Is this a new Virus/Rootkit I have?
Old 27-05-2010, 20:18   #1
Web-Junkie
Is this a new Virus/Rootkit I have?

Got a few laptops from where I work and they all have these files in the system32 folder:

Trapkey.dll
InfectDirectx.dll
MaskMessage.dll
Qicksnk.sys
and probably wpa.dbl (but think that's Windows Product Activation but it gets created each logon)

Can't seem to find the culprit as the files come back if deleted in DOS mode and can't see anything suspicious in the Registry RUN keys or Startup menu or Task Scheduler!! Task Manager doesn't seem to show anything suspicious either. We run Sophos Anti Virus that gets updated via a server and that's not found anything, so a nasty rootkit or new virus then?
Old 27-05-2010, 20:21   #2
zing_deleted
Re: Is this a new Virus/Rootkit I have?

http://www.extremetech.com/article2/...1151566,00.asp wpa.dbl looks legit
Old 27-05-2010, 20:34   #3
Web-Junkie
Re: Is this a new Virus/Rootkit I have?

yeah zing, I think wpa.dbl is legit.

Those other files are not packed or encrypted as you can put them in a Hex editor and scan the file, this is what the InfectDirectx.dll has inside it:

f:\RControl\InfectDDrawEx\Release\InfectDDrawEx.pdb

This is the same for the other files:

f:\RControl\MaskMessage\Release\MaskMessage.pdb
f:\RControl\TrapKey\Release\TrapKey.pdb
F:\RControl\HookDisplay\objfre\i386\HookDisplay.pdb

So they're all part of the same infection. Disabled all Startup items and deleted the files in DOS but they still come back, even in safe mode!!

Bit of a bugger to pin down.
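The hex-editor step above can be automated. The following Python script is an added example (not code from the original post, and not Impero's or SMART's software): it pulls the PDB path out of a PE's CodeView "RSDS" debug record, falls back to scanning for plain `X:\...\something.pdb` strings, and then works out the common build root across several files, which is the reasoning used above to tie the four files to one build tree. The byte blobs it analyses are constructed for the example, reusing the file names and PDB paths quoted in the thread; they are not the real binaries.

```python
import re
import struct
from typing import Dict, List, Optional

# "RSDS" is the CodeView signature the MSVC linker writes into a PE's debug
# directory: "RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path.
# This is the string you see when you open an unpacked DLL in a hex editor.
RSDS_MAGIC = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4

# Fallback for binaries that carry the path as a bare string (or where the
# RSDS header is damaged): a NUL-free Windows path ending in .pdb.
PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,260}?\.pdb", re.IGNORECASE)


def find_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path embedded in a PE image (or any byte blob)."""
    found: List[str] = []
    pos = 0
    while True:
        pos = data.find(RSDS_MAGIC, pos)
        if pos < 0:
            break
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end < 0:
            end = len(data)
        path = data[start:end].decode("latin-1")
        if path.lower().endswith(".pdb"):
            found.append(path)
        pos = end
    # Plain-string scan; duplicates of RSDS hits are dropped.
    for m in PDB_RE.finditer(data):
        p = m.group(0).decode("latin-1")
        if p not in found:
            found.append(p)
    return found


def common_build_root(paths: List[str]) -> Optional[str]:
    """Longest common directory prefix of the PDB paths, compared
    case-insensitively (Windows paths), never including the file name."""
    if not paths:
        return None
    split = [p.replace("/", "\\").split("\\") for p in paths]
    first = split[0]
    depth = 0
    for i in range(min(len(s) for s in split) - 1):
        if all(s[i].lower() == first[i].lower() for s in split):
            depth = i + 1
        else:
            break
    return "\\".join(first[:depth]) if depth else None


def make_rsds_record(pdb_path: str, age: int = 1) -> bytes:
    """Constructed CodeView record for the example (a dummy GUID, not from
    any real binary), so find_pdb_paths has something to parse offline."""
    guid = b"\x11" * 16
    return RSDS_MAGIC + guid + struct.pack("<I", age) + pdb_path.encode("latin-1") + b"\x00"


def fake_pe(pdb_path: str) -> bytes:
    """Constructed stand-in for a PE image: MZ header padding + RSDS record."""
    return b"MZ\x90\x00" + b"\x00" * 32 + make_rsds_record(pdb_path) + b"\x00" * 8


# Constructed sample inputs using the names and paths quoted in the thread.
# objfre\i386 is the WDK free (release) build output directory, which is
# what you would expect for a kernel driver such as a .sys file.
SAMPLE_FILES: Dict[str, bytes] = {
    "InfectDirectx.dll": fake_pe(r"f:\RControl\InfectDDrawEx\Release\InfectDDrawEx.pdb"),
    "MaskMessage.dll": fake_pe(r"f:\RControl\MaskMessage\Release\MaskMessage.pdb"),
    "TrapKey.dll": fake_pe(r"f:\RControl\TrapKey\Release\TrapKey.pdb"),
    "Qicksnk.sys": fake_pe(r"F:\RControl\HookDisplay\objfre\i386\HookDisplay.pdb"),
}


def group_by_build_root(files: Dict[str, bytes]) -> Dict[str, object]:
    """Map each file to its PDB paths and compute the shared build root."""
    paths = {name: find_pdb_paths(blob) for name, blob in files.items()}
    all_paths = [p for ps in paths.values() for p in ps]
    return {"paths": paths, "root": common_build_root(all_paths)}


if __name__ == "__main__":
    summary = group_by_build_root(SAMPLE_FILES)
    for name, ps in summary["paths"].items():
        print(f"{name}: {ps or '(no PDB path: stripped or packed)'}")
    print("common build root:", summary["root"])
```

A shared build root is evidence of common origin, not of malice: unpacked files carrying their developer's paths are what you'd expect from commercial software, and an empty result (no RSDS record, no path string) is the more interesting case, since it usually means the binary was stripped or packed.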
Old 27-05-2010, 20:38   #4
zing_deleted
Re: Is this a new Virus/Rootkit I have?

Any unusual network traffic? Anything suss in HijackThis? If they come back there is a run command in the reg somewhere for them.

I had a machine here the other week with a fake AV that was too new for Malwarebytes. It had fixes for older versions but even running it from safe mode with command prompt and running explorer from there it couldn't shift it.
Old 27-05-2010, 20:55   #5
Web-Junkie
Re: Is this a new Virus/Rootkit I have?

Just ran a Malwarebytes scan with Database version 4149 and nothing found!

We have had a few laptops have their wireless connections stop working, they can see the networks but fail to connect, wired connections work fine!

Got to pop out for a few hours so i'll look at them later and run a Hijackthis scan and see if it finds anything!

Keep you posted zing!
Old 27-05-2010, 23:45   #6
Web-Junkie
Re: Is this a new Virus/Rootkit I have?

OK zing, I think it's a false alarm!

Ran HijackThis and couldn't see anything suspicious in the list it generated so I downloaded Unlocker 1.8.9 and used it to see what was attached to InfectDirectx.dll and got these 2 files:

ImperoRemoteControlServer.exe
Marker.exe

These are two programs that run anyway on our laptops.

ImperoRemoteControlServer.exe is from Impero, a program that remotely monitors a PC/Laptop and can take full control of it or lock out anybody/thing the controller wants. It's installed as a client/server so those files are exactly like spyware/malware and do in fact take remote control of a computer as it's supposed to, but in this case legit!

Marker.exe is part of SMARTBoard software for Interactive Whiteboards so you can attach a PC/Laptop to a projector and use the Interactive board like a touchscreen to control your PC/Laptop!

Impero creates these files when run:
Quiksnk.sys
MaskMessage.dll
InfectDirectx.dll

Not sure where TrapKey.dll comes into it as it's attached to Winlogon.exe which is a valid file with a digital cert attached but I'd guess it's also part of Impero so it traps ALT+CTRL+DEL!!

So I think after running Malwarebytes, Sophos and Hijackthis and not finding anything remotely (no pun intended) suspicious I think I can safely say this is NOT a rootkit/virus!!

Bit of a letdown in the end, hoped I'd found something new and be the first to say I'd got it
Old 27-05-2010, 23:53   #7
Dai
Re: Is this a new Virus/Rootkit I have?

I guess it would take a very stupid virus writer to give his files such obvious names. Normally they try very hard to disguise them as legit system-related files.

Still, it would have been exciting to discover something new. (Until you got to the rebuilding all the laptops stage anyway)
Old 28-05-2010, 00:23   #8
Web-Junkie
Re: Is this a new Virus/Rootkit I have?

That thought had crossed my mind. Usually they compress/encrypt the files, so the fact they were not compressed nor encrypted and no virus/spyware scan found them suspicious made me dig a bit deeper until I found what they were!

Still, the satisfaction of finding out exactly what those files are is some small reward.