  • Online Scan: Analyze sqlite3.dll file and fix runtime errors, Fix System Error
    Welcome to my blog. I found malicious code that had been added to the sqlite3.dll file. Because of this infection, the file contents changed. The MD5 value of the infected file is 004f43b008a67dd279e320fc0b927546, and the file size is 868 K (889,275 bytes).
    Risk level of malicious code: 4 stars (rated by 149 users)
    Behavior of malicious code (303 votes). If you know more about this malicious code, please vote. We sincerely hope you will share your information with other computer users and help them.
    1. Infect file: 14.52% (44)
    2. Intentionally destroy data: 13.2% (40)
    3. Steal personal privacy: 12.54% (38)
    4. Infect other computers through the Internet: 11.22% (34)
    5. Install a backdoor program so that the computer is controlled remotely: 12.21% (37)
    6. Cheat or threaten users into buying something: 10.89% (33)
    7. Download and install other programs in the background without permission: 11.55% (35)
    8. Pop up various advertisements and induce users to click: 13.86% (42)
    Binary Code Analysis:
    When the program runs, the PE loader will try to load the file at 0x10000000 in the virtual address space; the Address of Entry Point is 0x00084000. This file has 6 sections.
    DOS Header
    DOS Stub
    ...
    NT File Signature
    NT HEADER
    FILE HEADER
    OPTIONAL HEADER
    Data Directory
    .text SECTION #1
    .rdata SECTION #2
    .data SECTION #3
    .rsrc SECTION #4
    .reloc SECTION #5
    .text SECTION #6
    About this malicious code
    This malicious code is a 32-bit program that infects a DLL file. When the infected file is run or loaded, the malicious code in it runs first. This malicious code also infects the following files:

    • sqlite3.dll
    • sqlite3.sys

    Tip: There is something I must emphasize. The file names listed above belong to files that were infected by malicious code. It does not mean that every file with one of these names is malicious. It is inaccurate to decide whether a file is a malicious program based on its file name alone.

    The malicious code also infects files on the following paths:

    • c:\games\lol2\gamedata\room\
    • c:\public\thunder network\pusher\pusher\
    • c:\program files (x86)\ahnlab\apc2\policy agent\
    • c:\documents and settings\administrator\application data\360se6\application\7.1.1.601\
    • c:\arquivos de programas\winzip\utils\wzsysscan\
    • c:\program files (x86)\tweakbit\pcsuite\
    • c:\program files\kingsoft\pcdoctor\
    • c:\program files (x86)\jetstart\
    • c:\mamp\bin\python\bin\
    • c:\program files\bitdefender\antivirus free edition\
    • c:\user\appdata\local\miphonemanager\main\
    • c:\swsetup\cpwrdd\setup\utility\interoppalette\x64\lib\
    • c:\~\quarantine\files\atkmxchhabhaspxznltcuifxxmpgcdkt\surfing protection\
    • c:\osgeo4w\bin\
    • c:\program files\simnet\simple sticky notes\
    • c:\games\lol2\gamedata\bbtalk\
    • c:\programdata\torrent_search_ped\
    • c:\program files (x86)\dell\stage remote\
    • c:\program files\nusphere\phped\
    • c:\program files\dragondb mvb\v1\tools\db explorer\
    • c:\programmi\avira\antivir desktop\
    • c:\program\0.103.44.0\purplizer\
    • c:\games\broforce\broforce_beta_data\plugins\
    • c:\~\quarantine\files\iafmflhnvpokqjxbgoazvabixnmrywnp\duplicate file finder\
    • c:\anaconda3\dlls\
    • c:\progra~2\aimp3\
    • c:\psapa\_20171112\xbmc\system\
    • c:\program files (x86)\avira\antivir desktop\
    • c:\bitnami\wordpress-4.9.4-6\sqlite\
    • c:\program files (x86)\microsoft visual studio 14.0\common7\ide\extensions\pxvnayfn.jmy\x86\
    • c:\davdai\appdata\roaming\360se6\application\8.1.1.258\
    • c:\osgeo4w64\bin\
    • c:\program files (x86)\thunder\program\
    • c:\music\download\odpos\
    • c:\windows\infusedapps\applications\evernote.evernote_3.0.2.58_x86__q4d96b2w5wcc2\
    • c:\program files (x86)\garena plus\
    • c:\program files (x86)\cyberlink\youcam\koan\
    • c:\sas.planet.release.160707\
    • c:\program files (x86)\kodi\
    • c:\windows\temp\fb_icb\
    • c:\program files (x86)\simnet\simple sticky notes\
    • f:\online game\pointblank garena\gamedata\bbtalk\
    • c:\~\quarantine\files\dorcgldxmqmldlxbxbqlhcuvhjbamkoj\
    • c:\program files\htc\htc sync 3.0\
    • c:\program files\remo recover 4.0\32\
    • c:\program files\jetbrains\clion 2017.3.1\bin\gdb\bin\
    • c:\documents and settings\sortted_software\anti_virus_iobit\iobituninstallerportable\app\uninstaller\
    • c:\program files\common files\apple\apple application support\
    • d:\ihaier\
    • c:\program files (x86)\newtech infosystems\acer backup manager\
    • c:\autodesk\autodesk_3ds_max_2017_efgjkps_win_64bit\x64\max\autodesk\3ds max 2017\python\dlls\
    • c:\windows\infusedapps\applications\f5080380.photodirector8forasus_8.0.2811.0_x64__tfv7c950n6xcr\photodirector8\
    • c:\program files\congstar\internet-manager\bin\
    • f:\program files\auslogics\registry defrag\
    • c:\program files (x86)\fonepaw\fonepaw ios system recovery\
    • c:\program files (x86)\common files\acronis\home\
    • c:\program files\sony\sony pc companion\
    • c:\program files\magicplus\
    • c:\powerdvd17\common\koan\
    • c:\program files (x86)\acer\acer crystal eye webcam\koan\
    • c:\games\ue_4.20\engine\extras\thirdpartynotue\emsdk\win64\python\2.7.5.3_64bit\dlls\
    • c:\program files (x86)\intel\intelappstore\bin\
    • c:\program files (x86)\connection manager\bin\
    • c:\program files (x86)\nti\nti backup now ez\
    • c:\autodesk\autodesk_maya_2018_en_jp_zh_win_64bit_dlm\x64\maya\autodesk\maya2018\python\dlls\
    • c:\program files (x86)\tomtom home 2\xulrunner\
    • c:\xampp\apache\bin\
    • c:\drcom\drupdateclient\
    • c:\program files\myantivirus\myantivirus\
    • c:\program files\common files\managemint\
    • c:\psapa\_20171112\pidginportable\app\pidgin\
    • c:\program files\dell\supportassistagent\techniciantoolkit\
    • c:\~\quarantine\files\gqnewinwhpwzhdelczpirhejfarbkzjr\func\
    • c:\arquivos de programas\auslogics\diskdefrag\
    • c:\~\quarantine\files\atkmxchhabhaspxznltcuifxxmpgcdkt\
    • a:\新建文件夹 (3)\program\
    • c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\bin\
    • c:\documents and settings\administrateur\extracted files\nonlocalized\
    • c:\program files (x86)\common files\apple\apple application support\
    • c:\psapa\blenderportable\app\blender\2.64\python\lib\
    • c:\sqlite\
    • c:\program files\baidu\baidu browser\
    • c:\program files\elex-tech\yac\
    • c:\liberkey\apps\aimp\app\aimp\
    • c:\program files (x86)\openoffice 4\program\
    • c:\aems_client\client\bin\
    • c:\arquivos de programas\gnubg\
    • c:\program files (x86)\seagate\seagate dashboard 2.0\
    • c:\dell\appdata\local\background_fault\
    • c:\program files (x86)\hewlett-packard\hp connection manager\
    • c:\program files (x86)\iobit\iobit malware fighter\adsremoval\ie\
    • c:\sasplanet.nightly.171130.9738\
    • c:\windows\infusedapps\applications\f5080380.photodirector8forasus_8.0.2811.0_x64__tfv7c950n6xcr\photodirector8\koan\
    • c:\program files (x86)\clashfarmer\
    • c:\program files (x86)\wordinn\urdu dictionary\bin\
    • c:\windows\infusedapps\packages\microsoft.microsoftstickynotes_2.0.13.0_x86__8wekyb3d8bbwe\
    • c:\esupport\edriver\software\trendmicro\tis2011\win7_32_win7_64_3.0\setup64\amsp\
    • c:\programme\mtv networks\urge\
    • c:\program files (x86)\nti\acer backup manager\
    • c:\program files\bitdefender\bitdefender security\
    • c:\program files (x86)\incredimail\bin\
    • c:\program files (x86)\iobit\iobit uninstaller\
    • d:\program files (x86)\thunder network\thunder9\program\
    • c:\temp\commongamedownloader\105_1493368751_21968\
    • c:\windows\winsxs\amd64_sony.vaio.sqliteengine_0a6f6ab66b2734f7_3.7.4.0_none_31569c70c3285295\
    • c:\rosko\appdata\roaming\curse client\bin\
    • c:\program files\blazz connect\bin\
    • c:\program files\linotype fontexplorer x\
    • c:\kwic\kiss\bin\
    • c:\python32\dlls\
    • c:\program files\fortinet\forticlient\
    • c:\windows\softwaredistribution\download\9eaee87abab23b313c5b7697b9a103ad\amd64_microsoft.modernapps.client.professional~~amd64~~10.0.17134.1\microsoft.skypeapp_kzf8qxf38zg5c\microsoft.skypeapp_12.13.274.0_x64__kzf8qxf38zg5c\
    • c:\program files (x86)\microsoft visual studio\2017\community\common7\servicehub\services\microsoft.developer.settings\
    • c:\program files (x86)\avira\antivirus\
    • c:\programme\paretologic\regcure pro\
    • c:\esau (archivos instalados)\allmytube\
    • c:\windows\infusedapps\applications\db6ea5db.mediasuiteessentialsfordell_2.4.1606.0_x86__mcezb6ze687jp\media suite\koan\
    • c:\program files\libreoffice 5\program\
    • c:\dta_client\dms_at\
    • c:\program files (x86)\common files\thunder network\pusher\pusher\
    • c:\esupport\edriver\software\trendmicro\tis2011\win7_32_win7_64_3.0\setup32\amsp\
    • c:\program files\sony\vaio care\
    • c:\program files\mozilla firefox\
    • c:\program files\driverscloud.com\
    • c:\music\odpos\
    • c:\archivos de programa\aimp2\
    • c:\program files\novell\zenworks\bin\
    • c:\thunder\program\
    • c:\~\quarantine\files\gjucukncbfxgcnovilxjnqcoffrialhc\fixmypc\
    • c:\program files\panda security\panda security protection\
    • c:\twincat\3.1\components\plc\docscripting\3.5.10.0\
    • c:\program files (x86)\thunder network\thundervip\program\
    • c:\program files (x86)\plex\plex media server\
    • e:\cyberindoserver\
    • c:\python26\dlls\
    • c:\imanager u2000 v200r016c10spc240 client\client\client\lib\thirdtools\sqlite\
    • c:\program files\bluesprig\jetclean\
    • c:\appl\emula_disco_d\chiave portable usb\portableapps\thunderbirdportable\app\thunderbird\
    • c:\program files\ostotosoft\ostoto pc speeder\
    • c:\gsm flasher tools\4se-tool-2.0.4\
    • c:\python25\dlls\
    • c:\archivos de programa\autoplay media studio 8 personal edition\data\databases\luasql\
    • c:\program files (x86)\nero\nero 2018\nero backitup\
    • c:\python27\dlls\
    • c:\administrator\appdata\roaming\360notify\bin\
    • c:\windows\winsxs\x86_sony.vaio.sqliteengine_1bcc0b985b6fcb91_3.7.8.0_none_8704b1cc7eadf55c\
    • c:\program files\intel\sur\queencreek\x64\
    • c:\program files\dll care\
    • c:\program files (x86)\spybot - search & destroy 2\
    • c:\program files (x86)\iobit\game booster 3\
    • c:\psapa\firefoxportable_1\app\firefox\
    • c:\kings\kos\
    • c:\liberkey\apps\firefox\app\firefox\
    • c:\program files (x86)\embarcadero\studio\17.0\bin\
    • c:\archivos de programa\corel\corel paintshop pro x7\python libraries\dlls\
    • c:\python26\arcgis10.0\dlls\
    • c:\documents and settings\zana\anaconda2\dlls\
    • c:\esau (archivos instalados)\allmytube\cookies\sqlite\
    • c:\~\quarantine\files\zvyacufqpxeulhgkypfwcelodqmuqfic\1.0.6.1\
    • c:\roque\appdata\roaming\desktopcal\
    • c:\windows\infusedapps\packages\microsoft.xboxapp_25.25.13009.0_x64__8wekyb3d8bbwe\
    • c:\program files (x86)\baidu\baidu browser\
    • c:\windows\infusedapps\packages\lenovocorporation.lenovosettings_3.130.4.0_x86__4642shxvsv8s2\
    • c:\program files\mysql\mysql workbench 6.3 ce\
    • c:\autodesk\wi\autodesk 3ds max 2018\x64\max\autodesk\3ds max 2018\python\dlls\
    • c:\anaconda2\dlls\
    • c:\windows\system32\all file dll\
    • c:\tispro2010\setup\framework\32bit\200\
    • c:\program files\mcafee security scan\3.11.266\
    • c:\program files\avira\antivir desktop\
    • c:\hypack 2012a\
    • c:\program files (x86)\innovative solutions\advanced uninstaller pro\
    • c:\program files\speedtest\speedtest_data\plugins\
    • c:\program files\billp studios\winpatrol\
    • c:\program files (x86)\escan\
    • c:\program files\garena plus\bbtalk\
    • c:\program files\eagleget\
    • c:\program files (x86)\mcafee\telemetry\
    • c:\cyberdigm\destinysolutionmgr\ssl\
    • c:\program files\fichiers communs\apple\mobile device support\bin\
    • c:\program files\mcafee security scan\3.11.569\
    • c:\program files\devicevm\browser configuration utility\
    • c:\swsetup\sp77573\setup\utility\interoppalette\x64\lib\
    • c:\open_office\
    • c:\progra~2\common~1\mcafee\msc\
    • c:\program files (x86)\tc up\plugins\media\aimp\
    • d:\program files\kingroot\
    • c:\program files\ecp\
    • c:\program files\dell\supportassistagent\sre\
    • c:\windows\winsxs\x86_sony.vaio.sqliteengine_0a6f6ab66b2734f7_3.6.23.1_none_70a14d71e9121810\
    • c:\~\quarantine\files\rtmddamvusoxrbhroqlfomjbawybbnqx\qqphonemanager\applications\5.6.1.5077\
    • c:\program files (x86)\security task manager\
    • c:\program files\lenovo drivers management\
    • c:\program files (x86)\intel\intel(r) me fw recovery agent\bin\
    • c:\unlock\
    • c:\program files (x86)\baidu\spark\
    • c:\program files (x86)\newsxpresso\
    • c:\program files\z3x\
    • c:\sandayscott\appdata\local\programs\speedyfixer\
    • c:\python33\dlls\
    • c:\gurobi752\win64\python27\dlls\
    • c:\program files\ludashi\
    • c:\program files (x86)\thunder network\xmp\xmp5_instdir\bin\
    • c:\program files (x86)\auslogics\disk defrag\
    • c:\bc\appdata\local\mzwinstaller\com\
    • c:\max\appdata\roaming\acestream\engine\lib\
    • c:\program files\intel\sur\queencreek\
    • c:\program files\andy\
    • c:\~\quarantine\files\gjucukncbfxgcnovilxjnqcoffrialhc\driver updater\
    • c:\program files (x86)\em client\sqlite\x86\
    • c:\program files (x86)\mcafee\temp\qxze4f7\
    • c:\~\quarantine\files\mnxxdvqlclurfeuxqbgdzswsxpvpjwnu\
    • c:\autodesk\autocad_civil3d_2017_spanish_win_64bit_dlm\x64\acadmap\common files\autodesk shared\gis\impexp\11.0\fmepython27\dlls\
    • c:\program files (x86)\aimp\
    • c:\program files (x86)\tweakbit\fixmypc\
    • c:\cd_storici_2015\programmipaghe\portale\
    • c:\program files (x86)\aiseesoft studio\aiseesoft fonelab\
    • c:\program files (x86)\speedyfixer\
    • c:\program files (x86)\quicktime alternative\aas\
    • c:\~\quarantine\files\amyyxkzvefmkpvmhcqhgizvcpvqpakmu\phone saver\
    • c:\auslogics boostspeed 5.3.0.0 portable\auslogics boostspeed v5.3.0.0 portable\app\boostspeed\
    • c:\program files\dvdvideosoft\free youtube download\
    • c:\program files (x86)\broffice.org 3\program\
    • c:\program files\calibre2\app\dlls\
    • c:\program files (x86)\iobit\iobit malware fighter\
    • c:\programme\mozilla firefox\
    • c:\drugsbazaar\
    • c:\appl\emula_disco_d\chiave portable usb\portableapps\pidginportable\app\pidgin\
    • c:\program files\incredimail\bin\
    • c:\program files (x86)\iobit\classic start\
    • c:\program files\haozhuomobilemgr\
    • c:\program files\dell\supportassistagent\bin\x86\
    • c:\program files\cyberlink\powerdvd18\common\koan\
    • c:\program files (x86)\pfu\scansnap\cardminder\
    • c:\files\dvdvideosoft\free coub download\
    • c:\windows\infusedapps\packages\7906aac0.trurecorder_1.5.0.1_x86__nvaxck9xhg5vg\
    • c:\minesight\mpython\python\2.7\dlls\
    • c:\windows\infusedapps\packages\microsoft.bingweather_4.21.2492.0_x64__8wekyb3d8bbwe\
    • c:\program files (x86)\lg software\lg smart share\dms\
    • c:\program files (x86)\aimp3\
    • c:\program files (x86)\auslogics\boostspeed\
    • c:\appserv\apache24\bin\
    • c:\tispro2010\setup\framework\64bit\200\
    • c:\portablefirefox\app\firefox\
    • c:\ms4w\apache\cgi-bin\
    • c:\windows\infusedapps\packages\microsoft.microsoftstickynotes_1.4.101.0_x64__8wekyb3d8bbwe\
    • c:\cau_temp_2559-07-04_10-14-01\frame\nmsroot\client\client\lib\thirdtools\sqlite\
    • c:\carlos\informacion\kosmo-3.1\bin\resources\dao\ogr\bin\
    • c:\program files\z3x\samsung\samsungtoolpro\
    • d:\program files\z3x\samsung\samsungtoolpro\
    • c:\program files (x86)\total commander\plugins\wdx\mediainfo\
    • c:\orcad\orcad_16.6_lite\tools\firefox\bin\
    • c:\apache2.4.18\bin\
    • c:\program files (x86)\boinc\
    • f:\program files\auslogics\boostspeed\
    • c:\program files (x86)\thunder network\thunder9\program\
    • c:\z - program files - old\lenovo1\lenovo photo master\subsys\advphotoeditor\koan\
    • c:\cis\appdata\roaming\imvuclient\
    • c:\psapa\inkscapeportable_\app\inkscape\python\dlls\
    • c:\esupport\edriver\software\trendmicro\setup\framework\32bit\200\
    • c:\psapa\gpodderportable\app\python\dlls\
    • c:\program files\bitdefender\bitdefender device management\
    • c:\program files\nuance\nuance cloud connector\
    • c:\program files (x86)\pidgin\
    • c:\program files\opentrust\opentrust scm client\xulrunner\
    • c:\psapa\openofficeportable\app\openoffice\program\
    • c:\program files\iobit\classic start\
    • c:\autodesk\autodesk_maya_2017_en_jp_zh_win_64bit_dlm\x64\maya\autodesk\maya2017\python\dlls\
    • c:\program files\avira\antivirus\
    • c:\z - program files - old\lenovo1\lenovo photo master\subsys\advphotoeditor\
    • c:\
    • c:\program files (x86)\nuance\nuance cloud connector\
    • c:\program files (x86)\webcammax\
    • c:\program files\common files\mcafee\msc\
    • c:\handysoft\handyuc\
    • e:\online games\garena+\bbtalk\
    • c:\progra~1\raptri~1\playstv\
    • c:\program files (x86)\tweakbit\file recovery\
    • c:\duzonbizon\smarta_cpa\dblib\
    • c:\antivir\spybot old\spybot - search & destroy\
    • c:\windows\softsecurity\touchen\safe\antiddospro\
    • c:\program files\z3x\lg\lgtool\
    • c:\program files (x86)\thunder network\thunder\program\
    • c:\program files\aimp\
    • c:\program files (x86)\ccbcomponents\plugins\caroot\
    • c:\tdm-gcc-64\gdb64\bin\dlls\
    • c:\program files (x86)\vivo\vivo mobile assistant\
    • c:\z - program files - old\lenovo1\energy manager\
    • c:\temp\clnextor\pccnt\win64\x64\
    • c:\program files (x86)\eagleget\
    • c:\arquivos de programas\arquivos comuns\apple\apple application support\
    • c:\~\
    • c:\program files\iolo\system mechanic professional\
    • c:\program files (x86)\mobo\mobomarket\
    • c:\program files\sagethumbs\32\
    • c:\python34\dlls\
    • c:\program files\4shared desktop\
    • c:\windows.old\program files\3utools\
    • c:\windows\infusedapps\applications\nextissue.nextissuemagazines_1.5.18.0_x64__91pt4qm2m3xcw\
    • e:\program files\dll suite\
    • c:\z - program files - old\lenovo1\lenovo photo master\koan\
    • c:\program files\windowsapps\microsoft.microsoftstickynotes_1.7.1.0_x86__8wekyb3d8bbwe\
    • c:\program files\baidu\baidupinyin\uiframe\1.0.0.151\
    • c:\program files\windowsapps\microsoft.bingnews_4.20.1102.0_x86__8wekyb3d8bbwe\
    • c:\~\quarantine\files\gjucukncbfxgcnovilxjnqcoffrialhc\pcspeedup\
    • c:\program files\premiumsoft\navicat for mysql\
    • c:\esupport\edriver\software\trendmicro\setup\framework\64bit\200\
    • c:\program files (x86)\polaris office\
    • c:\program files (x86)\aatrix software\aatrix forms\sto\
    • c:\program files (x86)\iobit\start menu 8\
    • c:\program files\intel\intel(r) me fw recovery agent\bin\
    • c:\softz\downloads\tcmd\wlx_synwrite\dlls\
    • c:\program files\avg\avg pc tuneup\
    • c:\program files (x86)\jeppesen\jeppview for windows\
    • c:\python27\arcgis10.3\dlls\
    • c:\windows\softwaredistribution\download\9eaee87abab23b313c5b7697b9a103ad\amd64_microsoft.modernapps.client.all~~amd64~~10.0.17134.1\microsoft.microsoftstickynotes_8wekyb3d8bbwe\microsoft.microsoftstickynotes_2.0.13.0_x64__8wekyb3d8bbwe\
    • c:\python27\arcgisx6410.5\dlls\
    • c:\program files\htc\htc sync manager\
    • c:\program files\dell\supportassistagent\bin\x64\
    • c:\program files\auslogics\auslogics disk defrag\
    • c:\windows\winsxs\amd64_sony.vaio.sqliteengine_0a6f6ab66b2734f7_3.6.23.1_none_28f4169ad495ef0a\
    • c:\program files (x86)\wise\wise disk cleaner\
    • c:\program files\360\360sd\softmgr\
    • c:\preboot\python26\dlls\
    • c:\python27\arcgis10.4\dlls\
    • c:\progra~1\raptri~1\raptr\
    • c:\dt2016.9.1.0_oversea\dt2016.9.1.0\
    • c:\esupport\edriver\software\modern_application\asus\asus_photodirector_v2\win8_64_win81_32_win81_64_2.0.2425.0\f5080380.asusphotodirector_2.0.2425.0_x86__tfv7c950n6xcr.main\
    • c:\program files\aimp3\
    • c:\hira\ihiradur\
    • c:\program files\innovative solutions\orange defender antivirus\
    • c:\app\ddc\bin\
    • c:\administrator\appdata\roaming\ldrvsvc\
    • c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\xre\components\
    • c:\postgresql\python2\dlls\
    • c:\program files\trend micro\officescan client\
    • c:\program files\acer\acer crystal eye webcam\koan\
    • c:\windows\infusedapps\packages\microsoft.microsoftstickynotes_1.0.136.0_x86__8wekyb3d8bbwe\
    • d:\program files\netease\网易闪电邮\
    • d:\demian\appdata\roaming\phrozensoft\pkll\
    • f:\program files\auslogics\registry cleaner\
    • c:\program files\thunder network\thunder\program\
    • c:\infinitybox\best\
    • c:\program files (x86)\wise\wise program uninstaller\
    • c:\program files (x86)\acer\abphoto\
    • c:\archivos de programa\blender foundation\blender\2.69\python\lib\
    • c:\windows\winsxs\x86_sony.vaio.sqliteengine_0a6f6ab66b2734f7_3.7.4.0_none_7903d347d7a47b9b\
    • c:\program files (x86)\ibm\connections desktop plugins\
    • c:\program files\cyberlink\powerdvd18\common\
    • c:\arquivos de programas\adobe\adobe prelude cs6\scriptalign\
    • c:\documents and settings\zana\anaconda2\library\bin\
    • c:\imanager u2000 v200r016c10spc240 client\client\script\lib\3rd_tool\python\dlls\
    • c:\program files (x86)\auslogics\duplicate file finder\
    • c:\program files\mcafee security scan\3.11.766\
    • c:\bernardo\onedrive\imágenes\gdofficial\geometry dash\
    • c:\kinco\kinco hmiware v2.4\
    • c:\program files\andyofflineinstaller43\andy\x64\
    • c:\infinitybox\cm2qlm\
    • c:\program files\bitdefender\bitdefender 2017\
    • c:\program files (x86)\linkchecker\
    • c:\program files\ostotosoft\drivertalent\
    • c:\program files\syncios\
    • c:\program files (x86)\andriller\
    • c:\windows\infusedapps\packages\microsoft.microsoftstickynotes_1.0.136.0_x64__8wekyb3d8bbwe\
    • c:\program files\networx\
    • c:\windows\infusedapps\packages\microsoft.windowsmaps_5.1611.10393.0_x86__8wekyb3d8bbwe\
    • c:\windows\ccmcache\11\plugins\compareplugin\
    • c:\torrent search\ieef\
    • c:\windows\system32\
    • c:\arquivos de programas\iobit\driver booster\4.3.0\
    • c:\arquivos de programas\aimersoft\video converter ultimate\
    • c:\windows\infusedapps\packages\microsoft.xboxapp_25.25.13009.0_x86__8wekyb3d8bbwe\
    • c:\osgeo4w\apps\python36\dlls\
    • c:\windows\infusedapps\packages\microsoft.windowsmaps_5.1611.10393.0_x64__8wekyb3d8bbwe\
    • c:\2018\appdata\local\amazon drive\
    • c:\~\quarantine\files\axicjowsihclyvhdiqduoxylvazcjfky\diskdefrag\
    • c:\program files (x86)\ifunsoft\iotransfer\
    • c:\program files\itunes\
    • c:\program files\postgresql\10\pgadmin 4\venv\dlls\
    Tip: The code of most malicious files is fixed and rarely changes, which means that this type of malicious file, regardless of which computer it is on, copies itself into the preset paths. So we can look in the paths listed above for this file, and there is a good chance of finding it.
    Are all files with the file names and paths listed above malicious?
    Of course not. The file name is only an identifier for the file. Strictly speaking, the file has been modified by malicious code.

    The following are methods commonly used by malicious code in order to confuse users:

    • Deliberately change their own file name to a system file name or the name of some well-known software.
    • Generate malicious files in the system folder or in the installation folder of some well-known software, and even name their own folder after an antivirus product (which the user has not actually installed). These malicious files are neither system files nor part of the well-known software.

    For example, one of the most common system file names is explorer.exe, and under normal circumstances the system has only one explorer.exe process. When you open Task Manager and find two or more explorer.exe processes, it is likely that a malicious program is disguising itself. As shown in the following figure, there are two explorer.exe processes in Task Manager.

    When I locate the path where each file resides, it becomes clear that the real explorer.exe system file is under "C:\Windows\", and the malicious file that pretends to be the system process is under some other path.

    At runtime, 1 Windows system file and 0 external files (not owned by the Windows system) are called.

    Windows system files
      File name       Number of calling functions
      KERNEL32.dll    95

    Not owned by the Windows system
      File name       Number of calling functions
      (none)
    In general, the most accurate way to determine whether a file is malicious is to analyze its code and see what happens when these functions are called while the program runs. Does it show malicious behavior (destroying data or stealing data)? I have listed the functions called by this file and some internal data, but there is too much data to show all of it here; the full binary code analysis page has the rest.
    Export functions:
    The following functions are provided by this file. Export functions are useful for analyzing the specific behavior of a file at runtime: starting from a function's entry address and stepping through the code line by line, you can obtain a lot of the data generated by this file.
    Export File - sqlite3.dll
  • Ordinals
  • Function Name
  • Entry Address
  • 0x00000001
  • sqlite3_aggregate_context
  • 0x00063350
  • 0x00000002
  • sqlite3_aggregate_count
  • 0x000634B0
  • 0x00000003
  • sqlite3_auto_extension
  • 0x00046A00
  • 0x00000004
  • sqlite3_backup_finish
  • 0x0001D710
  • 0x00000005
  • sqlite3_backup_init
  • 0x0001C930
  • 0x00000006
  • sqlite3_backup_pagecount
  • 0x0001D830
  • 0x00000007
  • sqlite3_backup_remaining
  • 0x0001D820
  • 0x00000008
  • sqlite3_backup_step
  • 0x0001CD20
  • 0x00000009
  • sqlite3_bind_blob
  • 0x00063F90
  • 0x0000000A
  • sqlite3_bind_double
  • 0x00063FC0
  • 0x0000000B
  • sqlite3_bind_int
  • 0x00064020
  • 0x0000000C
  • sqlite3_bind_int64
  • 0x00064040
  • 0x0000000D
  • sqlite3_bind_null
  • 0x000640C0
  • 0x0000000E
  • sqlite3_bind_parameter_count
  • 0x00064370
  • 0x0000000F
  • sqlite3_bind_parameter_index
  • 0x000644E0
  • 0x00000010
  • sqlite3_bind_parameter_name
  • 0x000643F0
  • 0x00000011
  • sqlite3_bind_text
  • 0x000640F0
  • 0x00000012
  • sqlite3_bind_text16
  • 0x00064120
  • 0x00000013
  • sqlite3_bind_value
  • 0x00064150
  • 0x00000014
  • sqlite3_bind_zeroblob
  • 0x000642E0
  • 0x00000015
  • sqlite3_blob_bytes
  • 0x0006B600
  • 0x00000016
  • sqlite3_blob_close
  • 0x0006B430
  • 0x00000017
  • sqlite3_blob_open
  • 0x0006A9B0
  • 0x00000018
  • sqlite3_blob_read
  • 0x0006B5A0
  • 0x00000019
  • sqlite3_blob_write
  • 0x0006B5D0
  • 0x0000001A
  • sqlite3_busy_handler
  • 0x001A3960
  • 0x0000001B
  • sqlite3_busy_timeout
  • 0x001A3A20
  • 0x0000001C
  • sqlite3_changes
  • 0x001A2FD0
  • 0x0000001D
  • sqlite3_clear_bindings
  • 0x00062430
  • 0x0000001E
  • sqlite3_close
  • 0x001A30E0
  • 0x0000001F
  • sqlite3_collation_needed
  • 0x001A4F70
  • 0x00000020
  • sqlite3_collation_needed16
  • 0x001A4FC0
  • 0x00000021
  • sqlite3_column_blob
  • 0x00063570
  • 0x00000022
  • sqlite3_column_bytes
  • 0x00063620
  • 0x00000023
  • sqlite3_column_bytes16
  • 0x000636C0
  • 0x00000024
  • sqlite3_column_count
  • 0x000634C0
  • 0x00000025
  • sqlite3_column_decltype
  • 0x00063C70
  • 0x00000026
  • sqlite3_column_decltype16
  • 0x00063CE0
  • 0x00000027
  • sqlite3_column_double
  • 0x00063760
  • 0x00000028
  • sqlite3_column_int
  • 0x00063820
  • 0x00000029
  • sqlite3_column_int64
  • 0x000638A0
  • 0x0000002A
  • sqlite3_column_name
  • 0x00063B90
  • 0x0000002B
  • sqlite3_column_name16
  • 0x00063C00
  • 0x0000002C
  • sqlite3_column_text
  • 0x00063980
  • 0x0000002D
  • sqlite3_column_text16
  • 0x00063A90
  • 0x0000002E
  • sqlite3_column_type
  • 0x00063B10
  • 0x0000002F
  • sqlite3_column_value
  • 0x00063A00
  • 0x00000030
  • sqlite3_commit_hook
  • 0x001A3F70
  • 0x00000031
  • sqlite3_complete
  • 0x001A2320
  • 0x00000032
  • sqlite3_complete16
  • 0x001A27B0
  • 0x00000033
  • sqlite3_context_db_handle
  • 0x00063250
  • 0x00000034
  • sqlite3_create_collation
  • 0x001A4DD0
  • 0x00000035
  • sqlite3_create_collation16
  • 0x001A4ED0
  • 0x00000036
  • sqlite3_create_collation_v2
  • 0x001A4E50
  • 0x00000037
  • sqlite3_create_function
  • 0x001A3C60
  • 0x00000038
  • sqlite3_create_function16
  • 0x001A3D80
  • 0x00000039
  • sqlite3_create_module
  • 0x00057C30
  • 0x0000003A
  • sqlite3_create_module_v2
  • 0x00057C50
  • 0x0000003B
  • sqlite3_data_count
  • 0x000634E0
  • 0x0000003C
  • sqlite3_db_handle
  • 0x00064720
  • 0x0000003D
  • sqlite3_declare_vtab
  • 0x00058720
  • 0x0000003E
  • sqlite3_enable_load_extension
  • 0x000469B0
  • 0x0000003F
  • sqlite3_enable_shared_cache
  • 0x00011F20
  • 0x00000040
  • sqlite3_errcode
  • 0x001A4580
  • 0x00000041
  • sqlite3_errmsg
  • 0x001A42D0
  • 0x00000042
  • sqlite3_errmsg16
  • 0x001A43C0
  • 0x00000043
  • sqlite3_exec
  • 0x00045F50
  • 0x00000044
  • sqlite3_expired
  • 0x000622C0
  • 0x00000045
  • sqlite3_extended_result_codes
  • 0x001A50B0
  • 0x00000046
  • sqlite3_file_control
  • 0x001A5100
  • 0x00000047
  • sqlite3_finalize
  • 0x000622E0
  • 0x00000048
  • sqlite3_free
  • 0x00003480
  • 0x00000049
  • sqlite3_free_table
  • 0x00053110
    Export table, continued (ordinal, exported name, address as listed):
  • 0x0000004A  sqlite3_get_autocommit  0x001A5010
  • 0x0000004B  sqlite3_get_auxdata  0x000633D0
  • 0x0000004C  sqlite3_get_table  0x00052F60
  • 0x0000004D  sqlite3_global_recover  0x00002C00
  • 0x0000004E  sqlite3_interrupt  0x001A3AA0
  • 0x0000004F  sqlite3_last_insert_rowid  0x001A2FC0
  • 0x00000050  sqlite3_libversion  0x001A2910
  • 0x00000051  sqlite3_libversion_number  0x001A2930
  • 0x00000052  sqlite3_limit  0x001A4840
  • 0x00000053  sqlite3_load_extension  0x00046890
  • 0x00000054  sqlite3_malloc  0x00003230
  • 0x00000055  sqlite3_memory_alarm  0x00002E10
  • 0x00000056  sqlite3_memory_highwater  0x00003040
  • 0x00000057  sqlite3_memory_used  0x00003030
  • 0x00000058  sqlite3_mprintf  0x00004B80
  • 0x00000059  sqlite3_mutex_alloc  0x00002B50
  • 0x0000005A  sqlite3_mutex_enter  0x00002B90
  • 0x0000005B  sqlite3_mutex_free  0x00002B70
  • 0x0000005C  sqlite3_mutex_leave  0x00002BD0
  • 0x0000005D  sqlite3_mutex_try  0x00002BB0
  • 0x0000005E  sqlite3_open  0x001A4C20
  • 0x0000005F  sqlite3_open16  0x001A4C50
  • 0x00000060  sqlite3_open_v2  0x001A4C40
  • 0x00000061  sqlite3_overload_function  0x001A3E20
  • 0x00000062  sqlite3_prepare  0x0004A2E0
  • 0x00000063  sqlite3_prepare16  0x0004A450
  • 0x00000064  sqlite3_prepare16_v2  0x0004A480
  • 0x00000065  sqlite3_prepare_v2  0x0004A310
  • 0x00000066  sqlite3_profile  0x001A3F20
  • 0x00000067  sqlite3_progress_handler  0x001A39B0
  • 0x00000068  sqlite3_randomness  0x00004DE0
  • 0x00000069  sqlite3_realloc  0x000036F0
  • 0x0000006A  sqlite3_release_memory  0x00002C00
  • 0x0000006B  sqlite3_reset  0x00062380
  • 0x0000006C  sqlite3_reset_auto_extension  0x00046AD0
  • 0x0000006D  sqlite3_result_blob  0x00062830
  • 0x0000006E  sqlite3_result_double  0x00062870
  • 0x0000006F  sqlite3_result_error  0x000628A0
  • 0x00000070  sqlite3_result_error16  0x000628D0
  • 0x00000071  sqlite3_result_error_code  0x00062B50
  • 0x00000072  sqlite3_result_error_nomem  0x00062D20
  • 0x00000073  sqlite3_result_error_toobig  0x00062C70
  • 0x00000074  sqlite3_result_int  0x00062900
  • 0x00000075  sqlite3_result_int64  0x00062950
  • 0x00000076  sqlite3_result_null  0x000629A0
  • 0x00000077  sqlite3_result_text  0x000629F0
  • 0x00000078  sqlite3_result_text16  0x00062A30
  • 0x00000079  sqlite3_result_text16be  0x00062A60
  • 0x0000007A  sqlite3_result_text16le  0x00062A30
  • 0x0000007B  sqlite3_result_value  0x00062A90
  • 0x0000007C  sqlite3_result_zeroblob  0x00062AF0
  • 0x0000007D  sqlite3_rollback_hook  0x001A4010
  • 0x0000007E  sqlite3_set_authorizer  0x00076190
  • 0x0000007F  sqlite3_set_auxdata  0x00063400
  • 0x00000080  sqlite3_sleep  0x001A5070
  • 0x00000081  sqlite3_snprintf  0x00004BB0
  • 0x00000082  sqlite3_soft_heap_limit  0x00002F00
  • 0x00000083  sqlite3_sql  0x0001EE80
  • 0x00000084  sqlite3_step  0x00062FB0
  • 0x00000085  sqlite3_test_control  0x001A5210
  • 0x00000086  sqlite3_thread_cleanup  0x001A5060
  • 0x00000087  sqlite3_threadsafe  0x001A2940
  • 0x00000088  sqlite3_total_changes  0x001A2FE0
  • 0x00000089  sqlite3_trace  0x001A3ED0
  • 0x0000008A  sqlite3_transfer_bindings  0x000646D0
  • 0x0000008B  sqlite3_update_hook  0x001A3FC0
  • 0x0000008C  sqlite3_user_data  0x00063240
  • 0x0000008D  sqlite3_value_blob  0x000625B0
  • 0x0000008E  sqlite3_value_bytes  0x00062600
  • 0x0000008F  sqlite3_value_bytes16  0x00062640
  • 0x00000090  sqlite3_value_double  0x00062680
  • 0x00000091  sqlite3_value_int  0x000626D0
  • 0x00000092  sqlite3_value_int64  0x00062750
  • 0x00000093  sqlite3_value_numeric_type  0x00064D20
  • 0x00000094  sqlite3_value_text  0x000627C0
  • 0x00000095  sqlite3_value_text16  0x00062800
  • 0x00000096  sqlite3_value_text16be  0x000627E0
  • 0x00000097  sqlite3_value_text16le  0x00062800
  • 0x00000098  sqlite3_value_type  0x00062820
  • 0x00000099  sqlite3_version  0x001B19EC
  • 0x0000009A  sqlite3_vfs_find  0x000027C0
  • 0x0000009B  sqlite3_vfs_register  0x000028C0
  • 0x0000009C  sqlite3_vfs_unregister  0x00002940
  • 0x0000009D  sqlite3_vmprintf  0x00004AD0
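    The export listing above is easier to reason about once it is parsed. The script below is an added example, not analysis code from this page: it tokenises the flattened ordinal / name / address listing (the SAMPLE string is a constructed excerpt of the rows above, including the stray address that such listings start with), reports addresses exported under more than one name, and groups the addresses into widely separated ranges. The three aliases it finds are what the linker's identical-code folding produces in any MSVC build of SQLite: the deprecated sqlite3_global_recover and sqlite3_release_memory (built without memory management) both just return 0, and the _text16 / _text16le pairs compile to the same code on little-endian x86. Shared addresses of that kind are therefore expected and not a sign of patching. The 0x80000 gap used to split clusters is an arbitrary threshold chosen for this example; which section each range lands in has to be read off the section table.

```python
import re
from collections import defaultdict

HEX = re.compile(r"^0x[0-9A-Fa-f]{8}$")
NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample: a few exports copied from the listing above in the
# page's own flattened order (ordinal, name, address), preceded by the
# dangling address of an earlier export, as the listing itself has.
SAMPLE = """
  • 0x00053110
  • 0x0000004D
  • sqlite3_global_recover
  • 0x00002C00
  • 0x0000004E
  • sqlite3_interrupt
  • 0x001A3AA0
  • 0x0000006A
  • sqlite3_release_memory
  • 0x00002C00
  • 0x00000078
  • sqlite3_result_text16
  • 0x00062A30
  • 0x00000079
  • sqlite3_result_text16be
  • 0x00062A60
  • 0x0000007A
  • sqlite3_result_text16le
  • 0x00062A30
  • 0x00000095
  • sqlite3_value_text16
  • 0x00062800
  • 0x00000097
  • sqlite3_value_text16le
  • 0x00062800
  • 0x00000099
  • sqlite3_version
  • 0x001B19EC
"""


def parse_export_listing(text):
    """Turn the listing into (ordinal, name, address) tuples.

    Bullets are stripped and the text is tokenised, so it does not matter
    whether the three fields sit on separate lines or on one line. A token
    is accepted as an ordinal only when a name and then an address follow
    it; anything else (such as a dangling address) is skipped.
    """
    tokens = text.replace("•", " ").split()
    entries = []
    i = 0
    while i + 2 < len(tokens):
        ordinal, name, addr = tokens[i], tokens[i + 1], tokens[i + 2]
        if HEX.match(ordinal) and NAME.match(name) and HEX.match(addr):
            entries.append((int(ordinal, 16), name, int(addr, 16)))
            i += 3
        else:
            i += 1
    return entries


def find_aliases(entries):
    """Map each address exported under more than one name to those names."""
    by_addr = defaultdict(list)
    for _, name, addr in entries:
        by_addr[addr].append(name)
    return {addr: sorted(names) for addr, names in by_addr.items() if len(names) > 1}


def address_clusters(entries, gap=0x80000):
    """Group export addresses into ranges separated by at least `gap` bytes."""
    clusters = []
    for addr in sorted({addr for _, _, addr in entries}):
        if clusters and addr - clusters[-1][1] < gap:
            clusters[-1][1] = addr
        else:
            clusters.append([addr, addr])
    return [tuple(c) for c in clusters]


if __name__ == "__main__":
    exports = parse_export_listing(SAMPLE)
    for addr, names in sorted(find_aliases(exports).items()):
        print(f"0x{addr:08X} is exported as {', '.join(names)}")
    for lo, hi in address_clusters(exports):
        print(f"export addresses cluster in 0x{lo:08X}..0x{hi:08X}")
```

    Feed it the whole listing (copy the text into SAMPLE or read it from a file) and compare the alias set with a known-good sqlite3.dll of the same version: the folded pairs should be identical, and any exported name whose address falls outside the ranges of the clean build is the one to disassemble.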
  sqlite3.dll import table analysis
    The import table of the file references KERNEL32.dll and the functions listed below. ( Kernel32.dll is a user-mode system DLL present in every version of Windows. It exports the Win32 base API for processes, threads, memory, files and synchronization and forwards most of those calls to ntdll.dll; despite its name it is not a kernel-mode component and has nothing to do with interrupt handling. Because practically every Windows executable imports it, importing Kernel32.dll says nothing about whether a file is malicious; what matters is which functions are imported and how they are used. )
  • QueryPerformanceCounter: Retrieves the current value of the performance counter, which is a high resolution (<1us) time stamp that can be used for time-interval measurements.
  • InterlockedCompareExchange: Performs an atomic compare-and-exchange operation on the specified values.
  • GetTickCount: Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days.
  • GetSystemTimeAsFileTime: Retrieves the current system date and time. The information is in Coordinated Universal Time (UTC) format.
  • LoadLibraryW: Loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded.
  • FlushFileBuffers: Flushes the buffers of a specified file and causes all buffered data to be written to a file.
  • GetLastError: Retrieves the calling thread's last-error code value.
  • GetProcAddress: Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
  • LoadLibraryA: Loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded.
  • CreateFileMappingW: Creates or opens a named or unnamed file mapping object for a specified file.
  • GetSystemInfo: Retrieves information about the current system.
  • GetCurrentProcessId: Retrieves the process identifier of the calling process.
  • GetCurrentThreadId: Retrieves the thread identifier of the calling thread.
  • TerminateProcess: Terminates the specified process and all of its threads.
  • GetCurrentProcess: Retrieves a pseudo handle for the current process.
  • UnhandledExceptionFilter: An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged.
  • SetUnhandledExceptionFilter: Enables an application to supersede the top-level exception handler of each thread of a process.
  • IsDebuggerPresent: Determines whether the calling process is being debugged by a user-mode debugger.
  • GetModuleHandleW: Retrieves a module handle for the specified module. The module must have been loaded by the calling process.
  • ExitProcess: Ends the calling process and all its threads.
  • GetStdHandle: Retrieves a handle to the specified standard device (standard input, standard output, or standard error).
  • GetModuleFileNameW: Retrieves the fully qualified path for the file that contains the specified module.
  • TlsAlloc: Allocates a thread local storage (TLS) index. Any thread of the process can subsequently use this index to store and retrieve values that are local to the thread, because each thread receives its own slot for the index.
  • TlsGetValue: Retrieves the value in the calling thread's thread local storage (TLS) slot for the specified TLS index. Each thread of a process has its own slot for each TLS index.
  • TlsSetValue: Stores a value in the calling thread's thread local storage (TLS) slot for the specified TLS index. Each thread of a process has its own slot for each TLS index.
  • GetStartupInfoW: Retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created.
  • GetModuleFileNameA: Retrieves the fully qualified path for the file that contains the specified module.
  • FreeEnvironmentStringsW: Frees a block of environment strings.
  • GetEnvironmentStringsW: Retrieves the environment variables for the current process.
  • RtlUnwind: Initiates an unwind of procedure call frames.
  • SetEnvironmentVariableA: Sets the contents of the specified environment variable for the current process.
    None of the functions above is specific to this sample. IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess are the stack-cookie (/GS) failure path of the Microsoft C runtime, and QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetCurrentProcessId and GetCurrentThreadId are what seeds that cookie; the Tls*, GetStartupInfoW, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlUnwind, GetStdHandle and GetModuleFileName imports belong to the runtime's start-up code. LoadLibraryA, LoadLibraryW and GetProcAddress are how sqlite3_load_extension loads an extension DLL, FlushFileBuffers is SQLite's sync on Windows, and CreateFileMappingW is used by its shared-memory code. This import table is therefore what an ordinary static-CRT build of SQLite looks like, so a verdict on a particular copy has to rest on its hash and on a comparison with a known-good build of the same version, not on this list.
  • The following files have been identified as malicious. Some are variants of sqlite3.dll; others are a different kind of malicious file that merely uses the same file name as sqlite3.dll.

    Matching a file by its hash is a simple way to identify a specific sample, and it produces far fewer false positives than pattern-based ("static signature") detection; the trade-off is that it only matches that exact byte-for-byte sample, so any variant escapes it. If a file on your computer has the same MD5 as one listed below, it is the sample analysed here and should be treated as malicious. MD5 is no longer collision-resistant, so record the SHA-256 of a file as well whenever you report or share a sample.

    These are my analysis results for the code of each malicious file below, provided mainly for professionals who work in computer security maintenance. If you are interested you may also read them, but some computer knowledge is required.
    • File Md5
    • File Size
    • File Bit
    • File Type
    • Binary Code Analysis

    How to repair or remove sqlite3.dll

    Method 1: Manual Removal

    • Reboot the system and enter Safe Mode (see the guide for how each Windows version (XP/Vista/7/8/10) enters Safe Mode)

    • Show all hidden files.
    Step: "My Computer" -> "Folder Options" -> "View" -> "Show hidden files, folders, and drives"

    • The malicious code was seen to create or infect files in the following paths, so go into each path in turn and check the files [  sqlite3.dll, sqlite3.sys  ]. sqlite3.dll is a legitimate database library shipped by many applications, and the directories below belong to other installed programs, so compare each file's MD5 with the values listed above before removing it: deleting a clean sqlite3.dll breaks the application that installed it, and the right fix for an infected copy is to replace it from the vendor's installer.

    • c:\games\lol2\gamedata\room\
    • c:\public\thunder network\pusher\pusher\
    • c:\program files (x86)\ahnlab\apc2\policy agent\
    • c:\documents and settings\administrator\application data\360se6\application\7.1.1.601\
    • c:\arquivos de programas\winzip\utils\wzsysscan\
    • c:\program files (x86)\tweakbit\pcsuite\

    • Finally, restart your computer.
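    The hash check described above and the per-directory clean-up of Method 1 can be done in one pass without destroying clean copies. The script below is an added example and not a tool from this page: it hashes every sqlite3.dll / sqlite3.sys in the directories it is given, compares MD5 and size against a known-bad list (you fill the Sample entries from the hash table on this page; the demo uses constructed files, not the real sample), records SHA-256 alongside because MD5 is no longer collision-resistant, and moves exact matches into a quarantine directory instead of deleting them. Files that do not match are reported and left alone. TARGET_DIRS holds the paths from the step above; run the script from Safe Mode as step 1 says, keep the quarantine directory on the same volume so the move is a rename rather than a copy and delete, and restore the application's own copy from its installer afterwards.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

# File names the removal steps tell you to look for.
TARGET_NAMES = {"sqlite3.dll", "sqlite3.sys"}

# Directories from the removal steps (trailing backslashes dropped).
TARGET_DIRS = [
    r"c:\games\lol2\gamedata\room",
    r"c:\public\thunder network\pusher\pusher",
    r"c:\program files (x86)\ahnlab\apc2\policy agent",
    r"c:\documents and settings\administrator\application data\360se6\application\7.1.1.601",
    r"c:\arquivos de programas\winzip\utils\wzsysscan",
    r"c:\program files (x86)\tweakbit\pcsuite",
]


@dataclass(frozen=True)
class Sample:
    """One known-bad entry: the MD5 and byte size the page publishes per sample."""
    md5: str
    size: int


def file_digests(path, chunk=1 << 16):
    """Return (md5, sha256, size) from a single streamed read of the file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return md5.hexdigest(), sha.hexdigest(), size


def classify(path, known_bad):
    """Hash one file and say whether it is an exact known-bad sample."""
    md5, sha256, size = file_digests(path)
    return {"path": path, "md5": md5, "sha256": sha256, "size": size,
            "match": Sample(md5, size) in known_bad}


def sweep(dirs, known_bad, quarantine, names=TARGET_NAMES, dry_run=True):
    """Hash every target file in dirs; move exact matches into quarantine.

    A file that does not match is reported and left in place: a clean
    sqlite3.dll is a dependency of whatever application installed it.
    With dry_run=True nothing is moved, which is the pass to run first.
    """
    os.makedirs(quarantine, exist_ok=True)
    results = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            if name.lower() not in names:
                continue
            info = classify(os.path.join(directory, name), known_bad)
            if info["match"] and not dry_run:
                dest = os.path.join(quarantine, f"{info['md5']}_{name.lower()}")
                shutil.move(info["path"], dest)
                info["quarantined_to"] = dest
            results.append(info)
    return results


def run_demo():
    """Constructed demo: one 'bad' and one clean sqlite3.dll in a temp tree."""
    root = tempfile.mkdtemp(prefix="sqlite3-sweep-")
    bad_dir, clean_dir = os.path.join(root, "app_a"), os.path.join(root, "app_b")
    os.makedirs(bad_dir)
    os.makedirs(clean_dir)
    bad_bytes = b"MZ" + b"\x90" * 1024 + b"constructed bad sample"
    clean_bytes = b"MZ" + b"\x90" * 1024 + b"constructed clean library"
    with open(os.path.join(bad_dir, "sqlite3.dll"), "wb") as fh:
        fh.write(bad_bytes)
    with open(os.path.join(clean_dir, "sqlite3.dll"), "wb") as fh:
        fh.write(clean_bytes)
    # The known-bad list is built from the constructed file; on a real
    # machine it comes from the MD5 / size pairs published on this page.
    known_bad = {Sample(hashlib.md5(bad_bytes).hexdigest(), len(bad_bytes))}
    quarantine = os.path.join(root, "quarantine")
    preview = sweep([bad_dir, clean_dir], known_bad, quarantine, dry_run=True)
    done = sweep([bad_dir, clean_dir], known_bad, quarantine, dry_run=False)
    return {
        "preview": preview,
        "done": done,
        "bad_still_present": os.path.exists(os.path.join(bad_dir, "sqlite3.dll")),
        "clean_still_present": os.path.exists(os.path.join(clean_dir, "sqlite3.dll")),
        "quarantined": sorted(os.listdir(quarantine)),
    }


if __name__ == "__main__":
    # Real use: sweep(TARGET_DIRS, {Sample("<md5>", <size>), ...}, r"c:\quarantine", dry_run=False)
    for item in run_demo()["done"]:
        flag = "QUARANTINED" if "quarantined_to" in item else "left in place"
        print(f"{item['path']}  md5={item['md5']}  size={item['size']}  {flag}")
```

    The quarantined file keeps its MD5 in its name so it can be matched back to the page's table later, and the SHA-256 in the report is what you should attach when sending the sample to a vendor.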

    Method 2: Automatic Removal Using Tools (Recommended)

    1. Download Removal Tool

    2. Save it to your computer and install it step by step.

    3. The installer's user interface is available in multiple languages and is easy to use.

    4. The installation is an online installation, so when it completes the software version and virus database are already up to date.

    5. After the installation is complete, run the antivirus software and click the "Scan Computer Now!" button to scan the whole system.

    6. Tick "Select all" and then Remove to delete all threats. Reboot your computer.

    When your operating system behaves abnormally and a file name listed above appears in Task Manager, or several running processes carry the same name as the core file name, it is best to download the anti-virus software and check your system. Note that a DLL never shows up as a process of its own: to see which processes have sqlite3.dll loaded, run tasklist /M sqlite3.dll from a command prompt.

    Online detection of sqlite3.dll

    If you do not know whether the sqlite3.dll on your computer is infected with malicious code, you can also use the online scan tool.

    • Use the following online detection function to check the file.
    • Enter the file name, or the file's MD5, for the query.
    • You can also scan a file online. Click the "Upload File" button, then click "Submit", to detect immediately whether the file is a virus. (Tip: the uploaded file cannot exceed 8 MB.)
  • How do I use the T21 engine for online scanning?

    T21 can detect unknown files online, mainly using a "behavior-based" judgment mechanism. It is very simple to use.

    1. Click the "Upload File" button, select the file you want to detect, and then click "Submit".
    2. The next step is to wait for the system to check, which may take a little time, so please be patient.
    3. When the T21 scan engine finishes, the results are returned immediately.

    • If you suspect that there are malicious files on your computer, but you cannot find where they are, or if you want to make a thorough check on your computer, you can download the automatic scanning tool.

    If you want to know what the T21 system is, see the introduction to T21. You can also go to the home page to read the original intention and philosophy behind my development of the T21 system.

    Other captured malicious files:
    gatherosstate.exe file analysis
    freebl3.dll file analysis
    libsasl.dll file analysis
    addr2line.exe file analysis
    ar.exe file analysis
    as.exe file analysis
    delltouchpad.exe file analysis
    delltpad.exe file analysis
    removemysql-python.exe file analysis
    Copyright statement: The above data is obtained by my analysis, and without authorization, you may not copy or reprint it.

    Copyright © 2016-2019 mygoodtools.com All rights reserved.