Sign in with
Sign up | Sign in
Your question

I have an odd message from the Windows Security in XP sp2

Last response: in Windows XP
Share
Anonymous
January 6, 2005 4:07:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I received the message that "requester.10.exe" was being blocked.
"requester.10.exe" and "requester.9.exe" two relatively new files in my
"Windows\System32" directory. Anyone have any idea what these programs are? I
suspect its either a backdoor/trojan or whomever the anonymous programmer(s)
left some unusual text in "requester.10.exe". In "requester.10.exe" at line
D0 there is this word "4D 55 48 41 48 41 48 41 48 41 48 41" or
"MUHAHAHAHAHA". Ideas anyone?
Anonymous
January 6, 2005 6:59:47 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Bill;
It seems obvious that your computer has been compromised.
Have you run an updated virus scan?

Follow the yellow section on this link:
http://www3.telus.net/dandemar/slowcom.htm

If you can not reasonably determine the source and level of corruption as
well as clean it, a Clean Installation may be the best option.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar/


"Bill Fruge" <Bill Fruge@discussions.microsoft.com> wrote in message
news:4A87AC36-DBA5-49FC-BDFD-AC84F147EEA3@microsoft.com...
>I received the message that "requester.10.exe" was being blocked.
> "requester.10.exe" and "requester.9.exe" two relatively new files in my
> "Windows\System32" directory. Anyone have any idea what these programs
> are? I
> suspect its either a backdoor/trojan or whomever the anonymous
> programmer(s)
> left some unusual text in "requester.10.exe". In "requester.10.exe" at
> line
> D0 there is this word "4D 55 48 41 48 41 48 41 48 41 48 41" or
> "MUHAHAHAHAHA". Ideas anyone?
Anonymous
January 6, 2005 9:51:09 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

JJ, thanks for the link. the various antivirus scanners found nothing even
when set to look heuristically for possible viruses... I suspect that this is
one of three things:
1. Backdoor/trojan that is really new...
2. Some kind of odd debuging message left by an untidy programmer...
3. Part of some other program that uses requester.10.exe as it's sender to
look for updates. However I haven't found an association to any program on
the machine.

I'll keep tearing apart the system to figure out what this thing does. For
now I'll keep blocking it until I can put a sniffer on this system. I was
hoping someone out there might have run into this. I suppose I could try to
decompile it and get a clue about what its trying to do.

Thanks,
BF

"Jupiter Jones [MVP]" wrote:

> Bill;
> It seems obvious that your computer has been compromised.
> Have you run an updated virus scan?
>
> Follow the yellow section on this link:
> http://www3.telus.net/dandemar/slowcom.htm
>
> If you can not reasonably determine the source and level of corruption as
> well as clean it, a Clean Installation may be the best option.
>
> --
> Jupiter Jones [MVP]
> http://www3.telus.net/dandemar/
>
>
> "Bill Fruge" <Bill Fruge@discussions.microsoft.com> wrote in message
> news:4A87AC36-DBA5-49FC-BDFD-AC84F147EEA3@microsoft.com...
> >I received the message that "requester.10.exe" was being blocked.
> > "requester.10.exe" and "requester.9.exe" two relatively new files in my
> > "Windows\System32" directory. Anyone have any idea what these programs
> > are? I
> > suspect its either a backdoor/trojan or whomever the anonymous
> > programmer(s)
> > left some unusual text in "requester.10.exe". In "requester.10.exe" at
> > line
> > D0 there is this word "4D 55 48 41 48 41 48 41 48 41 48 41" or
> > "MUHAHAHAHAHA". Ideas anyone?
>
>
>
Related resources
Anonymous
January 7, 2005 3:30:04 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

> Backdoor/trojan

BINGO !!!

Advise you to go to CastleCops and post here after reading the
guidelines first :
http://castlecops.com/forum67.html

requester(x).exe is a new malware variant. There are extremely
knowledgeable experts who will help with the removal of it.
If you can locate the file on the system and it's 1 MB or less, have it
scanned at Kapersky's online virus scanner :
http://www.kaspersky.com/remoteviruschk.html
They have been very good at picking up malware that are not viruses and
at least it may help you identify it.


