Removed: eapqec32.dll, efsadu32.dll, lsass.exe

February 9, 2010 by NightWatcher
Filed under: Malware 

Malware: update_for_media_player_(KB972036).exe
Removed: C:\WINDOWS\System32\eapqec32.dll
C:\WINDOWS\System32\efsadu32.dll
C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
—————————————————————————————————————————-
Classification:

Antivirus   Version       Last Update   Result
F-Secure    9.0.15370.0   2010.02.07    Suspicious:W32/Riskware!Online
Kaspersky   7.0.0.125     2010.02.07    P2P-Worm.Win32.Agent.xu
McAfee      5884          2010.02.06    -
Microsoft   1.5406        2010.02.07    -
NOD32       4844          2010.02.07    -

—————————————————————————————————————————-
Additional information
File size: 561664 bytes
MD5 : 7fced3cea42cb0f7f1dda7d7817d04eb
SHA1 : 2da02f20d420aeb75c81b5ced0971ce440e694fa
SHA256: 8218522f8676f187d8048f10f422028de4e6035fe77b3fee76cdfc09ef879175
—————————————————————————————————————————-
Installation
When the program is executed, it makes the following registry, file and folder changes:

———————————-
Keys added: 13
———————————-
HKLM\SOFTWARE\Classes\CLSID\{3E24BDF1-E690-4EDD-8885-608956891736}
HKLM\SOFTWARE\Classes\CLSID\{3E24BDF1-E690-4EDD-8885-608956891736}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{fa0dccd7-c14b-4980-806b-4307421a2211}
HKLM\SOFTWARE\Classes\.fsharproj
HKLM\SOFTWARE\Classes\.fsharproj\PersistentHandler
HKLM\SOFTWARE\Classes\Sxrqtupxsb
HKLM\SOFTWARE\Classes\Sxrqtupxsb\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E24BDF1-E690-4EDD-8885-608956891736}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ac332ff6777
HKCU\Software\Sxrqtupxsb
HKCU\Software\Sxrqtupxsb\CLSID

———————————-
Values added: 20
———————————-
HKLM\SOFTWARE\Classes\CLSID\{3E24BDF1-E690-4EDD-8885-608956891736}\InprocServer32\: "C:\WINDOWS\System32\efsadu32.dll"
HKLM\SOFTWARE\Classes\CLSID\{3E24BDF1-E690-4EDD-8885-608956891736}\InprocServer32\ThreadingModel: "Both"
HKLM\SOFTWARE\Classes\.fsharproj\PersistentHandler\: "{6cf66467-9c5b-4fa9-aa93-080c502719bf}"
HKLM\SOFTWARE\Classes\Sxrqtupxsb\CLSID\: "{fa0dccd7-c14b-4980-806b-4307421a2211}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ac332ff6: 70 1C 4D 84 59 A9 CA 01
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\RTHDBPL: 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 53 79 73 74 65 6D 50 72 6F 63 5C 6C 73 61 73 73 2E 65 78 65 00 3F 00 3F 6E 00 00 54 6E 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 00 3F 3F 6E 3F 00 3F 6E 00 00 00 00 01 00 3F 6E 00 00 01 00 00 3F 3F 3F 3F 6E 01 00 3F 6E 10 11
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ac332ff6777\DllName: "C:\WINDOWS\System32\eapqec32.dll"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ac332ff6777\Startup: "EventStartup"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe: "C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"
HKCU\Identities\Curr version: 31 33 00 3F 3F
HKCU\Identities\Last Date: 39 2D 32 2D 32 30 31 30 00 65 6D 50 72 6F 63 5C 6C 73 61 73 73 2E 65 78 65 00
HKCU\Identities\Send Inst: 6F 6B 00 3F 3F 3F 3F 3F 01 00 C5 3F 3F 3F 3F 12 C5 3F CE 3F 3F 12 24 02 3F
HKCU\Identities\Inst Date: 39 2D 32 2D 32 30 31 30 00 00 00 00 00 00 08 0A 3F 3F 3F 00 00 00 3F 12 00
HKCU\Identities\Popup count: 30 00 3F 12 3F 12 3F 00 3F 3F 00 00 00 00 4D 00 3F 12 3F 3F 4D 00 02 00 3F
HKCU\Identities\Popup time: 30 00 00 41 3F 12 3F 3F 00 00 00 00 3F 12 C5 3F CE 3F 3F 00 3F 12 3F 12 3F
HKCU\Identities\Popup date: 30 00 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41
HKCU\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default: F1 BD 24 3E 90 E6 DD 4E 88 85 60 89 56 89 17 36
HKCU\Software\Microsoft\Internet Explorer\Main\ToolBarPosition: 0x4B710EB9
HKCU\Software\Sxrqtupxsb\CLSID\: "{fa0dccd7-c14b-4980-806b-4307421a2211}"

