BleepingComputer.com: Ssearch.biz and a-search.biz Analysis


Ssearch.biz and a-search.biz Analysis XP Analysis

#1 Grinler (Group: Admin)
Posted 28 September 2004 - 04:03 PM

This info below applies to Windows XP/2000/2003 only.

Note: This has now morphed to redirect you to a-search.biz

An example log can be found here: http://www.bleepingcomputer.com/forums/ind...1973&hl=ssearch

You can recognize this infection if they get redirected to ssearch.biz and they have this in their log:

Quote

O4 - HKLM\..\Run: [Cache] C:\Documents and Settings\Edited Name\qcache.exe
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\KNQTWZ]`.dll


It installs a service that has the name of pnpsvc. The service cannot be shut down by conventional means such as through the Services control panel. This service also loads in both forms of Safe Mode (network and standard).

It uses a random named file which I have found to be in c:\windows\system32. It also creates a file called pnpservice.inf in the c:\windows\system32 directory. I am unsure what that is for.

An example file is:

KNQTWZ]`.dll with an MD5 of 2613F9159CF2AF041BA9B04282E601F4.

It downloads the file and saves the info file in c:\winnt\system32\ as pnpsvc.inf with the readonly attribute set.

pnpsvc.inf has an MD5 of: B8AA580284B94670D5B020929837575D

It creates the following registry keys:

Quote

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\\netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SafeBoot\Minimal\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SafeBoot\Network\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\\Sources
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\Eventlog\Application\\Sources
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\EventLog\Application\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\Eventlog\Application\\Sources
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\EventLog\Application\PNPSVC


It also adds a bunch of domains and IP addresses to the ZoneMap entries.

The service monitors itself and recreates the registry entries if you remove them.
The legacy keys will need a permission change in order to delete them.

It downloads a UPX-packed version of MYIE that has been altered to open to a porn site located at 206.161.124.180. It saves this file in your profile root as qcache.exe and creates a run entry in the registry like this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Cache

This file also adds itself to HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

Qcache.exe has an MD5 of 6186B3CEC1D8BE225D3B41E690D6E205.

To remove it I have the user follow these steps if they are complaining about ssearch.biz redirects:

1. Get a list of their services. If you see a service name of pnpsvc with a display name of Plug and Play svc service, then they have this hijacker. Also have them fix and delete the qcache.exe entry. It won't come back on its own.

2. Find out the name of the dll by having them check the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters\\ServiceDll

3. Have them add the filename found in step 2 to the HijackThis delete-on-reboot tool and let HijackThis reboot the computer.

4. If the file is gone on completion, have them run a regfile to remove the various entries for the service. Regedit/Rlite for the LEGACIES.

Then they should be clean. Hope this helps some of you as it was driving me nuts.



This is a self-help guide. Use at your own risk.


BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

This post has been edited by Grinler: 03 November 2004 - 10:21 AM
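As an added example (not part of the original post or of HijackThis), the following script applies the post's recognition rules to HijackThis log lines: the O4 Run entry named [Cache] pointing at qcache.exe, an O18 'start' protocol handler loaded from a DLL other than the usual one, any line mentioning the pnpsvc service, and the three MD5s the post reports. The sample log lines other than the two quoted in the post are constructed, and the assumption that mshtml.dll is the legitimate 'start' handler on a clean XP box should be verified locally.

```python
import hashlib
import re

# MD5s reported in the post for the dropped files (hash -> label).
KNOWN_BAD_MD5 = {
    "2613f9159cf2af041ba9b04282e601f4": "random-named service DLL",
    "b8aa580284b94670d5b020929837575d": "pnpsvc.inf",
    "6186b3cec1d8be225d3b41e690d6e205": "qcache.exe (altered MYIE)",
}
# Assumption: on a clean XP box the 'start' protocol handler is mshtml.dll.
LEGIT_START_HANDLERS = {"mshtml.dll"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O18_RE = re.compile(r"^O18 - Protocol: (?P<proto>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def check_line(line):
    """Return a finding for one HijackThis log line, or None if it does not match this hijacker."""
    line = line.strip()
    m = O4_RE.match(line)
    if m and m["name"].lower() == "cache" and m["path"].lower().endswith("qcache.exe"):
        return f"O4 Run entry [Cache] -> {m['path']} (altered MYIE browser)"
    m = O18_RE.match(line)
    if m and m["proto"].lower() == "start":
        dll = m["path"].rsplit("\\", 1)[-1]   # file name part of the handler path
        if dll.lower() not in LEGIT_START_HANDLERS:
            return f"O18 'start' protocol handled by unexpected DLL {dll} (pnpsvc service DLL)"
    if "pnpsvc" in line.lower():
        return "pnpsvc service present (display name 'Plug and Play svc service')"
    return None


def triage(log_text):
    """Run check_line over a whole HijackThis log and return the list of findings."""
    return [f for f in map(check_line, log_text.splitlines()) if f]


def classify_md5(data):
    """Return the post's label for file content whose MD5 is one of the reported hashes, else None."""
    return KNOWN_BAD_MD5.get(hashlib.md5(data).hexdigest())


# Constructed sample log: the two lines quoted in the post plus benign and O23 lines made up here.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Cache] C:\Documents and Settings\Edited Name\qcache.exe
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\KNQTWZ]`.dll
O23 - Service: Plug and Play svc service (pnpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```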

