What is msoia.exe? Should I remove it (How)? It starts at startup. Update Cancel. Ad by ManageEngine ADSolutions.
Welcome to my blog. I found a malicious code that was added into the faxcool.exe file. Due to infection by malicious code, the file contents changed. The MD5 value of the infected file is: adeb5993fb9cc6768f87c8021fc16bde, and the file size is: 521 K ( 534,016 bytes ) Behavior of malicious code ( 413 votes ) If you know more this malicious code, please vote. We sincerely hope you may share your information with other computer users and help them.
1. Infect file2. Intentionally destroy data14.04% (58)
3. Steal personal privacy4. Infect other computers through the Internet12.11% (50)
5. Install the backdoor program so that the computer is controlled remotely6. Cheat or threaten users to buy something10.9% (45)
7. Download and install other programs without permission in the background8. Pop up various advertisements and induce users to click12.59% (52)
Binary Code Analysis:
When the program runs, the PE loader will try to load the file to 0x00400000 in the virtual address space, Address Of Entry Point: 0x00072814. This file has 9 SECTION.
DOS Stub
...
...
NT File Signature
NT HEADER
OPTIONAL HEADER
.itext SECTION #2
.bss SECTION #4
.tls SECTION #6
.reloc SECTION #8
- Name
- Virtual Size
- Virtual Address
- Size Of Raw Data
- Pointer To Raw Data
- Pointer To Relocations
- Pointer To Linenumbers
- Number Of Relocations
- Number Of Linenumbers
- Characteristics
- SECTION #1
- .text
- 0x0007002C
- 0x00001000
- 0x00070200
- 0x00000400
- 0x00000000
- 0x00000000
- 0x00000000
- 0x00000000
- 0x60000020
- SECTION #2
- .itext
- 0x00000874
- 0x00072000
- 0x00000A00
- 0x00070600
- 0x00000000
- 0x00000000
- 0x00000000
- 0x00000000
- 0x60000020
- SECTION #3
- .data
- 0x000024CC
- 0x00073000
- 0x00002600
- 0x00071000
- 0x00000000
- 0x00000000
- 0x00000000
- 0x00000000
- 0xC0000040
- SECTION #4
- .bss
- 0x00004CE8
- 0x00076000
- 0x00000000
- 0x00073600
- 0x00000000
- 0x00000000
- 0x00000000
- 0x00000000
- 0xC0000000
- SECTION #5
- .idata
- 0x00002A64
- 0x0007B000
- 0x00002C00
- 0x00073600
- 0x00000000
- 0x00000000
- 0x00000000
- 0x00000000
- 0xC0000040
- Name
- Virtual Size
- Virtual Address
- Size Of Raw Data
- Pointer To Raw Data
- Pointer To Relocations
- Pointer To Linenumbers
- Number Of Relocations
- Number Of Linenumbers
- Characteristics
- SECTION #6
- .tls
- 0x00000034
- 0x0007E000
- 0x00000000
- 0x00076200
- 0x00000000
- 0x00000000
- 0x00000000
- 0x00000000
- 0xC0000000
- SECTION #7
- .rdata
- 0x00000018
- 0x0007F000
- 0x00000200
- 0x00076200
- 0x00000000
- 0x00000000
- 0x00000000
- 0x00000000
- 0x40000040
- SECTION #8
- .reloc
- 0x00006630
- 0x00080000
- 0x00006800
- 0x00076400
- 0x00000000
- 0x00000000
- 0x00000000
- 0x00000000
- 0x42000040
- SECTION #9
- .rsrc
- 0x0000583C
- 0x00087000
- 0x00005A00
- 0x0007CC00
- 0x00000000
- 0x00000000
- 0x00000000
- 0x00000000
- 0xE0000060
• faxcool.exe
Tip: There is something I must emphasize. The file names listed above are infected by malicious code. It does not mean that all files named by these names are malicious files. It is inaccurate to determine whether a file is a malicious program based on its file name.
The malicious code also infects files on the following path:
• c:windowsapppatchen-us• c:windowssystem32driversumdfru-ru
• c:windowssystem32sr-latn-rs
• c:windowssystem32langtvwizardita
• c:windowstempusb3intel21langit-it
• c:windowssystem32spoolxpsepamd64amd64
• c:windowscnxtrollbackoem3.infsa3
• c:windowsfr
• c:windowsdiagnosticssystembluetoothar-sa
• c:windowswin2farsi_tools_toolsinternet download manager 6
• c:windowssyswow64siscardplugins
• c:windowssoftcampcontrolsharevista_x64
• c:windowsinfusedappsframeworksmicrosoft.net.native.runtime.1.6_1.6.24903.0_x64__8wekyb3d8bbwe
• c:windowssystem32prs-af
• c:windowsconfigsetrootdriverslanintelintelwin10pro1000winx64ndis64
• c:windowstemp_av_iup.tm~a04032
• c:windowses4
• c:windowsassemblynativeimages_v2.0.50727_64microsoft.visualstu#05d3278c99eb007a1494cc4ac78693d0
• c:windowsresourcesthemesaeroaerolite.msstyleswindows xp (royale)
• c:windowssyswow64windowspowershellv1.0modulesmsdtcfr
Tip: The code of most malicious files is fixed, rarely changed, which means, this type of malicious files regardless of which computer they are in, will copy themselves into the pre-set path, so we can go to the path listed above to find this file, and there is a great chance to find it.
