Help with recent Malware causing pop-ups and slow performance
Old 12-05-2008, 06:08 PM   #1
Guest
 
Join Date: Dec 2008
Posts: 5
OS:



I believe that I picked up something off of a download link on a forum yesterday. Since the time of infection, I get pop-ups every 5 minutes or so to pantomi.com and precata.com which then redirect me to various sites including anti-virus, reunion, and coupon offerings.

I dropped my system into safe mode and ran Symantec anti-virus (sigs as of 12/5) and it detected and quarantined trojan.vundo. I also ran spybot and ad-aware which still didn't fix the problem. Please take a look at my attached logs and help me out if you can as I'm stumped.

Thanks,

Gene


DDS (Version 1.0) - NTFSx86
Run by Administrator at 18:33:38.67 on Fri 12/05/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1363 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\trojan.vundo\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {e42130e3-2fc3-46e8-bf90-a5ad552a9636} - c:\windows\system32\tadezuzu.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [hanozukaki] Rundll32.exe "c:\windows\system32\wowinule.dll",s
mRun: [40fa08da] rundll32.exe "c:\windows\system32\vidasasa.dll",b
mRun: [CPM43c93b46] Rundll32.exe "c:\windows\system32\davotudo.dll",a
mExplorerRun: [ZboardTray] "c:\program files\ideazon\zboard software\driver\ZboardTray.exe" /autolaunch
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\silent hunter wolves of the pacific\registrationreminder\RegistrationReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - d:\program files\microtek\scanwizard 5\ScannerFinder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - d:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - d:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - d:\program files\microsoft office\office\1033\OLFSNT40.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: Zboard - Winlognotif.dll
AppInit_DLLs: c:\windows\system32\lotonene.dll c:\windows\system32\davotudo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\davotudo.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\davotudo.dll
LSA: Notification Packages = scecli c:\windows\system32\lotonene.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-4-8 161392]
R2 PfDetNT;PfDetNT;\??\c:\windows\system32\drivers\PfModNT.sys [2005-12-8 8192]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-4-17 1706176]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081205.008\naveng.sys [2008-12-5 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081205.008\navex15.sys [2008-12-5 876112]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-4-8 83568]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [2006-9-3 31744]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-4-17 124608]

=============== Created Last 30 ================

2008-12-05 18:16 250 a------- c:\windows\gmer.ini
2008-12-05 18:05 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 15:35 1,428,212 ---sh--- c:\windows\system32\ovinutow.ini
2008-12-05 10:53 <DIR> --d----- c:\windows\pss
2008-12-04 23:43 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-04 23:33 1,430,066 ---sh--- c:\windows\system32\asasadiv.ini

==================== Find3M ====================

2008-12-05 18:29 <DIR> --d----- c:\docume~1\admini~1\applic~1\DNA
2008-12-05 17:59 <DIR> --d----- c:\program files\Symantec AntiVirus
2008-12-05 17:59 <DIR> --d----- c:\program files\DNA
2008-12-05 15:35 64,565 a--sh--- c:\windows\system32\luhuwuji.dll
2008-12-05 15:35 93,237 a--sh--- c:\windows\system32\davotudo.dll
2008-12-05 15:35 88,117 a--sh--- c:\windows\system32\wotunivo.dll
2008-12-05 10:22 <DIR> --d----- c:\program files\Lavasoft
2008-12-05 10:21 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-05 08:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-05 08:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-04 23:33 88,629 a--sh--- c:\windows\system32\vidasasa.dll
2008-11-23 11:29 <DIR> --d----- c:\program files\GameShadow
2008-11-22 19:37 <DIR> --d----- c:\program files\Quicken Backup
2008-10-07 23:06 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent
2008-09-20 17:34 3,798 a------- c:\windows\system32\ealregsnapshot1.reg
2008-03-12 22:23 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent DNA
2008-01-04 00:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2007-08-18 00:31 <DIR> --d----- c:\docume~1\admini~1\applic~1\Kazaa Lite
2007-07-22 16:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\River Past G3
2007-07-22 16:28 <DIR> --d----- c:\docume~1\admini~1\applic~1\River Past G3
2006-12-16 10:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Intuit
2006-12-16 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2006-08-26 17:24 <DIR> --d----- c:\docume~1\admini~1\applic~1\Ideazon
2006-08-16 23:54 <DIR> --d----- c:\docume~1\admini~1\applic~1\ICAClient
2006-02-28 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Microsoft Web Folders
2006-02-21 23:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\lotonene.dll
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\tadezuzu.dll
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\wowinule.dll

============= FINISH: 18:34:54.34 ===============
Attached Files
File Type: txt Attach.txt (11.9 KB, 18 views)
File Type: txt gmer.txt (11.4 KB, 17 views)
emt1976 is offline  
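The Pseudo HJT section of the DDS log above is where this infection persists: a BHO, three mRun entries that launch rundll32 with a quoted system32 DLL and a one-letter export, AppInit_DLLs, SSODL/STS, and the LSA Notification Packages list. As an added triage example (not part of the original thread or of DDS), the following Python script parses lines copied from that log and scores each DLL by the load points it is registered at. The heuristics (the high-risk load point list, one-letter rundll32 exports, 8-lowercase-letter names in system32, and the WPDShServiceObj.dll allowlist) are assumptions chosen to illustrate this log, not DDS's own rules.

```python
import re
from collections import defaultdict

# Pseudo HJT lines copied from the DDS log posted above (a constructed subset:
# legitimate entries mixed with the Vundo load points).
SAMPLE_LOG = r"""
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {e42130e3-2fc3-46e8-bf90-a5ad552a9636} - c:\windows\system32\tadezuzu.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [hanozukaki] Rundll32.exe "c:\windows\system32\wowinule.dll",s
mRun: [40fa08da] rundll32.exe "c:\windows\system32\vidasasa.dll",b
mRun: [CPM43c93b46] Rundll32.exe "c:\windows\system32\davotudo.dll",a
AppInit_DLLs: c:\windows\system32\lotonene.dll c:\windows\system32\davotudo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\davotudo.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\davotudo.dll
LSA: Notification Packages = scecli c:\windows\system32\lotonene.dll
"""

# A drive-letter path ending in .dll. Directory names may contain spaces but
# never ":", so the two space-separated AppInit_DLLs paths are split correctly.
DLL_PATH = re.compile(r'[a-z]:\\(?:[^"\\,:]+\\)*[^"\\,:\s]+\.dll', re.I)

# rundll32 launching a quoted DLL with a one-letter export, as in the three
# mRun entries above (assumed heuristic: legitimate exports have real names).
RUNDLL_ONE_LETTER = re.compile(r'rundll32(?:\.exe)?\s+"[^"]+\.dll",[a-z]\s*$', re.I)

# Eight lowercase letters and nothing else: the naming pattern of every Vundo
# DLL in this log (assumed heuristic; a few real system DLLs also match it).
RANDOM_NAME = re.compile(r'^[a-z]{8}\.dll$')

# Load points that third-party software almost never uses legitimately (assumed).
HIGH_RISK_POINTS = {"AppInit_DLLs", "SSODL", "STS", "LSA"}

# Windows components expected at those load points on this XP box (assumed allowlist).
KNOWN_GOOD = {"wpdshserviceobj.dll"}


def analyze(log_text):
    """Score every DLL referenced from a load point.

    Returns {basename_lowercase: (score, [reasons])}. A DLL registered at
    several load points accumulates score from each line, so the one that
    appears under mRun, AppInit_DLLs, SSODL and STS rises to the top.
    """
    findings = defaultdict(lambda: [0, []])
    for raw in log_text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        point, _, rest = line.partition(":")   # "mRun", "BHO", "AppInit_DLLs", ...
        point = point.strip()
        for path in DLL_PATH.findall(rest):
            basename = path.rsplit("\\", 1)[-1]
            key = basename.lower()
            if key in KNOWN_GOOD:
                continue
            entry = findings[key]
            if point in HIGH_RISK_POINTS:
                entry[0] += 2
                entry[1].append(f"loaded via {point}")
            if point.endswith("Run") and RUNDLL_ONE_LETTER.search(rest):
                entry[0] += 2
                entry[1].append(f"{point}: rundll32 with one-letter export")
            if RANDOM_NAME.match(basename) and "\\system32\\" in path.lower():
                entry[0] += 1
                entry[1].append("random-looking 8-letter name in system32")
    return {k: (v[0], v[1]) for k, v in findings.items() if v[0] > 0}


if __name__ == "__main__":
    ranked = sorted(analyze(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0])
    for name, (score, reasons) in ranked:
        print(f"{score:3d}  {name:<20} {'; '.join(reasons)}")
```

Run against the lines above, davotudo.dll scores highest because it is registered at four different load points, while NvCpl.dll and AcroIEHelper.dll trigger nothing.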
Old 12-06-2008, 02:32 PM   #2
TSF Team, Emeritus
 
 
Join Date: Oct 2006
Posts: 4,582
OS: Vista



Please visit this webpage for download links, and instructions for running combofix:

https://www.bleepingcomputer.com/comb...o-use-combofix


* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 12-06-2008, 03:48 PM   #3
Guest
 
Join Date: Dec 2008
Posts: 5
OS:



Thanks for your help. Combofix log is attached as requested. I disabled AV, Ad-Aware, and SpyBot before scanning. Spybot's Teatimer seemed to start up after the reboot though. If that caused a problem, let me know and I will remove it totally and resend log files.
Attached Files
File Type: txt ComboFix.txt (11.4 KB, 15 views)
emt1976 is offline  
Old 12-06-2008, 04:56 PM   #4
TSF Team, Emeritus
 
 
Join Date: Oct 2006
Posts: 4,582
OS: Vista



Hi,

*Configure your machine to view hidden files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.


*I see you have P2P software ( BitTorrent, DNA (installed with bittorrent) ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it; however, that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add/Remove Programs.

If you decide to uninstall the p2p applications, also delete these Folders if they still exist:

C:\Program Files\BitTorrent
c:\program files\DNA
c:\documents and settings\Administrator\Application Data\BitTorrent
c:\documents and settings\Administrator\Application Data\DNA
c:\documents and settings\Administrator\Application Data\BitTorrent DNA

*delete this leftover folder:

c:\documents and settings\Administrator\Application Data\Kazaa Lite


*While both Tea timer and SpyBot are closed
Right click here and click save link as
Save it as resetteatimer.bat to your desktop
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Restart your computer.
Double click on resetteatimer.bat and wait for it to finish

Since it will not be needed again delete ResetTeaTimer.bat.

You may turn the Tea timer back on via SpyBots' tools> resident page when your computer is clean.

Note: If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.


*Open Notepad and copy and paste the text present in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
Save this as fix.reg. Choose to save as *All files* and place it on your desktop.

It should look like this:
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.


*Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit https://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


On your next reply, please include a
  • Fresh DDS log (do not run the optional scan)
  • kaspersky scan log
Angelfire777 is offline  
Old 12-07-2008, 07:23 AM   #5
Guest
 
Join Date: Dec 2008
Posts: 5
OS:



I've removed suggested programs and attached logs as requested.


DDS (Version 1.0) - NTFSx86
Run by Administrator at 8:19:17.23 on Sun 12/07/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1529 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Administrator\Desktop\trojan.vundo\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mExplorerRun: [ZboardTray] "c:\program files\ideazon\zboard software\driver\ZboardTray.exe" /autolaunch
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\silent hunter wolves of the pacific\registrationreminder\RegistrationReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - d:\program files\microtek\scanwizard 5\ScannerFinder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - d:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - d:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - d:\program files\microsoft office\office\1033\OLFSNT40.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: Zboard - Winlognotif.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-4-8 161392]
R2 PfDetNT;PfDetNT;\??\c:\windows\system32\drivers\PfModNT.sys [2005-12-8 8192]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-4-17 1706176]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081205.008\naveng.sys [2008-12-5 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081205.008\navex15.sys [2008-12-5 876112]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-4-8 83568]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [2006-9-3 31744]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-4-17 124608]

=============== Created Last 30 ================

2008-12-06 20:58 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-06 20:58 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-06 20:49 <DIR> --d----- c:\documents and settings\administrator\.SunDownloadManager
2008-12-06 16:34 <DIR> a-dshr-- C:\cmdcons
2008-12-06 16:33 161,792 a------- c:\windows\SWREG.exe
2008-12-06 16:33 98,816 a------- c:\windows\sed.exe
2008-12-06 16:33 <DIR> --d----- C:\ComboFix
2008-12-05 18:16 250 a------- c:\windows\gmer.ini
2008-12-05 18:05 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 10:53 <DIR> --d----- c:\windows\pss
2008-12-04 23:43 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)

==================== Find3M ====================

2008-12-06 20:58 <DIR> --d----- c:\program files\Symantec AntiVirus
2008-12-05 10:22 <DIR> --d----- c:\program files\Lavasoft
2008-12-05 10:21 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-05 08:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-05 08:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-23 11:29 <DIR> --d----- c:\program files\GameShadow
2008-11-22 19:37 <DIR> --d----- c:\program files\Quicken Backup
2008-09-20 17:34 3,798 a------- c:\windows\system32\ealregsnapshot1.reg
2008-01-04 00:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2007-07-22 16:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\River Past G3
2007-07-22 16:28 <DIR> --d----- c:\docume~1\admini~1\applic~1\River Past G3
2006-12-16 10:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Intuit
2006-12-16 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2006-08-26 17:24 <DIR> --d----- c:\docume~1\admini~1\applic~1\Ideazon
2006-08-16 23:54 <DIR> --d----- c:\docume~1\admini~1\applic~1\ICAClient
2006-02-28 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Microsoft Web Folders
2006-02-21 23:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec

============= FINISH: 8:19:31.53 ===============
Attached Files
File Type: txt kaspersky.txt (3.5 KB, 13 views)
emt1976 is offline  
Old 12-07-2008, 01:42 PM   #6
TSF Team, Emeritus
 
 
Join Date: Oct 2006
Posts: 4,582
OS: Vista



Hi,

*Open the Symantec Control Panel
Click View | Quarantine.
Select the file or group of files.
Do one of the following:
  • Right click the file and choose Delete Permanently
  • Click the X Delete button.
Click Start Delete


*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type clean.bat in the File name and save it to your desktop.

Code:
@echo off
rem Start with a fresh log: any file that survives deletion is recorded here
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Each path is attempted in turn; del errors are silenced by the redirect
rem after the closing parenthesis, and the "if exist" records what remains
for %%g in ( 
"D:\General Data\KazaaFiles\Spy Agent 4.0.exe"
"D:\My Documents\eugene\Eugene\Old Desktop\temp\serials2k\s2k.serials2k7.1.zip"
"H:\User Temp\1-ae824.zip"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\3\6edc3c83-15c83e23"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\43\7d3deceb-595124f9"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\60\328e8d3c-3e49c6b4"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-1a434e1-7fa8019a.class"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-48db91fd-64a89ae8.class"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-7bf8fe99-6562f72e.class"
"C:\Documents and Settings\helen\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-29695a9c.zip"
) do ( 
del /a/f/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

rem If the log exists something could not be deleted, so show it in Notepad
if exist "%temp%\log.txt" (start notepad "%temp%\log.txt" 
) else echo.Deleted Successfully! 
echo. 
pause 
rem The batch file removes itself once it has run
del %0
Locate clean.bat on your Desktop and double-click on it. Tell me what it says.

Also, on your next post, let me know how your computer is running.
Angelfire777 is offline  
Old 12-07-2008, 03:00 PM   #7
Guest
 
Join Date: Dec 2008
Posts: 5
OS:



Clean.bat ran and returned "Deleted Successfully" in its text window. Overall, my computer seems to be running better, and I'm not seeing the pop-up ads anymore.
emt1976 is offline  
Old 12-07-2008, 03:08 PM   #8
TSF Team, Emeritus
 
 
Join Date: Oct 2006
Posts: 4,582
OS: Vista



Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

And miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline  
Old 12-07-2008, 05:22 PM   #9
Guest
 
Join Date: Dec 2008
Posts: 5
OS:



Thank you for all of your help.
emt1976 is offline  