Self recreating .dll file virus. Please help.

Balthraka

Hey everybody.
I have a problem with some viruses that have appeared on my system.
Any help would be appreciated!
:-)

I noticed today while having a look through "Startup Control Panel" that I have two programs booting on startup, both of which I do not recognise and that are .dll files.
They are:
-rundll32.exe "ljihee.dll",s
-rundll32.exe "geebaw.dll",DllRegisterServer

I first searched both of these on Google but got absolutely no results, which seemed very unusual to me...

Then I tried to untick them in Startup Control Panel.
They untick, but then immediately recreate themselves with a different nonsense file name (although the .dll name remains steady the whole time).

I also checked the startup things on Spybot S&D.
They appear there too, and if I untick them they reappear once I change page in Spybot and then go back.

I also did the same thing in CCleaner startup tool.
And they reappear immediately upon changing the page.

Spybot, Ad-Aware and AVG do not pick up any errors in my system.

I have CCleaned my system and done a Disk and Registry Defrag with Auslogics programs too.

Revo Uninstaller isn't picking up anything unusual that has been installed.
Nor is the Windows Add/Remove.

I can't delete the files through Windows\System32 because they are .dll files.

I tried renaming them and while that works, they just recreate themselves upon restart.




The only thing they seem to be doing is causing some links in Google to divert to obviously fake pages and occasionally making Firefox crash.
But that's enough for me not to want them there.

Any ideas?
Cheers.
-B
 
To add to that last post.

I have been running Malwarebytes Anti Malware.
It immediately found the geebaw.dll and was able to remove it. I think that that problem has been fixed.
The ljihee.dll on the other hand is still causing grief.
Every time I run Anti Malware it finds 3 or 4 Trojan.agent and a Trojan.vundo whose names match the nonsense names that the ljihee uses.
I tell it to fix them and it says it has removed them, but the .dll still says it will be starting on startup and still self replicates if I try to untick it in Startup Control Panel, Spybot or CCleaner.

Also.
The ljihee.dll appears to have disappeared from the system.
It is no longer in Windows\System32.

-B
 
Ok.

Well, as I already said.
I have been running Malwarebytes Anti Malware.
It immediately found the geebaw.dll and was able to remove it. I think that that problem has been fixed.
The ljihee.dll on the other hand is still causing grief.
Every time I run Anti Malware it finds 3 or 4 Trojan.agent and a Trojan.vundo whose names match the nonsense names that the ljihee uses.
I tell it to fix them and it says it has removed them, but the .dll still says it will be starting on startup and still self replicates if I try to untick it in Startup Control Panel, Spybot or CCleaner.
I will post the log in this post though.


I have attached the HijackThis log too.



Cheers
-B
 

Please copy the contents of the two logs and paste them in your next post. Many of us prefer not to open attached files.
 
Sorry.

-------------------------------------------------------


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4153

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

29/05/2010 17:56:52
mbam-log-2010-05-29 (17-56-52).txt

Scan type: Quick scan
Objects scanned: 114483
Time elapsed: 1 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tutttsdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hgfefddrv (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:54:42, on 29/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ClipX\clipx.exe
C:\Program Files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\THEKMP~1\KMPlayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15187&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ClipX] C:\Program Files\ClipX\clipx.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [hgfefddrv] rundll32.exe "ljihee.dll",s
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" -automount
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tutttsdrv] rundll32.exe "ljihee.dll",s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1274423226443
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

--
End of file - 6470 bytes


--------------------------------------------------

Cheers.
-B
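The two logs above show the pattern the helpers are reading by eye: a bare DLL name launched through rundll32.exe from Run values under both HKLM and HKCU, with value names that MBAM later reports as Trojan.Agent and Trojan.Vundo. As an added example (not part of the thread, and not code from HijackThis, Malwarebytes or any other tool named here), the script below parses the O4 lines of a HijackThis log, flags rundll32 entries that load a DLL by bare name, use a very short export name, or repeat the same command under several Run values, and cross-checks the flagged value names against the "Registry Values Infected" lines of an MBAM log. The sample inputs are constructed from the logs posted above; the heuristics are my own and are not from the page.

```python
"""Added example: correlate rundll32 Run-key persistence in a HijackThis
log with Malwarebytes detections.  Heuristics and sample data are the
editor's own, built from the lines quoted in the thread."""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the HijackThis log above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [hgfefddrv] rundll32.exe "ljihee.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tutttsdrv] rundll32.exe "ljihee.dll",s
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# Constructed sample: the "Registry Values Infected" section of the MBAM log above.
MBAM_SAMPLE = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tutttsdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hgfefddrv (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# HijackThis "O4 - <hive>[\<sid>]\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU|HKUS)(?:\\(?P<sid>[^\\]+))?\\\.\.\\Run: '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# rundll32[.exe] "<dll>",<export>   (optional quotes and path prefix)
RUNDLL_RE = re.compile(
    r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>[^\s,]+)',
    re.IGNORECASE)
# MBAM "HKEY_...\CurrentVersion\Run\<value name> (<family>) -> ..."
MBAM_RUN_RE = re.compile(
    r'^(?P<hive>HKEY_[A-Z_]+)\\.*\\CurrentVersion\\Run\\(?P<name>\S+) \((?P<family>[^)]+)\)')


def parse_o4(text):
    """Return one dict (hive, sid, name, cmd) per O4 line in a HijackThis log."""
    return [m.groupdict() for m in map(O4_RE.match, (l.strip() for l in text.splitlines())) if m]


def parse_mbam_run_values(text):
    """Map Run value names to the detection family MBAM assigned them."""
    found = {}
    for line in text.splitlines():
        m = MBAM_RUN_RE.match(line.strip())
        if m:
            found[m['name']] = m['family']
    return found


def find_rundll32_persistence(hjt_text, mbam_text=""):
    """Flag suspicious rundll32 Run entries; attach MBAM's verdict where one exists."""
    entries = parse_o4(hjt_text)
    mbam = parse_mbam_run_values(mbam_text)
    # Droppers of this kind register the same DLL under several value names and
    # hives, so the same command line appearing more than once is itself a signal.
    by_cmd = defaultdict(list)
    for e in entries:
        by_cmd[e['cmd'].lower()].append(e['name'])
    findings = []
    for e in entries:
        m = RUNDLL_RE.match(e['cmd'])
        if not m:
            continue
        dll, entry = m['dll'], m['entry']
        reasons = []
        if '\\' not in dll:
            # A bare name is resolved through the DLL search order, not a fixed path.
            reasons.append('unqualified DLL name')
        if len(entry) <= 2:
            # Legitimate rundll32 entries name a real export (e.g. DllRegisterServer).
            reasons.append('minimal export name %r' % entry)
        twins = [n for n in by_cmd[e['cmd'].lower()] if n != e['name']]
        if twins:
            reasons.append('same command under other Run value(s): %s' % ', '.join(twins))
        if reasons:
            findings.append({'hive': e['hive'], 'name': e['name'], 'dll': dll,
                             'entry': entry, 'reasons': reasons,
                             'mbam': mbam.get(e['name'])})
    return findings


if __name__ == '__main__':
    for f in find_rundll32_persistence(HJT_SAMPLE, MBAM_SAMPLE):
        print('%s\\...\\Run\\%s -> %s,%s  [%s]  MBAM: %s' % (
            f['hive'], f['name'], f['dll'], f['entry'], '; '.join(f['reasons']), f['mbam']))
```

On the sample data both rundll32 values are flagged for all three reasons and each carries MBAM's family name, which is the correlation the later replies rely on: MBAM removed the two Run values, while the DLL they launched is what keeps writing them back. Run on a real log, the script takes the full HijackThis and MBAM text as its two arguments.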
 
------ Next Step ------
* Put all downloads on your desktop or in another location you can access quickly and easily.
* Print these instructions for use while operating in safe mode

--- DOWNLOAD STEP ---

-- RKill
Download all these RKill types. Don't run any of them yet; we'll get to that in a moment.
Download Rkill:
- RKill.exe from Bleeping Computer
- RKill.com from Bleeping Computer
- RKill.scr from Bleeping Computer


-- SuperAntiSpyware
Now download SuperAntiSpyware, install it and update it, but don't run any scans with it just yet.

Download here: SuperAntiSpyware
(SAS's homepage: http://www.superantispyware.com/)

Just don't run any scans yet.

-- Malwarebytes
Since you already have Malwarebytes, just go into it and update the program and make sure that you have REMOVED all found infections from previous scans.

Just don't run any scans yet.


-- Flash Disinfector
If you have flash drives they may be infected as well, so here is the tool to clean them as well. Download it, but don't do anything more with it. If you have any flash drives plugged in, take the chance now to unplug them so that they can't reinfect you.
Download: sUBs Flash Disinfector.exe


--- Running ---
* Remember, if in Vista, to run these programs as ADMINISTRATOR.

Reboot into "Safe Mode" (without networking) and wait until your computer is running stable. Once it is running as smoothly as possible, follow the instructions below very closely.

1. If the .exe save will not activate, then use the .com save, and if the .com does not activate then run the .scr save

NOTE: Do not reboot until we are completely finished with the malware removal, as rebooting will de-activate RKill.


2. Run Malwarebytes and then remove all infections found. Close program once finished with it.


3. Run SuperAntiSpyware and then go to the quarantine sections of the program and delete all infections found. Close program once finished with it.


4.
A) Before you run Flash Disinfector turn off your anti-virus software and close all malware removal programs.
B) Click the downloaded Flash_Disinfector file and follow any steps it gives you.
C) When it asks you to insert flash drives, do so while holding down the SHIFT key so that the Windows auto-play feature is disabled. Hold the shift key while inserting the flash drive until the flash drive is found and the "Options" menu appears.
D) Flash Disinfector will scan and complete.
E) Remove all Flash drives


5. Restart Windows normally.


6. Once the OS is stable in normal mode, re-run HiJackThis and post the log, and also post the logs from Malwarebytes and SuperAntiSpyware. Then tell us how the computer is running.
 
He needs to run combofix but I can't post the links as I'm on my blackberry. I will post the instructions when I get home unless someone else can post the link for it.
 
He needs to run combofix but I can't post the links as I'm on my blackberry. I will post the instructions when I get home unless someone else can post the link for it.

:)

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
NOTE: IF COMBOFIX FAILS TO RUN TRY RENAMING THE FILE TO 'ANYTHING.EXE' WITHOUT THE QUOTES

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply I will need:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 