|
|
UnHackMe Warrior Removing rootkits is best done from the "clean" Windows!
Blog: New viruses/malware/rootkits. Everyday!
Blog: How to remove malware/Trojans/rootkits using UnHackMe or manually. We know how to remove malware.
Shortcut Antivirus protects against Microsoft LNK and PIF vulnerability, notify a user about found threats and give possibility to immediately remove threats.
StuxnetRemover - free of charge Stuxnet/Tmphider rootkit removal tool.
|
 kb0892619.dll - Dangerous
Fix it immediately
Kb0892619.dll is Trojan/Backdoor. Kill the file kb0892619.dll and remove kb0892619.dll from Windows startup. Malware dropper: qvodsetup3.exe Removed: C:\WINDOWS\Tasks\JJX5r8wnsqUnNxGwpwn.inf C:\WINDOWS\Fonts\kb0892619.dll C:\WINDOWS\SYSTEM32\COMRES.DLL C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~3526.exe ------------------------------------------------------------------------------------- Classification: Code: Antivirus Version Last Update Result F-Secure 8.0.14470.0 2009.10.06 Trojan-Dropper.Win32.Parc.v Kaspersky 7.0.0.125 2009.10.06 Trojan-Dropper.Win32.Parc.v McAfee 5762 2009.10.05 potentially unwanted program Suspect-26!EAF02133596F Microsoft 1.5101 2009.10.05 TrojanDropper:Win32/Microjoin.gen!C NOD32 4482 2009.10.05 a variant of Win32/TrojanDropper.Delf.NQJ Symantec 1.4.4.12 2009.10.06 Infostealer.Gampass Additional information File size: 179060 bytes MD5 : eaf02133596fcb32fbd9bb762466949e SHA1 : 94740c49299cb8a38e66086f4961435352de2fb2 ------------------------------------------------------------------------------------- Installation When the program is executed, it creates the following registry subkeys and values: ---------------------------------- Keys added:10 ---------------------------------- HKLM\SOFTWARE\Classes\CLSID\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7} HKLM\SOFTWARE\Classes\CLSID\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}\InprocServer32 HKLM\SOFTWARE\Classes\CLSID\{A2BCFCEE-C939-433F-A32A-7353A6E720DB} HKLM\SOFTWARE\Classes\CLSID\{A2BCFCEE-C939-433F-A32A-7353A6E720DB}\InprocServer32 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe HKLM\SOFTWARE\Microsoft\DownloadManager HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000 HKLM\SYSTEM\CurrentControlSet\Services\vb HKLM\SYSTEM\CurrentControlSet\Services\vb\Security ---------------------------------- Values deleted:1 ---------------------------------- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "" ---------------------------------- Values added:21 ---------------------------------- HKLM\SOFTWARE\Classes\CLSID\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}\InprocServer32\: "C:\WINDOWS\Fonts\kb0892619.dll" HKLM\SOFTWARE\Classes\CLSID\{A2BCFCEE-C939-433F-A32A-7353A6E720DB}\InprocServer32\: "C:\WINDOWS\Tasks\JJX5r8wnsqUnNxGwpwn.inf" HKLM\SOFTWARE\Classes\CLSID\{A2BCFCEE-C939-433F-A32A-7353A6E720DB}\InprocServer32\ThreadingModel: "Apartment" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{A2BCFCEE-C939-433F-A32A-7353A6E720DB}: "" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}: "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger: "services.exe" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "C:\WINDOWS\Fonts\kb0892619.dll" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\Service: "vb" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\Legacy: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\ConfigFlags: 0x00000000 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\Class: "LegacyDriver" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\DeviceDesc: "vb" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\NextInstance: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\QvodSetupPlus3.exe: "C:\Documents and Settings\Administrator\Local Settings\Temp\QvodSetupPlus3.exe:*:Disabled:QvodInstall Module" HKLM\SYSTEM\CurrentControlSet\Services\vb\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 HKLM\SYSTEM\CurrentControlSet\Services\vb\Type: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\vb\Start: 0x00000003 HKLM\SYSTEM\CurrentControlSet\Services\vb\ErrorControl: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\vb\ImagePath: "\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~3526.ex" HKLM\SYSTEM\CurrentControlSet\Services\vb\DisplayName: "vb" ---------------------------------- Values modified:0 ---------------------------------- ---------------------------------- Files added:11 ---------------------------------- C:\Documents and Settings\Administrator\Local Settings\Temp\a33.exe C:\Documents and Settings\Administrator\Local Settings\Temp\QvodSetupPlus3.exe C:\Documents and Settings\Administrator\Local Settings\Temp\~3526.exe C:\Documents and Settings\Administrator\Local Settings\Temp\~cb5e.dat C:\WINDOWS\Fonts\AeioFs.dat C:\WINDOWS\Fonts\Encionc_ch.dat C:\WINDOWS\Fonts\kb0892619.dll C:\WINDOWS\system32\2AwdJ.exe C:\WINDOWS\system32\dfc8ac3ed7da.dll C:\WINDOWS\Tasks\JJX5r8wnsqUnNxGwpwn.inf C:\WINDOWS\Tasks\kZdWDEpQcNC2NwDe.ico ---------------------------------- Files deleted:1 ---------------------------------- C:\WINDOWS\system32\verclsid.exe ---------------------------------- Files [attributes?] modified:1 ---------------------------------- C:\WINDOWS\system32\comres.dll ---------------------------------- Folders added:0 ---------------------------------- ---------------------------------- Folders deleted:0 ---------------------------------- ---------------------------------- Total changes:45 ---------------------------------- ------------------------------------------------------------------------------------- Internet activity: Code: HTTP GET http://txt.ggadb.com/xx.txt HTTP GET http://1.gudxw.com/img/1.exe HTTP GET http://1.gudxw.com/img/2.exe ------------------------------------------------------------------------------------- Detected by UnHackMe: Item Name: {A2BCFCEE-C939-433F-A32A-7353A6E720DB} Author: Unknown Related File: C:\WINDOWS\Tasks\JJX5r8wnsqUnNxGwpwn.inf Type: Shell Execute Hooks Item Name: {9B1AE382-2647-4c4a-A313-B36B6CA34BD7} Author: Unknown Related File: C:\WINDOWS\Fonts\kb0892619.dll Type: Shell Execute Hooks Item Name: AppInit_DLLs Author: Unknown Related File: C:\WINDOWS\Fonts\kb0892619.dll Type: List of Injected DLLs Item Name: COMRES.DLL Author: Unknown Related File: C:\WINDOWS\SYSTEM32\COMRES.DLL Type: Infected System Files After first reboot detected by UnHackMe: Item Name: {9B1AE382-2647-4c4a-A313-B36B6CA34BD7} Author: Related File: C:\WINDOWS\Fonts\kb0892619.dll Type: Shell Execute Hooks Item Name: {A2BCFCEE-C939-433F-A32A-7353A6E720DB} Author: Related File: C:\WINDOWS\Tasks\JJX5r8wnsqUnNxGwpwn.inf Type: Shell Execute Hooks Item Name: vb Author: Related File: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~3526.exe Type: Services detected by Partizan Removal Results: Success Number of reboot: 2 ------------------------------------------------------------------------------------- Recommended software: UnHackMe anti-rootkit and anti-malware http://www.unhackme.com RegRun Security Suite (Good choice for removal and protection)
Virus Problem? Google Redirects? Ads? Slow?
Constantly updated. Last update: February 5 2012
Fix Windows PC's Fast! Automated Software Repairs damaged & slow windows systems in 1 click.
|
|
