w32_ss.exe - Dangerous
%sysdir%\w32_ss.exe
Manual removal instructions:
Antivirus Report of %sysdir%\w32_ss.exe:
%sysdir%\w32_ss.exe
W32_SS.EXE is rootkit Trojan.Haxdoor-G.
W32_SS.EXE is used to hide files, processes and registry.
W32_SS.EXE is a kernel mode rootkit.
Rootkit contacts remote hacker server using HTTP session.
SDMAPI.SYS created new system drivers:
service name: "SDMAPI"
display name: "KESDM"
BOOT32.SYS created new system drivers:
service name: " BOOT32"
display name: " KEBOOT"
Related files:
%SysDir%\
%SysDir%\DEBUG.DLL
%SysDir%\SDMAPI.SYS
%SysDir%\BOOT32.SYS
%SysDir%\C3.DLL
%SysDir%\C3.SYS
%SysDir%\C4.SYS
%SysDir%\P2.INI
%SysDir%\KLOG.SYS
%SysDir%\KLOGINI.DLL
%SysDir%\IN.A3D
%SysDir%\PS.A3D
%SysDir%\ERROR.A3D
Adds the value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\secboot
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\
DllName = debugg.dll
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\
EntryPoint = MemManager
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\
StackSize = 0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\DllName = debugg.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\Startup = MemManager
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\Impersonate = 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\Asynchronous = 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\MaxWait = 1
to the Windows startup registry keys.
Added to registry:
HKLM\SYSTEM\RAdminv\2.0\Parameters\DisableTrayIcon
HKLM\SYSTEM\CurrentControlSet\Control\Impersonate
HKLM\SYSTEM\CurrentControlSet\Control\Session Management\EnforceWriteProtection
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersoin\hws
| %sysdir%\w32_ss.exe | Malware |
| %sysdir%\w32_ss.exe | Dangerous |
| %sysdir%\w32_ss.exe | High Risk |
W32_SS.EXE is used to hide files, processes and registry.
W32_SS.EXE is a kernel mode rootkit.
Rootkit contacts remote hacker server using HTTP session.
SDMAPI.SYS created new system drivers:
service name: "SDMAPI"
display name: "KESDM"
BOOT32.SYS created new system drivers:
service name: " BOOT32"
display name: " KEBOOT"
Related files:
%SysDir%\
%SysDir%\DEBUG.DLL
%SysDir%\SDMAPI.SYS
%SysDir%\BOOT32.SYS
%SysDir%\C3.DLL
%SysDir%\C3.SYS
%SysDir%\C4.SYS
%SysDir%\P2.INI
%SysDir%\KLOG.SYS
%SysDir%\KLOGINI.DLL
%SysDir%\IN.A3D
%SysDir%\PS.A3D
%SysDir%\ERROR.A3D
Adds the value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\secboot
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\
DllName = debugg.dll
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\
EntryPoint = MemManager
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\
StackSize = 0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\DllName = debugg.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\Startup = MemManager
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\Impersonate = 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\Asynchronous = 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\MaxWait = 1
to the Windows startup registry keys.
Added to registry:
HKLM\SYSTEM\RAdminv\2.0\Parameters\DisableTrayIcon
HKLM\SYSTEM\CurrentControlSet\Control\Impersonate
HKLM\SYSTEM\CurrentControlSet\Control\Session Management\EnforceWriteProtection
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersoin\hws
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.