42odhr0b.exe
After scanning a Windows XP Professional Service Pack 2 system, MoonDreaming, with Spybot Search & Destroy 1.6.2, I installed Multi Virus Cleaner 2008 v8.6.1 on the system and scanned the system with it. It reported that a file, 42odhr0b.exe, which it found in a user's Local Settings\Temp folder, was infected with the virus Trojan.Dropper.Small-8.
I submitted the file, which has an MD5 hash of 93d2546e58042ebe7f5ae26ec0ec50b3, to VirusTotal, a free service "that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines." It reported the file was first received on 10.07.2006 22:08:05 (CET). I had it reanalyze the file. VirusTotal reported that 91.18%, i.e. 31 of 34, of the antimalware programs with which it scanned the file identified the file as being malware (see VirusTotal report).
I also submitted the file to VirSCAN.org, "a FREE on-line scan service, which checks uploaded files for malware", using multiple antivirus engines. On uploading files you want to be checked, you can see the result of scanning and how dangerous and harmful/harmless for your computer those files are. VirSCAN reported that 76%, i.e. 28 of 37, of the antimalware programs it used reported the file as being malware (see VirSCAN report).
I also submitted the file to Jotti's Online Malware Scan, another free malware scanning site, for analysis. On that site, 18 of the 19 antivirus programs it used detected the file as malware (see Jotti report).
ThreatExpert, "an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode," identified the file as being associated with Spyware.FavoriteMan (see ThreatExpert report). ThreatExpert provided the following information on Spyware.FavoriteMan:
FavoriteMan is a Browser Helper Object, which connects to its controlling servers to download and install other programs and add entries to your Internet Explorer favorites menu or computer desktop. This program has been known to download at least 28 different adware or spyware programs. Some controlling servers are www.f1organizer.com, www.prize4all.com, www.yourspecialoffers.com and www.r-vision.org.
ThreatExpert indicated that the file creates the following files on the system:
%System%\ATPartners.dll
%System%\im64.dll
I had found ATPartners.dll on the system on February 27, 2005, when I had scanned the system with other antimalware software, and I had removed ATPartners.dll at that time. Apparently 42odhr0b.exe was left in the user's Local Settings\Temp folder from that time. Checking my notes for information on FavoriteMan, I found I had encountered it on other systems, e.g. a Windows 98 system on March 28, 2004 (see Windows 98 System Hanging After Login) and a Windows 98 Second Edition system on April 25, 2005 (see Calsdr.Dll Remnant).
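One way to check a system for the footprint ThreatExpert describes, as an added example that is not part of the original post, ThreatExpert's report, or any of the scanners named above: since FavoriteMan is a Browser Helper Object, the script walks the Browser Helper Objects registry key Internet Explorer loads from, resolves each CLSID to its DLL through HKCR\CLSID\{clsid}\InProcServer32, reports the DLL's Authenticode status, and then looks for the two %System% files listed above. The key names and paths are the standard ones for Internet Explorer on Windows XP; nothing else is assumed, and the script changes nothing.

```powershell
# Added example, not from the original post. Enumerates registered Internet Explorer
# Browser Helper Objects (BHOs), resolves each CLSID to the DLL that implements it,
# and then checks for the two files ThreatExpert lists for Spyware.FavoriteMan.
# Read-only; run it as an administrator on the system being checked.

$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$system = Join-Path $env:SystemRoot 'system32'

# Indicators taken from the ThreatExpert report quoted above (%System% = system32).
$indicators = @('ATPartners.dll', 'im64.dll') | ForEach-Object { Join-Path $system $_ }

function Get-BhoDll {
    param([string]$Clsid)
    # A BHO's CLSID is registered under HKCR\CLSID\{clsid}\InProcServer32; the
    # default value is the path of the DLL IE loads into every browser process.
    $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32" -ErrorAction SilentlyContinue
    if ($srv) { [Environment]::ExpandEnvironmentVariables($srv.'(default)') }
}

'== Registered BHOs =='
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $dll   = Get-BhoDll $clsid
        $sig   = if ($dll -and (Test-Path -LiteralPath $dll)) {
                     (Get-AuthenticodeSignature -FilePath $dll).Status
                 } else { 'MISSING' }
        '{0}  {1}  [{2}]' -f $clsid, $dll, $sig
    }
} else {
    'No Browser Helper Objects key present.'
}

'== FavoriteMan file indicators =='
foreach ($path in $indicators) {
    if (Test-Path -LiteralPath $path) {
        $f = Get-Item -LiteralPath $path
        '{0}  PRESENT  {1:N0} bytes  modified {2}' -f $path, $f.Length, $f.LastWriteTime
    } else {
        "$path  not found"
    }
}
```

A caveat when reading the signature column on Windows XP: most Microsoft-shipped files of that era are signed through catalog files rather than an embedded signature, and Get-AuthenticodeSignature on XP does not consult catalogs, so NotSigned alone does not condemn a BHO. An unsigned DLL living outside Program Files or system32, or one that matches the listed indicators, is what warrants a closer look.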
Download a zipped copy of 42odhr0b.exe for analysis or testing antimalware software (use zoo as userid and malware as password). Note: You do so at your own risk; this file can infect a system, so only run the program on a test system.
[/security/malware]
23010852235.exe
When I scanned a Windows XP Professional Service Pack 2 system, MoonDreaming, with Spybot Search & Destroy 1.6.2, it found 4 entries for Excite, but those were only tracking cookies. It also found 1 entry for Win32.Agent.cyt: a file, 23010852235.exe, which has an MD5 hash of 9ec78aac59b04643bfb43415c6fa2909, in a user's Local Settings\Temp directory.
I uploaded the file to VirusTotal, a free online virus and malware scan website, for analysis. Twenty-four of the 39 malware scan programs with which it scanned the file reported it contained malware (see VirusTotal report).
I also uploaded the file to VirSCAN.org, another multi-engine virus scanner site. It reported "The file are 23010852235.exe uploaded by other users and scanned successfully at 2008/01/18 20:48:04". I had it rescan the file. It reported that 49%, i.e. 18 of 37, of the malware detection programs that it used identified the file as containing malware (see VirSCAN report).
File Name: 23010852235.exe
File Size: 3072 bytes
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 9ec78aac59b04643bfb43415c6fa2909
SHA1: 546e2d9c76fad865ac56b89fa54a864d564f1c16
Compressed: NA
Prevx, a security company that makes software that "identifies malicious code by its 'behavior'", lists SYSNSAD.EXE as being an alias for a file with this MD5 hash (see Prevx report). The Prevx report states the following:
A file with the name SYSNSAD.EXE have been seen to have the following Vendor, Product and Version Information in the file header:
Microsoft Corporation; File Compare Utility; 5.1.2600.0
Microsoft Corporation; File Compare Utility; 5.1.2600.0 (xpclient.010817-1148)
When I examined the file with Filealyzer, I saw the following version information:
File version     | 5.1.2600.0 (xpclient.010817-1148)
Company name     | Microsoft Corporation
Internal name    | Comp
Comments         |
Legal copyright  | ©Microsoft Corporation. All rights reserved.
Legal trademarks |
Original filename| Comp.Exe
Product name     | Microsoft® Windows® Operating System
Product version  | 5.1.2600.0
File description | File Compare Utility
The version information was likely inserted by the malware author to
try to disguise the file as an innocuous Microsoft-provided operating system
file.
I had Spybot fix the problem, i.e. delete the file.
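The version resource is unauthenticated metadata: anyone building an executable can set CompanyName to "Microsoft Corporation" and OriginalFilename to Comp.Exe. What the strings cannot forge is the file's size, hashes and signature, and the genuine file with that OriginalFilename ships in %SystemRoot%\system32. The script below, an added example that is not part of the original post, Filealyzer or Prevx, reads the same version strings Filealyzer showed, computes MD5, SHA-1 and SHA-256 (the MD5 the scanning sites in both posts above key on is collision-prone, so the stronger hashes are worth recording with every sample), checks the Authenticode status, and compares the suspect against the system32 copy it claims to be. $SuspectPath is an assumption; point it at wherever the sample was copied.

```powershell
# Added example, not from the original post. Given a suspect file, read its version
# resource, locate the genuine Windows file it claims to be (by OriginalFilename in
# %SystemRoot%\system32), and compare the two by size, hashes and Authenticode status.
# $SuspectPath is an assumption; point it at the file under examination.
param([string]$SuspectPath = 'C:\Temp\23010852235.exe')

function Get-Hashes {
    param([string]$Path)
    # MD5 is what the scanning sites key on, but it is collision-prone;
    # record SHA-1 and SHA-256 as well so the sample can be matched later.
    $result = @{}
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($alg)
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $bytes = $hasher.ComputeHash($stream)
            $result[$alg] = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally { $stream.Close() }
    }
    $result
}

function Show-FileIdentity {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo               # the VS_VERSIONINFO strings Filealyzer displayed
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $h    = Get-Hashes $Path
    "`n$Path"
    '  Size:             {0:N0} bytes' -f $item.Length
    "  CompanyName:      $($vi.CompanyName)"
    "  FileDescription:  $($vi.FileDescription)"
    "  OriginalFilename: $($vi.OriginalFilename)"
    "  FileVersion:      $($vi.FileVersion)"
    "  Authenticode:     $($sig.Status)"    # Valid only if the named company really signed it
    "  MD5:              $($h.MD5)"
    "  SHA1:             $($h.SHA1)"
    "  SHA256:           $($h.SHA256)"
    $h
}

$suspectHashes = Show-FileIdentity $SuspectPath

# Version strings prove nothing; the shipped file with the same OriginalFilename
# lives in system32, and a "Microsoft" file that differs from it in size and hash
# is a forgery regardless of what its version resource says.
$claimed = (Get-Item -LiteralPath $SuspectPath).VersionInfo.OriginalFilename
if ($claimed) {
    $genuine = Join-Path (Join-Path $env:SystemRoot 'system32') $claimed
    if (Test-Path -LiteralPath $genuine) {
        $genuineHashes = Show-FileIdentity $genuine
        "`nSuspect is byte-identical to ${genuine}: " + ($suspectHashes.SHA256 -eq $genuineHashes.SHA256)
    } else {
        "`nNo file named $claimed in system32 to compare against."
    }
}
```

One caveat for the Authenticode line: on Windows XP the operating system's own binaries are signed through catalog files rather than embedded signatures, and Get-AuthenticodeSignature on XP does not consult catalogs, so the genuine system32\comp.exe also reports NotSigned there. On XP the size and hash comparison is the decisive check; on later Windows versions a Microsoft-branded file that reports anything other than Valid is suspect on its own.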
Download 23010852235.exe for analysis or testing antimalware software (use zoo as userid and malware as password). Note: You do so at your own risk; this file can infect a system, so only run the program on a test system.
[/security/malware]
Remove Hotfix Backups and $NTServicePackUninstall on MoonDreaming
I installed Doug Knox's Remove Hotfix Backups on MoonDreaming, a Windows XP Professional Service Pack 2 system. Windows Explorer reported "Free space: 46,294,945 bytes 43.1 GB" and checking for $NT*KB* directories showed the following:
C:\TEMP>dir /ah \Windows\$NT*KB*
Volume in drive C is Sys-WinXP
Volume Serial Number is B0E3-65A7
Directory of C:\Windows
01/21/2005 02:34 PM <DIR> $NtUninstallKB828741$
01/21/2005 02:38 PM <DIR> $NtUninstallKB833987$
01/21/2005 07:37 PM <DIR> $NtUninstallKB834707$
01/21/2005 02:36 PM <DIR> $NtUninstallKB835732$
01/21/2005 02:36 PM <DIR> $NtUninstallKB840987$
01/21/2005 02:36 PM <DIR> $NtUninstallKB841356$
01/21/2005 02:37 PM <DIR> $NtUninstallKB841533$
01/21/2005 01:21 PM <DIR> $NtUninstallKB842773$
02/12/2005 07:59 PM <DIR> $NtUninstallKB867282$
01/21/2005 02:38 PM <DIR> $NtUninstallKB871250$
02/12/2005 07:59 PM <DIR> $NtUninstallKB873333$
01/21/2005 05:13 PM <DIR> $NtUninstallKB873339$
01/21/2005 02:37 PM <DIR> $NtUninstallKB873339_0$
01/21/2005 02:37 PM <DIR> $NtUninstallKB873376$
02/12/2005 07:59 PM <DIR> $NtUninstallKB885250$
01/21/2005 05:13 PM <DIR> $NtUninstallKB885835$
01/21/2005 02:37 PM <DIR> $NtUninstallKB885835_0$
01/21/2005 05:13 PM <DIR> $NtUninstallKB885836$
01/21/2005 02:38 PM <DIR> $NtUninstallKB885836_0$
01/21/2005 07:37 PM <DIR> $NtUninstallKB886185$
02/12/2005 07:59 PM <DIR> $NtUninstallKB887472$
02/22/2005 07:22 PM <DIR> $NtUninstallKB887742$
01/21/2005 07:37 PM <DIR> $NtUninstallKB887797$
02/12/2005 07:59 PM <DIR> $NtUninstallKB888113$
02/12/2005 07:58 PM <DIR> $NtUninstallKB888302$
01/21/2005 02:37 PM <DIR> $NtUninstallKB889293-IE6SP1-20041111.235619$
01/07/2006 11:46 AM <DIR> $NtUninstallKB890046$
09/02/2005 03:39 PM <DIR> $NtUninstallKB890046_0$
02/12/2005 07:58 PM <DIR> $NtUninstallKB890047$
01/21/2005 05:13 PM <DIR> $NtUninstallKB890175$
01/21/2005 02:38 PM <DIR> $NtUninstallKB890175_0$
05/14/2005 07:07 PM <DIR> $NtUninstallKB890859$
05/14/2005 07:08 PM <DIR> $NtUninstallKB890923$
01/21/2005 02:38 PM <DIR> $NtUninstallKB891711$
02/12/2005 07:59 PM <DIR> $NtUninstallKB891781$
05/14/2005 07:08 PM <DIR> $NtUninstallKB893066$
05/14/2005 07:08 PM <DIR> $NtUninstallKB893086$
09/02/2005 03:40 PM <DIR> $NtUninstallKB893756$
09/02/2005 03:39 PM <DIR> $NtUninstallKB894391$
01/07/2006 11:46 AM <DIR> $NtUninstallKB896344$
09/02/2005 03:39 PM <DIR> $NtUninstallKB896358$
09/02/2005 03:40 PM <DIR> $NtUninstallKB896422$
09/02/2005 03:40 PM <DIR> $NtUninstallKB896423$
01/07/2006 11:48 AM <DIR> $NtUninstallKB896424$
09/02/2005 03:39 PM <DIR> $NtUninstallKB896428$
10/23/2005 10:05 AM <DIR> $NtUninstallKB896688$
09/02/2005 03:39 PM <DIR> $NtUninstallKB896727$
09/02/2005 03:28 PM <DIR> $NtUninstallKB898461$
09/02/2005 03:40 PM <DIR> $NtUninstallKB899587$
09/02/2005 03:39 PM <DIR> $NtUninstallKB899588$
10/23/2005 10:05 AM <DIR> $NtUninstallKB899589$
09/02/2005 03:40 PM <DIR> $NtUninstallKB899591$
08/13/2006 09:32 PM <DIR> $NtUninstallKB900485$
10/23/2005 10:05 AM <DIR> $NtUninstallKB900725$
01/07/2006 11:46 AM <DIR> $NtUninstallKB900930$
10/23/2005 10:06 AM <DIR> $NtUninstallKB901017$
09/02/2005 03:39 PM <DIR> $NtUninstallKB901214$
03/22/2006 07:55 PM <DIR> $NtUninstallKB902344$
10/23/2005 10:05 AM <DIR> $NtUninstallKB902400$
10/23/2005 10:04 AM <DIR> $NtUninstallKB904706$
03/22/2006 07:57 PM <DIR> $NtUninstallKB904942$
10/23/2005 10:05 AM <DIR> $NtUninstallKB905414$
10/23/2005 10:04 AM <DIR> $NtUninstallKB905749$
01/07/2006 11:53 AM <DIR> $NtUninstallKB905915$
01/12/2006 10:58 PM <DIR> $NtUninstallKB908519$
08/13/2006 09:29 PM <DIR> $NtUninstallKB908531$
01/07/2006 11:49 AM <DIR> $NtUninstallKB910437$
08/13/2006 09:35 PM <DIR> $NtUninstallKB911280$
08/13/2006 09:32 PM <DIR> $NtUninstallKB911562$
03/22/2006 07:56 PM <DIR> $NtUninstallKB911564$
03/22/2006 07:55 PM <DIR> $NtUninstallKB911565$
08/13/2006 09:29 PM <DIR> $NtUninstallKB911567$
03/22/2006 07:55 PM <DIR> $NtUninstallKB911927$
03/22/2006 07:57 PM <DIR> $NtUninstallKB912475$
01/07/2006 11:53 AM <DIR> $NtUninstallKB912919$
03/22/2006 07:57 PM <DIR> $NtUninstallKB912945$
03/22/2006 07:56 PM <DIR> $NtUninstallKB913446$
08/13/2006 09:29 PM <DIR> $NtUninstallKB913580$
08/13/2006 09:30 PM <DIR> $NtUninstallKB914388$
08/13/2006 09:29 PM <DIR> $NtUninstallKB914389$
04/20/2007 10:10 AM <DIR> $NtUninstallKB914440$
04/20/2007 10:11 AM <DIR> $NtUninstallKB915865$
08/13/2006 09:29 PM <DIR> $NtUninstallKB916595$
08/13/2006 09:32 PM <DIR> $NtUninstallKB917159$
08/13/2006 09:30 PM <DIR> $NtUninstallKB917344$
08/13/2006 09:30 PM <DIR> $NtUninstallKB917422$
08/13/2006 09:36 PM <DIR> $NtUninstallKB917734_WMP10$
08/13/2006 09:30 PM <DIR> $NtUninstallKB917953$
03/21/2007 10:32 AM <DIR> $NtUninstallKB918118$
08/13/2006 09:30 PM <DIR> $NtUninstallKB918439$
08/13/2006 09:30 PM <DIR> $NtUninstallKB918899$
09/15/2006 07:32 PM <DIR> $NtUninstallKB919007$
01/12/2007 02:35 PM <DIR> $NtUninstallKB920213$
08/13/2006 09:35 PM <DIR> $NtUninstallKB920214$
04/20/2007 09:53 AM <DIR> $NtUninstallKB920342$
08/13/2006 09:30 PM <DIR> $NtUninstallKB920670$
08/13/2006 09:29 PM <DIR> $NtUninstallKB920683$
09/15/2006 07:32 PM <DIR> $NtUninstallKB920685$
09/15/2006 07:32 PM <DIR> $NtUninstallKB920872$
08/13/2006 09:31 PM <DIR> $NtUninstallKB921398$
12/29/2007 08:03 PM <DIR> $NtUninstallKB921503$
08/13/2006 09:35 PM <DIR> $NtUninstallKB921883$
09/15/2006 07:32 PM <DIR> $NtUninstallKB922582$
08/13/2006 09:35 PM <DIR> $NtUninstallKB922616$
10/16/2006 09:54 AM <DIR> $NtUninstallKB922819$
10/16/2006 09:51 AM <DIR> $NtUninstallKB923191$
10/16/2006 09:54 AM <DIR> $NtUninstallKB923414$
01/12/2007 02:36 PM <DIR> $NtUninstallKB923689$
01/12/2007 02:35 PM <DIR> $NtUninstallKB923694$
01/12/2007 02:37 PM <DIR> $NtUninstallKB923980$
10/16/2006 09:54 AM <DIR> $NtUninstallKB924191$
01/12/2007 02:37 PM <DIR> $NtUninstallKB924270$
10/16/2006 09:53 AM <DIR> $NtUninstallKB924496$
03/21/2007 10:34 AM <DIR> $NtUninstallKB924667$
01/12/2007 02:37 PM <DIR> $NtUninstallKB925398_WMP64$
01/12/2007 02:38 PM <DIR> $NtUninstallKB925454$
10/07/2006 01:29 PM <DIR> $NtUninstallKB925486$
04/20/2007 07:47 PM <DIR> $NtUninstallKB925720$
04/20/2007 09:54 AM <DIR> $NtUninstallKB925876$
04/20/2007 09:36 AM <DIR> $NtUninstallKB925902$
04/20/2007 09:59 AM <DIR> $NtUninstallKB926239$
01/12/2007 02:35 PM <DIR> $NtUninstallKB926255$
03/21/2007 10:33 AM <DIR> $NtUninstallKB926436$
03/21/2007 10:34 AM <DIR> $NtUninstallKB927779$
03/21/2007 10:34 AM <DIR> $NtUninstallKB927802$
05/31/2007 11:08 PM <DIR> $NtUninstallKB927891$
03/21/2007 10:32 AM <DIR> $NtUninstallKB928090$
03/21/2007 10:34 AM <DIR> $NtUninstallKB928255$
03/21/2007 10:31 AM <DIR> $NtUninstallKB928843$
12/29/2007 08:00 PM <DIR> $NtUninstallKB929123$
03/21/2007 10:33 AM <DIR> $NtUninstallKB929338$
04/20/2007 07:45 PM <DIR> $NtUninstallKB929399$
01/12/2007 02:37 PM <DIR> $NtUninstallKB929969$
04/20/2007 09:36 AM <DIR> $NtUninstallKB930178$
05/12/2007 03:04 PM <DIR> $NtUninstallKB930916$
04/20/2007 09:36 AM <DIR> $NtUninstallKB931261$
04/20/2007 09:37 AM <DIR> $NtUninstallKB931784$
03/21/2007 10:33 AM <DIR> $NtUninstallKB931836$
04/20/2007 09:35 AM <DIR> $NtUninstallKB932168$
09/17/2008 11:37 AM <DIR> $NtUninstallKB932823-v3$
12/29/2007 08:03 PM <DIR> $NtUninstallKB933729$
12/29/2007 07:54 PM <DIR> $NtUninstallKB935839$
12/29/2007 07:54 PM <DIR> $NtUninstallKB935840$
12/29/2007 08:03 PM <DIR> $NtUninstallKB936021$
12/29/2007 08:03 PM <DIR> $NtUninstallKB936357$
12/29/2007 07:53 PM <DIR> $NtUninstallKB936782_WMP11$
12/29/2007 08:04 PM <DIR> $NtUninstallKB937894$
09/17/2008 11:37 AM <DIR> $NtUninstallKB938464$
12/29/2007 08:03 PM <DIR> $NtUninstallKB938828$
12/29/2007 08:03 PM <DIR> $NtUninstallKB938829$
12/29/2007 07:55 PM <DIR> $NtUninstallKB939683$
12/29/2007 07:55 PM <DIR> $NtUninstallKB941202$
12/29/2007 07:55 PM <DIR> $NtUninstallKB941568$
12/29/2007 07:59 PM <DIR> $NtUninstallKB941569$
01/15/2008 07:12 PM <DIR> $NtUninstallKB941644$
12/29/2007 07:59 PM <DIR> $NtUninstallKB942763$
12/29/2007 08:04 PM <DIR> $NtUninstallKB943460$
01/15/2008 07:12 PM <DIR> $NtUninstallKB943485$
12/29/2007 07:53 PM <DIR> $NtUninstallKB944653$
09/17/2008 11:44 AM <DIR> $NtUninstallKB946648$
09/17/2008 11:37 AM <DIR> $NtUninstallKB950749$
09/17/2008 11:40 AM <DIR> $NtUninstallKB950762$
09/17/2008 11:41 AM <DIR> $NtUninstallKB950974$
09/17/2008 11:39 AM <DIR> $NtUninstallKB951066$
09/17/2008 11:40 AM <DIR> $NtUninstallKB951072-v2$
09/17/2008 11:45 AM <DIR> $NtUninstallKB951376-v2$
09/17/2008 11:41 AM <DIR> $NtUninstallKB951698$
09/17/2008 11:38 AM <DIR> $NtUninstallKB951748$
12/18/2008 10:16 PM <DIR> $NtUninstallKB952069_WM9$
09/17/2008 11:40 AM <DIR> $NtUninstallKB952287$
09/17/2008 11:44 AM <DIR> $NtUninstallKB952954$
09/17/2008 11:44 AM <DIR> $NtUninstallKB953839$
09/17/2008 11:37 AM <DIR> $NtUninstallKB954154_WM11$
09/17/2008 11:41 AM <DIR> $NtUninstallKB954156_WM9L$
11/08/2008 10:42 AM <DIR> $NtUninstallKB954211$
12/18/2008 10:12 PM <DIR> $NtUninstallKB954600$
11/21/2008 11:23 AM <DIR> $NtUninstallKB955069$
12/18/2008 10:15 PM <DIR> $NtUninstallKB955839$
11/08/2008 10:43 AM <DIR> $NtUninstallKB956391$
12/18/2008 10:12 PM <DIR> $NtUninstallKB956802$
11/08/2008 10:43 AM <DIR> $NtUninstallKB956803$
11/08/2008 10:41 AM <DIR> $NtUninstallKB956841$
11/08/2008 10:43 AM <DIR> $NtUninstallKB957095$
11/21/2008 11:24 AM <DIR> $NtUninstallKB957097$
11/08/2008 10:40 AM <DIR> $NtUninstallKB958644$
02/14/2009 10:34 AM <DIR> $NtUninstallKB958687$
02/14/2009 10:34 AM <DIR> $NtUninstallKB960715$
0 File(s) 0 bytes
187 Dir(s) 46,294,913,024 bytes free
After I ran Remove Hotfix Backups, Windows Explorer reported "Free space: 46,308,824 bytes 43.1 GB" and checking for $NT*KB* directories showed the following:
C:\TEMP>dir /ah \Windows\$NT*KB*
Volume in drive C is Sys-WinXP
Volume Serial Number is B0E3-65A7
Directory of C:\Windows
01/21/2005 02:34 PM <DIR> $NtUninstallKB828741$
01/21/2005 02:38 PM <DIR> $NtUninstallKB833987$
01/21/2005 02:36 PM <DIR> $NtUninstallKB835732$
01/21/2005 02:36 PM <DIR> $NtUninstallKB840987$
01/21/2005 02:36 PM <DIR> $NtUninstallKB841356$
01/21/2005 02:37 PM <DIR> $NtUninstallKB841533$
01/21/2005 01:21 PM <DIR> $NtUninstallKB842773$
01/21/2005 02:38 PM <DIR> $NtUninstallKB871250$
01/21/2005 02:37 PM <DIR> $NtUninstallKB873339_0$
01/21/2005 02:37 PM <DIR> $NtUninstallKB873376$
01/21/2005 02:37 PM <DIR> $NtUninstallKB885835_0$
01/21/2005 02:38 PM <DIR> $NtUninstallKB885836_0$
01/21/2005 02:37 PM <DIR> $NtUninstallKB889293-IE6SP1-20041111.235619$
09/02/2005 03:39 PM <DIR> $NtUninstallKB890046_0$
01/21/2005 02:38 PM <DIR> $NtUninstallKB890175_0$
01/21/2005 02:38 PM <DIR> $NtUninstallKB891711$
08/13/2006 09:36 PM <DIR> $NtUninstallKB917734_WMP10$
01/12/2007 02:37 PM <DIR> $NtUninstallKB925398_WMP64$
09/17/2008 11:37 AM <DIR> $NtUninstallKB932823-v3$
12/29/2007 07:53 PM <DIR> $NtUninstallKB936782_WMP11$
09/17/2008 11:40 AM <DIR> $NtUninstallKB951072-v2$
09/17/2008 11:45 AM <DIR> $NtUninstallKB951376-v2$
12/18/2008 10:16 PM <DIR> $NtUninstallKB952069_WM9$
09/17/2008 11:37 AM <DIR> $NtUninstallKB954154_WM11$
09/17/2008 11:41 AM <DIR> $NtUninstallKB954156_WM9L$
0 File(s) 0 bytes
25 Dir(s) 46,308,941,824 bytes free
I also removed the $NtServicePackUninstall$ directory under C:\Windows, which was using 338 MB (355,138,581 bytes) of disk space and holding 2,457 files. I held down the Shift key while selecting Delete to ensure the folder would be permanently removed rather than moved to the Recycle Bin. When asked to confirm the deletion of an exe file, I chose "Yes to All" to avoid further prompts for the removal of executable files in the directory.
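The listings above show what the hotfix backup folders cost and that a number of them (the _0, -v2, -IE6SP1 and Windows Media variants, plus the early-2005 ones) survived the tool. The script below is an added example, not part of the original post and not Doug Knox's script: it enumerates the hidden $NtUninstall*$ folders and $NtServicePackUninstall$ under %SystemRoot%, sizes each one, reports whether a matching KBnnnnnn entry exists under the Add or Remove Programs Uninstall key, and, only when run with -Remove, deletes the folder together with that registry entry so Add or Remove Programs stops listing an update that can no longer be uninstalled. The pairing rule (folder $NtUninstallKB######$ to Uninstall key KB######) covers the plain hotfix folders; suffixed folders are reported as unmatched rather than guessed at. Two things to keep in mind before using -Remove: once a backup folder is gone that hotfix, or Service Pack 2 itself, cannot be uninstalled, and the folders are hidden, which is why the post used dir /ah and the script uses -Force.

```powershell
# Added example, not from the original post and not Doug Knox's Remove Hotfix Backups.
# Lists the hidden $NtUninstallKB*$ hotfix backup folders (and $NtServicePackUninstall$)
# under %SystemRoot%, shows how much space each holds and whether Add or Remove
# Programs still has an entry for it, and, with -Remove, deletes the folder together
# with that entry. Run as an administrator. A removed backup can never be uninstalled.
param([switch]$Remove)

$windir    = $env:SystemRoot
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-FolderBytes {
    param([string]$Path)
    $sum = 0
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $sum += $_.Length }
    $sum
}

# The folders are hidden, so -Force is needed to see them (the post's dir /ah).
$backups = @(Get-ChildItem -LiteralPath $windir -Force |
    Where-Object { $_.PSIsContainer -and
                   ($_.Name -like '$NtUninstall*$' -or $_.Name -eq '$NtServicePackUninstall$') })

$total = 0
foreach ($dir in $backups) {
    $bytes  = Get-FolderBytes $dir.FullName
    $total += $bytes

    # $NtUninstallKB######$ pairs with an Uninstall key named KB######. Suffixed
    # folders (_0, -v2, _WMP10, ...) use other key names, so they are reported as
    # unmatched instead of guessing; only their folder is removed with -Remove.
    $kb  = if ($dir.Name -match '^\$NtUninstall(KB\d+)\$$') { $matches[1] } else { $null }
    $key = if ($kb) { Join-Path $uninstall $kb } else { $null }
    $hasKey = [bool]($key -and (Test-Path $key))
    $note = if ($hasKey) { "Uninstall entry: $kb" } else { 'Uninstall entry: none matched' }
    '{0,-48} {1,15:N0} bytes  {2}' -f $dir.Name, $bytes, $note

    if ($Remove) {
        if ($hasKey) { Remove-Item -Path $key -Recurse -Force }
        Remove-Item -LiteralPath $dir.FullName -Recurse -Force
    }
}
'{0} folder(s), {1:N0} bytes total' -f $backups.Count, $total
```

Run it once without -Remove and compare the total against the free-space change you expect; the two dir listings above differ by 13,028,800 bytes for the 162 folders the tool removed, which is the order of magnitude to look for.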
References:
- Freeing Disk Space, MoonPoint Support
- Remove Hotfix Backup Files, by Doug Knox, May 29, 2004
- Freeing Disk Space on a Windows XP Home Edition System, MoonPoint Support
[/os/windows/xp]
Java Update and Downloaded Program Files
When you install Java Runtime Environment (JRE) software from Sun Microsystems on a Windows XP system, you will see entries for it in C:\WINDOWS\Downloaded Program Files. You can view the information through Windows Explorer, or, if you want to view information on what is in that folder from the command line, you can use show-downloaded-program-files.vbs, which you can run from the command line with cscript /nologo show-downloaded-program-files.vbs.
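The Downloaded Program Files folder is a shell view built from the registry, not an ordinary directory listing, which is why a script is needed to see what is really there. As an added example that is not part of the original post and is not show-downloaded-program-files.vbs, the PowerShell script below reads the Code Store Database key Internet Explorer maintains for that folder, resolves each distribution unit's CLSID to its friendly name, prints the CODEBASE URL it was fetched from, and checks whether the files it installed still exist on disk. The DownloadInformation and Contains\Files subkey layout is the one observed on Windows XP; every lookup is guarded so units laid out differently are simply listed by CLSID.

```powershell
# Added example, not from the original post and not show-downloaded-program-files.vbs.
# Lists the Downloaded Program Files folder from the registry key Internet Explorer
# builds it from (the Code Store Database): friendly name, download URL and installed
# files for each distribution unit. Read-only.
$dbKey = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'

function Get-DefaultValue {
    param([string]$KeyPath)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($props) { $props.'(default)' }
}

if (-not (Test-Path $dbKey)) { 'No distribution units registered.'; return }

Get-ChildItem $dbKey | ForEach-Object {
    $clsid = $_.PSChildName
    # The unit's CLSID is also registered under HKLM\SOFTWARE\Classes\CLSID, where the
    # default value is the name Explorer shows (e.g. the Java Plug-in entry).
    $name  = Get-DefaultValue "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
    "`n$clsid  $name"

    # DownloadInformation records where the control came from (as observed on XP).
    $dl = Get-ItemProperty -Path (Join-Path $_.PSPath 'DownloadInformation') -ErrorAction SilentlyContinue
    if ($dl) {
        "  CODEBASE: $($dl.CODEBASE)"   # URL the control was downloaded from
        "  INF:      $($dl.INF)"
    }

    # Contains\Files holds one value per installed file, named by its full path.
    $files = Get-Item -Path (Join-Path $_.PSPath 'Contains\Files') -ErrorAction SilentlyContinue
    if ($files) {
        foreach ($f in $files.GetValueNames()) {
            $state = if (Test-Path -LiteralPath $f) { 'present' } else { 'MISSING' }
            "  file: $f ($state)"
        }
    }
}
```

A unit whose CODEBASE points at a site you do not recognise, or whose installed files sit somewhere other than the Java or Windows directories, is the kind of entry worth checking against the multi-engine scanners used in the malware posts above.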
[ More Info ]
[/os/windows/xp]