Avast! 6.0 free and startup registry path [SOLVED]

[Sp0iLedBrAt]

I'm getting this registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CsGxeNz

with value data {3CD3DEAF-9679-7405-EF14-098E67FFF229} on startup and it is trying to connect with various system files, such as winlogon.exe, explorer.exe, lsass.exe, services.exe etc. Should I be worried? A google search on "CsGxeNz" reveals absolutely nothing.

Cheers

Edited March 17, 2011 by Sp0iLedBrAt

[allen2]

Did you found it with sysinternals autoruns ?

The reg entry {3CD3DEAF-9679-7405-EF14-098E67FFF229} should be found there:

HKEY_CLASSES_ROOT\CLSID

The subkeys inprocserver or InprocServer32 there should show which dll is loaded and you might be able to find with date/time and or version tab of the dll what is this dll.

[Sp0iLedBrAt]

The path HKEY_CLASSES_ROOT\CLSID\{3CD3DEAF-9679-7405-EF14-098E67FFF229}\InProcServer32 leads to C:\WINDOWS\system32\sbvp.dll, which is a small .dll file (32KB), which is not signed (no version) and is dated 29/10/2009 14:06. There is another REG_SZ value Apartment present in the same folder. A google search of the DLL reveals nothing.

Cheers

[allen2]

Then you should send a copy of the dll for analysis to an AV support (like the MacAffee one's) and rename the dll from safe mode or at least unregister it using regsvr32 /u C:\WINDOWS\system32\sbvp.dll (which might not work properly if it is virus/malware related.

[Sp0iLedBrAt]

It's all OK now. I copied the .dll to Desktop (to add it to quarantine and send it to their lab) and Avast! cleaned it right away. As it wasn't deleting the one in System32, I used Unlocker and saw it was connected to winlogon.exe, services.exe, explorer.exe and lsass.exe. After unlocking those processes, it was also deleted and recognized as Win32:Small-DKF Trojan

Thanks and cheers