Removed: MSBYRBL32.dll

Malware: ScaricaMP3.exe
Removed: C:\WINDOWS\system32\MSBYRBL32.dll
—————————————————————————————————————————-
Classification:

Antivirus	Version	Last Update	Result
F-Secure	9.0.15370.0	2009.12.15	Trojan:W32/Agent.MRD
Kaspersky	7.0.0.125	2009.12.15	Trojan-Dropper.Win32.Agent.bjpm
McAfee	5833	2009.12.15	-
Microsoft	1.5302	2009.12.15	-
NOD32	4691	2009.12.15	Win32/BHO.NVR
Symantec	1.4.4.12	2009.12.15	Trojan.Adclicker

—————————————————————————————————————————-
Additional information
File size: 172544 bytes
MD5   : a385ab8a243bca4d0d0465549a2ae06e
SHA1  : 02654cb2666b980dad2adb4b6ef67c70a39f4e88
SHA256: 88685941fe57545d256039ba8ed84bbd2aac5cb280039b08f816183e792dbc61
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added:27
———————————-
HKLM\SOFTWARE\Classes\AppID\mssarph.DLL
HKLM\SOFTWARE\Classes\AppID\{433AE4C6-62FF-4488-88F4-CB7ABE1E3AED}
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\Implemented Categories
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\{D3DC9DCF-B776-4EAD-AB2F-F0C9C82AFC91}
HKLM\SOFTWARE\Classes\Interface\{D3DC9DCF-B776-4EAD-AB2F-F0C9C82AFC91}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{D3DC9DCF-B776-4EAD-AB2F-F0C9C82AFC91}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{D3DC9DCF-B776-4EAD-AB2F-F0C9C82AFC91}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\{76799619-CFF6-44B2-8607-593D9324268F}
HKLM\SOFTWARE\Classes\TypeLib\{76799619-CFF6-44B2-8607-593D9324268F}\1.0
HKLM\SOFTWARE\Classes\TypeLib\{76799619-CFF6-44B2-8607-593D9324268F}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\{76799619-CFF6-44B2-8607-593D9324268F}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\{76799619-CFF6-44B2-8607-593D9324268F}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\{76799619-CFF6-44B2-8607-593D9324268F}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\mssarph.mssarpbho
HKLM\SOFTWARE\Classes\mssarph.mssarpbho\CLSID
HKLM\SOFTWARE\Classes\mssarph.mssarpbho\CurVer
HKLM\SOFTWARE\Classes\mssarph.mssarpbho.1
HKLM\SOFTWARE\Classes\mssarph.mssarpbho.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}

———————————-
Values added:22
———————————-
HKLM\SOFTWARE\Classes\AppID\mssarph.DLL\AppID: “{433AE4C6-62FF-4488-88F4-CB7ABE1E3AED}”
HKLM\SOFTWARE\Classes\AppID\{433AE4C6-62FF-4488-88F4-CB7ABE1E3AED}\: “mssarph”
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\VersionIndependentProgID\: “mssarph.mssarpbho”
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\TypeLib\: “{76799619-CFF6-44B2-8607-593D9324268F}”
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\ProgID\: “mssarph.mssarpbho.1″
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\InprocServer32\: “C:\WINDOWS\system32\MSBYRBL32.dll”
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\InprocServer32\ThreadingModel: “Apartment”
HKLM\SOFTWARE\Classes\CLSID\{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}\: “Windows Assistant Helper”
HKLM\SOFTWARE\Classes\Interface\{D3DC9DCF-B776-4EAD-AB2F-F0C9C82AFC91}\TypeLib\: “{76799619-CFF6-44B2-8607-593D9324268F}”
HKLM\SOFTWARE\Classes\Interface\{D3DC9DCF-B776-4EAD-AB2F-F0C9C82AFC91}\TypeLib\Version: “1.0″
HKLM\SOFTWARE\Classes\Interface\{D3DC9DCF-B776-4EAD-AB2F-F0C9C82AFC91}\ProxyStubClsid32\: “{00020424-0000-0000-C000-000000000046}”
HKLM\SOFTWARE\Classes\Interface\{D3DC9DCF-B776-4EAD-AB2F-F0C9C82AFC91}\ProxyStubClsid\: “{00020424-0000-0000-C000-000000000046}”
HKLM\SOFTWARE\Classes\Interface\{D3DC9DCF-B776-4EAD-AB2F-F0C9C82AFC91}\: “Imssarphbho”
HKLM\SOFTWARE\Classes\TypeLib\{76799619-CFF6-44B2-8607-593D9324268F}\1.0\0\win32\: “C:\WINDOWS\system32\MSBYRBL32.dll”
HKLM\SOFTWARE\Classes\TypeLib\{76799619-CFF6-44B2-8607-593D9324268F}\1.0\HELPDIR\: “C:\WINDOWS\system32″
HKLM\SOFTWARE\Classes\TypeLib\{76799619-CFF6-44B2-8607-593D9324268F}\1.0\FLAGS\: “0″
HKLM\SOFTWARE\Classes\TypeLib\{76799619-CFF6-44B2-8607-593D9324268F}\1.0\: “Biblioteca de tipos mssarph 1.0″
HKLM\SOFTWARE\Classes\mssarph.mssarpbho\CurVer\: “mssarph.mssarpbho.1″
HKLM\SOFTWARE\Classes\mssarph.mssarpbho\CLSID\: “{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}”
HKLM\SOFTWARE\Classes\mssarph.mssarpbho\: “Windows Assistant Helper”
HKLM\SOFTWARE\Classes\mssarph.mssarpbho.1\CLSID\: “{2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}”
HKLM\SOFTWARE\Classes\mssarph.mssarpbho.1\: “Windows Assistant Helper”

