Has anyone seen MSUVR0.DLL, or does anyone know what it does?
It looks like a Microsoft DLL but it might not be; it might be rogue.
It appears to be a Browser Helper Object of IE.
If I Google for it, I find one reference across the web (in a HiJack log) and no explanation.
One of my colleagues has it on his PC and it is not on mine.
I have asked him to send me a copy.
Thanks
Stephen Howe
| Hi
| Thanks
| Stephen Howe
If/when you get it, upload it to Virus Total and post the results as well as upload it to http://www.uploadmalware.com/
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Done, results below.
It is weird. 2 colleagues of mine have seen this. They have 20-30 add-ons in IE.
No version information. And the imports look alarming.
Stephen Howe
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.15 -
AhnLab-V3 5.0.0.2 2009.12.15 -
AntiVir 7.9.1.108 2009.12.15 -
Antiy-AVL 2.0.3.7 2009.12.15 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.15 -
AVG 8.5.0.427 2009.12.15 -
BitDefender 7.2 2009.12.15 -
CAT-QuickHeal 10.00 2009.12.15 -
ClamAV 0.94.1 2009.12.15 -
Comodo 3251 2009.12.15 -
DrWeb 5.0.0.12182 2009.12.15 -
eSafe 7.0.17.0 2009.12.14 -
eTrust-Vet 35.1.7176 2009.12.15 -
F-Prot 4.5.1.85 2009.12.14 -
F-Secure 9.0.15370.0 2009.12.15 -
Fortinet 4.0.14.0 2009.12.15 -
GData 19 2009.12.15 -
Ikarus T3.1.1.74.0 2009.12.15 -
Jiangmin 13.0.900 2009.12.15 -
K7AntiVirus 7.10.920 2009.12.14 -
Kaspersky 7.0.0.125 2009.12.15 -
McAfee 5832 2009.12.14 -
McAfee+Artemis 5832 2009.12.14 -
McAfee-GW-Edition 6.8.5 2009.12.15 -
Microsoft 1.5302 2009.12.15 -
NOD32 4689 2009.12.15 -
Norman 6.04.03 2009.12.15 -
nProtect 2009.1.8.0 2009.12.15 -
Panda 10.0.2.2 2009.12.14 -
PCTools 7.0.3.5 2009.12.15 -
Prevx 3.0 2009.12.15 -
Rising 22.26.01.01 2009.12.15 -
Sophos 4.48.0 2009.12.15 -
Sunbelt 3.2.1858.2 2009.12.15 -
Symantec 1.4.4.12 2009.12.15 -
TheHacker 6.5.0.2.093 2009.12.15 -
TrendMicro 9.100.0.1001 2009.12.15 -
VBA32 3.12.12.0 2009.12.15 -
ViRobot 2009.12.15.2089 2009.12.15 -
VirusBuster 5.0.21.0 2009.12.14 -
Additional information
File size: 520704 bytes
MD5...: 71c4948620f8cb675152d99e342ca0bf
SHA1..: c144c2a68cc4eb7002da5e26e2cf7a1269188e1f
SHA256: 9fe182e82d1d800549d33986e3b6ac2b54a0e22b97b26d839f0ec265c02b0932
ssdeep: 12288:8mpgPyTbexIMkucMI1AlN/jGGptmg17BbMbj7jbySH16tqNPcPHu:8lPyT
bJMkucMI1AT7JabySH16WOH
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x4364ea86 (Sun Oct 30 15:45:10 2005)
machinetype.......: 0x14c (I386)
( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x73494 0x73600 6.12 d798463774899848eb04b802afd7ff17
.data 0x75000 0x270 0x400 1.33 f134437a9bf0b7bb7f5608cb29329f26
.rdata 0x76000 0x6720 0x6800 5.65 532eea44e3df537497fb12129a01a39d
.bss 0x7d000 0x4cd0 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.edata 0x82000 0x8d 0x200 1.65 fef9615b9eb0b04cf018f1e84b1da1f4
.idata 0x83000 0xe88 0x1000 4.71 e987ea16b90d7c514b6be16f3201810e
.reloc 0x84000 0x39f0 0x3a00 6.72 ed49e6cc6269377f9d846f1ed71c839e
( 9 imports )
> ADVAPI32.DLL: RegCloseKey, RegCreateKeyA, RegDeleteKeyA, RegOpenKeyA, RegSetValueA, RegSetValueExA
> KERNEL32.dll: AddAtomA, CloseHandle, CreateFileA, CreateFileMappingA, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerA, FindAtomA, FormatMessageA, FreeLibrary, GetAtomNameA, GetCurrentThreadId, GetLastError, GetModuleFileNameA, GetProcAddress, GetProcessHeap, GetSystemDirectoryA, GetVersionExA, HeapAlloc, HeapFree, InterlockedDecrement, InterlockedIncrement, LoadLibraryA, LocalFree, MapViewOfFile, OpenFileMappingA, ReleaseMutex, ReleaseSemaphore, SetLastError, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnmapViewOfFile, WaitForSingleObject
> msvcrt.dll: _close, _fdopen, _lseek, _open, _read, _stat, _strdup, _unlink, _write
> msvcrt.dll: __dllonexit, __mb_cur_max, _assert, _ctype, _errno, _filelengthi64, _fstati64, _iob, _isctype, _lseeki64, _pctype, _stricmp, _strnicmp, _vsnprintf, abort, bsearch, exit, fclose, fflush, fgetpos, fopen, fprintf, fread, free, fsetpos, fwrite, getc, getenv, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, printf, putc, qsort, realloc, remove, setlocale, setvbuf, sprintf, strcmp, strcoll, strcpy, strftime, strlen, strtod, strtol, strxfrm, time, ungetc, wcslen, wcstombs
> USER32.dll: KillTimer, MessageBoxA, SetTimer
> MSVCP60.DLL: wctob
> OLE32.dll: CoInitializeEx, CoTaskMemFree, StringFromCLSID
> OLEAUT32.DLL: DispGetIDsOfNames, LoadRegTypeLib, SysAllocString
> WININET.DLL: HttpQueryInfoA, InternetCloseHandle, InternetGetConnectedState, InternetOpenA, InternetOpenUrlA, InternetReadFile
( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllInstall, DllMain
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.1%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>If/when you get it, upload it to Virus Total and post the results
| Done, results below.
| It is weird. 2 colleagues of mine have seen this. They have 20-30 add-ons in IE.
| No version information. And the imports look alarming.
| Stephen Howe
Got it!
Thank you.