

NEW MALWARE??!! 5-24.exe

6 replies to this topic

#1 battlekat



  • New Member
  • 2 posts

Posted 26 May 2004 - 01:31 PM

Hi there --

I found some new malware on my computer I thought you guys should know about. Here's what happened:

My computer started logging me off my cable broadband repeatedly yesterday. My screen was also flickering here and there, and I noticed that my Windows program was requesting a password again -- something it hasn't done in ages.

I logged off and ran a virus scan and 4 spyware killers, all fully updated and current: Ad Aware 6.0, Spybot, Advanced System Optimizer, and the online version of Pest Patrol. Nothing came up but the usual cookies. Then I checked my startup files via Advanced System Optimizer and saw a new file in my startup list called "wgtqkpuk". It was also in my Task Manager. I went to the location of the files and found the following files, all of which were "created" on 5/24 at the same time in the afternoon.

1) mmttil.exe
Properties indicated the program was "media motor", formerly called eZstub.exe
2) wgtqkpuk.exe
Properties also named it as "5-24.exe" and project name was listed as "project1"
3) whInstalled.exe/silent
Properties: company was webHancer Corp, SolidSFX, and Thawte Code; also called whCC-Motor (I know this is known spyware)
4) unstall.exe
Spelling is NOT a typo, project name is also "project 1"
5) optimize.exe
Company listed as Avenue Media
6) wat.dll
7) lznemjcsk.dll
8) tempf.txt

As the normal files you find with the webHancer sh*tware weren't there, I'm thinking this may be a new form of spyware just released on 5/24/04 (maybe an experiment) that has different file names not picked up by spyware programs. I ran Google searches on all the file names and only got a hit for the WebHancer filename and eZstub (but NOT as mmttil.exe). It took me HOURS to remove this bugger from my system and I'm still not 100% sure it's all gone...I feel like suing these idiots. But I figured it made more sense to alert everyone so this spyware can be stopped.

Hope nobody else has been infested, though I know that's wishful thinking...


#2 bigbruva



  • New Member
  • 1 posts

Posted 26 May 2004 - 08:01 PM

Thanks for the info.

Do you have any idea how it may have got on your system?


#3 mountie_bob



  • New Member
  • 1 posts

Posted 30 May 2004 - 01:52 AM

Greetings gang,

New member here, bothering to chip in my two bits since I've received so much 'passive' help in the last couple of days by perusing this and other similar forums. Thought I'd add what I could. A very big thank you to all who've posted both problems and advice.

I found this thread 'battlekat' started by searching today for mmttil.exe and I would also suspect it is malware. I have reasonably shut down systems, am very aware of and moderately educated re security, use Zone Alarm, run Ad-Aware, router/firewall... Now HJT/StartupList/CWShredder. One machine however is an inherited system I'm trying to clean up without blowing away everything, yet. That will happen next week. ;{D

A few days ago I rather naively visited Trinsic at the suggestion of a friend, he said I'd 'like' it. Great. This _may_ be where this came from.

I've read the FAQ, pardon the wordiness.

Cookie acceptance is set to individual response and nothing else is allowed to be downloaded if not understood. Certificates are inspected, sometimes checked and not always accepted. Later that day, 25 May 04, or the next, any unresolved DNS direction, whether server not found or network delays, resulted in redirection to http://www.errorplace.com/red2.php followed by what looks like a registry key and some key words including Trinsic.

e.g. the following on one line:


The latter part changes, that part in this 'version' was added when I hit a 'Channel Guide' button on the task bar.

Later Zone Alarm frequently asked for permission for IE6 to access the 'net when I wasn't using it/didn't have it open/running [refused]. On a few occasions I thought of checking running processes with Task Manager (Win98) and noted IE running though not visible. It was noted to not always be present in Task Manager. On using Alt-Tab to change programs it was noted that the IE icon was sometimes briefly visible.

Most recent files, sorted by date from 25 May 04 showed the following in
tempf.txt 1KB
usta32.ini 1KB
sahagent-mediamotor1001.exe 54KB
nbxh.exe 33KB
optimize.exe 38KB
mmttil.exe 64KB
unstall.exe 44KB

and C:\Program Files\Internet Optimizer\optimize.exe 38KB same date/time

optimize.exe digitally signed Avenue Media N.V. E-mail & Time Stamp n/a

tempf.txt contents simply "CA"

usta32.ini contents interesting to this neophyte: starts with "trinsic2" near the beginning, what may be a number of reg keys, lots of "gki" as well, all in one long line, ending with the following amongst other characters: "oldmybo oldezula oldhanse oldnyexe oldwsi23 oldsah" and the date. Removing old viruses? How nice.

sahagent-mediamotor1001.exe, from its guts, appears to be an installer, using wininit.ini

nbxh.exe: Company Name 'e'; Internal Name 5-25; Original Name 5-25.exe; Product Name "Project1"; Product Version 1.00
I spent some time searching on the web yesterday (different machine) for 'nbxh' with and without the extension. Nada. Found it in my HJT scan and when I finally removed/'fixed' it the behaviour appeared to cease. Looking inside the program (curious, with Notepad) found 5-25 and Project1 mentioned.

mmttil.exe: Ver 2,0,70,00; Description eZstub Module; Copyright 2000; Comments I;Company Name 'MediaMotor';Internal Name 'eZstub';Language 'English (United States)';Legal Trademarks I;OLESelfRegister $;Original Filename 'eZstub.EXE';Product Name 'eZstub Module';Product Version 1,0,0,1;Special Build Description $.
Inside it references to eXulaBootExe and what look like reg key references/AppID/CLSID, setting some to NoRemove, etc.

unstall.exe properties: File Version 1.00; Company Name 'df';Internal Name 'unstall';Language 'English(United States)';Original Filename 'unstall.exe';Product Name 'Project1';Product Version 1.00.
Files contents references to usta32.ini, roimoi, jimmyhelp.CBrowserHelper, mybo, roings, mediamotor.

I _may_ have seen Project1 attempt to access the web the previous week, assuming it was associated with an action I had just requested at the time, however all the files reported here have the same or near same modification time/date.

Hope that helps a bit.

Edited by mountie_bob, 30 May 2004 - 01:55 AM.

#4 battlekat



  • New Member
  • 2 posts

Posted 02 June 2004 - 01:41 PM

No idea how the heck it got into my system...I am SUPER careful! I still am not entirely sure what the programs are (other than that they are malware). Virus? Basic spyware? Any ideas...

#5 eltak27



  • Full Member
  • 38 posts

Posted 05 June 2004 - 11:42 PM

Some days have passed since the last post, and I hope by this time you had already fixed the problem. If not, maybe this can help you. I just found this information on Network Associates' site.


#6 Shan



  • Full Member
  • 15 posts

Posted 06 June 2004 - 09:21 AM

Later that day, 25 May 04, or the next, any unresolved DNS direction, whether server not found or network delays, resulted in redirection to http://www.errorplace.com/red2.php followed by what looks like a registry key and some key words including Trinsic.

e.g. the following on one line:


I had that problem myself a few weeks back... I've only *just* started my helper training, so don't take this as any sort of "official" help, but if you haven't gotten rid of the errorplace.com redirect yet yourself, I seem to remember it stemming from a DLL that was listed as a BHO (an O2 item) in HijackThis!. Can't remember the exact filename anymore, but for what it's worth, I think it was rather short (4 or 5 letters) and looked like it may or may not have been random.

And if you already have gotten rid of it, then just yay. :D

#7 papsp



  • New Member
  • 1 posts

Posted 20 June 2004 - 01:56 PM

Hi there! I've been pestered these last few days by some malware. It seems its name has something to do with "roimoi", but I think roimoi is just a registry entry name for some of its functions, and not the malware name itself, which I think would be better named "jimmyhelp.CBrowserHelp".

I can't remember the site where I may have downloaded it from. The symptoms I've noticed: very slow browser response when switching between different domains, and browser hanging / freezing with no apparent reason.

My OS is a XP Pro. I've got NIS, NAV, SpyBot, WebWasher and SpyWare Blaster concurrently running and everything has the newest updates.

I've been successful in erasing this annoyance. What I've found out: (Sorry for the disorderly explanation, but I hope it may hint you all a little bit more about this pest. Anyway I'm a beginner in hunting malware).

I've found the following in my Registry: (while searching for "CBrowserHelper")

(1) - HKEY_CLASSES_ROOT\CLSID\{96C5F3A4-A880-4A3D-9992-E03F8F67B36A} DATA = jimmyhelp.CBrowserHelper

(2) - HKEY_CLASSES_ROOT\CLSID\{96C5F3A4-A880-4A3D-9992-E03F8F67B36A}\InprocServer32 = C:\Windows\z9R2q5y.dll

(3) - HKEY_CLASSES_ROOT\interface\{CBD3DC31-B66A-4317-A505-A69CC6171FF1} DATA=CBrowserHelper

(4) - HKEY_CLASSES_ROOT\jimmyhelp.CBrowserHelper


What I've done:

I've deleted ALL the above registry entries successfully. To delete the z9R2q5y.dll (which contains the malignant code), I quit all my browser's open sessions, opened a DOS command prompt, switched it to C:\windows and issued the following commands:

regsvr32 /u z9R2q5y.dll (This unregisters the dll from the active server)

and then,

del z9R2q5y.dll (this only works with ALL browsers shut down, and AFTER the regsvr32 command above.)

I hope this may add some additional light onto this pest.

Edited by papsp, 20 June 2004 - 01:57 PM.
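The registry hunt papsp describes (CLSID key, ProgID such as jimmyhelp.CBrowserHelper, InprocServer32 pointing at a DLL under C:\Windows) can be automated. The script below is an added example written for this thread, not code from any poster; it assumes a Windows host with PowerShell and the standard Browser Helper Objects key, and the function name Get-BrowserHelperObject is my own.

```powershell
# Enumerate Internet Explorer Browser Helper Objects (the "O2" items HijackThis
# shows) and resolve each CLSID to its ProgID and implementing DLL, then flag
# any whose DLL is missing or not validly signed. Added example; not from the thread.
function Get-BrowserHelperObject {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid    = $sub.PSChildName
            # HKCR\CLSID\{guid}: default value is the description, ProgID and
            # InprocServer32 subkeys hold the ProgID and the DLL path respectively.
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $desc   = (Get-ItemProperty $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $progId = (Get-ItemProperty "$clsidKey\ProgID" -ErrorAction SilentlyContinue).'(default)'
            $dll    = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $exists  = [bool]($dllPath -and (Test-Path $dllPath))
            # Authenticode status: 'Valid' for a properly signed DLL, anything else is worth a look.
            $sig = if ($exists) { (Get-AuthenticodeSignature $dllPath).Status } else { 'FileMissing' }
            [PSCustomObject]@{
                CLSID       = $clsid
                Description = $desc
                ProgID      = $progId
                Dll         = $dllPath
                Signature   = $sig
            }
        }
    }
}

# Report BHOs that are unsigned, badly signed, or point at a DLL that no longer exists.
# A valid signature is not proof of good intent (the thread's optimize.exe was signed),
# but an unsigned DLL with a random-looking name in C:\Windows is a strong lead.
Get-BrowserHelperObject |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; compare the Dll column against the InprocServer32 entries found by hand before unregistering anything with regsvr32 /u as described above.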