Are all the files with the same file name listed above and with the same path malicious files?
Of course not. The file name is just the identification of the file. Strictly speaking, the file is modified by malicious code.The following are methods commonly used by malicious code in order to confuse users:
• Deliberately modify their own file name to some system file name, or some well-known software name.
• Generate malicious files in the system folder or in the installation folder of some well-known software, and even name their own folder with an antivirus software name (actually the user did not install this antivirus software). In fact, these malicious files are not system files, nor part of the famous software.
For example, one of the most common system file names is: explorer.exe, and under normal circumstances, the system only has an explorer.exe process. When you open the Task Manager and find that there are two or more explorer.exe processes, it is likely the camouflage of some malicious viruses. As shown in the following figure, there are two explorer.exe processes in Task Manager.
When I find the path where the file is located, it will be clear that the real explorer.exe system file is located under 'C: Windows', and the malicious file that pretends to be system process is under the other path.
The running status of the faxcool.exe file that is infected with malicious code:
Take up memory 595K
Occupy CPU resources between 51% - 60%
Run the program with the SYSTEM permissions.
Occupy CPU resources between 51% - 60%
Run the program with the SYSTEM permissions.
At runtime, 17 Windows system files, 0 external files (not owned by the Windows system), are called
Windows system filesIn general, the most accurate way to determine if a file is a malicious file is to analyze its code and see what happens when these functions are called while the program is running. Does it have malicious behavior (destroying data or stealing data)? I have listed the functions called by this file and some internal data, but there is too much data, I can't show them all here. →Click here← to see the full binary code analysis page.
The advapi32.dll dynamic link library is loaded and the functions in the file are called: ( Advapi32.dll is part of a high-level API application interface service library that contains functions related to object security, registry manipulation, and event logging. It is generally located in the system directory: WINDOWSsystem32 )
The kernel32.dll dynamic link library is loaded and the functions in the file are called: ( Kernel32.dll is a very important 32-bit dynamic link library file in the Windows operating system. It is a kernel-level file. It controls the system's memory management, data input and output operations and interrupt handling. When the Windows operating system starts, kernel32.dll resides in a specific write-protected area of memory, so that other programs cannot occupy this memory area. )
The kernel32.dll dynamic link library is loaded and the functions in the file are called: ( Kernel32.dll is a very important 32-bit dynamic link library file in the Windows operating system. It is a kernel-level file. It controls the system's memory management, data input and output operations and interrupt handling. When the Windows operating system starts, kernel32.dll resides in a specific write-protected area of memory, so that other programs cannot occupy this memory area. )
The user32.dll dynamic link library is loaded and the functions in the file are called: ( User32.dlll is a Windows user interface related application program interface for Windows processing, basic user interface and other features, such as creating windows and sending messages. )
The kernel32.dll dynamic link library is loaded and the functions in the file are called: ( Kernel32.dll is a very important 32-bit dynamic link library file in the Windows operating system. It is a kernel-level file. It controls the system's memory management, data input and output operations and interrupt handling. When the Windows operating system starts, kernel32.dll resides in a specific write-protected area of memory, so that other programs cannot occupy this memory area. )
![Faxcool Faxcool](/uploads/1/2/5/8/125876320/305312246.jpg)
The advapi32.dll dynamic link library is loaded and the functions in the file are called: ( Advapi32.dll is part of a high-level API application interface service library that contains functions related to object security, registry manipulation, and event logging. It is generally located in the system directory: WINDOWSsystem32 )
The shell32.dll dynamic link library is loaded and the functions in the file are called: ( Shell32.dll is an important file stored in the WindowsSystem32 folder. Normally it is created automatically during the installation of the operating system and is critical to the normal operation of the system. Under normal circumstances, users are not advised to make arbitrary modifications to this type of file. Its existence plays an important role in maintaining the stability of the computer system. )
The following files have been identified as malicious files. Some files are variants of faxcool.exe; some files are another type of malicious file, but use the same file name as faxcool.exe.
It is a simple and effective way to determine whether a file is a malicious file by a hash value, which has lower false detection rate than the 'static signature' method. So, if the MD5 value of a file on the computer is the same as the MD5 value listed below, then it is sure that the file is a malicious file.
This is my analysis results to the code of each malicious below, mainly provided to industry professionals who engage in the maintenance of computer security. If you are interested, you can also have a view, but it may require certain computer knowledge. - File Md5
- File Size
- File Bit
- File Type
- Binary Code Analysis
- adeb5993fb9cc6768f87c8021fc16bde
- 521 K
- 32 bit
- EXE
Method 1: Manual Removal
• Reboot the system and then enter safe mode (Click here to see how each Windows version (XP/Vista/7/8/10) goes into safe mode)
• Open Task Manager and if faxcool.exe is running, end this program.
