Possible False Positive? Win32.SharaQQ.30

Reported Win32.SharaQQ.30 as a Trojan on yesterday's (2009-06-24) update as Scan Results on two separate XP systems (one is rarely used). Latest AVG Anti-Virus shows nothing. Nothing on Symatec or AVG website regarding Win32.SharaQQ.30. Google search shows little info on this Trojan.

Anyone else showing this?
Should I try to have Spybot fix the problem?

Operating System: Windows XP Home
Browser and Version: Internet Explorer 6
Version of Spybot S&D: 1.6.2.46
Date of the latest update: 2009-06-24

--- Report generated: 2009-06-24 10:09 ---

Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)
C:\WINDOWS\system32\SVKP.sys
Properties.size=2368
Properties.md5=F05028B163B92C302A74409D683AC9B0
Properties.filedate=1072473531
Properties.filedatetext=2003-12-26 14:18:51

Win32.SharaQQ.30: [SBI $962F118B] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVKP

Win32.SharaQQ.30: [SBI $F02BC4BB] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SVKP

Win32.SharaQQ.30: [SBI $75C09369] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC

Win32.SharaQQ.30: [SBI $A65B8F92] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WZCSVC


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-02-18 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-23 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-06-23 Includes\KeyloggersC.sbi (*)
2009-06-10 Includes\Malware.sbi (*)
2009-06-23 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-06-17 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-06-17 Includes\Trojans.sbi (*)
2009-06-23 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

This is no false positive, you should fix this on both of your computers.
This Trojan horse is contacting malicious domains in background.

Should I just let Spybot try to fix it or is there something else that I should also do?

Fixing it with Spybot S&D should be enough. If removal should fail for some reason try to fix it in Windows safe mode (press F8 before 1st Windows loading screen to enter Windows safe mode).

Worked like a charm without having to go into safe mode!

Thank you! Thank you!

Hi,

also ich habe heute genau die selbe Meldung über den Win32.SharaQQ.30 bekommen, wie jgs57.
Ich habe die svkp.sys (Dateiversion 4.0.1381.1) seit dem 02. Februar 2009 auf meinem Rechner.
Wieso ist das jetzt plötzlich ein Trojaner. :confused::confused:

Geronimo104
...

Hallo Geronimo104,

die Datei ist nicht plötzlich ein trojanisches Pferd geworden, sie ist erst jetzt von uns als solcher erkannt worden. Es liegt leider in der Natur von trojanischen Pferden sich zu tarnen und zu verstecken um möglichst lange der Erkennung zu entgehen.

Bei der Erkennung von schädlichen Dateien spielt nicht nur der Dateiname eine Rolle sondern viele andere Attribute der Datei.

Wenn Dein Scanergebnis wie bei jgs57 die gleiche md5 aufweist, handelt es sich um eine genau identische SVKP.sys welche entfernt werden sollte.

Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)
C:\WINDOWS\system32\SVKP.sys
Properties.size=2368
Properties.md5=F05028B163B92C302A74409D683AC9B0 <- MD5

Hi,

ich habe die SVKP.sys mit Spybot entfernt.
Reicht das ... :confused:

Geronimo104
...

I see there are 3 new post to my intial question regarding Win32.SharaQQ.30. Unfortuantely they appear to be in German and I'm sorry, but I don't read German. Can anyone help me? Do these state anything important that I should know?

Hi,

look at this ...

http://translate.google.com/translate_t#de|en|

;)

Very Cool! I bookmarked that one.

I had the same question as Geronimo104 and that answered it.

Thanks Yodama!

I too following the 24/6 update received exactly the same message.
After consultation with spybot I 'fixed' the problem and it was successful.
Results were submitted and it was recommended that I carry out a Rootalyzer test.
I am awaiting feedback but it looked ok to me.
Anyway, I have run all progs on my computer to see if I got a message saying that SVKP.sys was missing but all seemed fine.
Today (3/7/09) I d/l new spybot updates and carried out test.
Guess what - the same Trojan (sharaQQ) detected and when I checked the SVKP.sys file was back in place.
I have again 'fixed' it and sent in results- awaiting reply.
Incidentally Norton 360 v3 still tested clear.

In 2005 that same SVKP file caused problems on an older Norton version with a particular update from Norton. (Hacktool Rootkit virus). This turned out to be innocent and a further update from Norton rectified it.

I hope this is the same cos I am starting to get paranoid.

I've also just recently begun receiving IDENTICAL disposition (my report below) as the initial poster of this thread (jgs57).

-----------------------------------------------------------------------
Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)
C:\WINDOWS\system32\SVKP.sys
Properties.size=2368
Properties.md5=F05028B163B92C302A74409D683AC9B0
Properties.filedate=1188104952
Properties.filedatetext=2007-08-25 22:09:12

Win32.SharaQQ.30: [SBI $962F118B] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVKP

Win32.SharaQQ.30: [SBI $F02BC4BB] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SVKP

Win32.SharaQQ.30: [SBI $75C09369] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC

Win32.SharaQQ.30: [SBI $A65B8F92] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WZCSVC

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
-----------------------------------------------------------------------

However, I believe this to be false positive. Why?

1. I have submitted the suspect file [C:\WINDOWS\system32\SVKP.sys] to VirusTotal, and it receives not even one hit from any of the 41 current and up-to-date malware scanners.

2. The subject file has been resident and unchanged (i.e., identical SHA1 checksums) on the PC for AT LEAST the past 18 months (just that I know of ... probably longer).

