Removed: sdra64.exe, SVC.EXE, winamnc.dll, WINBUDUMP.EXE, opeF.exe, BINFIX7080010000.EXE, DSKCLNWIZ.DLL, ssqpqp.dll Restored: TERMDD.SYS (multi trojan – Zbot and TDSS)

I use UnHackMe for cleaning adware and viruses from my friend's computers, because it is extremely fast and effective.

Download free e-book [PDF]: "How to Easily Remove Malware with UnHackMe"



Malware: g9aaf1.exe

Removed: C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\SVC.EXE
C:\WINDOWS\system32\winamnc.dll
C:\WINDOWS\SYSTEM32\WINBUDUMP.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\opeF.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\BINFIX7080010000.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\DESKTOP CLEANUP WIZARD\DSKCLNWIZ.DLL
C:\WINDOWS\system32\ssqpqp.dll
Restored: C:\WINDOWS\SYSTEM32\DRIVERS\TERMDD.SYS

—————————————————————————————————————————-
Detected by RegRun Warrior:

1. RegRun Reanimator:



Item Name: UserInit
Author: Unknown
Related File: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
Type: UserInit Value

Item Name: termdd.sys – restored
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\DRIVERS\TERMDD.SYS
Type: System Drivers Infected by Rootkit

Item Name: netc
Author: Unknown
Related File: C:\WINDOWS\SVC.EXE
Type: Registry Run

Item Name: AppInit_DLLs
Author: Unknown
Related File: C:\WINDOWS\system32\winamnc.dll
Type: List of Injected DLLs

Item Name: winbackupdumper-id19g6SX8qbazr
Author:
Related File: C:\WINDOWS\SYSTEM32\WINBUDUMP.EXE
Type: Drivers

Item Name: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\opeF.exe
Author: Unknown
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\OPEF.EXE
Type: Registry Run

Item Name: binfix7080010000.exe
Author: Unknown
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\BINFIX7080010000.EXE
Type: Registry Run

Item Name: iifeebsys
Author: foobar2000.org
Related File: SSQPQP.DLL
Type: Registry Run

Item Name: Acronis Toolbar Helper
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\DESKTOP CLEANUP WIZARD\DSKCLNWIZ.DLL
Type: Registry Run

2. Multi AntiVirus scan:

- none -

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-

Antivirus    Version        Last Update    Result
F-Secure     9.0.15370.0    2010.09.13     Suspicious:W32/Malware!Gemini
Kaspersky    7.0.0.125      2010.09.13     -
Microsoft    1.6103         2010.09.12     -
NOD32        5446           2010.09.13     -

—————————————————————————————————————————-
Additional information
MD5 : 9c7f3c812b44c4659784c264de41f854
SHA1 : 9418b4066c8d55eee4d088af97e81b0bdc1e2528
SHA256: c3cab53fffd7f107b7107ab68fff131c61b5b5743bc8df9a8c472e792e8dac49
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry subkeys and values, files and folders:

———————————-
Keys added:10
———————————-
HKLM\Software\Microsoft\Amnesiac
HKLM\Software\Microsoft\DownloadManager
HKLM\Software\Microsoft\Notepad
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PUYCWKBDRIUBVSP
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PUYCWKBDRIUBVSP\0000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINBACKUPDUMPER-ID19G6SX8QBAZR
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINBACKUPDUMPER-ID19G6SX8QBAZR\0000
HKLM\System\CurrentControlSet\Services\puycwkbdriubvsp
HKLM\System\CurrentControlSet\Services\winbackupdumper-id19g6SX8qbazr
HKLM\System\CurrentControlSet\Services\winbackupdumper-id19g6SX8qbazr\Security

