exe payload

worm MUGLY I/SAHAGENT E/ISTBAR/SIDEFIND c/DYFUCA E/SOLU180 D/DVLDR and RADO trojans among others. All of this came out of a single exe that I made the mistake of downloading and trying to install. Trend Micro finds the MUGLY worm but cannot clean it. TDS-3 has not helped at all. Ewido did pick up a lot that Ad-Aware, Spybot and MS AntiSpyware did not. Not sure why I keep SpywareBlaster.

Both REGEDIT and SYSTEM RESTORE are disabled by this payload.

Your help GREATLY appreciated.

ewido security suite - Scan report

+ Created on: 5:29:45 PM, 6/10/2005
+ Report-Checksum: BBDD9A23

+ Date of database: 6/10/2005
+ Version of scan engine: v3.0

+ Duration: 146 min
+ Scanned Files: 358942
+ Speed: 40.89 Files/Second
+ Infected files: 29
+ Removed files: 29
+ Files put in quarantine: 29
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:

+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Den\Local Settings\Temp\fWWY1vQ.exe -> TrojanDownloader.IstBar.ju -> Cleaned with backup
C:\Documents and Settings\Den\Local Settings\Temp\res1E.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\Den\Local Settings\Temp\temp.frBF06 -> Spyware.SAHA -> Cleaned with backup
C:\Documents and Settings\Den\Local Settings\Temp\temp.frDB76 -> Spyware.SAHA -> Cleaned with backup
C:\Documents and Settings\Den\Local Settings\Temporary Internet Files\Content.IE5\4TIZA3KL\power_remove[1].exe -> TrojanDownloader.IstBar.gi -> Cleaned with backup
C:\Documents and Settings\Den\Local Settings\Temporary Internet Files\Content.IE5\GDKN0VGV\MediaAccC[1].dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\Documents and Settings\Den\Local Settings\Temporary Internet Files\Content.IE5\K9OXYN0P\optimize[1].exe -> TrojanDownloader.Dyfuca.ei -> Cleaned with backup
C:\Documents and Settings\Den\Local Settings\Temporary Internet Files\Content.IE5\K9OXYN0P\sidefind[1].exe -> TrojanDownloader.IstBar.jm -> Cleaned with backup
C:\Program Files\NetMeeting\netmeet.htm -> Worm.Nimda -> Cleaned with backup
C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\Program Files\winupdate\winupdate.exe -> Trojan.Crypt.e -> Cleaned with backup
C:\unzipped\ANDROMEDA SHADOW.exe\ANDROMEDA SHADOW.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions -> Cleaned with backup
C:\WINDOWS\system32\2t7bapkr.dll -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\61p7dq1l.dll -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\6o1ng6m3.dll -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\brfride5.exe -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\cbo4h9kc.exe -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\crq7ml45.exe -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\mpmt2nrn.exe -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\ov9s15e6.exe -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\p8pr2p0k.exe -> Spyware.SAHA -> Cleaned with backup
C:\WINDOWS\system32\sek27q8t.dll -> Spyware.SAHA -> Cleaned with backup
C:\xz.exe -> Backdoor.Rbot.rc -> Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:08:09 AM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
L:\Program Files\Executive Software\Diskeeper\DkService.exe
L:\Program Files\ewido security suite\ewidoctrl.exe
L:\Program Files\ewido security suite\ewidoguard.exe
L:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe
L:\Program Files\Ahead\InCD\InCDsrv.exe
L:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
L:\Program Files\Motherboard Monitor 5\MBM5.EXE
L:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
L:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
L:\Program Files\FarStone\VirtualDrive\VDTask.exe
L:\Program Files\Microsoft AntiSpyware\gcasServ.exe
L:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
L:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
L:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\Program Files\L.I.SControlCenter\LISCC.exe
L:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
L:\Security Progams\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsof...obby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Documents and Settings\Den\My Documents\Docs from Asus System\bookmark 4.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsof...arch/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: www.dcsresearch.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - L:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - L:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - L:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - L:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [MBM 5] "L:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [CTDVDDET] L:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [InCD] L:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CXMon] "L:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [VirtualDrive] "L:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [DiskeeperSystray] "L:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [gcasServ] "L:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ke1hp8kn] C:\WINDOWS\System32\ke1hp8kn.exe
O4 - HKLM\..\Run: [mqgqdiqe] C:\WINDOWS\System32\mqgqdiqe.exe
O4 - HKLM\..\Run: [ktpgmgk2] C:\WINDOWS\System32\ktpgmgk2.exe
O4 - HKLM\..\Run: [9jp83bui] C:\WINDOWS\System32\9jp83bui.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] L:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] L:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [MoneyAgent] "L:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "L:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: L.I.S Control Center.LNK = C:\Program Files\L.I.SControlCenter\LISCC.exe
O4 - Global Startup: MBM 5.lnk = L:\Program Files\Motherboard Monitor 5\MBM5.exe
O4 - Global Startup: Microsoft Office.lnk = L:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://L:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://L:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - L:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - L:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - L:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - L:\Program Files\ewido security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - L:\Program Files\ewido security suite\ewidoguard.exe
O23 - Service: HighPoint RAID Management Service (hptsvr) - Unknown owner - L:\Program Files\HighPoint Technologies, Inc.\HighPoint RAID Management Software\service\hptsvr.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - L:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - L:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

I've installed SP2 on both my wife's Compaq notebook and my son's eMachines desktop, which are on the network, but have not dared to install it on my system because there is so much mixed hardware and software for SP2 to stumble on, none of it that I can afford to lose.

Self-built system/Lian-Li PC-73SL silent server case/GlobalWin SAF520W PS/MSI 865PE NEO2-FIS2R/P4 3.0C GHz/Zalman CNPS7000-ALCU/2048MB Kingston 3200 2.5 CAS/ATI AIW 9600 PRO/Creative Audigy 2ZS Plat PRO/HighPoint 1820 SATA RAID/6 HDDs with total 740 GB/dual SyncMaster 213T LCD monitors/Plextor PX708 and TEAC DW548 optical drives/Mitsumi 7-in-1 card reader floppy combo/CoolerMaster CoolDrive 4/SuperFlower Fanmaster SF 609/CoolerMaster Musketeer/VL Systems LIS VFD display/Vantec Nexus NXP-205 fan controller/Epson and HP photo printers/Minolta 35mm film scanner and Canon document scanner/Linksys Wi-Fi and SMC RJ45 networks