Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Mutating EXE files in the registry

Status
Not open for further replies.
ftvjr

ftvjr

IS-IT--Management
Nov 25, 2002
11
US
We are running Windows 2000 and it is full patched with updated McAfee DATs.
Program details: I have seen it named any of the following.

- dblog.exe
- dnssrv.exe
- awave.exe
- asurl.exe
- ordblc.exe (something close to that)

Most of the time located in...

c:\winnt\config
c:\winnt\tasks
c:\winnt\speech
c:\winnt

Another characteristic of the program is that for every .exe instance there is a corresponding .ini file that is the mirror image of the file name. For instance...

dblog.exe, has an INI file of golbd.ini

This is the case for every instance of the program that I saw. It installs itself in the usual registry places...(HKCU|HKLM)/Software/.../(Run|RunOnce).

Things I have tried:

- Latest SDAT and ran virus scan
- Installed Adaware
- Stinger
- Removing from registry - this one replaces the registry entries extremely quickly.
- Changing ACLs on the registry - this did not seem to work either.

Any thoughts or suggestions you have would be greatly appreciated. I could not find much mention of this one on the net. But, then again, it seems to create pretty random EXE names.
 
Sort by date Sort by votes
I posted a similiar response in the Citrix forum, but since it sounds like the same problem, I'll post here too. The user has WinXP SP1. I had this problem on a machine and discovered it because it prevented my Citrix apps from opening. The process was not detected by any of the usual means, Spybot, AdAware, Norton, or Hijack This. But after I had cleaned everything it found and still had a rogue process reappearing in my run key in the registry and one that I could not kill in the task manager, I went to work on it. This file was named imginet.exe and the ini's and bak's were named tenigmi. I first managed to rename it and delete the accompanying .ini and .bak files(which I am assuming were the backups to reinstall the process if it got deleted). I then watched the files reappear in the C:\windows\repair directory. Then I used Killbox and deleted all the files, removed them from startup, and rebooted. I got an error message saying that it could not find the file imginet.exe. Good news. But then I noticed that I had another process doing the same thing called acbin.exe, and it was in the same directory c:\windows\repair along with the .ini, .tmp and .bak files with the reversed name(nibca). So I repeated the process, using Killbox, editing the registry and removing the process from both Run and RunOnce, which had a strange rerun added after the file location. This time on the reboot I got the message that acbin.exe could not be found. No strange processes restarted this time, and there were no files left in the repair directory that shouldn't have been there. Don't delete the whole directory because there are valid windows files in there. I searched the registry for files with the names in them, and it came out clean. So far, this machine is still clean. If it hadn't interfered with Citrix, I may never have found it though. I don't know what other damage it may inflict, and I haven't been able to find anyone who has identified it yet. It also seems to mutate in different forms, as every forum I've seen talking about this has no two users listing the same file/process names. If anyone can identify what it is and a tool that might clean it, I'd be very interested.
 
Upvote 0 Downvote
The only thing that I've seen that is similar to this is for a new variation of the CoolWebSearch homepage hijacker. Go to the following for removal instructions.


Make sure you have the latest About:Buster (should be at least 3.0).

In my case, I also noticed a corresponding 5 character .dll file for each of the 5 character .exe files in the Windows and Windows\system32 directories.

The additional step that I had to take (because About:Buster didn't get rid of all remnants) was to do a search on the whole hard disk for all 5 character .dll files (ie. ?????.dll). I noticed that all the 5 character .dll files related to this were either 53KB or 56KB in size. I manually deleted these files as well.

It's been a while ago, but I think I also searched for a corresponding .exe file for each of the .dll files that matched the above criteria, and manually deleted them as well.

The web site above also mentions 6 character .dll and .exe files, so you might want to check for them as well to see if they match the 53KB or 56KB characteristics.


Help! I've fallen and I can't reach my beer.
cheers.gif
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Mike Lewis
  • Locked
  • Question
MsMpEng.EXE in MSE: necessary? desirable?
Replies
3
Views
258
Mike Lewis
Mike Lewis
goombawaho
  • Locked
  • News
Malware Injected Into CCleaner 3
Replies
2
Views
172
goombawaho
goombawaho
amanua
  • Locked
  • Question
vpn7x32.exe in program files folder
Replies
5
Views
199
goombawaho
goombawaho
riobogmedacaliaires
  • Locked
  • Question
how to exclude folders in trend officescan 11 client side
Replies
0
Views
115
riobogmedacaliaires
riobogmedacaliaires
2ffat
  • Locked
  • News
Lenovo isn't the only one with bad certificates 5
Replies
6
Views
428
2ffat
2ffat

Part and Inventory Search

Sponsor

Back
Top