v3avie0.dll – trojan Scar

May 26, 2011 by NightWatcher
Filed under: Malware 
: Solved!

You should Download Removal Tool here...

The file v3avie0.dll is identified as the Trojan Program that is used for stealing bank information and users passwords.
To delete v3avie0.dll we suggest you should use UnHackMe:
http://www.unhackme.com

Malware Analysis of v3avie0.dll
Executed: 0i86rk.exe
Removed: v3avie0.dll. Full path: C:\WINDOWS\system32\v3avie0.dll

—————————————————————————————————————————-
How to quickly detect malware presence?

Files:
C:\WINDOWS\system32\cyban.exe
C:\WINDOWS\system32\cyban0.dll
C:\WINDOWS\system32\ieban0.dll
C:\WINDOWS\system32\v3avast.exe
C:\WINDOWS\system32\v3avie0.dll
C:\WINDOWS\system32\v3avmn0.dll
C:\WINDOWS\system32\wuaucldt.exe
C:\0i86rk.exe
C:\autorun.inf
—————————————————————————————————————————-
Classification:

Antivirus Version Last Update Result
F-Secure 9.0.16440.0 2011.05.23 Win32.Virtob.Gen.12
Kaspersky 9.0.0.837 2011.05.23 Virus.Win32.Virut.ce
Microsoft 1.6903 2011.05.23 Virus:Win32/Virut.BN
NOD32 6145 2011.05.23 Win32/Virut.NBP

—————————————————————————————————————————-

MD5 48352ad2836dea631ba829a800ee9440

SHA1 6716bc82bcad79fcca18948a41d43470d7e8a7f2

SHA256 8eeb661352f2f60a440320ed69ad19de97ab84f8f00dd710603e1e4d961460a1

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added:38
———————————-
HKLM\Software\Classes\CLSID\MNDOWN
HKLM\Software\Classes\CLSID\{6EB54244-231D-4ED0-8518-3A50F06096A3}
HKLM\Software\Classes\CLSID\{6EB54244-231D-4ED0-8518-3A50F06096A3}\InprocServer32
HKLM\Software\Classes\CLSID\{6EB54244-231D-4ED0-8518-3A50F06096A3}\ProgID
HKLM\Software\Classes\CLSID\{6EB54244-231D-4ED0-8518-3A50F06096A3}\Programmable
HKLM\Software\Classes\CLSID\{6EB54244-231D-4ED0-8518-3A50F06096A3}\VersionIndependentProgID
HKLM\Software\Classes\CLSID\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\Software\Classes\CLSID\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32
HKLM\Software\Classes\CLSID\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID
HKLM\Software\Classes\CLSID\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\Programmable
HKLM\Software\Classes\CLSID\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID
HKLM\Software\Classes\Interface\{6EB54245-231D-4ED0-8518-3A50F06096A3}
HKLM\Software\Classes\Interface\{6EB54245-231D-4ED0-8518-3A50F06096A3}\ProxyStubClsid
HKLM\Software\Classes\Interface\{6EB54245-231D-4ED0-8518-3A50F06096A3}\ProxyStubClsid32
HKLM\Software\Classes\Interface\{6EB54245-231D-4ED0-8518-3A50F06096A3}\TypeLib
HKLM\Software\Classes\Interface\{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\Software\Classes\Interface\{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid
HKLM\Software\Classes\Interface\{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32
HKLM\Software\Classes\Interface\{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib
HKLM\Software\Classes\TypeLib\{6EB5424B-231D-4ED0-8518-3A50F06096A3}
HKLM\Software\Classes\TypeLib\{6EB5424B-231D-4ED0-8518-3A50F06096A3}\1.0
HKLM\Software\Classes\TypeLib\{6EB5424B-231D-4ED0-8518-3A50F06096A3}\1.0\0
HKLM\Software\Classes\TypeLib\{6EB5424B-231D-4ED0-8518-3A50F06096A3}\1.0\0\win32
HKLM\Software\Classes\TypeLib\{6EB5424B-231D-4ED0-8518-3A50F06096A3}\1.0\FLAGS
HKLM\Software\Classes\TypeLib\{6EB5424B-231D-4ED0-8518-3A50F06096A3}\1.0\HELPDIR
HKLM\Software\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\Software\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0
HKLM\Software\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0
HKLM\Software\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32
HKLM\Software\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS
HKLM\Software\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR
HKLM\Software\Classes\IEHlprObj.IEHlprObj
HKLM\Software\Classes\IEHlprObj.IEHlprObj\CurVer
HKLM\Software\Classes\IEHlprObj.IEHlprObj.1
HKLM\Software\Classes\IEHlprObj.IEHlprObj.1\CLSID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EB54244-231D-4ED0-8518-3A50F06096A3}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}
HKLM\Software\Microsoft\DownloadManager

