Prevx Research Division
QSERVICE.EXE
Cloaked MalwareFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove QSERVICE.EXE.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The unsafe files using this name are associated with the malware group:
- Cloaked Malware
File Behavior
QSERVICE.EXE has been seen to perform the following behavior:
- This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
- Executes Processes stored in Temporary Folders
- This process creates other processes on disk
- Writes to another Process's Virtual Memory (Process Hijacking)
- This Process Deletes Other Processes From Disk
- Executes a Process
- Registers a Dynamic Link Library File
- Copies files
- Injects code into other processes
- The Process is packed and/or encrypted using a software packing process
- This Process uses Anti Dissasembly Tricks to avoid analysis by security products
- The Process is polymorphic and can change its structure
QSERVICE.EXE has been the subject of the following behavior:
- Added as a Registry auto start to load Program on Boot up
- Executed as a Process
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
- Copied to multiple locations on the system
Country Of Origin
The filename QSERVICE.EXE was first seen on May 14 2007 in the following geographical regions of the Webroot community:
- The United States on May 14 2007
- Spain on Apr 21 2008
- Jordan on Apr 21 2008
- The United Kingdom on Jul 30 2008
- Italy on Nov 24 2009
File Name Aliases
QSERVICE.EXE can also use the following file names:
- KO PEDAL.EXE
- KO_PEDAL.EXE
- KO PEDAL[n].EXE
- KOPYASı EHUHU.EXE
- 46551937.EXE
- 54850191.EXE
- 32995005.EXE
- 22929841.EXE
Filesizes
The following file size has been seen:
- 3,682,304 bytes
- 312,849 bytes
- 310,399 bytes
- 451,325 bytes
- 3,264,636 bytes
File Type
The filename QSERVICE.EXE is used by multiple object types including executable programs,objects.
File Activity
One or more files with the name QSERVICE.EXE creates, deletes, copies or moves the following files and folders:
- Deletes c:\windows\qservice.exe
- Creates c:\windows\system32\win_a32.exe
- Creates c:\windows\system32\win_b32.exe
- Deletes c:\Documents.exe
- Deletes c:\windows\services.dll
- Copies filec:\windows\system32\win_a32.exe to c:\windows\system32\dtxservice.exe
- Deletes c:\docume~1\user\locals~1\temp\DPTRER~1.EXE
- Deletes c:\docume~1\user\locals~1\temp\DPTRER~1.BAT
- Creates c:\windows\wmiprvse.exe
- Opens/modifes c:\autoexec.bat
- Creates c:\windows\fps.exe
- Creates c:\windows\mps.exe
- Creates c:\windows\icq.dll
- Creates c:\windows\iss32.exe
- Creates c:\windows\CRSS.EXE
- Creates c:\windows\kdd32.atm
- Creates c:\windows\kt.atm
- Creates c:\windows\ktd32.atm
- Creates c:\windows\fps.atm
- Creates c:\windows\mps.atm
Network Activity
One or more files with the name QSERVICE.EXE performs the following network events:
- DNS Lookup192.168.0.7 SAMANTHA-3AB6EA52
- DNS Lookup66.98.253.2 prohack.net
Website Activity
One or more files with the name QSERVICE.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:66.98.253.2:25 Port:17
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.