• Show all hidden files.
Step: 'My Computer' -> 'Floder Options' ->'View' -> 'Show hidden files, folders, and drives'
Step: 'My Computer' -> 'Floder Options' ->'View' -> 'Show hidden files, folders, and drives'
• Malicious code used to generate or infect files on the following paths, so you need to one by one go into the following path, and delete all files [ faxcool.exe ]
• c:windowsapppatchen-us
• c:windowssystem32driversumdfru-ru
• c:windowssystem32sr-latn-rs
• c:windowssystem32langtvwizardita
• c:windowstempusb3intel21langit-it
• c:windowssystem32spoolxpsepamd64amd64
• c:windowssystem32driversumdfru-ru
• c:windowssystem32sr-latn-rs
• c:windowssystem32langtvwizardita
• c:windowstempusb3intel21langit-it
• c:windowssystem32spoolxpsepamd64amd64
• Finally, restart your computer.
Method 2: Automatic Removal Using Tools (Recommended)
This is free virus detection software, and it can be well compatible with many well-known anti-virus software, so users do not have to uninstall anti-virus software on the computer.
It is 'environmentally friendly' for computers. After downloading, it can be used by decompression and without installation. In the process of running, it will not write any information to the registry, nor create any new files to the Windows folder of the system disk. When you do not need it, you can delete it. It will not leave any spam information on your computer.
When you find your operating system is abnormal, and the file name listed above appears in the Task Manager, or there are several processes in running with the same name as the core file name, it is best to download the anti-virus software to check your system.
If you don't know if faxcool.exe is infected with malicious code on your computer, you may also use online scan tool.
• Use the following online detection function to check the file.
How do I use the T21 engine for online scanning?
T21 can detect unknown files online, mainly using 'behavior-based' judgment mechanism. It is very simple to use T21.
1. Click the 'Upload File' button, select the file you want to detect, and then click 'Submit'. 2. The next step is to wait for the system to check, which may take a little time, so please be patient.
3. When the T21 scan engine finishes detection, the test results are immediately fed back, as shown below: • If you suspect that there are malicious files on your computer, but you cannot find where they are, or if you want to make a thorough check on your computer, you can download the automatic scanning tool. If you want to know what kind of T21 system is, you can click here to view the introduction of T21. You can also go to the home page to read the original intention and philosophy of my development of T21 system.
Other captured malicious files:
igfxsrvc.exe file analysis
igfxpers.exe file analysis
tvwsetup.exe file analysis
wusetupv.exe file analysis
unnerobackitup.exe file analysis
unneromediahome.exe file analysis
dllparam.dll file analysis
32ad6c4c7d46f8a871617b2db566f09f.exe file analysis
e362cc6a85eae781152c7679c99c70dd.exe file analysis
Dec 10, 2015, 16:29 pm (This post was last modified: Dec 10, 2015, 17:09 pm by asterastrip.)
Hello all.
I downloaded and installed THIS version of windows a few years ago and it works great.
The version i installed is windows 7 home premium 64bit sp1
I didn't have to do anything during installation, everything done automatically by whatever type of crack is included in the torrent.
The torrent description mentions 'This release has integrated RemoveWAT 2.2.6.0.'
I always downloaded the latest windows updates and never had any issues.
Until today when i downloaded the updates and at the bottom right corner of the desktop i got this message.
Here's the list of the latest updates i grabbed
I'm an utter noob, i don't even know how to check if my windows is registered/activated and why i got this message all of a sudden
Apparently i'm not the only one with this issue. Other users had the same problem after today's updates.
Any help chaps?
**EDIT**
in the path C:WindowsSetupscripts is located faxcool.exe
I right click and run as admin and i get this message:
**EDIT 2**
I did a system restore and the message is gone now.
Just have to find out which update caused it so as not to download it again
I downloaded and installed THIS version of windows a few years ago and it works great.
The version i installed is windows 7 home premium 64bit sp1
I didn't have to do anything during installation, everything done automatically by whatever type of crack is included in the torrent.
The torrent description mentions 'This release has integrated RemoveWAT 2.2.6.0.'
I always downloaded the latest windows updates and never had any issues.
Until today when i downloaded the updates and at the bottom right corner of the desktop i got this message.
Here's the list of the latest updates i grabbed
I'm an utter noob, i don't even know how to check if my windows is registered/activated and why i got this message all of a sudden
Apparently i'm not the only one with this issue. Other users had the same problem after today's updates.
Any help chaps?
**EDIT**
in the path C:WindowsSetupscripts is located faxcool.exe
I right click and run as admin and i get this message:
**EDIT 2**
I did a system restore and the message is gone now.
Just have to find out which update caused it so as not to download it again