Cannot remove nobuwika.dll



#1 dharris

dharris

  • Members
  • 27 posts
  • OFFLINE
  • Local time:05:30 AM

Posted 03 December 2009 - 02:21 PM

I cannot locate removal directions for a machine infected with nobuwika.dll and it has also indicated a trojan virus Trojan.Vondo!gen1. I appreciate your help in clearing this.

Don



DDS (Ver_09-12-01.01) - NTFSx86
Run by dharris at 11:50:55.23 on Thu 12/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.507 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\dharris.USDLOCAL\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\dharris.USDLOCAL\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80229
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80229
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [DevconDefaultDB] c:\windows\READREG /PSCONV={NO}
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32 /S CTASIO.DLL
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [melukehor] Rundll32.exe "c:\windows\system32\nobuwika.dll",a
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
uPolicies-system: DisableChangePassword = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/pm/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230657106611
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230657098394
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://www.its.usd.edu/antivirus/nav-inst/departmental/webinst.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://clubgames.pogo.com/online2/pogop/insaniquarium/popcaploader_v6.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\nabehiti.dll c:\windows\system32\nobuwika.dll,kibeluwe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: jikejuroz - {89720f94-05a3-43f4-b1e2-26504b5ca37f} -
SSODL: legadeyuj - {176b497d-7081-4d29-b473-f7c447b655f9} -
SSODL: wisizihim - {decfe670-23c0-40fb-bafd-57ce0920b4e6} - c:\windows\system32\nobuwika.dll
SSODL: natagofej - {d0ddd793-c25c-4ba9-8de2-797e9b4bec7a} - c:\windows\system32\nobuwika.dll
SSODL: lahifipig - {556d2689-4587-48bf-8e9c-c17a5911d7cc} - c:\windows\system32\nobuwika.dll
STS: {89720f94-05a3-43f4-b1e2-26504b5ca37f}: gahurihor
STS: {176b497d-7081-4d29-b473-f7c447b655f9}: mujuzedij
STS: gahurihor: {decfe670-23c0-40fb-bafd-57ce0920b4e6} - c:\windows\system32\nobuwika.dll
STS: tokatiluy: {d0ddd793-c25c-4ba9-8de2-797e9b4bec7a} - c:\windows\system32\nobuwika.dll
STS: tokatiluy: {556d2689-4587-48bf-8e9c-c17a5911d7cc} - c:\windows\system32\nabehiti.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli selutanu.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-7-21 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-7-21 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-7-21 2234296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091202.024\NAVENG.SYS [2009-12-3 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091202.024\NAVEX15.SYS [2009-12-3 1323568]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2001-8-23 14336]

=============== Created Last 30 ================

2009-12-03 17:13:05 574 ----a-w- C:\cleanup.bat
2009-12-03 17:13:05 19286 ----a-w- C:\cleanup.exe
2009-12-03 17:13:05 135168 ----a-w- C:\zip.exe
2009-12-03 14:49:33 0 d-----w- c:\docume~1\dharri~1.usd\applic~1\alot
2009-11-17 14:18:07 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-17 14:18:07 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-17 14:18:07 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-17 14:18:02 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-13 22:40:06 0 d-----w- c:\windows\system32\winrm
2009-11-13 22:40:06 0 d-----w- c:\windows\system32\GroupPolicy
2009-11-13 22:39:59 0 dc-h--w- c:\windows\$968930Uinstall_KB968930$

==================== Find3M ====================

2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 22:23:10 1107456 ------w- c:\windows\system32\WsmSvc.dll
2009-10-09 22:23:08 178176 ------w- c:\windows\system32\wevtfwd.dll
2009-10-09 22:22:58 368640 ------w- c:\windows\system32\WsmRes.dll
2009-10-09 22:22:56 69632 ------w- c:\windows\system32\winrs.exe
2009-10-09 22:22:52 42496 ------w- c:\windows\system32\pwrshplugin.dll
2009-10-09 20:56:20 209408 ------w- c:\windows\system32\WsmWmiPl.dll
2009-10-09 20:56:18 14848 ------w- c:\windows\system32\wsmprovhost.exe
2009-10-09 20:56:16 22528 ------w- c:\windows\system32\winrshost.exe
2009-10-09 20:56:14 25088 ------w- c:\windows\system32\winrmprov.dll
2009-10-09 20:56:10 12288 ------w- c:\windows\system32\wsmplpxy.dll
2009-10-09 20:56:08 2048 ------w- c:\windows\system32\winrsmgr.dll
2009-10-09 20:56:06 233984 ------w- c:\windows\system32\winrscmd.dll
2009-10-09 20:56:04 225280 ------w- c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 20:56:04 12288 ------w- c:\windows\system32\winrssrv.dll
2009-10-09 20:56:02 139776 ------w- c:\windows\system32\WsmAuto.dll
2009-10-08 20:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 20:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 20:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 04:31:11 61440 --sha-w- c:\windows\system32\gahiboru.dll
2009-09-02 04:31:11 39424 --sha-w- c:\windows\system32\miweyahu.dll
2009-09-01 16:31:10 94208 --sha-w- c:\windows\system32\nabehiti.dll
2009-09-02 04:31:11 93696 --sha-w- c:\windows\system32\nobuwika.dll
2009-09-01 16:31:10 39424 --sha-w- c:\windows\system32\zegetade.dll

============= FINISH: 11:52:32.54 ===============


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:30 AM

Posted 17 December 2009 - 09:29 PM

Do you still desire help?
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:30 AM

Posted 21 December 2009 - 04:19 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