———————————-
Values added:40
———————————-
HKLM\Software\Classes\CLSID\MNDOWN\urlinfo: “lxser.x”
HKLM\Software\Classes\CLSID\{6EB54244-231D-4ED0-8518-3A50F06096A3}\VersionIndependentProgID\: “IEHlprObj.IEHlprObj”
HKLM\Software\Classes\CLSID\{6EB54244-231D-4ED0-8518-3A50F06096A3}\ProgID\: “IEHlprObj.IEHlprObj.1″
HKLM\Software\Classes\CLSID\{6EB54244-231D-4ED0-8518-3A50F06096A3}\InprocServer32\: “C:\WINDOWS\system32\v3avie0.dll”
HKLM\Software\Classes\CLSID\{6EB54244-231D-4ED0-8518-3A50F06096A3}\InprocServer32\ThreadingModel: “Apartment”
HKLM\Software\Classes\CLSID\{6EB54244-231D-4ED0-8518-3A50F06096A3}\: “IEHlprObj Class”
HKLM\Software\Classes\CLSID\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\VersionIndependentProgID\: “IEHlprObj.IEHlprObj”
HKLM\Software\Classes\CLSID\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\ProgID\: “IEHlprObj.IEHlprObj.1″
HKLM\Software\Classes\CLSID\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32\: “C:\WINDOWS\system32\ieban0.dll”
HKLM\Software\Classes\CLSID\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\InprocServer32\ThreadingModel: “Apartment”
HKLM\Software\Classes\CLSID\{7F23592B-8F2C-4C08-83A8-BBE01BF9CC64}\: “IEHlprObj Class”
HKLM\Software\Classes\Interface\{6EB54245-231D-4ED0-8518-3A50F06096A3}\TypeLib\: “{6EB5424B-231D-4ED0-8518-3A50F06096A3}”
HKLM\Software\Classes\Interface\{6EB54245-231D-4ED0-8518-3A50F06096A3}\TypeLib\Version: “1.0″
HKLM\Software\Classes\Interface\{6EB54245-231D-4ED0-8518-3A50F06096A3}\ProxyStubClsid32\: “{00020424-0000-0000-C000-000000000046}”
HKLM\Software\Classes\Interface\{6EB54245-231D-4ED0-8518-3A50F06096A3}\ProxyStubClsid\: “{00020424-0000-0000-C000-000000000046}”
HKLM\Software\Classes\Interface\{6EB54245-231D-4ED0-8518-3A50F06096A3}\: “IIEHlprObj”
HKLM\Software\Classes\Interface\{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib\: “{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}”
HKLM\Software\Classes\Interface\{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\TypeLib\Version: “1.0″
HKLM\Software\Classes\Interface\{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid32\: “{00020424-0000-0000-C000-000000000046}”
HKLM\Software\Classes\Interface\{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\ProxyStubClsid\: “{00020424-0000-0000-C000-000000000046}”
HKLM\Software\Classes\Interface\{7F23592C-8F2C-4C08-83A8-BBE01BF9CC64}\: “IIEHlprObj”
HKLM\Software\Classes\TypeLib\{6EB5424B-231D-4ED0-8518-3A50F06096A3}\1.0\0\win32\: “C:\WINDOWS\system32\v3avie0.dll”
HKLM\Software\Classes\TypeLib\{6EB5424B-231D-4ED0-8518-3A50F06096A3}\1.0\HELPDIR\: “C:\WINDOWS\system32\”
HKLM\Software\Classes\TypeLib\{6EB5424B-231D-4ED0-8518-3A50F06096A3}\1.0\FLAGS\: “0″
HKLM\Software\Classes\TypeLib\{6EB5424B-231D-4ED0-8518-3A50F06096A3}\1.0\: “IEHelper 1.0 Type Library”
HKLM\Software\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\0\win32\: “C:\WINDOWS\system32\ieban0.dll”
HKLM\Software\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\HELPDIR\: “C:\WINDOWS\system32\”
HKLM\Software\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\FLAGS\: “0″
HKLM\Software\Classes\TypeLib\{7F235922-8F2C-4C08-83A8-BBE01BF9CC64}\1.0\: “IEHelper 1.0 Type Library”
HKLM\Software\Classes\IEHlprObj.IEHlprObj\CurVer\: “IEHlprObj.IEHlprObj.1″
HKLM\Software\Classes\IEHlprObj.IEHlprObj\: “IEHlprObj Class”
HKLM\Software\Classes\IEHlprObj.IEHlprObj.1\CLSID\: “{6EB54244-231D-4ED0-8518-3A50F06096A3}”
HKLM\Software\Classes\IEHlprObj.IEHlprObj.1\: “IEHlprObj Class”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\wuaucldt: “c:\windows\system32\wuaucldt.exe”
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe: “\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1″
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0×00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 0×00000091
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cybansos: “C:\WINDOWS\system32\cyban.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\V3_reg: “C:\WINDOWS\system32\v3avast.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wuaucldt: “c:\documents and settings\administrator\wuaucldt.exe”

