Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 03-26-2009, 10:57 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Troj Vundo.eox

We have a Dell laptop on our network that was brought home by my boss and was returned infected. When she plugged it in, our Trend network security immediately alerted me of the infection on the PC. It said the infection is troj vundo.eox. It said the infected file is c:\windows\system32\rqRHxvtk.dll. Thanks!

DDS (Ver_09-03-16.01) - NTFSx86
Run by cemr at 10:22:14.07 on Thu 03/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.648 [GMT -5:00]

FW: Trend Micro Client-Server Security Agent Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\cemr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.new.rr.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = 132.147.161.1:8080
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [LXCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCCtime.dll,_RunDLLEntry@16
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153233201078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: rqRHxvTK -
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-24 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 NICICCS;NICICCS;c:\windows\system32\drivers\niciccs.sys [2006-7-17 454384]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2008-5-19 36368]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-6-1 87936]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S2 OfcPfwSvc;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\OfcPfwSvc.exe [2008-5-19 278608]
S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2008-5-19 205328]
S3 BM;Novell Virtual Private Network Miniport;c:\windows\system32\drivers\vptunnel.sys [2006-7-17 140124]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [2007-8-28 191104]
S3 VmbInfce;VmbInfce;c:\windows\system32\drivers\vmbinfce.sys [2007-1-29 95104]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]

=============== Created Last 30 ================

2009-03-25 11:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-25 11:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-25 11:56 <DIR> --d----- c:\docume~1\cemr\applic~1\SUPERAntiSpyware.com
2009-03-25 11:56 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-25 11:44 <DIR> --d----- C:\VundoFix Backups
2009-03-25 03:16 <DIR> --d----- c:\windows\Recent
2009-03-25 03:16 <DIR> --d----- c:\windows\Cookies
2009-03-24 14:34 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-24 14:20 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-24 14:20 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 14:20 <DIR> --d----- c:\program files\Lavasoft
2009-03-24 11:32 <DIR> --d----- c:\program files\CCleaner
2009-03-24 11:28 <DIR> --d----- c:\documents and settings\cemr\DoctorWeb
2009-03-24 10:04 <DIR> --d----- c:\docume~1\cemr\applic~1\Malwarebytes
2009-03-24 10:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 10:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 10:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-24 10:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 20:59 1,641,749 ---sh--- c:\windows\system32\sskumxnu.ini
2009-03-20 12:14 1,918,361 ---sh--- c:\windows\system32\wnqgrlly.ini
2009-03-15 18:55 1,918,361 ---sh--- c:\windows\system32\oytgquks.ini
2009-03-13 19:02 1,918,352 ---sh--- c:\windows\system32\kuodaxlp.ini
2009-03-11 18:08 1,918,352 ---sh--- c:\windows\system32\skjqtgdv.ini
2009-03-08 20:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 20:13 1,813,461 ---sh--- c:\windows\system32\lccjswuv.ini
2009-03-06 19:10 1,813,461 ---sh--- c:\windows\system32\nkklpwhh.ini
2009-03-05 06:31 1,800,758 ---sh--- c:\windows\system32\hytagsde.ini
2009-03-05 06:28 1,800,758 ---sh--- c:\windows\system32\bqsodhls.ini
2009-03-03 22:22 1,628,265 ---sh--- c:\windows\system32\wepqjebd.ini
2009-03-02 20:58 1,628,232 ---sh--- c:\windows\system32\ombngxyc.ini

==================== Find3M ====================

2009-03-25 11:15 23,178 a------- c:\windows\system32\nvModes.dat
2009-03-24 09:47 10,752 a------- c:\windows\DCEBoot.exe

============= FINISH: 10:22:22.31 ===============
Attached Files
File Type: zip Attach.zip (3.8 KB, 2 views)
NEW2IT is offline  
Old 03-27-2009, 11:20 AM   #2 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,289
OS: Windows 7 Premium x64

My System

Re: Troj Vundo.eox

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
Old 03-27-2009, 12:43 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

I have attached the combofix.txt file. Thanks.
Attached Files
File Type: txt ComboFix.txt (12.7 KB, 6 views)
NEW2IT is offline  
Old 03-27-2009, 01:13 PM   #4 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,289
OS: Windows 7 Premium x64

My System

Re: Troj Vundo.eox

Hi there

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System




Download the file & save it as it's originally named.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.



  • At the next prompt, click 'No' to exit ComboFix scan.

Next....

Please open Notepad and copy and paste the following in the Code box into Notepad.

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/360252-troj-vundo-eox.html#post2046987
SkipFix::

Collect::
c:\windows\DCEBoot.exe 

File::
c:\windows\system32\tuvVPfeD.dl

AtJob::

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.



Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analyzing.



Click OK.

Combofix will then upload the files automatically. Please do not close Combofix's window.

Do not mouse click on Combofix while it is running. That may cause it to stall.

===================================

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===================================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

===================================

Please post back with the following logs:

>> The new combofix log
>> The log from Kaspersky

Can I also ask that you post them directly into your reply rather than adding them as attachments, as this makes analysis easier. Thank you.
sjb007 is offline  
Old 03-30-2009, 06:34 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

Thanks for the help so far. I am sorry for the delay in my reply. This is a pc I did not have access to over the weekend. I am currently running the Kaspersky scan and will post the logs when it is done. Thanks.
NEW2IT is offline  
Old 03-30-2009, 07:16 AM   #6 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

ComboFix 09-03-26.03 - cemr 2009-03-30 6:29:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.671 [GMT -5:00]
Running from: c:\documents and settings\cemr\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\cemr\Desktop\CFScript.txt
FW: Trend Micro Client-Server Security Agent Firewall *disabled*
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\windows\system32\tuvVPfeD.dl
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\DCEBoot.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-25 12:03 . 2009-03-25 12:03 <DIR> d-------- c:\documents and settings\Cheryl Marshall\Application Data\SUPERAntiSpyware.com
2009-03-25 11:57 . 2009-03-25 11:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-25 11:56 . 2009-03-25 11:56 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-25 11:56 . 2009-03-25 11:56 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-25 11:56 . 2009-03-25 11:56 <DIR> d-------- c:\documents and settings\cemr\Application Data\SUPERAntiSpyware.com
2009-03-25 11:44 . 2009-03-25 11:44 <DIR> d-------- C:\VundoFix Backups
2009-03-25 03:16 . 2009-03-25 03:16 <DIR> d-------- c:\windows\Recent
2009-03-25 03:16 . 2009-03-25 03:16 <DIR> d-------- c:\windows\Cookies
2009-03-24 14:34 . 2009-03-09 14:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-24 14:20 . 2009-03-24 14:20 <DIR> d-------- c:\program files\Lavasoft
2009-03-24 14:20 . 2009-03-24 14:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-24 14:20 . 2009-03-24 14:20 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 14:20 . 2009-03-09 14:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-24 12:36 . 2009-03-24 12:36 <DIR> d-------- c:\documents and settings\Cheryl Marshall\Application Data\Malwarebytes
2009-03-24 11:32 . 2009-03-24 11:32 <DIR> d-------- c:\program files\CCleaner
2009-03-24 11:28 . 2009-03-24 11:28 <DIR> d-------- c:\documents and settings\cemr\DoctorWeb
2009-03-24 10:04 . 2009-03-24 10:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 10:04 . 2009-03-24 10:04 <DIR> d-------- c:\documents and settings\cemr\Application Data\Malwarebytes
2009-03-24 10:04 . 2009-03-24 10:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-24 10:04 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 10:04 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 20:17 . 2009-03-08 20:16 410,984 --a------ c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 11:09 --------- d-----w c:\program files\Lx_cats
2009-03-26 15:06 --------- d-----w c:\program files\Trend Micro
2009-03-25 18:26 --------- d-----w c:\program files\Common
2009-03-09 01:16 --------- d-----w c:\program files\Java
.

((((((((((((((((((((((((((((( SnapShot@2009-03-27_13.38.09.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-30 11:07:57 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_694.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-07 7118848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 136600]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2006-11-10 381005]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"nwiz"="nwiz.exe" [2005-07-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-06-01 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-04-06 14:58 1032192 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-06-01 04:17 169472 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-05 19:43 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-24 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 NICICCS;NICICCS;c:\windows\system32\drivers\niciccs.sys [2006-07-17 454384]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [2008-05-19 36368]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-06-01 87936]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [2008-05-19 205328]
S3 BM;Novell Virtual Private Network Miniport;c:\windows\system32\drivers\vptunnel.sys [2006-07-17 140124]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-03-10 39424]
S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [2007-08-28 191104]
S3 VmbInfce;VmbInfce;c:\windows\system32\drivers\vmbinfce.sys [2007-01-29 95104]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 14:06]

2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-27 c:\windows\Tasks\iioqvkal.job
- c:\windows\system32\tuvVPfeD.dll []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.new.rr.com/
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = 132.147.161.1:8080
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 06:29:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1136)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-03-30 6:30:26
ComboFix-quarantined-files.txt 2009-03-30 11:30:22
ComboFix2.txt 2009-03-27 18:39:00

Pre-Run: 57,843,855,360 bytes free
Post-Run: 57,829,392,384 bytes free

172 --- E O F --- 2008-08-06 20:45:54


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 30, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 30, 2009 13:01:28
Records in database: 1986507
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
K:\

Scan statistics:
Files scanned: 82032
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:13:01


File name / Threat name / Threats count
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.j 1

The selected area was scanned.
NEW2IT is offline  
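The DDS output in post #1 and the ComboFix output in post #6 show the three traces this infection left behind: hidden+system (---sh---) .ini files with random eight-letter names in system32, a Winlogon Notify entry (rqRHxvTK) with no DLL path, and a scheduled task whose target DLL ComboFix lists with an empty [] size/date field. As an added example that is not a tool from this thread, the Python script below runs those three checks over lines copied from the posted logs; the line-format regexes are my own reading of the DDS/ComboFix layouts, and the created-file check accepts both the DDS form and the ComboFix form with its second timestamp.

```python
"""Triage checks for DDS / ComboFix-style logs (added example, not a tool from this thread)."""
import re
from dataclasses import dataclass

# DDS "Created Last 30" line, e.g.
#   2009-03-23 20:59 1,641,749 ---sh--- c:\windows\system32\sskumxnu.ini
# ComboFix adds a second timestamp: "2009-03-24 14:34 . 2009-03-09 14:06 15,688 --a------ ..."
# (regex is an assumption about the log layout, derived from the lines posted above)
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" (?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{8,9}) (?P<path>.+)$", re.I)
# DDS Winlogon Notify line, e.g. "Notify: rqRHxvTK -" (no DLL path resolved)
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) -\s*(?P<path>.*)$")
# ComboFix scheduled-task target line, e.g. "- c:\windows\system32\tuvVPfeD.dll []"
TASK_TARGET_RE = re.compile(r"^- (?P<path>.+?) \[(?P<meta>[^\]]*)\]$")
# Eight-letter pseudo-random names like sskumxnu.ini / rqRHxvTK.dll
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:ini|dll)$", re.I)


@dataclass
class Finding:
    kind: str
    path: str
    reason: str


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def scan_log(text: str) -> list:
    """Return a Finding for each line matching one of the three patterns; other lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.group("attrs").lower(), m.group("path")
            name = path.rsplit("\\", 1)[-1]
            # hidden + system attributes on a random-named file directly under system32
            if ("s" in attrs and "h" in attrs and m.group("size").upper() != "<DIR>"
                    and in_system32(path) and RANDOM_NAME_RE.match(name)):
                findings.append(Finding("hidden_system_file", path,
                                        f"attributes {attrs}, random 8-letter name"))
            continue
        m = NOTIFY_RE.match(line)
        if m and not m.group("path").strip():
            findings.append(Finding("winlogon_notify_no_path", m.group("name"),
                                    "Winlogon Notify entry with no DLL path"))
            continue
        m = TASK_TARGET_RE.match(line)
        if m and not m.group("meta").strip():
            findings.append(Finding("task_missing_target", m.group("path"),
                                    "scheduled task points at a file with no size/date ([])"))
    return findings


# Constructed sample: lines copied from the DDS and ComboFix logs posted in this
# thread, mixed with benign entries from the same logs.
SAMPLE_LOG = r"""
2009-03-24 10:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-23 20:59 1,641,749 ---sh--- c:\windows\system32\sskumxnu.ini
2009-03-20 12:14 1,918,361 ---sh--- c:\windows\system32\wnqgrlly.ini
2009-03-08 20:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-24 14:34 . 2009-03-09 14:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-24 14:20 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: rqRHxvTK -
2009-03-27 c:\windows\Tasks\iioqvkal.job
- c:\windows\system32\tuvVPfeD.dll []
2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 14:06]
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}: {f.reason}")
```

Each finding is only a lead for manual review: an eight-letter name alone (deploytk.dll) is not flagged, the hidden+system attributes are what single out the Vundo .ini files.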
Old 03-30-2009, 04:40 PM   #7 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,289
OS: Windows 7 Premium x64

My System

Re: Troj Vundo.eox

Hi there

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Quote:
@echo off
rem Start with a clean log; it will only list files that could not be deleted
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Each quoted path in the list below is deleted with del /a (any attribute,
rem including hidden and system), /f (force read-only) and /q (no prompt).
rem If a file still exists afterwards, its unquoted path is appended to the log.
for %%g in (

"c:\windows\Tasks\iioqvkal.job"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


rem Show the log of failures in Notepad, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem Remove this batch file itself
del %0
Save this as fix.bat. Choose "Save as type: All Files".
It should look like this:
Double click on fix.bat and allow it to run.

Post back to tell me what it says..

Apart from that all is looking good from my side, how are things running, any more problems to report?
sjb007 is offline  
Old 03-31-2009, 05:38 AM   #8 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

After running the fix.bat it said successfully deleted, press any key to continue. After that I restarted the computer and logged on to our network. Our trend network security alerted me that it had detected viruses on 1 or more of our computers. I looked at the security dashboard and found it is still this computer. It tells me the virus/malware name is TROJ VUNDO.EOX. The infected file is listed as rqRHxvTK.dll. The path is listed as C:\WINDOWS\system32\. Trend is not able to quarantine the file. I have since disconnected the pc from the network.
Old 03-31-2009, 06:10 AM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,289
OS: Windows 7 Premium x64


Re: Troj Vundo.eox

Hi there

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :dir 
    C:\WINDOWS\system32 /n*.dll /t50
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
Old 03-31-2009, 06:28 AM   #10 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

SystemLook v1.0 by jpshortstuff (02.03.09)
Log created at 07:26 on 31/03/2009 by cemr (Administrator - Elevation successful)

========== dir ==========

C:\WINDOWS\system32 - Parameters: "/n*.dll /t50"

---Files---
deploytk.dll --a--- 410984 bytes [01:17 09/03/2009] [01:16 09/03/2009]

---Folders---
1025 d----- [22:02 11/08/2004]
1028 d----- [22:02 11/08/2004]
1031 d----- [22:02 11/08/2004]
1033 d----- [22:02 11/08/2004]
1037 d----- [22:02 11/08/2004]
1041 d----- [22:02 11/08/2004]
1042 d----- [22:02 11/08/2004]
1054 d----- [22:02 11/08/2004]
2052 d----- [22:02 11/08/2004]
3076 d----- [22:02 11/08/2004]
3com_dmi d----- [22:02 11/08/2004]
appmgmt d----- [23:20 25/04/2008]
CatRoot d----- [22:06 11/08/2004]
CatRoot2 d----- [22:06 11/08/2004]
Com d----- [22:11 11/08/2004]
config d----- [22:02 11/08/2004]
dhcp d----- [22:02 11/08/2004]
DirectX d----- [22:13 11/08/2004]
dla d----- [09:18 01/06/2006]
dllcache dr-hs- [22:02 11/08/2004]
drivers d----- [08:58 01/06/2006]
DRVSTORE d----c [00:00 26/12/2008]
export d----- [22:02 11/08/2004]
FxsTmp d----- [22:11 11/08/2004]
ias d----- [22:02 11/08/2004]
icsxml d----- [22:02 11/08/2004]
IME d----- [22:02 11/08/2004]
inetsrv d----- [22:02 11/08/2004]
LogFiles d----- [20:59 17/07/2007]
Macromed d----- [22:12 11/08/2004]
Microsoft d---s- [22:20 11/08/2004]
MsDtc d----- [22:11 11/08/2004]
mui d----- [22:02 11/08/2004]
nls d----- [17:47 17/07/2006]
novell d----- [17:48 17/07/2006]
npp d----- [22:02 11/08/2004]
oobe d----- [08:57 01/06/2006]
PreInstall d----- [01:52 23/10/2007]
ras d----- [22:02 11/08/2004]
ReinstallBackups d----- [09:01 01/06/2006]
Restore d----- [22:12 11/08/2004]
Setup d----- [22:02 11/08/2004]
ShellExt d----- [22:02 11/08/2004]
SoftwareDistribution d----- [21:52 05/07/2007]
spool d----- [22:02 11/08/2004]
URTTemp d----- [22:21 11/08/2004]
usmt d----- [22:02 11/08/2004]
wbem d----- [22:02 11/08/2004]
wins d----- [22:02 11/08/2004]
xircom d----- [22:15 11/08/2004]

-=End Of File=-
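The SystemLook `:dir` request in post #9 and the log in post #10 only show files whose modification time falls inside the requested window, so a file a scanner keeps reporting can be absent from the listing simply because it is older than 50 days, or because the reported name differs in case from the name on disk. The following is an added example, not code from the thread or from SystemLook itself; it is a portable stand-in that reproduces the same kind of listing and adds a case-insensitive lookup. It assumes (from the way the log reads) that `/n` is a filename pattern and `/t` is a "modified within the last N days" window; the sample files it creates are constructed in a scratch directory and are not real system files.

```python
"""Added example (not from the thread): a small, portable stand-in for the
SystemLook ':dir' listing, plus a case-insensitive filename lookup.
Assumes /n = filename pattern and /t = 'modified within the last N days'."""
import fnmatch
import os
import stat
import tempfile
import time
from datetime import datetime
from pathlib import Path
from typing import List, Optional, Tuple

# (on-disk name, size in bytes, modification time, hidden attribute set?)
Hit = Tuple[str, int, float, bool]


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute where available; a leading dot elsewhere
    (an approximation used so the example also runs on non-Windows hosts)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def list_recent_files(directory: str, pattern: str = "*.dll",
                      days: int = 50, now: Optional[float] = None) -> List[Hit]:
    """Files in `directory` matching `pattern` (case-insensitively) whose
    modification time is within the last `days` days, sorted by name."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits: List[Hit] = []
    for entry in sorted(Path(directory).iterdir(), key=lambda p: p.name.lower()):
        if not entry.is_file():
            continue
        if not fnmatch.fnmatchcase(entry.name.lower(), pattern.lower()):
            continue
        st = entry.stat()
        if st.st_mtime >= cutoff:
            hits.append((entry.name, st.st_size, st.st_mtime, is_hidden(entry)))
    return hits


def find_name_case_insensitive(directory: str, reported_name: str) -> Optional[str]:
    """Return the on-disk spelling of `reported_name`, ignoring case, or None.
    Scanner reports and directory listings often differ only in case."""
    wanted = reported_name.lower()
    for entry in Path(directory).iterdir():
        if entry.name.lower() == wanted:
            return entry.name
    return None


def format_listing(hits: List[Hit]) -> List[str]:
    """Render hits in a SystemLook-like 'name size [HH:MM DD/MM/YYYY]' form."""
    lines = []
    for name, size, mtime, hidden in hits:
        stamp = datetime.fromtimestamp(mtime).strftime("%H:%M %d/%m/%Y")
        flag = " (hidden)" if hidden else ""
        lines.append(f"{name} {size} bytes [{stamp}]{flag}")
    return lines


def build_sample_dir() -> str:
    """Create a scratch directory with constructed sample files (hypothetical
    names, not real system files) so the listing can be exercised offline."""
    root = tempfile.mkdtemp(prefix="dirlook_")
    now = time.time()
    samples = {
        "deploytk.dll": 20,     # modified 20 days ago: inside a 50-day window
        "SampleOld.dll": 400,   # modified 400 days ago: outside the window
        "readme.txt": 1,        # recent, but does not match *.dll
    }
    for name, age_days in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * 16)
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    print(f"{root} - Parameters: \"/n*.dll /t50\"")
    for line in format_listing(list_recent_files(root, "*.dll", 50)):
        print(line)
    # The old DLL is missing from the 50-day listing but still present on disk.
    print("lookup sampleold.DLL ->", find_name_case_insensitive(root, "sampleold.DLL"))
```

Run stand-alone, the 50-day listing shows only `deploytk.dll`, while the case-insensitive lookup still finds `SampleOld.dll`: a file can be absent from a time-filtered listing without being absent from the directory, so a "not seen" result in such a log should be read together with the window that produced it.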
Old 03-31-2009, 06:46 AM   #11 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,289
OS: Windows 7 Premium x64


Re: Troj Vundo.eox

Hmm still not seeing anything

Let's try this...

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Skipfix::

Dirlook::
C:\WINDOWS\system32
Save this as CFScript.txt, in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Old 03-31-2009, 06:50 AM   #12 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

Do you want me to have an active internet connection while doing this scan?
Old 03-31-2009, 07:43 AM   #13 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

I have attached 2 logs. I had to attach them because each one was too large to copy and paste individually. If there is a better way let me know. Log1 was created without an active internet connection. Log2 was created with an active internet connection.
Attached Files
File Type: txt log1.txt (331.3 KB, 2 views)
File Type: txt log2.txt (331.6 KB, 2 views)
Old 03-31-2009, 04:30 PM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,289
OS: Windows 7 Premium x64


Re: Troj Vundo.eox

Hi there

I'm not seeing anything related to the filename that you mention.

Please download Malwarebytes Anti-Malware (MBAM) and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Old 04-01-2009, 05:23 AM   #15 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 2

2009-04-01 06:16:47
mbam-log-2009-04-01 (06-16-47).txt

Scan type: Quick Scan
Objects scanned: 88387
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Old 04-02-2009, 03:19 AM   #16 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,289
OS: Windows 7 Premium x64


Re: Troj Vundo.eox

Hi there

I'm still not seeing anything here. Can I just ask if Trend Micro creates reports? If so, please run a full system scan with Trend Micro and post back with any reports that are generated.
Old 04-02-2009, 06:43 AM   #17 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

I scanned the pc with the trend security agent and it found nothing. It does not generate much of a report. What I don't understand is as soon as the pc is connected to the domain, the trend network security agent detects the troj vundo.eox and lists the file as c:\windows\system32\rqRHxvTK.dll. It will detect hundreds of attempts of that virus trying to access the internet.
Old 04-02-2009, 06:54 AM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,037
OS: WinXP and Vista


Re: Troj Vundo.eox

Hello NEW2IT,

As sjb007 will be away from the computer for several days, I'll be continuing with you.

Vundo has been known to still try to access from VundoFix Backups. Please delete this folder:

C:\VundoFix Backups

Is Trend Micro still alerting you?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-02-2009, 07:17 AM   #19 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

After deleting the vundofix backups, it is still alerting me.
Old 04-02-2009, 07:48 AM   #20 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 38
OS: XP SP3


Re: Troj Vundo.eox

Now trend is finding what it calls "possible Vundo-9". The path it specifies is C:\windows\system32\. The file name is geBuTjKb.dll. I searched for this file and found nothing. Under action taken trend says the infected file was successfully passed.
 


Copyright 2001 - 2009, Tech Support Forum