Help with recent Malware causing pop-ups and slow performance

[emt1976]

I believe that I picked up something off of a download link on a forum yesterday. Since the time of infection, I get pop-ups every 5 minutes or so to pantomi.com and precata.com which then redirect me to various sites including anti-virus, reunion, and coupon offerings.

I dropped my system into safe mode and ran Symantec anti-virus (sigs as of 12/5) and it detected and quarantined trojan.vundo. I also ran spybot and ad-aware which still didn't fix the problem. Please take a look at my attached logs and help me out if you can as I'm stumped.

Thanks,

Gene


DDS (Version 1.0) - NTFSx86
Run by Administrator at 18:33:38.67 on Fri 12/05/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1363 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\trojan.vundo\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {e42130e3-2fc3-46e8-bf90-a5ad552a9636} - c:\windows\system32\tadezuzu.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [hanozukaki] Rundll32.exe "c:\windows\system32\wowinule.dll",s
mRun: [40fa08da] rundll32.exe "c:\windows\system32\vidasasa.dll",b
mRun: [CPM43c93b46] Rundll32.exe "c:\windows\system32\davotudo.dll",a
mExplorerRun: [ZboardTray] "c:\program files\ideazon\zboard software\driver\ZboardTray.exe" /autolaunch
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\silent hunter wolves of the pacific\registrationreminder\RegistrationReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - d:\program files\microtek\scanwizard 5\ScannerFinder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - d:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - d:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - d:\program files\microsoft office\office\1033\OLFSNT40.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: Zboard - Winlognotif.dll
AppInit_DLLs: c:\windows\system32\lotonene.dll c:\windows\system32\davotudo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\davotudo.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\davotudo.dll
LSA: Notification Packages = scecli c:\windows\system32\lotonene.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-4-8 161392]
R2 PfDetNT;PfDetNT;\??\c:\windows\system32\drivers\PfModNT.sys [2005-12-8 8192]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-4-17 1706176]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081205.008\naveng.sys [2008-12-5 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081205.008\navex15.sys [2008-12-5 876112]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-4-8 83568]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [2006-9-3 31744]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-4-17 124608]

=============== Created Last 30 ================

2008-12-05 18:16 250 a------- c:\windows\gmer.ini
2008-12-05 18:05 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 15:35 1,428,212 ---sh--- c:\windows\system32\ovinutow.ini
2008-12-05 10:53 <DIR> --d----- c:\windows\pss
2008-12-04 23:43 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-04 23:33 1,430,066 ---sh--- c:\windows\system32\asasadiv.ini

==================== Find3M ====================

2008-12-05 18:29 <DIR> --d----- c:\docume~1\admini~1\applic~1\DNA
2008-12-05 17:59 <DIR> --d----- c:\program files\Symantec AntiVirus
2008-12-05 17:59 <DIR> --d----- c:\program files\DNA
2008-12-05 15:35 64,565 a--sh--- c:\windows\system32\luhuwuji.dll
2008-12-05 15:35 93,237 a--sh--- c:\windows\system32\davotudo.dll
2008-12-05 15:35 88,117 a--sh--- c:\windows\system32\wotunivo.dll
2008-12-05 10:22 <DIR> --d----- c:\program files\Lavasoft
2008-12-05 10:21 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-05 08:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-05 08:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-04 23:33 88,629 a--sh--- c:\windows\system32\vidasasa.dll
2008-11-23 11:29 <DIR> --d----- c:\program files\GameShadow
2008-11-22 19:37 <DIR> --d----- c:\program files\Quicken Backup
2008-10-07 23:06 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent
2008-09-20 17:34 3,798 a------- c:\windows\system32\ealregsnapshot1.reg
2008-03-12 22:23 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent DNA
2008-01-04 00:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2007-08-18 00:31 <DIR> --d----- c:\docume~1\admini~1\applic~1\Kazaa Lite
2007-07-22 16:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\River Past G3
2007-07-22 16:28 <DIR> --d----- c:\docume~1\admini~1\applic~1\River Past G3
2006-12-16 10:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Intuit
2006-12-16 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2006-08-26 17:24 <DIR> --d----- c:\docume~1\admini~1\applic~1\Ideazon
2006-08-16 23:54 <DIR> --d----- c:\docume~1\admini~1\applic~1\ICAClient
2006-02-28 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Microsoft Web Folders
2006-02-21 23:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\lotonene.dll
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\tadezuzu.dll
2008-09-05 15:35 64,565 a--sh--- c:\windows\system32\wowinule.dll

============= FINISH: 18:34:54.34 ===============

[Angelfire777]

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[emt1976]

Thanks for your help. Combofix log is attached as requested. I disabled AV, Ad-Aware, and SpyBot before scanning. Spybot's Teatimer seemed to start up after the reboot though. If that caused a problem, let me know and I will remove it totally and resend log files.

[Angelfire777]

Hi,

*Configure your machine to view hidden files:

• Click Start.
• Open My Computer..
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the "Hidden files and folders" heading select Show hidden files and folders.
• Uncheck the Hide Protected Operating System Files Option.
• Click Yes to confirm.
• Click OK.

*I see you have P2P software ( BitTorrent, DNA (installed with bittorrent) ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> add/remove programs

If you decide to uninstall the p2p applications, also delete these Folders if they still exist:

C:\Program Files\BitTorrent
c:\program files\DNA
c:\documents and settings\Administrator\Application Data\BitTorrent
c:\documents and settings\Administrator\Application Data\DNA
c:\documents and settings\Administrator\Application Data\BitTorrent DNA

*delete this leftover folder:

c:\documents and settings\Administrator\Application Data\Kazaa Lite


*While both Tea timer and SpyBot are closed
Right click here and click save link as
Save it as resetteatimer.bat to your desktop

• Run Spybot-S&D
• Go to the Mode menu, and make sure "Advanced Mode" is selected
• On the left hand side, choose Tools -> Resident
• Uncheck "Resident TeaTimer" and OK any prompts
• Restart your computer.

