Trojan.vundo.dvs

scottohno · April 2008

I've contracted this last night and feel like taking a sledgehammer to the laptop at the moment. When I first downloaded it, it started giving me the popup from bitDefender saying it's blocked. After I click ok to blocking it, the taskbar and all the icons from the desktop dissapear. When I restart, it never finishes loading everything, it freezes until I open task manager and start ending processes. I've read the other topics on this subject and have taken some of the preliminary steps outlined by most people responding.

I also have a screenshot of the boxes coming up from BitDefender and Spyware Doctor.

I ran silent runners, and this is what I got (I have no idea how to interpret it):

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"TOSCDSPD" = "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" ["TOSHIBA"]

"Aim6" = (empty string) [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]

"00THotkey" = "C:\WINDOWS\system320THotkey.exe" ["TOSHIBA Corporation"]

"TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]

"TPSODDCtl" = "TPSODDCtl.exe" ["TOSHIBA Corporation"]

"PadTouch" = "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" ["TOSHIBA"]

"TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]

"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]

"Tvs" = "C:\Program Files\Toshiba\Tvs\TvsTray.exe" ["TOSHIBA Corporation"]

"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]

"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]

"Pinger" = "c:\toshiba\ivp\ism\pinger.exe /run" ["TOSHIBA Corporation"]

"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]

"CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

"WinampAgent" = ""C:\Program Files\Winamp\winampa.exe"" [null data]

"LXCGCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16" [MS]

"lxcgmon.exe" = ""C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"" ["Lexmark International, Inc."]

"EzPrint" = ""C:\Program Files\Lexmark 2300 Series\ezprint.exe"" ["Lexmark International Inc."]

"BitDefender Antiphishing Helper" = ""C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"" ["BitDefender"]

"BDAgent" = ""C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"" ["BitDefender S.R.L."]

"ISTray" = ""C:\Program Files\Spyware Doctor\pctsTray.exe"" ["PC Tools"]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"

\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)

-> {HKLM...CLSID} = "DriveLetterAccess"

\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

{BD57D2D6-2F55-45AA-B239-E8ED381AB411}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\ssqPiIXN.dll" [null data]

{F50B3F5E-856E-4757-9BB1-B35D46CA7719}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\vtuuTnMF.dll" [null data]

{F87141CE-278D-49A0-AE0A-C33EBB863537}\(Default) = (no title provided)

-> {HKLM...CLSID} = "DVA Storm"

\InProcServer32\(Default) = "C:\WINDOWS\qnmargolxpg.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {HKLM...CLSID} = "Display Panning CPL Extension"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{C4213067-97B3-4929-9B98-B5600FBBBA13}" = "TouchED"

-> {HKLM...CLSID} = "TouchShellExt Class"

\InProcServer32\(Default) = "C:\Program Files\TOSHIBA\TouchED\TouchED.dll" ["TOSHIBA Corporation"]

"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"

-> {HKLM...CLSID} = "DriveLetterAccess"

\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]

"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"

-> {HKLM...CLSID} = "RecordNow! SendToExt"

\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Office2K\Office\" [file not found]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\Office2K\Office\OLKFSTUB.DLL" [MS]

"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

-> {HKLM...CLSID} = "iTunes"

\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"

-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"

\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]

<<!>> "{F50B3F5E-856E-4757-9BB1-B35D46CA7719}" = "*a" (unwritable string)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\vtuuTnMF.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

"vadokmxt" = "{B70566AC-448C-461D-9A2B-DC1CEE520E5A}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\vadokmxt.dll" [null data]

"wdpoefan" = "{DE9E3BC2-58DA-4D8A-8272-89739CB8AF20}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\wdpoefan.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\

<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\ssqPiIXN"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]

<<!>> vtuuTnMF\DLLName = "vtuuTnMF.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

"NoCDBurning" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoUpdateCheck" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme

{unrecognized setting}

Active Desktop and Wallpaper:

-----------------------------

Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\onacious\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\

"FriendlyName" = "Privacy Protection"

"Source" = "file:///C:\WINDOWS\privacy_danger\index.htm"

"SubscribedURL" = ""

Startup items in "onacious" & "All Users" startup folders:

----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"Extender Resource Monitor" -> shortcut to: "C:\WINDOWS\ehome\RMSysTry.exe" [MS]

"RAMASST" -> shortcut to: "C:\WINDOWS\system32\RAMASST.exe" ["Matsushita Electric Industrial Co., Ltd."]

Enabled Scheduled Tasks:

------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]

Winsock2 Service Provider DLLs:

-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{381FFDE8-2394-4F90-B10D-FC6124A40F8C}" = "IEToolbar"

-> {HKLM...CLSID} = "BitDefender Toolbar"

\InProcServer32\(Default) = "C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll" ["Bitdefender"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points

------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):

[strings]: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

Missing lines (compared with English-language version):

[strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]

BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service" ["BitDefender"]

BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service" ["BitDefender SRL"]

BitDefender Threat Scanner, scan, "C:\WINDOWS\System32\svchost.exe -kbdx" {"C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll" ["S.C. BitDefender S.R.L"]}

BitDefender Virus Shield, VSSERV, ""C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe" /service" ["BitDefender S.R.L."]

ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]

EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]

lxcg_device, lxcg_device, "C:\WINDOWS\system32\lxcgcoms.exe -service" [" "]

Media Center Extender Resource Monitor, RMSvc, "C:\WINDOWS\ehome\RMSvc.exe" [MS]

Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\McrdSvc.exe" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\pctsAuxs.exe" ["PC Tools"]

PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\pctsSvc.exe" ["PC Tools"]

RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]

Swupdtmr, Swupdtmr, "c:\TOSHIBA\IVP\swupdate\swupdtmr.exe" [null data]

Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]

Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}

Print Monitors:

---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

2300 Series Port\Driver = "lxcglmpm.dll" [" "]

Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

---------- (launch time: 2008-04-22 08:36:39)

<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.

+ To see *everywhere* the ****** checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 61 seconds, including 11 seconds for message boxes)

Chesda · April 2008

Silent Runners isn't unable to fix anything but it shows what is running.

In order to fix the malware please download ComboFix and Hijackthis. Run them and produce a scan log and post it here.

Trojan.vundo.dvs

Comments

All Time Leaders

Categories

Defenders of the month - March