Steve has found a very interesting sample in the wild: a fake Flash Player installer that installs the DNSChanger trojan on the victim’s computer. The malicious file is named FlashPlayer.v..exe:

Report Generated 10.12.2008 at 16.48.20 (GMT 1)
Filename: FlashPlayer.v..exe
File size: 78 KB
MD5 Hash: D2EBDAB38246882A8A39F819DB44736D
SHA1 Hash: 4226D3B1C92EC7BE33E9785ABA669427EC86E172
CRC32: 1111798076
Application Type: Executable (EXE) 32bit
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 5 on 24
Antivirus Result
a-squared -
Avira AntiVir -
Avast Win32:Fasec [Trj] (0)
AVG Trojan horse Downloader.Zlob.AHRH
BitDefender -
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA -
IkarusT3 -
Kaspersky -
McAfee Generic.dx trojan
MHR -
NOD32 v3 a variant of Win32/Kryptik.CN trojan
Norman -
Panda -
QuickHeal -
Solo Antivirus -
Sophos Mal/BadNSIS
TrendMicro -
VBA32 -
VirusBuster -
When I executed the malicious file, it established a connection with this IP:
94.247.2.104 (hs.2-104.zlkon.lv)
Internet traffic:
Protocol : TCP
Remote Address : 94.247.2.104
Local Port : 1209
Remote Port : 80
Service Name : http
Packets : 302
Data Size : 177.593 Bytes
Total Size : 189.798 Bytes
Capture Time : 10/12/2008 15.27.53:796
==================================================
POST /cgi-bin/generator HTTP/1.0
Content-Length: 294

HTTP/1.1 200 OK
Date: Wed, 10 Dec 2008 14:27:46 GMT
Server: Apache/2.0.63 (FreeBSD) PHP/5.2.6 with Suhosin-Patch
Time: r57:62464 e0:114688
Content-Length: 177209
Connection: close
Content-Type: text/html
...
A new window appeared on the screen and asked me where to install a program named homeview:

The program creates the following files:
%User%\LOCALS~1\Temp\jah30006.exe
C:\autorun.inf
C:\Program Files\homeview
C:\Program Files\homeview\Uninstall.exe
%User%\Start Menu\Programs\homeview\Uninstall.lnk
C:\resycled\boot.com
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
C:\WINDOWS\system32\msqpdxosvnnrse.dll
We can see that it has dropped a rootkit driver, msqpdxpqxtoiqh.sys, in C:\WINDOWS\system32\drivers\ after silently executing a file called jah30006.exe. Another interesting file is C:\autorun.inf, which the trojan uses to spread itself to removable devices such as USB drives.
Scan report of jah30006.exe:
Report Generated 10.12.2008 at 16.05.55 (GMT 1)
Filename: jah30006.exe
File size: 31 KB
MD5 Hash: 9883BB653A59CC988F7B88C59021F378
SHA1 Hash: 02425C4E7C5E28773AC3DD776344DA576FDC30E8
CRC32: 2335540674
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 6 on 24
Antivirus Result
a-squared -
Avira AntiVir TR/Crypt.XPACK.Gen
Avast Win32:Fasec [Trj] (0)
AVG -
BitDefender -
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Win32:Fasec [Trj] B
IkarusT3 -
Kaspersky -
McAfee -
MHR -
NOD32 v3 a variant of Win32/Kryptik.CN trojan
Norman -
Panda -
QuickHeal Suspicious
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster Trojan.FakeAlert.Gen!Pac.2
Scan report of msqpdxpqxtoiqh.sys:
Report Generated 10.12.2008 at 17.01.14 (GMT 1)
Filename: msqpdxpqxtoiqh_sys
File size: 61 KB
MD5 Hash: 17A2B5116B87C12E28BAEBECC60F7304
SHA1 Hash: BF8A4034925E4767093FA10BA5AFA6174A77AA0C
CRC32: 1004260316
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 0 on 24
With RkU (Rootkit Unhooker) we can see that the malware hooks some functions in ring0:

It also detected stealth code:

We can see the registry key of the rootkit driver in regedit:

But we cannot delete the key, because the hooks protect it from being deleted by the user:

The following files are hidden from Explorer searches by the hooks, which conceal the files’ presence:
C:\WINDOWS\system32\msqpdxosvnnrse.dll
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
During the analysis, the malware kept establishing connections to:
85.255.116.74
We noticed some DNS/Domain requests:
Protocol: UDP
Remote IP: 85.255.116.74
Remote Port: 53
Domains requested: [62 domain names, list omitted]
Below is the HiJackThis log with the malware traces:
O17 – HKLM\System\CCS\Services\Tcpip\..\{B84DA37B-654A-4425-ACA3-DE03D2022067}: NameServer = 85.255.116.74;85.255.112.167
O17 – HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
O17 – HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
We can see that the malware changes the Tcpip Parameters: every DNS query your computer makes (for example, every time you visit a site) is sent to these IPs:
85.255.116.74
85.255.112.167
Fyyre has unpacked the rootkit driver and we can extract interesting strings from the code:
msqpdx
%s%s%s
\systemroot\system32\drivers\msqpdxserv.sys
\systemroot\system32\msqpdxl.dll
file system
\\?\globalroot
iexplore.exe
firefox.exe
svchost.exe
msqpdxl.dll
NtFlushInstructionCache
LoadLibraryExA
chkdsk.exe
System
TDL2 Loaded
%.*S
ntoskrnl.exe
hal.dll
ExAllocateFromPagedLookasideList
KeI386GetLid
IoDeviceHandlerObjectSize
RtlxAnsiStringToUnicodeSize
InbvSolidColorFill
tolower
READ_PORT_UCHAR
HalReportResourceUsage
HalAllocateAdapterChannel
HalInitSystem
HalGetBusData
IoSetPartitionInformation
HalAllocateCrashDumpRegisters
HalGetInterruptVector
HalReadDmaCounter
\registry\machine\system\currentcontrolset\services\msqpdxserv.sys\modules
\registry\machine\system\currentcontrolset\services\msqpdxserv.sys
\registry\machine\system\currentcontrolset\enum\root\legacy_msqpdxserv\0000\control
\registry\machine\system\currentcontrolset\enum\root\legacy_msqpdxserv\0000
\registry\machine\system\currentcontrolset\enum\root\legacy_msqpdxserv
start
type
mgroup
imagepath
msqpdx
\registry\machine\software\msqpdx\injector
l*\KERNEL32.DLL
*\NTDLL.DLL
\registry\machine\software\msqpdx\disallowed
registry\machine\software\msqpdx\trusted
\registry\machine\software\msqpdx\connections
\FileSystem\FltMgr
*\msqpdx*
*\TEMP\msqpdx*
\filesystem\fastfat
\filesystem\ntfs
\driver\tcpip
\driver\ftdisk
\driver\volsnap
iexplore.exe
ntdll.dll
kernel32.dll
How to remove Trojan DNSChanger.gen?
1] Boot in Safe Mode (F8)
2] Find and delete all the files related to the trojan, in my case:
%User%\LOCALS~1\Temp\jah30006.exe
C:\autorun.inf
C:\Program Files\homeview
C:\Program Files\homeview\Uninstall.exe
%User%\Start Menu\Programs\homeview\Uninstall.lnk
C:\resycled\boot.com
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
C:\WINDOWS\system32\msqpdxosvnnrse.dll
3] Remove the hijacked Tcpip Parameters in the registry:
HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
4] Remove the registry keys created by the malware:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msqpdxvx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msqpdxserv.sys
If the registry keys related to the rootkit driver cannot be deleted with regedit.exe use regedt32.exe (suggested by Simon).
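As an added example (not code from the original post or from the tools it mentions), the following Python script triages text lines such as a HijackThis log, a .reg export or a file listing for the traces described above: O17 NameServer entries pointing at the two rogue resolvers (or, when expected_dns is given, at any resolver you did not expect) and registry keys or files whose names carry the msqpdx prefix. The sample lines are constructed from the values on this page.

```python
"""Triage helper for the DNSChanger / msqpdx traces described in the post.

Added example, not code from the original post or from NoVirusThanks.
It scans text lines such as a HijackThis log and a .reg export for:
  * O17 NameServer entries that point at the rogue resolvers, and
  * registry keys and file paths carrying the msqpdx prefix the rootkit uses.
"""
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# The two rogue resolvers observed in the post's O17 lines.
ROGUE_DNS = frozenset({"85.255.116.74", "85.255.112.167"})

# HijackThis O17 line, e.g.
#   O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
# The dash may be an ASCII hyphen or an en-dash when the log was pasted through a web page.
O17_RE = re.compile(
    r"^O17\s*[-\u2013]\s*(?P<key>HKLM\\[^:]+):\s*NameServer\s*=\s*(?P<servers>[\d.;,\s]+)$"
)

# Key header line of a .reg export, e.g. [HKEY_LOCAL_MACHINE\SYSTEM\...\msqpdxserv.sys]
REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")

# Names the rootkit generates are partly random but keep the msqpdx prefix
# (msqpdxserv.sys, LEGACY_MSQPDXSERV.SYS, msqpdxvx, msqpdxpqxtoiqh.sys, ...).
MSQPDX_RE = re.compile(
    r"\\(?:legacy_)?msqpdx[a-z0-9]*(?:\.[a-z]{3})?(?:\\|$)", re.IGNORECASE
)

# A local file path such as C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
FILE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_name_servers(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (registry key, [servers]) for an O17 line, or None if it is not one."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s.strip() for s in re.split(r"[;,\s]+", m.group("servers")) if s.strip()]
    return m.group("key"), servers


def triage(lines: List[str], expected_dns: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Classify suspicious lines.

    A NameServer is flagged when it is one of the known rogue resolvers or, if
    expected_dns is given, when it is not one of the resolvers you expect.
    """
    findings: Dict[str, List[str]] = {"rogue_dns": [], "msqpdx_keys": [], "msqpdx_files": []}
    for raw in lines:
        line = raw.strip()
        parsed = parse_name_servers(line)
        if parsed:
            key, servers = parsed
            bad = [s for s in servers
                   if s in ROGUE_DNS or (expected_dns and s not in expected_dns)]
            if bad:
                findings["rogue_dns"].append(f"{key} -> {';'.join(bad)}")
            continue
        m = REG_KEY_RE.match(line)
        if m:
            if MSQPDX_RE.search(m.group("key")):
                findings["msqpdx_keys"].append(m.group("key"))
            continue
        if FILE_PATH_RE.match(line) and MSQPDX_RE.search(line):
            findings["msqpdx_files"].append(line)
    return findings


# Constructed sample: a few HijackThis / .reg / file-listing lines modelled on the post.
SAMPLE_LINES = r"""
Logfile of Trend Micro HijackThis v2.0.2 (constructed sample)
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O17 - HKLM\System\CCS\Services\Tcpip\..\{B84DA37B-654A-4425-ACA3-DE03D2022067}: NameServer = 85.255.116.74;85.255.112.167
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQPDXSERV.SYS]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msqpdxvx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
C:\WINDOWS\system32\msqpdxosvnnrse.dll
C:\WINDOWS\system32\drivers\tcpip.sys
""".strip().splitlines()


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LINES).items():
        print(f"{category}:")
        for hit in hits:
            print(f"  {hit}")
```

Run it against a real HijackThis log or a `reg export HKLM` dump by feeding the file's lines to `triage`; a NameServer that is merely unexpected is reported only when you pass the resolvers you trust in `expected_dns`.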

Thanks for posting this, been researching this virus to try and completely remove it from my computer but it always seems like I’m missing a few files or registry keys. Wasn’t aware of the added files to the drivers folder or the changes to HKLM\System in the registry. From what I’ve seen, the filenames for the files it creates are partially randomly generated, always starting with msqpdx with the exception of msqpdxserv.sys.
Comments by Elvang - December 11th, 2008 at 2:52 pm
Yeah, looks like this variant to me.
http://www.f-secure.com/v-descs/trojan_w32_dnschanger_arnf.shtml
Comments by steve - December 11th, 2008 at 6:36 pm
Any idea how I can get rid of it? Short of reformatting my primary hard disk? How can I unhook the hooks?
Comments by hans - December 13th, 2008 at 9:51 am
You can use Rootkit Unhooker (you will find it here: http://novirusthanks.org/blog/?p=16) to unhook the code hooks, then you can delete the files and remove the Tcpip Parameters that were added by the malware.
-Files to delete:
C:\DOCUME~1\user\LOCALS~1\Temp\jah30006.exe
C:\autorun.inf
C:\Program Files\homeview
C:\Program Files\homeview\Uninstall.exe
C:\Documents and Settings\user\Start Menu\Programs\homeview\Uninstall.lnk
C:\resycled\boot.com
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
C:\WINDOWS\system32\msqpdxosvnnrse.dll
-Tcpip Parameters to remove:
HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
Comments by Robert - December 13th, 2008 at 11:00 am
I had this infection too (my first infection in 10+years of being online). Is it necessary to delete msqpdxserv.sys? I used Malwarebyte’s Anti-malware to delete all the other files, but the registry item can’t be deleted. Should I be searching out a way to delete it? Thanks.
Comments by Susan - December 15th, 2008 at 7:51 am
Thanks Robert, your advice worked like a charm. However, I found some differences between this report and my case.
I have an entry in my registry called LEGACY_MSQPDXSERV.SYS under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSQPDXSERV.SYS that I still can’t delete.
Another one is msqpdxserv.sys under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys
I can’t find the hooks for these using RkU, maybe it’s just my inexperience with it. However, I think it’s just dead entries in the registry as my DNS is no longer changing, and a boot-time scan using Avast yields a clean result.
Comments by hans - December 15th, 2008 at 7:59 am
Update:
found also HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQPDXSERV.SYS
Comments by hans - December 15th, 2008 at 8:06 am
Good find hans, if you still have problems deleting the registry keys you can boot in Safe Mode (press F8 when the PC starts) and then delete the remaining keys you have found:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys
If you cannot delete these registry keys, it means the rootkit driver is still loaded, so maybe the .sys file was not deleted; try in Safe Mode and re-check whether the rootkit driver and the other files are present, and delete them if they are.
-Robert
Comments by Robert - December 15th, 2008 at 3:12 pm
Rebooted in safe mode, none of the files are present. Ran RkU and unhooked everything, still can’t delete the entries. Any ideas?
-Hans
Comments by Hans - December 17th, 2008 at 4:13 am
Have you tried to delete the registry keys in safe mode from regedit ?
Comments by Robert - December 17th, 2008 at 12:40 pm
Yeah, same here. I’m in safe mode using regedit, but it says I cannot delete those entries that Hans mentioned.
Comments by Simon - December 17th, 2008 at 7:06 pm
Solved. Run regedt32 (note spelling) instead of regedit in safe mode. Then right-click on the offending registry entry, select Permissions. Then give Full Control to Everyone. Now you can delete the entry.
Comments by Simon - December 17th, 2008 at 7:11 pm
Hey, thanks very much to all you guys, I couldn’t get rid of this from the registry before I read your posts on setting permissions..
Thanks again
John
Comments by John - December 17th, 2008 at 8:47 pm
I’ve tried everything you posted here … but I still cannot delete keys in the registry … Everything I change in Permissions, I get an error.
Comments by Sammy - December 19th, 2008 at 11:56 am
Access denied when I tried to set permissions …
Comments by Sammy - December 19th, 2008 at 12:38 pm
Solved for me too!!
It is very important to use regedit 32
I made a search through all the registry for strings with the initial MSQPD and found some entries that weren’t mentioned here.
It is important to delete them all.
Thank you all!!
Comments by Gabi - December 19th, 2008 at 1:20 pm
OK … I did it (a little bit different, but I’ve got control over the registry). But now I have a new problem. I’ve also found a DNS entry, which is set by this Trojan. So … I cleaned everything (in Safe mode), but every time I restart my computer, the registry entries are there again … WTF????
I
Comments by Sammy - December 21st, 2008 at 10:20 am
I mean … entry for MSQPDXSERV without DNS entry
Comments by Sammy - December 21st, 2008 at 10:21 am
Hey Sammy, can you post the HiJackThis log here? Maybe there is something that was not deleted and that is auto-started when Windows starts
Comments by Robert - December 21st, 2008 at 2:50 pm
Hey Sammy,
what different thing have you done to get access to the registry? just access denied here for me…
Comments by Victor - December 21st, 2008 at 4:50 pm
do a search for combofix.exe and run it
Comments by z-Roq - December 22nd, 2008 at 2:13 pm
Sammy, find a program combofix.exe ... I had the same redirect virus, ran combofix, took about 10 mins ... no problem now.
Comments by z-Roq - December 22nd, 2008 at 2:15 pm
hmm… interesting, I managed to delete everything (with and without the help of anti-malware software) but for some reason I still have 3 registry entries to which I cannot change permissions (and logically cannot delete). I used safe mode and regedt32… pffff
running out of ideas… anyone?
It is as if those don’t even exist anymore, they are not hooked… wtf!?
Comments by dadah - December 26th, 2008 at 5:53 pm
Hi everyone
I was wondering how you know if you’re still connected to the IP address 85.255.116.74
my friend helped me fix my computer when it was infected with this, I’m not quite sure if he completely fixed everything though so I’m a bit worried
hope someone can help
Comments by Andy - December 27th, 2008 at 11:00 pm
@dadah try to check with Rootkit Unhooker whether the SSDT / Code Hooks are still present in your system; if they are not present, the malware should mainly be “out”. About the registry keys, if you set the permissions right there should be no problem deleting them; try again in safe mode using the regedt32 “trick” : )
@Andy if it is possible for you, please post a HijackThis log here so we can see better whether the trojan is still alive : )
-Robert
Comments by Robert - December 28th, 2008 at 9:42 pm
I’ve got the same problems reported here, but I can’t get the unhooker to work right. I see the code hooks tab and pick unhook all, but right after I run regedt32 and still don’t see the registry entries even though rootkit has reported them like this: HKLM\SECURITY\Policy\Secrets\SAC* 5/21/2008 10:11 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 5/21/2008 10:11 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{7CFDA618-9008-4E04-B439-A4935B54195E}* 12/27/2008 10:00 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\msqpdxvx 12/23/2008 8:09 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 12/28/2008 2:32 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys 12/28/2008 2:02 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys 12/28/2008 2:02 PM 0 bytes Hidden from Windows API.
C: 0 bytes Error mounting volume
E: 0 bytes Error mounting volume
am I missing something here
Comments by jim - December 29th, 2008 at 12:49 am
@Robert – I think I did this right hopefully, hopefully I don’t need to fix anything because I’m not very great with computers. My friend fixed my computer and I ran some anti-spyware and anti-virus to clean the things he missed so I’m not sure if there’s anything lurking around still
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:35 PM, on 12/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 – BHO: Spybot-S&D IE Protection – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 – BHO: scriptproxy – {7DB2D5A0-7241-4E79-B68D-6309F01C5231} – C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 – HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 – HKCU\..\Run: [Aim6] “C:\Program Files\AIM6\aim6.exe” /d locale=en-US ee://aol/imApp
O4 – HKCU\..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O9 – Extra button: (no name) – {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 – Extra ‘Tools’ menuitem: Spybot – Search & Destroy Configuration – {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 – Service: McAfee Services (mcmscsvc) – McAfee, Inc. – C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 – Service: McAfee Network Agent (McNASvc) – McAfee, Inc. – c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 – Service: McAfee Scanner (McODS) – McAfee, Inc. – C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 – Service: McAfee Proxy Service (McProxy) – McAfee, Inc. – c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 – Service: McAfee Real-time Scanner (McShield) – McAfee, Inc. – C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 – Service: McAfee SystemGuards (McSysmon) – McAfee, Inc. – C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 – Service: McAfee Personal Firewall Service (MpfService) – McAfee, Inc. – C:\Program Files\McAfee\MPF\MPFSrv.exe
That’s all I got
Comments by Andy - December 29th, 2008 at 7:03 am
@jim try to do this:
1) boot in safe mode (press f8 when windows start)
2) give permissions with regedt32
3) localize the keys:
HKLM\SOFTWARE\Classes\msqpdxvx
HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
NOTE:
check also the possible presence of other registry keys as hans found other keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys
Then delete the keys and check whether these files are present on the hard disk:
If these files are present, just delete them; now restart your PC and check (with the anti-rootkit or manually with regedit) whether the registry keys are present.
@Andy from the HiJackThis log it seems that your computer is clean; anyway, try to scan your PC with Rootkit Revealer (you can find it here http://novirusthanks.org/blog/?p=16) and paste the logs here : )
-Robert
Comments by Robert - December 29th, 2008 at 9:53 pm
@Robert – I think I did this right; if it’s messy, sorry about that
HKU\.DEFAULT\Control Panel\International 12/26/2008 7:06 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 12/26/2008 7:06 PM 0 bytes Security mismatch.
HKU\S-1-5-21-682003330-1960408961-725345543-500\Control Panel\International 12/26/2008 7:06 PM 0 bytes Security mismatch.
HKU\S-1-5-21-682003330-1960408961-725345543-500\Control Panel\International\Geo 12/26/2008 7:06 PM 0 bytes Security mismatch.
HKU\S-1-5-21-682003330-1960408961-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{525750CE-62B8-6F2D-4AF7-2F6A30B358B7}* 2/9/2007 3:00 AM 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-682003330-1960408961-725345543-500 0 bytes Error dumping hive: Internal error.
HKU\S-1-5-18\Control Panel\International 12/26/2008 7:06 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 12/26/2008 7:06 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 1/3/2007 3:25 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 1/3/2007 3:25 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A1FBA9483EA61E542B065D44B7F2925F\Usage\OMAFunction 12/8/2008 7:21 AM 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Administrator\Desktop\RootkitRevealer.zip 12/29/2008 4:00 PM 225.97 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\xxxxxxxxxxx@live.com\SharingMetadata\xxxxxxxxxxxx@msn.com\DFSR\Staging\CS{762AAD30-C988-ED41-6F96-5F92290AC213}1\10-{762AAD30-C988-ED41-6F96-5F92290AC213}-v1-{B3F 10/15/2008 9:24 PM 8 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4H6J89AZ\size=120×90;noperf=1;alias=93242651;target=_blank;aduho=480;group=595684859;misc=595684859;adiframe=y[1] 12/29/2008 4:08 PM 347 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4H6J89AZ\size=120×90;noperf=1;alias=93242651;target=_blank;aduho=480;group=595723906;misc=595723906;adiframe=y[1] 12/29/2008 4:08 PM 437 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8DAVK92N\OSA_squirrel_120×90_10092008[1].gif 12/29/2008 4:08 PM 5.01 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8DAVK92N\size=120×90;noperf=1;alias=93242651;target=_blank;aduho=480;group=595762921;misc=595762921[1].htm 12/29/2008 4:09 PM 266 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FYQ9JTLD\adlink%2F5113%2F159339%2F0%2F5%2FAdId%3D123960%3BBnId%3D1%3Bitime%3D595682675%3Bkvag%3Dtem%3Aua17%3Bkvug%3D1%3Blink%3D;ord=595682675[2] 12/29/2008 4:08 PM 503 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WLABC123\size=120×90;noperf=1;alias=93242651;target=_blank;aduho=480;group=595684859;misc=595684859[1].htm 12/29/2008 4:08 PM 266 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WLABC123\size=120×90;noperf=1;alias=93242651;target=_blank;aduho=480;group=595723906;misc=595723906[1].htm 12/29/2008 4:08 PM 266 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WLABC123\size=120×90;noperf=1;alias=93242651;target=_blank;aduho=480;group=595762921;misc=595762921;adiframe=y[1] 12/29/2008 4:09 PM 437 bytes Visible in directory index, but not Windows API or MFT.
C:\RECYCLER\S-1-5-21-682003330-1960408961-725345543-500\Dc1.zip 12/29/2008 4:00 PM 225.97 KB Hidden from Windows API.
Comments by Andy - December 30th, 2008 at 12:20 am
@Andy you did all right and from the HiJackThis log + Rootkit Revealer log it seems that your computer is clean : )
-Robert
Comments by Robert - December 30th, 2008 at 11:29 am
@Robert – oh wow Thank you for all your help then, i can continue to use my computer worry-free, Again, thanks and Happy New Years
Comments by Andy - December 30th, 2008 at 11:56 am
FOR ANYONE WITH THIS ISSUE:
quickest way to get rid of this is COMBOFIX, works even when your system is no longer running any virus scanners.
this virus took me three hours!
good luck everyone
Comments by michi - January 6th, 2009 at 9:39 am
Thank you so much Simon, been searching for this answer for hours
Comments by Kris Williams - January 8th, 2009 at 8:00 am
Hello. So I’ve been dealing with a virus problem akin to those mentioned here. It’s a pesky trojan horse detected by Avast. It causes my computer to shut down frequently and cannot be moved to the chest because it is supposedly being used by other processes, nor can I find it on my computer. I know this may not be the only virus, but it’s a start. My question for you is – could I simply follow the advice given in the post that I’ve pasted here? Or is that a misdiagnosis on my part?
The info I get from my avast scan is:
FILE NAME: C:\Windows\System32\msqpdxmewtfbso.dll
MALWARE NAME: Win32:Fasec [tri]
Robert - December 29th, 2008 at 9:53 pm
@jim try to do this:
1) go in safe mode (press f8 when windows start)
2) give permissions with regedt32
3) localize the keys:
HKLM\SOFTWARE\Classes\msqpdxvx
HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
NOTE:
check also the possible presence of other registry keys as hans found other keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys
Then delete the keys and check whether these files are present on the hard disk:
C:\DOCUME~1\user\LOCALS~1\Temp\jah30006.exe
C:\autorun.inf
C:\Program Files\homeview
C:\Program Files\homeview\Uninstall.exe
C:\Documents and Settings\user\Start Menu\Programs\homeview\Uninstall.lnk
C:\resycled\boot.com
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
C:\WINDOWS\system32\msqpdxosvnnrse.dll
If these files are present, just delete them; now restart your PC and check (with the anti-rootkit or manually with regedit) whether the registry keys are present.
@Andy from the HiJackThis log it seems that your computer is clean; anyway, try to scan your PC with Rootkit Revealer (you can find it here http://novirusthanks.org/blog/?p=16) and paste the logs here : )
-Robert
Comments by eddie - January 21st, 2009 at 2:46 am
also, I have to admit that my blogging and message board posting experience is limited and I do not know the proper etiquette that comes with them. So I apologize if it is inappropriate to paste a previous post (like I did above), and I will do my best to post properly. I appreciate any help you could extend to me. Thank you so much.
Comments by eddie - January 21st, 2009 at 2:55 am
Hi eddie,
your post is correct : )
About your Avast log, if the malware is not removed you can follow the info in the previous comments to remove it and remember to delete this file when you are in Safe Mode:
C:\Windows\System32\msqpdxmewtfbso.dll
Also, if you want, try to post a HiJackThis log here so I can analyze it and check whether your computer is infected by other malware too.
Comments by Robert - January 21st, 2009 at 10:38 am
For some reason my posts are not showing up. . .I really hope you won’t be barraged with them all at once.
First off, I tried to follow the instructions in the above posts, but couldn’t quite get the ball rolling past step one. I did manage to open up the registry editor and read as much as I could to help me, but could not figure out how to give permissions to regedit32 nor could I figure out how to localize the keys.
I did manage to get a hijackThis log though!
Comments by eddie - January 22nd, 2009 at 5:57 am
Here it is. . .It may spread among a couple of separate posts.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:55 PM, on 1/21/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\AirPort\APAgent.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\test\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Comments by eddie - January 22nd, 2009 at 6:00 am
It took a couple attempts to get all of these posts up today, and again, I truly apologize if they all come through at some point. . .I don’t think that will be the case though. I expressed my gratuity in one of the posts that didn’t make through but, want to make sure you know I’m grateful. Following is the final part(s) of my HijackThis Log
O23 – Service: Agere Modem Call Progress Audio (AgereModemAudio) – Agere Systems – C:\Windows\system32\agrsmsvc.exe
O23 – Service: Apple Mobile Device – Apple Inc. – C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – ALWIL Software – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: Automatic LiveUpdate Scheduler – Symantec Corporation – C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 – Service: avast! Antivirus – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 – Service: avast! Web Scanner – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 – Service: Bonjour Service – Apple Inc. – C:\Program Files\Bonjour\mDNSResponder.exe
Comments by eddie - January 22nd, 2009 at 6:16 am
Hi eddie,
I’ve created a video that shows how to set permissions for regedit and regedt32 in this article:
http://novirusthanks.org/blog/?p=799
View it as it should help you to delete the “protected” keys setting the right permissions.
About your HiJackThis logs, it seems that your computer is safe : )
Anyway, can you describe which problem the computer is giving you?
Comments by Robert - January 24th, 2009 at 1:19 am
Hello again Robert. Once again thank you so much for all of your help, it means a lot. The night I last posted I came across the site malwareremoval.com and have just begun troubleshooting to get rid of this thing. It’s a site that helps people with their virus woes and serves as a training program for ‘virus vigilantes’ as I like to call them. It seems like a great site, there’s nothing that I should be wary of, is there?
As far as my issue. . .Avast is my current virus protection program as well as Windows Defender. I’ve received Avast warnings regarding the virus and am unable to move it to the chest or do anything to it for that matter. I believe the virus prohibits my comp from downloading and installing updates from Defender (and probably other programs I am unaware of). It seems as though there are a number of different viruses. Though I’ve seen a couple of different names the only one I have been able to document is:
C:\Windows\System32\msqpdxmewtfbso.dll
Comments by eddie - January 29th, 2009 at 6:25 am