Remnants remain after attempt a removal

mikel456 · 02-22-2009, 05:59 PM

A client has an infested computer. He went to a web site and got downloader trojan. I attached his drive to another system and scanned with malwarebytes and AVG which moved several files to a vault. The system boots up now, but there are messages from RUNDLL about modules that cannot be found:

1. Error loading C:\WINDOWS\System32\yavipoma.dll
2. Error loading C:\WINDOWS\System32\yedejava.dll
3. Error loading C:\WINDOWS\System32\mafolibu.dll

The DDS log is below

DDS (Ver_09-02-01.01) - NTFSx86
Run by Timothy Flagerman at 16:13:31.68 on Sun 02/22/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.503 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Windows Live OneCare *On-access scanning enabled* (Outdated)
FW: Windows Live OneCare Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Timothy Flagerman\Desktop\techsupportforum\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar =
uStart Page = hxxp://www.bruceb.com/favorites
uInternet Settings,ProxyOverride = *.local
BHO: {e7aba305-cc6e-135a-d634-74eb482e6310}: {0136e284-be47-436d-a531-e6cc503aba7e} - c:\windows\system32\pfkrby.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {0a590b2b-27ae-4aec-8371-7ed5a5722663} - c:\windows\system32\vudatedi.dll
BHO: WinGDI Class: {12c7290a-157b-4f43-b109-97e792c598ed} - c:\windows\iehost.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\_helper.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EleFunAnimatedWallpaper]
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Amazing3DAquariumWallpaper]
mRun: [bijajofuve] Rundll32.exe "c:\windows\system32\yavipoma.dll",s
mRun: [Lretuwaqiqa] rundll32.exe "c:\windows\Klolupadewiyoh.dll",e
mRun: [Ynaxu] rundll32.exe "c:\windows\ewuruzon.dll",e
mRun: [dc7e3f5a] rundll32.exe "c:\windows\system32\yedejava.dll",b
mRun: [CPMdf4d0cc6] Rundll32.exe "c:\windows\system32\mafolibu.dll",a
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: text/html - {c9a67d26-2eff-4f05-bb48-2b9ec3de8fa9} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\jadeveyu.dll pfkrby.dll c:\windows\system32\mafolibu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mafolibu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\mafolibu.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\windows\system32\jadeveyu.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-19 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-19 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-12 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-19 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-19 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]

=============== Created Last 30 ================

2009-02-20 16:58 21,504 a------- c:\windows\system32\hidserv.dll
2009-02-20 16:58 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2009-02-20 16:57 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-02-20 16:57 32,128 a------- c:\windows\system32\dllcache\usbccgp.sys
2009-02-19 19:06 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-19 19:05 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-19 19:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-19 19:05 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-19 19:05 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-19 19:05 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-19 19:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-19 19:05 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-19 19:05 <DIR> --d----- C:\85df2eaad604c0d8cbdae060a131
2009-02-19 16:50 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-19 16:42 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-19 16:42 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-19 16:42 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-19 16:42 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-19 16:42 <DIR> --d----- c:\docume~1\timoth~1\applic~1\AVGTOOLBAR
2009-02-19 16:41 <DIR> --d----- c:\program files\AVG
2009-02-19 16:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-19 14:32 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-19 13:45 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-19 13:44 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-19 13:44 <DIR> --d----- c:\program files\Lavasoft
2009-02-19 12:55 <DIR> --dsh--- c:\documents and settings\timothy flagerman\IECompatCache
2009-02-19 12:54 <DIR> --dsh--- c:\documents and settings\timothy flagerman\PrivacIE
2009-02-19 12:54 <DIR> --dsh--- c:\documents and settings\timothy flagerman\IETldCache
2009-02-19 12:48 <DIR> -cd-h--- c:\windows\ie8
2009-02-19 12:20 <DIR> --d----- C:\ProgramData
2009-02-19 12:15 <DIR> --d----- c:\program files\XPPoliceAntivirus
2009-02-19 12:15 15,360 a------- c:\windows\iehost.dll
2009-02-19 12:07 1,608,273 ---sh--- c:\windows\system32\avajedey.ini
2009-02-19 12:07 144,896 a--sh--- c:\windows\system32\pfkrby.dll
2009-02-18 15:11 134,656 a------- c:\windows\ewuruzon.dll
2009-02-18 14:59 39,424 a------- c:\windows\Klolupadewiyoh.dll
2009-02-18 13:59 1,602,200 ---sh--- c:\windows\system32\ezukusum.ini
2009-02-18 13:47 <DIR> --d----- c:\program files\EleFun Desktops
2009-02-18 13:47 2,262,648 a------- c:\windows\system32\Flash9b.ocx
2009-02-18 13:47 <DIR> --d----- c:\docume~1\timoth~1\applic~1\elefundesktops
2009-02-18 13:47 <DIR> --d----- c:\program files\common files\Download Manager

