Zquest

Type: Trojan
SubType: Adware
Discovery Date: 11/30/2005
Length: Varies
Minimum DAT: 4640 (11/30/2005)
Updated DAT: 4821 (08/03/2006)
Minimum Engine: 5.1.00
Description Added: 11/30/2005
Description Modified: 02/21/2006 6:17 PM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Adware-Zquest
  • Panda Antivirus: Adware/Deskwizz
  • Symantec: Adware.ZQuest

Characteristics

-- Update February 21, 2006 --
This threat was reclassified from Adware-Zquest potentially unwanted program, to Zquest trojan.

This trojan injects advertising content at the top and bottom of web pages. It is also responsible for many pop-up ads.

Privacy:
No license agreement is displayed during installation, although one could be displayed by another installer if the trojan is bundled with another application. No EULA or privacy policy related to the software could be found.

Installation:
File name: mdm-ZQInContextactx1.exe
MD5 hash: a043bfe5087dbe19daeafc2a9cf95086

File name: ltndmain.dll
MD5 hash: 7a07dbedf87cf0a9c5357c2cb038ded8

On executing the application, the registry keys added include:

  • HKEY_CLASSES_ROOT\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF2622-8C75-4dfb-9693-23AB7686A456}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DH
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22131A58-5F9A-3EAA-28A7-C3059A3D0632}

The following files are dropped in the Windows folder:

  • c:\WINDOWS\DH.dll
  • c:\WINDOWS\dh.ini
  • c:\WINDOWS\DHU.exe
  • c:\WINDOWS\z00096.exe

[Screenshots not reproduced: pop-up example; content injection example]

Symptoms

  • Mainstream web pages displaying enormous and out-of-place advertisements.
  • Presence of the aforementioned files.
  • TCP connections to z-quest.com and/or deskwizz.com.
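An added example, not part of the McAfee description: a read-only PowerShell triage check that looks for the indicators listed in this description (the registry keys, the dropped files and live TCP connections to the two named domains) and reports what it finds without removing anything. It assumes a current Windows PowerShell with Get-NetTCPConnection and Resolve-DnsName available, and substitutes $env:SystemRoot for the hard-coded c:\WINDOWS.

```powershell
# Added example (not from the McAfee description). Report-only triage for the
# Zquest indicators on this page; cleanup is left to the engine/DAT removal.
# Run from an elevated prompt. The domains may no longer resolve; that case
# is handled rather than treated as an error.
$Clsid       = '{C5AF2622-8C75-4dfb-9693-23AB7686A456}'
$UninstallId = '{22131A58-5F9A-3EAA-28A7-C3059A3D0632}'

$RegistryKeys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DH",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallId"
)
# Dropped files; $env:SystemRoot stands in for c:\WINDOWS (assumption).
$DroppedFiles = 'DH.dll', 'dh.ini', 'DHU.exe', 'z00096.exe' |
    ForEach-Object { Join-Path $env:SystemRoot $_ }
# MD5s of the two installer components named on this page.
$KnownMd5 = 'a043bfe5087dbe19daeafc2a9cf95086', '7a07dbedf87cf0a9c5357c2cb038ded8'
$Domains  = 'z-quest.com', 'deskwizz.com'

$Findings = New-Object System.Collections.Generic.List[object]

foreach ($key in $RegistryKeys) {
    if (Test-Path -LiteralPath $key) {
        $Findings.Add([pscustomobject]@{ Type = 'Registry'; Indicator = $key; Detail = 'key present' })
    }
}

foreach ($path in $DroppedFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
        $detail = if ($KnownMd5 -contains $md5) { "MD5 $md5 matches a listed sample" } else { "MD5 $md5" }
        $Findings.Add([pscustomobject]@{ Type = 'File'; Indicator = $path; Detail = $detail })
    }
}

# Resolve each domain (A records only) and compare against established TCP peers.
$remoteIps = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemoteAddress -Unique
foreach ($domain in $Domains) {
    $ips = Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
    foreach ($ip in $ips) {
        if ($remoteIps -contains $ip) {
            $Findings.Add([pscustomobject]@{ Type = 'Network'; Indicator = $domain; Detail = "established TCP connection to $ip" })
        }
    }
}

if ($Findings.Count -eq 0) { 'No Zquest indicators found.' } else { $Findings | Format-Table -AutoSize }
```

A hit on the Browser Helper Objects key is the strongest single indicator, since that registration is what loads the DLL into Internet Explorer to inject the advertising content.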

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A