Removed: clspackxq.exe, wscsvc32.exe
Malware: C:\sand-box\eH91f19c35V0100f070006R42f94ddd102Tdad788d5201l001d.exe
Removed: C:\Documents and Settings\Administrator\Local Settings\Temp\clspackxq.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wscsvc32.exe
—————————————————————————————————————————-
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2009.12.14 | - |
| Kaspersky | 7.0.0.125 | 2009.12.14 | Packed.Win32.TDSS.aa |
| Microsoft | 1.5302 | 2009.12.14 | Trojan:Win32/Alureon.DA |
| NOD32 | 4687 | 2009.12.14 | a variant of Win32/Kryptik.BIM |
| Symantec | 1.4.4.12 | 2009.12.14 | - |
—————————————————————————————————————————-
Additional information
File size: 16896 bytes
MD5 : 8baf31f01e6417acc07f65340b3171a2
SHA1 : 0922e5daf9bf32c67e7ea8be52dcedcc119655e4
SHA256: 3328be17706bf33b0fc37ff2af7d680f02cd7352b1c6f3080d8c0ebbe34006d2
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry subkeys and values:
———————————-
Keys added:1
———————————-
HKCU\Software\Mozilla
———————————-
Values added:6
———————————-
HKCU\Software\eee0bd2f-ff2e-46ef-83fb-d4fda84462a3: ""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\clspackxq.exe: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\clspackxq.exe"
HKCU\Software\Mozilla\affid: "216"
HKCU\Software\Mozilla\subid: "new"
HKCU\Software\Mozilla\itime: E0 68 98 FD 9A 7D CA 01
HKCU\Software\Mozilla\ver: "1.0"
———————————-
Values modified:4
———————————-
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000004
———————————-
Files added:4
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\clspackxq.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\H8SRTf712.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\H8SRTfaea.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\wscsvc32.exe
———————————-
Files deleted:1
———————————-
C:\sand-box\eH91f19c35V0100f070006R42f94ddd102Tdad788d5201l001d.exe
———————————-
Total changes:16
———————————-
—————————————————————————————————————————-
Detected by UnHackMe:
Item Name: wscsvc32.exe
Author: Microsoft Corporation
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\WSCSVC32.EXE
Type: Running Processes
Item Name: clspackxq.exe
Author: Microsoft Corporation
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\clspackxq.exe
Type: Registry Run
Item Name: clspackxq.exe
Author: Microsoft Corporation
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\CLSPACKXQ.EXE
Type: Running Processes
Removal Results: Success
Number of reboot: 1
—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com
Comments
One Comment on Removed: clspackxq.exe, wscsvc32.exe
MChase on
Mon, 21st Dec 2009 2:30 am
I had Antimalware 2009. This helped a lot to get rid of it, but the virus made changes to the registry that prevent programs like Spybot, adware, and Malwarebytes from working or downloading. Somehow Antimalware 2009 hijacked my laptop touch pad pointing device; when I try to download these or use them it locks up the screen and I have to reboot. I've updated the touch pad pointing device driver but the computer still locks up when trying to access these programs. My antivirus program is running and updated but does not detect any problems.
Antimalware 2009 also deleted my restore points on my registry backup program that's built into the computer, so I can revert to a previous date that my registry was saved on.