RUNDLL errors and pop-ups in IE7 - possible virus

When the user logs on he receives the following errors:

RUNDLL
Error loading C:\DOCUME~1\jcarter\LOCALS~1\Temp\ddaya.dll
The specified module could not be found.

RUNDLL
Error in C:\WINDOWS\system32\pqcppmmb.dll
Missing entry:run

The PC runs very slowly, and when he opens IE7 he gets constant pop-ups and adverts for antispyware etc.

I ran Spybot but it could not clear a problem called Virtumonde. After searching I found that this is a known trojan called Vundo. I tried downloading VundoFix. It said it removed it successfully; however, the user still gets the error messages above and pop-ups. HijackThis log attached:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:57:02, on 06/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [68da394e] rundll32.exe "C:\WINDOWS\system32\svenjrli.dll",b
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\DOCUME~1\jcarter\LOCALS~1\Temp\ddaya.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\DOCUME~1\jcarter\LOCALS~1\Temp\vtsqq.dll,c
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\WINDOWS\system32\pqcppmmb.dll",run
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202307143724
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ncgpi.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = ncgpi.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ncgpi.co.uk
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MSSQL$MICROSOFTBCM - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SQLAgent$MICROSOFTBCM - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE (file missing)
O24 - Desktop Component 0: (no name) - http://img491.imageshack.us/img491/6486/oddjob1x1nb.gif
 
--
End of file - 5594 bytes


NCGPIICT asked:
 
IndiGenus commented:
Bingo...

Run HijackThis (on the user account). Put a check in the box on the left side next to these:

---------------------------------

O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\DOCUME~1\jcarter\LOCALS~1\Temp\ddaya.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\DOCUME~1\jcarter\LOCALS~1\Temp\vtsqq.dll,c
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\WINDOWS\system32\sdtumwoq.dll",run

---------------------------------

Then close all windows except HJT and press Fix checked. Reboot and hopefully the errors are gone for good.
0
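The three entries Dave picks out share a pattern: a Run value that hands a randomly named DLL to rundll32 with a one-letter export or an ordinal, often from the user's Temp directory. The script below is an added example written for this page (not part of the thread, HijackThis or ComboFix): it parses HJT O4 lines, scores the rundll32 loaders with heuristics I chose for the illustration (Temp location, gibberish DLL name, ordinal or short lowercase export, hex-blob value name, flag at a score of 3 or more), groups them by hive, and lists loaders whose DLL no longer exists on disk. The sample lines are constructed from the log posted above, and the "present on disk" set is invented to show the orphaned-value case that produces the "specified module could not be found" box.

```python
"""Flag Vundo-style rundll32 autoruns in HijackThis O4 lines.

Added example: the scoring rules below are heuristics chosen for this
illustration, not something HijackThis or ComboFix does.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample built from the O4 lines posted in the thread, plus
# known-good entries so the scoring has something to leave alone.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [68da394e] rundll32.exe "C:\WINDOWS\system32\svenjrli.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\DOCUME~1\jcarter\LOCALS~1\Temp\ddaya.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\DOCUME~1\jcarter\LOCALS~1\Temp\vtsqq.dll,c
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\WINDOWS\system32\pqcppmmb.dll",run
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
""".strip()

# O4 - <hive>\..\Run: [<value name>] <command> [(User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
# rundll32[.exe] <dll>[,<export or #ordinal>]; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<entry>\S+))?', re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)     # value names like 68da394e
GIBBERISH_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")   # svenjrli.dll, ddaya.dll
WEAK_EXPORT_RE = re.compile(r"^(#\d+|[a-z]{1,4})$")   # #1, b, c, run

SUSPICIOUS = 3   # assumed threshold; legitimate rundll32 autoruns score 0-2


@dataclass
class Autorun:
    raw: str
    hive: str                    # HKLM, HKCU, or HKUS\<SID>
    name: str                    # registry value name
    command: str
    dll: Optional[str] = None    # DLL handed to rundll32, if any
    entry: Optional[str] = None  # export name or #ordinal after the comma
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[Autorun]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    a = Autorun(line.strip(), m["hive"], m["name"], m["cmd"])
    r = RUNDLL_RE.match(a.command)
    if r:
        a.dll, a.entry = r["dll"], r["entry"]
    return a


def score(a: Autorun) -> Autorun:
    """Only rundll32 loaders are scored; a bare EXE needs other checks."""
    if a.dll is None:
        return a
    path = a.dll.lower()
    base = path.rsplit("\\", 1)[-1]
    if "\\temp\\" in path:
        a.score += 3
        a.reasons.append("DLL loaded from a Temp directory")
    if GIBBERISH_DLL_RE.match(base):
        a.score += 2
        a.reasons.append("random-looking DLL name")
    if a.entry and WEAK_EXPORT_RE.match(a.entry):
        a.score += 2
        a.reasons.append("ordinal or one-word export instead of a real export name")
    if HEX_NAME_RE.match(a.name):
        a.score += 2
        a.reasons.append("hex-blob value name")
    return a


def analyse(log_text: str) -> List[Autorun]:
    return [score(a) for a in map(parse_o4, log_text.splitlines()) if a]


def fix_list(autoruns: List[Autorun], threshold: int = SUSPICIOUS) -> List[str]:
    """The O4 lines you would tick in HJT before pressing 'Fix checked'."""
    return [a.raw for a in autoruns if a.score >= threshold]


def orphaned(autoruns: List[Autorun], present: Set[str]) -> List[Autorun]:
    """rundll32 loaders whose DLL is gone (`present` = lower-cased paths that
    exist on disk). These still fire at logon and produce the
    'RUNDLL ... The specified module could not be found' box: deleting the
    file is not enough, the Run value itself has to be removed."""
    return [a for a in autoruns if a.dll and a.dll.lower() not in present]


def by_hive(autoruns: List[Autorun]) -> Dict[str, List[Autorun]]:
    """HKCU lines in an HJT log belong to the account that ran HJT, so a log
    taken as Administrator will not show the infected user's HKCU values."""
    groups: Dict[str, List[Autorun]] = {}
    for a in autoruns:
        groups.setdefault(a.hive, []).append(a)
    return groups


if __name__ == "__main__":
    rows = analyse(SAMPLE_O4)
    for hive, entries in by_hive(rows).items():
        print(hive)
        for a in entries:
            tag = f"SUSPICIOUS ({a.score})" if a.score >= SUSPICIOUS else "ok"
            print(f"  {tag}: {a.raw}")
            for reason in a.reasons:
                print(f"      - {reason}")
    # Constructed disk state: only pqcppmmb.dll still exists.
    for a in orphaned(rows, {r"c:\windows\system32\pqcppmmb.dll"}):
        print("orphaned Run value ->", a.name, a.dll)
```

Run it against the whole HJT log rather than the excerpt and the HKLM line `[68da394e]` is flagged as well, which is why the later CFScript deletes svenjrli.dll. The `orphaned` check explains the symptom the thread opens with: a Run value pointing at a DLL that VundoFix already deleted keeps producing the RUNDLL error until the value is removed.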
 
IndiGenus commented:
Hi,
Yes, it appears to be pretty heavily infected: Vundo/Conhook and possibly many others.

Download and run ComboFix (by sUBs). You must run it directly from your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your anti-virus and any real-time anti-spyware monitors that are running.
Then double-click ComboFix.exe and follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware.

NOTE: If you have issues connecting to your network or internet after running ComboFix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click the network connection icon and select "Repair".
or
Alternately, if the network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: ComboFix will typically fix most, and sometimes all, malware entries, but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
0
 
NCGPIICT (author) commented:
I have run ComboFix. Please find attached the ComboFix log and HijackThis log.
log.txt
hijackthis.log
0

 
IndiGenus commented:
1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
C:\windows\system32\ihmoobcw.dll
C:\windows\system32\amaobvbg.dll
C:\windows\system32\svenjrli.dll
C:\DOCUME~1\jcarter\LOCALS~1\Temp\vtsqq.dll

Folder::
C:\windows\TkNH
C:\windows\system32\nGpxx01
C:\Temp\cXzz9
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{513C5B45-FC37-433C-8038-E461981A7DAE}]


---------------------------------------------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After the reboot (in case it asks to reboot), please upload the following reports/logs:

-Combofix.txt
-A new HijackThis log
0
 
NCGPIICT (author) commented:
Please find attached the new ComboFix and HijackThis logs.

When I log in as the user, he now gets the following prompts:

RUNDLL
Error loading C:\DOCUME~1\jcarter\LOCALS~1\Temp\vtsqq.dll
The specified module could not be found.

Error loading C:\DOCUME~1\jcarter\LOCALS~1\Temp\ddaya.dll
The specified module could not be found.

Error in C:\WINDOWS\system32\sdtumwoq.dll
Specified module could not be found

FYI, I ran ComboFix logged in as administrator, as the program will not run when logged in as the user.
log2.txt
hijackthis2.log
0
 
IndiGenus commented:
Did you run HijackThis from the user or admin account? Can you run it from the user account please? Those files are Vundo-infected files and you certainly don't want them to run, but they are still being called from the registry, I believe. That is not showing in the last HJT log though, as I assume it's from the admin account. Hope that's clear,
Dave
0
 
NCGPIICT (author) commented:
HijackThis log from the user account:
hijackthis.log
0
 
NCGPIICT (author) commented:
Fantastic, all sorted.
0
 
IndiGenus commented:
Glad you got it! Thanks for the grade and points.
Good luck,
Dave
0