Nov 5 2009, 04:16 PM
New Member Group: Authentic Member Posts: 9 Joined: 5-November 09 From: Atlanta, GA Member No.: 88,683 Operating System: Windows XP Home
I recently started receiving pop ups, and my system is running slower. I jumped into msconfig and noticed gorumiba.dll in the start up list. I disabled it in start up and ran adaware to remove it. I also downloaded avast (wanted to get everything done in one reboot). Now when I boot up the computer I get a RUNDLL error stating: "Error loading c:\windows\system32\gorumbia.dll The specified module could not be found." And avast is telling me a Trojan has been found:

File name: C:\WINDOWS\system32\hivezuto.dll
Malware name: Win32:Y dss-DL [Trj]
Malware type: Trojan Horse
VPS version: 091105-2, 11/05/09

When I try to move it to the chest it says it cannot process the file. I've also downloaded Malwarebytes, only it won't run >.< I click the file and nothing happens. HijackThis log below.

Edit: Since the time I posted this I've received several more alerts from Avast:

11/5/2009 5:21:22 PM Alyssa 2340 Sign of "Win32:Tdss-DL [Trj]" has been found in "c:\windows\system32\ketedoti.dll" file.
11/5/2009 5:21:28 PM Alyssa 2340 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\logon.exe" file.
11/5/2009 5:21:57 PM Alyssa 2340 Sign of "Win32:Tdss-DL [Trj]" has been found in "c:\windows\system32\trz7.tmp" file.
11/5/2009 5:30:37 PM Alyssa 2956 Sign of "Win32:Tdss-DL [Trj]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003334.dll" file.
11/5/2009 5:30:45 PM Alyssa 2956 Sign of "Win32:Tdss-DL [Trj]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003346.dll" file.
11/5/2009 5:30:53 PM Alyssa 2956 Sign of "Win32:Tdss-DL [Trj]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP16\A0003347.dll" file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:20 PM, on 11/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless USB 2.0 Adapter HW.14 V.1.00\WlanCU.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Flock\flock.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [voduruduy] Rundll32.exe "c:\windows\system32\gorumiba.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless USB 2.0 Adapter HW.14 V.1.00\WlanCU.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1257224427117
O20 - AppInit_DLLs: c:\windows\system32\gorumiba.dll,hivezuto.dll
O21 - SSODL: kelizevef - {c2da0289-41e9-4410-bb2f-d2ebc8824772} - c:\windows\system32\gorumiba.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {c2da0289-41e9-4410-bb2f-d2ebc8824772} - c:\windows\system32\gorumiba.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7667 bytes

This post has been edited by harlequindreamsx: Nov 5 2009, 04:41 PM
harlequindreamsx [Resolved] ie popups/slow system/gorumiba.dll Nov 5 2009, 04:16 PM
SweetTech Hello!
Please be advised, as I am still in... Nov 5 2009, 04:52 PM
harlequindreamsx ok, thanks Nov 5 2009, 04:54 PM
SweetTech My name is SweetTech. I would be glad to take a lo... Nov 5 2009, 07:40 PM
harlequindreamsx DDS (Ver_09-10-26.01) - NTFSx86
Run by Alyssa at... Nov 5 2009, 08:27 PM
SweetTech STEP 1.
While reviewing your logs I noticed that y... Nov 6 2009, 09:14 AM
harlequindreamsx The computer is running fine with intermittent tim... Nov 6 2009, 09:50 AM
SweetTech One or more of the identified infections is a back... Nov 6 2009, 12:24 PM
harlequindreamsx ComboFix 09-11-05.05 - Alyssa 11/06/2009 13:42.2.2... Nov 6 2009, 12:53 PM
SweetTech STEP 1.
Malwarebytes' Anti-Malware
I ... Nov 6 2009, 09:58 PM
harlequindreamsx I'm just posting to say I haven't had a ch... Nov 7 2009, 09:31 PM
SweetTech No worries! Thanks for letting me know. I appr... Nov 7 2009, 11:04 PM
harlequindreamsx Malwarebytes' Anti-Malware 1.41
Database versi... Nov 9 2009, 01:42 PM
SweetTech Clean-Up Time:
The following will implement some c... Nov 9 2009, 05:59 PM
harlequindreamsx thanks so much for all of your help Nov 9 2009, 06:10 PM
SweetTech You are very welcome.
Stay Safe!
SweetTech. Nov 9 2009, 06:11 PM
CatByte Since this issue appears to be resolved ... this T... Nov 11 2009, 07:20 AM