———————————-
Values modified: 4 (each value is listed before and after the change)
———————————-
HKLM\SOFTWARE\Microsoft\DrWatson\NumberOfCrashes: 0x00000000
HKLM\SOFTWARE\Microsoft\DrWatson\NumberOfCrashes: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: ""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "C:\WINDOWS\System32\eapqec32.dll"

———————————-
Files added: 34
———————————-
C:\Documents and Settings\Administrator\Application Data\0200000072c17529777C.manifest
C:\Documents and Settings\Administrator\Application Data\0200000072c17529777O.manifest
C:\Documents and Settings\Administrator\Application Data\0200000072c17529777P.manifest
C:\Documents and Settings\Administrator\Application Data\0200000072c17529777S.manifest
C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\2086895526
C:\WINDOWS\system32\741552118
C:\WINDOWS\system32\eapqec32.dll
C:\WINDOWS\system32\efsadu32.dll
C:\WINDOWS\system32\SysWoW32\mi1986622892v4
C:\WINDOWS\system32\SysWoW32\mi1986622892v4.kwd
C:\WINDOWS\system32\SysWoW32\mi1986622892v6
C:\WINDOWS\system32\SysWoW32\mi1986622892v6.kwd
C:\WINDOWS\system32\SysWoW32\mi1986622892v7
C:\WINDOWS\system32\SysWoW32\mi1986622892v7.kwd
C:\WINDOWS\system32\SysWoW32\mu1986622892v5
C:\WINDOWS\system32\SysWoW32\mu1986622892v5.kwd
C:\WINDOWS\system32\SysWoW32\wu1986622892v0
C:\WINDOWS\system32\SysWoW32\wu1986622892v0.kwd
C:\WINDOWS\system32\SysWoW32\wu1986622892v1
C:\WINDOWS\system32\SysWoW32\wu1986622892v1.kwd
C:\WINDOWS\system32\SysWoW32\wu1986622892v2
C:\WINDOWS\system32\SysWoW32\wu1986622892v2.kwd
C:\WINDOWS\system32\SysWoW32\wu1986622892v3
C:\WINDOWS\system32\SysWoW32\wu1986622892v3.kwd
C:\WINDOWS\system32\SysWoW32\_u1986622892v0
C:\WINDOWS\system32\SysWoW32\_u1986622892v1
C:\WINDOWS\system32\unrar.exe

———————————-
Files [attributes?] modified: 3
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

———————————-
Folders added: 7
———————————-
C:\Documents and Settings\Administrator\Application Data\SystemProc
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content
C:\WINDOWS\system32\503400593
C:\WINDOWS\system32\SysWoW32

———————————-
Total changes: 81
———————————-

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: ac332ff6777
Author:
Related File: C:\WINDOWS\System32\eapqec32.dll
Type: Winlogon Notification

Item Name: AppInit_DLLs
Author: Unknown
Related File: C:\WINDOWS\System32\eapqec32.dll
Type: List of Injected DLLs

Item Name: {3E24BDF1-E690-4EDD-8885-608956891736}
Author: Unknown
Related File: C:\WINDOWS\System32\efsadu32.dll
Type: Browser Helper Objects

Item Name: RTHDBPL
Author: Unknown
Related File: C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
Type: Explorer Run

Item Name: lsass.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SYSTEMPROC\LSASS.EXE
Type: Running Processes

Removal Results: Success
Number of reboots: 1
—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com
