Windows Event Log causing "win403700" to autostart at boot

rennervision

Hello.

I'm having a peculiar problem that just started yesterday out of the blue. Suddenly when I boot up in Windows 7 (64-bit), there's always an open dat file titled "win403700" that greets me on my desktop. It's of no use to me, since it's filled with lines and lines of code that are completely encrypted in notepad.

After running CCleaner to clean out my registry and hard drive, followed by over two hours of systematically uninstalling programs, disabling startup items, and then finally moving on to msconfig items under the services tab, I was able to determine that "Windows Event Log" is what causes this to pop open with each new startup. (I assume everyone has it enabled under msconfig > services.)

Would anyone know why it is doing this? If I can just disable it and forget about it I will, but based on what I'm reading here, it appears to be an essential process for updating Windows:

Windows Event Log - Process and Service wiki

Plus I would like to know if this is an indicator of a more serious problem. (A Malwarebytes scan did come back clean by the way.)

Thanks.
 
I am having the exact same problem, also on Win 7 x64 except that the file that's popping up in notepad for me is "win403750.dat."

Most of the file is binary gibberish but there is a string near the beginning that reads "This program cannot be run in DOS mode," which makes me think that this .dat file is an executable. I've tried renaming it to an .exe extension and running it, but Windows says that the file isn't compatible with the version of Windows I'm running. An ESET scan of the file comes out clean.

I also distinctly remember that this started happening after the latest Windows update(s) I ran 1~2 weeks ago.

@rennervision: Have you solved or discovered more about this issue?
 
Hello Roland123 -

Yes, I did figure it out - it's actually some kind of trojan. There was a file with the exact same name hidden in C:\users\[name]\appdata\local\temp. As soon as I saw it and double clicked on it, my Norton quarantined it. Now everything's clean, but I'm not sure how it got there in the first place.
 
Deleting the file in the location you've specified seems to have solved the issue, so that's awesome. I'm a little worried that ESET didn't pick it up as a trojan, though. Do you remember what kind of trojan Norton flagged it as? Could it have been a false positive of some kind?

Anyways, many thanks for the info, rennervision.
 
Norton flagged it as a Trojan.Gen. I also thought it was odd it got in there undetected.

Someone on the Malwarebytes forum also recently had it as well:

TDSS/Alureon - Malwarebytes Forum

Since it was driving me CRAZY, as far as I'm concerned it met the definition of a virus. :) I'm glad I was able to help.
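
A check for the pattern described in this thread (a file in the user's temp folder that carries an executable header under a .dat name), added here as an example and not part of any post above. The function names and the extension allow-list are assumptions for illustration, and the sample bytes are constructed.

```python
import os
import struct
import tempfile

# Extensions that are expected to hold PE images; anything else carrying a
# PE header (like the .dat files in this thread) is worth a closer look.
EXPECTED_PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".mui"}


def is_pe_image(path):
    """Return True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            dos_header = fh.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            # e_lfanew: offset of the PE signature, stored at 0x3C (little endian).
            (pe_offset,) = struct.unpack_from("<I", dos_header, 0x3C)
            fh.seek(pe_offset)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False  # locked or unreadable files are skipped, not reported


def find_disguised_executables(root):
    """Walk root and return sorted paths of PE images with a non-executable extension."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            full = os.path.join(dirpath, name)
            if ext not in EXPECTED_PE_EXTENSIONS and is_pe_image(full):
                hits.append(full)
    return sorted(hits)


def build_constructed_pe_stub():
    """Constructed sample: minimal DOS header + stub string + PE signature (not real malware)."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    pe_offset = 0x80
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", pe_offset)
    return dos + stub.ljust(pe_offset - 64, b"\x00") + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # Defaults to the per-user temp directory, the location named in the thread.
    for path in find_disguised_executables(tempfile.gettempdir()):
        print(path)
```

Installers also unpack legitimate PE files under odd extensions into the temp folder, so each hit is a lead to check with a scanner, not a verdict.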
 