
I'm helping to clean up a work machine that is very very sick while our IT guy is away. Found a number of trojans so far, a few nasty malware pranks, and some rogue .exe files that I can't seem to place.


Mostly clean now, but I have two processes running that are suspicious.


msiexec.exe is automatically loading when Windows boots, although there are no residual installation processes due to complete.



ME7244.exe is running and I am not sure what that is... further, there is no Google info on it. I am considering it a very likely candidate to be a trouble maker.


Does anyone know what this process is?


Might not be as simple as that... I lost ME7244.exe when I switched back to normal startup to see if it would start because the file search couldn't locate it. I did not find it starting up again, but got another bogus looking one... LNAFE2.exe. Similarly there does not seem to be a listing for it.


Right now it is sitting open on my taskmanager but the file search is not able to locate it.


Unless it is a network file (in which case H*($S*#* we have big problems here), I think it might be an alias name for another process.


I keep seeing Symantec find the same trojan threats over and over again even though I have removed them from the current and system registries.... there is a file here somewhere that I am not finding.



Edit: Collapsing Following post...

FOUND IT! It's getting created in a temp file whenever I restart.... I will upload LNAFE2.exe and scan per processes above now...

Edited by FrankenBox
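The symptom in the post above, a process visible in Task Manager whose file a search cannot find, usually means the image sits in a temp folder or has already been deleted. As an added example that is not from the thread, this Python triages a process list exported with `wmic process get Name,ExecutablePath,ProcessId /format:csv`: it flags empty image paths, temp-folder locations and names of the shape GetTempFileName() produces, and hashes any image still on disk for a VirusTotal lookup. The CSV sample, its paths and PIDs are constructed, and the temp-folder list and name pattern are heuristics, not proof of anything.

```python
import csv
import hashlib
import io
import os
import re

# Constructed sample of `wmic process get Name,ExecutablePath,ProcessId /format:csv`
# output (not taken from the thread); the paths and PIDs are made up.
SAMPLE_WMIC_CSV = """Node,ExecutablePath,Name,ProcessId
WORKPC,C:\\WINDOWS\\system32\\msiexec.exe,msiexec.exe,1480
WORKPC,C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\LNAFE2.exe,LNAFE2.exe,2044
WORKPC,,ME7244.exe,1912
"""

# GetTempFileName() names files <up to 3 prefix letters><4 hex digits>; ME7244, LNAFE2 and
# UD6DD1 from the thread fit that shape. Heuristic only: legitimate installers use it too.
TEMPNAME_RE = re.compile(r"^[A-Za-z]{1,3}[0-9A-Fa-f]{4}\.exe$", re.IGNORECASE)
TEMP_DIRS = ("\\temp\\", "\\tmp\\")  # assumed temp locations, matched case-insensitively

def flag_process(name, path):
    """Return the reasons a process deserves a closer look (empty list = nothing odd)."""
    reasons = []
    if not path:
        # Listed by Task Manager but no path reported: image deleted, hidden or unreadable,
        # which is also why a plain file search comes back empty.
        reasons.append("no image path reported")
    elif any(d in path.lower() for d in TEMP_DIRS):
        reasons.append("runs from a temp directory")
    if TEMPNAME_RE.match(name):
        reasons.append("name looks like GetTempFileName output")
    return reasons

def sha256_of(path):
    """SHA-256 of the image on disk, for a VirusTotal lookup; None if it is not there."""
    if not path or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def triage(csv_text):
    """Map (name, pid) -> reasons for every process the heuristics flag."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = flag_process(row["Name"], row["ExecutablePath"])
        if reasons:
            findings[(row["Name"], int(row["ProcessId"]))] = reasons
    return findings

if __name__ == "__main__":
    for (name, pid), reasons in triage(SAMPLE_WMIC_CSV).items():
        print(f"{name} (pid {pid}): {'; '.join(reasons)}")
```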

Results from VirusTotal:

File UD6DD1.EXE received on 08.04.2008 10:40:49 (CET)
Current status: finished
Result: 1/36 (2.78%)

Antivirus          Version          Last Update   Result
AhnLab-V3          2008.7.29.1      2008.08.04    -
AntiVir                             2008.08.04    -
Authentium                          2008.08.03    -
Avast              4.8.1195.0       2008.08.03    -
AVG                                 2008.08.03    -
BitDefender        7.2              2008.08.04    -
CAT-QuickHeal      9.50             2008.08.02    -
ClamAV             0.93.1           2008.08.04    -
DrWeb                               2008.08.04    -
eSafe                               2008.08.03    -
eTrust-Vet         31.6.6002        2008.08.02    -
Ewido              4.0              2008.08.03    -
F-Prot                              2008.08.03    -
F-Secure           7.60.13501.0     2008.08.04    Suspicious:W32/Dzan!Gemini
Fortinet                            2008.08.04    -
GData              2.0.7306.1023    2008.08.04    -
Ikarus             T3.              2008.08.04    -
K7AntiVirus        7.10.402         2008.08.02    -
Kaspersky                           2008.08.04    -
McAfee             5352             2008.08.01    -
Microsoft          1.3807           2008.08.04    -
NOD32v2            3323             2008.08.04    -
Norman             5.80.02          2008.08.01    -
Panda                               2008.08.03    -
PCTools                             2008.08.03    -
Prevx1             V2               2008.08.04    -
Rising                              2008.08.04    -
Sophos             4.31.0           2008.08.04    -
Sunbelt            3.1.1537.1       2008.08.01    -
Symantec           10               2008.08.04    -
TheHacker                           2008.08.04    -
TrendMicro         8.700.0.1004     2008.08.04    -
VBA32                               2008.08.04    -
ViRobot            2008.8.1.1321    2008.08.01    -
VirusBuster                         2008.08.03    -
Webwasher-Gateway  6.6.2            2008.08.04    -

Additional information
File size: 296224 bytes
MD5...: b8bee3b4802f23fcc809082dfb5a663b
SHA1..: aaf3bec0920d83e09b24988d9d4baeebaa7c92e5
SHA256: b4a6cc1c2881f12ac55ea18dcb4d469c2bd39205db6103ff2450ac5b8ba4ba65
SHA512: 6b3a963734a87b8197dca6b106b9b2bfaa47a152cd26d3f0dbcc94cad96ad5e8
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41db09
timedatestamp.....: 0x48243050 (Fri May 09 11:06:56 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x350bb  0x36000  6.61   d7f9a3888ef873e8a66a5ef75280ec7a
.rdata  0x37000  0xb763   0xc000   5.01   781cee8b4262394da3ccceb73a8c24fe
.data   0x43000  0xb760   0x3000   3.16   2b669b77dbae0570d425d6dfcbaf70da
.rsrc   0x4f000  0xaf8    0x1000   4.42   853b1f5de5376361b0ca12f4a6354f1e

( 7 imports )
> WS2_32.dll: -, -, -
> ADVAPI32.dll: SetSecurityDescriptorDacl, InitializeSecurityDescriptor, StartServiceA, QueryServiceStatus, CloseServiceHandle, OpenServiceA, OpenSCManagerA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyExA, QueryServiceConfigA, RegNotifyChangeKeyValue
> KERNEL32.dll: GlobalAlloc, GlobalFree, lstrcmpA, TlsGetValue, GlobalReAlloc, GlobalHandle, TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, InterlockedDecrement, InterlockedIncrement, GlobalGetAtomNameA, GetThreadLocale, ResumeThread, GlobalFlags, lstrcmpW, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GetLocaleInfoA, GetCPInfo, GetOEMCP, SetFilePointer, FlushFileBuffers, GlobalLock, CreateFileA, GetFileAttributesA, RaiseException, RtlUnwind, ExitThread, CreateThread, GetSystemTimeAsFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, HeapReAlloc, GetCommandLineA, GetProcessHeap, GetStartupInfoA, HeapSize, ExitProcess, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetConsoleCP, GetConsoleMode, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GlobalUnlock, FormatMessageA, SetLastError, GetCurrentProcess, LoadLibraryW, CreateFileW, WaitNamedPipeW, SetNamedPipeHandleState, WriteFile, SetWaitableTimer, GetOverlappedResult, ReadFile, GetCurrentThreadId, CreateEventW, CreateNamedPipeW, DisconnectNamedPipe, ConnectNamedPipe, lstrlenA, CompareStringA, MultiByteToWideChar, InterlockedExchange, WaitForMultipleObjects, LocalAlloc, LocalFree, CreateProcessA, GetModuleFileNameA, GetTickCount, CopyFileA, TerminateProcess, MoveFileExA, GetVersion, VirtualAlloc, DeleteFileA, Sleep, ResetEvent, SetEvent, TerminateThread, DeleteCriticalSection, CreateEventA, InitializeCriticalSection, GetCurrentDirectoryA, GetComputerNameA, GetTempPathA, GetTempFileNameA, GetSystemDirectoryA, FindFirstFileA, FindNextFileA, FindClose, lstrcmpiA, OpenFile, WideCharToMultiByte, GetVersionExA, GetLastError, EnterCriticalSection, _lclose, LeaveCriticalSection, GetPrivateProfileIntA, FindResourceA, FreeLibrary, LoadResource, LockResource, SizeofResource, CreateMutexA, GetModuleHandleA, WaitForSingleObject, GetExitCodeThread, lstrcpyA, GetCurrentProcessId, OpenProcess, CloseHandle, ReadProcessMemory, WriteProcessMemory, GetProcAddress, LoadLibraryA, InterlockedCompareExchange
> USER32.dll: DestroyMenu, PostQuitMessage, RegisterWindowMessageA, LoadIconA, WinHelpA, GetCapture, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, GetClientRect, GetMenu, PostMessageA, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, DefWindowProcA, CallWindowProcA, SystemParametersInfoA, IsIconic, GetWindowPlacement, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, ModifyMenuA, EnableMenuItem, CheckMenuItem, SetWindowPos, SetWindowLongA, IsWindow, GetDlgItem, GetFocus, ClientToScreen, GetWindow, GetDlgCtrlID, GetWindowRect, GetClassNameA, PtInRect, SetWindowTextA, UnregisterClassA, SetWindowsHookExA, CallNextHookEx, GrayStringA, DrawTextExA, DispatchMessageA, PeekMessageA, ValidateRect, GetWindowTextA, LoadCursorA, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, UnhookWindowsHookEx, GetWindowThreadProcessId, SendMessageA, GetParent, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, EnableWindow, MessageBoxA, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, wsprintfA, DrawTextA, TabbedTextOutA, GetKeyState
> GDI32.dll: TextOutA, ExtTextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, RectVisible, DeleteDC, GetStockObject, PtVisible, DeleteObject, GetDeviceCaps, SetMapMode, RestoreDC, SaveDC, SetBkColor, SetTextColor, GetClipBox, CreateBitmap
> WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter
> OLEAUT32.dll: -, -, -

( 61 exports )
[decorated C++ export names, mangled in the forum paste and unreadable], C_IsIPChanged, C_OfcDogLockFiles, C_RegWatchDog_Ofc, C_RegWatchDog_Ofc_PCCNTMON, C_RegWatchDog_Ofc_TMLISTEN, C_RegWatchDog_Ofc_TMPROXY, C_UnRegWatchDog_Ofc, C_UnRegWatchDog_Ofc_PCCNTMON, C_UnRegWatchDog_Ofc_TMLISTEN, C_UnRegWatchDog_Ofc_TMPROXY

ThreatExpert info: http://www.threatexpert.com/report.aspx?md...809082dfb5a663b

The other service reports nothing.
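The section table in the report above gives a per-section entropy (the ntrpy column). As an added example that is not from the thread, this Python walks the section headers of a PE image held in memory, recomputes that entropy and flags any section above the usual rule-of-thumb threshold of about 7.0 bits per byte for packed or encrypted code (the report's .text value of 6.61 stays below it, consistent with the empty PEiD line). `build_test_pe` constructs a minimal dummy PE so the parser can be exercised offline; the section names and byte patterns in it are made up.

```python
import math
import struct

PACKED_THRESHOLD = 7.0  # rule of thumb: above this a section is likely packed or encrypted

def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniformly random); the report's ntrpy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image):
    """Walk the section table of a PE image (bytes) and summarise each section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, SymTab ptr, NumSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    off = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections = []
    for _ in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        ent = round(shannon_entropy(image[rptr:rptr + rsize]), 2)
        sections.append({"name": name.rstrip(b"\0").decode(), "viradd": vaddr, "virsiz": vsize,
                         "rawdsiz": rsize, "ntrpy": ent, "packed": ent > PACKED_THRESHOLD})
        off += 40  # IMAGE_SECTION_HEADER is 40 bytes
    return sections

def build_test_pe(section_bodies):
    """Constructed minimal PE (DOS stub, COFF header, no optional header, payloads); not a real binary."""
    nsec = len(section_bodies)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0x48243050, 0, 0, 0, 0x102)
    headers, body, ptr, va = b"", b"", e_lfanew + 24 + 40 * nsec, 0x1000
    for name, data in section_bodies:
        headers += struct.pack("<8sIIII", name.encode(), len(data), va, len(data), ptr) + b"\0" * 16
        body, ptr, va = body + data, ptr + len(data), va + 0x1000
    return dos + coff + headers + body

if __name__ == "__main__":
    for s in pe_sections(build_test_pe([(".text", bytes(range(256)) * 4), (".data", b"\0" * 512)])):
        print(s)
```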


Well, you've scanned a temp file that apparently can reproduce itself to keep it alive.


You don't have the 'dropper' file (could look like a normal file) or anything else that looks fishy?

How about email?

How about IM? Is it used?

How about an infected usb flash device?

