Kindly be advised we cannot cancel subscriptions or issue refunds on the forum.
You may cancel your Bitdefender subscription from Bitdefender Central or by contacting Customer Support at: https://www.bitdefender.com/consumer/support/help/

Thank you for your understanding.

Trojan.vundo.dvs

Options
scottohno
scottohno
in Malware talk

I've contracted this last night and feel like taking a sledgehammer to the laptop at the moment. When I first downloaded it, it started giving me the popup from bitDefender saying it's blocked. After I click ok to blocking it, the taskbar and all the icons from the desktop dissapear. When I restart, it never finishes loading everything, it freezes until I open task manager and start ending processes. I've read the other topics on this subject and have taken some of the preliminary steps outlined by most people responding.


I also have a screenshot of the boxes coming up from BitDefender and Spyware Doctor.


viruses.jpg


I ran silent runners, and this is what I got (I have no idea how to interpret it):


"Silent Runners.vbs", revision 56, http://www.silentrunners.org/


Operating System: Windows XP SP2


Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:


---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}


"TOSCDSPD" = "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" ["TOSHIBA"]


"Aim6" = (empty string) [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}


"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]


"00THotkey" = "C:\WINDOWS\system320THotkey.exe" ["TOSHIBA Corporation"]


"TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]


"TPSODDCtl" = "TPSODDCtl.exe" ["TOSHIBA Corporation"]


"PadTouch" = "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" ["TOSHIBA"]


"TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]


"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]


"Tvs" = "C:\Program Files\Toshiba\Tvs\TvsTray.exe" ["TOSHIBA Corporation"]


"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]


"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]


"Pinger" = "c:\toshiba\ivp\ism\pinger.exe /run" ["TOSHIBA Corporation"]


"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]


"CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data]


"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]


"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]


"WinampAgent" = ""C:\Program Files\Winamp\winampa.exe"" [null data]


"LXCGCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16" [MS]


"lxcgmon.exe" = ""C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"" ["Lexmark International, Inc."]


"EzPrint" = ""C:\Program Files\Lexmark 2300 Series\ezprint.exe"" ["Lexmark International Inc."]


"BitDefender Antiphishing Helper" = ""C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"" ["BitDefender"]


"BDAgent" = ""C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"" ["BitDefender S.R.L."]


"ISTray" = ""C:\Program Files\Spyware Doctor\pctsTray.exe"" ["PC Tools"]


HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\


>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"


\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\


{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)


-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"


\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]


{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)


-> {HKLM...CLSID} = "DriveLetterAccess"


\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]


{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)


-> {HKLM...CLSID} = "SSVHelper Class"


\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]


{BD57D2D6-2F55-45AA-B239-E8ED381AB411}\(Default) = (no title provided)


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "C:\WINDOWS\system32\ssqPiIXN.dll" [null data]


{F50B3F5E-856E-4757-9BB1-B35D46CA7719}\(Default) = (no title provided)


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "C:\WINDOWS\system32\vtuuTnMF.dll" [null data]


{F87141CE-278D-49A0-AE0A-C33EBB863537}\(Default) = (no title provided)


-> {HKLM...CLSID} = "DVA Storm"


\InProcServer32\(Default) = "C:\WINDOWS\qnmargolxpg.dll" [null data]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\


"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"


-> {HKLM...CLSID} = "Display Panning CPL Extension"


\InProcServer32\(Default) = "deskpan.dll" [file not found]


"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"


-> {HKLM...CLSID} = "HyperTerminal Icon Ext"


\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]


"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"


-> {HKLM...CLSID} = "DesktopContext Class"


\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]


"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"


-> {HKLM...CLSID} = "Desktop Explorer"


\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]


"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]


"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"


-> {HKLM...CLSID} = "nView Desktop Context Menu"


\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]


"{C4213067-97B3-4929-9B98-B5600FBBBA13}" = "TouchED"


-> {HKLM...CLSID} = "TouchShellExt Class"


\InProcServer32\(Default) = "C:\Program Files\TOSHIBA\TouchED\TouchED.dll" ["TOSHIBA Corporation"]


"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"


-> {HKLM...CLSID} = "DriveLetterAccess"


\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]


"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"


-> {HKLM...CLSID} = "RecordNow! SendToExt"


\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]


"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"


-> {HKLM...CLSID} = "NVIDIA CPL Extension"


\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]


"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "C:\Program Files\Office2K\Office\" [file not found]


"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"


-> {HKLM...CLSID} = "Outlook File Icon Extension"


\InProcServer32\(Default) = "C:\PROGRA~1\Office2K\Office\OLKFSTUB.DLL" [MS]


"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS]


"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"


-> {HKLM...CLSID} = "iTunes"


\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]


"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"


-> {HKLM...CLSID} = "Portable Media Devices Menu"


\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\


<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"


-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"


\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]


