
{RESOLVED}rs1.exe

Discussion in 'Virus & Other Malware Removal' started by panzer999, Sep 23, 2003.

Thread Status:
Not open for further replies.
  1. panzer999

    panzer999 Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    724
    Heya folks

    I was looking over a HijackThis log and came up with something interesting....

    http://www.ewebsearch.net/sp.htm

    DO NOT CLICK ON THAT LINK!!!!!!

    It has a .exe embedded in it. I was hijacked while using IE, so I traced my steps back to this page.

    I opened the page in Firebird, and it prompted me for what to do with a .exe file. I saved it to desktop, tightened down the system and clicked it.

    Just thought some of you security experts might wanna have a look-see.

    Be warned...first thing it wants to do is write itself to the registry. The file is called rs1.exe.


    Also picked up 2 new .exe's :)

    SYSCNTR.EXE
    ahfp.exe
     
  2. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    A quick look at the iframe embedded in that link indicates a dialler download from a European source.
    The first download (rs1.exe) is UPX 1.24 packed (at least it indicates so - I didn't unpack it).
    It also has a string in it indicating "GLOBALIZED COMMUNICATIONS".
    I might look later if it's still giving you trouble.

    Based on the filename you picked up (SYSCNTR.EXE)- it's probably this (or a variant of it):
    Dialer.Prive
     
  3. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    According to research done by some compadres of mine:

    This is a porn dialer drive-by download site...the main address is that of a search page.

    http://www.symantec.com/avcenter/venc/data/dialer.prive.html

    Dialer.Prive is installed as a premium rate dialer used to access material on the Internet. It does not require your permission to allow the program to run.

    When Dialer.Prive is executed, it does the following:

    Copies itself as %System%\ShellExt\SYSCNTR.EXE.

    Creates shortcuts at the following locations:
    C:\Documents and Settings\%username%\Desktop\Prive.lnk
    C:\Documents and Settings\%username%\Start Menu\Prive.lnk
    C:\Documents and Settings\%username%\Start Menu\Programs\Prive.lnk
    C:\Documents and Settings\%username%\Application Data\Microsoft\Internet Explorer\Quick Launch\Prive.lnk

    Adds the value:

    "Connector"="C:\Winnt\System32\ShellExt\SYSCNTR.EXE"

    to the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
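The write-up quoted above gives three concrete things a defender can look for: a `Run` value named `Connector`, an executable under `ShellExt\SYSCNTR.EXE`, and `Prive.lnk` shortcuts in the user's profile. The following Python is an added example for this thread (not a tool from the forum, from HijackThis or from Symantec) that scans HijackThis-style `O4` lines and a list of profile paths for exactly those indicators. The log lines and file paths are constructed samples, and the `O4` line layout is assumed from HijackThis's own log format.

```python
"""Flag the Dialer.Prive persistence indicators quoted in this thread.

Added example for the thread, not a tool from the forum, from HijackThis
or from Symantec. The sample log lines and file paths below are
constructed to match the indicators in the quoted write-up; the O4 line
layout is assumed from HijackThis's own log format.
"""
import re

# Indicators quoted from the write-up (Windows paths compare case-insensitively).
RUN_VALUE_NAME = "connector"
DROPPED_BINARY = r"\shellext\syscntr.exe"
SHORTCUT_NAME = "prive.lnk"

# HijackThis "O4" entries look like:  O4 - HKLM\..\Run: [ValueName] C:\path\file.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_o4(line):
    """Return the hive, key, value name and command of an O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {"hive": m["hive"], "key": m["key"], "name": m["name"], "cmd": m["cmd"].strip()}


def classify_run_entry(entry):
    """List the reasons a Run entry matches the Dialer.Prive indicators."""
    reasons = []
    if entry["name"].lower() == RUN_VALUE_NAME:
        reasons.append("Run value named 'Connector'")
    if DROPPED_BINARY in entry["cmd"].lower():
        reasons.append("command launches ShellExt\\SYSCNTR.EXE")
    return reasons


def scan_hijackthis_log(text):
    """Return (line, reasons) for every O4 entry that hits an indicator."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = classify_run_entry(entry)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


def find_prive_shortcuts(paths):
    """Return the paths whose file name is the Prive.lnk shortcut."""
    return [p for p in paths if p.lower().endswith("\\" + SHORTCUT_NAME)]


# Constructed sample log: two ordinary O4 entries and one matching the write-up.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.3 (constructed sample)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Connector] C:\WINNT\System32\ShellExt\SYSCNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
"""

# Constructed sample listing of a user profile.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Desktop\Prive.lnk",
    r"C:\Documents and Settings\alice\Desktop\Notepad.lnk",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Prive.lnk",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf",
]

if __name__ == "__main__":
    for line, reasons in scan_hijackthis_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
    for p in find_prive_shortcuts(SAMPLE_PATHS):
        print("shortcut:", p)
```

The value name and the dropped-binary path are checked separately so that a variant which keeps one and changes the other still produces a finding; a real log would be read from a file instead of `SAMPLE_LOG`.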
     
  4. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
  5. panzer999

    panzer999 Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    724
    I ended up with a quick launch of 'Rapid Sparks'

    I got it cleaned up. Thanks guys :)

    And the first registry key that it plants tries to write another one (didn't catch the path) on shutdown. I am using the program RegProt, so I was able to cut it off before it got too embedded.

    Did an EndItAll on the .exes and deleted them.

    Then Spybot and Ad Aware popped what was left.

    Looks clean now.
     
  6. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Good news. (y)
     
  7. panzer999

    panzer999 Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    724
    Yeah...wish someone had told me that :)

    And the guy who posted his Hijack (where I got the link) didn't seem to have any of it on his system.

    Go figure....
     

Short URL to this thread: https://techguy.org/166911