Rundll32.exe - variant of Win32/Agent trojan

My laptop use ESET NOD32, and it detected rundll32.exe as a Win32/Agent trojan but unable to clean. Recently, my laptop often automatically call IE and access to a strange Chinese website. IE cannot also save history after I restart the laptop. Pls help me!

Here is log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:03 PM, on 1/13/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\UniKey4.0\UniKey.exe
C:\WINDOWS\system32\CAP2RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP2SWK.EXE
C:\WINDOWS\system32\30FEF0\4DE62A.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\Bin\hpqSTE08.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\DAT\Setup Files\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=Userinit.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: FoxmarksDLLBHO - {A2A71ABA-3939-43B2-BD8F-8C1767EF9020} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CAP2ON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAP2ONN.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Run: [5068F7] C:\WINDOWS\system32\30FEF0\4DE62A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UniKey] C:\Program Files\UniKey4.0\UniKey.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: 8D0BF2.lnk = C:\WINDOWS\system32\30FEF0\4DE62A.EXE
O4 - Global Startup: Canon LASER SHOT LBP-1210 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP2LAK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: BigBetPoker.com - {1ca24684-a693-418e-a430-79d070271843} - C:\Documents and Settings\home1\Start Menu\Programs\BigBetPoker.com\BigBetPoker.com.lnk (file missing) (HKCU)
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (HKCU)
O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262540475400
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{493BC66D-2B21-4115-A5BE-9A861107E290}: NameServer = 203.113.188.1,203.113.131.1
O23 - Service: Eset Trial Reset (.EsetTrialReset) - Unknown owner - C:\WINDOWS\reset.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7661 bytes

Please download Cheetah-Anti-Rogue, and save to your Desktop.

• Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  
• Double-click on Cheetah-Anti-Rogue.cmd to start.
  
• It will finish quickly and launch a log.
  
• Post the contents of it in your next reply.

Thx for reply. Here it is:

Cheetah Anti-Rogue v1.0.32
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Wed 01/13/2010 22:08:28.66


-- Known infection --

C:\DOCUME~1\home1\LOCALS~1\Temp\E_N4\cnvpe.fne (Trj.Xema)
C:\Documents and Settings\home1\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (Trj.FakeAlert)


Extra message: Detection only.


EOF

Please download Malwarebytes Anti-Malware from here.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Okie. Here it is:

Malwarebytes' Anti-Malware 1.44
Database version: 3557
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

1/13/2010 9:28:51 PM
mbam-log-2010-01-13 (21-28-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 220245
Time elapsed: 1 hour(s), 58 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E} (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\B40469\RegEx.fnr (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT1497.tmp (Malware.Tool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\tskmgr.exe (Worm.AutoRun) -> Quarantined and deleted successfully.

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

Well, Here's the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c0bc7d8d7b58f341bd5bfd51887419f0
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-14 01:46:31
# local_time=2010-01-14 05:46:31 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8199 22379925 100 100 0 21045129 0 0
# scanned=105845
# found=3
# cleaned=2
# scan_time=4401
# nod_component=V3 Build:0x30000000
C:\Program Files\HFXP2\hfxp.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\reset.exe Win32/Packed.Autoit.Gen application (deleted - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\RUNDLL32.EXE probably a variant of Win32/Agent trojan (unable to clean) 00000000000000000000000000000000 I

Please go HERE. Copy and paste the following file path in to the box.

C:\WINDOWS\system32\RUNDLL32.EXE

Do the same for these two files:

C:\windows\system32\userinit.exe
C:\windows\explorer.exe

Then click submit.

Please post the results (URL) to your next reply.
Note: make sure to scan again. It will tell you it has already analyzed it, but scan again.

==

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
rundll32.exe

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Here's the link:

http://www.virustotal.com/analisis/4330b449d8fac6ae9309d6be02d7f598429540d3e6b970e7f2290b56aac6b362-1263518034

http://www.virustotal.com/analisis/5b5d71718108e132d10bafb0c217f469a1e3cc13f79ff8d9cbe3bf4918aff7b7-1263518338

http://www.virustotal.com/analisis/8b48dd5eb2a7f8ec8b607b1b0c9cbf7278b401024347971cbb6d0c9530d1c295-1263518566


Here's the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:24 on 15/01/2010 by home1 (Administrator - Elevation successful)

========== filefind ==========

Searching for "rundll32.exe"
C:\WINDOWS\system32\dllcache\rundll32.exe --a--c 33280 bytes [21:01 28/10/2004] [07:56 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\system32\RUNDLL32.EXE --a--- 33280 bytes [21:01 28/10/2004] [07:56 04/08/2004] 1F10334471B7237FC4F34B0938BA8EDF

-=End Of File=-

Your computer is infected with a dangerous infection:
http://www.helpmyos.com/malware-threat-removal-f6/virut-information-t879.htm

We have hit a dead end. Please tell me when you have completed a reformat and reinstall.

I am sorry for the bad news. I do not understand why these mean people make such harsh viruses, and I wish there was a way to clean your system without everything being damaged. But, the problem is, cleaning the system, most files will be damaged. It is like trying to clean up a city that just had a tornado or hurricane run through it. Takes rebuilding, and time to set back up.

I think maybe I solved the problem. I just simple copy rundll32.exe from C:\WINDOWS\system32\dllcache\ to C:\WINDOWS\system32\. And everything OK now, ESET NOD32 doesn't detect rundll32.exe as a Win32/Agent anymore. Here is scan result from Virustotal.com:

http://www.virustotal.com/analisis/a46e1537ae3f1752822d72c6c0870fed8afee396c6c1bacc3ea781decd5dcddc-1263542147

OK

OK. I'm very grateful to you for helping.