MowGreen [MVP]
===============
*-343-* FDNY
Never Forgotten
===============


Bill Fruge wrote:
> JJ, thanks for the link. the various antivirus scanners found nothing even
> when set to look heuristically for possible viruses... I suspect that this is
> one of three things:
> 1. Backdoor/trojan that is really new...
> 2. Some kind of odd debuging message left by an untidy programmer...
> 3. Part of some other program that uses requester.10.exe as it's sender to
> look for updates. However I haven't found an association to any program on
> the machine.
>
> I'll keep tearing apart the system to figure out what this thing does. For
> now I'll keep blocking it until I can put a sniffer on this system. I was
> hoping someone out there might have run into this. I suppose I could try to
> decompile it and get a clue about what its trying to do.
>
> Thanks,
> BF
>
> "Jupiter Jones [MVP]" wrote:
>
>
>>Bill;
>>It seems obvious that your computer has been compromised.
>>Have you run an updated virus scan?
>>
>>Follow the yellow section on this link:
>> http://www3.telus.net/dandemar/slowcom.htm
>>
>>If you can not reasonably determine the source and level of corruption as
>>well as clean it, a Clean Installation may be the best option.
>>
>>--
>>Jupiter Jones [MVP]
>>http://www3.telus.net/dandemar/
>>
>>
>>"Bill Fruge" <Bill Fruge@discussions.microsoft.com> wrote in message
>>news:4A87AC36-DBA5-49FC-BDFD-AC84F147EEA3@microsoft.com...
>>
>>>I received the message that "requester.10.exe" was being blocked.
>>>"requester.10.exe" and "requester.9.exe" two relatively new files in my
>>>"Windows\System32" directory. Anyone have any idea what these programs
>>>are? I
>>>suspect its either a backdoor/trojan or whomever the anonymous
>>>programmer(s)
>>>left some unusual text in "requester.10.exe". In "requester.10.exe" at
>>>line
>>>D0 there is this word "4D 55 48 41 48 41 48 41 48 41 48 41" or
>>>"MUHAHAHAHAHA". Ideas anyone?
>>
>>
>>
Anonymous
January 7, 2005 6:57:52 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Funny you confirm my thoughts. I ran MS's new antispyware beta and while it
missed the .exe, it did find this:
Trojan.Delf at HKEY_
LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run requestor"
While I am not a MS mega supporter, they were the only one who found this
from all the spyware checkers I have.

"MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
news:o mzhWMJ9EHA.2804@TK2MSFTNGP15.phx.gbl...
>> Backdoor/trojan
>
> BINGO !!!
>
> Advise you to go to CastleCops and post here after reading the
> guidelines first :
> http://castlecops.com/forum67.html
>
> requester(x).exe is a new malware variant. There are extremely
> knowledgeable experts who will help with the removal of it.
> If you can locate the file on the system and it's 1 MB or less, have it
> scanned at Kapersky's online virus scanner :
> http://www.kaspersky.com/remoteviruschk.html
> They have been very good at picking up malware that are not viruses and at
> least it may help you identify it.
>
>
> MowGreen [MVP]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
> Bill Fruge wrote:
>> JJ, thanks for the link. the various antivirus scanners found nothing
>> even when set to look heuristically for possible viruses... I suspect
>> that this is one of three things:
>> 1. Backdoor/trojan that is really new...
>> 2. Some kind of odd debuging message left by an untidy programmer...
>> 3. Part of some other program that uses requester.10.exe as it's sender
>> to look for updates. However I haven't found an association to any
>> program on the machine.
>>
>> I'll keep tearing apart the system to figure out what this thing does.
>> For now I'll keep blocking it until I can put a sniffer on this system. I
>> was hoping someone out there might have run into this. I suppose I could
>> try to decompile it and get a clue about what its trying to do.
>>
>> Thanks,
>> BF
>>
>> "Jupiter Jones [MVP]" wrote:
>>
>>
>>>Bill;
>>>It seems obvious that your computer has been compromised.
>>>Have you run an updated virus scan?
>>>
>>>Follow the yellow section on this link:
>>> http://www3.telus.net/dandemar/slowcom.htm
>>>
>>>If you can not reasonably determine the source and level of corruption as
>>>well as clean it, a Clean Installation may be the best option.
>>>
>>>--
>>>Jupiter Jones [MVP]
>>>http://www3.telus.net/dandemar/
>>>
>>>
>>>"Bill Fruge" <Bill Fruge@discussions.microsoft.com> wrote in message
>>>news:4A87AC36-DBA5-49FC-BDFD-AC84F147EEA3@microsoft.com...
>>>
>>>>I received the message that "requester.10.exe" was being blocked.
>>>>"requester.10.exe" and "requester.9.exe" two relatively new files in my
>>>>"Windows\System32" directory. Anyone have any idea what these programs
>>>>are? I
>>>>suspect its either a backdoor/trojan or whomever the anonymous
>>>>programmer(s)
>>>>left some unusual text in "requester.10.exe". In "requester.10.exe" at
>>>>line
>>>>D0 there is this word "4D 55 48 41 48 41 48 41 48 41 48 41" or
>>>>"MUHAHAHAHAHA". Ideas anyone?
>>>
>>>
>>>
Anonymous
January 11, 2005 3:57:00 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I thought I posted this earlier. MS's antispy identified it and removed it
from the registry. I deleted the files and it's gone. Not a big deal. I am
glad XP sp2 found it in the first place. It's about time a OS spots odd port
activity. Kudos to MS.

"MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
news:o mzhWMJ9EHA.2804@TK2MSFTNGP15.phx.gbl...
>> Backdoor/trojan
>
> BINGO !!!
>
> Advise you to go to CastleCops and post here after reading the
> guidelines first :
> http://castlecops.com/forum67.html
>
> requester(x).exe is a new malware variant. There are extremely
> knowledgeable experts who will help with the removal of it.
> If you can locate the file on the system and it's 1 MB or less, have it
> scanned at Kapersky's online virus scanner :
> http://www.kaspersky.com/remoteviruschk.html
> They have been very good at picking up malware that are not viruses and at
> least it may help you identify it.
>
>
> MowGreen [MVP]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
> Bill Fruge wrote:
>> JJ, thanks for the link. the various antivirus scanners found nothing
>> even when set to look heuristically for possible viruses... I suspect
>> that this is one of three things:
>> 1. Backdoor/trojan that is really new...
>> 2. Some kind of odd debuging message left by an untidy programmer...
>> 3. Part of some other program that uses requester.10.exe as it's sender
>> to look for updates. However I haven't found an association to any
>> program on the machine.
>>
>> I'll keep tearing apart the system to figure out what this thing does.
>> For now I'll keep blocking it until I can put a sniffer on this system. I
>> was hoping someone out there might have run into this. I suppose I could
>> try to decompile it and get a clue about what its trying to do.
>>
>> Thanks,
>> BF
>>
>> "Jupiter Jones [MVP]" wrote:
>>
>>
>>>Bill;
>>>It seems obvious that your computer has been compromised.
>>>Have you run an updated virus scan?
>>>
>>>Follow the yellow section on this link:
>>> http://www3.telus.net/dandemar/slowcom.htm
>>>
>>>If you can not reasonably determine the source and level of corruption as
>>>well as clean it, a Clean Installation may be the best option.
>>>
>>>--
>>>Jupiter Jones [MVP]
>>>http://www3.telus.net/dandemar/
>>>
>>>
>>>"Bill Fruge" <Bill Fruge@discussions.microsoft.com> wrote in message
>>>news:4A87AC36-DBA5-49FC-BDFD-AC84F147EEA3@microsoft.com...
>>>
>>>>I received the message that "requester.10.exe" was being blocked.
>>>>"requester.10.exe" and "requester.9.exe" two relatively new files in my
>>>>"Windows\System32" directory. Anyone have any idea what these programs
>>>>are? I
>>>>suspect its either a backdoor/trojan or whomever the anonymous
>>>>programmer(s)
>>>>left some unusual text in "requester.10.exe". In "requester.10.exe" at
>>>>line
>>>>D0 there is this word "4D 55 48 41 48 41 48 41 48 41 48 41" or
>>>>"MUHAHAHAHAHA". Ideas anyone?
>>>
>>>
>>>
Anonymous
January 11, 2005 7:30:12 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Bill Fruge wrote:
> I thought I posted this earlier. MS's antispy identified it and
removed it
> from the registry. I deleted the files and it's gone. Not a big deal.
I am
> glad XP sp2 found it in the first place. It's about time a OS spots
odd port
> activity. Kudos to MS.
>
> "MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
> news:o mzhWMJ9EHA.2804@TK2MSFTNGP15.phx.gbl...
> >> Backdoor/trojan
> >
> > BINGO !!!
> >
> > Advise you to go to CastleCops and post here after reading the
> > guidelines first :
> > http://castlecops.com/forum67.html
> >
> > requester(x).exe is a new malware variant. There are extremely
> > knowledgeable experts who will help with the removal of it.
> > If you can locate the file on the system and it's 1 MB or less,
have it
> > scanned at Kapersky's online virus scanner :
> > http://www.kaspersky.com/remoteviruschk.html
> > They have been very good at picking up malware that are not viruses
and at
> > least it may help you identify it.
> >
> >
> > MowGreen [MVP]
> > ===============
> > *-343-* FDNY
> > Never Forgotten
> > ===============
> >
> >
> > Bill Fruge wrote:
> >> JJ, thanks for the link. the various antivirus scanners found
nothing
> >> even when set to look heuristically for possible viruses... I
suspect
> >> that this is one of three things:
> >> 1. Backdoor/trojan that is really new...
> >> 2. Some kind of odd debuging message left by an untidy
programmer...
> >> 3. Part of some other program that uses requester.10.exe as it's
sender
> >> to look for updates. However I haven't found an association to any

