Removed: PRAGMAd.sys (variant of TDSS trojan – Alureon/Olmarik)

I will tell you in this post how to fix the issue manually and how to clean it automatically using a special powerful removal tool. You can download the removal program for free here:

Malware: C:\sand-box\install01.exe

Removed: C:\WINDOWS\PRAGMAqipfvcxnqq\PRAGMAd.sys

—————————————————————————————————————————-
After first reboot detected by UnHackMe:

Item Name: PRAGMAqipfvcxnqq
Author:
Related File: C:\WINDOWS\PRAGMAQIPFVCXNQQ\PRAGMAD.SYS
Type: Services detected by Partizan

Removal Results: Success
Number of reboot: 2
—————————————————————————————————————————-
Classification:

Antivirus   Version       Last Update   Result
F-Secure    9.0.15370.0   2010.05.11    Gen:Variant.TDss.20
Kaspersky   7.0.0.125     2010.05.11    Trojan-Downloader.Win32.FraudLoad.xcxu
Microsoft   1.5703        2010.05.11    Trojan:Win32/Alureon.gen!J
NOD32       5105          2010.05.11    Win32/Olmarik.YX

—————————————————————————————————————————-
Additional information
File size: 88576 bytes
MD5:    92f841a030057e645e71d0817cca0b8a
SHA1:   b7273df7d70b60dfcbc8fe6b3e1f0ac8679cd0fa
SHA256: a58cc1595d9e5b90b1f5f0fc53cb6ba7ed808c3aeea077d7c09f7c2d8c9c66cb
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry keys, values, files and folders:

———————————-
Keys added:6
———————————-
HKLM\Software\PRAGMA
HKLM\Software\PRAGMA\versions
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\modules

———————————-
Values added:17
———————————-
HKLM\Software\PRAGMA\affid: “traf”
HKLM\Software\PRAGMA\subid: “pragma”
HKLM\Software\PRAGMA\type: “no”
HKLM\Software\PRAGMA\build: “bbr”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\Service: “PRAGMAqipfvcxnqq”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\Class: “LegacyDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\DeviceDesc: “PRAGMAqipfvcxnqq”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\Capabilities: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\modules\PRAGMAd: “\systemroot\PRAGMAqipfvcxnqq\PRAGMAd.sys”
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\modules\PRAGMAc: “\systemroot\PRAGMAqipfvcxnqq\PRAGMAc.dll”
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\start: 0x00000001
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\type: 0x00000001
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\imagepath: “\systemroot\PRAGMAqipfvcxnqq\PRAGMAd.sys”

———————————-
Values modified:2
———————————-
(-) HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000001
(+) HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
(-) HKLM\System\CurrentControlSet\Services\wscsvc\Start: 0x00000002
(+) HKLM\System\CurrentControlSet\Services\wscsvc\Start: 0x00000004

———————————-
Files added:5
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\PRAGMA7d1f.tmp
C:\WINDOWS\PRAGMAqipfvcxnqq\PRAGMAc.dll
C:\WINDOWS\PRAGMAqipfvcxnqq\PRAGMAcfg.ini
C:\WINDOWS\PRAGMAqipfvcxnqq\PRAGMAd.sys
C:\WINDOWS\PRAGMAqipfvcxnqq\PRAGMAsrcr.dat

———————————-
Files deleted:1
———————————-
C:\sand-box\install01.exe

———————————-
Files [attributes?] modified:3
———————————-
C:\Documents and Settings\NetworkService\Cookies\index.dat
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat

———————————-
Folders added:1
———————————-
C:\WINDOWS\PRAGMAqipfvcxnqq

———————————-
Folders attributes changed:2
———————————-
C:\Documents and Settings\NetworkService\Local Settings\History
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

———————————-
Total changes:37
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com

I use UnHackMe for cleaning ads and viruses from my friends' computers, because it is extremely fast and effective.

1. Download UnHackMe for free

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

Free Download

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000 to Windows 8.1/10, 32- or 64-bit. UnHackMe uses a minimum of computer resources.

2. Double click on UnHackMe_setup.exe

You will see a confirmation screen with the verified publisher: Greatis Software.

Once UnHackMe has been installed, the first scan will start automatically.

3. Carefully review the detected threats!

Click the Remove button, or mark an item as a False Positive.

Enjoy!