Registered User
Join Date: Nov 2008
Posts: 5
OS: XP sp3
Infected with mimoyibi.dll, muvetuvo.dll, gitalobo.dll, all started with tivivapi.dll
System: Windows XP SP3
Current problem:
When I run the System Configuration Utility (SCU), I see suspicious “Rundll32.exe” entries running:
C:\WINDOWS\system32\mimoyibi.dll
C:\WINDOWS\system32\muvetuvo.dll
C:\WINDOWS\system32\gitalobo.dll
When I uncheck these lines in SCU and reboot, the processes reappear in SCU.
IE runs slowly, is often non-responsive, and cannot connect to some sites. Booting takes a long time, and often “Windows is shutting down …” does not complete.
Several times I have had an “Avast! Warning, File name: C:\WINDOWS\SYSTEM32\KUJAKURI.DLL, Win32:Trojan-gen {Other}, Malware type: Virus/Worm, VPS version: 081204-0, 12/04/2008”.
This is how it started:
The problem started when I downloaded an executable from what I thought was a trusted site and ran the file to install software; it started downloading some strange links (a lot of regrets that I did it). First I was getting two error windows during the reboot: rundll errors “Windows cannot find tivivapi.dll” and “Windows cannot find jumovasi.dll”. This problem somehow disappeared (and the current problems appeared). Even though anti-spyware scans were finding Trojans and seemingly fixing them, the problems and errors reappeared after each reboot.
DDS (Version 1.0) - NTFSx86
Run by Administrator at 21:51:48.04 on Thu 12/04/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.459 [GMT -8:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\System Recovery\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {d513cef2-7fe9-44a6-bc7c-56ba4a5a15f7} - c:\windows\system32\royomuya.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe
mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [vesesaroli] Rundll32.exe "c:\windows\system32\mimoyibi.dll",s
mRun: [640e5c82] rundll32.exe "c:\windows\system32\muvetuvo.dll",b
mRun: [CPM673d6f1e] Rundll32.exe "c:\windows\system32\gitalobo.dll",a
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\nonabefa.dll c:\windows\system32\balinoto.dll c:\windows\system32\gitalobo.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gitalobo.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gitalobo.dll
SEH: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\balinoto.dll
============= SERVICES / DRIVERS ===============
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-3 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-3 20560]
R3 HPFXBULK;HPFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2008-8-15 9344]
=============== Created Last 30 ================
2008-12-04 21:18 250 a------- c:\windows\gmer.ini
2008-12-04 15:00 1,430,057 ---sh--- c:\windows\system32\ovutevum.ini
2008-12-03 23:18 1,387,472 ---sh--- c:\windows\system32\amiritip.ini
2008-12-03 11:18 1,387,472 ---sh--- c:\windows\system32\obeyisak.ini
2008-12-02 23:18 1,355,518 ---sh--- c:\windows\system32\erikatih.ini
2008-12-02 11:18 1,355,509 ---sh--- c:\windows\system32\isabegif.ini
2008-12-01 23:17 1,333,214 ---sh--- c:\windows\system32\irukajuk.ini
2008-11-30 11:17 1,296,258 ---sh--- c:\windows\system32\awefulit.ini
2008-11-30 01:19 <DIR> --d----- c:\windows\pss
2008-11-30 00:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Uniblue
2008-11-29 02:07 <DIR> --d----- c:\program files\FixTunes
2008-11-29 01:45 <DIR> --d----- c:\program files\FlashGet
2008-11-28 16:54 <DIR> --d----- c:\program files\Zortam Mp3 Media Studio
2008-11-28 16:19 <DIR> --d----- c:\program files\TagScanner
2008-11-27 13:22 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-11-27 13:22 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-27 13:22 <DIR> --d----- c:\program files\iPod
2008-11-27 13:22 <DIR> --d----- c:\program files\iTunes
2008-11-27 13:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-27 13:21 <DIR> --d----- c:\program files\Bonjour
2008-11-24 23:20 10,368 a------- c:\windows\system32\drivers\pfc.sys
2008-11-24 23:20 <DIR> --d----- c:\program files\MemoriesOnTV4
2008-11-12 09:50 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:49 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
==================== Find3M ====================
2008-12-04 15:00 65,589 a--sh--- c:\windows\system32\worukehe.dll
2008-12-04 15:00 92,725 a--sh--- c:\windows\system32\gitalobo.dll
2008-12-04 15:00 87,093 a--sh--- c:\windows\system32\muvetuvo.dll
2008-12-03 23:18 94,261 a--sh--- c:\windows\system32\pirabumo.dll
2008-12-03 23:18 85,557 a--sh--- c:\windows\system32\pitirima.dll
2008-12-03 11:18 64,565 a--sh--- c:\windows\system32\wuwijaba.dll
2008-12-03 11:18 94,261 a--sh--- c:\windows\system32\sapayuse.dll
2008-12-02 23:18 93,749 a--sh--- c:\windows\system32\jedevihi.dll
2008-12-02 11:17 93,749 a--sh--- c:\windows\system32\vadihihe.dll
2008-12-01 23:17 65,076 a--sh--- c:\windows\system32\tozujozo.dll
2008-12-01 23:17 86,580 a--sh--- c:\windows\system32\kujakuri.dll
2008-12-01 23:17 93,748 a--sh--- c:\windows\system32\zijodope.dll
2008-11-30 10:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 13:23 <DIR> --d----- c:\docume~1\admini~1\applic~1\ZoomBrowser EX
2008-10-19 09:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TomTom
2008-10-19 09:25 <DIR> --d----- c:\program files\TomTom HOME 2
2008-10-19 09:21 <DIR> --d----- c:\docume~1\admini~1\applic~1\TomTom
2008-10-17 00:01 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2008-10-17 00:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-10-16 22:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-10-16 22:50 <DIR> --d----- c:\program files\Lavasoft
2008-10-16 22:49 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-21 17:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 17:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-08-15 22:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Network Associates
2008-09-04 15:00 65,589 a--sh--- c:\windows\system32\balinoto.dll
2008-09-04 15:00 65,589 a--sh--- c:\windows\system32\mimoyibi.dll
2008-09-04 15:00 65,589 a--sh--- c:\windows\system32\royomuya.dll
============= FINISH: 21:54:15.96 ===============
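The log above shows the three DLLs from the title being loaded from Run keys via rundll32, with gitalobo.dll and balinoto.dll also wired into AppInit_DLLs, SSODL and the LSA notification packages, and all of them carrying hidden+system attributes in the Find3M listing, which is why unchecking them in msconfig does not hold. As an added triage example (not part of the original post and not DDS's own code), this Python script parses a constructed excerpt of those log lines and flags DLLs on exactly those two signals; the attribute-column offsets are assumed from the log format shown.

```python
import re
# Constructed excerpt of the DDS log posted above (autostart entries plus Find3M file lines).
DDS_EXCERPT = r"""
mRun: [vesesaroli] Rundll32.exe "c:\windows\system32\mimoyibi.dll",s
mRun: [640e5c82] rundll32.exe "c:\windows\system32\muvetuvo.dll",b
mRun: [CPM673d6f1e] Rundll32.exe "c:\windows\system32\gitalobo.dll",a
AppInit_DLLs: c:\windows\system32\nonabefa.dll c:\windows\system32\balinoto.dll c:\windows\system32\gitalobo.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gitalobo.dll
LSA: Notification Packages = scecli c:\windows\system32\balinoto.dll
2008-12-04 15:00 92,725 a--sh--- c:\windows\system32\gitalobo.dll
2008-12-04 15:00 87,093 a--sh--- c:\windows\system32\muvetuvo.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-09-04 15:00 65,589 a--sh--- c:\windows\system32\balinoto.dll
2008-09-04 15:00 65,589 a--sh--- c:\windows\system32\mimoyibi.dll
"""
# DDS sections that list autostart locations (Run keys, AppInit_DLLs, SSODL, STS, LSA).
AUTOSTART = ("uRun:", "mRun:", "AppInit_DLLs:", "SSODL:", "STS:", "LSA:")
SYS32_DLL = re.compile(r"c:\\windows\\system32\\([a-z0-9]+\.dll)", re.I)
# Find3M/Created line: date time size attrs path; attrs is 8 chars such as 'a--sh---'.
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(\S{8})\s+(.+)$")

def parse_dds(text):
    """Return (loaders: dll -> set of sections loading it, attrs: dll -> attribute string)."""
    loaders, attrs = {}, {}
    for line in text.splitlines():
        if line.startswith(AUTOSTART):
            section = line.split(":", 1)[0]
            for dll in SYS32_DLL.findall(line):
                loaders.setdefault(dll.lower(), set()).add(section)
        if m := FILE_LINE.match(line):
            for dll in SYS32_DLL.findall(m.group(2)):
                attrs[dll.lower()] = m.group(1)
    return loaders, attrs

def suspicious_dlls(text):
    """Flag autostarted system32 DLLs that are hidden+system files or sit in several autostart spots."""
    loaders, attrs = parse_dds(text)
    hits = {}
    for dll, sections in loaders.items():
        a = attrs.get(dll, "--------")
        reasons = []
        # Assumption from the log format above: 's' and 'h' sit at attribute offsets 3 and 4.
        if a[3] == "s" and a[4] == "h":
            reasons.append("hidden+system file")
        if len(sections) > 1:
            reasons.append("multiple autostart locations")
        if reasons:
            hits[dll] = {"locations": sorted(sections), "reasons": reasons}
    return hits
```

Run on a full DDS log, the same parser also picks up entries under uRun and STS; a known-good system file such as mucltui.dll is not flagged because it is neither hidden nor referenced by any autostart section.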