Comments on: Fake Flash Player and Trojan DNSChanger.gen http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/ Security News and Malware Analysis Tue, 18 Oct 2011 16:33:27 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: eddie http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/#comment-725 eddie Thu, 29 Jan 2009 06:25:27 +0000 http://novirusthanks.org/blog/?p=526#comment-725 Hello again Robert. Once again thank you so much for all of your help, it means a lot. The night I last posted I came across the site malwareremoval.com and have just begun trouble shooting to get rid of this thing. Its a site that helps people with their virus woes and serves as a training program for 'virus vigilantes' as I like to call them. It seams like a great site, there's nothing that I should be weary of, is there? As far as my issue. . .Avast is my current virus protection program as well as windows defender. I've received Avast warnings regarding the virus and am unable to move it to the chest or do anything to it for that matter. I believe the virus prohibits my comp from downloading and installing updates from defender (and probably other programs I am unaware of). It seems as though there are a number of different virus. Though I've scene a couple different names the only one I have been able to document is: C:\Windows\System32\msqpdxmewtfbso.dll Hello again Robert. Once again thank you so much for all of your help, it means a lot. The night I last posted I came across the site malwareremoval.com and have just begun trouble shooting to get rid of this thing. Its a site that helps people with their virus woes and serves as a training program for ‘virus vigilantes’ as I like to call them. It seams like a great site, there’s nothing that I should be weary of, is there?

As far as my issue. . .Avast is my current virus protection program as well as windows defender. I’ve received Avast warnings regarding the virus and am unable to move it to the chest or do anything to it for that matter. I believe the virus prohibits my comp from downloading and installing updates from defender (and probably other programs I am unaware of). It seems as though there are a number of different virus. Though I’ve scene a couple different names the only one I have been able to document is:

C:\Windows\System32\msqpdxmewtfbso.dll

]]> By: Robert http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/#comment-649 Robert Sat, 24 Jan 2009 01:19:39 +0000 http://novirusthanks.org/blog/?p=526#comment-649 Hi eddie, I've created a video that show how to set permissions for regedit and regedt32 in this article: http://novirusthanks.org/blog/?p=799 View it as it should help you to delete the "protected" keys setting the right permissions. About your HiJackThis Logs it seem that your computer is safe : ) Anyway can you describe wich problem is giving you the computer ? Hi eddie,

I’ve created a video that show how to set permissions for regedit and regedt32 in this article:

http://novirusthanks.org/blog/?p=799

View it as it should help you to delete the “protected” keys setting the right permissions.
About your HiJackThis Logs it seem that your computer is safe : )
Anyway can you describe wich problem is giving you the computer ?

]]> By: eddie http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/#comment-617 eddie Thu, 22 Jan 2009 06:16:41 +0000 http://novirusthanks.org/blog/?p=526#comment-617 It took a couple attempts to get all of these posts up today, and again, I truly apologize if they all come through at some point. . .I don't think that will be the case though. I expressed my gratuity in one of the posts that didn't make through but, want to make sure you know I'm grateful. Following is the final part(s) of my HijackThis Log O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe It took a couple attempts to get all of these posts up today, and again, I truly apologize if they all come through at some point. . .I don’t think that will be the case though. I expressed my gratuity in one of the posts that didn’t make through but, want to make sure you know I’m grateful. Following is the final part(s) of my HijackThis Log

O23 – Service: Agere Modem Call Progress Audio (AgereModemAudio) – Agere Systems – C:\Windows\system32\agrsmsvc.exe
O23 – Service: Apple Mobile Device – Apple Inc. – C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – ALWIL Software – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: Automatic LiveUpdate Scheduler – Symantec Corporation – C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 – Service: avast! Antivirus – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 – Service: avast! Web Scanner – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 – Service: Bonjour Service – Apple Inc. – C:\Program Files\Bonjour\mDNSResponder.exe

