Jahewi's Anti-Malware Information
Malware infections of the ZCodec installation file
Details of the installed malware
File: dmsni.exe
MD5: db774521163aeb8d1029500b67050760
Packers detected: -
BitDefender: Found MemScan:Trojan.Agent.QB
NOD32: Found a variant of Win32/Small.FB
VBA32: Found Malware.Agent.11 (probable variant)
File: csrog.exe
(Note: this file was only flagged as malware by heuristic detection(s))
MD5: ddc82d270ba6c589e38fee47ff3f1e2a
Packers detected: -
VBA32: Found Trojan-Downloader.Agent.32 (probable variant)
Jotti results for suspected files in the Browser Exploit
File: csaim.exe
MD5: ddc82d270ba6c589e38fee47ff3f1e2a
Packers detected: -
NOD32: Found a variant of Win32/Small.FB
VBA32: Found Trojan-Downloader.Agent.32 (probable variant)
File: csahb.exe
MD5: ddc82d270ba6c589e38fee47ff3f1e2a
Packers detected: -
NOD32: Found a variant of Win32/Small.FB
VBA32: Found Trojan-Downloader.Agent.32 (probable variant)
File: dmmdk.exe
MD5: db774521163aeb8d1029500b67050760
Packers detected: -
BitDefender: Found MemScan:Trojan.Agent.QB
NOD32: Found a variant of Win32/Small.FB
VBA32: Found Malware.Agent.11 (probable variant)
File: dmdbw.exe
MD5: db774521163aeb8d1029500b67050760
Packers detected: -
BitDefender: Found MemScan:Trojan.Agent.QB
NOD32: Found a variant of Win32/Small.FB
VBA32: Found Malware.Agent.11 (probable variant)
Jotti scanning results for suspected files in the HQ Codec
File: ymfza.exe
MD5: 7e6d7e27c5509125573215a288da62c1
Packers detected: -
BitDefender: Found MemScan:Trojan.Downloader.Zlob.VZ
Kaspersky Anti-Virus: Found Trojan.Win32.DNSChanger.es
NOD32: Found a variant of Win32/TrojanDownloader.Zlob
VBA32: Found Trojan-Downloader.Agent.32 (probable variant)

Logfile of HijackThis v1.99.1
Scan saved at 19:45:31, on 6-9-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Robot Genius\Spyberus\RgView.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jahewi\Bureaublad\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jahewi.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Robot Genius - {1FD7EA94-0650-4CF5-ACFF-CDB36A6E924F} - C:\Program Files\Robot Genius\Spyberus\RgWinId.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [RGLauncher] C:\Program Files\Robot Genius\Spyberus\Spyberus.exe /S
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [dmsni.exe] C:\WINDOWS\System32\dmsni.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE6C50DB-71AF-4577-A877-2BB25F5C3382}: NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O20 - AppInit_DLLs: C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
The trojan infection changes constantly to avoid detection.
In the HijackThis log, the filename in the Run key has been changed. Its O4 item now shows:
O4 - HKLM\..\Run: [dmqpk.exe] C:\WINDOWS\System32\dmqpk.exe
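As an added defender-side example (not code from the original page), a small Python check that scans HijackThis-style lines for the two indicators shown in the log above: O17 NameServer entries pointing at non-local resolvers, and O4 Run keys launching a bare five-letter .exe straight from System32, a heuristic taken from the filenames observed on this page (dmsni, dmqpk, csrog, ...). The sample lines are constructed from the log above and the `expected_dns` parameter is an assumption.

```python
import ipaddress
import re

# Constructed sample lines modelled on the HijackThis log above (not a live capture).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RGLauncher] C:\Program Files\Robot Genius\Spyberus\Spyberus.exe /S
O4 - HKLM\..\Run: [dmsni.exe] C:\WINDOWS\System32\dmsni.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [dmqpk.exe] C:\WINDOWS\System32\dmqpk.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE6C50DB-71AF-4577-A877-2BB25F5C3382}: NameServer = 192.168.1.1
"""

# Heuristic derived from the filenames on this page: a Run key that launches
# a bare five-letter .exe directly from System32 (legitimate ctfmon.exe has six letters).
RANDOM_SYSTEM32_EXE = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\]\s+"
    r"C:\\WINDOWS\\System32\\(?P<name>[a-z]{5})\.exe\s*$",
    re.IGNORECASE,
)

# Any O17 entry that sets a NameServer value (DNS hijack indicator); servers may be
# separated by commas or spaces, as both forms appear in the log above.
O17_NAMESERVER = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")


def is_local_resolver(addr):
    """True for RFC 1918 / loopback addresses, i.e. a router or local DNS forwarder."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def scan_hijackthis(text, expected_dns=()):
    """Return (line, reason) tuples for lines that deserve a closer look.

    expected_dns: resolver addresses the owner knows to be legitimate (assumed parameter).
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RANDOM_SYSTEM32_EXE.match(line)
        if m:
            findings.append((line, f"Run key launches random-looking {m['name']}.exe from System32"))
            continue
        m = O17_NAMESERVER.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
            bad = [s for s in servers if not is_local_resolver(s) and s not in expected_dns]
            if bad:
                findings.append((line, "NameServer points at unexpected resolver(s): " + ", ".join(bad)))
    return findings
```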
jahewi, September 7, 2006
(this page can change if there are new developments or changes in the analyses)
Infection starts even before the EULA is accepted.
According to the site of ZCodec, it is the best codec. It will enhance your Media Player's ability to play movie and music.
I doubt it very much ... ;-)
After the infection was completed, ZCodec (or HQ Codec, as it calls itself in the Program Files folder) disappears after a while, leaving nothing but trojans!