Archive for the 'O21' Category
Friday, March 5th, 2010
overlapp32.dll is a harmful program.
Name: overlapp32
Filename: overlapp32.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck
Command: %Windir%\System32\overlapp32.dll
CLSID: {FF4EC53A-CA51-9A39-6CDD-5FFB26FB445C}
Startup Type: ShellServiceObjectDelayLoad
HijackThis Category: O21
HijackThis Line:
O21 - SSODL: WebCheck - {FF4EC53A-CA51-9A39-6CDD-5FFB26FB445C} - overlapp32.dll
DDS Line:
SSODL: WebCheck - {FF4EC53A-CA51-9A39-6CDD-5FFB26FB445C} - overlapp32.dll
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {FF4EC53A-CA51-9A39-6CDD-5FFB26FB445C} - overlapp32.dll
Description: trojan, detected as Trojan-PSW.Generic [PCTools], Infostealer [Symantec], Downloader-BZS [McAfee], Trojan.KeyLogger.4260 [DrWEB] and Win32:Malware-gen [AVAST]. Note that WebCheck is also the name of a legitimate Windows SSODL entry (the one that points to webcheck.dll); this entry reuses that name with a different CLSID and DLL, so judge an SSODL entry by its CLSID and file, never by its name alone.
How to remove: use HijackThis + Kaspersky Virus Removal Tool
Posted in O21, ShellServiceObjectDelayLoad, Trojan
Wednesday, December 2nd, 2009
inetprovider.dll is a harmful program.
Name: inetprovider
Filename: inetprovider.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | InternetProvider
Command: C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll
CLSID: {76377D16-FC8D-4505-B8E1-237EA19C401A}
Startup Type: ShellServiceObjectDelayLoad
HijackThis Category: O21
HijackThis Line:
O21 - SSODL: InternetProvider - {76377D16-FC8D-4505-B8E1-237EA19C401A} - C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll
DDS Line:
SSODL: InternetProvider - {76377D16-FC8D-4505-B8E1-237EA19C401A} - C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
InternetProvider - {76377D16-FC8D-4505-B8E1-237EA19C401A} - C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll
Description: trojan installed alongside Personal Protector, a rogue antispyware program.
How to remove: use HijackThis + the Personal Protector removal instructions.
Posted in O21, ShellServiceObjectDelayLoad, Trojan
Wednesday, December 2nd, 2009
swupdate.dll is a harmful program.
Name: swupdate
Filename: swupdate.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | SwUpdate
Command: C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
CLSID: {009541A0-3B00-1F1C-00F3-040224001C01}
Startup Type: ShellServiceObjectDelayLoad
HijackThis Category: O21
HijackThis Line:
O21 - SSODL: SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
DDS Line:
SSODL: SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
Description: trojan (AdClick). Note that the DLL sits in a Macromedia\SwUpdate folder under Application Data, a name chosen to look like a Flash updater.
How to remove: use HijackThis + Malwarebytes' Anti-Malware
Posted in O21, ShellServiceObjectDelayLoad, Trojan
Wednesday, November 4th, 2009
sysnet.dll is a harmful program.
Name: sysnet
Filename: sysnet.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | SysNet
Command: C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll
CLSID: {13E9115E-2CB0-4CAB-91D0-507E9368ED1B}
Startup Type: ShellServiceObjectDelayLoad
HijackThis Category: O21
HijackThis Line:
O21 - SSODL: SysNet - {13E9115E-2CB0-4CAB-91D0-507E9368ED1B} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll
RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
SysNet - {13E9115E-2CB0-4CAB-91D0-507E9368ED1B} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll
Description: trojan agent installed alongside a rogue antispyware program
How to remove: use HijackThis + Malwarebytes' Anti-Malware
Posted in O21, ShellServiceObjectDelayLoad, Trojan
Monday, October 26th, 2009
mstmdm.dll is a harmful program.
Name: mstmdm
Filename: mstmdm.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | UpdateCheck
Command: C:\WINDOWS\system32\mstmdm.dll
CLSID: {3D232827-DCDB-455D-9B12-8F8C7DE41935}
Startup Type: ShellServiceObjectDelayLoad
HijackThis Category: O21
HijackThis Line:
O21 - SSODL: UpdateCheck - {3D232827-DCDB-455D-9B12-8F8C7DE41935} - C:\WINDOWS\system32\mstmdm.dll
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UpdateCheck - {3D232827-DCDB-455D-9B12-8F8C7DE41935} - C:\WINDOWS\system32\mstmdm.dll
Description: trojan, also known as Trojan.Win32.Agent.bve
How to remove: use Kaspersky Virus Removal Tool
Posted in O21, ShellServiceObjectDelayLoad, Trojan
Sunday, September 20th, 2009
gitabiga.dll is a harmful program.
Name: gitabiga
Filename: gitabiga.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | derijidob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | {e826441e-0920-4e05-9b2c-84189ccd7cba}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | gefiraled
Command: c:\windows\system32\gitabiga.dll
CLSID: {e826441e-0920-4e05-9b2c-84189ccd7cba}
Startup Type: HKLM->Run, SharedTaskScheduler, ShellServiceObjectDelayLoad
HijackThis Category: O4, O21, O22
Combofix/RSIT Line:
2009-09-19 01:46 . 2009-06-19 01:46 88576 --sha-w- c:\windows\system32\gitabiga.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"derijidob"="c:\windows\system32\gitabiga.dll" [2009-09-19 88576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e826441e-0920-4e05-9b2c-84189ccd7cba}"= "c:\windows\system32\gitabiga.dll" [2009-09-19 88576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gefiraled"= {e826441e-0920-4e05-9b2c-84189ccd7cba} - c:\windows\system32\gitabiga.dll [2009-09-19 88576]
Description: trojan (Vundo). The file carries the system and hidden attributes (the --sha-w- column in the ComboFix line), so it does not show in a default Explorer listing, and it is registered in three startup locations at once, so all three entries have to go.
How to remove: use Malwarebytes' Anti-Malware
Posted in O21, O22, O4, Run, SharedTaskScheduler, ShellServiceObjectDelayLoad, Trojan
Thursday, April 16th, 2009
eewhptdpyl.dll is a harmful program.
Name: eewhptdpyl
Filename: eewhptdpyl.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | InternetConnection
Command: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\eewhptdpyl.dll
CLSID: {AB6DAA8C-F726-4FDD-8B06-9537C5878612}
Startup Type: ShellServiceObjectDelayLoad
HijackThis Category: O21
HijackThis Line:
O21 - SSODL: InternetConnection - {AB6DAA8C-F726-4FDD-8B06-9537C5878612} - C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\eewhptdpyl.dll
Description: component of System Guard 2009, a rogue antispyware program
How to remove: follow the System Guard 2009 removal instructions.
Posted in O21, Rogue Antispyware/Antivirus, ShellServiceObjectDelayLoad
Tuesday, March 31st, 2009
bwpbwvxxvw.dll is a harmful program.
Name: bwpbwvxxvw
Filename: bwpbwvxxvw.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | InternetConnection
Command: C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\bwpbwvxxvw.dll
CLSID: {D14F8945-CF96-4231-9FA7-4BC630D80D85}
Startup Type: ShellServiceObjectDelayLoad
HijackThis Category: O21
HijackThis Line:
O21 - SSODL: InternetConnection - {D14F8945-CF96-4231-9FA7-4BC630D80D85} - C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\bwpbwvxxvw.dll
Description: trojan, component of a rogue antispyware program. It uses the same InternetConnection entry name as eewhptdpyl.dll above but a different CLSID and file name.
How to remove: use HijackThis + Malwarebytes' Anti-Malware
Posted in O21, Rogue Antispyware/Antivirus, ShellServiceObjectDelayLoad, Trojan
Tuesday, March 31st, 2009
ieModule.dll is a harmful program.
Name: ieModule
Filename: ieModule.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | ieModule
Command: C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
CLSID (either of the following has been seen):
{92CA440D-C81C-4B72-89D0-D2B464E5678B}
{77C96E10-FDA7-4AA7-B318-0631C0D27DBB}
Startup Type: ShellServiceObjectDelayLoad
HijackThis Category: O21
HijackThis Line:
O21 - SSODL: ieModule - {92CA440D-C81C-4B72-89D0-D2B464E5678B} - C:\ProgramData\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
Description: trojan, component of several rogue antispyware programs
How to remove: use HijackThis + Malwarebytes' Anti-Malware
Posted in O21, Rogue Antispyware/Antivirus, ShellServiceObjectDelayLoad, Trojan
Monday, March 30th, 2009
vitamine.dll is a harmful program.
Name: vitamine
Filename: vitamine.dll
Command: c:\windows\system32\vitamine.dll
CLSID: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
Startup Type: HKLM->Run, AppInit_DLLs, ShellServiceObjectDelayLoad, SharedTaskScheduler
HijackThis Category: O4, O20, O21, O22
HijackThis Line:
O4 - HKLM\..\Run: [CPMfbaed640] Rundll32.exe "c:\windows\system32\vitamine.dll",a
O20 - AppInit_DLLs: c:\windows\system32\vitamine.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vitamine.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vitamine.dll
Description: trojan (Vundo). The AppInit_DLLs entry means the DLL is loaded into every process that loads user32.dll, not just Explorer, so it has to be removed from all four locations in one pass or it will re-register itself.
How to remove: use HijackThis + Malwarebytes' Anti-Malware
Posted in AppInit DLLs, O20, O21, O22, O4, Run, SharedTaskScheduler, ShellServiceObjectDelayLoad, Trojan
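Every O21 entry above records the same mechanism: a value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad whose data is a CLSID, which Explorer instantiates at logon, and a DLL that is not named in that value at all but in the CLSID's InProcServer32 key. The script below is an added example for this archive, not code from the page or from HijackThis, DDS or ComboFix: it walks the SSODL key, resolves each CLSID the way Explorer does, and prints HijackThis-style O21 lines next to triage flags. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows; the flags it raises (CLSID registered under HKCU, no InProcServer32, DLL missing on disk, signature not Valid, DLL outside System32) are this example's own heuristics, not anything the tools on this page implement.

```powershell
# Added example, not from the original page. Enumerate SSODL entries, resolve
# each CLSID to the DLL Explorer will actually load, and flag what needs a look.
# Assumes an elevated session on Windows; the heuristics are the example's own.

function Get-SsodlEntry {
    [CmdletBinding()]
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    )

    $item = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if (-not $item) { return }

    foreach ($name in $item.GetValueNames()) {
        $clsid = [string]$item.GetValue($name)
        $flags = New-Object System.Collections.Generic.List[string]

        # The value data is a CLSID. HKCR merges HKLM\Software\Classes with
        # HKCU\Software\Classes and the per-user registration wins, so a CLSID
        # defined under HKCU is a COM-hijack candidate even when HKLM looks clean.
        $userKey    = "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32"
        $machineKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $server = Get-Item -LiteralPath $userKey -ErrorAction SilentlyContinue
        if ($server) {
            $flags.Add('CLSID registered under HKCU')
        } else {
            $server = Get-Item -LiteralPath $machineKey -ErrorAction SilentlyContinue
        }

        $rawPath = if ($server) { [string]$server.GetValue('') } else { $null }
        if (-not $rawPath) {
            $flags.Add('CLSID has no InProcServer32')
            $dll = $null
        } else {
            # InProcServer32 is often REG_EXPAND_SZ, e.g. %Windir%\System32\overlapp32.dll
            $dll = [Environment]::ExpandEnvironmentVariables($rawPath.Trim('"'))
        }

        $signature = 'n/a'
        if ($dll) {
            if (-not (Test-Path -LiteralPath $dll)) {
                # Test-Path sees hidden/system files, so an --sha-w- file still resolves.
                $flags.Add('DLL missing on disk')
            } else {
                $signature = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
                if ($signature -ne 'Valid') { $flags.Add("signature $signature") }
                $sysDir = Join-Path $env:SystemRoot 'System32'
                if (-not $dll.StartsWith($sysDir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $flags.Add('DLL outside System32')
                }
            }
        }

        [pscustomobject]@{
            Name      = $name
            CLSID     = $clsid
            Dll       = $dll
            Signature = $signature
            Flags     = ($flags -join '; ')
            # Same shape as the O21 lines in the entries above.
            O21Line   = "O21 - SSODL: $name - $clsid - $dll"
        }
    }
}

# Usage: list every entry in O21 form, then only the ones that raised a flag.
$entries = Get-SsodlEntry
$entries | ForEach-Object { $_.O21Line }
$entries | Where-Object { $_.Flags } | Format-Table Name, Dll, Signature, Flags -AutoSize
```

Two of the samples on this page (overlapp32.dll and mstmdm.dll) live in System32, so the location check alone would not catch them; the Authenticode check does, since neither is a signed Microsoft binary. When cleaning an entry, remove the SSODL value, the CLSID registration it names and the DLL itself: deleting only the SSODL value leaves the other two in place.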