———————————-
Files added:2
———————————-
C:\WINDOWS\system32\MSBYRBL32.dll
C:\WINDOWS\system32\MSBYRBL64.dll

———————————-
Total changes:51
———————————-

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: {2F77CDB7-D730-4B5C-A64F-1515DF0BFB12}
Author:
Related File: C:\WINDOWS\system32\MSBYRBL32.dll
Type: Browser Helper Objects

Removal Results: Success
Number of reboot: 1
—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com

Comments

• Greatis Software

  • Free Download
  • Send a file

• AverScanner

  AverScaner- EveryDay Malware Scan

• Testimonials

  People say

  Greg

  I spent over 10 hours trying to manually hunt down and remove a rootkit and browser hijacker from my computer. That was a mistake!

  This virus/malware could not be removed by Norton, ZoneLabs, MS Essentials; etc.

  In about 1 hour, I was able to download your software, create the CD-ROM, watch the instruction video and kill 3 ROOKITS from my PC. (Your software hunted down the rootkits and killed them like Spetsnaz going after the enemy!) Get it!

  Joseph

  Your product is the only one on the market that has found and removed rootkits from my system, three rootkits to be precise. I have used other products but they don't measure up to UnHackMe.

  Bob

  The UnHackMe is a real program, no spyware or phish and works great and is easy to use. Enjoy!

  Click Here to Update All your PC's Outdated drivers

• Categories

  • Adware
  • Backdoor
  • Fake Driver-Codec
  • Fake System Tool
  • FakeAV
  • Locker
  • Malware
  • Malware Domain
  • Not-a-Virus
  • Rootkit
  • unknown
  • Virus
  • Worm

• Recent Posts

  • HDAUDBUS.DLL is Rootkit ZeroAccess
  • AVGASCLN.DLL is Rootkit ZeroAccess
  • SCANEXPLICIT.DLL is Trojan Sirefef
  • IAIMTV0.DLL is Rootkit ZeroAccess
  • SVV.DLL is Rootkit ZeroAccess
  • BITVACCINE.EXE is FakeAV BitVaccine
  • VGBSHUSWUHDAS.DLL is Trojan Grobim
  • SVBXPBBQUHG.DLL is Trojan Grobim
  • ABCOJHQOHJSKS.EXE is Trojan Fosniw
  • WINUPDATEC.EXE is Backdoor Krademok

• 
• Remember: the best way to remove rootkits is from the outside!

  

• Blogroll

  • RegRun Security Suite. Detects and removes rootkits/malware/adware that your antivirus could not.
  • RegRun Warrior – Removing rootkits is best done from the outside!
  • UnHackMe – rootkit & malware killer

• Popular

  1. 3%QKM.EXE is Trojan Kryptik
  2. 2%BETTERINSTALLER.EXE is Adware Somoto
  3. 1%U997.EXE is not a virus UltraSurf
  4. 1%MSLOOP.DLL is Rootkit Zero Access
  5. 1%TEMP:WINUPD.EXE is BackDoor TDSS
  6. 1%GREP.3XE is Trojan Tool-NirCmd
  7. 1%MVSCAVAP.EXE is Trojan Banker6
  8. 1%PCOTP.EXE is Trojan Offend
  9. 1%HPDSKFLT.DLL is Rootkit ZeroAccess
  10. 1%XUAT.EXE is Trojan Rimecud
  11. 1%CHINDE.EXE is Trojan Jorik
  12. 1%SYSTEMINSTALLATION.EXE is Trojan Llac
  13. 1%RADCLOCK.DLL is Rootkit ZeroAccess
  14. 1%DLLHSTS.EXE is Trojan LockScreen
  15. 1%F16.EXE is Trojan FakeAV
  16. 1%MRTSTUB.EXE is Trojan Banker
  17. 1%QUESTBASIC.EXE is AdWare AdLoad
  18. 1%HKAVGLRJ.EXE is Trojan Banker
  19. 1%PROCEXP111.DLL is Rootkit ZeroAccess
  20. 1%MSDUBMN.BAT is Worm Gamarue

• Tags

  3308c706 Adware Agent Ainslot ATAPI.SYS AutoRun autorun.inf Backdoor Bancos Banker Banload BHO Bifrose Buzus Delf Fake AntiVirus FakeAV Injector IRCBot Jorik KeyLogger Koobface Kraddare Kryptik lsass.exe Malware Domain Oficla OnLineGames Palevo Rebhip Rootkit Scar services.exe SpyEye svchost.exe Taterf TDSS Trojan VB VBInject VBKrypt Virus winlogon.exe Worm ZeroAccess