{RESOLVED}rs1.exe

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

panzer999

Thread Starter
Joined
Jul 14, 2003
Messages
724
Heya folks

I was looking over a HiJack this log and came up with something interesting....

http://www.ewebsearch.net/sp.htm

DO NOT CLICK ON THAT LINK!!!!!!

It has a .exe embedded in it. I was hijacked while using IE, so I traced my step back to this page.

I opened the page in Firebird, and it prompted me for what to do with a .exe file. I saved it to desktop, tightened down the system and clicked it.

Just thought some of you security experts might wanna have a look-see.

Be warned...first thing it wants to do is write itself to the registry. The file is called rs1.exe.


Also picked up 2 new .exe's :)

SYSCNTR.EXE
ahfp.exe

IMM

Joined
Feb 1, 2002
Messages
3,257
A quick look at the iframe embedded in that link indicates a dialler download from a european source.
The first download (rs1.exe) is UPX 1.24 packed (at least it indicates so - I didn't unpack it)
It also has a string in it indicating "GLOBALIZED COMMUNICATIONS"
I might look later if it's still giving you trouble.

Based on the filename you picked up (SYSCNTR.EXE)- it's probably this (or a variant of it):
Dialer.Prive
Joined
Aug 18, 2003
Messages
2,438
According to research done by some compadres of mine:

This is a porn dialer drive-by download site...the main address is that of a search page.

http://www.symantec.com/avcenter/venc/data/dialer.prive.html

Dialer.Prive is installed as a premium rate dialer used to access material on the Internet. It does not require your permission to allow the program to run.

When Dialer.Prive is executed, it does the following:

Copies itself as %System%\ShellExt\SYSCNTR.EXE.

Creates shortcuts at the following locations:
C:\Documents and Settings\%username%\Desktop\Prive.lnk
C:\Documents and Settings\%username%\Start Menu\Prive.lnk
C:\Documents and Settings\%username%\Start Menu\Programs\Prive.lnk
C:\Documents and Settings\%username%\Application Data\Microsoft\Internet Explorer\Quick Launch\Prive.lnk

Adds the value:

"Connector"="C:\Winnt\System32\ShellExt\SYSCNTR.EXE"

to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
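For anyone checking a HijackThis log for the same infection, here is an added example (not code from the thread or from Symantec's writeup) that scans the O4 autostart lines for the indicators named in this thread: the "Connector" Run value, the ShellExt drop location, and the SYSCNTR.EXE / ahfp.exe / rs1.exe file names. The sample log lines are constructed.

```python
import re

# Indicators as given in the thread (Run value name, drop folder, file names).
SUSPECT_RUN_VALUES = {"connector"}
SUSPECT_BINARIES = {"syscntr.exe", "ahfp.exe", "rs1.exe"}
DROP_FOLDER = "\\shellext\\"

# HijackThis O4 line, e.g.
#   O4 - HKLM\..\Run: [Connector] C:\Winnt\System32\ShellExt\SYSCNTR.EXE
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Constructed sample log: one Dialer.Prive Run entry, one legitimate entry,
# one of the extra .exe's the poster found, and a non-O4 line to be skipped.
SAMPLE_LOG = [
    "O4 - HKLM\\..\\Run: [Connector] C:\\Winnt\\System32\\ShellExt\\SYSCNTR.EXE",
    "O4 - HKLM\\..\\Run: [RegProt] C:\\Program Files\\RegProt\\regprot.exe",
    "O4 - HKCU\\..\\Run: [ahfp] C:\\WINNT\\ahfp.exe",
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank",
]


def parse_o4(line):
    """Split an O4 line into hive/key/value-name/command, or None if not O4."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_name(cmd):
    """Lower-cased file name of the program a Run command launches."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_dialer_prive(lines):
    """Return one dict per O4 entry that matches any Dialer.Prive indicator."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        if entry["name"].lower() in SUSPECT_RUN_VALUES:
            reasons.append("Run value name '%s' matches Dialer.Prive" % entry["name"])
        if DROP_FOLDER in entry["cmd"].lower():
            reasons.append("launched from System32\\ShellExt, where Dialer.Prive copies itself")
        exe = executable_name(entry["cmd"])
        if exe in SUSPECT_BINARIES:
            reasons.append("file name %s was reported in this infection" % exe)
        if reasons:
            hits.append({"name": entry["name"], "cmd": entry["cmd"], "reasons": reasons})
    return hits
```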

panzer999

Thread Starter
Joined
Jul 14, 2003
Messages
724
I ended up with a quick launch of 'Rapid Sparks'

I got it cleaned up. Thanks guys :)

And the first registry key that it plants tries to write another one (didn't catch the path) on shutdown. I am using the program RegProt, so I was able to cut it off before it got too embedded.

Did an EndItAll on the .exes and deleted them.

Then Spybot and Ad Aware popped what was left.

Looks clean now.

panzer999

Thread Starter
Joined
Jul 14, 2003
Messages
724
Originally posted by IMM:
It's good advice - but I couldn't resist :)
Yeah...wish someone had told me that :)

And the guy who posted his Hijack (where I got the link) didn't seem to have any of it on his system.

Go figure....