———————————-
Values added:33
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\opeF.exe : "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\opeF.exe "
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\netc: "C:\WINDOWS\svc.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\binfix7080010000.exe: ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\binfix7080010000.exe""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\iifeebsys: "rundll32.exe "ssqpqp.dll",s"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Acronis Toolbar Helper: "rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll", StartProt"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network\UID: "PC_FOR_TEST_201_00009848"
HKLM\Software\Microsoft\Amnesiac\Keywords: (binary data, omitted)
HKLM\Software\Microsoft\Notepad\rheVz0U3Ahp: "rO37SvbT2us0geIOL0UvzhvOpbImRh9o8h2eP0MVz0Cb"
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: (binary data, omitted)
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PUYCWKBDRIUBVSP\0000\Service: "puycwkbdriubvsp"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PUYCWKBDRIUBVSP\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PUYCWKBDRIUBVSP\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PUYCWKBDRIUBVSP\0000\Class: "LegacyDriver"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PUYCWKBDRIUBVSP\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PUYCWKBDRIUBVSP\0000\DeviceDesc: "puycwkbdriubvsp"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PUYCWKBDRIUBVSP\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINBACKUPDUMPER-ID19G6SX8QBAZR\0000\Service: "winbackupdumper-id19g6SX8qbazr"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINBACKUPDUMPER-ID19G6SX8QBAZR\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINBACKUPDUMPER-ID19G6SX8QBAZR\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINBACKUPDUMPER-ID19G6SX8QBAZR\0000\Class: "LegacyDriver"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINBACKUPDUMPER-ID19G6SX8QBAZR\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINBACKUPDUMPER-ID19G6SX8QBAZR\0000\DeviceDesc: "Windows System Backup Dumper"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINBACKUPDUMPER-ID19G6SX8QBAZR\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4_pinnew.exe: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4_pinnew.exe:*:Enabled:Enabled"
HKLM\System\CurrentControlSet\Services\puycwkbdriubvsp\imagepath: "\??\C:\WINDOWS\TEMP\16.tmp"
HKLM\System\CurrentControlSet\Services\puycwkbdriubvsp\type: 0x00000001
HKLM\System\CurrentControlSet\Services\winbackupdumper-id19g6SX8qbazr\Security\Security: (binary data, omitted)
HKLM\System\CurrentControlSet\Services\winbackupdumper-id19g6SX8qbazr\Type: 0x00000120
HKLM\System\CurrentControlSet\Services\winbackupdumper-id19g6SX8qbazr\Start: 0x00000002
HKLM\System\CurrentControlSet\Services\winbackupdumper-id19g6SX8qbazr\ErrorControl: 0x00000000
HKLM\System\CurrentControlSet\Services\winbackupdumper-id19g6SX8qbazr\ImagePath: "C:\WINDOWS\system32\winbudump.exe"
HKLM\System\CurrentControlSet\Services\winbackupdumper-id19g6SX8qbazr\DisplayName: "Windows System Backup Dumper"
HKLM\System\CurrentControlSet\Services\winbackupdumper-id19g6SX8qbazr\ObjectName: "LocalSystem"

———————————-
Values modified:7
———————————-
(-) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\Name: "iexplore.exe"
(+) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\Name: "1your_exe.exe"
(-) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\ID: 0x48ACC122
(+) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\ID: 0x479DB18C
(-) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: ""
(+) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "C:\WINDOWS\system32\winamnc.dll"
(-) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
(+) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
(-) HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages: 'msv1_0'
(+) HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages: 'msv1_0 ssqpqp.dll'
(-) HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "C:\WINDOWS\system32\ESENT.dll"
(+) HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "c:\windows\system32\ESENT.dll"
(-) HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "C:\WINDOWS\system32\ESENT.dll"
(+) HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "c:\windows\system32\ESENT.dll"

———————————-
Files added:38
———————————-
C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D\mainapp708dl.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\15.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\17.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\1your_exe.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\1_goo.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\4_pinnew.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\60325cahp25ca0.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\6_ldry3no.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\avto.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\binfix7080010000.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\cac11.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\dussfx.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\fFollower.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\miragge.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\neqlua.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\opeF.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\opeF.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\pxomqfxj.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\q1.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\qihkqlk.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\svchosty.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\uaoil.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\yfhf.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\_OR9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\_ORC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\_TPE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\_TU8.tmp
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\pcre3.dll
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\ssqpqp.dll
C:\WINDOWS\system32\winamnc.dll
C:\WINDOWS\system32\winamnc_backup.dll
C:\WINDOWS\system32\winbudump.exe
C:\WINDOWS\Temp\16.tmp
C:\WINDOWS\svc.exe

———————————-
Files [attributes?] modified:3
———————————-
C:\Documents and Settings\NetworkService\Cookies\index.dat
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat

———————————-
Folders added:3
———————————-
C:\Documents and Settings\Administrator\Application Data\B34B7AF9CB40065433C8C631C37A9A2D
C:\Documents and Settings\Administrator\Local Settings\Application Data\Desktop Cleanup Wizard
C:\WINDOWS\system32\lowsec

———————————-
Folders attributes changed:2
———————————-
C:\Documents and Settings\NetworkService\Local Settings\History
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

———————————-
Total changes:96
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com

1. Download UnHackMe for free

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.


UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000 to Windows 8.1/10, 32- or 64-bit. UnHackMe uses a minimum of computer resources.

2. Double click on UnHackMe_setup.exe

You will see a confirmation screen with the verified publisher: Greatis Software.

Once UnHackMe has installed, the first scan will start automatically.

3. Carefully review the detected threats!

Click the Remove button, or mark the item as a False Positive.

What to do if you are unable to solve a problem?

UnHackMe Remote Assistant
  1. Open the UnHackMe main screen.
  2. Click the Remote Assistant button.
  3. Follow the instructions on the screen.
  4. We will contact you and send a solution to your problem.
  5. Remote assistance is free during the trial period.

Enjoy!