==================== Find3M ====================

2009-02-19 12:07 144,896 a--sh--- c:\windows\system32\fumitoga.dll
2009-01-15 02:17 636,264 a------- c:\windows\system32\dllcache\iexplore.exe
2009-01-15 02:17 392,040 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-01-15 02:13 5,888,512 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-15 02:12 10,963,968 a------- c:\windows\system32\dllcache\ieframe.dll
2009-01-15 02:06 1,182,720 a------- c:\windows\system32\dllcache\urlmon.dll
2009-01-15 02:06 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-01-15 02:06 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 02:05 911,872 a------- c:\windows\system32\dllcache\wininet.dll
2009-01-15 02:05 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-01-15 02:05 109,056 a------- c:\windows\system32\dllcache\occache.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-01-15 02:04 755,200 a------- c:\windows\system32\dllcache\VGX.dll
2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 02:04 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-01-15 02:04 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-01-15 02:02 1,975,296 a------- c:\windows\system32\dllcache\iertutil.dll
2009-01-15 02:02 593,920 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-15 02:02 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-01-15 02:01 183,808 a------- c:\windows\system32\dllcache\iepeers.dll
2009-01-15 02:01 59,904 a------- c:\windows\system32\dllcache\icardie.dll
2009-01-15 02:01 54,272 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\dllcache\imgutil.dll
2009-01-15 02:01 348,160 a------- c:\windows\system32\dllcache\dxtmsft.dll
2009-01-15 02:01 46,592 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-01-15 02:01 216,064 a------- c:\windows\system32\dllcache\dxtrans.dll
2009-01-15 02:01 66,560 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\dllcache\mshtmler.dll
2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 02:00 45,568 a------- c:\windows\system32\dllcache\mshta.exe
2009-01-15 01:53 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-15 01:50 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-01-15 01:35 445,440 a------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-20 15:15 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-14 17:12 3,698,040 a------- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-09-01 02:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 16:14:38.87 ===============

Awaiting your response.

MC

Ried · 02-26-2009, 09:58 PM

Hello mikel456,

Our apologies for the delay. If you still require assistance, please run a new scan with dds, post a fresh dds.txt , and we'll get started.

mikel456 · 02-26-2009, 10:18 PM

Actually I took heart after running another AVG scan that came up empty and simply went to the Run key in regedit and removed about five flakey looking entries that pointed to RUNDLL. I also disabled prkey in Internet Explorer add-ons, and it looks like the system is stable again.

The system is back in the hands of my client, so I don't have it available to get a fresh log.

Thanks for being available to help. Cross this one off the list for now!

Ried · 02-26-2009, 10:26 PM

Thanks for letting me know, mikel456.

Take care.

02-26-2009, 09:58 PM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,938 OS: WinXP and Vista	Re: Remnants remain after attempt a removal Hello mikel456, Our apologies for the delay. If you still require assistance, please run a new scan with dds, post a fresh dds.txt , and we'll get started. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

02-26-2009, 10:18 PM	#3 (permalink)
mikel456 Registered User Join Date: Nov 2008 Location: Calif. wine country Posts: 5 OS: Windows XP and Vista	Re: Remnants remain after attempt a removal Actually I took heart after running another AVG scan that came up empty and simply went to the Run key in regedit and removed about five flakey looking entries that pointed to RUNDLL. I also disabled prkey in Internet Explorer add-ons, and it looks like the system is stable again. The system is back in the hands of my client, so I don't have it available to get a fresh log. Thanks for being available to help. Cross this one off the list for now!

02-26-2009, 10:26 PM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,938 OS: WinXP and Vista	Re: Remnants remain after attempt a removal Thanks for letting me know, mikel456. Take care. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."