How do I remove .qsp Trojan/Virus under Win2003?

Hijackthis log looks clean. the virus could be a rootkit and Hijackthis couldn't detect anything. Please run GMER and attach the log file

Hi, please send a lint to Symantec site with virus description

Thanks for the quick reply xmachine.
1) I am using Symantec Endpoint Protection version 11.0.4010.19.
2) Please see attached file.
Will do 3, 4 & 5.
6) Can't run Endpoint in safe mode.  (Is there a way to run it in safe mode?)

C:\TEMP\Clt-Inst\vpremote.exe
What is it? it is in your hijack log...

Hi xmachine,

Here is the GMER log.

Hi anvanster,

I believe vpremote.exe is one of the Symantec client setup file.

@anvanster

This a part of Symantec Endpoint Protection remote client installation utility.

@asllin

Please do the following:

1) Run CCleaner again to clear TEMP folders

2) Open SEP > Quarantine > delete all

3) Download & run Symantec's Intelligent Updater to install latest virus definitions and overrides corrupted ones.  

http://definitions.symantec.com/defs/20090606-039-v5i32.exe

4) Run a full virus scan in safe mode

Just finished the CCleaner.  For step 3, is this a different version of Symantec that can be use under safe mode?  My current version of Endpoint is not able to do the scanning under safe mode.

This guy is so new (actually a new flavor of an old one) that almost every link reports it; but, has no cure.

However; according to this posting ( http://www.spywarepoint.com/need-help-remove-virus-adware-im-not-sure-t57285.html ), Ad-Aware, updated and then run in Safe Mode will take care of it. http://www.lavasoft.com/products/ad_aware_free.php

Hi Davis,

I did try this, but like what I said, I am not as lucky as the person on this post and this post was back in 2006, might be a much stronger virus.

Hi xmachine,

When I try to run SEP in safe mode, I got the following error:
"Failed to start the Symantec Management Client service.  Error code returned: 0.8007043c"

OK, IMHO, Symantec probably won't cut it anyway and, as this is a new flavor of the old guy, we may have to dig into it and brute force dig it out.

Since this is server 2003, one thought I have is to check in users and shares to see if there is an odd user logged in and whether Open Files in Shared Folders lists any of the files.  If there is an odd user, kick them out and disable the account temporarilly which may allow Norton to find something.

If you get no joy that way, try Driver Manager ( http://www.freewarefiles.com/DriverManager_program_3740.html ) to look for suspicious drivers (Rootkits) or Process Explorer ( http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx ) to dig out the process accessing those files.  It generally works better to disable a rogue driver as that prevents it from creating a new copy on reboot and, if there is a Rootkit driver, disable it, reboot and try your Norton and Ad-Aware again.

1) Download & run Symantec's Intelligent Updater to install latest virus definitions and overrides corrupted ones.  

http://definitions.symantec.com/defs/20090606-039-v5i32.exe


This just to install the latest virus definitions. Some corrupted ones could produce similar issues. This is not a virus scanning utility or removal tool.

2) Regarding the error, check the following KB article:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/2c9cdb6529c29068882573af0067a679?OpenDocument

3) To run a virus scan in safe mode, check the following KB article:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d77f9ee39aac2ba7882574e80064e3fe?OpenDocument

As an alternative, download and install Kaspersky anti virus. Get all updates and create system restore CD. Boot it and scan for viruses, or boot to "safe mode" and scan there. Kaspersky can scan in safe mode. You probably have to disable system restore to clean your system completely, so before doing any scanning make a System state backup with ntbackup.

Took 10 hours to scan...didn't find any virus using SEP in safe mode.

GMER's log looks fine. What's the current status?

Do I need to worry about "sector 63: rootkit-like behavior; copy of MBR" in the GMER log?

Status:  Server still slow without high CPU usage.

No, but to make sure that your system is rootkit-free.

1) Please download RootkitRevealer then extract it to C:\

(http://download.sysinternals.com/Files/RootkitRevealer.zip)

2) From CMD, type the following command:

C:\rootkitrevealer.exe -a c:\rootkit.log

3) Attach the log file here

O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://mgt.nowmynetworks.com/inc/kaxRemote.dll

I understand this is a legit application for remote access ala Bomgar / Webex ,etc... ?

if this is a legit installation that you know should exist, then I can say the HJT log looks fine.

in order to ensure the startup is clean & nothing is bypassing HJT , let us try to see a log for Autoruns

please download & run the tool, let it load startup , then File>save>Autoruns.arn

rename the file autoruns.arn to autoruns.txt , attach the file here.

