kb0892619.dll - Dangerous
Manual removal instructions:
Antivirus Report of kb0892619.dll:
We suggest you remove kb0892619.dll from your computer as soon as possible.
Kb0892619.dll is Trojan/Backdoor.
Kill the file kb0892619.dll and remove kb0892619.dll from Windows startup.
Malware dropper: qvodsetup3.exe
Removed: C:\WINDOWS\Tasks\JJX5r8wnsqUnNxGwpwn.inf
C:\WINDOWS\Fonts\kb0892619.dll
C:\WINDOWS\SYSTEM32\COMRES.DLL
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~3526.exe
-------------------------------------------------------------------------------------
Classification:
Antivirus   Version       Last Update   Result
F-Secure    8.0.14470.0   2009.10.06    Trojan-Dropper.Win32.Parc.v
Kaspersky   7.0.0.125     2009.10.06    Trojan-Dropper.Win32.Parc.v
McAfee      5762          2009.10.05    potentially unwanted program Suspect-26!EAF02133596F
Microsoft   1.5101        2009.10.05    TrojanDropper:Win32/Microjoin.gen!C
NOD32       4482          2009.10.05    a variant of Win32/TrojanDropper.Delf.NQJ
Symantec    1.4.4.12      2009.10.06    Infostealer.Gampass
Additional information
File size: 179060 bytes
MD5 : eaf02133596fcb32fbd9bb762466949e
SHA1 : 94740c49299cb8a38e66086f4961435352de2fb2
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys added:10
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}
HKLM\SOFTWARE\Classes\CLSID\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{A2BCFCEE-C939-433F-A32A-7353A6E720DB}
HKLM\SOFTWARE\Classes\CLSID\{A2BCFCEE-C939-433F-A32A-7353A6E720DB}\InprocServer32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
HKLM\SOFTWARE\Microsoft\DownloadManager
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000
HKLM\SYSTEM\CurrentControlSet\Services\vb
HKLM\SYSTEM\CurrentControlSet\Services\vb\Security
----------------------------------
Values deleted:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: ""
----------------------------------
Values added:21
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}\InprocServer32\: "C:\WINDOWS\Fonts\kb0892619.dll"
HKLM\SOFTWARE\Classes\CLSID\{A2BCFCEE-C939-433F-A32A-7353A6E720DB}\InprocServer32\: "C:\WINDOWS\Tasks\JJX5r8wnsqUnNxGwpwn.inf"
HKLM\SOFTWARE\Classes\CLSID\{A2BCFCEE-C939-433F-A32A-7353A6E720DB}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{A2BCFCEE-C939-433F-A32A-7353A6E720DB}: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}: ""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger: "services.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "C:\WINDOWS\Fonts\kb0892619.dll"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\Service: "vb"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\0000\DeviceDesc: "vb"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VB\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\QvodSetupPlus3.exe: "C:\Documents and Settings\Administrator\Local Settings\Temp\QvodSetupPlus3.exe:*:Disabled:QvodInstall Module"
HKLM\SYSTEM\CurrentControlSet\Services\vb\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\vb\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\vb\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\vb\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\vb\ImagePath: "\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~3526.ex"
HKLM\SYSTEM\CurrentControlSet\Services\vb\DisplayName: "vb"
----------------------------------
Values modified:0
----------------------------------
----------------------------------
Files added:11
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\a33.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\QvodSetupPlus3.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~3526.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~cb5e.dat
C:\WINDOWS\Fonts\AeioFs.dat
C:\WINDOWS\Fonts\Encionc_ch.dat
C:\WINDOWS\Fonts\kb0892619.dll
C:\WINDOWS\system32\2AwdJ.exe
C:\WINDOWS\system32\dfc8ac3ed7da.dll
C:\WINDOWS\Tasks\JJX5r8wnsqUnNxGwpwn.inf
C:\WINDOWS\Tasks\kZdWDEpQcNC2NwDe.ico
----------------------------------
Files deleted:1
----------------------------------
C:\WINDOWS\system32\verclsid.exe
----------------------------------
Files [attributes?] modified:1
----------------------------------
C:\WINDOWS\system32\comres.dll
----------------------------------
Folders added:0
----------------------------------
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:45
----------------------------------
-------------------------------------------------------------------------------------
Internet activity:
HTTP GET http://txt.ggadb.com/xx.txt
HTTP GET http://1.gudxw.com/img/1.exe
HTTP GET http://1.gudxw.com/img/2.exe
-------------------------------------------------------------------------------------
Detected by UnHackMe:
Item Name: {A2BCFCEE-C939-433F-A32A-7353A6E720DB}
Author: Unknown
Related File: C:\WINDOWS\Tasks\JJX5r8wnsqUnNxGwpwn.inf
Type: Shell Execute Hooks
Item Name: {9B1AE382-2647-4c4a-A313-B36B6CA34BD7}
Author: Unknown
Related File: C:\WINDOWS\Fonts\kb0892619.dll
Type: Shell Execute Hooks
Item Name: AppInit_DLLs
Author: Unknown
Related File: C:\WINDOWS\Fonts\kb0892619.dll
Type: List of Injected DLLs
Item Name: COMRES.DLL
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\COMRES.DLL
Type: Infected System Files
After first reboot detected by UnHackMe:
Item Name: {9B1AE382-2647-4c4a-A313-B36B6CA34BD7}
Author:
Related File: C:\WINDOWS\Fonts\kb0892619.dll
Type: Shell Execute Hooks
Item Name: {A2BCFCEE-C939-433F-A32A-7353A6E720DB}
Author:
Related File: C:\WINDOWS\Tasks\JJX5r8wnsqUnNxGwpwn.inf
Type: Shell Execute Hooks
Item Name: vb
Author:
Related File: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~3526.exe
Type: Services detected by Partizan
Removal Results: Success
Number of reboots: 2
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly if you have any questions.