
Symantec says 'Trojan.Mundo' present, both tools say 'clean'

4 replies to this topic

#1 svswan


  • Members
  • 5 posts
  • Local time:05:28 PM

Posted 17 December 2009 - 03:43 PM

Hi all - I'm working with a Toshiba Satellite running XP Media SP2. When I set this up for my girlfriend's Mom I installed Symantec Antivirus Corporate. Pop-ups about virus infections tricked her into clicking on some of the screens, I don't know which. I tried to update Symantec but cannot get the most recent update to stick, even when I download a manual update with my computer and transfer it to the Toshiba. I followed the instructions on Symantec to remove the virus but none of the reg keys to be removed that are listed on Symantec's site are in the list when I run regedit. In searching online I found this forum and since the forum's name is appropriate at the moment I started reading. I have run both the Vundo removal tools suggested in the 'fix infections' post and they both say the computer is clean. When I reboot Symantec runs a quick scan and tells me 6 files are still infected, file name 'dinizuha.dll', which is a different file name than the last file name listed as affected. I did most of my research on my Dell, then when I started the scans to post here I got some pop-ups, but seemingly less than Joyce the Tosh Owner was getting. One was about a multi-level marketing biz with a recording that played too fast so it sounded like an elf talking about how you can make 7 to 10K a month - kinda funny.

Hopefully this is a thorough enough description. I am posting this from the infected computer so no BSOD or anything that drastic. I did turn off system restore and work in safe mode while trying the Symantec fix. Any help would be greatly appreciated. I'll be a hero if I can fix my girlfriend's Mom's computer while we are 'home' for the holidays ;-}


DDS (Ver_09-12-01.01) - NTFSx86
Run by Toshiba Owner at 14:47:47.84 on Thu 12/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.321 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Toshiba Owner\Local Settings\Temporary Internet Files\Content.IE5\7XEOP0LK\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.toshiba.com/search
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [system tool] c:\windows\sysguard.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9d.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [TPSMain] TPSMain.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [TFncKy] TFncKy.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [serisejeh] Rundll32.exe "c:\windows\system32\dinizuha.dll",a
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {8E870E19-045E-4D12-A2A4-DB0D9A5214AE} =
TCP: {C174BF1E-50CE-4E85-BACB-03F77C2E03F0} =
Filter: text/html - {6a7eda1d-5041-4ccf-8e31-e43c5cd70bf7} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\hibunevo.dll c:\windows\system32\keturige.dll c:\windows\system32\lodivime.dll c:\windows\system32\jozoyona.dll c:\windows\system32\ruyebana.dll c:\windows\system32\todolaze.dll c:\windows\system32\funeroga.dll c:\windows\system32\telopezo.dll c:\windows\system32\hajigira.dll c:\windows\system32\wevetora.dll c:\windows\system32\hobavana.dll c:\windows\system32\fejolave.dll voyuwuzo.dll zarebeba.dll nusoyeta.dll c:\windows\system32\vagiwara.dll c:\windows\system32\renazuvi.dll c:\windows\system32\huzivewe.dll c:\windows\system32\dinizuha.dll
SSODL: wibopuhew - {b1ee4c59-e6c9-4b43-ac93-5f4b28065db4} - c:\windows\system32\hibunevo.dll
SSODL: tetujimen - {b0bdc93f-8f2d-4796-aecd-a3c11f6c28ca} - c:\windows\system32\lodivime.dll
SSODL: gonobisoh - {2eef2df6-64ad-4c78-b3d7-2936a5f2ad33} - c:\windows\system32\dejufedu.dll
SSODL: webasihom - {70ebfefc-de33-4da9-b9a7-ea1822374d1f} - c:\windows\system32\dejufedu.dll
SSODL: dipepufep - {33b40184-fb67-4682-8a13-1947c7b99534} - c:\windows\system32\dejufedu.dll
SSODL: parabuyey - {79ff523f-4bae-441c-8519-fb8ec4131bee} - c:\windows\system32\ruyebana.dll
SSODL: tekolisav - {b6e6c886-dfc2-4f2d-a077-96352c900450} - c:\windows\system32\ruyebana.dll
SSODL: newujihez - {9ccf8413-6647-42bf-b527-7f81feff8dfe} - c:\windows\system32\feyimupa.dll
SSODL: sudodefuf - {7a5c3acd-7d0c-4be8-b25f-f4e47ca45037} - c:\windows\system32\feyimupa.dll
SSODL: kofayelun - {6be20d27-d3b8-40e1-ba5b-fd516e1244bd} - c:\windows\system32\wifufulu.dll
SSODL: mupihabez - {3b134a1f-1026-449a-a00d-46bc30593f78} - c:\windows\system32\dinizuha.dll
STS: gahurihor: {b1ee4c59-e6c9-4b43-ac93-5f4b28065db4} - c:\windows\system32\hibunevo.dll
STS: mujuzedij: {b0bdc93f-8f2d-4796-aecd-a3c11f6c28ca} - c:\windows\system32\lodivime.dll
STS: jugezatag: {2eef2df6-64ad-4c78-b3d7-2936a5f2ad33} - c:\windows\system32\dejufedu.dll
STS: mujuzedij: {70ebfefc-de33-4da9-b9a7-ea1822374d1f} - c:\windows\system32\dejufedu.dll
STS: gahurihor: {33b40184-fb67-4682-8a13-1947c7b99534} - c:\windows\system32\dejufedu.dll
STS: tokatiluy: {79ff523f-4bae-441c-8519-fb8ec4131bee} - c:\windows\system32\ruyebana.dll
STS: mujuzedij: {b6e6c886-dfc2-4f2d-a077-96352c900450} - c:\windows\system32\ruyebana.dll
STS: mujuzedij: {9ccf8413-6647-42bf-b527-7f81feff8dfe} - c:\windows\system32\feyimupa.dll
STS: kupuhivus: {7a5c3acd-7d0c-4be8-b25f-f4e47ca45037} - c:\windows\system32\feyimupa.dll
STS: jugezatag: {6be20d27-d3b8-40e1-ba5b-fd516e1244bd} - c:\windows\system32\wifufulu.dll
STS: kupuhivus: {3b134a1f-1026-449a-a00d-46bc30593f78} - c:\windows\system32\dinizuha.dll
LSA: Notification Packages = scecli hupezivu.dll yetugayu.dll ruyutego.dll
Hosts: browser-security.microsoft.com
Hosts: antiwareprotect.com
Hosts: www.antiwareprotect.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\toshib~1\applic~1\mozilla\firefox\profiles\m62vzrek.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0yahoo&bm=yh_home
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091216.003\naveng.sys [2009-12-16 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091216.003\navex15.sys [2009-12-16 1323568]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
S3 usbvm328;HP Camera;c:\windows\system32\drivers\usbvm326.sys [2007-12-16 219648]
S3 vmfilter323;VC0326 filter service for Serome;c:\windows\system32\drivers\vmfilter323.sys [2007-12-16 475264]

=============== Created Last 30 ================

2009-12-17 18:09:01 0 d-----w- C:\VundoFix Backups
2009-12-17 04:34:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-17 01:43:39 0 d-----w- c:\program files\CleanUp!
2009-11-20 04:04:14 0 d-----w- c:\docume~1\toshib~1\applic~1\webex
2009-11-20 04:03:16 0 d-----w- c:\program files\WebEx

==================== Find3M ====================

2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-17 02:40:04 61440 --sha-w- c:\windows\system32\bonopefo.dll
2009-09-10 03:09:41 38400 --sha-w- c:\windows\system32\dahogemu.dll
2009-09-17 18:12:05 92160 --sha-w- c:\windows\system32\dinizuha.dll
2009-09-09 01:14:31 52736 --sha-w- c:\windows\system32\ferazolu.dll
2009-09-10 21:11:54 38400 --sha-w- c:\windows\system32\foburune.dll
2009-09-04 22:43:52 38912 --sha-w- c:\windows\system32\gojidisi.dll
2009-09-13 16:15:21 38400 --sha-w- c:\windows\system32\joduharu.dll
2009-09-10 03:12:30 51712 --sha-w- c:\windows\system32\kagohaku.dll
2009-09-10 03:09:42 51712 --sha-w- c:\windows\system32\kujonuva.dll
2009-09-17 02:40:04 92672 --sha-w- c:\windows\system32\liwadefi.dll
2009-09-17 18:12:05 38400 --sha-w- c:\windows\system32\liwinise.dll
2009-09-07 15:57:55 38400 --sha-w- c:\windows\system32\lodayija.dll
2009-09-05 16:00:14 39424 --sha-w- c:\windows\system32\musowewo.dll
2009-09-11 22:34:27 38400 --sha-w- c:\windows\system32\muyinepa.dll
2009-09-09 01:14:31 92672 --sha-w- c:\windows\system32\puvutabo.dll
2009-09-17 02:40:04 38400 --sha-w- c:\windows\system32\rurirovi.dll
2009-09-06 14:51:37 1 --sha-w- c:\windows\system32\sawubiyi.dll
2009-09-17 18:12:05 61952 --sha-w- c:\windows\system32\tasasifu.dll
2009-09-06 14:51:37 51712 --sha-w- c:\windows\system32\tumaveko.dll
2009-09-09 01:14:31 39424 --sha-w- c:\windows\system32\tuvikize.dll
2009-09-05 16:00:14 52736 --sha-w- c:\windows\system32\wamejulu.dll
2009-09-10 03:12:30 51712 --sha-w- c:\windows\system32\yetugayu.dll
2009-09-10 03:12:30 51712 --sha-w- c:\windows\system32\zarebeba.dll

============= FINISH: 14:49:09.98 ===============



#2 svswan

  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:28 PM

Posted 17 December 2009 - 04:59 PM

another note - on some programs the names on the file bar are highlighted in white. I just ran Autorun to see what I can do on this and File, Edit, View and the rest of the tabs on the program have white background where the rest is gray like usual. I saw this on another program but forgot which one. Thought I would post if it helps...

and now I've found an Autorun entry called 'serisejeh' with no Description or Publisher located under c:\windows\system32\dinizuha.dll - which is the file name Symantec says was infected. This Autorun is not in the System Startup database on this site, or at least I can't find it.

When I open c:\windows\system32 I can't find dinizuha.dll, but more curious than that I have what appear to be hundreds of files in the \windows directory that are all variants on `$NtUninstallKB873333$ ' in blue. The file \windows\system32 has a whole bunch of blue text files that look just like all the rest.

Edited by svswan, 17 December 2009 - 05:27 PM.
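The DDS log in post #1 and the 'serisejeh' autorun entry in post #2 show the pattern a responder triages by hand: one randomly named DLL under system32 registered in several load points at once (Run key via Rundll32, AppInit_DLLs, SSODL, STS, LSA Notification Packages), the same files carrying hidden+system attributes in the Find3M section, and Hosts entries that redirect security-vendor domains. The script below is an added example, not part of this thread and not DDS's own code: it parses a constructed sample of lines copied in shape from the log above and flags those three indicators. The consonant-vowel naming heuristic (eight lowercase letters alternating consonant and vowel, as in di-ni-zu-ha) is my assumption derived from the names in this log, not a rule DDS or Symantec uses; a legitimate eight-letter name such as deploytk.dll does not fit it.

```python
import re
from collections import Counter

# Constructed sample, shaped after the "Pseudo HJT Report" and "Find3M"
# sections of the DDS log in post #1; two benign entries are included
# for contrast (ccApp.exe, NavLogon.dll, deploytk.dll).
SAMPLE_DDS = r"""
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [serisejeh] Rundll32.exe "c:\windows\system32\dinizuha.dll",a
AppInit_DLLs: c:\windows\system32\hibunevo.dll c:\windows\system32\keturige.dll voyuwuzo.dll
SSODL: wibopuhew - {b1ee4c59-e6c9-4b43-ac93-5f4b28065db4} - c:\windows\system32\hibunevo.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Notification Packages = scecli hupezivu.dll yetugayu.dll
Hosts: browser-security.microsoft.com
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-17 18:12:05 92160 --sha-w- c:\windows\system32\dinizuha.dll
""".strip().splitlines()

# Assumed heuristic: dropped DLLs are four consonant-vowel pairs
# (hibunevo, dinizuha); 'y' is treated as a consonant (voyuwuzo).
RANDOM_CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
DLL_REF = re.compile(r"([A-Za-z0-9_]+)\.dll", re.IGNORECASE)

# DDS prefixes for load points where a DLL is injected or run at logon.
LOAD_POINTS = ("uRun:", "mRun:", "AppInit_DLLs:", "SSODL:", "STS:", "Notify:", "LSA:")

# Find3M line layout: "<date> <time> <size> <attrs> <path>", attrs like --sha-w-
FIND3M_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(\S{8})\s+(.+)$"
)


def looks_random(dll_basename):
    """True if the DLL base name fits the consonant-vowel pattern."""
    return bool(RANDOM_CV_NAME.match(dll_basename.lower()))


def scan_dds(lines):
    """Return (kind, detail) findings for suspicious entries in DDS output."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith(LOAD_POINTS):
            # Every DLL referenced from a load point is checked by name.
            prefix = line.split(":", 1)[0]
            for base in DLL_REF.findall(line):
                if looks_random(base):
                    findings.append(("random_dll_loadpoint", f"{prefix} -> {base}.dll"))
            continue
        if line.startswith("Hosts:"):
            # DDS prints only non-default hosts entries, so any entry that
            # names a vendor or security domain is worth a look.
            findings.append(("hosts_override", line.split(":", 1)[1].strip()))
            continue
        m = FIND3M_LINE.match(line)
        if m:
            attrs, path = m.groups()
            base = path.rsplit("\\", 1)[-1]
            hidden_system = "s" in attrs and "h" in attrs
            name = base[:-4] if base.lower().endswith(".dll") else ""
            if hidden_system and name and looks_random(name):
                findings.append(("hidden_system_random_dll", path))
    return findings


def summarize(findings):
    """Count findings per kind for a one-line triage summary."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in scan_dds(SAMPLE_DDS):
        print(f"{kind:28} {detail}")
    print(summarize(scan_dds(SAMPLE_DDS)))
```

Run against the sample, the script reports dinizuha.dll from the Run key, the three AppInit_DLLs names, the SSODL DLL, the two LSA notification packages, the redirected Microsoft hosts entry, and the hidden+system copy of dinizuha.dll under system32, while the Symantec, NavLogon and Java entries pass. On a real DDS log the same function is fed the whole file, and the per-DLL hits are what the responder cross-checks against each other before touching anything.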

#3 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:09:28 AM

Posted 18 December 2009 - 08:58 AM

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running our fixes.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download this program by sUBs and save it to your Desktop. Then after you disable all security programs, simply run it (double-click it)

If the program asks you to install Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while the program is running.. Just let it finish..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#4 svswan

  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:28 PM

Posted 19 December 2009 - 10:46 AM

Thanks fenzodahl512 -

While hunting down the different autorun apps that I could not ID via the autorun DB on this site I came across a link to a program that claimed it could remove the virus associated with the autorun file I was googling. Late that night I tried it because I had to leave in the morning and would have no time to check for a response. It worked, as far as I can tell. I am visiting another branch of my girlfriends family and will run the program you have posted when I return to the infected computer Sunday evening. Thanks for your help.

#5 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:09:28 AM

Posted 19 December 2009 - 10:51 AM

no problem.. May I know what tool you ran? It could be a nice addition to my arsenal :D

