511c5dfe.sys - Dangerous

511c5dfe.sys

Manual removal instructions:

Antivirus Report of 511c5dfe.sys:
511c5dfe.sys Malware
511c5dfe.sysDangerous
511c5dfe.sysHigh Risk
511c5dfe.sys
We suggest you to remove tqqdv.exe from your computer as soon as possible.
Tqqdv.exe is Trojan/Backdoor.
Kill the process tqqdv.exe and remove tqqdv.exe from Windows startup.

File: tqqdv.exe (C:\sand-box\tqqdv.exe)
-------------------------------------------------------------------------------------
Classification:
Code:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.27 Win32:Harnig-PA
AVG 8.5.0.406 2009.08.27 SpamBot.W
BitDefender 7.2 2009.08.28 Trojan.Downloader.LoadAdv.ACG
Comodo 2114 2009.08.28 UnclassifiedMalware
DrWeb 5.0.0.12182 2009.08.28 Trojan.Packed.2582
F-Secure 8.0.14470.0 2009.08.28 -
Kaspersky 7.0.0.125 2009.08.28 -
Microsoft 1.4903 2009.08.28 TrojanDownloader:Win32/Harnig.gen!N
NOD32 4375 2009.08.28 a variant of Win32/Kryptik.ABT
Symantec 1.4.4.12 2009.08.27 -

Additional information
File size: 9728 bytes
MD5 : 49719cee51d2716ea303f70ea3c58167
SHA1 : 74195b89ac96d4878be9c60322d880e46905fc7b
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:

----------------------------------
Keys deleted:2
----------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew

----------------------------------
Keys added:4
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\extensions
HKLM\SYSTEM\CurrentControlSet\Services\511c5dfe
HKCU\Software\Microsoft\Internet Explorer\International\cpmru
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\postsetup

----------------------------------
Values deleted:0
----------------------------------

----------------------------------
Values added:13
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jfxdghs: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\r56y7u.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\extensions\.ini: "notepad.exe ^.ini"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\extensions\.txt: "notepad.exe ^.txt"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\extensions\.wtx: "notepad.exe ^.wtx"
HKLM\SYSTEM\CurrentControlSet\Services\511c5dfe\ImagePath: "\SystemRoot\System32\drivers\511c5dfe.sys"
HKLM\SYSTEM\CurrentControlSet\Services\511c5dfe\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\511c5dfe\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\511c5dfe\ErrorControl: 0x00000001
HKCU\Software\Microsoft\Internet Explorer\International\W2KLpk: 0x00000001
HKCU\Software\Microsoft\Internet Explorer\International\cpmru\Enable: 0x00000001
HKCU\Software\Microsoft\Internet Explorer\International\cpmru\Size: 0x0000000A
HKCU\Software\Microsoft\Internet Explorer\International\cpmru\InitHits: 0x00000064
HKCU\Software\Microsoft\Internet Explorer\International\cpmru\Factor: 0x00000014

----------------------------------
Values modified:4
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start: 0x00000004
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000004

----------------------------------
Files added:8
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\r56y7u.exe
C:\WINDOWS\system32\drivers\511c5dfe.sys
C:\-1405931530
C:\fpgx.exe
C:\ljna.exe
C:\qvkanx.exe
C:\yfoxxyaw.exe

----------------------------------
Files deleted:1
----------------------------------
C:\sand-box\tqqdv.exe

----------------------------------
Files [attributes?] modified:0
----------------------------------

----------------------------------
Folders added:0
----------------------------------

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Total changes:32
----------------------------------

-------------------------------------------------------------------------------------
Internet activity:
Code:
HTTP GET http://aacompliance.com/uniq.php?id=-140...
HTTP GET http://batechpro.net/bbsuper0.php
HTTP GET http://batechpro.net/bbsuper1.php
HTTP GET http://batechpro.net/bbsuper2.php
HTTP GET http://batechpro.net/bbsuper3.php
HTTP GET http://config.iwillhavesexygirls.com:88/...
HTTP GET http://test.goldinstall.com/in.php?selid...
HTTP GET http://config.iwillhavesexygirls.com:88/...
HTTP GET http://test.goldinstall.com/in.php?selid...
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: jfxdghs
Author:
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\r56y7u.exe
Type: Registry Run

After first reboot detected by RegRun Reanimator:

Item Name: 511c5dfe
Author:
Related File: \SystemRoot\System32\drivers\511c5dfe.sys
Type: Services detected by Partizan

Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)

Remove 511c5dfe.sys now!

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.

Since that time I work every day to fix the issues that antiviruses cannot.

If your antivirus have not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.

Testimonials

You can read UnHackMe testimonials here.