URGENT: Need helping resolving Evenit ID problem

darael · 14 Nov 2011 at 12:34

This has been an ongoing problem for a long time now, and I've never been able to drill down to what is causing this problem.

In Event Viewer, I am getting lots of the following errors:

The qxxv3 Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event ID 7028

Have looked through the registry for qxxv3, and the following registry keys are found:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_QXXV3]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_QXXV3\0000]
"Service"="qxxv3"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="qxxv3"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_QXXV3\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_QXXV3\0000\Control]
"ActiveService"="qxxv3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_QXXV3]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_QXXV3\0000]
"Service"="qxxv3"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="qxxv3"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_QXXV3\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_QXXV3]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_QXXV3\0000]
"Service"="qxxv3"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="qxxv3"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_QXXV3\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QXXV3]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QXXV3\0000]
"Service"="qxxv3"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="qxxv3"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QXXV3\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QXXV3\0000\Control]
"ActiveService"="qxxv3"

I can't find a service called qxxv3, so I'm at a loss now.

Nevram · 14 Nov 2011 at 13:19

How often do you get the problem? if i was you i'd give the SYSTEM account on your machine full access permissions to the relative keys?

see how you get on.

darael · 14 Nov 2011 at 14:13

That qxxv3 is a total pain. Used a RootRepeal, and it picked up qxxv3.sys - look with all files shown, but I couldn't see it. Made a dump of it, and analysed it with http://www.virustotal.com/ - and instantly deleted it when I saw this:

Antivirus -- Version -- Last Update -- Result
AntiVir -- 7.11.17.151 -- 2011.11.14 -- TR/Rootkit.Gen2
BitDefender -- 7.2 -- 2011.11.14 -- Gen:Rootkit.Heur.CuZ@gi!heYi
F-Secure -- 9.0.16440.0 -- 2011.11.14 -- Gen:Rootkit.Heur.CuZ@gi!heYi
GData -- 22 -- 2011.11.14 -- Gen:Rootkit.Heur.CuZ@gi!heYi
nProtect -- 2011-11-14.01 -- 2011.11.14 Gen:Rootkit.Heur.CuZ@gi!heYi

Nevram · 16 Nov 2011 at 11:25

nice work, its probably a good job you didnt add the extra permissions as suggested