]]> By: eddie http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/#comment-609 eddie Thu, 22 Jan 2009 06:00:33 +0000 http://novirusthanks.org/blog/?p=526#comment-609 Here it is. . .It may spread among a couple seperate posts. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:42:55 PM, on 1/21/2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe C:\Windows\RtHDVCpl.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Windows\system32\wuauclt.exe C:\Windows\system32\wbem\unsecapp.exe C:\Program Files\Launch Manager\QtZgAcer.EXE C:\Program Files\Alwil Software\Avast4\ashDisp.exe C:\Program Files\AirPort\APAgent.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\Windows\system32\igfxsrvc.exe C:\Windows\system32\igfxext.exe C:\Windows\system32\igfxsrvc.exe C:\Users\test\AppData\Local\Temp\RtkBtMnt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe Here it is. . .It may spread among a couple seperate posts.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:55 PM, on 1/21/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\AirPort\APAgent.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\test\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

]]> By: eddie http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/#comment-607 eddie Thu, 22 Jan 2009 05:57:44 +0000 http://novirusthanks.org/blog/?p=526#comment-607 For some reason my posts are not showing up. . .I really hope you won't be barraged with them all at once. First off, I tried to follow the instructions in the above posts, but couldn't quite get the ball rolling past step one. I did manage to open up the registry editor and read as much as I could to help me, but could not figure out how to give permissions to regedit32 nor could I figure out how to localize the keys. I did manage to get a hijackThis log though! For some reason my posts are not showing up. . .I really hope you won’t be barraged with them all at once.

First off, I tried to follow the instructions in the above posts, but couldn’t quite get the ball rolling past step one. I did manage to open up the registry editor and read as much as I could to help me, but could not figure out how to give permissions to regedit32 nor could I figure out how to localize the keys.

I did manage to get a hijackThis log though!

]]> By: Robert http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/#comment-593 Robert Wed, 21 Jan 2009 10:38:30 +0000 http://novirusthanks.org/blog/?p=526#comment-593 Hi eddie, your post is correct : ) About your Avast log, if the malware is not removed you can follow the info in the previous comments to remove it and remember to delete this file when you are in Safe Mode: C:\Windows\System32\msqpdxmewtfbso.dll Also if you want try to post an HiJackThis log here so I can analyze it and check if your computer is infected by other malware too. Hi eddie,
your post is correct : )
About your Avast log, if the malware is not removed you can follow the info in the previous comments to remove it and remember to delete this file when you are in Safe Mode:

C:\Windows\System32\msqpdxmewtfbso.dll

Also if you want try to post an HiJackThis log here so I can analyze it and check if your computer is infected by other malware too.

]]> By: eddie http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/#comment-590 eddie Wed, 21 Jan 2009 02:55:22 +0000 http://novirusthanks.org/blog/?p=526#comment-590 also, I have to admit that my blogging and message board posting experience is limited and I do not know the proper etiquette that comes with them. So i apologize if it is inappropriate to paste a previous post (like I did above), and I will do my best to post properly. I appreciate any help you could extend to me. Thank you so much. also, I have to admit that my blogging and message board posting experience is limited and I do not know the proper etiquette that comes with them. So i apologize if it is inappropriate to paste a previous post (like I did above), and I will do my best to post properly. I appreciate any help you could extend to me. Thank you so much.

