12-05-2008, 06:08 PM   #1
emt1976
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Windows XP


Help with recent Malware causing pop-ups and slow performance

I believe that I picked up something off of a download link on a forum yesterday. Since the time of infection, I get pop-ups every 5 minutes or so to pantomi.com and precata.com which then redirect me to various sites including anti-virus, reunion, and coupon offerings.

I dropped my system into safe mode and ran Symantec anti-virus (sigs as of 12/5) and it detected and quarantined trojan.vundo. I also ran spybot and ad-aware which still didn't fix the problem. Please take a look at my attached logs and help me out if you can as I'm stumped.

Thanks,

Gene


DDS (Version 1.0) - NTFSx86
Run by Administrator at 18:33:38.67 on Fri 12/05/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1363 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\trojan.vundo\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {e42130e3-2fc3-46e8-bf90-a5ad552a9636} - c:\windows\system32\tadezuzu.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [hanozukaki] Rundll32.exe "c:\windows\system32\wowinule.dll",s
mRun: [40fa08da] rundll32.exe "c:\windows\system32\vidasasa.dll",b
mRun: [CPM43c93b46] Rundll32.exe "c:\windows\system32\davotudo.dll",a
mExplorerRun: [ZboardTray] "c:\program files\ideazon\zboard software\driver\ZboardTray.exe" /autolaunch
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\silent hunter wolves of the pacific\registrationreminder\RegistrationReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - d:\program files\microtek\scanwizard 5\ScannerFinder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - d:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - d:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - d:\program files\microsoft office\office\1033\OLFSNT40.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: Zboard - Winlognotif.dll
AppInit_DLLs: c:\windows\system32\lotonene.dll c:\windows\system32\davotudo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\davotudo.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\davotudo.dll
LSA: Notification Packages = scecli c:\windows\system32\lotonene.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-4-8 161392]
R2 PfDetNT;PfDetNT;\??\c:\windows\system32\drivers\PfModNT.sys [2005-12-8 8192]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-4-17 1706176]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081205.008\naveng.sys [2008-12-5 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081205.008\navex15.sys [2008-12-5 876112]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-4-8 83568]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [2006-9-3 31744]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-4-17 124608]

=============== Created Last 30 ================

2008-12-05 18:16 250 a------- c:\windows\gmer.ini
2008-12-05 18:05 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 15:35 1,428,212 ---sh--- c:\windows\system32\ovinutow.ini
2008-12-05 10:53 <DIR> --d----- c:\windows\pss
2008-12-04 23:43 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-04 23:33 1,430,066 ---sh--- c:\windows\system32\asasadiv.ini

==================== Find3M ====================

2008-12-05 18:29 <DIR> --d----- c:\docume~1\admini~1\applic~1\DNA
2008-12-05 17:59 <DIR> --d----- c:\program files\Symantec AntiVirus
2008-12-05 17:59 <DIR> --d----- c:\program files\DNA
2008-12-05 15:35 64,565 a--sh--- c:\windows\system32\luhuwuji.dll
2008-12-05 15:35 93,237 a--sh--- c:\windows\system32\davotudo.dll
2008-12-05 15:35 88,117 a--sh--- c:\windows\system32\wotunivo.dll
2008-12-05 10:22 <DIR> --d----- c:\program files\Lavasoft
2008-12-05 10:21 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-05 08:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-05 08:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-04 23:33 88,629 a--sh--- c:\windows\system32\vidasasa.dll
2008-11-23 11:29 <DIR> --d----- c:\program files\GameShadow
2008-11-22 19:37 <DIR> --d----- c:\program files\Quicken Backup
2008-10-07 23:06 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent
2008-09-20 17:34 3,798 a------- c:\windows\system32\ealregsnapshot1.reg
2008-03-12 22:23 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent DNA
2008-01-04 00:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2007-08-18 00:31 <DIR> --d----- c:\docume~1\admini~1\applic~1\Kazaa Lite
2007-07-22 16:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\River Past G3
2007-07-22 16:28 <DIR> --d----- c:\docume~1\admini~1\applic~1\River Past G3
2006-12-16 10:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Intuit
2006-12-16 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2006-08-26 17:24 <DIR> --d----- c:\docume~1\admini~1\applic~1\Ideazon
2006-08-16 23:54 <DIR> --d----- c:\docume~1\admini~1\applic~1\ICAClient
2006-02-28 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Microsoft Web Folders
2006-02-21 23:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\lotonene.dll
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\tadezuzu.dll
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\wowinule.dll

============= FINISH: 18:34:54.34 ===============
Attached Files
File Type: txt Attach.txt (11.9 KB)
File Type: txt gmer.txt (11.4 KB)
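A triage check for the kind of DDS log posted above, added here as an illustration and not part of the original post: it splits the log into its sections and flags persistence entries (BHO, Run keys, AppInit_DLLs, SSODL, LSA Notification Packages) whose DLL the file listing marks hidden+system, which is exactly how the Vundo components in this log stand out from the legitimate entries. The log excerpt is constructed from entries in the post; section names and line layout follow the DDS output above.

```python
import re

# Constructed excerpt in the DDS log format of the post above (same kinds of
# entries, abbreviated); not the poster's attachment.
DDS_LOG = r"""
============== Pseudo HJT Report ===============
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {e42130e3-2fc3-46e8-bf90-a5ad552a9636} - c:\windows\system32\tadezuzu.dll
mRun: [hanozukaki] Rundll32.exe "c:\windows\system32\wowinule.dll",s
AppInit_DLLs: c:\windows\system32\lotonene.dll c:\windows\system32\davotudo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\lotonene.dll
==================== Find3M ====================
2008-12-05 15:35 93,237 a--sh--- c:\windows\system32\davotudo.dll
2008-09-20 17:34 3,798 a------- c:\windows\system32\ealregsnapshot1.reg
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\lotonene.dll
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\tadezuzu.dll
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\wowinule.dll
"""

# DDS file lines: date, time, size or <DIR>, 8-character attribute string, path.
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")
# Non-greedy so an AppInit_DLLs line yields each path and spaces in paths survive.
DLL_RE = re.compile(r"[a-z]:\\.+?\.dll", re.IGNORECASE)

def split_sections(log):
    """Group log lines under the '=== Name ===' header they follow."""
    sections, current = {}, "preamble"
    for line in log.splitlines():
        if line.startswith("="):
            current = line.strip("= ")
        elif line.strip():
            sections.setdefault(current, []).append(line)
    return sections

def triage(log):
    """Persistence entries whose DLL the file listing marks hidden+system,
    returned as (entry kind, lower-cased path) pairs in log order."""
    sections = split_sections(log)
    # Hidden+system DLLs in system32 are unusual for legitimate software.
    suspicious = set()
    for name in ("Created Last 30", "Find3M"):
        for m in filter(None, map(FILE_RE.match, sections.get(name, []))):
            if "s" in m.group(1) and "h" in m.group(1):
                suspicious.add(m.group(2).strip().lower())
    hits = []
    for line in sections.get("Pseudo HJT Report", []):
        kind = line.partition(":")[0]
        for path in DLL_RE.findall(line):
            if path.lower() in suspicious:
                hits.append((kind, path.lower()))
    return hits
```

Run against the constructed excerpt it reports five loaders of hidden+system DLLs (one BHO, one Run key, both AppInit_DLLs entries and the LSA package) and passes over the Adobe BHO and the Windows shell object, since neither file carries those attributes.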