
Mysterious startup DLL


cbkuck


I found the following item in my HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run list:

Aweholibugi rundll32.exe "C:\WINDOWS\ufuzewugowize.dll",Startup

Any ideas what this is? Anti-Malware, Ad-Aware, and Spybot S&D don't seem to find anything wrong with it, and what's really strange is that neither the key name nor the DLL name appears anywhere in Google. I haven't yet tried booting in safe mode and removing it; I thought I'd run it by others first.

Thanks!

-- Carl

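The Run value quoted above has three features a defender can check mechanically: rundll32.exe loading a DLL that sits directly in C:\WINDOWS rather than System32, a value name and a DLL name that are both long letter-only strings, and a generic export name (Startup). The Python below is an added example written for this thread, not code from the post or from any tool it mentions; the two entries after the first are constructed benign-looking comparisons, and the name-length threshold and export list are assumptions, not published rules.

```python
import re

# Constructed sample of HKLM\...\Run values in the "name command" form used
# in the post: the first line is the entry from the thread, the other two
# are made-up benign-looking entries for comparison.
RUN_ENTRIES = [
    r'Aweholibugi rundll32.exe "C:\WINDOWS\ufuzewugowize.dll",Startup',
    r'SoundMAX C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe',
    r'NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
]

# value name, rundll32[.exe], optionally quoted DLL path, comma, export name
RUNDLL_RE = re.compile(
    r'^(?P<name>\S+)\s+rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)$',
    re.IGNORECASE,
)
# Export names that say nothing about what the DLL does (assumed heuristic list).
GENERIC_EXPORTS = {"startup", "start", "run", "load", "main", "init"}

def parse_entry(line):
    """Split a Run value into name and command; when the command is a
    rundll32 loader, also return the DLL path and export name."""
    line = line.strip()
    name, _, command = line.partition(" ")
    entry = {"name": name, "command": command, "dll": None, "export": None}
    m = RUNDLL_RE.match(line)
    if m:
        entry["dll"], entry["export"] = m.group("dll"), m.group("export")
    return entry

def triage(entry):
    """Return the list of heuristics a rundll32 Run entry trips."""
    reasons = []
    if entry["dll"] is None:          # plain EXE entry: nothing to check here
        return reasons
    parent, _, base = entry["dll"].replace("/", "\\").rpartition("\\")
    stem = base.lower().removesuffix(".dll")
    # Legitimate DLLs normally live under System32, not in the Windows root.
    if parent.lower() in (r"c:\windows", r"c:\winnt"):
        reasons.append("DLL sits directly in the Windows root, not System32")
    # Hiloti-style naming: long, letters-only names for both value and DLL.
    if re.fullmatch(r"[a-z]{9,}", stem) and re.fullmatch(r"[a-z]{9,}", entry["name"].lower()):
        reasons.append("value name and DLL name are both long letter-only strings")
    if entry["export"].lower() in GENERIC_EXPORTS:
        reasons.append("generic export name %r" % entry["export"])
    return reasons

def triage_all(lines):
    return {e["name"]: triage(e) for e in (parse_entry(l) for l in lines)}
```

Running triage_all(RUN_ENTRIES) flags only the first entry, with all three reasons, and leaves the two comparison entries clean.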

That's a sure sign that it is new malware.

Ad-Aware has not kept up with the times like Malwarebytes, and Spybot S&D is OK if you do not have Malwarebytes Pro installed to prevent new infections.


Try running the file through VirusTotal, and post back the results.

By your command... :)

Antivirus Version Last update Result
a-squared 4.5.0.50 2010.04.10 Trojan.Win32.Hiloti!IK
AhnLab-V3 5.0.0.2 2010.04.10 -
AntiVir 7.10.6.55 2010.04.09 -
Antiy-AVL 2.0.3.7 2010.04.09 -
Authentium 5.2.0.5 2010.04.10 -
Avast 4.8.1351.0 2010.04.10 -
Avast5 5.0.332.0 2010.04.10 -
AVG 9.0.0.787 2010.04.10 -
BitDefender 7.2 2010.04.10 -
CAT-QuickHeal 10.00 2010.04.10 -
ClamAV 0.96.0.3-git 2010.04.10 -
Comodo 4560 2010.04.10 -
DrWeb 5.0.2.03300 2010.04.11 Trojan.Packed.1116
eTrust-Vet 35.2.7418 2010.04.09 -
F-Prot 4.5.1.85 2010.04.10 -
F-Secure 9.0.15370.0 2010.04.10 -
Fortinet 4.0.14.0 2010.04.10 -
GData 19 2010.04.10 -
Ikarus T3.1.1.80.0 2010.04.10 Trojan.Win32.Hiloti
Jiangmin 13.0.900 2010.04.10 -
Kaspersky 7.0.0.125 2010.04.11 -
McAfee-GW-Edition 6.8.5 2010.04.09 -
Microsoft 1.5605 2010.04.10 -
NOD32 5016 2010.04.10 -
Norman 6.04.11 2010.04.10 -
nProtect 2009.1.8.0 2010.04.06 -
Panda 10.0.2.2 2010.04.10 Suspicious file
PCTools 7.0.3.5 2010.04.10 -
Rising 22.42.04.03 2010.04.09 -
Sophos 4.52.0 2010.04.10 Mal/Hiloti-A
Sunbelt 6162 2010.04.11 Trojan.Win32.Hiloti.gen.d (v)
Symantec 20091.2.0.41 2010.04.11 -
TheHacker 6.5.2.0.259 2010.04.10 -
TrendMicro 9.120.0.1004 2010.04.10 -
VBA32 3.12.12.4 2010.04.09 -
ViRobot 2010.4.10.2270 2010.04.10 -
VirusBuster 5.0.27.0 2010.04.10 -

Additional information
File size: 231424 bytes
MD5...: 24a6cb02992d2622cdd030cfdc18f5f1
SHA1..: eb3c024fcaaf1993899c4da187c34062a373e05b
SHA256: 66c0f929cd152dae3d30964713e55db9ce2638290fa88d3dc02d8675306f4113
ssdeep: 3072:2dVEuxre/I2qUfuj4TPE0GBZK9lK0suyVaGLpbqr7ZNwbKht/HfopLNgJdWv1yXn:2dxnlUaKcfBU94ruyUGLyZ5vqs8o
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x6a08
timedatestamp.....: 0x4b4215ca (Mon Jan 04 16:22:34 2010)
machinetype.......: 0x14c (I386)
( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x30000  0x24400  7.92   620e12f04de42bc9edb385ab105556f1
.data   0x31000  0x14000  0x13a00  6.84   e33b44d999831ad5682d934c2e7f3eb9
.rsrc   0x45000  0x1000   0x400    2.96   1e6e4a60c986d12bd1f2c150d97fd035
.reloc  0x46000  0x1000   0x200    5.46   18f0379d717c01271680f965d9b930e7
( 3 imports )
> KERNEL32.dll: CloseHandle, CompareStringA, CreateFileA, ExitProcess, FatalAppExitA, FileTimeToLocalFileTime, GetACP, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetCurrentThreadId, GetDriveTypeA, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcessWorkingSetSize, GetStartupInfoA, GetTickCount, HeapAlloc, HeapCreate, HeapReAlloc, InterlockedDecrement, IsBadStringPtrA, IsValidLocale, LeaveCriticalSection, MultiByteToWideChar, OpenProcess, RaiseException, RtlUnwind, SetLastError, SetUnhandledExceptionFilter, TerminateThread, WriteConsoleA
> user32.dll: DestroyIcon, DrawTextA, EnableWindow, FindWindowA, DeleteMenu, IsDialogMessageA, ReleaseDC, ShowWindow, GetScrollInfo, CreateDialogParamA
> comdlg32.dll: PrintDlgExA
( 1 exports )
EnumWZCDbLogRecords
RDS...: NSRL Reference Data Set -
pdfid.: -
sigcheck:
publisher....: Sipro Lab Telecom Inc.
copyright....: Copyright © Sipro Lab Telecom Inc. 1998-99
product......: ACELP.net Audio Codec
description..: Audio codec for MS ACM
original name: sl_anet.acm
internal name: sl_anet.acm
file version.: 3.02
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/...-021223-0550-99


Hi, as suspected, this is indeed malware. I suggest you post the file here: Newest malware threats, so MBAM can update its definitions. Also do a quick scan with MBAM.

Afterwards, I strongly advise you to follow the steps below:

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Good luck :)