]]> By: eddie http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/#comment-589 eddie Wed, 21 Jan 2009 02:46:50 +0000 http://novirusthanks.org/blog/?p=526#comment-589 Hello. So I've been dealing with a virus problem akin to those mentioned here. Its a pesky trojan horse detected by Avast. It causes my computer to shut down frequently and cannot be moved to the chest because it is supposedly being used by other processes, nor can I find it on my computer. I know this may not be the only virus, but its a start. My question for you is - could I simply follow the advice given in the post that i've pasted here? Or is that a misdiagnosis on my part? The info I get from my avast scan is: FILE NAME: C:\Windows\System32\msqpdxmewtfbso.dll MALEWARE NAME: Win32:Fasec [tri] RobertDecember 29th, 2008 at 9:53 pm @jim try to do this: 1) go in safe mode (press f8 when windows start) 2) give permissions with regedt32 3) localize the keys: HKLM\SOFTWARE\Classes\msqpdxvx HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys NOTE: check also the possible presence of other registry keys as hans found other keys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQPDXSERV.SYS HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQPDXSERV.SYS HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSQPDXSERV.SYS HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys Then delete the keys and look if are present these files in the harddisk: C:\DOCUME~1\user\LOCALS~1\Temp\jah30006.exe C:\autorun.inf C:\Program Files\homeview C:\Program Files\homeview\Uninstall.exe C:\Documents and Settings\user\Start Menu\Programs\homeview\Uninstall.lnk C:\resycled\boot.com C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys C:\WINDOWS\system32\msqpdxosvnnrse.dll If these files are present just delete them, now restart your PC and check (with the anti rootkit or manually with regedit) if the registry keys are present. @Andy from the HiJackThis Log seem that your computer is clean, anyway try to scan your PC with Rootkit Revealer (you can find it here http://novirusthanks.org/blog/?p=16) and paste here the logs : ) -Robert Hello. So I’ve been dealing with a virus problem akin to those mentioned here. Its a pesky trojan horse detected by Avast. It causes my computer to shut down frequently and cannot be moved to the chest because it is supposedly being used by other processes, nor can I find it on my computer. I know this may not be the only virus, but its a start. My question for you is – could I simply follow the advice given in the post that i’ve pasted here? Or is that a misdiagnosis on my part?

The info I get from my avast scan is:
FILE NAME: C:\Windows\System32\msqpdxmewtfbso.dll
MALEWARE NAME: Win32:Fasec [tri]

RobertDecember 29th, 2008 at 9:53 pm

@jim try to do this:

1) go in safe mode (press f8 when windows start)
2) give permissions with regedt32
3) localize the keys:
HKLM\SOFTWARE\Classes\msqpdxvx
HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys

NOTE:
check also the possible presence of other registry keys as hans found other keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys

Then delete the keys and look if are present these files in the harddisk:

C:\DOCUME~1\user\LOCALS~1\Temp\jah30006.exe
C:\autorun.inf
C:\Program Files\homeview
C:\Program Files\homeview\Uninstall.exe
C:\Documents and Settings\user\Start Menu\Programs\homeview\Uninstall.lnk
C:\resycled\boot.com
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
C:\WINDOWS\system32\msqpdxosvnnrse.dll

If these files are present just delete them, now restart your PC and check (with the anti rootkit or manually with regedit) if the registry keys are present.

@Andy from the HiJackThis Log seem that your computer is clean, anyway try to scan your PC with Rootkit Revealer (you can find it here http://novirusthanks.org/blog/?p=16) and paste here the logs : )

-Robert

]]> By: Kris Williams http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/#comment-462 Kris Williams Thu, 08 Jan 2009 08:00:13 +0000 http://novirusthanks.org/blog/?p=526#comment-462 Thank you so much Simon, been searching for this answer for hours Thank you so much Simon, been searching for this answer for hours

]]> By: michi http://blog.novirusthanks.org/2008/12/fake-flash-player-and-trojan-dnschangergen/#comment-441 michi Tue, 06 Jan 2009 09:39:58 +0000 http://novirusthanks.org/blog/?p=526#comment-441 FOR ANYONE WITH THIS ISSUE: quickest way to get rid of this is COMBOFIX, works even when your system is not running anymore virus scanners. this virus took me three hours! good luck everyone FOR ANYONE WITH THIS ISSUE:

quickest way to get rid of this is COMBOFIX, works even when your system is not running anymore virus scanners.

this virus took me three hours!

good luck everyone

]]>