edih.dll - Dangerous

Manual removal instructions:

Antivirus Report of edih.dll:
edih.dll: Malware, Dangerous, High Risk
We suggest that you remove wacult.exe from your computer as soon as possible.
Wacult.exe is a Trojan/Backdoor.
Kill the process wacult.exe and remove wacult.exe from Windows startup.

File: ddos.exe (C:\sand-box\ddos.exe)
-------------------------------------------------------------------------------------
Classification:
Code:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.14 Unix:Malware-gen
AVG 8.5.0.406 2009.08.15 Generic13.QFH
BitDefender 7.2 2009.08.15 IRC-Worm.Generic.5575
Comodo 1964 2009.08.14 Backdoor.IRC.Kelebek.NAA
DrWeb 5.0.0.12182 2009.08.15 BackDoor.IRC.based
F-Secure 8.0.14470.0 2009.08.15 Client-IRC.Win32.mIRC.602
Kaspersky 7.0.0.125 2009.08.15 not-a-virus:Client-IRC.Win32.mIRC.602
Microsoft 1.4903 2009.08.15 Backdoor:Win32/Kirsun.A
NOD32 4337 2009.08.15 IRC/Flood.NAE
Symantec 1.4.4.12 2009.08.15 Backdoor.Trojan

Additional information
File size: 670789 bytes
MD5 : 48c78960fbed11a90810c57c8fafec6a
SHA1 : 91710d954b0e3287fa27673a6af44dd64e571f92

-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:
-------------------------------------------------------------------------------------
Internet activity:

----------------------------------
Keys added:24
----------------------------------
HKLM\SOFTWARE\Classes\.cha
HKLM\SOFTWARE\Classes\.chat
HKLM\SOFTWARE\Classes\ChatFile
HKLM\SOFTWARE\Classes\ChatFile\DefaultIcon
HKLM\SOFTWARE\Classes\ChatFile\Shell
HKLM\SOFTWARE\Classes\ChatFile\Shell\open
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\command
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
HKLM\SOFTWARE\Classes\irc
HKLM\SOFTWARE\Classes\irc\DefaultIcon
HKLM\SOFTWARE\Classes\irc\Shell
HKLM\SOFTWARE\Classes\irc\Shell\open
HKLM\SOFTWARE\Classes\irc\Shell\open\command
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms32
HKCU\Software\Microsoft\Microsoft Agent
HKCU\Software\ms32
HKCU\Software\ms32\DateUsed

----------------------------------
Values added:44
----------------------------------
HKLM\SOFTWARE\Classes\.cha\: "ChatFile"
HKLM\SOFTWARE\Classes\.chat\: "ChatFile"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\: "Connect"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\: "%1"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\: "mIRC"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\: "%1"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\command\: ""c:\WINDOWS\System32\wacult.exe" -noconnect"
HKLM\SOFTWARE\Classes\ChatFile\DefaultIcon\: ""c:\WINDOWS\System32\wacult.exe""
HKLM\SOFTWARE\Classes\ChatFile\: "Chat File"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\: "Connect"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\: "%1"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\: "mIRC"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\: "%1"
HKLM\SOFTWARE\Classes\irc\Shell\open\command\: ""c:\WINDOWS\System32\wacult.exe" -noconnect"
HKLM\SOFTWARE\Classes\irc\DefaultIcon\: ""c:\WINDOWS\System32\wacult.exe""
HKLM\SOFTWARE\Classes\irc\: "URL:IRC Protocol"
HKLM\SOFTWARE\Classes\irc\EditFlags: 02 00 00 00
HKLM\SOFTWARE\Classes\irc\URL Protocol: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinXPService: "c:\WINDOWS\System32\wacult.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms32\DisplayName: "ms32"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms32\UninstallString: ""c:\WINDOWS\System32\wacult.exe" -uninstall"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\wacult.exe: "C:\WINDOWS\system32\wacult.exe:*:Disabled:mIRC"
HKCU\Software\Microsoft\Microsoft Agent\VoiceEnabled: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseVoiceTips: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\KeyHoldHotKey: 0x00000091
HKCU\Software\Microsoft\Microsoft Agent\UseBeepSRPrompt: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\SRTimerDelay: 0x000007D0
HKCU\Software\Microsoft\Microsoft Agent\SRModeID: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKCU\Software\Microsoft\Microsoft Agent\EnableSpeaking: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseBalloon: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseCharacterFont: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseSoundEffects: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\SpeakingSpeed: 0x00000005
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetX: 0x000F423F
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetY: 0x000F423F
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetWidth: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetHeight: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetPage: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowLeft: 0xFFFFFFFF
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowTop: 0xFFFFFFFF
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowWidth: 0x000000C8
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowHeight: 0x000000C8
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowLocationSet: 0x00000000
HKCU\Software\ms32\DateUsed\: "1250506358"

----------------------------------
Values modified:0
----------------------------------

----------------------------------
Files added:6
----------------------------------
C:\WINDOWS\system32\edih.dll
C:\WINDOWS\system32\ms32.sys
C:\WINDOWS\system32\remote.ini
C:\WINDOWS\system32\system32\msconfg.dll
C:\WINDOWS\system32\system32\Systemx.dll
C:\WINDOWS\system32\wacult.exe

----------------------------------
Files [attributes?] modified:0
----------------------------------

----------------------------------
Folders added:1
----------------------------------
C:\WINDOWS\system32\system32

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Total changes:75
----------------------------------

-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: vmtest
Author:
Related File: C:\sand-box\files\wacult.exe
Type: Registry Run

Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)



Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since that time I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.
