msghqu.exe - Dangerous

msghqu.exe

Manual removal instructions:

Antivirus Report of msghqu.exe:
msghqu.exe Malware
msghqu.exeDangerous
msghqu.exeHigh Risk
msghqu.exe
We suggest you to remove msghqu.exe from your computer as soon as possible.
Msghqu.exe is Trojan/Backdoor.
Kill the process msghqu.exe and remove msghqu.exe from Windows startup.

File: winres.exe (C:\sand-box\winres.exe)

Classification:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.07.01 Win32:VB-LYG
AVG 8.5.0.386 2009.07.01 -
BitDefender 7.2 2009.07.02 -
Comodo 1537 2009.07.01 -
DrWeb 5.0.0.12182 2009.07.02 -
F-Secure 8.0.14470.0 2009.07.02 -
Kaspersky 7.0.0.125 2009.07.02 -
Microsoft 1.4803 2009.07.01 -
NOD32 4206 2009.07.02 -
Symantec 1.4.4.12 2009.07.02 -

Additional information
File size: 127488 bytes
MD5 : 2dcdb1fe16a317288940254d90268696
SHA1 : 21dbb76d8d9fb71e632ec5d6e97fbe9aa73efde1

Installation
When the program is executed, it creates the following registry subkeys and values:

----------------------------------
Keys added:10
----------------------------------
HKLM\SOFTWARE\Classes\csfile
HKLM\SOFTWARE\Classes\csfile\DefaultIcon
HKLM\SOFTWARE\Classes\csfile\shell
HKLM\SOFTWARE\Classes\csfile\shell\open
HKLM\SOFTWARE\Classes\csfile\shell\open\command
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Extensions
HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping

----------------------------------
Values deleted:0
----------------------------------

----------------------------------
Values added:12
----------------------------------
HKLM\SOFTWARE\Classes\csfile\shell\open\command\: "C:\WINDOWS\system32\msbffc.exe "%1" %*"
HKLM\SOFTWARE\Classes\csfile\DefaultIcon\: "%1"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest: "yes"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS\CheckedValue: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\exec: "C:\WINDOWS\system32\msiwoe.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\fonts\services.exe: "C:\WINDOWS\fonts\services.exe:*:Enabled:services.exe"
HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{e2e2dd38-d088-4134-82b7-f2ba38496583}: 0x00002000
HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\NextId: 0x00002001
HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest: "yes"
HKCU\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE: "yes"
HKCU\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error: "no"

----------------------------------
Values modified:24
----------------------------------
HKLM\SOFTWARE\Classes\.bat\: "batfile"
HKLM\SOFTWARE\Classes\.bat\: "csfile"
HKLM\SOFTWARE\Classes\.com\: "comfile"
HKLM\SOFTWARE\Classes\.com\: "csfile"
HKLM\SOFTWARE\Classes\.exe\: "exefile"
HKLM\SOFTWARE\Classes\.exe\: "csfile"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\: "C:\WINDOWS\system32\mswinsck.ocx"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\: "C:\WINDOWS\system32\MSWINSCK.OCX"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\: "C:\WINDOWS\system32\mswinsck.ocx, 1"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\: "C:\WINDOWS\system32\MSWINSCK.OCX, 1"
HKLM\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\: "C:\WINDOWS\system32\mswinsck.ocx"
HKLM\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\: "C:\WINDOWS\system32\MSWINSCK.OCX"
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\: "C:\WINDOWS\system32\mswinsck.ocx"
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\: "C:\WINDOWS\system32\MSWINSCK.OCX"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto: "1"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto: "0"
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current\: "%SystemRoot%\media\Windows Navigation Start.wav"
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current\: ""
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: "C:\WINDOWS\system32\msghqu.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run: ""
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run: "C:\WINDOWS\system32\msbkn.exe"

----------------------------------
Files added:14
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF17EF.tmp
C:\WINDOWS\Fonts\cooecp.tlb
C:\WINDOWS\Fonts\logcde.dll
C:\WINDOWS\Fonts\services.exe
C:\WINDOWS\Fonts\windef.dll
C:\WINDOWS\Fonts\windef.Log
C:\WINDOWS\Fonts\winpaged.ocx
C:\WINDOWS\system32\msbffc.exe
C:\WINDOWS\system32\msbnz.exe
C:\WINDOWS\system32\mscquw.exe
C:\WINDOWS\system32\msghqu.exe
C:\WINDOWS\system32\msiwoe.exe
C:\WINDOWS\system32\mswub.exe
C:\WINDOWS\system32\mswvrsxk.exe

----------------------------------
Files deleted:1
----------------------------------
C:\sand-box\winres.exe

----------------------------------
Files [attributes?] modified:1
----------------------------------
C:\WINDOWS\system32\wbem\Logs\wbemcore.log

----------------------------------
Folders added:0
----------------------------------

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Total changes:62
----------------------------------

-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: .exe
Author: Unknown
Related File: C:\WINDOWS\system32\mscwbky.exe "%1" %*
Type: Main File Extensions

Item Name: .com
Author: Unknown
Related File: C:\WINDOWS\system32\mscwbky.exe "%1" %*
Type: Main File Extensions

Item Name: .bat
Author: Unknown
Related File: C:\WINDOWS\system32\mscwbky.exe "%1" %*
Type: Main File Extensions

Item Name: exec
Author: -
Related File: C:\WINDOWS\system32\msabyxfx.exe
Type: Explorer Run

Item Name: load
Author: Unknown
Related File: C:\WINDOWS\system32\msqslx.exe
Type: Win.ini

Item Name: run
Author: Unknown
Related File: C:\WINDOWS\system32\mspqctl.exe
Type: Win.ini

Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)

Remove msghqu.exe now!

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.

Since that time I work every day to fix the issues that antiviruses cannot.

If your antivirus have not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.

Testimonials

You can read UnHackMe testimonials here.