Jump to content

Mysterious startup DLL


Recommended Posts

I found the following item in my HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run list:

Aweholibugi rundll32.exe "C:\WINDOWS\ufuzewugowize.dll",Startup

Any ideas what this is? Anti-malware, AdAware, and SpyBot S&D don't seem to find anything wrong with it, and what's really strange is that neither the keyname nor the DLL name appear anywhere in Google. I haven't yet tried booting in safe mode and removing it, I thought I'd run it by others first.


-- Carl

Link to post
Share on other sites

That's a sure sign that it is new malware.

Ad-Aware has not kept up to the times like Malwarebytes and Spybot S&D is OK if you do not have Malawarebytes Pro installed to prevent new infections.

Link to post
Share on other sites

Try running the file through VirusTotal, and post back the results.

By your command... :)

a-squared 2010.04.10 Trojan.Win32.Hiloti!IK

AhnLab-V3 2010.04.10 -

AntiVir 2010.04.09 -

Antiy-AVL 2010.04.09 -

Authentium 2010.04.10 -

Avast 4.8.1351.0 2010.04.10 -

Avast5 5.0.332.0 2010.04.10 -

AVG 2010.04.10 -

BitDefender 7.2 2010.04.10 -

CAT-QuickHeal 10.00 2010.04.10 -

ClamAV 2010.04.10 -

Comodo 4560 2010.04.10 -

DrWeb 2010.04.11 Trojan.Packed.1116

eTrust-Vet 35.2.7418 2010.04.09 -

F-Prot 2010.04.10 -

F-Secure 9.0.15370.0 2010.04.10 -

Fortinet 2010.04.10 -

GData 19 2010.04.10 -

Ikarus T3. 2010.04.10 Trojan.Win32.Hiloti

Jiangmin 13.0.900 2010.04.10 -

Kaspersky 2010.04.11 -

McAfee-GW-Edition 6.8.5 2010.04.09 -

Microsoft 1.5605 2010.04.10 -

NOD32 5016 2010.04.10 -

Norman 6.04.11 2010.04.10 -

nProtect 2009.1.8.0 2010.04.06 -

Panda 2010.04.10 Suspicious file

PCTools 2010.04.10 -

Rising 2010.04.09 -

Sophos 4.52.0 2010.04.10 Mal/Hiloti-A

Sunbelt 6162 2010.04.11 Trojan.Win32.Hiloti.gen.d (v)

Symantec 20091.2.0.41 2010.04.11 -

TheHacker 2010.04.10 -

TrendMicro 2010.04.10 -

VBA32 2010.04.09 -

ViRobot 2010.4.10.2270 2010.04.10 -

VirusBuster 2010.04.10 -

Additional information

File size: 231424 bytes

MD5...: 24a6cb02992d2622cdd030cfdc18f5f1

SHA1..: eb3c024fcaaf1993899c4da187c34062a373e05b

SHA256: 66c0f929cd152dae3d30964713e55db9ce2638290fa88d3dc02d8675306f4113

ssdeep: 3072:2dVEuxre/I2qUfuj4TPE0GBZK9lK0suyVaGLpbqr7ZNwbKht/HfopLNgJdW


PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x6a08

timedatestamp.....: 0x4b4215ca (Mon Jan 04 16:22:34 2010)

machinetype.......: 0x14c (I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x30000 0x24400 7.92 620e12f04de42bc9edb385ab105556f1

.data 0x31000 0x14000 0x13a00 6.84 e33b44d999831ad5682d934c2e7f3eb9

.rsrc 0x45000 0x1000 0x400 2.96 1e6e4a60c986d12bd1f2c150d97fd035

.reloc 0x46000 0x1000 0x200 5.46 18f0379d717c01271680f965d9b930e7

( 3 imports )

> KERNEL32.dll: CloseHandle, CompareStringA, CreateFileA, ExitProcess, FatalAppExitA, FileTimeToLocalFileTime, GetACP, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetCurrentThreadId, GetDriveTypeA, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcessWorkingSetSize, GetStartupInfoA, GetTickCount, HeapAlloc, HeapCreate, HeapReAlloc, InterlockedDecrement, IsBadStringPtrA, IsValidLocale, LeaveCriticalSection, MultiByteToWideChar, OpenProcess, RaiseException, RtlUnwind, SetLastError, SetUnhandledExceptionFilter, TerminateThread, WriteConsoleA

> user32.dll: DestroyIcon, DrawTextA, EnableWindow, FindWindowA, DeleteMenu, IsDialogMessageA, ReleaseDC, ShowWindow, GetScrollInfo, CreateDialogParamA

> comdlg32.dll: PrintDlgExA

( 1 exports )


RDS...: NSRL Reference Data Set


pdfid.: -


publisher....: Sipro Lab Telecom Inc.

copyright....: Copyright © Sipro Lab Telecom Inc. 1998-99

product......: ACELP.net Audio Codec

description..: Audio codec for MS ACM

original name: sl_anet.acm

internal name: sl_anet.acm

file version.: 3.02

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

trid..: Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/...-021223-0550-99

Link to post
Share on other sites

Hi, like suspected, this is indeed malware. I suggest you post the file here: Newest malware threats , so MBAM can update it's definitions. Also do a quick scan with MBAM.

Afterwards, I strongly advise you to follow the steps below:

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Good luck :) .

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.