pdrv.exe - Dangerous
Manual removal instructions:
Antivirus Report of pdrv.exe:
We suggest you remove pdrv.exe from your computer as soon as possible.
Pdrv.exe is a Trojan/Backdoor.
Kill the process pdrv.exe and remove pdrv.exe from Windows startup.
File:
C:\sand-box\pdrv.exe
Classification:
Antivirus Version Last Update Result
AVG 8.5.0.339 2009.06.17 Rootkit-Agent.EA
BitDefender 7.2 2009.06.18 -
Comodo 1360 2009.06.18 -
DrWeb 5.0.0.12182 2009.06.17 -
F-Secure 8.0.14470.0 2009.06.18 -
NOD32 4165 2009.06.18 Win32/Tinxy.AF
Symantec 1.4.4.12 2009.06.18 Trojan Horse
Additional information
File size: 47616 bytes
MD5: ca557e7460c222ef90e9d36881f6ac53
SHA1: d17746d8cd0df9bd79a4d3e5cf4765fac731f1e9
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys deleted:0
----------------------------------
----------------------------------
Keys added:54
----------------------------------
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVER
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVER\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERDRV
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERDRV\0000
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel
HKLM\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll
HKLM\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups
HKLM\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\UI
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKLM\SYSTEM\CurrentControlSet\Services\driver
HKLM\SYSTEM\CurrentControlSet\Services\driver\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\driver\Security
HKLM\SYSTEM\CurrentControlSet\Services\driverdrv
HKLM\SYSTEM\CurrentControlSet\Services\driverdrv\Security
----------------------------------
Values deleted:0
----------------------------------
----------------------------------
Values added:49
----------------------------------
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ti: "1"
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\driver: 'driver'
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\Guid: "710adbf0-ce88-40b4-a50d-231ada6593f0"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\BitNames: " NAP_TRACE_BASE NAP_TRACE_NETSH"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\LogSessionName: "stdout"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Active: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\ControlFlags: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\Guid: "b0278a28-76f1-4e15-b1df-14b209a12613"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\BitNames: " Error Unusual Info Debug"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\LogSessionName: "stdout"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\Active: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\ControlFlags: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVER\0000\Service: "driver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVER\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVER\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVER\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVER\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVER\0000\DeviceDesc: "driver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVER\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERDRV\0000\Service: "driverdrv"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERDRV\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERDRV\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERDRV\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERDRV\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERDRV\0000\DeviceDesc: "driverdrv"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERDRV\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel\EventMessageFile: "%SystemRoot%\system32\lsasrv.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel\TypesSupported: 0x00000007
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:TCP: "8085:TCP:*:Enabled:driver"
HKLM\SYSTEM\CurrentControlSet\Services\driver\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\driver\Parameters\ServiceDll: "C:\Program Files\driver\driver.dll"
HKLM\SYSTEM\CurrentControlSet\Services\driver\Type: 0x00000020
HKLM\SYSTEM\CurrentControlSet\Services\driver\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\driver\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\driver\ImagePath: "C:\WINDOWS\system32\svchost.exe -k driver"
HKLM\SYSTEM\CurrentControlSet\Services\driver\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\driver\FailureActions: 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00
