Removed: C:\WINDOWS\system32\drivers\mrxcls.sys C:\WINDOWS\system32\drivers\mrxnet.sys (trojan Stuxnet)

I will tell you in this post how to fix the issue manually and how to clean it automatically using a special powerful removal tool. You can download the removal program for free here:

Malware: malware.exe

Removed: C:\WINDOWS\system32\drivers\mrxcls.sys
C:\WINDOWS\system32\drivers\mrxnet.sys

—————————————————————————————————————————-
Detected by UnHackMe in “Multi AntiVirus” mode:

MRXCLS.SYS
Default location: C:\WINDOWS\SYSTEM32\DRIVERS\MRXCLS.SYS
MD5: F8153747BAE8B4AE48837EE17172151E
SHA1: CB079302 9C60C0BD 059FF85D E956619F 7FDEB4FD
File Size: 26 616
Version Info:
OriginalFilename: MRXCLS.Sys
FileDescription: Windows NT CLS Minirdr
InternalName: MRxCls.sys
CompanyName: Microsoft Corporation
FileVersion: 5.1.2600.2902 (xpsp_sp2_gdr.060505-0036)
LegalCopyright: © Microsoft Corporation. All rights reserved.
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.2902

MRXNET.SYS
Default location: C:\WINDOWS\SYSTEM32\DRIVERS\MRXNET.SYS
MD5: CC1DB5360109DE3B857654297D262CA1
SHA1: 75824061 3C362BB1 FD13E07D 3D19F357 B7F8A6DA
File Size: 17 400
Version Info:
OriginalFilename: MRXNET.Sys
FileDescription: Windows NT NET Minirdr
InternalName: MRxCls.sys
CompanyName: Microsoft Corporation
FileVersion: 5.1.2600.2902 (xpsp_sp2_gdr.060505-0036)
LegalCopyright: © Microsoft Corporation. All rights reserved.
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.2902

After first reboot detected by UnHackMe:

Item Name: MRxCls
Author:
Related File: \??\C:\WINDOWS\system32\Drivers\mrxcls.sys
Type: Services detected by Partizan

Item Name: MRxNet
Author:
Related File: \??\C:\WINDOWS\system32\Drivers\mrxnet.sys
Type: Services detected by Partizan

Removal Results: Success
Number of reboots: 2

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKLM\System\CurrentControlSet\Services\MRxCls\Description
Value: “MRXCLS”

Registry: HKLM\System\CurrentControlSet\Services\MRxCls\ImagePath
Value: “\??\C:\WINDOWS\system32\Drivers\mrxcls.sys”

Registry: HKLM\System\CurrentControlSet\Services\MRxNet\Description
Value: “MRXNET”

Registry: HKLM\System\CurrentControlSet\Services\MRxNet\ImagePath
Value: “\??\C:\WINDOWS\system32\Drivers\mrxnet.sys”

Files:
C:\WINDOWS\system32\drivers\mrxcls.sys
C:\WINDOWS\system32\drivers\mrxnet.sys
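As an added example (not from the original post and not part of UnHackMe or RegRun), the following PowerShell script performs the checks listed above in read-only form: it looks for the two service keys and their ImagePath values, the matching LEGACY_ enumeration keys under Enum\Root, and the two driver files, and hashes any file it finds against the MD5/SHA1 values printed earlier in the post. Function names and the script structure are my own; the registry paths, file paths and hashes are the ones the post lists. It assumes an elevated PowerShell 2.0 or later session on the suspect host and uses .NET hashing directly because Get-FileHash only exists from PowerShell 4.0.

```powershell
# Added example (not part of the original post or UnHackMe): read-only triage
# for the host indicators listed in the post. It reads the registry and hashes
# files; it removes nothing.
# Assumption: run from an elevated PowerShell 2.0+ prompt on the suspect host.

# Indicators copied from the post (SHA1 values joined from the post's spaced groups).
$Indicators = @(
    @{
        Service   = 'MRxCls'
        ImagePath = '\??\C:\WINDOWS\system32\Drivers\mrxcls.sys'
        File      = 'C:\WINDOWS\system32\drivers\mrxcls.sys'
        MD5       = 'F8153747BAE8B4AE48837EE17172151E'
        SHA1      = 'CB0793029C60C0BD059FF85DE956619F7FDEB4FD'
    },
    @{
        Service   = 'MRxNet'
        ImagePath = '\??\C:\WINDOWS\system32\Drivers\mrxnet.sys'
        File      = 'C:\WINDOWS\system32\drivers\mrxnet.sys'
        MD5       = 'CC1DB5360109DE3B857654297D262CA1'
        SHA1      = '758240613C362BB1FD13E07D3D19F357B7F8A6DA'
    }
)

function Get-HexHash {
    param([string]$Path, [string]$Algorithm)
    # Get-FileHash appeared in PowerShell 4.0; .NET HashAlgorithm works on 2.0 as well.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $hasher.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-StuxnetDriverIndicators {
    $findings = @()
    foreach ($ioc in $Indicators) {
        # 1. Service key and its ImagePath (the post's "How to quickly detect" section).
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($ioc.Service)"
        if (Test-Path $svcKey) {
            $props = Get-ItemProperty -Path $svcKey
            $findings += "Service key present: $svcKey (ImagePath = $($props.ImagePath))"
            if ($props.ImagePath -eq $ioc.ImagePath) {
                $findings += "  ImagePath matches the value listed in the post"
            }
        }

        # 2. Legacy driver enumeration key created at install time (post's "Keys added" list).
        $enumKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($ioc.Service.ToUpper())"
        if (Test-Path $enumKey) {
            $findings += "Legacy driver enumeration key present: $enumKey"
        }

        # 3. Driver file on disk, hashed against the post's sample.
        if (Test-Path $ioc.File) {
            $md5  = Get-HexHash -Path $ioc.File -Algorithm 'MD5'
            $sha1 = Get-HexHash -Path $ioc.File -Algorithm 'SHA1'
            $findings += "File present: $($ioc.File) (MD5 $md5, SHA1 $sha1)"
            if ($md5 -eq $ioc.MD5 -and $sha1 -eq $ioc.SHA1) {
                $findings += "  hashes match the sample described in the post"
            } else {
                $findings += "  hashes differ from the post's sample; do not assume it is the same build, inspect further"
            }
            # The post's version info claims Microsoft as vendor and lists InternalName
            # 'MRxCls.sys' even for mrxnet.sys; print the fields so the mismatch is visible.
            $vi = (Get-Item $ioc.File).VersionInfo
            $findings += "  VersionInfo: CompanyName='$($vi.CompanyName)' OriginalFilename='$($vi.OriginalFilename)' InternalName='$($vi.InternalName)'"
        }
    }
    return $findings
}

# Wrap in @() so Count is defined even when the function returns nothing.
$result = @(Test-StuxnetDriverIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No Stuxnet driver indicators from the post were found.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

The script only reports; removal still goes through the tool the post recommends or the manual steps (deleting the two service keys, the LEGACY_ enumeration keys and the driver files, then rebooting). String comparison with -eq is case-insensitive in PowerShell, so the mixed-case hashes and paths from the post compare correctly.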

—————————————————————————————————————————-
Classification:

Antivirus   Version    Last Update   Result
Kaspersky   7.0.0.125  2010.07.20    Trojan-Dropper.Win32.Stuxnet.d
Microsoft   1.6004     2010.07.20    TrojanDropper:Win32/Stuxnet.A
NOD32       5295       2010.07.20    Win32/Stuxnet.A

—————————————————————————————————————————-
Additional information
File size: 517632 bytes
MD5 : 74ddc49a7c121a61b8d06c03f92d0c13
SHA1 : 0ccbc128dd8bf73dc7b3922fb67d26bbcdbcaa89
SHA256: 743e16b3ef4d39fc11c5e8ec890dcd29f034a6eca51be4f7fca6e23e60dbd7a1
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry subkeys, values and files:

———————————-
Keys added:6
———————————-
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000
HKLM\System\CurrentControlSet\Services\MRxCls
HKLM\System\CurrentControlSet\Services\MRxNet

———————————-
Values added:31
———————————-
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Service: “MRxCls”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Class: “LegacyDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: “MRXCLS”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Capabilities: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Service: “MRxNet”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Class: “LegacyDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: “MRXNET”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Capabilities: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Services\MRxCls\Description: “MRXCLS”
HKLM\System\CurrentControlSet\Services\MRxCls\DisplayName: “MRXCLS”
HKLM\System\CurrentControlSet\Services\MRxCls\ErrorControl: 0x00000000
HKLM\System\CurrentControlSet\Services\MRxCls\Group: “Network”
HKLM\System\CurrentControlSet\Services\MRxCls\ImagePath: “\??\C:\WINDOWS\system32\Drivers\mrxcls.sys”
HKLM\System\CurrentControlSet\Services\MRxCls\Start: 0x00000001
HKLM\System\CurrentControlSet\Services\MRxCls\Type: 0x00000001
HKLM\System\CurrentControlSet\Services\MRxCls\Data
HKLM\System\CurrentControlSet\Services\MRxNet\Description: “MRXNET”
HKLM\System\CurrentControlSet\Services\MRxNet\DisplayName: “MRXNET”
HKLM\System\CurrentControlSet\Services\MRxNet\ErrorControl: 0x00000000
HKLM\System\CurrentControlSet\Services\MRxNet\Group: “Network”
HKLM\System\CurrentControlSet\Services\MRxNet\ImagePath: “\??\C:\WINDOWS\system32\Drivers\mrxnet.sys”
HKLM\System\CurrentControlSet\Services\MRxNet\Start: 0x00000001
HKLM\System\CurrentControlSet\Services\MRxNet\Type: 0x00000001

———————————-
Files added:6
———————————-
C:\WINDOWS\inf\mdmcpq3.PNF
C:\WINDOWS\inf\mdmeric3.PNF
C:\WINDOWS\inf\oem6C.PNF
C:\WINDOWS\inf\oem7A.PNF
C:\WINDOWS\system32\drivers\mrxcls.sys
C:\WINDOWS\system32\drivers\mrxnet.sys

———————————-
Total changes:43
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


I use UnHackMe for cleaning ads and viruses from my friend's computers, because it is extremely fast and effective.

1. Download UnHackMe for free

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

Free Download

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000 to Windows 8.1/10, 32- or 64-bit. UnHackMe uses minimal computer resources.

2. Double click on UnHackMe_setup.exe

You will see a confirmation screen with the verified publisher: Greatis Software.

Once UnHackMe has installed, the first scan will start automatically.

3. Carefully review the detected threats!

Click the Remove button, or mark the item as a False Positive.

Enjoy!

  • admin

    In addition, the Stuxnet Trojan infects USB flash drives.

    It adds the following to USB devices:

    ~wtr4141.tmp – 25720-byte DLL

    ~wtr4132.tmp – 517632-byte executable

    Copy of Copy of Copy of Shortcut to.lnk

    The .lnk file is used to load ~wtr4141.tmp via a Microsoft shell vulnerability.

    ~wtr4132.tmp is the Trojan dropper. It extracts mrxnet.sys and mrxcls.sys and creates the registry service keys.

    ~wtr4141.tmp supports Windows Explorer and Total Commander (Wincmd).

  • http://balflear.wordpress.com Ferry CungCung

    It infects my computers too.

  • http://greatis.com/blog/ NightWatcher

    To remove the malware, use Shortcut Antivirus. http://greatis.com/security/shortcut_antivirus.ht