
Infected with multiple random .dll files (Virtumonde?)



#1 Randall Pink


Posted 14 August 2009 - 02:36 AM

Hello,

PrevX Home (free) has discovered a plethora of randomly-generated .dll files. Some names include "boruyani.dll" and "toginefi.dll". However, since it's the free edition, it will not remove them.

Some other symptoms I'm experiencing are:

Performance slow down
Pop-Up Ads
Web Pages not loading completely

Any help would be appreciated.

Thank You,

Randall

-----------------------------------------------------------

DDS Log

DDS (Ver_09-07-30.01) - NTFSx86
Run by Randy at 0:07:20.34 on Fri 08/14/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.853 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SEGA\Medieval II Total War\kingdoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Randy\Desktop\dds.scr

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: {349ffc4e-a0fb-435d-ac26-973dfc4f4913} - c:\windows\system32\keturige.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [biyitegotu] Rundll32.exe "c:\windows\system32\zumevaha.dll",s
mRun: [CPMabacfe55] Rundll32.exe "c:\windows\system32\vepazasu.dll",a
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\luzotahu.dll c:\windows\system32\vepazasu.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vepazasu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\vepazasu.dll
LSA: Notification Packages = scecli c:\windows\system32\luzotahu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\randy\applic~1\mozilla\firefox\profiles\fi0xgwef.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://forums.horrorcore.com/forumdisplay.php?forumid=14
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-5-17 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-5-17 27656]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-5-17 4368952]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-17 24652]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-5-17 335104]

=============== Created Last 30 ================

2009-08-10 01:34 <DIR> --d----- c:\program files\jtgdqp
2009-08-05 22:43 <DIR> --d----- c:\windows\pss
2009-08-03 22:08 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-03 21:58 <DIR> a-dshr-- C:\cmdcons
2009-08-03 21:57 216,064 a------- c:\windows\PEV.exe
2009-08-03 21:57 161,792 a------- c:\windows\SWREG.exe
2009-08-03 21:57 98,816 a------- c:\windows\sed.exe
2009-07-23 21:11 <DIR> --d----- c:\windows\system32\URTTEMP
2009-07-23 20:56 <DIR> --d----- c:\program files\SEGA
2009-07-23 20:54 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-23 01:05 754 a------- c:\windows\WORDPAD.INI
2009-07-22 00:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-22 00:28 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-08-13 22:14 83,968 a--sh--- c:\windows\system32\vepazasu.dll
2009-08-13 22:14 38,400 a--sh--- c:\windows\system32\watalove.dll
2009-08-13 10:14 84,992 a--sh--- c:\windows\system32\wakepule.dll
2009-08-13 10:14 37,376 a--sh--- c:\windows\system32\lekupeyi.dll
2009-08-12 22:15 50,176 a--sh--- c:\windows\system32\zimusure.dll
2009-08-12 22:14 84,992 a--sh--- c:\windows\system32\bonafefa.dll
2009-08-12 22:14 38,400 a--sh--- c:\windows\system32\fewusopa.dll
2009-08-12 10:14 83,968 a--sh--- c:\windows\system32\pagapobo.dll
2009-08-12 10:14 37,376 a--sh--- c:\windows\system32\vegapaye.dll
2009-08-11 22:06 84,992 a--sh--- c:\windows\system32\tesirolo.dll
2009-08-11 22:06 37,376 a--sh--- c:\windows\system32\wokozupi.dll
2009-08-11 10:06 84,992 a--sh--- c:\windows\system32\zafufovi.dll
2009-08-11 10:06 37,376 a--sh--- c:\windows\system32\higalepo.dll
2009-08-10 21:22 50,176 a--sh--- c:\windows\system32\mirajehi.dll
2009-08-09 22:36 83,968 a--sh--- c:\windows\system32\kanelewu.dll
2009-08-08 12:59 84,992 a--sh--- c:\windows\system32\hulifeki.dll
2009-08-06 21:07 83,968 a--sh--- c:\windows\system32\rezakaju.dll
2009-08-05 11:11 49,664 a--sh--- c:\windows\system32\boruyani.dll
2009-08-05 11:10 84,992 a--sh--- c:\windows\system32\koyopibi.dll
2009-08-04 23:10 85,504 a--sh--- c:\windows\system32\lusanuwo.dll
2009-08-04 11:10 84,992 a--sh--- c:\windows\system32\duguyubi.dll
2009-08-03 23:07 84,992 a--sh--- c:\windows\system32\dafirulo.dll
2009-08-03 11:07 50,688 a--sh--- c:\windows\system32\hoguforu.dll
2009-08-02 11:06 83,968 a--sh--- c:\windows\system32\tomipojo.dll
2009-08-01 23:07 49,152 a--sh--- c:\windows\system32\libukifu.dll
2009-08-01 23:06 83,968 a--sh--- c:\windows\system32\rodudaya.dll
2009-08-01 11:06 83,968 a--sh--- c:\windows\system32\tuwarage.dll
2009-07-16 14:35 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-07-16 14:35 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-06-26 11:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 11:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-21 21:57 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-19 19:33 35,862 a------- c:\windows\DIIUnin.dat
2009-05-19 19:33 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-05-19 19:33 17,212 a------t c:\windows\system32\SIntf32.dll
2009-05-19 19:33 12,067 a------t c:\windows\system32\SIntf16.dll
2009-05-19 19:26 94,208 a------- c:\windows\DIIUnin.exe
2009-05-19 19:26 2,829 a------- c:\windows\DIIUnin.pif
2009-05-17 19:25 315,392 a------- c:\windows\HideWin.exe
2009-05-17 19:05 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-12 22:15 50,176 a--sh--- c:\windows\system32\keturige.dll
2009-05-12 22:15 50,176 a--sh--- c:\windows\system32\luzotahu.dll
2009-05-12 22:15 50,176 a--sh--- c:\windows\system32\zumevaha.dll

============= FINISH: 0:15:32.33 ===============

Kaspersky Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 14, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 14, 2009 07:54:35
Records in database: 2624558
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 135617
Threats found: 11
Infected objects found: 22
Suspicious objects found: 1
Scan duration: 01:42:38


File name / Threat / Threats count
C:\WINDOWS\system32\zumevaha.dll/C:\WINDOWS\system32\zumevaha.dll Infected: Trojan.Win32.Stuh.wrn 8
C:\Documents and Settings\Randy\Desktop\From Mom's\Messages\Local Folders (1)\Recovered M 29\08-27-2008 823\Local Folders\Sent Items\5C6D5883-AEE46EA0.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dazisitu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iehelper.dll.vir Infected: Trojan.Win32.BHO.whc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jebonuve.dll.vir Infected: Trojan.Win32.Migotrup.ff 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kipufase.dll.vir Infected: Trojan.Win32.Migotrup.gl 1
C:\WINDOWS\system32\bonafefa.dll Infected: Trojan.Win32.Migotrup.bem 1
C:\WINDOWS\system32\dafirulo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\WINDOWS\system32\dibiyowa.dll.tmp Infected: Trojan.Win32.Stuh.ujx 1
C:\WINDOWS\system32\duguyubi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\WINDOWS\system32\hoguforu.dll Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\WINDOWS\system32\koyopibi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\WINDOWS\system32\lefopiwo.dll.tmp Infected: Trojan.Win32.Stuh.ufn 1
C:\WINDOWS\system32\lusanuwo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\WINDOWS\system32\rodudaya.dll Infected: Trojan.Win32.Migotrup.dn 1
C:\WINDOWS\system32\zumevaha.dll Infected: Trojan.Win32.Stuh.wrn 1

Selected area has been scanned.
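The DDS log above already shows the pattern a responder looks for in this kind of infection: 8-letter random DLL names in system32, the system+hidden attribute flags, and registration at persistence points such as AppInit_DLLs, BHO, SSODL and LSA Notification Packages. The script below is an added example, not code from the thread or from DDS; it parses constructed excerpts of the "Find3M" and "Pseudo HJT Report" sections and cross-references them, and the attribute-flag layout it assumes is read from the log's own entries.

```python
import re
from collections import defaultdict

# Constructed excerpt of the DDS "Find3M" section posted above. Flag layout as
# DDS prints it: a=archive c=compressed d=dir s=system h=hidden r=read-only t=temp.
FIND3M = """\
2009-08-13 22:14 83,968 a--sh--- c:\\windows\\system32\\vepazasu.dll
2009-08-05 11:11 49,664 a--sh--- c:\\windows\\system32\\boruyani.dll
2009-06-26 11:50 666,624 a------- c:\\windows\\system32\\wininet.dll
2009-05-12 22:15 50,176 a--sh--- c:\\windows\\system32\\keturige.dll
2009-05-12 22:15 50,176 a--sh--- c:\\windows\\system32\\luzotahu.dll
2009-05-12 22:15 50,176 a--sh--- c:\\windows\\system32\\zumevaha.dll
"""

# Constructed excerpt of the "Pseudo HJT Report" load points from the same log.
HJT = """\
BHO: {349ffc4e-a0fb-435d-ac26-973dfc4f4913} - c:\\windows\\system32\\keturige.dll
mRun: [biyitegotu] Rundll32.exe "c:\\windows\\system32\\zumevaha.dll",s
AppInit_DLLs: c:\\windows\\system32\\luzotahu.dll c:\\windows\\system32\\vepazasu.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\\windows\\system32\\vepazasu.dll
LSA: Notification Packages = scecli c:\\windows\\system32\\luzotahu.dll
"""

FILE_RE = re.compile(r"^(\S+ \S+) (<DIR>|[\d,]+) (\S{8}) (.+)$")
DLL_RE = re.compile(r"c:\\windows\\system32\\([a-z]{8}\.dll)", re.I)


def hidden_system_dlls(find3m_text):
    """Names of system32 DLLs that are system+hidden with an 8-letter random-looking name."""
    hits = []
    for line in find3m_text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4)
        dll = DLL_RE.search(path)
        if attrs[3] == "s" and attrs[4] == "h" and dll:   # index 3 = system, 4 = hidden
            hits.append(dll.group(1).lower())
    return hits


def load_points(hjt_text, dll_names):
    """Map each flagged DLL to the autostart/injection entries that reference it."""
    refs = defaultdict(list)
    wanted = set(dll_names)
    for line in hjt_text.splitlines():
        kind = line.split(":", 1)[0]   # BHO, mRun, AppInit_DLLs, SSODL, LSA ...
        for dll in DLL_RE.findall(line):
            if dll.lower() in wanted:
                refs[dll.lower()].append(kind)
    return dict(refs)
```

A DLL that is flagged but has no load point (boruyani.dll in the excerpt) is typically a stale copy left behind by the rotation the poster describes, while one referenced from AppInit_DLLs or LSA Notification Packages is loaded into every process or into lsass.exe and is the one to prioritise.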

#2 shelf life (Malware Response Team)

Posted 22 August 2009 - 07:47 AM

hi Randall Pink,

Sorry for the delay; there is no shortage of posters. If you still need help, reply to my post.

How Can I Reduce My Risk to Malware?


#3 Randall Pink (Topic Starter)

Posted 24 August 2009 - 10:15 AM

Yes Shelf Life, help would be greatly appreciated!

It seems that whatever it is that's infecting my computer keeps replicating and producing more .dll files, so I'm sure that by now the logs I posted are outdated.

I'll await any instructions from you.

#4 shelf life (Malware Response Team)

Posted 24 August 2009 - 05:04 PM

We will start with Malwarebytes:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer most likely will be required to remove some items.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
NOTE: The free version must be updated manually.

How Can I Reduce My Risk to Malware?
