Information on .exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MKWCrowe, Oct 16, 2004.

  1. MKWCrowe

    MKWCrowe Private E-2

    I have been working on a moderately infected system. I keep finding a file entitled "suge.exe" and can't determine if it is legitimate or not. Because the origination date coincides with problems with the system, I am concerned that this may be part of a spyware program.

    The system registered a W32.spybot worm which I cleaned this morning. In reviewing the HKEY registries, I noticed a file entitled "MyDoomTool". However, a search does not reveal what this is either.

    Can you help clarify these or point me in a direction?

    Thanks
    MKWCrowe
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Information on suge.exe appears to indicate that it is the Backdoor.Rbot.gen virus

    Please follow all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    I would also recommend going to the Alternative Scans section of the above link and at a minimum run A-squared.

    The MyDoomTool could be a doom trojan removal tool.
     
  3. MKWCrowe

    MKWCrowe Private E-2

    I went to another computer and downloaded the recommended software and ran it on this system. After running the programs initially, I was able to regain access to the internet without interference. I ran the additional recommended scans/tools along with the various updates, etc. The following is what I found.

    "Suge.exe" was identified and removed by the McAfee Stinger along with the "Systemrun". The MyDoomTools were also identified. All are part of the W32.spybot worm and its derivations. This is the only program that could clean these. These references did not come up in any search I performed, but I will admit limited resources for worm searches.

    I am still having a problem with something called DSO Exploit. It is identified by Spybot, but it doesn't remove the executable file. As such, it is reinfecting the system once cleaned. This program is the only one picking up the problem. All references are in HKEY_USERS keys. I will manually search for the executable file. Identifying criteria are in "Zone" keys and contain the following string "...0\1004!+W+3" at the end. In addition, the numerical sequence occurs within the key name consisting of "...\S-1-5-##" with ## equal to a sequential listing as the keys are re-accessed.

    None of these procedures permanently removed the Hotbar "infection?". I will have to keep researching this, unless you know of a specific tool that eliminates it permanently.

    I am very grateful for your assistance. The instructions you provided were excellent and very useful in getting my system back up.

    The internet access was a major barrier to getting the software. I would include a reference in the instructions that if someone is having a problem with web blocking (and several of your threads indicate that this is a common enough problem) that they seek an alternate system that is uninfected and capable of downloading the files. Once the scans are run, the blocking is stopped and it opens access to these sites. The total file size is around 5 MB and can be handled by a zip or CD burner. I also had to reset all security settings to "default" and make sure the "Content Advisor" was disabled. I was able to leave the SP-2 firewall active. And, of course, all in "Safe Mode" without System Restore.

    Thank you
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ignore the DSO Exploit report from SpyBot. It is a well known bug which has been discussed many times in this forum. As long as you have all of your Windows updates you can ignore this message, or you can configure SpyBot itself to ignore DSO Exploit. Switch to Advanced mode by selecting Mode and then Advanced mode. Then select Settings and, in the left column, select Ignore Products. In the right window pane click the Security tab and put a check on DSO Exploit to disable it.
     
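An added example, not from the thread and not a Spybot or MajorGeeks tool: a PowerShell snippet that reads the registry value behind the DSO Exploit reports discussed above (the "...\Zones\0\1004" paths under each HKEY_USERS\S-1-5-... hive) so you can see what is actually stored before deciding to ignore the warning. It assumes the standard Internet Settings zone encoding (zone 0 is "My Computer", action 1004 is "Download unsigned ActiveX controls", DWORD data 3 means Disable, 1 Prompt, 0 Enable) and that the user hives of interest are loaded under HKEY_USERS; run it in an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread): report the Zone 0 action 1004 setting for
# every loaded user hive under HKEY_USERS. Assumptions: action 1004 = "Download
# unsigned ActiveX controls"; DWORD data 3 = Disable, 1 = Prompt, 0 = Enable.
$zoneSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$meaning    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -like 'S-1-5-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = "Registry::HKEY_USERS\$sid\$zoneSubKey"

        # Hive loaded but no Zone 0 key: nothing for a zone-based check to read.
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ SID = $sid; Kind = '(no Zone 0 key)'; Data = $null; Meaning = $null }
            return   # inside ForEach-Object, return moves on to the next hive
        }

        $key = Get-Item -Path $path
        if ($key.GetValueNames() -notcontains '1004') {
            [pscustomobject]@{ SID = $sid; Kind = '(value absent)'; Data = $null; Meaning = $null }
            return
        }

        # A zone action is expected to be a DWORD; any other type or an unknown
        # number is reported as unexpected rather than silently treated as "fixed".
        $kind = $key.GetValueKind('1004')
        $data = $key.GetValue('1004')
        $mean = if ($kind -eq 'DWord' -and $meaning.ContainsKey([int]$data)) {
            $meaning[[int]$data]
        } else {
            'unexpected type or data'
        }
        [pscustomobject]@{ SID = $sid; Kind = $kind; Data = $data; Meaning = $mean }
    } | Format-Table -AutoSize
```

Only hives that are currently loaded (logged-on users, plus .DEFAULT and the service accounts) appear under HKEY_USERS; a profile that is not loaded has to be mounted with `reg load` first if you want to inspect it the same way.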
