
fhexj6825097.exe Trojan Masquerades as Win32.Netsky.Q


Posted by reporting (Instructor, member since Dec 30, 2001, CA)
While searching the web, I must have picked this one up on some web page… At one point, my computer suddenly restarted!

I logged back in and saw a “Security Center Alert”:

To help protect your computer, Windows Firewall has blocked activity of harmful software.

Do you want to block this suspicious software?

Name: Win32.Netsky.Q
Risk Level: High
Description: Netsky.Q is a worm Trojan program that records keystrokes and takes screen shots of the computer, stealing personal financial information.

There were three buttons at the bottom: Keep Blocking, Unblock, and Enable Protection

Strangely enough, Keep Blocking and Unblock are grayed out. When I clicked on Enable Protection, it brought me to the following web site (entered as code because I didn't want it to be clickable...):
Code:
http://www.defender-review.com/?a=112
That was too weird for me (I expected Microsoft or something similar) so I rebooted my machine…

After logging in, I again received the Windows Firewall with “Win32.Netsky.Q” message. I looked up that virus and found that Symantec had a fix for it. I downloaded “FxNetsky.exe” from their web site and ran it on that machine.

I was very surprised when it found nothing! I started freaking out and, fearful that it would spread to other machines on our network, I unplugged the network cable for the infected computer.

We use Trend Micro here so I ran a manual scan of the Client/Server Security Agent on all of our machines! Fortunately, none of the others were infected!

On the infected machine, there were entries for TROJ_RENOS.EO, TSC_GENCLEAN, BKDR_TDSS.AU, BKDR_TDSS.AV, BKDR_TDSS.T, BKDR_TDSS.V, and TROJ_AGENT.WCF. TROJ_RENOS.EO & TSC_GENCLEAN were repeated again.

All were marked as cleaned or quarantined except TROJ_RENOS.EO. It was marked as “Virus successfully detected, but infected file cannot be quarantined.”

I rebooted the machine … and the Windows Firewall image with “Win32.Netsky.Q” message came back after logging in!

I ran the Client/Server Security Agent again ... with the same result. It was obviously not cleaning this Trojan off the machine…

It was getting late so I signed off for the day.

Yesterday before leaving to visit my client for the day, I turned off all the Run commands using MSCONFIG. After rebooting, no Windows Firewall with that “Win32.Netsky.Q” message! I knew I was on to something!

When I arrived back at the office late yesterday, I printed the screen shots I had taken yesterday. I decided to search for all files created yesterday. Using the time results from the scan, I took a close look at the files that were created 2008.12.14 @ 19:18: fhexj6825097.exe looked like the culprit…

I did a search in the registry and found this entry in HKEY_USERS\S-1-5-21-1604742963-1434321308-2771401211-500\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\windpipe: "C:\Documents and Settings\Administrator\Application Data\Google\fhexj6825097.exe" 2

I renamed it to “zzz windpipe”…

HKEY_USERS\S-1-5-21-1604742963-1434321308-2771401211-500\SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache had the path to “fhexj6825097.exe” as the name and the data was “fhexj6825097.exe”. I deleted that one…

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\windpipe contained a number of entries:
Command: "C:\Documents and Settings\Administrator\Application Data\Google\fhexj6825097.exe" 2
Hkey: HKCU
Item: fhexj6825097
… and so on!

I renamed the key to HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\zzz windpipe

C:\Documents and Settings\Administrator\Application Data\Google contained two directories: Gmail & Local Search History, and two files: fhexj6825097.exe and mjkdpl.dll. I figured that, if it really had something to do with Google or my GMail account, Google and/or GMail would recreate it.

Rebooted the machine after turning back on the Run commands … and it was gone! No more Windows Firewall with the “Win32.Netsky.Q” message!

What a relief! I didn’t have to reformat my primary desktop machine!

I called up Trend Micro and reported it. They told me it was new to them…

HTH someone out there in Tek-Tips land!

John Marrett
Crystal Reports Trainer & Consultant
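The post above did its persistence hunting by hand: MSConfig's startupreg list, the Run keys, the MUICache value, and a search for files created around the time the fake alert first appeared. The following PowerShell script is an added example that automates those same checks; it is not code from the original post or from Trend Micro. It assumes PowerShell 2.0 or later run as an administrator; the registry paths are the standard Windows locations, while the "suspect directory" pattern and the function names are my own choices.

```powershell
# Added example (not from the original post): triage the persistence locations the post
# walks through by hand. Assumes PowerShell 2.0+ on Windows XP or later, run elevated.
# Registry paths are standard; $suspectDir and the helper names are my own choices.

# Properties with these names are PowerShell's own annotations, not registry values.
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Legitimate startup programs rarely run from a user's roaming or temp directories;
# the post's fhexj6825097.exe sat in Application Data\Google.
$suspectDir = '(?i)\\(Application Data|Local Settings|Temp|Temporary Internet Files)\\'

function Get-AutorunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # MSConfig does not delete an entry you untick; it moves it under startupreg, which
    # is where the post found "windpipe". HKCU: is the logged-on user's HKEY_USERS\<SID>.
    $startupRegKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg',
        'HKCU:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }
            New-Object PSObject -Property @{
                Source = $key; Name = $p.Name; Command = [string]$p.Value
            }
        }
    }
    foreach ($key in $startupRegKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $props = Get-ItemProperty -Path $sub.PSPath   # values: command, hkey, item, key
            New-Object PSObject -Property @{
                Source = $key; Name = $sub.PSChildName; Command = [string]$props.command
            }
        }
    }
}

# MUICache stores display names keyed by the full path of programs the shell has run,
# so a value name pointing into Application Data is evidence the file was executed.
function Get-MuiCacheHits {
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache'
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if (($psNoise -notcontains $p.Name) -and ($p.Name -match $suspectDir)) { $p.Name }
    }
}

# The post's other lead was creation time: files written within minutes of the alert.
function Find-FilesCreatedNear {
    param([datetime]$When, [int]$Minutes = 5, [string]$Root = $env:APPDATA)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.PSIsContainer) -and
                       ([math]::Abs(($_.CreationTime - $When).TotalMinutes) -le $Minutes) } |
        Select-Object FullName, CreationTime, Length
}

Get-AutorunEntries | ForEach-Object {
    $flag = if ($_.Command -match $suspectDir) { 'SUSPECT' } else { '' }
    New-Object PSObject -Property @{
        Flag = $flag; Name = $_.Name; Command = $_.Command; Source = $_.Source
    }
} | Sort-Object Flag -Descending | Format-Table Flag, Name, Command -AutoSize -Wrap

Write-Host "`nMUICache entries run from user-profile directories:"
Get-MuiCacheHits

# Timestamp taken from the post (2008-12-14 19:18); substitute the time of your own alert.
Find-FilesCreatedNear -When (Get-Date '2008-12-14 19:18') -Minutes 10 | Format-Table -AutoSize
```

Two caveats before trusting the output. Anything flagged SUSPECT still has to be confirmed (hash it, check the publisher, look at the creation time) rather than deleted on sight, since some legitimate updaters do live under Application Data. More importantly, the Trend Micro scan in the post also hit BKDR_TDSS detections, and that family is a kernel-mode rootkit; a listing taken from the running system can therefore be incomplete, which is why the later replies in this thread recommend scanning from boot media rather than from the infected Windows.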
 
John,

thanks for that exhausting description of the problem and what fixed it for you...

now, I would have run CCleaner first (to clean out MUI cache, TEMP folders/files etc.) and then HiJackThis and looked at what it reported... can be downloaded from Trend Micro website...

fyi -
HKEY_USERS\S-1-5-21-1604742963-1434321308-2771401211-500\SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache
is actually the cache for places (url and local directories/files) visited...


and you can delete the said files from the subfolders under
C:\Documents and Settings\Administrator\Application Data\Google


PS: I hope you had sent TrendMicro a copy of the file, for them to analyze...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Thanks Ben. I called them up and asked why it missed it. It's a new one...

I'm in the training & consulting biz so I sent Trend a 6 pager with screen shots. Just got an e-mail back thanking me for my contribution in the fight against malware. As Trend doesn't have a user forum, I figured I would post here so that word would get out about this one!

I was unaware of CCleaner and HijackThis. I will add them to my system portfolio.

All the best,

John

John Marrett
Crystal Reports Trainer & Consultant
 
No problem, John...

CCleaner is a neat little tool to have, as it cleans out temp files and can do a lot more to keep the system up and running...

HiJackThis, is a tool that will look at almost all start ramps and nooks and crannies that the OS has, where malware will start from or hide... here you will need a bit of analytical skill to discern what is legit and what is not, with practice one can spot baddies from just reading the log... for the purpose of analyzing the LOG file, there is a great website that will do it for you, but be aware that it is only a guideline and people do make mistakes.

here is the website I mentioned:

PS: thanx for the star...

and all the best to you too...



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
I'm dealing with a problem that started this exact same way - Windows Firewall Netsky message and sudden reboot. Somehow it screwed with the DNS so if I try to go to any anti-malware sites or even Microsoft sites I am directed to 127.0.0.1. Any antivirus or antispyware software (HijackThis, Malwarebytes, Ad-Aware, etc.) will not install or if it is installed will not run or update. Windows is unable to update. I have been able to do some antivirus checks and some viruses were found and supposedly removed, but the problems continue. CCleaner did run but had no effect. I had Comodo installed at the time but apparently it didn't prevent infection. Anyhow, I am prepared to wipe the drive and reinstall Windows (it would have been much quicker than trying to solve the problems), but haven't out of sheer bullheadedness. Any ideas before I give up?

Dean
 
Somehow it screwed with the DNS so if I try to go to any anti-malware sites or even Microsoft sites I am directed to 127.0.0.1.
Sounds like your hosts file is hosed. This is usually found in C:\windows\System32\drivers\etc. It should look something like this if it is clean:
Code:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
Clear out all entries except the localhost line and try it again. If you set the file to read-only you might be able to get online long enough to download a program.


James P. Cottingham
I'm number 1,229!
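The reply above says what a clean hosts file looks like and to remove everything but the localhost line. The script below is an added example, not code from the reply, that parses a hosts file and reports every mapping other than localhost, so you can see at a glance whether vendor and update domains have been pointed at 127.0.0.1. It runs against a constructed sample embedded in the script (the hijacked entries are made up for illustration); the commented call at the end shows how to run it on the live file instead. It assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the reply above): list hosts-file mappings other than localhost.
# Assumes PowerShell 2.0+. The sample file below is constructed for illustration.

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#')[0].Trim()         # strip comments and blank lines
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }        # malformed line: no host name
        $ip = $fields[0]
        # One IP may be followed by several names on the same line.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{ IP = $ip; Host = $name; Raw = $line }
        }
    }
}

function Find-SuspiciousHostsEntries {
    param([string[]]$Lines)
    Get-HostsEntries -Lines $Lines | Where-Object {
        # The only expected mapping on XP is localhost -> 127.0.0.1 (::1 on newer Windows).
        -not (($_.Host -eq 'localhost') -and ($_.IP -eq '127.0.0.1' -or $_.IP -eq '::1'))
    }
}

# Constructed sample of a hijacked file: the vendor names are illustrative, not
# taken from a real infection.
$sample = @'
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       update.microsoft.com    # added by malware
'@ -split "`r?`n"

Find-SuspiciousHostsEntries -Lines $sample | Format-Table IP, Host -AutoSize

# To check the live file instead (note: some malware sets it hidden or read-only):
# $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Find-SuspiciousHostsEntries -Lines (Get-Content $hostsPath -Force)
```

A clean result, which is what Dean reports further down, does not rule out redirection; it only moves the problem elsewhere. The next things to check on a machine that sends security sites to 127.0.0.1 are the DNS servers configured on the adapter (`ipconfig /all`) and the Winsock catalog (`netsh winsock show catalog`), since a layered service provider inserted there can rewrite lookups without touching the hosts file, which is exactly what the `netsh winsock reset catalog` step suggested later in this thread undoes.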
 
Actually, the hosts file is the first thing I checked - no abnormal entries. System restore seems to have been hosed because there were available dates to restore to but none would work. Also I did a repair on the Windows installation from the XP CD - no help.
Dean
 
Most likely the winsocks got scrambled or bent...

in a CLI window (START >> RUN >> type CMD >> hit enter) type the following command:

netsh winsock reset catalog

also turning off Windows RESTORE is a start...

now I would go ahead and DL onto a USB stick, from a clean working PC, the following app and update it on there...

Portable ClamWin AV

place HiJackThis onto the same USB stick, and attempt to run it from there, alternatively (for both apps) run them from SAFE MODE...

and if that fails... take the updated ClamWin AV and integrate it onto a BartPE CD, and run the antiviral scan from there!!!

also worth a look, the bootable AntiViral CD from Avira...

Avira AntiVir Rescue System ISO (fifth (5th) link from the top)


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
I've got the same problem as Dean. Did anyone ever find a definite way to get rid of this? Two weeks of profanity has my throat sore.
 
If you can't update or run your normal antimalware tools under windows, try using this linux live CD to scan the system thread760-1521235
 
For anyone else who happens to be literally suffering through this, this is how to get rid of it:
First I went in and deleted the fhexj6825097 files. One was in the prefetch and another in the Google applications. Also in the Google applications is mjkdpl.dll which also needs to be deleted but I couldn't find it doing a search. I just happened to see it once inside the Google applications folder when deleting the other. I had to delete these from safe mode. This will stop the pesky Windows Firewall popup and stop the computer from locking up and you will also be able to get a browser to work but the URL hijacking will still be there. To stop that, I downloaded ComboFix from another computer. Once I saved it to the infected computer, I had to change the name before it would run. Once ComboFix runs the problem of the URL hijacking and antivirus programs not working should be solved.
 