What is lqoe89kr.lwp?

Discussion in 'malware problems & news' started by SystemJunkie, Nov 7, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Does anyone know lqoe89kr.lwp? Located in system32, seems that it manipulates shlwapi.dll, because this file is mentioned in this lqoe89kr.lwp file.

    It seems to be a kind of wordpad file.
     
    Last edited: Nov 7, 2006
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    try to scan it to virustotal.com. See the results. ;)
     
  3. Texcritter

    Texcritter Registered Member

    Joined:
    May 6, 2005
    Posts:
    1,985
    Location:
    Teesside, North East England
    File extension says it is a wordpad file from Lotus Smartsuite
     
  4. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Question? Is this on your personal home PC or work PC? Found some references to it but all were quite old. Some were legit, some were not. :eek: Do as Pykko suggested and let us know what you find out.

    Edit; Just saw your reply with results. Obviously the next question is do you have Lotus Smartsuite installed?
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I never, never used anything like Lotus and nothing like this is installed on my system. I will do the online scan right now, but I think no scanner will find anything. This file is still very unknown. Only about 5 google entries and nothing specific. Something interesting could be the fact that if I open the file with notepad I see lots of Chinese letters. If I open the file with hexedit, I see this: ?'ec:\windows\system32\drivers\isdrv120.sys (5 times)
    1 time this: ?'ec:\WINDOWS\system32\shlwapi.dll. It is my personal PC, but sometimes I also use it for work.

    When I use Advanced Anti Keylogger, it tells me that shlwapi.dll wants to make screenshots and blocks it. If I rename shlwapi, Windows stops booting, essential process of winlogon.exe.

    I rename lqoe89kr.lwp and erase it, then AAKeylogger does not show anymore that shlwapi.dll wants to make screenshots. The thing is it recreates the lqoe89kr.lwp file but with 0 bytes.

    I am not sure if it is caused by IceSword 1.20 or Gmer, but don't think so.

    Jotti found 0.
     
    Last edited: Nov 7, 2006
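    As an added illustration (not code from this thread or from any tool named in it): a small Python triage helper that does offline what SystemJunkie did by hand with Notepad and a hex editor. It pulls printable ASCII and UTF-16LE runs out of a binary blob (UTF-16LE text is what Notepad tends to render as "Chinese letters"), flags the ones that look like references to system modules, and hashes the blob for a VirusTotal/Jotti lookup. The byte blob is constructed here to mimic the thread's description; only the file names come from the posts.

```python
import hashlib
import re

# Constructed sample, not the real lqoe89kr.lwp: a few junk bytes, an ASCII
# driver path, then a DLL path stored as UTF-16LE (nulls between letters).
SAMPLE = (
    b"\x00\x01\x02\x3f\x27\x65"                      # "?'e" junk prefix
    + b"c:\\windows\\system32\\drivers\\isdrv120.sys" + b"\x00" * 4
    + "c:\\WINDOWS\\system32\\shlwapi.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x10\x20"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")            # 6+ printable bytes
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # 6+ printable UTF-16LE code units
PATH_RE = re.compile(r"(?i)\\system32\\|\.(?:sys|dll|exe)$")


def extract_strings(data: bytes, min_len: int = 6):
    """Return (encoding, text) pairs for ASCII and UTF-16LE runs in data.

    Note that junk bytes that happen to be printable get glued onto a real
    path, which is exactly the "?'ec:\\windows..." artefact seen in a hex editor.
    """
    found = []
    for m in ASCII_RE.finditer(data):
        text = m.group().decode("ascii")
        if len(text) >= min_len:
            found.append(("ascii", text))
    for m in UTF16_RE.finditer(data):
        text = m.group().decode("utf-16-le")
        if len(text) >= min_len:
            found.append(("utf-16le", text))
    return found


def module_references(data: bytes):
    """Strings that look like references to system modules or drivers."""
    return sorted({text for _, text in extract_strings(data) if PATH_RE.search(text)})


def sha256_hex(data: bytes) -> str:
    """Hash to look up on a multi-engine scanner instead of uploading blindly."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for enc, text in extract_strings(SAMPLE):
        print(f"{enc:9s} {text}")
    print("module references:", module_references(SAMPLE))
    print("sha256:", sha256_hex(SAMPLE))
```

On a real file replace SAMPLE with `open(path, "rb").read()`; a config or rules file from a security product will typically show many module names, whereas a file that names only one or two system DLLs deserves a closer look at which process holds it open.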
  6. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    Among the things I saw in Google as well were references to a "key logger". That was the reason I asked if it was your personal PC or at work.
     
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    hm, this sounds bad, so you thought if it'd be at work that it might be prepared from the company? But it's with high probability of Chinese origin.

    If I try to delete the file, filemon shows this info:

    176 13:16:05 explorer.exe:356 QUERY INFORMATION C:\WINDOWS\system32\lqoe89kr.lwp SUCCESS Attributes: A
    177 13:16:05 explorer.exe:356 OPEN C:\WINDOWS\system32\lqoe89kr.lwp SHARING VIOLATION Options: Open Access: All
    178 13:16:05 explorer.exe:356 OPEN C:\WINDOWS\system32\lqoe89kr.lwp SHARING VIOLATION Options: Open Access: All
     
    Last edited: Nov 8, 2006
  8. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    Those were my exact thoughts. Do not know if I would push the panic button yet. Not a whole lot of information to go on, there are also legit references to that file concerning IBM computers. However, we are now getting in pretty much over my head. Since you have already thrown several scanners at it and all show negative a "Temporary" option would be to run a firewall that enables you to log\block outgoing traffic. You would then know at the least if it or something were trying to call home. Also there are several other forums spoken of highly here which might be of more assistance. Maybe someone else will jump in with other possible solutions.
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    It could be handy to know which program on your computer handles the .lwp extension.

    Open a Command prompt and type this command:

    ASSOC .lwp <= note the space behind Assoc
    You should get a reply telling you which program handles that extension if one has been.

    Regards,

    Pieter
     
  10. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Thank You Pieter_Arntz for popping in. Have seen your work. :thumb: I am sure the Right Man is on the job. SystemJunkie, I now leave you in very capable hands. Will continue to follow this thread with great interest.
     
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Thanks for info, I guess that's the info you need:

    [HKEY_CLASSES_ROOT\.lwp]
    @="lwp_auto_file"

    or with assoc

    .lwp=lwp_auto_file
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    That will effectively be Wordpad on most computers.
    Doesn't seem dangerous to me, but not vital either.

    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:) or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

    Then copy the part in bold below into notepad and save it as movelockedfile.bfu
    Set Filetype to "all files"


    OptionUnloadShell
    FileMove %SYSDIR%\lqoe89kr.lwp|%SYSTEMDRIVE%


    • Save it in the same folder you made earlier (c:\BFU)
    • Then, please go to Start > My Computer and navigate to the C:\BFU folder
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select movelockedfile.bfu
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.) Don't be scared because your taskbar and desktop will disappear for a short while.
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.

    If all goes well this will move the file to the C:\ directory (Root)
    You can delete it from there once you decide it wasn't needed by anything.

    Keep us posted,

    Pieter
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Hi Pieter, I did what you said, the explorer bar disappeared for a short time and everything looked ok but the file is still there and locked in sysdir, the only way to delete it is to boot in windows safe mode or from another external windows. But then the file will be there again with 0 bytes. Actually I use Advanced Anti Keylogger, Sygate Firewall and Process Guard 3.4 free when windows starts up, nothing else, except sometimes for checking purposes anti-rootkit tools like gmer, ice sword and rkunhooker, rkrevealer. Don't think that the file may come from these tools, isn't it?

    Besides, I also tried the trick to stop explorer.exe and erase the file via dos console, but it was still locked too.

    Another phenomenon that always appears is when I click on Lan Connections or printer and fax then Windows shows error message: "(null)" could not be found. Please be sure that you've entered the name correctly and retry. Click Start and then Search, to search a file.

    (a short translation of the message box content)
     
    Last edited: Nov 9, 2006
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Have you tried unlocker?
    http://ccollomb.free.fr/unlocker/

    If it works, create a file with that name yourself before you reboot.
    That will prevent the file from getting re-created by something else.
    Put some text in it so you can see if it stays unchanged.

    Regards,

    Pieter
     
  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    It worked! I am amazed! The root process is aaksrv.exe! Thanks for your help!

    What I consider as very strange is the fact that this file is in Chinese language, when I open it and with hex edit I only see shlwapi.dll, if it were the rules file of advanced anti-keylogger it would have more content for all files. Strange thing.

    Maybe someone knows if Spydex is a Chinese enterprise...
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Good job. :thumb:

    Spydex:
    http://www.spy-lantern.com/about-us.html
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yeah, it is definitely the key file of Advanced Anti Keylogger. I tested it, without this file you are no more able to log into AAK Custom Security Mode.

    Spydex is indeed known for Spy Lantern, a partial polymorphic rkkeylogger.

    But some days ago I didn't know that AAK was the same company.
     