dll's missing on start up

Hi everybody!

After strange problems I gave Avast! Home a try and it promptly found and removed the VunDrop trojan (and others on boot scan, but I didn't find the log for these). So far so good. Since then I receive two small Vista pop-up windows after logging in. The system can no longer open jkkLcBRL.dll and fqeseuah.dll. I don't regret that much because both have been infected by the trojan. But I wonder what keeps trying to access these DLLs. Obviously there's still something which shouldn't be there and the pop-ups are annoying.
Of course I googled the problem but it seems that the DLL names have been randomly created, hence Google doesn't find a single hit. What should be done?

greez
illuminon

Both haven't been infected; both are nothing but malicious content with the typical Vundo randomly generated file names, which is why you found zero hits when you googled them.

What is happening is that the files have been removed, but there are still registry entries that try to run the Vundo malware, only to find that the files aren't there any more.

You can use HiJackThis: run a scan, find the entries relating to those files and 'fix' them.

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

Download and run HJT and post the contents of the log file (cut and paste) into this topic; you may need to split it over two or more posts depending on how large it is.

Here we go:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:54:05, on 05.06.2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
E:\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Users\illuminon\Desktop\ProcessMonitor\Procmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: (no name) - {F726BE4C-7AFA-456E-93A0-197D09BB097D} - C:\Windows\system32\xxYqQkLE.dll (file missing)
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundTray] C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM6d357f7e] Rundll32.exe "C:\Windows\system32\fqeseuah.dll",s
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkLcBRL.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe

--
End of file - 5747 bytes

First, you don't appear to have an active firewall, so I presume you are using the Vista firewall, which by default doesn't check outbound traffic. Though you can enable it, it is rule based and 'you' have to create the rules.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0

Fix:
O2 - BHO: (no name) - {F726BE4C-7AFA-456E-93A0-197D09BB097D} - C:\Windows\system32\xxYqQkLE.dll (file missing)
O4 - HKLM\..\Run: [BM6d357f7e] Rundll32.exe "C:\Windows\system32\fqeseuah.dll",s
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkLcBRL.dll,#1

Other than those I don’t see anything obvious.

Do you have the Vista UAC disabled?
The reason I ask is that I thought it would pop up when something tried to put files in the system folders.

Thanks, the problem is fixed!
Concerning the firewall, NetLimiter includes a powerful firewall checking in- and outbound traffic. It made me suspicious in the first place.
And yes, UAC is disabled. I know it would offer better protection, but it's simply too annoying due to frequent changes in this sensitive area.
HJT seems to be great. A good deal less confusing than Process Monitor from Sysinternals :)

No problem, glad I could help.

Yes, HJT is a good tool, but it does require analysis, and there are plenty of places where you can get that. Process Monitor has its uses, but in this case it wouldn't have found anything, as the registry entries wouldn't have been detected without their files running.

Welcome to the forums.

By the way, how does HJT determine which registry entries are to be shown? I mean, there are tons of them, but nevertheless only a handful were displayed. Does it only show those of processes invoked since system start, or how does it work? What does HJT actually do when scanning? Thanks for the education :)

It is simply reporting 'running' processes regardless of when they start; you might have noticed that it also reports itself running, and you, the user, started that.

If a process is running because a registry entry started it, then it will show the corresponding registry entry.
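To make concrete what the two replies above describe (Run entries that outlive the malware files they point at, and HJT showing the registry entry behind each started process), here is an added example that is not HijackThis's own code and not from anyone in this thread: a small Python parser for the O4 lines of an HJT log that works out which file each entry really loads (for rundll32 entries, the DLL passed as its first argument) and reports those whose file is missing. The `exists` and `env` parameters are assumptions added so it can be checked offline; on the affected machine the defaults use the real file system and environment.

```python
import os
import re
# Constructed sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [BM6d357f7e] Rundll32.exe "C:\Windows\system32\fqeseuah.dll",s',
    r"O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkLcBRL.dll,#1",
    r'O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun',
]
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXT_RE = re.compile(r"\.(exe|dll|cpl|scr|bat|cmd)$", re.IGNORECASE)
def split_first(cmd):
    """Split off the first argument, honouring quotes; an unquoted path with spaces is
    taken up to the first prefix ending in an executable extension (CreateProcess-like)."""
    cmd = cmd.lstrip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:])
    words = cmd.split(" ")
    for i in range(1, len(words) + 1):
        if EXT_RE.search(" ".join(words[:i])):
            return " ".join(words[:i]), " ".join(words[i:])
    return words[0], " ".join(words[1:])

def expand(path, env):
    """Expand %VAR% references case-insensitively from the supplied environment dict."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def run_target(cmd, env):
    """Return (file the entry really loads, via_rundll32): for rundll32 the payload is
    the DLL given as its first argument, without the ',entrypoint' suffix."""
    exe, rest = split_first(expand(cmd, env))
    if os.path.basename(exe.replace("\\", "/")).lower() == "rundll32.exe":
        return split_first(rest)[0].split(",", 1)[0], True
    return exe, False

def find_orphans(lines, exists=os.path.exists, env=None):
    """Report O4 Run entries whose target file no longer exists (the 'file missing' case)."""
    env = dict(os.environ) if env is None else env
    orphans = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            target, via_dll = run_target(m.group("cmd"), env)
            if not exists(target):
                orphans.append({"hive": m.group("hive"), "name": m.group("name"), "target": target, "rundll32": via_dll})
    return orphans
```

Run against a real log on the machine itself, the two orphaned rundll32 entries from this thread are exactly the ones that would be reported, while entries for files that are still present stay quiet.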