Re: popups in firefox
What happened when you tried to remove ComboFix? Yes, you can just delete it, though it will not remove any backups these multiple runnings have done.
Re: popups in firefox
I have done all the scans, and in the way you asked me to do them. ATF-Cleaner: once again I could not use the Firefox option, but now I know why: Firefox is actually not installed in the Windows I run; I run the copy from my previous installation of Windows, which I deleted a year back. However, while running CCleaner it was able to delete the Firefox files and there is no history or cookies left. Then I ran MBA-M and here is the report:

Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 5.1.2600 Service Pack 2

11/9/2008 1:09:59 PM
mbam-log-2008-11-09 (13-09-59).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 48967
Time elapsed: 47 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\ssqNGvtT.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88ad8087-a4fa-4c3c-9613-63bc69d0bd11} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88ad8087-a4fa-4c3c-9613-63bc69d0bd11} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\ssqngvtt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\ssqngvtt -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\ssqNGvtT.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\TtvGNqss.ini (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\TtvGNqss.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rvjogjrk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\krjgojvr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

After which the HJT log looks like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15:31, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6A044BCA-7D52-4619-B36C-96FD0A436DD7} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099} - D:\WINDOWS\system32\fccbBSkk.dll
O2 - BHO: (no name) - {A957451F-324E-472A-BE5C-B8B8E68EDA5A} - (no file)
O2 - BHO: (no name) - {EE528997-7B75-45EA-AB8A-0298C5D3F04D} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fccbBSkk - D:\WINDOWS\SYSTEM32\fccbBSkk.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

-- End of file - 4348 bytes

The computer appears to be running smoothly now. Although there are no more popups coming now, I am still not 100% sure.
Re: popups in firefox
Please recommend what to do with the Firefox: do I install the new version (I have downloaded it already)? Since the previous Firefox was actually not installed from the OS I am running now, what do I need to do to remove it completely (i.e. registry, cookies etc.)? It is my default browser, and IE is uninstalled from the Add/Remove Windows Components.
Re: popups in firefox
You need to do the following:

Download SmitFraudFix and save it to your desktop. Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps.

Next, please reboot your computer into Safe Mode by doing the following:
1. Restart your computer.
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear.
4. Select the first option, to run Windows in Safe Mode.
5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.

When your computer has started in safe mode, and you see the desktop, close all open windows. Now, double-click on the SmitFraudFix icon that should be residing on your desktop. When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen. You will now see a menu. Press the number 2 on your keyboard and then press the enter key to choose the option Clean (safe mode recommended). The program will start cleaning your computer and go through a series of cleanup processes.

When SmitFraudFix is done, it will automatically start the Disk Cleanup program. This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with the next step.

When Disk Cleanup is finished, you will be presented with an option asking "Do you want to clean the registry ? (y/n)". At this screen you should press the Y button on your keyboard and then press the enter key. When this last routine is finished, you will be presented with a red screen stating "Computer will reboot now. Close all applications." You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.

Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.

Reboot the computer and run a new HJT scan. Post back here with that log and the SmitFraudFix log. We will deal with the Firefox problems shortly.
Judy
Re: popups in firefox
Quote:
Run that MBA-M again, updating it first, and this time also have it scan the "C" drive. When you choose Full Scan you should get a box which allows you to tell the program which drives to scan. Be sure to put a check mark in BOTH the "C" and "D" drives. Obviously Firefox cannot be the only thing on the "C" drive, so there are probably a lot of files never scanned with the MBA-M program. Run that and of course have it fix everything found. Post back here with that log before running any other program I have told you to run.
Judy
Re: popups in firefox
Quote:
Re: popups in firefox
I did the SmitFraudFix like you said, but for some reason it did not reboot as you mentioned. I think it could be because I had run this program previously, but this time it was a fresh copy (as I'd deleted the previous one) and I did as you told. Anyway, here is the log:

SmitFraudFix v2.374

Scan done at 13:54:31.54, 2008-11-10
Run from D:\Documents and Settings\Jahanzeb\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

For some reason my HJT is not able to create a log; it closes down with an error. I can scan, but cannot create a log. The scan looks the same, except this R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank and all the other (no file) ones are not there. Here is the process list from HJT, which for some reason works:

Process list saved on 14:27:55, on 2008-11-10
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
560 D:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
656 D:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
700 D:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
712 D:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
896 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1088 D:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1296 D:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1400 D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe 8.1.159.0 McAfee, Inc.
1412 d:\program files\common files\mcafee\mna\mcnasvc.exe 2.1.143.0 McAfee, Inc.
1468 d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe 2.0.150.0 McAfee, Inc.
1520 D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe 14.0.0.349 McAfee, Inc.
1568 D:\Program Files\McAfee\MPF\MPFSrv.exe 9.0.136.0 McAfee, Inc.
1604 D:\WINDOWS\system32\nvsvc32.exe 6.14.10.6693 NVIDIA Corporation
1772 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1180 D:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
972 D:\PROGRA~1\McAfee.com\Agent\mcagent.exe 8.0.237.0 McAfee, Inc.
2100 D:\WINDOWS\system32\wscntfy.exe 5.1.2600.2180 Microsoft Corporation
3120 D:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.1.45 RealNetworks, Inc.
3648 D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe 12.1.111.0 McAfee, Inc.
948 d:\PROGRA~1\mcafee\msc\mcuimgr.exe 8.0.226.0 McAfee, Inc.
2636 C:\PROGRA~1\MOZILL~1\FIREFOX.EXE 1.8.20080.17373 Mozilla Corporation
1728 D:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.

I will try reinstalling it, then I will post it if it works.
Re: popups in firefox
At last it worked, here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:49, on 2008-11-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

-- End of file - 3376 bytes
Re: popups in firefox
This log looks better. I know you requested that MBA-M scan all drives, but it appears that it didn't scan the "C" drive where your Firefox is located. Can you try it once more: click Full Scan, but when the box opens just put a check mark in "C" and take it out of the others. Let's see if it WILL scan "C" by itself.
Judy
Re: popups in firefox
This is the MBA-M log:

Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 5.1.2600 Service Pack 2

2008-11-11 12:25:00
mbam-log-2008-11-11 (12-25-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 20418
Time elapsed: 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\opnlllKA.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0b31c1c0-a374-4cf8-91f8-027c91495b2f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0b31c1c0-a374-4cf8-91f8-027c91495b2f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\opnlllka -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\opnlllka -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\opnlllKA.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\AKlllnpo.ini (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\AKlllnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xqamhktj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\jtkhmaqx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

I think the malware keeps on coming back. Today I had a pop-up from the IP http://83.149.115.148/go//?cmp=nm_fi...&v=1156&m=irq4 and then later another, http://personalantispy.com/.ware/ind...52454b06015b52. Well, anyway, here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:29, on 2008-11-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6A044BCA-7D52-4619-B36C-96FD0A436DD7} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099} - D:\WINDOWS\system32\fccbBSkk.dll
O2 - BHO: (no name) - {A957451F-324E-472A-BE5C-B8B8E68EDA5A} - (no file)
O2 - BHO: (no name) - {EE528997-7B75-45EA-AB8A-0298C5D3F04D} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fccbBSkk - D:\WINDOWS\SYSTEM32\fccbBSkk.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

-- End of file - 4271 bytes

The (no file) things are back too.
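The two MBA-M reports in this thread carry the information a responder needs, but reading them by eye is error-prone. The following is an added example written for this page (not a Malwarebytes, DaniWeb or thread participant's tool) that triages such a report programmatically: it parses the item lines, lists what MBA-M could only schedule for "Delete on reboot" and so is not gone until the machine restarts and the scan is repeated, flags the LSA Authentication Packages and Notification Packages entries (DLLs named there are loaded into lsass.exe at boot as SYSTEM, which is why the module could not be deleted while running), and pairs each detected DLL with the .ini whose name is the DLL name spelled backwards, the pattern visible in every report above (ssqNGvtT.dll/TtvGNqss.ini, opnlllKA.dll/AKlllnpo.ini). The sample input is the first report, reconstructed line by line; the LSA baseline (msv1_0 and scecli) is an assumed stock Windows XP baseline and should be adjusted to your own build.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed stock Windows XP contents of the two LSA package values (lower-case,
# without ".dll"). Anything else listed there is loaded into lsass.exe at boot.
LSA_BASELINE: Dict[str, Set[str]] = {
    "authentication packages": {"msv1_0"},
    "notification packages": {"scecli"},
}

# One MBAM item line: "<location> (<threat>) -> [Data: <value> -> ]<action>."
ITEM_RE = re.compile(
    r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^.]+)\.$"
)

# Constructed sample: the first report in this thread, one item per line.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1375
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Files Infected: 5
Memory Modules Infected:
D:\WINDOWS\system32\ssqNGvtT.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88ad8087-a4fa-4c3c-9613-63bc69d0bd11} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88ad8087-a4fa-4c3c-9613-63bc69d0bd11} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\ssqngvtt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\ssqngvtt -> Delete on reboot.
Files Infected:
D:\WINDOWS\system32\ssqNGvtT.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\TtvGNqss.ini (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\TtvGNqss.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rvjogjrk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\krjgojvr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str         # report block, e.g. "Files Infected"
    location: str        # file path or registry key
    threat: str          # e.g. "Trojan.Vundo.H"
    action: str          # e.g. "Delete on reboot"
    data: Optional[str]  # registry value data, when the line has one


def parse_mbam(text: str) -> List[Detection]:
    """One Detection per item line; headers and counters are skipped."""
    items: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):  # block header ("...: 5" is a counter)
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append(Detection(section, m["location"], m["threat"],
                                   m["action"].strip(), m["data"]))
    return items


def pending_reboot(items: List[Detection]) -> List[str]:
    """Locations MBAM could only schedule; re-scan after the restart."""
    return sorted({d.location for d in items
                   if d.action.lower() == "delete on reboot"})


def lsa_package_anomalies(items, baseline=LSA_BASELINE) -> List[Tuple[str, str]]:
    """(value name, module) for LSA package entries outside the baseline."""
    hits = []
    for d in items:
        value = d.location.rsplit("\\", 1)[-1].lower()
        if value in baseline and d.data:
            module = d.data.rsplit("\\", 1)[-1].lower()
            if module.endswith(".dll"):
                module = module[:-4]
            if module not in baseline[value]:
                hits.append((value, module))
    return hits


def reversed_ini_pairs(items: List[Detection]) -> List[Tuple[str, str]]:
    """(dll, ini) pairs whose .ini stem is the .dll stem spelled backwards."""
    by_ext: Dict[str, List[Tuple[str, str]]] = {}
    for d in items:
        if d.section != "Files Infected":
            continue
        stem, _, ext = d.location.rsplit("\\", 1)[-1].rpartition(".")
        by_ext.setdefault(ext.lower(), []).append((stem.lower(), d.location))
    pairs = []
    for dll_stem, dll_path in by_ext.get("dll", []):
        for ext in ("ini", "ini2"):
            for ini_stem, ini_path in by_ext.get(ext, []):
                if ini_stem == dll_stem[::-1]:
                    pairs.append((dll_path, ini_path))
    return pairs


if __name__ == "__main__":
    found = parse_mbam(SAMPLE_LOG)
    print("still pending reboot:", *pending_reboot(found), sep="\n  ")
    print("LSA packages outside baseline:", lsa_package_anomalies(found))
    print("dll/ini mirror pairs:", *reversed_ini_pairs(found), sep="\n  ")
```

Run against the second report on this page it flags opnlllka in both LSA values and pairs opnlllKA.dll with AKlllnpo.ini, which is why a follow-up scan after the reboot, with the LSA values checked by hand, is the right next step rather than trusting "Quarantined and deleted successfully" alone.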
©2003 - 2009 DaniWeb® LLC