<<!>> "{F50B3F5E-856E-4757-9BB1-B35D46CA7719}" = "*a" (unwritable string)


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "C:\WINDOWS\system32\vtuuTnMF.dll" [null data]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\


"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"


-> {HKLM...CLSID} = "WPDShServiceObj Class"


\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


"vadokmxt" = "{B70566AC-448C-461D-9A2B-DC1CEE520E5A}"


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "C:\WINDOWS\vadokmxt.dll" [null data]


"wdpoefan" = "{DE9E3BC2-58DA-4D8A-8272-89739CB8AF20}"


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "C:\WINDOWS\wdpoefan.dll" [null data]


HKLM\SYSTEM\CurrentControlSet\Control\Lsa\


<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\ssqPiIXN"


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\


<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]


<<!>> vtuuTnMF\DLLName = "vtuuTnMF.dll" [null data]


HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\


{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"


-> {HKLM...CLSID} = "PDF Shell Extension"


\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


Group Policies {GPedit.msc branch and setting}:


-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


"NoResolveSearch" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


"NoCDBurning" = (REG_DWORD) dword:0x00000000


{unrecognized setting}


HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\


"NoUpdateCheck" = (REG_DWORD) dword:0x00000001


{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001


{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|


Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001


{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|


Devices: Allow undock without having to log on}


"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles


{unrecognized setting}


"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme


{unrecognized setting}


Active Desktop and Wallpaper:


-----------------------------


Active Desktop may be enabled at this entry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:


HKCU\Software\Microsoft\Internet Explorer\Desktop\General\


"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:


HKCU\Control Panel\Desktop\


"Wallpaper" = "C:\Documents and Settings\onacious\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Active Desktop web content (hidden if disabled):


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\


"FriendlyName" = "Privacy Protection"


"Source" = "file:///C:\WINDOWS\privacy_danger\index.htm"


"SubscribedURL" = ""


Startup items in "onacious" & "All Users" startup folders:


----------------------------------------------------------


C:\Documents and Settings\All Users\Start Menu\Programs\Startup


"Extender Resource Monitor" -> shortcut to: "C:\WINDOWS\ehome\RMSysTry.exe" [MS]


"RAMASST" -> shortcut to: "C:\WINDOWS\system32\RAMASST.exe" ["Matsushita Electric Industrial Co., Ltd."]


Enabled Scheduled Tasks:


------------------------


"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:


-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}


000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}


0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:


%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17


%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:


------------------------------------


Toolbars


HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\


"{381FFDE8-2394-4F90-B10D-FC6124A40F8C}" = "IEToolbar"


-> {HKLM...CLSID} = "BitDefender Toolbar"


\InProcServer32\(Default) = "C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll" ["Bitdefender"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\


{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\


"MenuText" = "Sun Java Console"


"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"


-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"


\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]


-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"


\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]


{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\


{FB5F1910-F110-11D2-BB9E-00C04F795683}\


"ButtonText" = "Messenger"


"MenuText" = "Windows Messenger"


"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points


------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):


[strings]: START_PAGE_URL=http://www.toshibadirect.com/dpdstart


Missing lines (compared with English-language version):


[strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):


------------------------------------------------------------------


Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]


BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service" ["BitDefender"]


BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service" ["BitDefender SRL"]


BitDefender Threat Scanner, scan, "C:\WINDOWS\System32\svchost.exe -kbdx" {"C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll" ["S.C. BitDefender S.R.L"]}


BitDefender Virus Shield, VSSERV, ""C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe" /service" ["BitDefender S.R.L."]


ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]


EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]


lxcg_device, lxcg_device, "C:\WINDOWS\system32\lxcgcoms.exe -service" [" "]


Media Center Extender Resource Monitor, RMSvc, "C:\WINDOWS\ehome\RMSvc.exe" [MS]


Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\McrdSvc.exe" [MS]


NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]


PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\pctsAuxs.exe" ["PC Tools"]


PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\pctsSvc.exe" ["PC Tools"]


RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]


SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]


Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]


Swupdtmr, Swupdtmr, "c:\TOSHIBA\IVP\swupdate\swupdtmr.exe" [null data]


Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]


Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:


---------------


HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\


2300 Series Port\Driver = "lxcglmpm.dll" [" "]


Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2008-04-22 08:36:39)


<<!>>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.


+ To see *everywhere* the ****** checks and *everything* it finds,


launch it from a command prompt or a shortcut with the -all parameter.


+ To search all directories of local fixed drives for DESKTOP.INI


DLL launch points, use the -supp parameter or answer "No" at the


first message box and "Yes" at the second message box.


---------- (total run time: 61 seconds, including 11 seconds for message boxes)

Comments

  • Chesda
    Chesda
    Options

    Silent Runners isn't unable to fix anything but it shows what is running.


    In order to fix the malware please download ComboFix and Hijackthis. Run them and produce a scan log and post it here.

All Time Leaders

Categories

Defenders of the month