mrdob
Posted August 20, 2008

After visiting a less-than-savory website, my WinXP Pro SP3 system began encountering (not surprisingly) some spontaneous IE sessions and pop-up windows, with sound--despite the fact that iexplore.exe wasn't even ACTIVE. Unfortunately, neither the current versions of Ad Aware, AVG Anti-Spyware, Trend Micro online scan, nor SUPERAntispyware were able to identify or eliminate the problem.

When this particular malware instantiates itself, an entry would appear on my Windows task list: 5i3524v1.exe. Although I would end the process tree, it would invariably respawn itself. Oddly, a Google search on this file yielded NO results.

I searched my C: drive and found this file and an apparent mate, 5i3524v1.exe.a_a, in my \system32 folder, and performed a hard delete of them. And yet still, some time later, both these files AND the spawned task would manifest themselves again.

I searched again and used the Detail view in Explorer to sort the files by creation date. Three other files had the same date/time stamp as the offending ones: RC3B1t8.exe, R4C3B1t8.exe.a_a, and yIqmpbVo.dll. I appended all five files with a ! character to keep them from launching. (Yep, nothing on Google for these, either!)

Next, I searched the registry and found this REG_SZ entry under Software|Microsoft|Windows|ShellNoRoam|MUICache:

C:\WINDOWS\system32\R4C3B1t8.exe with a value of R4C3B1t8

Renaming/deleting the files and the corresponding registry entry seemed to do the trick. I saved the renamed files in a ZIP archive for analysis if anyone's interested.

SUPERAntiSpy
Posted August 20, 2008

Thanks for the detail! Send it to samples AT superantispyware.com and we'll handle it!
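
The creation-timestamp pivot mrdob describes in the first post, as an added Python example that is not part of the original thread: given one known-bad file, it lists the other files in the same folder that were created within a small window of it. The timestamps in `SAMPLE` are constructed, and the function names and the two-second default window are assumptions.

```python
import os
import sys
from datetime import datetime

def created_with(entries, known_bad, window_seconds=2.0):
    """Return names of files created within window_seconds of known_bad.

    entries is an iterable of (file name, creation datetime) pairs.
    Names are matched case-insensitively, as on Windows file systems.
    """
    entries = list(entries)
    target = known_bad.lower()
    ref = next((ts for name, ts in entries if name.lower() == target), None)
    if ref is None:
        raise LookupError(f"{known_bad} not found in listing")
    return sorted(
        name for name, ts in entries
        if name.lower() != target
        and abs((ts - ref).total_seconds()) <= window_seconds
    )

def scan_dir(path):
    """Yield (name, creation time) for regular files directly in path.

    st_ctime is the creation time on Windows only; on Unix it is the
    inode change time, so run this on the affected Windows host.
    """
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                yield entry.name, datetime.fromtimestamp(st.st_ctime)

# Constructed sample: file names from the post, timestamps invented.
T0 = datetime(2008, 8, 19, 21, 14, 7)
SAMPLE = [
    ("5i3524v1.exe", T0),
    ("5i3524v1.exe.a_a", T0),
    ("RC3B1t8.exe", T0),
    ("R4C3B1t8.exe.a_a", T0),
    ("yIqmpbVo.dll", T0.replace(second=8)),        # one second later
    ("notepad.exe", datetime(2004, 8, 4, 5, 0, 0)),
    ("example.log", T0.replace(minute=24)),        # ten minutes later
]

if __name__ == "__main__":
    # Usage: script.py <folder> <known-bad file name>
    folder, bad = sys.argv[1], sys.argv[2]
    for name in created_with(scan_dir(folder), bad):
        print(name)
```

Files that share a creation time with a known-bad file are leads to examine, not confirmed malware: installers and updates also write many files in the same second.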