> >> program on the machine.
> >>
> >> I'll keep tearing apart the system to figure out what this thing
does.
> >> For now I'll keep blocking it until I can put a sniffer on this
system. I
> >> was hoping someone out there might have run into this. I suppose I
could
> >> try to decompile it and get a clue about what its trying to do.
> >>
> >> Thanks,
> >> BF
> >>
> >> "Jupiter Jones [MVP]" wrote:
> >>
> >>
> >>>Bill;
> >>>It seems obvious that your computer has been compromised.
> >>>Have you run an updated virus scan?
> >>>
> >>>Follow the yellow section on this link:
> >>> http://www3.telus.net/dandemar/slowcom.htm
> >>>
> >>>If you can not reasonably determine the source and level of
corruption as
> >>>well as clean it, a Clean Installation may be the best option.
> >>>
> >>>--
> >>>Jupiter Jones [MVP]
> >>>http://www3.telus.net/dandemar/
> >>>
> >>>
> >>>"Bill Fruge" <Bill Fruge@discussions.microsoft.com> wrote in
message
> >>>news:4A87AC36-DBA5-49FC-BDFD-AC84F147EEA3@microsoft.com...
> >>>
> >>>>I received the message that "requester.10.exe" was being blocked.
> >>>>"requester.10.exe" and "requester.9.exe" two relatively new files
in my
> >>>>"Windows\System32" directory. Anyone have any idea what these
programs
> >>>>are? I
> >>>>suspect its either a backdoor/trojan or whomever the anonymous
> >>>>programmer(s)
> >>>>left some unusual text in "requester.10.exe". In
"requester.10.exe" at
> >>>>line
> >>>>D0 there is this word "4D 55 48 41 48 41 48 41 48 41 48 41" or
> >>>>"MUHAHAHAHAHA". Ideas anyone?
> >>>
> >>>
> >>>
!