Welcome to Vista Forums we are your forum to discuss Windows Vista x64 and x86 systems. Whether you need help or just want to post an idea you have on Vista, this is the forum for you.
#1 (Guest): Suspect Service/Software

Hi there,

I have a service running that points to an exe file in my Windows temp dir. Every time I end the service the exe file disappears and will reappear later, and every time the file appears it has a different file name, e.g. FA31DC.exe. Normally, after ending the service 3 or 4 times, it doesn't start up again for quite some time unless I reboot the system.

I have Trend Micro installed and have done scans via Symantec, and have also scanned with the Windows Malicious Software Removal Tool. I have looked in the registry to see what's starting up when Windows boots and haven't found anything odd in there, and have also run 2 different spyware software packages to see if they picked anything up.

When I look at the properties of the service, the only information is the location of the exe file, and when I get the properties of the exe there are no details. I am not experiencing any abnormal issues with the PC: no popups, no degraded system performance. I haven't been able to see if it is accessing the network.

I was wondering if anyone had any suggestions as to what this might be (looks real suss to me) and how I might remove it or find out what is generating the exe file.

Regards, TIA
Mike
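The question above (a service whose binary lives in the temp directory, with no version information and a name that changes each time it respawns) can be triaged mechanically. The script below is an added example for this thread, not code posted by any participant: it walks every installed service, extracts the executable from the service's command line, flags any whose image sits under %windir%\Temp or the current user's %TEMP%/%TMP%, and for each such binary records whether the file is currently present, its SHA-256 hash and its Authenticode signature status. It assumes Windows PowerShell 2.0 or later (so it avoids Get-FileHash, which only appeared in 4.0), an elevated prompt, and the hypothetical helper names Get-ImagePathFromCommand and Get-Sha256, which are mine.

```powershell
# Added example: enumerate services whose executable lives in a temp directory
# and fingerprint the binary. Not from the original thread. Assumes Windows
# PowerShell 2.0+ running elevated; helper names below are hypothetical.

# Temp roots to treat as suspicious. Services run as LocalSystem use
# %windir%\Temp, which is the directory the poster describes.
$tempRoots = @((Join-Path $env:windir 'Temp'), $env:TEMP, $env:TMP) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' } |
    Select-Object -Unique

function Get-ImagePathFromCommand {
    param([string]$CommandLine)
    # Win32_Service.PathName is either quoted ("C:\a b\x.exe" -arg) or
    # unquoted (C:\a\x.exe -arg); pull out just the executable path.
    if (-not $CommandLine) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-Sha256 {
    param([string]$Path)
    # .NET hashing works on PowerShell 2.0, where Get-FileHash does not exist.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-TempServiceSuspects {
    foreach ($svc in Get-WmiObject Win32_Service) {
        $image = Get-ImagePathFromCommand $svc.PathName
        if (-not $image) { continue }
        $dir = [System.IO.Path]::GetDirectoryName($image)
        if (-not $dir) { continue }
        $dir = $dir.TrimEnd('\').ToLowerInvariant() + '\'
        # Only report services whose binary is under one of the temp roots.
        if (-not ($tempRoots | Where-Object { $dir.StartsWith($_) })) { continue }

        # The poster saw the file vanish after stopping the service, so record
        # whether it is on disk right now; hash and signature only if it is.
        $present = Test-Path -LiteralPath $image
        New-Object PSObject -Property @{
            Service   = $svc.Name
            Display   = $svc.DisplayName
            State     = $svc.State
            StartMode = $svc.StartMode
            Account   = $svc.StartName
            Image     = $image
            Present   = $present
            Sha256    = if ($present) { Get-Sha256 $image } else { $null }
            Signature = if ($present) { (Get-AuthenticodeSignature $image).Status } else { $null }
        }
    }
}

Get-TempServiceSuspects | Format-List
```

A legitimate service almost never runs from a temp directory, so any hit is worth keeping even if the file is gone by the time you look (the service name, start mode and account survive in the registry under HKLM\SYSTEM\CurrentControlSet\Services and in `sc qc <name>`). The hash lets you tell whether the randomly named copies are the same binary or not, which the poster later wonders about. Finding what writes the file is a different question: run Sysinternals Process Monitor with a filter of Path contains \Temp\ and Operation is CreateFile, and the process that creates the next random-named .exe is the dropper; the same two checks (hash and Get-AuthenticodeSignature) apply to any DLL in System32 you are unsure about.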
#2 (Guest): Re: Suspect Service/Software

Michael S wrote:
> [snip]

Since a Google for "FA31DC.exe" shows nothing and since the file name is different each time, there is a high probability that you have malware. Since Vista is so new, most of us in the tech support industry who are skilled in removing malware from older MS OSes haven't worked with removing malware on Vista yet hands-on. I can point you to my general malware removal steps on my website, but I have no idea whether they are applicable to Vista.

http://www.elephantboycomputers.com/...moving_Malware

Certainly some of the preparatory procedures will work, and I would check with the antispyware program sites (such as Ad-Aware, Spybot, Ewido) to see if they are Vista-compatible yet. I don't think the HijackThis tool (recently purchased by Trend Micro) is Vista-compatible at this time.

You might want to post in one of the well-known malware-fighting forums such as:
http://www.bleepingcomputer.com
http://castlecops.com
http://www.geekstogo.com
http://aumha.net

Do you know how you got infected? I'm not trying to pry, but any information you can supply will help those of us who fight malware develop tools and techniques for Vista.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
#3 (Guest): Re: Suspect Service/Software

Michael,

Please run a rootkit scanner too, if Vista allows it. Maybe RootkitRevealer?

Bye,
Jan

"Michael S" <Michael S@discussions.microsoft.com> wrote in message news:B5DA318B-80B7-4E5A-B76A-7C7B0DCF1BBF@microsoft.com...
> I have a service running that points to an exe file in my windows temp dir,
> every time I end the service the exe file disappears and will reappear later,
> every time the file appears it has a different file name. e.g. FA31DC.exe
> normally after ending the service 3 or 4 times it doesnt start up again for
> quite some time unless I reboot the system.
#4 (Guest): Re: Suspect Service/Software

"Malke" wrote:
> [snip]

OK, thanks for that. I have had quite a bit of experience with previous versions of Windows, removing viruses and malware. I've gone through and tried almost all the software packages I could get my hands on.

AVG 7.5 didn't work at all, Norton's was, well, useless, Spysweeper kept on finding cookies only. Trend Micro works OK, but had issues with the updates, and the firewall was having driver issues; not that I really cared about their firewall, but that didn't find anything at all. Ad-Aware found cookies only, Spybot Search & Destroy found cookies again, lol. Spybot found some cookies AND something to do with bitsprx3.dll. Now, from what I understand, Backdoor.Sekorbdal creates this file when installed via the browser, starts Windows Media Player as a service and creates a whole mess of files.

As it stands now I have the following:
bitsprx2.dll
bitsprx3.dll
bitsprx4.dll
bitsprx5.dll

Not really sure if these are all supposed to be there or not, but after running Spybot while the services were running and the exe file was present in the temp dir, it seems to have stopped this from running. That being said, this is only the 2nd reboot after the scan; I'll be happy in a week if I can still claim to have not seen it. I started to take note of the name of the file in the temp dir so there was some sort of record. Now, I did notice these were not always different:

RJD087.EXE
CM6C79.EXE
TU6BFB.EXE

Will keep you posted. Any more ideas would be good; I'm interested in finding out more, of course, and thanks for the help.
#5 (Guest): Re: Suspect Service/Software

Michael S wrote:
> [snip]

Thanks for the detailed report. Do you think you picked up the infection by downloading from one of the notoriously evil codec sites? I do suggest you post to one of the forums.

>> http://www.bleepingcomputer.com
>> http://castlecops.com
>> http://www.geekstogo.com
>> http://aumha.net

If you have the time and inclination, you will not only be helping yourself but others, as you will add to the malware fighters' knowledge.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User