Removed: C:\WINDOWS\system32\drivers\mrxcls.sys C:\WINDOWS\system32\drivers\mrxnet.sys (trojan Stuxnet)

This post explains how to fix the issue manually (which registry keys and files to check) and how to clean it automatically with a dedicated removal tool. You can download the removal program for free using the steps at the end of this post.

Malware: malware.exe

Removed: C:\WINDOWS\system32\drivers\mrxcls.sys
C:\WINDOWS\system32\drivers\mrxnet.sys

—————————————————————————————————————————-
Detected by UnHackMe in “Multi AntiVirus” mode:

MRXCLS.SYS
Default location: C:\WINDOWS\SYSTEM32\DRIVERS\MRXCLS.SYS
MD5: F8153747BAE8B4AE48837EE17172151E
SHA1: CB0793029C60C0BD059FF85DE956619F7FDEB4FD
File Size: 26,616 bytes
Version Info:
OriginalFilename: MRXCLS.Sys
FileDescription: Windows NT CLS Minirdr
InternalName: MRxCls.sys
CompanyName: Microsoft Corporation
FileVersion: 5.1.2600.2902 (xpsp_sp2_gdr.060505-0036)
LegalCopyright: © Microsoft Corporation. All rights reserved.
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.2902

MRXNET.SYS
Default location: C:\WINDOWS\SYSTEM32\DRIVERS\MRXNET.SYS
MD5: CC1DB5360109DE3B857654297D262CA1
SHA1: 758240613C362BB1FD13E07D3D19F357B7F8A6DA
File Size: 17,400 bytes
Version Info:
OriginalFilename: MRXNET.Sys
FileDescription: Windows NT NET Minirdr
InternalName: MRxCls.sys
CompanyName: Microsoft Corporation
FileVersion: 5.1.2600.2902 (xpsp_sp2_gdr.060505-0036)
LegalCopyright: © Microsoft Corporation. All rights reserved.
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.2902



People say

Visitor post

After first reboot detected by UnHackMe:

Item Name: MRxCls
Author:
Related File: \??\C:\WINDOWS\system32\Drivers\mrxcls.sys
Type: Services detected by Partizan

Item Name: MRxNet
Author:
Related File: \??\C:\WINDOWS\system32\Drivers\mrxnet.sys
Type: Services detected by Partizan

Removal Results: Success
Number of reboot: 2

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKLM\System\CurrentControlSet\Services\MRxCls\Description
Value: “MRXCLS”

Registry: HKLM\System\CurrentControlSet\Services\MRxCls\ImagePath
Value: “\??\C:\WINDOWS\system32\Drivers\mrxcls.sys”

Registry: HKLM\System\CurrentControlSet\Services\MRxNet\Description
Value: “MRXNET”

Registry: HKLM\System\CurrentControlSet\Services\MRxNet\ImagePath
Value: “\??\C:\WINDOWS\system32\Drivers\mrxnet.sys”

Files:
C:\WINDOWS\system32\drivers\mrxcls.sys
C:\WINDOWS\system32\drivers\mrxnet.sys
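The checks above (service keys, driver files) can be automated. The script below is an added example written for this post; it is not code from the original article or from UnHackMe. It assumes an elevated PowerShell session on the suspect host, uses $env:SystemRoot instead of the hard-coded C:\WINDOWS, and compares the file hashes against the MD5/SHA1 values in the report above. Note that the version resource claiming "Microsoft Corporation" is attacker-controlled and proves nothing; the Authenticode signer is what to look at.

```powershell
# Added example (not part of the original post): look for the Stuxnet mrxcls/mrxnet
# driver services, files and legacy device entries, and compare hashes with the report.
# Assumptions: run elevated; the LEGACY_* keys under Enum\Root are ACLed to SYSTEM by
# default, so they are only readable when run as SYSTEM (e.g. via psexec -s).

$Drivers = @{
    'MRxCls' = @{ MD5 = 'F8153747BAE8B4AE48837EE17172151E'; SHA1 = 'CB0793029C60C0BD059FF85DE956619F7FDEB4FD' }
    'MRxNet' = @{ MD5 = 'CC1DB5360109DE3B857654297D262CA1'; SHA1 = '758240613C362BB1FD13E07D3D19F357B7F8A6DA' }
}

function Get-Hash([string]$Path, [string]$Algorithm) {
    # .NET hashing works on PowerShell 2.0 too (Get-FileHash needs 4.0+)
    $algo = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($algo.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $stream.Close() }
}

$findings = @()
foreach ($svc in $Drivers.Keys) {
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $file = Join-Path $env:SystemRoot "system32\drivers\$svc.sys"

    if (Test-Path $key) {
        $props = Get-ItemProperty $key
        # Start=1 (SYSTEM_START) and Type=1 (kernel driver) match the report above
        $findings += "Service key present: $key (ImagePath=$($props.ImagePath), Start=$($props.Start), Type=$($props.Type))"
    }
    if (Test-Path $file) {
        $md5   = Get-Hash $file 'MD5'
        $sha1  = Get-Hash $file 'SHA1'
        $match = ($md5 -eq $Drivers[$svc].MD5) -and ($sha1 -eq $Drivers[$svc].SHA1)
        # The PE version info says "Microsoft Corporation"; the signer is what counts
        $signer = (Get-AuthenticodeSignature $file).SignerCertificate.Subject
        $findings += "File present: $file MD5=$md5 SHA1=$sha1 (matches report: $match) signer: $signer"
    }
}

# The dropper's LEGACY_MRXCLS/LEGACY_MRXNET device entries can survive after the
# service keys are deleted, so check them as well (readable as SYSTEM only).
foreach ($legacy in 'LEGACY_MRXCLS', 'LEGACY_MRXNET') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\$legacy"
    if (Test-Path $key -ErrorAction SilentlyContinue) { $findings += "Legacy device entry present: $key" }
}

if ($findings.Count -eq 0) { 'No Stuxnet mrxcls/mrxnet indicators found.' } else { $findings }
```

A hash mismatch with a file still present means a different build of the driver, not a clean host; treat the presence of the service key or the file as the indicator and keep the sample for analysis.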

—————————————————————————————————————————-
Classification:

Antivirus   Version     Last Update   Result
Kaspersky   7.0.0.125   2010.07.20    Trojan-Dropper.Win32.Stuxnet.d
Microsoft   1.6004      2010.07.20    TrojanDropper:Win32/Stuxnet.A
NOD32       5295        2010.07.20    Win32/Stuxnet.A

—————————————————————————————————————————-
Additional information (dropper sample)
File size: 517632 bytes
MD5 : 74ddc49a7c121a61b8d06c03f92d0c13
SHA1 : 0ccbc128dd8bf73dc7b3922fb67d26bbcdbcaa89
SHA256: 743e16b3ef4d39fc11c5e8ec890dcd29f034a6eca51be4f7fca6e23e60dbd7a1
—————————————————————————————————————————-
Installation
When the dropper is executed, it creates the following registry keys, registry values and files:

———————————-
Keys added: 6
———————————-
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000
HKLM\System\CurrentControlSet\Services\MRxCls
HKLM\System\CurrentControlSet\Services\MRxNet

———————————-
Values added: 31
———————————-
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Service: “MRxCls”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Class: “LegacyDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: “MRXCLS”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Capabilities: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Service: “MRxNet”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Class: “LegacyDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: “MRXNET”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Capabilities: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Services\MRxCls\Description: “MRXCLS”
HKLM\System\CurrentControlSet\Services\MRxCls\DisplayName: “MRXCLS”
HKLM\System\CurrentControlSet\Services\MRxCls\ErrorControl: 0x00000000
HKLM\System\CurrentControlSet\Services\MRxCls\Group: “Network”
HKLM\System\CurrentControlSet\Services\MRxCls\ImagePath: “\??\C:\WINDOWS\system32\Drivers\mrxcls.sys”
HKLM\System\CurrentControlSet\Services\MRxCls\Start: 0x00000001
HKLM\System\CurrentControlSet\Services\MRxCls\Type: 0x00000001
HKLM\System\CurrentControlSet\Services\MRxCls\Data: 8F 1F F7 6D 7D B1 C9 09 9D CC 24 7A C6 9F FB 23 90 BD 9D BF F1 D4 51 92 2A B4 1F 6A 2E A6 4F B3 CB 69 7C 0B 92 3B 1B C0 D7 75 17 A9 E3 33 48 DC AD F6 DA EA 2F 87 10 C4 21 81 A5 75 68 00 2E B1 C2 7B EB DD BB 72 47 DC 87 91 14 A5 F3 C4 32 B0 CC 93 38 36 6B 49 0A F2 6F 1F 1D A1 4A 15 05 80 4B 13 A8 AA 82 41 4B 89 DC 89 24 A2 ED 16 37 F3 42 A9 A0 6A 7F 82 CD 90 E5 3C 49 CC B2 97 CA CB 7B 64 C1 48 B2 4C F5 AE 54 42 74 0F 00 31 FD 80 E8 7E 0E 69 12 42 3A EC 0F 6F 03 B8 46 9C 68 97 AC 62 16 FB 1A 1B D9 33 6C E8 F9 93 C3 56 54 A1 89 7A 7B 77 CE BA 0D 95 A7 0F AB 5E 1C 3C 18 63 AE 3E 60 A6 81 BC FA 85 FB 37 A0 0A 57 F9 C9 D3 CF 6B 41 D9 6D CD 39 71 C5 11 83 F1 D9 F3 7D B7 91 F7 70 46 C2 24 F7 B9 0F 2D B2 60 72 1C 8F F9 98 16 34 52 4B 7D 5F 81 5F 35 FD 8B 3E 78 B1 0B 0A 90 5A D8 30 5A 56 90 9A C0 C1 0F EB 95 D5 2F B7 C5 8D 2B 3F 49 41 8B 86 B4 DB 71 67 69 E6 E8 69 77 29 77 18 82 11 8B D7 5D 26 E4 5A 5C 2C 46 C2 F0 02 28 D8 EA 4B 95 9C 3A 3C 12 DA C4 87 21 91 4F D0 6E FA C4 DD B7 C9 AF E2 AE FE 14 0F 53 C4 BA DD 31 1A 38 7B 37 C0 9E 83 FF 2C B2 4C 88 33 C1 89 E5 CA 68 31 2D 20 CE 50 64 7B 39 C7 FB B1 9F A9 0D 6C 2A 82 AE 7F 25 43 A7 A2 28 EB 27 73 C9 45 F9 FD 53 A8 F4 A7 FD B4 90 B2 28 D8 0C 5A A8 84 D0 7F ED 99 25 18 FE B8 4C 48 66 8D 59 40 F6 CC 30 A6 F4 04 E8 76 9C EA 0E F6 A4 4A CE D2
HKLM\System\CurrentControlSet\Services\MRxNet\Description: “MRXNET”
HKLM\System\CurrentControlSet\Services\MRxNet\DisplayName: “MRXNET”
HKLM\System\CurrentControlSet\Services\MRxNet\ErrorControl: 0x00000000
HKLM\System\CurrentControlSet\Services\MRxNet\Group: “Network”
HKLM\System\CurrentControlSet\Services\MRxNet\ImagePath: “\??\C:\WINDOWS\system32\Drivers\mrxnet.sys”
HKLM\System\CurrentControlSet\Services\MRxNet\Start: 0x00000001
HKLM\System\CurrentControlSet\Services\MRxNet\Type: 0x00000001

———————————-
Files added: 6
———————————-
C:\WINDOWS\inf\mdmcpq3.PNF
C:\WINDOWS\inf\mdmeric3.PNF
C:\WINDOWS\inf\oem6C.PNF
C:\WINDOWS\inf\oem7A.PNF
C:\WINDOWS\system32\drivers\mrxcls.sys
C:\WINDOWS\system32\drivers\mrxnet.sys

———————————-
Total changes: 43
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


I use UnHackMe for cleaning ads and viruses from my friend's computers, because it is extremely fast and effective.




STEP 1: Download UnHackMe for free

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

Free Download

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10 32 or 64-bit. UnHackMe uses minimum of computer resources.

STEP 2: Double click on UnHackMe_setup.exe

You will see a confirmation screen with the verified publisher: Greatis Software.

Once UnHackMe has installed the first Scan will start automatically

STEP 3: Carefully review the detected threats!

Click Remove button or False Positive.

Enjoy!

  • admin

    In addition the Stuxnet Trojan infects USB flash.

    It adds to the USB devices:

    ~wtr4141.tmp – 25720 bytes DLL

    ~wtr4132.tmp – 517632 bytes Executable

    Copy of Copy of Copy of Shortcut to.lnk

    The "lnk" file is used for loading the ~wtr4141.tmp using Microsoft shell vulnerability.

    ~wtr4132.tmp is the Trojan dropper. It extracts mrxnet.sys and mrxcls.sys and creates the registry services keys.

    The ~wtr4141.tmp supports Windows Explorer and Total Commander (Wincmd).
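The USB artifacts listed in the comment above can be checked with the following added PowerShell script; it is example code written for this page, not the commenter's or UnHackMe's. It assumes the file names and byte sizes given in the comment, uses the WMI DriveType 2 filter to pick removable drives, and generalizes the single .lnk name to any shortcut matching the "Copy of ... Shortcut to.lnk" naming pattern. Because the drivers hide these files on an infected host, run it from a clean machine or after the drivers have been removed.

```powershell
# Added example (not part of the original post or the comment): scan removable drives
# for the Stuxnet USB propagation files named in the comment above.
# Assumptions: sizes are the byte counts from the comment; -Force is used because
# the dropper sets hidden/system attributes on the files it writes to the drive.

$Artifacts = @(
    @{ Name = '~wtr4141.tmp'; Size = 25720 },   # DLL loaded through the .lnk
    @{ Name = '~wtr4132.tmp'; Size = 517632 },  # dropper executable
    @{ Name = 'Copy of Copy of Copy of Shortcut to.lnk'; Size = $null }
)

function Find-StuxnetUsbArtifacts {
    # DriveType 2 = removable disk (Win32_LogicalDisk); works on PowerShell 2.0+
    $removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $removable) {
        $root = "$($drive.DeviceID)\"
        foreach ($a in $Artifacts) {
            $path = "$root$($a.Name)"
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if ($item) {
                if ($null -ne $a.Size) { "$path  size=$($item.Length) expected=$($a.Size)" }
                else                   { "$path  size=$($item.Length)" }
            }
        }
        # Generalization (assumption): any shortcut in the drive root following the
        # 'Copy of ... Shortcut to.lnk' pattern is worth reporting, not just the name above.
        Get-ChildItem -LiteralPath $root -Force -Filter '*.lnk' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'Copy of*Shortcut to.lnk' } |
            ForEach-Object { "$($_.FullName)  (shortcut matching the Stuxnet naming pattern)" }
    }
}

Find-StuxnetUsbArtifacts
```

Do not open a reported drive in Explorer on an unpatched machine: merely rendering the shortcut's icon is what loads the DLL, so collect the files with a command-line copy from a clean host instead.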

  • http://balflear.wordpress.com Ferry CungCung

    It infect my computers too..

  • http://greatis.com/blog/ NightWatcher

    To remove the malware, use Shortcut Antivirus. http://greatis.com/security/shortcut_antivirus.ht