Removed: 30609.exe, IGwqNKmplw.exe (Fake System Tool – HDD Diagnostic)

Malware: file.exe

Removed: C:\Documents and Settings\Administrator\Local Settings\Temp\30609.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IGwqNKmplw.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: IGwqNKmplw.exe
Author: MEDIA Corporation
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\IGWQNKMPLW.EXE
Type: Registry Run

Item Name: 30609
Author: HDD Corporation
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\30609.EXE
Type: Registry Run

Item Name: 30609.exe
Author:
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\30609.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IGwqNKmplw.exe
Value: “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IGwqNKmplw.exe”

Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\30609
Value: “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\30609.exe”

Folders:
C:\Documents and Settings\Administrator\Start Menu\Programs\HDD Diagnostic\
Files:
C:\Documents and Settings\Administrator\Desktop\HDD Diagnostic.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\30609
C:\Documents and Settings\Administrator\Local Settings\Temp\30609.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IGwqNKmplw.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\QvgbQcmsAS.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp77B0.tmp.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\HDD Diagnostic\HDD Diagnostic.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\HDD Diagnostic\Uninstall HDD Diagnostic.lnk
—————————————————————————————————————————-
Classification:

Antivirus	Version	Last Update	Result
F-Secure	9.0.16160.0	2010.12.08	Trojan.Generic.KDV.83134
Kaspersky	7.0.0.125	2010.12.07	Trojan-Dropper.Win32.FrauDrop.bqb
Microsoft	1.6402	2010.12.07	Trojan:Win32/FakeSysdef
NOD32	5682	2010.12.07	Win32/TrojanDownloader.Prodatect.AU

—————————————————————————————————————————-

MD5 b2e7745e4116a3788224a005f67238d9

SHA1 4e86ea0e16856bc7314686bcc84d62a0440d1888

SHA256 2918af1ad7c36624befaabfc765ef39eb73731567b98e321ed05388c68c583b8

—————————————————————————————————————————-

Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Values added:5
———————————-
HKCU\Software\12B79064-EB17-4f82-9DFE-B975BD26D1DC: “”
HKCU\Software\Microsoft\BootData: 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 41 00 44 00 4D 00 49 00 4E 00 49 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 33 00 30 00 36 00 30 00 39 00 2E 00 65 00 78 00 65 00 00 00
HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest: “Yes”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IGwqNKmplw.exe: “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IGwqNKmplw.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\30609: “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\30609.exe”

———————————-
Files added:8
———————————-
C:\Documents and Settings\Administrator\Desktop\HDD Diagnostic.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\30609
C:\Documents and Settings\Administrator\Local Settings\Temp\30609.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IGwqNKmplw.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\QvgbQcmsAS.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp77B0.tmp.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\HDD Diagnostic\HDD Diagnostic.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\HDD Diagnostic\Uninstall HDD Diagnostic.lnk

———————————-
Files deleted:1
———————————-
C:\sand-box\file.exe

———————————-
Folders added:1
———————————-
C:\Documents and Settings\Administrator\Start Menu\Programs\HDD Diagnostic

———————————-
Total changes:15
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com

Comments

• Greatis Software

  • Error- No such interface supported
  • Fix 80073712 Error
  • Free Download
  • Popular Posts
  • Restore TCPIP.SYS
  • Send a file

• AverScanner

  AverScaner- EveryDay Malware Scan

• Testimonials

  Bob

  The UnHackMe is a real program, no spyware or phish and works great and is easy to use. Enjoy!

• Impove boot up time

  Run a free scan to diagnose your PC: Start Test!

• Blogroll

  • RegRun removes rootkits/malware that your antivirus could not.
  • Removing rootkits is best done from the outside!
  • UnHackMe – rootkit killer!
• 
•