idea whats changed its a bit hard to delete something I don't know exists...

Ive moved on... prob just re-image the thing next week.

Still leaves me curious though.

[digip]

Sounds like you got pwned. Did you leave it on and unattended anywhere, like where other people could have plugged in a USB key ;)

I think PDB files contain debug information for compiled programs when testing. Chances are they were created by the cpp file.

That cpp file is encrypted or compiled code, so can't tell whats in it without knowing how to decrypt it first. Normally source code is in plain text. Whateve rit is, it looks like it failed to clean up after itself, so the code is probably broken to some extent.

CLEANUP = *.exe *.pdb *.obj

Guess it never did since you were able to see the files. Virus Total sees nothing but an encrypted archive: http://www.virustotal.com/analisis/7e90ab2...bfb333383175755

edit: well, if it was malicious, vitus total can't seem to see anything: http://www.virustotal.com/analisis/a9c48b6...e3d91858a0f27a1

that doesn't mean you don't have malware or anything like that on your pc. I'd backup your important stuff and reformat.

I am goign to reupload it to them in a seperate(unpassworded) file to be sure.