Virtumonde virus? (fogizezu.dll error boxes)


  • This topic is locked
2 replies to this topic

#1 brianch

  • Members
  • 52 posts

Posted 27 November 2009 - 03:23 PM

When one of the users logs into my pc, they receive error boxes:

Error loading c:\WINDOWS\system32\fogizezu.dll
The specified module could not be found.

two similar boxes pop up with file names: wibalovo.dll and fotuliza.dll


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:42 PM, on 11/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'spider-man& ja-smell')
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'spider-man& ja-smell')
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [sudusezepa] Rundll32.exe "C:\WINDOWS\system32\fogizezu.dll",s (User 'spider-man& ja-smell')
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'spider-man& ja-smell')
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [vapebuhon] Rundll32.exe "c:\windows\system32\wibalovo.dll",a (User 'spider-man& ja-smell')
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [38df8bc6] rundll32.exe "C:\WINDOWS\system32\fotuliza.dll",b (User 'spider-man& ja-smell')
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User 'spider-man& ja-smell')
O4 - S-1-5-21-3669721045-2840872882-747233439-1012 Startup: .security (User 'spider-man& ja-smell')
O4 - S-1-5-21-3669721045-2840872882-747233439-1012 User Startup: .security (User 'spider-man& ja-smell')
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167247145171
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://l.yimg.com/jh/games/web_games/popca...aploader_v6.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8871 bytes

I am running a full scan with Malwarebytes' Anti-Malware right now

Merged posts. ~ OB

Edited by Orange Blossom, 27 November 2009 - 03:52 PM.
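The O4 lines in the log above show the mechanism behind the error boxes: Run values under one user's hive (HKUS\S-1-5-21-...-1012) start rundll32.exe with a DLL in system32 and a one-letter export, which is why only that login sees the boxes, and "The specified module could not be found" means the DLL is gone while the registry value that loads it is still there. The following Python triage is an added example, not code from the post, from HijackThis or from BleepingComputer; it parses the O4 Run/RunOnce lines (copied from the log, with the backslashes restored), flags the pattern, and marks entries whose target is missing. The MISSING_FILES set and the KNOWN_SYSTEM32_AUTOSTARTS allowlist are constructed for this example from the post; on the live machine you would test each target with os.path.exists() instead.

```python
import re
import ntpath
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed sample input: the O4 (autostart) lines from the HijackThis log
# in the post above, plus two benign entries that precede them for contrast.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'spider-man& ja-smell')
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [sudusezepa] Rundll32.exe "C:\WINDOWS\system32\fogizezu.dll",s (User 'spider-man& ja-smell')
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'spider-man& ja-smell')
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [vapebuhon] Rundll32.exe "c:\windows\system32\wibalovo.dll",a (User 'spider-man& ja-smell')
O4 - HKUS\S-1-5-21-3669721045-2840872882-747233439-1012\..\Run: [38df8bc6] rundll32.exe "C:\WINDOWS\system32\fotuliza.dll",b (User 'spider-man& ja-smell')
"""

# The three DLLs named in the "specified module could not be found" boxes.
# Constructed from the post; on the live host call os.path.exists() on each
# target instead of consulting a fixed set.
MISSING_FILES: FrozenSet[str] = frozenset({
    r"c:\windows\system32\fogizezu.dll",
    r"c:\windows\system32\wibalovo.dll",
    r"c:\windows\system32\fotuliza.dll",
})

# system32 binaries that legitimately appear as Run values in this log.
# The allowlist is an assumption of this example, not a HijackThis feature.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# rundll32 <dll>,<export>; HijackThis shows the raw value, quotes optional.
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# First executable path on a command line, quoted or not (paths may contain spaces).
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com))"?(?=\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    name: str            # registry value name, e.g. "sudusezepa"
    hive: str            # HKLM, HKCU or HKUS\<SID>
    user: Optional[str]  # account name HijackThis printed for HKUS entries
    target: str          # lower-cased path of the binary actually executed
    orphaned: bool       # True when the target no longer exists on disk
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[dict]:
    """Split one HijackThis O4 Run/RunOnce line into hive, key, name, cmd, user."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def target_of(cmd: str):
    """Return (path, export); export is set only for rundll32 loads."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll").strip().lower(), m.group("export")
    m = PATH_RE.match(cmd)
    return (m.group("path").lower(), None) if m else (None, None)


def triage(log_text: str, missing_files: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Flag Run values matching the per-user rundll32 persistence seen in the log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if not entry:
            continue
        target, export = target_of(entry["cmd"])
        if target is None:
            continue
        reasons = []
        if export is not None and len(export) == 1:
            reasons.append("rundll32 loads a DLL through a one-letter export")
        if (export is None and "\\system32\\" in target
                and ntpath.basename(target) not in KNOWN_SYSTEM32_AUTOSTARTS):
            reasons.append("unexpected binary started directly from system32")
        if reasons and entry["hive"].upper().startswith("HKUS\\"):
            reasons.append("lives in one user's hive only, so only that login is affected")
        orphaned = target in missing_files
        if orphaned:
            reasons.append("target file is missing: orphaned value, source of the error box")
        if reasons:
            findings.append(Finding(entry["name"], entry["hive"], entry["user"],
                                    target, orphaned, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES, MISSING_FILES):
        print(f"[{f.name}] {f.hive} -> {f.target}")
        for r in f.reasons:
            print("    -", r)
```

Run as a script it lists the three rundll32 values as orphaned (their DLLs are in MISSING_FILES) and braviax.exe as a system32 binary that is still present. Only Run/RunOnce values are parsed; the two "Startup: .security" items in the same log are startup-folder entries and would need separate handling.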



#2 syler

  • Malware Response Team
  • 8,150 posts
  • Location: Warrington, UK

Posted 02 December 2009 - 11:07 AM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 syler

  • Malware Response Team
  • 8,150 posts
  • Location: Warrington, UK

Posted 07 December 2009 - 09:51 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