Double click on resetteatimer.bat and wait for it to finish

Since it will not be needed again delete ResetTeaTimer.bat.

You may turn the Tea timer back on via SpyBots' tools> resident page when your computer is clean.

Note: If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.


*Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000

Save this as fix.reg Choose to save as *all files and place it on your desktop.

It should look like this:
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.


*Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
• Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
• Click the "Download" button to the right.
• For Platform, select "Windows"
• For language, select your language
• Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
• Click Continue
• Click on the link to download Windows Offline Installation and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - Examples of older versions in Add or Remove Programs:
  • J2SE Runtime Environment 5.0 Update 6
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

• On the General tab, under Temporary Internet Files, click the Settings button.
• Next, click on the Delete Files button
• There are two options in the window to clear the cache - Leave BOTH Checked
  • Applications and Applets
    Trace and Log Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Temporary Files Window
• Click OK to leave the Java Control Panel.

Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

On your next reply, please include a

• Fresh DDS log (do not run the optional scan)
• kaspersky scan log

[emt1976]

I've removed suggested programs and attached logs as requested.


DDS (Version 1.0) - NTFSx86
Run by Administrator at 8:19:17.23 on Sun 12/07/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1529 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Administrator\Desktop\trojan.vundo\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mExplorerRun: [ZboardTray] "c:\program files\ideazon\zboard software\driver\ZboardTray.exe" /autolaunch
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\silent hunter wolves of the pacific\registrationreminder\RegistrationReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - d:\program files\microtek\scanwizard 5\ScannerFinder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - d:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - d:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - d:\program files\microsoft office\office\1033\OLFSNT40.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: Zboard - Winlognotif.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-4-8 161392]
R2 PfDetNT;PfDetNT;\??\c:\windows\system32\drivers\PfModNT.sys [2005-12-8 8192]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-4-17 1706176]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081205.008\naveng.sys [2008-12-5 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081205.008\navex15.sys [2008-12-5 876112]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-4-8 83568]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\ICDSX.sys [2006-9-3 31744]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-4-17 124608]

=============== Created Last 30 ================

2008-12-06 20:58 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-06 20:58 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-06 20:49 <DIR> --d----- c:\documents and settings\administrator\.SunDownloadManager
2008-12-06 16:34 <DIR> a-dshr-- C:\cmdcons
2008-12-06 16:33 161,792 a------- c:\windows\SWREG.exe
2008-12-06 16:33 98,816 a------- c:\windows\sed.exe
2008-12-06 16:33 <DIR> --d----- C:\ComboFix
2008-12-05 18:16 250 a------- c:\windows\gmer.ini
2008-12-05 18:05 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 10:53 <DIR> --d----- c:\windows\pss
2008-12-04 23:43 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-04 23:43 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)

==================== Find3M ====================

2008-12-06 20:58 <DIR> --d----- c:\program files\Symantec AntiVirus
2008-12-05 10:22 <DIR> --d----- c:\program files\Lavasoft
2008-12-05 10:21 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-05 08:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-05 08:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-23 11:29 <DIR> --d----- c:\program files\GameShadow
2008-11-22 19:37 <DIR> --d----- c:\program files\Quicken Backup
2008-09-20 17:34 3,798 a------- c:\windows\system32\ealregsnapshot1.reg
2008-01-04 00:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2007-07-22 16:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\River Past G3
2007-07-22 16:28 <DIR> --d----- c:\docume~1\admini~1\applic~1\River Past G3
2006-12-16 10:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Intuit
2006-12-16 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2006-08-26 17:24 <DIR> --d----- c:\docume~1\admini~1\applic~1\Ideazon
2006-08-16 23:54 <DIR> --d----- c:\docume~1\admini~1\applic~1\ICAClient
2006-02-28 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Microsoft Web Folders
2006-02-21 23:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec

============= FINISH: 8:19:31.53 ===============

[Angelfire777]

Hi,

*Open the Symantec Control Panel
Click View | Quarantine.
Select the file or group of files.
Do one of the following:

• *Right click the file and choose Delete Permanently
  *Click the X Delete button.

Click Start Delete


*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type clean.bat in the File name and save it to your desktop.

Code:

@echo off 
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in ( 
"D:\General Data\KazaaFiles\Spy Agent 4.0.exe"
"D:\My Documents\eugene\Eugene\Old Desktop\temp\serials2k\s2k.serials2k7.1.zip"
"H:\User Temp\1-ae824.zip"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\3\6edc3c83-15c83e23"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\43\7d3deceb-595124f9"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\60\328e8d3c-3e49c6b4"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-1a434e1-7fa8019a.class"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-48db91fd-64a89ae8.class"
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-7bf8fe99-6562f72e.class"
"C:\Documents and Settings\helen\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-29695a9c.zip"
) do ( 
del /a/f/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

if exist "%temp%\log.txt" (start notepad "%temp%\log.txt" 
) else echo.Deleted Successfully! 
echo. 
pause 
del %0

Locate clean.bat on your Desktop and double-click on it. Tell me what it says.

also, on your next post, let me know how's your computer running.

[emt1976]

Clean.bat ran and returned "Deleted Successfully" in its text window. Overall, my computer seems to be running better, and I'm not seeing the pop-up ads anymore.

[Angelfire777]

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

And miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.

[emt1976]

Thank you for all of your help.