In Process Explorer (see my earlier post), you can do Find -> Handle, type in one of those pesky files (4504E2AF.qsp, for example), and it will find the process which is using it.  That should be a big help towards pointing us in the right direction!  You then have the ability to kill the process which might let Norton see the bastard.

Also, I regularly use a device manager with the SET DEVMGR_SHOW_NONPRESENT_DEVICES=1 variable set; but, Driver Manager will also let you see the loaded drivers and disable them.  You need to reboot afterwards and disabling, rather than deleting, prevents the driver from being recreated and loaded at the next boot.  Excepting PE Trojans which embed themselves within a file, ALL of the others load a ROOTKIT DRIVER whose sole purpose is to intercept API calls and mask a given string.  You can always see the driver and disabling it reveals the rest of the bad guy as he is no longer hidden.

Were it not for the rogue files you report, I would be suggesting you use the free version of http://www.hdtune.com to see if  one of your drives is on the verge of failing and will mention that it sure wouldn't hurt anything to check.

Hi xmachine,
Here is the rootkit log.

Hi Admin3k,
"O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://mgt.nowmynetworks.com/inc/kaxRemote.dll" is a legit app for remote access.  I'll try the autoruns and upload the file here.

Hi Davis,
I'll try your suggestion as well.

Thank you all.

You may also want to empty the contents of %TEMP% directory, as well as temporary internet files /browser cache for rootkit revealer to get more accurate results

you can also  try malwarebytes scan in safe mode

finally , if this server hosts critical information, I would honestly suggest to backup critical data & rebuild the system from a clean image , I find this safer in case of similar undocumented rootkit behaviour , no one can tell you for sure what this piece of malware has done to your system & what type of access it could have allowed to your network , I have learnt to better be safe than sorry in such situations :).

1) Rootkit Revealer's log didn't give anything ...

2) Do you still have these files in TEMP folder ? If yes, upload some of them to virustotal.com for testing

For the last 24 hours, there were 26 notifications from SEP.  Most of them had "clean failed", "quarantine failed" and "access denied".  Some with "pending side effects analysis".  All files have .qsp extension and located in c:\windows\temp.  

OK, you definitely have a rootkit driver or malware has infected one of the boot/kernel components.  Have you tried DriverManager yet?

I've seen this behavior before...I think it's a false-positive due to some corrupted virus definitions. Please try the following:

1) Run CCleaner again (i know that you've already done that, but we need to erase all junk/corrupted files)

2) Clear out current definitions, check the following on how to do it:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/691fb01f62f2a700882573c2006d6de7?OpenDocument

3) Download & run Symantec Intelligent Updater to install the latest SEP's definitions

http://definitions.symantec.com/defs/20090608-051-v5i32.exe

If you tried to download it and got an error like (file not found), this means that they've replaced it with a newer one. Go to this link

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce

then download the first executable that looks like (20090608-051-v5i32.exe)

4) If you still receive the same pop-up, do the following:

1) Stop SEP (Start > Run > net stop "symantec endpoint protection")

2) Go to www.virustotal.com

3) upload one of the detected file before

4) attach a screenshot of the virus scanning results

Everything I have found points to this:  http://www.spywarelib.com/remove--trojan-backdoor-ircbot-arq.html
AND, it is interesting that Symantec's link shows an update today (6/10/2009): http://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99&tabid=2
BUT; it you don't have either the extra MDM.EXE entries or the WINAPII.EXE listed in your Hijaak This log.

If the updated NORTON still doesn't get it (and I don't think it will), how bout we try Nirsoft's Current Ports ( http://www.nirsoft.net/utils/cports.html ) to see if we do indeed have an IRC open to some foreign IP Address. Most IRC's use ports between 6000 & 7000.

Hi xmachine,

I am not able to stop the "symantec management client" service even after I disabled "tamper protection".  Any suggestion?

Hi Davis,

I don't think mdm.exe and winapii.exe apply to my situation.

1) Start > run > 

net stop "symantec endpoint protection"

should work for you


2) Or go Start > run > services.msc

change the startup type of Symantec endpoint protection service to "disabled", then reboot your system

I have no problem stopping "symantec endpoint protection" service, but the instruction ask to stop "symantec management client", which I was not able to.

When I try to stop "symantec management client" service using command line (net stop "symantec management client"), I got the following message:
The requested pause, continue, or stop is not vaild for this service.

go Start > run > services.msc

change the startup type of "symantec management client" service to "disabled", then reboot your system

After you finish everything, you need to restore it back to "automatic"

I tried that already.  After reboot, it is back to automatic and service started.