klan.sys - Dangerous

Antivirus report of klan.sys: Malware / Dangerous / High Risk

We suggest you remove klan.sys from your computer as soon as possible.
klan.sys is the kernel-mode driver component of a Trojan/rootkit (flagged as Rootkit.Win32.Agent, Trojan.NtRootKit and TrojanDownloader.Agent in the scan results below). It is loaded by a service named "klan", so deleting the file alone does not remove it.

Manual removal instructions:
Kill the file klan.sys and delete the "klan" service so the driver is no longer loaded at startup. The dropper also disables antivirus software through Image File Execution Options and replaces the system DLL appmgmts.dll; both changes are listed in the sandbox report below and must be undone as well.

Dropper file analysed: av.exe (C:\sand-box\av.exe)

Classification:
Antivirus     Version         Last update   Result
Avast         4.8.1335.0      2009.08.04    Win32:Trojan-gen {Other}
AVG           8.5.0.406       2009.08.03    Generic14.OXM
BitDefender   7.2             2009.08.04    -
Comodo        1858            2009.08.04    -
DrWeb         5.0.0.12182     2009.08.04    Trojan.MulDrop.33094
F-Secure      8.0.14470.0     2009.08.04    Trojan.Win32.Small.cba
Kaspersky     7.0.0.125       2009.08.04    Trojan.Win32.Small.cba
Microsoft     1.4903          2009.08.03    Trojan:Win32/Killav.DK
NOD32         4302            2009.08.03    Win32/TrojanDownloader.Agent.PJT
Symantec      1.4.4.12        2009.08.04    Trojan.Dropper
(- = not detected)
Additional information
File size: 15360 bytes
MD5 : 5d65a6c0751f27acccbf58540b0b4d79
SHA1 : f0a993752ae98049fcb72ff19b10fb531bfb0036

Installation

When av.exe is executed (sandbox run), the registry, file and folder changes below were recorded. Three of them matter for removal: a "Debugger" value of "ntsd -d" is added under Image File Execution Options for a long list of security-product executables, so each of those programs is started under the ntsd debugger instead of running normally and effectively never comes up (the AV-killer trick behind Microsoft's "Killav" name for the sample); a new kernel-driver service "klan" is registered to load klan.sys automatically; and the Application Management service DLL appmgmts.dll is replaced together with its dllcache copy, so Windows File Protection cannot restore the original, while the AppMgmt service is switched to automatic start.

----------------------------------
Keys deleted:1
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft H.323 Telephony Service Provider

----------------------------------
Keys added:126
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe
...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xnlscn.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\???¤??.exe>?Nw?©?€?   (non-ASCII key name, mis-encoded in the original log)
HKLM\SOFTWARE\Microsoft\DownloadManager
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000
HKLM\SYSTEM\CurrentControlSet\Services\klan
HKLM\SYSTEM\CurrentControlSet\Services\klan\Security

----------------------------------
Values deleted:2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft H.323 Telephony Service Provider\EventMessageFile: "C:\WINDOWS\System32\h323.tsp"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft H.323 Telephony Service Provider\TypesSupported: 0x00000007

----------------------------------
Values added:140
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\Debugger: "ntsd -d"
...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webproxy.exe\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xnlscn.exe\Debugger: "ntsd -d"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\Service: "AppMgmt"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\DeviceDesc: "Application Management"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\Service: "klan"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\DeviceDesc: "klan"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\klan\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\klan\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\klan\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\klan\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\klan\ImagePath: "\??\C:\WINDOWS\system32\drivers\klan.sys"
HKLM\SYSTEM\CurrentControlSet\Services\klan\DisplayName: "klan"

----------------------------------
Values modified:2 (old value, then new value)
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Start: 0x00000003   (before: Manual)
HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Start: 0x00000002   (after: Automatic)

----------------------------------
Files added:2
----------------------------------
C:\WINDOWS\system32\dllcache\appmgmts.dll
C:\WINDOWS\system32\drivers\klan.sys

----------------------------------
Files deleted:1
----------------------------------
C:\sand-box\av.exe

----------------------------------
Files [attributes?] modified:4
----------------------------------
C:\Documents and Settings\NetworkService\Cookies\index.dat
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\WINDOWS\system32\appmgmts.dll

----------------------------------
Folders added:0
----------------------------------

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Folders attributes changed:2
----------------------------------
C:\Documents and Settings\NetworkService\Local Settings\History
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

----------------------------------
Total changes:280
----------------------------------
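
The following audit script is an added example and is not code from the original page, from Greatis or from UnHackMe. It checks a live host for the three changes recorded in the report above: IFEO "Debugger" hijacks, the "klan" kernel-driver service, and the AppMgmt service DLL. The only host-specific assumptions are that Windows lives under %SystemRoot% and that the known-bad MD5s are the ones printed on this page; the hashing is done with .NET so the script also runs on the PowerShell 2.0 shipped for Windows XP. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original page or from Greatis/UnHackMe): audit a host for
# the indicators in the sandbox report. Known-bad MD5s are the ones listed on this page.
$ErrorActionPreference = 'SilentlyContinue'
$sys32 = Join-Path $env:SystemRoot 'system32'

# MD5 via .NET so this works on PowerShell 2.0 as well (Get-FileHash needs 4.0+)
function Get-Md5Hex([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Find-KlanIndicators {
    $findings = @()

    # 1. Any per-image Debugger value deserves a look; "ntsd -d" is the pattern from the report.
    #    On 64-bit Windows repeat this for ...\Wow6432Node\Microsoft\Windows NT\... as well.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in (Get-ChildItem -Path $ifeo)) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger).Debugger
        if (-not $dbg) { continue }
        $sev = if ($dbg -match '^\s*ntsd(\.exe)?\s+-d\b') { 'HIGH' } else { 'REVIEW' }
        $findings += "[$sev] IFEO $($key.PSChildName) Debugger = '$dbg'"
    }

    # 2. The driver service. Type 1 = kernel driver, Start 2 = automatic, as in the report.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\klan'
    if ($svc) {
        $findings += "[HIGH] service 'klan' present: Type=$($svc.Type) Start=$($svc.Start) ImagePath=$($svc.ImagePath)"
    }

    # 3. AppMgmt is an svchost-hosted service; its DLL path is kept under Parameters\ServiceDll.
    $app = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AppMgmt'
    $prm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters'
    if ($app -and $app.Start -eq 2) {
        $findings += "[REVIEW] AppMgmt Start=2 (Automatic); the report shows 3 (Manual) before infection. ServiceDll=$($prm.ServiceDll)"
    }

    # 4. Hash check against the samples on this page. A different hash does NOT prove a file
    #    is clean (other builds exist); compare appmgmts.dll with a known-good copy as well.
    $knownBad = @{}
    $knownBad[(Join-Path $sys32 'drivers\klan.sys')]      = '3a24f1b4fa633642a4eed4c0050f194d'
    $knownBad[(Join-Path $sys32 'appmgmts.dll')]          = 'c2a741030a5912caef39c6ce11611c7a'
    $knownBad[(Join-Path $sys32 'dllcache\appmgmts.dll')] = 'c2a741030a5912caef39c6ce11611c7a'
    foreach ($path in $knownBad.Keys) {
        $h = Get-Md5Hex $path
        if ($h -eq $knownBad[$path]) { $findings += "[HIGH] $path matches known-bad MD5 $h" }
        elseif ($h)                  { $findings += "[INFO] $path present, MD5 $h (not the sample on this page)" }
    }
    return $findings
}

Find-KlanIndicators | ForEach-Object { Write-Output $_ }
```

An empty result for the IFEO loop is the normal state of a workstation; legitimate Debugger values are rare enough that every hit should be explained. Note that comparing system32\appmgmts.dll with its dllcache copy is useless here, since the report shows both were replaced; only a copy from installation media or a known-clean machine is a valid reference.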

-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: APPMGMTS.DLL
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\APPMGMTS.DLL
Type: Infected System Files

Removal Results: Success
Number of reboots: 1
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator in Deep Level Scanning mode:

Item Name: klan
Author:
Related File: \??\C:\WINDOWS\system32\drivers\klan.sys
Type: Services detected by Partizan

Removal Results: Success
Number of reboots: 1
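
For readers who prefer to do the removal by hand rather than with RegRun, the script below is an added example (not code from the original page, from Greatis or from UnHackMe). It undoes the changes the sandbox report records: the klan driver service and its PnP entry, the driver file, the "ntsd -d" IFEO hijacks, and the AppMgmt start-type change. It assumes the driver path from the report under %SystemRoot%; it does not repair appmgmts.dll itself, because both the system32 and the dllcache copies are infected and sfc has nothing clean to restore from, so that file must come from installation media (the media path in the comment is an assumption). Run it elevated, preview with -WhatIf first, and reboot afterwards.

```powershell
# Added example (not from the original page or from Greatis/UnHackMe): manual removal of
# the changes listed in the sandbox report. Supports -WhatIf for a dry run.
function Remove-KlanInfection {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $ErrorActionPreference = 'SilentlyContinue'
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $driver   = Join-Path $env:SystemRoot 'system32\drivers\klan.sys'

    # 1. Stop and unregister the driver service. A loaded rootkit driver may refuse to stop;
    #    the key is removed anyway and the driver is simply not loaded after the reboot.
    #    The LEGACY_KLAN PnP entry has a restrictive ACL; if it survives, that is harmless.
    if ($PSCmdlet.ShouldProcess('klan', 'stop and delete service')) {
        & sc.exe stop klan   | Out-Null
        & sc.exe delete klan | Out-Null
        Remove-Item -Path "$services\klan" -Recurse -Force
        Remove-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN' -Recurse -Force
    }

    # 2. Driver file: delete now, or, if it is locked by the loaded driver, queue a
    #    delete-on-reboot through PendingFileRenameOperations (the mechanism installers use).
    if ((Test-Path -LiteralPath $driver) -and $PSCmdlet.ShouldProcess($driver, 'delete')) {
        Remove-Item -LiteralPath $driver -Force
        if (Test-Path -LiteralPath $driver) {
            $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
            $cur = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations).PendingFileRenameOperations
            $new = @()
            if ($cur) { $new += $cur }
            $new += "\??\$driver"   # source path in NT form ...
            $new += ''              # ... followed by an empty target means "delete"
            Set-ItemProperty -Path $sm -Name PendingFileRenameOperations -Value ([string[]]$new) -Type MultiString
        }
    }

    # 3. IFEO: remove only Debugger values that are exactly the "ntsd -d" hijack, and drop the
    #    key when nothing else is left in it (the dropper created these keys itself).
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in (Get-ChildItem -Path $ifeo)) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger).Debugger
        if ($dbg -ne 'ntsd -d') { continue }
        if ($PSCmdlet.ShouldProcess($key.PSChildName, 'remove IFEO Debugger')) {
            Remove-ItemProperty -Path $key.PSPath -Name Debugger
            $k = Get-Item -Path $key.PSPath
            if ($k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) { Remove-Item -Path $key.PSPath }
        }
    }

    # 4. AppMgmt: put the start type back to 3 (Manual), the value the report shows before the
    #    change. The DLL still needs a clean copy, e.g. on Windows XP (media path is an assumption):
    #      expand D:\i386\appmgmts.dl_ %SystemRoot%\system32\appmgmts.dll
    #    and the same file copied over %SystemRoot%\system32\dllcache\appmgmts.dll.
    if ($PSCmdlet.ShouldProcess('AppMgmt', 'set Start=3')) {
        Set-ItemProperty -Path "$services\AppMgmt" -Name Start -Value 3 -Type DWord
    }
    Write-Warning 'Reboot now, then re-check that klan.sys and the klan service are gone.'
}

Remove-KlanInfection -WhatIf   # preview; run without -WhatIf to apply
```

The IFEO step deliberately matches the exact string "ntsd -d" rather than clearing every Debugger value, so a legitimately configured debugger on some other executable is left alone.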
-------------------------------------------------------------------------------------
appmgmts.dll

Classification:
Antivirus     Version         Last update   Result
Avast         4.8.1335.0      2009.08.04    Win32:Trojan-gen {Other}
AVG           8.5.0.406       2009.08.04    Generic14.OJH
BitDefender   7.2             2009.08.05    Generic.Malware.P!.52668DA7
Comodo        1871            2009.08.05    -
DrWeb         5.0.0.12182     2009.08.05    Trojan.DownLoad.42096
F-Secure      8.0.14470.0     2009.08.05    Trojan.Win32.Small.cbb
Kaspersky     7.0.0.125       2009.08.05    Trojan.Win32.Small.cbb
Microsoft     1.4903          2009.08.04    Trojan:Win32/Killav.DK
NOD32         4306            2009.08.04    Win32/TrojanDownloader.Agent.PJT
Symantec      1.4.4.12        2009.08.05    Trojan.KillAV
(- = not detected)

Additional information
File size: 9216 bytes
MD5 : c2a741030a5912caef39c6ce11611c7a
SHA1 : 1a319f94d9102aec0fb38505c7d816f784569a5c
-------------------------------------------------------------------------------------
klan.sys

Classification:
Antivirus     Version         Last update   Result
Avast         4.8.1335.0      2009.08.03    -
AVG           8.5.0.406       2009.08.03    -
BitDefender   7.2             2009.08.03    -
Comodo        1843            2009.08.03    -
DrWeb         5.0.0.12182     2009.08.03    Trojan.NtRootKit.3211
F-Secure      8.0.14470.0     2009.08.03    Rootkit.Win32.Agent.nrb
Kaspersky     7.0.0.125       2009.08.03    Rootkit.Win32.Agent.nrb
Microsoft     1.4903          2009.08.03    -
NOD32         4302            2009.08.03    Win32/TrojanDownloader.Agent.PJT
Symantec      1.4.4.12        2009.08.03    -
(- = not detected; only 4 of the 10 engines flagged the driver itself on 2009.08.03, which is why the service and IFEO checks above matter more than a signature scan of klan.sys)

Additional information
File size: 3328 bytes
MD5 : 3a24f1b4fa633642a4eed4c0050f194d
SHA1 : 8978b19fe26125fc5f5775a6fca60277a8f94b1b
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)

Remove klan.sys now!

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since then I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.