———————————-
Values modified:2
———————————-
(-) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0×00000001
(+) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0×00000000

———————————-
Files added:21
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\History\History.IE5\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\History\History.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\72W0YZ74\ah1[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\72W0YZ74\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\7W6ZBGB6\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\BXXA6NDN\ah1[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\BXXA6NDN\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SJQJZ62W\desktop.ini
C:\Documents and Settings\Administrator\wuaucldt.exe
C:\WINDOWS\system32\cyban.exe
C:\WINDOWS\system32\cyban0.dll
C:\WINDOWS\system32\ieban0.dll
C:\WINDOWS\system32\v3avast.exe
C:\WINDOWS\system32\v3avie0.dll
C:\WINDOWS\system32\v3avmn0.dll
C:\WINDOWS\system32\wuaucldt.exe
C:\0i86rk.exe
C:\autorun.inf

———————————-
Files deleted:1
———————————-
C:\sand-box\0i86rk.exe

———————————-
Files [attributes?] modified:26
———————————-
C:\Program Files\MiniCap\dcuhelper.exe
C:\Program Files\MiniCap\MiniCap.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\accicons.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\cagicon.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\inficon.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\misc.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\mspicons.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\oisicon.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\opwicon.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\outicon.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\pptico.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\pubs.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\wordicon.exe
C:\WINDOWS\Installer\{90110419-6000-11D3-8CFE-0150048383C9}\xlicons.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mshearts.exe
C:\WINDOWS\system32\reg.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\Restore\rstrui.exe
C:\WINDOWS\system32\spider.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\usmt\migwiz.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\wuauclt.exe

———————————-
Folders added:9
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies
C:\Documents and Settings\Administrator\Local Settings\Temp\History
C:\Documents and Settings\Administrator\Local Settings\Temp\History\History.IE5
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\72W0YZ74
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\7W6ZBGB6
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\BXXA6NDN
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\SJQJZ62W

———————————-
Total changes:137
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


Recommended: UnHackMe anti-rootkit and anti-malware

Premium software: RegRun Security Suite (Good choice for removal and protection)

Written by

Malware Hunter.

Comments

Tell me what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

You must be logged in to post a comment.