HKLM\SYSTEM\CurrentControlSet\Services\driverdrv\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\driverdrv\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\driverdrv\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\driverdrv\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\driverdrv\ImagePath: "\??\C:\Program Files\driver\driver.sys"
----------------------------------
Values modified:2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Sources: 'WZCSVC Wudf01000 WPDClassInstaller Workstation WMPNetworkSvc Windows Update Agent Windows Script Host Windows File Protection Win32k WgaNotify W32Time VolSnap vmx_svga vmscsi vmdebug vmci viaide VgaSave USER32 UPS ultra udfs toside TermServSessDir TermService TermServDevices TermDD tdi TCPMon Tcpip System Error sym_u3 sym_hi symc8xx symc810 StillImage SSDPSRV Srv srservice sr sparrow sndblst Simbad SideBySide sfloppy Setup Service Control Manager Server serial scsiport Schedule SCardSvr Save Dump SAM RSVP Removable Storage Service RemoteAccess redbook Rdbss RasMan RasAuto ql1280 ql1240 ql12160 ql10wnt ql1080 PSched Print PptpMiniport PolicyAgent PlugPlayManager perc2 pcmcia pciide pci parvdm partmgr parport OSPFMib OSPF null NtServicePack ntfs npfs Nla Netlogon NetDDE NetBT NetBIOS NdisWan ndis napipsecenf napagent Mup msfs msadlib MrxSmb MRxDAV mraid35x mouclass Modem LsaSrv LmHosts LDMS LDM lbrtfdc Kerberos kbdclass isapnp IPXSAP IPXRouterManager IPXRIP IPXCP IPSec IPRouterManager IPRIP2 IPNATHLP IPMGM IPBOOTP intelppm intelide ini910u IGMPv2 i8042prt i2omp i2omgmt Http hpn ftdisk fs_rec flpydisk Fips fdc fastfat eventlog efs dpti2o Dnscache Dnsapi dmio dmboot Distributed Link Tracking Client disk DhcpQec Dhcp DfsSvc DfsDriver DCOM dac960nt dac2w2k cpqarray cmdide changer cdrom Cdm cdfs cdaudio cd20xrnt cbidf2k Browser BITS beep Atmarpc atdisk atapi AsyncMac asc3550 asc3350p asc Application Popup apphelp amsint ami0nt aliide Alerter aic78xx aic78u2 aha154x adpu160m acpiec acpi abp480n5 abiosdsk System'
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Sources: 'Schannel WZCSVC Wudf01000 WPDClassInstaller Workstation WMPNetworkSvc Windows Update Agent Windows Script Host Windows File Protection Win32k WgaNotify W32Time VolSnap vmx_svga vmscsi vmdebug vmci viaide VgaSave USER32 UPS ultra udfs toside TermServSessDir TermService TermServDevices TermDD tdi TCPMon Tcpip System Error sym_u3 sym_hi symc8xx symc810 StillImage SSDPSRV Srv srservice sr sparrow sndblst Simbad SideBySide sfloppy Setup Service Control Manager Server serial scsiport Schedule SCardSvr Save Dump SAM RSVP Removable Storage Service RemoteAccess redbook Rdbss RasMan RasAuto ql1280 ql1240 ql12160 ql10wnt ql1080 PSched Print PptpMiniport PolicyAgent PlugPlayManager perc2 pcmcia pciide pci parvdm partmgr parport OSPFMib OSPF null NtServicePack ntfs npfs Nla Netlogon NetDDE NetBT NetBIOS NdisWan ndis napipsecenf napagent Mup msfs msadlib MrxSmb MRxDAV mraid35x mouclass Modem LsaSrv LmHosts LDMS LDM lbrtfdc Kerberos kbdclass isapnp IPXSAP IPXRouterManager IPXRIP IPXCP IPSec IPRouterManager IPRIP2 IPNATHLP IPMGM IPBOOTP intelppm intelide ini910u IGMPv2 i8042prt i2omp i2omgmt Http hpn ftdisk fs_rec flpydisk Fips fdc fastfat eventlog efs dpti2o Dnscache Dnsapi dmio dmboot Distributed Link Tracking Client disk DhcpQec Dhcp DfsSvc DfsDriver DCOM dac960nt dac2w2k cpqarray cmdide changer cdrom Cdm cdfs cdaudio cd20xrnt cbidf2k Browser BITS beep Atmarpc atdisk atapi AsyncMac asc3550 asc3350p asc Application Popup apphelp amsint ami0nt aliide Alerter aic78xx aic78u2 aha154x adpu160m acpiec acpi abp480n5 abiosdsk System'
----------------------------------
Files added:3
----------------------------------
C:\Program Files\driver\driver.dll
C:\Program Files\driver\driver.sys
C:\WINDOWS\Temp\Perflib_Perfdata_f0.dat
----------------------------------
Files deleted:1
----------------------------------
C:\sand-box\pdrv.exe
----------------------------------
Files [attributes?] modified:1
----------------------------------
C:\WINDOWS\system32\wbem\Logs\wbemcore.log
----------------------------------
Folders added:1
----------------------------------
C:\Program Files\driver
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:111
----------------------------------
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:
Type: Svchost DLLs
Item Name: driver
Related File: C:\Program Files\driver\driver.dll
Removal Results: Success
Number of reboots: 1
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since then I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly if you have any questions.