
PC Infection - lodayiji.dll and repozuyi.dll


  • This topic is locked
2 replies to this topic

#1 dputz

dputz

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 20 April 2009 - 06:24 PM

To forum members:
First, thanks for taking the time to read about my PC infection problem. Much appreciated.

Symptoms:
When shutting down, the computer is not able to stop the process rundll32.exe.

The dll files lodayija.dll and repozuyi.dll are inserted into the registry and run at start-up. Disabling them has no effect, as they are reinserted when the computer is restarted. They can not be deleted or modified while the computer is running in normal mode. The dll files do not appear when the computer is running in safe mode.

Even when browsing in Firefox, Internet Explorer opens pop-up windows with advertising on top of Firefox. The ads seem to be for all sorts of things, not just virus software. I have changed the name of iexplorer.exe to iexplorer.exx, and the pop-ups have stopped. This leads me to believe that the virus/malware is not taking over Firefox.

The date today is 4/20/09. I started to notice the pop-ups about three days ago 4/17/09 or so.

Thanks again for any ideas folks might have. Avast does not seem to be able to deal with the infection.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Bigmark at 18:01:42.12 on Mon 04/20/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.105 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090420-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avast software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Avast software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\PROGRA~1\AVASTS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Avast software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Avast software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Documents and Settings\Bigmark\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.adobe.com/products/illustrator/main.html
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: {28459b38-04b0-48cd-9534-2897acc81320} - c:\windows\system32\juteruno.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
mRun: [avast!] c:\progra~1\avasts~1\avast4\ashDisp.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [CPM1f473e7e] Rundll32.exe "c:\windows\system32\lodayija.dll",a
mRun: [walopibofe] Rundll32.exe "c:\windows\system32\repozuyi.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Crawler Search - tbr:iemenu
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: listen.com\www
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231527925250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {048DE623-F851-4E1D-939E-BFB10E19D83C} = 207.69.188.185,207.69.188.186
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: c:\windows\system32\lodayija.dll,c:\windows\system32\fubatuzo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lodayija.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\lodayija.dll
LSA: Notification Packages = scecli c:\windows\system32\fubatuzo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bigmark\applic~1\mozilla\firefox\profiles\9i53crpx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\program files\crawler\toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xshared.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xwsg.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-19 64160]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-4-20 51472]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-4-20 39184]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2001-4-3 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2001-4-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast4\ashServ.exe [2005-11-8 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 WMDrive;WMDrive;c:\windows\system32\drivers\WMDrive.sys [2009-1-29 189952]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast software\avast4\ashMaiSv.exe [2005-11-8 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast software\avast4\ashWebSv.exe [2005-11-8 352920]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-4-20 33040]
S3 EMUXMIDI;E-MU Xmidi Driver;c:\windows\system32\drivers\EMUXMIDI.sys [2006-8-19 134912]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2001-9-9 17976]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2005-7-20 10379]

=============== Created Last 30 ================

2009-04-20 17:41 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-20 11:03 51,472 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-04-20 11:03 39,184 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-04-20 11:03 33,040 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-04-20 11:03 12,560 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-04-20 11:03 <DIR> --d----- c:\program files\ThreatFire
2009-04-20 11:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-20 10:04 1,409,571 ---sh--- c:\windows\system32\omijuzas.ini
2009-04-20 10:04 <DIR> --d----- c:\program files\Crawler
2009-04-20 10:04 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-04-20 10:04 <DIR> --d----- c:\docume~1\bigmark\applic~1\Spyware Terminator
2009-04-20 10:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-04-20 10:03 <DIR> --d----- c:\program files\Spyware Terminator
2009-04-19 23:50 80,384 a------- c:\windows\system32\o4Patch.exe
2009-04-19 23:50 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-04-19 23:50 82,944 a------- c:\windows\system32\IEDFix.C.exe
2009-04-19 23:50 82,432 a------- c:\windows\system32\404Fix.exe
2009-04-19 23:50 25,600 a------- c:\windows\system32\WS2Fix.exe
2009-04-19 23:49 289,144 a------- c:\windows\system32\VCCLSID.exe
2009-04-19 23:49 288,417 a------- c:\windows\system32\SrchSTS.exe
2009-04-19 23:49 79,360 a------- c:\windows\system32\swxcacls.exe
2009-04-19 23:49 51,200 a------- c:\windows\system32\dumphive.exe
2009-04-19 23:49 135,168 a------- c:\windows\system32\swreg.exe
2009-04-19 23:49 53,248 a------- c:\windows\system32\Process.exe
2009-04-19 23:45 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-19 22:01 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-19 21:57 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-19 21:57 <DIR> --d----- c:\program files\Lavasoft
2009-04-19 16:03 1,409,580 ---sh--- c:\windows\system32\otonenaf.ini
2009-04-16 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LunarFrog
2009-04-16 14:42 <DIR> --d----- c:\program files\TaggedFrog
2009-04-05 12:14 <DIR> --d----- c:\docume~1\bigmark\applic~1\ICAClient
2009-04-05 12:14 <DIR> --d----- c:\docume~1\bigmark\applic~1\Runaware
2009-04-03 17:04 1,409 a------- c:\windows\system32\PGTEXTJ_.FOT
2009-04-03 17:04 1,409 a------- c:\windows\system32\PGTEXT.FOT
2009-04-03 17:04 1,409 a------- c:\windows\system32\PGCHORDS.FOT
2009-04-03 15:29 1,409 a------- c:\windows\system32\PGMUS.FOT
2009-04-03 15:29 1,409 a------- c:\windows\system32\pgjazz__.FOT
2009-04-03 15:11 <DIR> --d----- c:\program files\Jazz_Guitar_Solos_Vol_1-4
2009-04-03 15:11 <DIR> --d----- c:\program files\flatpick_guitar_solos
2009-04-03 15:10 <DIR> --d----- c:\program files\Roland
2009-04-03 15:09 <DIR> --d----- c:\program files\PowerTracks DirectX Plugins
2009-04-03 15:08 153,064 a------- c:\windows\system32\Pgchords.ttf
2009-04-03 15:08 153,064 a------- c:\windows\system\Pgchords.ttf
2009-04-03 15:08 59,004 a------- c:\windows\system32\Pgtextj_.ttf
2009-04-03 15:08 59,004 a------- c:\windows\system\Pgtextj_.ttf
2009-04-03 15:08 51,864 a------- c:\windows\system32\Pgtextje.ttf
2009-04-03 15:08 51,864 a------- c:\windows\system\Pgtextje.ttf
2009-04-03 15:08 49,896 a------- c:\windows\system32\Pgtext.ttf
2009-04-03 15:08 49,896 a------- c:\windows\system\Pgtext.ttf
2009-04-03 15:08 48,072 a------- c:\windows\system32\Pgjazz__.ttf
2009-04-03 15:08 48,072 a------- c:\windows\system\Pgjazz__.ttf
2009-04-03 15:08 47,252 a------- c:\windows\system32\pgmus.ttf
2009-04-03 15:08 47,252 a------- c:\windows\system\pgmus.ttf
2009-04-03 15:05 <DIR> --d----- c:\program files\bb
2009-03-26 21:15 <DIR> --d----- c:\program files\DOSBox-0.72
2009-03-26 20:59 <DIR> --d----- c:\program files\Quake

==================== Find3M ====================

2009-04-20 10:05 50,176 a--sh--- c:\windows\system32\yamomenu.dll
2009-04-20 10:04 89,088 a---h--- c:\windows\system32\lodayija.dll
2009-04-20 10:04 81,408 a--sh--- c:\windows\system32\sazujimo.dll
2009-04-20 10:04 47,104 a--sh--- c:\windows\system32\mayotomo.exe
2009-04-19 16:03 47,104 a--sh--- c:\windows\system32\sumonibe.exe
2009-04-19 16:03 89,088 a--sh--- c:\windows\system32\welatili.dll
2009-04-19 16:03 81,408 -------- c:\windows\system32\fanenoto.dll
2009-03-12 16:27 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-12 15:52 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-03-08 11:11 54,272 a------- c:\windows\857547.exe
2009-03-07 12:27 94,720 a------- c:\windows\7464631314.exe
2009-03-01 21:48 172,140 a------- c:\windows\56353534.exe
2009-02-27 00:22 54,272 a------- c:\windows\74431238621.exe
2009-02-16 21:30 94,720 a------- c:\windows\3535345.exe
2009-02-10 16:52 94,720 a------- c:\windows\535354.exe
2006-05-24 17:54 244,224 a--shr-- c:\windows\system32\plugin.dat

============= FINISH: 18:03:21.14 ===============
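A way to turn the persistence entries in a DDS "Pseudo HJT Report" like the one above into a ranked triage list, as an added example that is not part of the thread or of the DDS tool. The sample report is a subset of lines copied from the posted log; the location weights, the threshold and the eight-letter-name heuristic are my own assumptions tuned to what this log shows, not a general signature.

```python
"""Rank DLLs in a DDS "Pseudo HJT Report" by how many persistence points load them.

Added example, not part of the forum thread or of the DDS tool. The weights,
threshold and name heuristic are assumptions chosen for the posted log.
"""
import re
from collections import defaultdict

# Lines copied from the Pseudo HJT Report section of the posted DDS log.
SAMPLE_REPORT = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {28459b38-04b0-48cd-9534-2897acc81320} - c:\windows\system32\juteruno.dll
mRun: [avast!] c:\progra~1\avasts~1\avast4\ashDisp.exe
mRun: [CPM1f473e7e] Rundll32.exe "c:\windows\system32\lodayija.dll",a
mRun: [walopibofe] Rundll32.exe "c:\windows\system32\repozuyi.dll",s
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: c:\windows\system32\lodayija.dll,c:\windows\system32\fubatuzo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lodayija.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\lodayija.dll
LSA: Notification Packages = scecli c:\windows\system32\fubatuzo.dll
""".strip()

# DDS line prefixes for registry persistence points, weighted by how much a
# third-party DLL there needs explaining (weights are an assumption of mine).
LOCATION_WEIGHT = {
    "AppInit_DLLs": 3,  # HKLM\...\Windows\AppInit_DLLs: injected into user-mode processes
    "LSA": 3,           # Lsa\Notification Packages: loaded by lsass.exe at boot
    "Notify": 2,        # Winlogon Notify package
    "SSODL": 2,         # ShellServiceObjectDelayLoad: loaded by explorer.exe
    "STS": 2,           # SharedTaskScheduler: loaded by explorer.exe
    "mRun": 1,          # HKLM Run key
    "uRun": 1,          # HKCU Run key
    "BHO": 1,           # Browser Helper Object loaded by Internet Explorer
}

DLL_PATH = re.compile(r"[a-z]:\\.*?\.dll", re.IGNORECASE)
# Names such as lodayija, repozuyi, fubatuzo in this log: eight lowercase letters.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")


def parse_report(text):
    """Return (location, dll_path) pairs for every DLL path found in the report."""
    entries = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        location = line.split(":", 1)[0].strip()
        for path in DLL_PATH.findall(line):
            entries.append((location, path.lower()))
    return entries


def score(name, info):
    """Return (points, reasons) for one DLL given the locations and paths that reference it."""
    points, reasons = 0, []
    for loc in sorted(info["locations"]):
        weight = LOCATION_WEIGHT.get(loc, 0)
        points += weight
        if weight:
            reasons.append(f"loaded via {loc}")
    if len(info["locations"]) > 1:
        points += 2
        reasons.append(f"registered in {len(info['locations'])} separate locations")
    stem = name.rsplit(".", 1)[0]
    if RANDOM_STEM.match(stem) and all("\\system32\\" in p for p in info["paths"]):
        points += 2
        reasons.append("eight-letter random-looking name dropped into system32")
    return points, reasons


def triage(text, threshold=3):
    """Group entries by DLL basename and return [(name, points, reasons)] above threshold."""
    by_name = defaultdict(lambda: {"locations": set(), "paths": set()})
    for location, path in parse_report(text):
        name = path.rsplit("\\", 1)[-1]
        by_name[name]["locations"].add(location)
        by_name[name]["paths"].add(path)
    findings = []
    for name, info in by_name.items():
        points, reasons = score(name, info)
        if points >= threshold:
            findings.append((name, points, reasons))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


if __name__ == "__main__":
    for name, points, reasons in triage(SAMPLE_REPORT):
        print(f"{points:>3}  {name}")
        for reason in reasons:
            print(f"       - {reason}")
```

On the posted log this puts lodayija.dll first: it is referenced from mRun, AppInit_DLLs, SSODL and STS at once, which is consistent with the poster's observation that disabling the Run entry alone did not stop it coming back. LgNotify.dll also has an eight-letter name but lives under Program Files and sits at a single location, so it stays below the threshold; the system32 condition is what keeps the name heuristic from flagging it.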


#2 dputz

dputz
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:11 PM

Posted 20 April 2009 - 10:19 PM

I just wanted to post an update: After reading a number of other threads on the forum I tried Malwarebytes' Anti-malware, as it was commonly prescribed for symptoms similar to what I was experiencing. Anti-malware found 24 files infected with the Vundo virus, and got rid of them. So far, it seems to have fixed the problem. So if anyone is experiencing similar symptoms give it a try.

Cheers.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:11:11 PM

Posted 03 May 2009 - 11:25 PM

Thanks for informing us.

Good Luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