3. There's been no relative suspicious behavior at all during that period.

4. A thorough Google search of the file is conspicuously thin: Only 3 hits within past month, and only 8 hits within the past YEAR. NONE of them (except one) contain any discussion directly related to "SVKP.sys" as a malware culprit; but rather simply contained within HJT (HiJackThis) reports or the like. I would expect much more forum based activity for any true malware of this age.

CORRECTION: Oops! My above referenced Google search was for "C:\WINDOWS\system32\SVKP.sys" AND "false positive". That notwithstanding, my initial search using only the filename resulted in tellingly thin results as well, which led me to my course of (in)action that follows.

Although I have not yet determined the source/vector software which placed this file, given the facts at hand, I'm adequately confidant at this time to leave it be. However, that would not be my general advice to anyone else who is not as confidant as me. For them I would recommend allowing SpyBot S&D to go ahead and "fix" (and quarantine) it, then if/when it's definitively determined to be a false-positive, simply restore from quarantine.

If the capable SpyBot S&D folks could look into this and provide an updated report/DB update regarding this matter, it would sincerely be appreciated by me, and apparently several others as well. Thanks in advance for your attention and all your good work.

OK... now I'm really confused. Should I not have let Spybot correct this problem? SVKP.sys now only shows in my spybot/recovery fold. Right clicking on the file to show Properties indicate the date of this 3k file is 12/26/2003... if that means anything. I agree that a Google search show little info or help. What is this file for and should I restore it? Do I need it? Is it a Trojan or a False Positive?

Again, this is no false positive.
Here is an excerpt from the file version information:
Company: AntiCracking
Copyright: Copyright (C) Microsoft Corp. 1981-1999

There are more similar files which have the exact same version information including file version number and product version number but are different in size and checksum. Meaning they are different files but are declared to be identical by the "vendor" AntiCracking.

As you can see this certainly does not match for a proper Microsoft file.
Additionally the tested sample connected to a chinese domain in background.

Good news - for me anyway.
I have proved conclusively that the file SVQP.sys & assoc registry entries are created by a program on my computer. This is causing the SharaQQ trojan to be recognised???
That program is TweakXP v2.
After I had first fixed the Trojan with Spybot S&D I ran most of my programs inc TweakXP to make sure they all worked with that file quarantined.
They all were OK so I was disappointed (to say the least) when with the latest S&D update the Shara Trojan was found again.
This time I 'fixed' it and then ran every program seperately each time checking with explorer to see if the SVQP.sys file reappeared.
Lo & behold - TWEAK XP was the culprit.
I repeated the process to make sure.
Now, I have had that program on a previous computer and my current one since January 2004 and I have never noticed anything untoward.
Naturally I am relieved to have solved my situation.
So jgs57 & others exhibiting the same Trojan symptom, do you have TWEAKXP v2 ?
If not, carry out the same experiment - it may solve your problem too!!!

I have just tested the current TweakXP 2.1 from TweakXP.com.
Since it is a shareware version I was not able to test all of its components but it did not install any service and it did not the SVKP service in question here.
I also do not see any reason for TweakXP to suddenly install that service once the full features are unlocked.

If you are still convinced that SVKP is a part of TweakXP you should contact the vendors of TweakXP.

Greetings.

I have contacted the vendors of TweakXP and they have confirmed that the file SVKP.sys was indeed a part of v2.09, the one I am using.
Later versions no longer have that file.
So it looks as if in my case anyway S&D is seeing that file as the above Trojan.

Hello Salim,

thank you for your information on this. I have also received your email confirming this information.
So I have to admit that I was wrong here :oops:

The changes to our detection database did not make it for the update today so they will be released with the next update scheduled for Wednesday 2009-07-15. Until then you can mark the detection on the svkp.sys and the service belonging to it to be ignored from further searches.

Well I have never used TweakXP so what should I do? Are there other program involved using that file? Everything seems to be working OK right now.

Quote:

---

Originally Posted by jgs57

Well I have never used TweakXP so what should I do? Are there other program involved using that file? Everything seems to be working OK right now.

---

It is possible that an other application brought this SVKP service with it. However no current application appears to be using it. If all of your applications work fine you can leave it as is.

Firstly: mega-kudo's to Salim38 for your diligence in this matter. On this occasion, I simply wasn't curious enough to invest the time necessary to perform the unavoidable, labor intensive deduction you accomplished in order to determine the source program, but I'm very appreciative you were. Not coincidentally, I indeed previously had the TweakXP utility installed on my target system (~2 years ago).

Secondly: kudo's also to Yodama for the professionalism shown in admitting error ... "So I have to admit that I was wrong here". Because frankly, that statement is not true. You didn't "HAVE to admit" you were wrong, but rather, in a timely and direct manner, you CHOSE to. That PROVES character, whereas merely being right proves nothing other than you happen to be right.

Thirdly: to jgs57 ... is it possible that like me, your system did (past tense) have TweakXP installed at some point? After all, as I stated and detailed in my first post, your scan disposition is IDENTICAL to mine: the filename, path, filesize, REG-keys, and (most importantly), MD5 checksum's all match. Therefore, ipso-facto, if I'm OK, then you're OK. Regardless, if you have already allowed SpyBot S&D to "fix" and quarantine the subject file and REG-keys, AND you have not experienced any repercussion (as you report), my advice would be simply to leave in quarantine ... or hell, restore ... either way, it "ain't no thang".

Lastly: For what it's worth, I did come across one rather old 2005 forum discussion related to SVKP.sys as a malware. Its particular M.O. (modus operandi) was to place one or more of the following files on your system drive:

msdirectx.sys
xz.bat
lockx.exe

If so inclined, simply execute a search on your system drive (typically C:\) for these files (msdirectx.sys OR xz.bat OR lockx.exe), and if not found, you can safely rule that remote possibility out.