popups in firefox

Recently I have been having these popups with IPs like:

http://89.188.16.43/go//?cmp=nm_firefox_rn&uid=00C2C7DAA3F911DDB0A9150044CFFFFF&rid=zdez&guid=18F0032549E7424087A87FF6D789E65C&affid=150044&lid=http&url=%7Bhttp:%2F%2F%5B0-9a-zA-Z%5C+%5C%%5C.%5C;%5C,%5C-%5C_%5C%3F%5C%23%26%5C=%5C%7B%5C%7D%5C%5B%5C%5D%5C%2F%5C%5C%5C$%5C:%5C@%5C%5E%5C~%5C%60%5D+%7D&v=1156&m=irq4
http://82.98.235.35/go//?cmp=nm_fire...&v=1156&m=irq4

after which they redirect to an antispyware website. I have tried various things but nothing seems to sort it out. I have tried AVG, antispyware, ComboFix, Smitfraud, antimalware etc... They have found many things but have not solved this issue. Here is a copy of the HijackThis log; I do not see anything wrong there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:33:46, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Real\RealPlayer\realplay.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\WINDOWS\system32\wscntfy.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe
D:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3793 bytes

Also, the computer has become slow to start and the browsers are taking a lot of memory, like Firefox 70000k and Explorer 40000k. Here is a list of processes:

Process list saved on 13:47:16, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
564 D:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
660 D:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
704 D:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
716 D:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
900 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1092 D:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1320 D:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1604 D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe 7.5.1.36 GRISOFT s.r.o.
1612 D:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1792 D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe 8.1.159.0 McAfee, Inc.
1812 d:\program files\common files\mcafee\mna\mcnasvc.exe 2.1.143.0 McAfee, Inc.
1872 d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe 2.0.150.0 McAfee, Inc.
1928 D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe 14.0.0.349 McAfee, Inc.
220 D:\Program Files\McAfee\MPF\MPFSrv.exe 9.0.136.0 McAfee, Inc.
408 D:\WINDOWS\system32\nvsvc32.exe 6.14.10.6693 NVIDIA Corporation
428 D:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.1.45 RealNetworks, Inc.
916 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1424 D:\PROGRA~1\McAfee.com\Agent\mcagent.exe 8.0.237.0 McAfee, Inc.
1772 D:\Program Files\Viewpoint\Common\ViewpointService.exe 2.0.0.54 Viewpoint Corporation
2728 D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe 12.1.111.0 McAfee, Inc.
2824 D:\WINDOWS\system32\wscntfy.exe 5.1.2600.2180 Microsoft Corporation
3440 d:\PROGRA~1\mcafee\msc\mcuimgr.exe 8.0.226.0 McAfee, Inc.
3748 D:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
2356 C:\PROGRA~1\MOZILL~1\FIREFOX.EXE 1.8.20080.17373 Mozilla Corporation
2700 D:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.
Re: popups in firefox

Hi and welcome to daniweb.

First of all I must caution all who may be reading this that several of the programs you have said that you ran should NOT have been run without FIRST being told to do so by a helper or somebody assisting you with problems. The main one I am concerned about is combofix. This is a very powerful tool which produces a very long and complicated log after doing its work. It takes quite a while to read and interpret one of these logs.

Since you didn't post any of the logs from the programs you ran and you say "they have found many things but not solve this issue", we have absolutely no idea what was found or what was removed OR where they were located on the system. We really are not certain what programs you did run, except for combofix, smitfraud and AVG Anti-Spyware 7.5, which is no longer available as a stand alone product so it cannot be counted on as doing the work anymore, and then you say "antimalware etc..." What "antimalware"?

Your auto starting program and auto starting services list is extremely small, showing only graphics card software, realplayer update, your McAfee program and Viewpoint Manager Service (which is actually considered to be malware and should be removed). The running processes list you posted shows exactly the same thing as the Running Processes list from the HiJackThis log, so there is nothing different or unusual there.

We don't know what version of Firefox you are running. What version is it?

I would like to see both the combofix log and the smitfraud log and any other logs from all the other programs that you ran. Post those here first.

THEN: Did you follow the steps given in the "Read me before posting a request for assistance" thread at the top of this page? Ignore the Deckard Scanner program as it is not available, but I would like you to follow ALL of the other steps, including ATF-Cleaner, Malwarebytes' Anti-Malware and the ESET online scanner.

Be sure to reboot the computer AFTER running MBA-M.

Once you have done those steps, then post back here with those NEW logs and a new HJT scan log completed AFTER you have followed the steps given in the "Read Me Before" sticky.

Judy
Re: popups in firefox

I am using a Pentium 3 863MHz with WinXP SP2. I use Firefox 2, and use this computer mainly for browsing purposes. The antimalware I mentioned is the same Malwarebytes Anti-Malware mentioned in the "read me before" request. However, I had performed a quick scan previously, but will perform a full scan later. Here is the log of the earlier scan:

Malwarebytes' Anti-Malware 1.30
Database version: 1343
Windows 5.1.2600 Service Pack 2

2008-10-31 20:51:16
mbam-log-2008-10-31 (20-51-16).txt

Scan type: Quick Scan
Objects scanned: 47052
Time elapsed: 9 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 1
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\mstbvgpb.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\urqRHaWQ.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b9997de8-1685-47d1-903f-f2a862fef950} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b9997de8-1685-47d1-903f-f2a862fef950} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b9997de8-1685-47d1-903f-f2a862fef950} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\z444.z444mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\z444.z444mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{030a0f33-5b99-482e-83f5-2eeb8457878b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{030a0f33-5b99-482e-83f5-2eeb8457878b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e0ff4138 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\urqrhawq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdptp.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: d:\windows\system32\urqrhawq -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{92d437af-0b8a-4735-975e-2d5679051dba}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.164,85.255.112.81 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{92d437af-0b8a-4735-975e-2d5679051dba}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.164,85.255.112.81 -> Delete on reboot.

Folders Infected:
D:\WINDOWS\system32\675873 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
D:\WINDOWS\system32\urqRHaWQ.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\QWaHRqru.ini (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\QWaHRqru.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\iekwwjgj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\jgjwwkei.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mstbvgpb.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\bpgvbtsm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mtggixei.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\iexiggtm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rkrwacpk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kpcawrkr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xrfvadoh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hodavfrx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xymnejph.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hpjenmyx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kdptp.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
D:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\fxddodac.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kgblktnm.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rpcnyufi.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ufvfcshx.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ypcumgog.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\Documents and Settings\Other\Local Settings\Temporary Internet Files\Content.IE5\8DUZ05YV\kb20010911[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\Documents and Settings\Other\Local Settings\Temporary Internet Files\Content.IE5\ENW8807K\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jahanzeb\Local Settings\Temporary Internet Files\Content.IE5\GHUBSHYV\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jahanzeb\Local Settings\Temporary Internet Files\Content.IE5\GXMJ0TEV\kb20010911[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\675873\675873.dll (Trojan.BHO) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
D:\USM2Trial.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
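The MBAM log in the post above is worth more than a glance at the detection names. Besides the adware BHO it records a DLL registered under LSA "Authentication Packages" and "Notification Packages" (which lsass.exe loads at boot), a Winlogon entry, and per-interface DhcpNameServer values pointing at 85.255.116.164 and 85.255.112.81, plus a number of items that could only be scheduled for "Delete on reboot". The script below is an added example for this thread, not code from Malwarebytes or from the poster: it parses lines in the shape MBAM 1.x writes, groups the registry hits by the persistence mechanism they abuse, lists resolver IPs that are not on an expected list, and counts what is still present until a reboot. The sample lines are a constructed excerpt copied from the log above; the mechanism labels and the EXPECTED_DNS list are this example's own assumptions.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log by persistence mechanism.

Added example for this thread, not code from Malwarebytes or the poster.
The sample lines are copied from the MBAM log above (a constructed excerpt,
not the full log); the mechanism names and EXPECTED_DNS are assumptions.
"""
import re
from collections import defaultdict

# Constructed excerpt of the posted log, in the line shape MBAM 1.30 writes:
#   <registry path or file path> (<detection>) -> [Data: ... -> ]<action>
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b9997de8-1685-47d1-903f-f2a862fef950} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e0ff4138 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\urqrhawq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdptp.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: d:\windows\system32\urqrhawq -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{92d437af-0b8a-4735-975e-2d5679051dba}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.164,85.255.112.81 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{92d437af-0b8a-4735-975e-2d5679051dba}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.164,85.255.112.81 -> Delete on reboot.

Files Infected:
D:\WINDOWS\system32\urqRHaWQ.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\kdptp.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
"""

# Assumption: the resolvers this machine is supposed to use (e.g. the home router).
EXPECTED_DNS = ["192.168.1.1"]

LINE_RE = re.compile(
    r"^(?P<item>(?:HKEY_|[A-Za-z]:\\).+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)$"
)

# Persistence mechanisms, matched against the lower-cased registry path.
# First match wins; the labels are this example's own.
MECHANISMS = [
    (r"\\control\\lsa\\(authentication|notification) packages$", "lsa_package"),  # loaded by lsass.exe at boot
    (r"\\winlogon\\", "winlogon"),                                 # runs at logon, before the shell
    (r"\\browser helper objects\\", "bho"),                        # loaded into IE / Explorer
    (r"\\currentversion\\run\\", "run_key"),                       # plain autostart
    (r"\\tcpip\\parameters\\interfaces\\.*nameserver$", "dns"),    # every lookup goes to the attacker
    (r"\\internet explorer\\(main\\|searchurl)", "ie_search"),     # search / start page hijack
]


def parse_hits(log_text):
    """One dict per result line; section headers and blank lines are skipped."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        parts = m.group("rest").split(" -> ")
        hits.append({
            "item": m.group("item"),
            "detection": m.group("det"),
            "detail": " -> ".join(parts[:-1]),  # "Data: ..." / "Bad: (...) Good: (...)" / ""
            "action": parts[-1],
        })
    return hits


def mechanism(item):
    """Label the persistence mechanism a registry hit abuses ("file" for file hits)."""
    if not item.startswith("HKEY_"):
        return "file"
    low = item.lower()
    for pattern, name in MECHANISMS:
        if re.search(pattern, low):
            return name
    return "other_registry"


def triage(log_text):
    """Group hits by mechanism so LSA, Winlogon and DNS entries stand out from adware noise."""
    groups = defaultdict(list)
    for hit in parse_hits(log_text):
        groups[mechanism(hit["item"])].append(hit)
    return dict(groups)


def rogue_nameservers(log_text, expected=EXPECTED_DNS):
    """Resolver IPs found in NameServer/DhcpNameServer values that are not on the expected list."""
    found = set()
    for hit in triage(log_text).get("dns", []):
        data = hit["detail"]
        if data.startswith("Data: "):
            data = data[len("Data: "):]
        found.update(ip.strip() for ip in data.split(","))
    return sorted(found - set(expected))


def pending_on_reboot(log_text):
    """Items MBAM could not remove while in use: they stay active until the machine is rebooted."""
    return [h["item"] for h in parse_hits(log_text)
            if h["action"].startswith("Delete on reboot")]


if __name__ == "__main__":
    for name, hits in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name:15} {len(hits)}")
        for h in hits:
            print(f"    {h['detection']:22} {h['item']}")
    print("rogue resolvers:", rogue_nameservers(SAMPLE_LOG))
    print("still present until reboot:", len(pending_on_reboot(SAMPLE_LOG)))
```

Run against the full log rather than the excerpt, the "dns" and "lsa_package" groups are the ones to act on first: the DNS entries mean every name lookup from this machine, including the ones the antivirus updater makes, was answered by the attacker's resolvers, and the LSA package means the Vundo DLL is reloaded into lsass.exe on every boot, which is why a scan that deletes files but not these values sees the same DLLs come back the next day. The reboot count backs up the advice in the reply above: until the machine restarts, the "Delete on reboot" items are still loaded.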
| Re: popups in firefox This post will have the logs of all the other scans i had performed: VundoFix V7.0.6 Scan started at 17:20:42 2008-10-28 Listing files found while scanning.... D:\Windows\system32\NCTAudioCDGrabber2.dll D:\Windows\system32\NCTAudioFile2.dll D:\Windows\system32\NCTAudioPlayer2.dll D:\Windows\system32\NCTAudioRecord2.dll D:\Windows\system32\NCTAVIFile.dll D:\Windows\system32\NCTQuickTimeFile.dll D:\Windows\system32\NCTVideoCoreM.dll D:\Windows\system32\NCTWMAFile2.dll Beginning removal... Attempting to delete D:\Windows\system32\NCTAudioCDGrabber2.dll D:\Windows\system32\NCTAudioCDGrabber2.dll Has been deleted! Attempting to delete D:\Windows\system32\NCTAudioFile2.dll D:\Windows\system32\NCTAudioFile2.dll Has been deleted! Attempting to delete D:\Windows\system32\NCTAudioPlayer2.dll D:\Windows\system32\NCTAudioPlayer2.dll Has been deleted! Attempting to delete D:\Windows\system32\NCTAudioRecord2.dll D:\Windows\system32\NCTAudioRecord2.dll Has been deleted! Attempting to delete D:\Windows\system32\NCTAVIFile.dll D:\Windows\system32\NCTAVIFile.dll Has been deleted! Attempting to delete D:\Windows\system32\NCTQuickTimeFile.dll D:\Windows\system32\NCTQuickTimeFile.dll Has been deleted! Attempting to delete D:\Windows\system32\NCTVideoCoreM.dll D:\Windows\system32\NCTVideoCoreM.dll Has been deleted! Attempting to delete D:\Windows\system32\NCTWMAFile2.dll D:\Windows\system32\NCTWMAFile2.dll Has been deleted! Performing Repairs to the registry. Done! VundoFix V7.0.6 Scan started at 1:32:48 PM 11/2/2008 Listing files found while scanning.... No infected files were found. 
Combofix: I used this application i think three times: "Other" - 2008-11-04 19:56:32 Service Pack 2 [SAFE MODE] ComboFix 07-05.27.BV - Running from: "D:\" ((((((((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))))) 2008-11-04 18:55 72,192 --a------ D:\WINDOWS\system32\lpqewhng.dll 2008-11-03 16:22 72,192 --a------ D:\WINDOWS\system32\sgincsoh.dll 2008-11-02 11:12 72,192 --a------ D:\WINDOWS\system32\mkecmtiy.dll 2008-11-02 10:39 71,680 --a------ D:\WINDOWS\system32\udcrfrup.dll 2008-11-01 10:36 311,667 --ahs---- D:\WINDOWS\system32\edeLRqru.ini2 2008-11-01 10:35 282,112 --a------ D:\WINDOWS\system32\urqRLede.dll 2008-10-31 20:38 <DIR> d-------- D:\DOCUME~1\Jahanzeb\APPLIC~1\Malwarebytes 2008-10-31 20:03 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\Malwarebytes 2008-10-31 20:02 38,496 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-10-31 20:02 15,504 --a------ D:\WINDOWS\system32\drivers\mbam.sys 2008-10-31 20:02 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware 2008-10-31 20:02 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes 2008-10-28 19:04 7,507,296 --a------ D:\rminstall.exe 2008-10-28 18:41 812,344 --a------ D:\HJTInstall.exe 2008-10-28 18:41 15,083,520 --a------ D:\spybotsd160.exe 2008-10-28 17:20 <DIR> d-------- D:\VundoFix Backups 2008-10-28 12:53 880 --a------ D:\WINDOWS\system32\tmp.reg 2008-10-28 12:50 <DIR> d-------- D:\SmitfraudFix 2008-10-28 12:49 262,144 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT 2008-10-28 12:33 1,088,512 --a------ D:\ComboFix.exe 2008-10-28 12:17 119,808 --a------ D:\VundoFix.exe 2008-10-28 12:17 1,663,634 --a------ D:\SmitfraudFix.exe 2008-10-27 22:23 <DIR> d-------- D:\Program Files\Avenger 2008-10-27 21:40 49,152 --a------ D:\WINDOWS\nircmd.exe 2008-10-27 20:25 388,608 --a------ D:\WINDOWS\system32\CF19354.exe 2008-10-27 14:35 <DIR> d-------- D:\Program Files\Exterminate It! 
2008-10-27 14:02 <DIR> d-------- D:\Program Files\Trend Micro 2008-10-27 12:25 27,904 --a------ D:\WINDOWS\system32\drivers\ndisprot.sys 2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\fccbBSkk.dll 2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\awtqrqpp.dll 2008-10-14 14:38 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\AdobeUM 2008-10-10 16:36 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus! 2008-10-10 13:53 <DIR> d-------- D:\Program Files\Messenger Plus! Live 2008-10-09 13:57 <DIR> d-------- D:\Documents and Settings\Other\Contacts 2008-10-09 13:57 <DIR> d-------- D:\DOCUME~1\Other\Contacts 2008-10-09 13:49 <DIR> d-------- D:\Program Files\Windows Live (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2008-11-04 13:58:33 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\Skype 2008-11-04 13:31:25 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\skypePM 2008-11-04 08:15:44 -------- d-----w D:\Program Files\DC++ 2008-10-31 12:23:46 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\uTorrent 2008-10-30 11:23:37 1,427 ----a-w D:\WINDOWS\mozver.dat 2008-10-15 04:30:07 359,040 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys 2008-09-29 17:32:30 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\dvdcss 2008-09-19 16:00:50 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\Creative 2008-09-16 13:55:48 -------- d-----w D:\Program Files\McAfee (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {000123B4-9B42-4900-B3F7-F4B073EFC214}=D:\Program Files\Orbitdownloader\orbitcth.dll [2007-02-05 13:34] {53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25] {7DB2D5A0-7241-4E79-B68D-6309F01C5231}=D:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-10-24 05:51] 
{8FBC6088-3303-4856-9992-EE901F543755}=D:\WINDOWS\system32\urqRLede.dll [2008-11-01 10:36] {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}=D:\WINDOWS\system32\fccbBSkk.dll [2008-10-27 12:24] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nwiz"="nwiz.exe" [2004-10-29 13:50 D:\WINDOWS\system32\nwiz.exe] "TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 10:57] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Aim6"="" [] "MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}"="D:\WINDOWS\system32\fccbBSkk.dll" [2008-10-27 12:24] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbBSkk] fccbBSkk.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages msv1_0 D:\WINDOWS\system32\urqRLede [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe] D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "xmlprov"=3 (0x3) "WZCSVC"=3 (0x3) "WmiApSrv"=3 (0x3) "Wmi"=3 (0x3) "WmdmPmSN"=3 (0x3) "VSS"=3 (0x3) "UPS"=3 (0x3) "upnphost"=3 (0x3) "SysmonLog"=3 (0x3) "SwPrv"=3 (0x3) "srservice"=2 (0x2) "SCardSvr"=3 (0x3) "RSVP"=3 (0x3) "RemoteRegistry"=3 (0x3) "RDSessMgr"=3 (0x3) "RasAuto"=3 (0x3) "NtmsSvc"=3 (0x3) "NtLmSsp"=3 (0x3) "NMIndexingService"=3 (0x3) "Netlogon"=3 (0x3) "MSIServer"=3 (0x3) "MSDTC"=3 (0x3) "mnmsrvc"=3 (0x3) "McODS"=3 (0x3) "LmHosts"=3 (0x3) "lanmanworkstation"=3 (0x3) "lanmanserver"=3 (0x3) "ImapiService"=3 (0x3) "HTTPFilter"=3 (0x3) "dmadmin"=3 (0x3) "COMSysApp"=3 (0x3) "CiSvc"=3 (0x3) "Browser"=3 (0x3) "BITS"=3 (0x3) "AppMgmt"=3 (0x3) "Nero BackItUp Scheduler 3"=2 (0x2) HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* Contents of the 'Scheduled Tasks' folder 2007-10-30 06:46:45 D:\WINDOWS\tasks\McDefragTask.job 2007-10-30 06:46:42 D:\WINDOWS\tasks\McQcTask.job ******************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-04 20:00:27 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2008-11-04 20:02:45 D:\ComboFix-quarantined-files.txt ... 2008-11-04 20:02 D:\ComboFix2.txt ... 2008-11-02 13:29 D:\ComboFix3.txt ... 2008-10-28 15:54 --- E O F --- "Jahanzeb" - 2008-11-02 13:23:41 Service Pack 2 [SAFE MODE] ComboFix 07-05.27.BV - Running from: "D:\" ((((((((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))))) 2008-11-02 11:12 72,192 --a------ D:\WINDOWS\system32\mkecmtiy.dll 2008-11-02 10:39 71,680 --a------ D:\WINDOWS\system32\udcrfrup.dll 2008-11-01 10:36 328,688 --ahs---- D:\WINDOWS\system32\edeLRqru.ini2 2008-11-01 10:35 282,112 --a------ D:\WINDOWS\system32\urqRLede.dll 2008-10-31 20:38 <DIR> d-------- D:\DOCUME~1\Jahanzeb\APPLIC~1\Malwarebytes 2008-10-31 20:03 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\Malwarebytes 2008-10-31 20:02 38,496 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-10-31 20:02 15,504 --a------ D:\WINDOWS\system32\drivers\mbam.sys 2008-10-31 20:02 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware 2008-10-31 20:02 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes 2008-10-28 19:04 7,507,296 --a------ D:\rminstall.exe 2008-10-28 18:41 812,344 --a------ D:\HJTInstall.exe 2008-10-28 18:41 15,083,520 --a------ D:\spybotsd160.exe 2008-10-28 17:20 <DIR> d-------- D:\VundoFix Backups 2008-10-28 12:53 880 --a------ D:\WINDOWS\system32\tmp.reg 2008-10-28 12:50 <DIR> d-------- D:\SmitfraudFix 2008-10-28 12:49 262,144 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT 2008-10-28 12:33 1,088,512 --a------ D:\ComboFix.exe 2008-10-28 12:17 119,808 --a------ D:\VundoFix.exe 2008-10-28 12:17 1,663,634 --a------ D:\SmitfraudFix.exe 2008-10-27 22:23 <DIR> d-------- D:\Program Files\Avenger 2008-10-27 21:40 49,152 --a------ D:\WINDOWS\nircmd.exe 2008-10-27 20:25 388,608 --a------ D:\WINDOWS\system32\CF19354.exe 2008-10-27 14:35 <DIR> d-------- 
D:\Program Files\Exterminate It! 2008-10-27 14:02 <DIR> d-------- D:\Program Files\Trend Micro 2008-10-27 12:25 27,904 --a------ D:\WINDOWS\system32\drivers\ndisprot.sys 2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\fccbBSkk.dll 2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\awtqrqpp.dll 2008-10-14 14:38 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\AdobeUM 2008-10-10 16:36 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus! 2008-10-10 13:53 <DIR> d-------- D:\Program Files\Messenger Plus! Live 2008-10-09 13:57 <DIR> d-------- D:\DOCUME~1\Other\Contacts 2008-10-09 13:49 <DIR> d-------- D:\Program Files\Windows Live (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2008-11-01 17:22:48 -------- d-----w D:\Program Files\DC++ 2008-10-30 11:23:37 1,427 ----a-w D:\WINDOWS\mozver.dat 2008-10-28 14:35:52 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\uTorrent 2008-10-28 12:55:54 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\Orbit 2008-10-15 04:30:07 359,040 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys 2008-09-16 13:55:48 -------- d-----w D:\Program Files\McAfee (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {000123B4-9B42-4900-B3F7-F4B073EFC214}=D:\Program Files\Orbitdownloader\orbitcth.dll [2007-02-05 13:34] {53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25] {61C44C25-C3DA-4DE4-B568-BB010772382A}=D:\WINDOWS\system32\urqRLede.dll [2008-11-01 10:36] {7DB2D5A0-7241-4E79-B68D-6309F01C5231}=D:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-10-24 05:51] {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}=D:\WINDOWS\system32\fccbBSkk.dll [2008-10-27 12:24] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"nwiz"="nwiz.exe" [2004-10-29 13:50 D:\WINDOWS\system32\nwiz.exe] "TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 10:57] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Pop-Up-Blocker"="" [] "TransparentIcons"="" [] "BlockAds"="" [] "Tweak-XP"="" [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}"="D:\WINDOWS\system32\fccbBSkk.dll" [2008-10-27 12:24] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbBSkk] fccbBSkk.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages msv1_0 D:\WINDOWS\system32\urqRLede [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe] D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"srservice"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RemoteRegistry"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McODS"=3 (0x3)
"LmHosts"=3 (0x3)
"lanmanworkstation"=3 (0x3)
"lanmanserver"=3 (0x3)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"dmadmin"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=3 (0x3)
"BITS"=3 (0x3)
"AppMgmt"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-10-30 06:46:45 D:\WINDOWS\tasks\McDefragTask.job
2007-10-30 06:46:42 D:\WINDOWS\tasks\McQcTask.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 13:27:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2008-11-02 13:29:55
D:\ComboFix-quarantined-files.txt ... 2008-11-02 13:29
D:\ComboFix2.txt ... 2008-10-28 15:54
D:\ComboFix3.txt ... 2008-10-27 21:40

--- E O F ---

"Jahanzeb" - 2008-10-28 13:35:19 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.BV - Running from: "D:\"

((((((((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 ))))))))))))))))))))))))))))))))))

2008-10-28 13:05 <DIR> dr-hs---- D:\resycled
2008-10-28 12:53 600 --a------ D:\WINDOWS\system32\tmp.reg
2008-10-28 12:50 88,576 --a------ D:\WINDOWS\system32\AntiXPVSTFix.exe
2008-10-28 12:50 87,552 --a------ D:\WINDOWS\system32\VACFix.exe
2008-10-28 12:50 82,944 --a------ D:\WINDOWS\system32\o4Patch.exe
2008-10-28 12:50 82,944 --a------ D:\WINDOWS\system32\IEDFix.exe
2008-10-28 12:50 82,944 --a------ D:\WINDOWS\system32\IEDFix.C.exe
2008-10-28 12:50 82,432 --a------ D:\WINDOWS\system32\404Fix.exe
2008-10-28 12:50 53,248 --a------ D:\WINDOWS\system32\Process.exe
2008-10-28 12:50 51,200 --a------ D:\WINDOWS\system32\dumphive.exe
2008-10-28 12:50 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe
2008-10-28 12:50 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe
2008-10-28 12:50 25,600 --a------ D:\WINDOWS\system32\WS2Fix.exe
2008-10-28 12:50 <DIR> d-------- D:\SmitfraudFix
2008-10-28 12:49 262,144 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT
2008-10-28 12:33 1,088,512 --a------ D:\ComboFix.exe
2008-10-28 12:17 119,808 --a------ D:\VundoFix.exe
2008-10-28 12:17 1,663,634 --a------ D:\SmitfraudFix.exe
2008-10-27 22:23 <DIR> d-------- D:\Program Files\Avenger
2008-10-27 21:40 49,152 --a------ D:\WINDOWS\nircmd.exe
2008-10-27 21:02 2,048 --a------ D:\WINDOWS\system32\kgblktnm.exe
2008-10-27 20:59 71,680 --a------ D:\WINDOWS\system32\xymnejph.dll
2008-10-27 20:25 388,608 --a------ D:\WINDOWS\system32\CF19354.exe
2008-10-27 14:35 <DIR> d-------- D:\Program Files\Exterminate It!
2008-10-27 14:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-10-27 13:56 2,048 --a------ D:\WINDOWS\system32\fxddodac.exe
2008-10-27 13:55 71,680 --a------ D:\WINDOWS\system32\rkrwacpk.dll
2008-10-27 12:32 71,680 --------- D:\WINDOWS\system32\iekwwjgj.dll
2008-10-27 12:31 355,431 --ahs---- D:\WINDOWS\system32\QWaHRqru.ini2
2008-10-27 12:29 281,600 --------- D:\WINDOWS\system32\urqRHaWQ.dll
2008-10-27 12:25 27,904 --a------ D:\WINDOWS\system32\drivers\ndisprot.sys
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\fccbBSkk.dll
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\awtqrqpp.dll
2008-10-27 12:24 <DIR> d-------- D:\WINDOWS\system32\675873
2008-10-14 14:38 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\AdobeUM
2008-10-10 16:36 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2008-10-10 13:53 <DIR> d-------- D:\Program Files\Messenger Plus! Live
2008-10-09 13:57 <DIR> d-------- D:\Documents and Settings\Other\Contacts
2008-10-09 13:57 <DIR> d-------- D:\DOCUME~1\Other\Contacts
2008-10-09 13:49 <DIR> d-------- D:\Program Files\Windows Live

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-10-28 03:53:11 -------- d-----w D:\Program Files\DC++
2008-10-19 05:39:20 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\Orbit
2008-10-15 04:30:07 359,040 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-09-27 08:19:12 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\uTorrent
2008-09-16 13:55:48 -------- d-----w D:\Program Files\McAfee

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{000123B4-9B42-4900-B3F7-F4B073EFC214}=D:\Program Files\Orbitdownloader\orbitcth.dll [2007-02-05 13:34]
{476CC7E8-4123-4298-B064-35F12003B861}=D:\WINDOWS\system32\urqRHaWQ.dll [2008-10-27 12:30]
{53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=D:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-10-24 05:51]
{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}=D:\WINDOWS\system32\fccbBSkk.dll [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-29 13:50 D:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 10:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Tok-Cirrhatus"="D:\Documents and Settings\Other\Local Settings\Application Data\smss.exe" []
"MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}"="D:\WINDOWS\system32\fccbBSkk.dll" [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbBSkk]
fccbBSkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 D:\WINDOWS\system32\urqRHaWQ

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"srservice"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RemoteRegistry"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McODS"=3 (0x3)
"LmHosts"=3 (0x3)
"lanmanworkstation"=3 (0x3)
"lanmanserver"=3 (0x3)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"dmadmin"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=3 (0x3)
"BITS"=3 (0x3)
"AppMgmt"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c12-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com c:
Open\command- C:\resycled\boot.com c:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c13-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
Open\command- D:\resycled\boot.com d:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c14-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com e:
Open\command- E:\resycled\boot.com e:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c15-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
Open\command- F:\resycled\boot.com f:

Contents of the 'Scheduled Tasks' folder
2007-10-30 06:46:45 D:\WINDOWS\tasks\McDefragTask.job
2007-10-30 06:46:42 D:\WINDOWS\tasks\McQcTask.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 15:48:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2008-10-28 15:54:21 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2008-10-28 15:54
D:\ComboFix2.txt ... 2008-10-27 21:40

--- E O F ---

2004-08-04 03:56 69120 --a------ D:\Qoobox\Quarantine\D\WINDOWS\system32\kdbnl.exe.vir

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Completed script processing.

*******************

Finished! Terminate.

SmitFraudFix v2.367

Scan done at 20:20:12.81, 2008-11-04
Run from D:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Description: Intel(R) PRO/100+ Management Adapter with Alert On LAN* - Packet Scheduler Miniport
DNS Server Search Order: 203.81.204.3
DNS Server Search Order: 203.81.204.23

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Description: Intel(R) PRO/100+ Management Adapter with Alert On LAN* - Packet Scheduler Miniport
DNS Server Search Order: 203.81.204.3
DNS Server Search Order: 203.81.204.23

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
Re: popups in firefox

For some reason I cannot run Microsoft® Windows® Malicious Software Removal Tool (KB890830). Also I have used the software Spybot Search and Destroy and cleanup.
Re: popups in firefox

I have used ATF-Cleaner but could not use the Firefox option in it. Meanwhile another popup with a different IP opened.

http://85.17.166.181/go//?cmp=nm_firefox_rn&uid=00C2C7DAA3F911DDB0A9150044CFFFFF&rid=zdez&guid=18F0032549E7424087A87FF6D789E65C&affid=150044&lid=http&url=%7Bhttp:%2F%2F%5B0-9a-zA-Z%5C+%5C%%5C.%5C;%5C,%5C-%5C_%5C%3F%5C%23%26%5C=%5C%7B%5C%7D%5C%5B%5C%5D%5C%2F%5C%5C%5C$%5C:%5C@%5C%5E%5C~%5C%60%5D+%7D&v=1156&m=irq4
Re: popups in firefox

A popup came up with an IP of 85.something; after a little while this opened:

http://quick-antivirus-scan.com/2009...u=770522150044

I did not download anything from that website.
Re: popups in firefox

I ran the ESET scanner online but could only manage an hour; it was scanning my C drive while the OS is on D. Here is the log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3596 (20081107)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=db0c41f44b777846bdf11f40760fbe12
# end=stopped
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-08 09:59:19
# local_time=2008-11-08 02:59:19 (+0500, West Asia Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=79470
# found=4
# scan_time=3499
C:\Program Files\AIM\WxBug.EXE Win32/Adware.WBug.A application E0D92AC5FDD264E4ED40D45C75934F1B
C:\Program Files\AIM\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application E0D92AC5FDD264E4ED40D45C75934F1B
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000

I can try any other software from ESET like NOD32, if you want.
Re: popups in firefox

You need to go in and UNINSTALL all those extra programs you used: Combofix, VundoFix, Avenger, SmitFraudFix. KEEP Malwarebytes Anti-Malware and Spybot. Also keep the ATF-Cleaner.

Don't worry about the Microsoft® Windows® Malicious Software Removal Tool; for whatever reasons many cannot run this tool.

To uninstall Combofix do the following:

Click START then RUN. Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there. When shown the disclaimer, select "2".

I cannot stress enough here again for others who may be reading this that Combofix is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could adversely impact your system and prevent it from ever starting again. One of the things that shouldn't be done is use this tool over and over; it should be used one time unless directed to do it again. When that is done it is usually recommended that the original be removed and a new copy downloaded if needed again. Please remove it from your system.

VundoFix and SmitfraudFix are also infection-specific tools, indicated when these two infections are present but not to be used for general cleaning of the computer. These days Malwarebytes' Anti-Malware is the tool most often recommended as a FIRST step because it updates frequently (often times DAILY) AND it does remove many, many infections including Vundo infections.

Now since the problem only happens with Firefox AND you could not use the ATF Firefox option, this says to me that your copy of Firefox is probably infected and very likely corrupted. You said you are using Firefox 2, so it is out of date. The current version is version 3.0.3. I hate to have you download a new copy before getting that infection out of there and risk having that one infected too, so let's try to see if we can get that cleaned out.

Update the MBA-M program, then download CCleaner.

Shut down completely, disconnect the internet cable from the computer; this way the computer cannot go online. Then reboot to Safe Mode:

1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode.

Once the computer is in Safe Mode, first run the ATF-Cleaner; again do both clean up options, first IE and then Firefox.

Next run CCleaner on the default cleaning options, which is exactly how it will be when you open the program. It will scan the computer and list files which can be removed. Let it remove all it finds.

Next run a Full system scan with MBA-M and allow it to clean all it finds.

Shut down the computer. Re-attach the internet cable to the computer and reboot to normal mode.

Run a new HJT scan and post back here with the MBA-M log and the HJT log.

Judy
Re: popups in firefox

Yesterday I ran MBA-M; here is the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1343
Windows 5.1.2600 Service Pack 2

11/8/2008 5:18:42 PM
mbam-log-2008-11-08 (17-18-41).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 41708
Time elapsed: 55 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\wvUkHBUm.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\wvukhbum -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\wvukhbum -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\wvUkHBUm.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\mUBHkUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mUBHkUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hxwawvge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\egvwawxh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\jgtdehvq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\qvhedtgj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rjxwnyni.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\inynwxjr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

After which, today so far there are no popups. I could not uninstall Combofix the way you asked; could I just delete it? I uninstalled Viewpoint; I hope that removes it. Now I will do the instructions as you asked. Thank you.
Re: popups in firefox

What happened when you tried to remove Combofix? Yes, you can just delete it, though it will not remove any backups these multiple runnings have done.
Re: popups in firefox

I have done all the scans the way you asked me to. ATF-Cleaner: once again I could not use the Firefox option, but now I know why: Firefox is actually not installed in the Windows I run; I run the copy from my previous installation of Windows, which I deleted a year back. However, while running CCleaner it was able to delete the Firefox files and there is no history or cookies left. Then I ran MBA-M and here is the report:

Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 5.1.2600 Service Pack 2

11/9/2008 1:09:59 PM
mbam-log-2008-11-09 (13-09-59).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 48967
Time elapsed: 47 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\ssqNGvtT.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88ad8087-a4fa-4c3c-9613-63bc69d0bd11} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88ad8087-a4fa-4c3c-9613-63bc69d0bd11} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\ssqngvtt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\ssqngvtt -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\ssqNGvtT.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\TtvGNqss.ini (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\TtvGNqss.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rvjogjrk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\krjgojvr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

After which the HJT log looks like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15:31, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6A044BCA-7D52-4619-B36C-96FD0A436DD7} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099} - D:\WINDOWS\system32\fccbBSkk.dll
O2 - BHO: (no name) - {A957451F-324E-472A-BE5C-B8B8E68EDA5A} - (no file)
O2 - BHO: (no name) - {EE528997-7B75-45EA-AB8A-0298C5D3F04D} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fccbBSkk - D:\WINDOWS\SYSTEM32\fccbBSkk.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

-- End of file - 4348 bytes

The computer appears to be running smoothly now. Although there are no more popups coming now, I am still not 100% sure.
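The HijackThis log above still shows the Vundo pattern that the helpers keep pointing at: one DLL (fccbBSkk.dll) registered both as an unnamed BHO (O2) and as a Winlogon Notify package (O20), plus a row of orphaned "(no file)" BHO entries. The script below is an added example, not a tool from this thread or from Trend Micro; it runs three triage checks over constructed HJT-style lines copied from the posts (the regexes and severity labels are my own choices, not part of the HJT format).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the HijackThis logs in this thread. The fccbBSkk.dll
# BHO / Winlogon Notify pair and the orphaned "(no file)" BHO are taken from the posts;
# the other lines are ordinary entries so the triage has benign input to pass over.
SAMPLE_HJT = r"""
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099} - D:\WINDOWS\system32\fccbBSkk.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: fccbBSkk - D:\WINDOWS\SYSTEM32\fccbBSkk.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# An HJT entry starts with a section tag (O2, O20, R0, ...) followed by " - ".
ENTRY_RE = re.compile(r"^[ORFN]\d+ - ")
# The module path is the drive-letter path that runs to the end of the line. Greedy
# matching from the first drive letter keeps paths containing " - " (Spybot) intact.
PATH_RE = re.compile(r"[A-Za-z]:\\.*\.(?:dll|exe)$", re.IGNORECASE)
# Loading from the Windows system32 directory (any drive: this thread's OS lives on D:).
WINDIR_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, line, path) tuples for each HJT entry line.

    path is None when no file path could be found, which is what the
    "(no file)" orphans and bare command lines such as "nwiz.exe /install" give.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not ENTRY_RE.match(line):
            continue  # header, process list, blank lines
        section = line.split(" - ", 1)[0]
        m = PATH_RE.search(line)
        entries.append((section, line, m.group(0) if m else None))
    return entries


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1] if path else None


def triage(entries):
    """Apply three checks drawn from this thread's logs.

    high:   the same module is registered at more than one autostart point
            (BHO + Winlogon Notify is the Vundo signature seen in the HJT log).
    medium: a BHO with no name that loads from system32.
    low:    a registry entry whose file is gone ("(no file)"), i.e. leftovers
            from an earlier cleanup that still merit removal.
    Returns (severity, reason, line) tuples, highest severity first.
    """
    sections_by_module = defaultdict(set)
    for section, _line, path in entries:
        if path:
            sections_by_module[_basename(path)].add(section)
    multi = {name for name, secs in sections_by_module.items() if len(secs) > 1}

    findings = []
    for section, line, path in entries:
        name = _basename(path)
        if name in multi:
            where = ", ".join(sorted(sections_by_module[name]))
            findings.append(("high", f"{name} registered at {where}", line))
        if section == "O2" and "(no name)" in line and path and WINDIR_RE.match(path):
            findings.append(("medium", "unnamed BHO loading from system32", line))
        if "(no file)" in line:
            findings.append(("low", "orphaned registry entry, file no longer present", line))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])  # stable: keeps log order within a level


def main():
    for severity, reason, line in triage(parse_hjt(SAMPLE_HJT)):
        print(f"[{severity:6}] {reason}")
        print(f"         {line}")


if __name__ == "__main__":
    main()
```

The "high" rule is the one worth keeping in any log review: a legitimate BHO has no reason to also register itself as a Winlogon Notify package or a ShellExecuteHook, which is exactly what the ComboFix output earlier in this thread shows for the same DLL.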
Re: popups in firefox

Please recommend what to do with Firefox. Do I install the new version (I have downloaded it already)? Since the previous Firefox was actually not installed from the OS I am running now, what do I need to do to remove it completely (i.e. registry, cookies etc.), as it is my default browser and IE is uninstalled from the Add/Remove Windows Components?
Re: popups in firefox

You need to do the following:

Download SmitFraudFix and save it to your desktop. Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps.

Next, please reboot your computer into Safe Mode by doing the following:

1. Restart your computer.
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear.
4. Select the first option, to run Windows in Safe Mode.
5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.

When your computer has started in safe mode, and you see the desktop, close all open windows. Now, double-click on the SmitFraudfix icon that should be residing on your desktop. When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

You will now see a menu. Press the number 2 on your keyboard and then press the enter key to choose the option Clean (safe mode recommended). The program will start cleaning your computer and go through a series of cleanup processes.

When SmitFraudFix is done, it will automatically start the Disk Cleanup program. This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with the next step.

When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.

When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.

Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.

Reboot the computer and run a new HJT scan. Post back here with that log and the Smitfraudfix log. We will deal with the Firefox problems shortly.

Judy
Re: popups in firefox

Run that MBA-M again, updating it first, and this time also have it scan the "C" drive. When you choose Full Scan you should get a box which allows you to tell the program which drives to scan. Be sure to put a check mark in BOTH "C" and "D" drives. Obviously Firefox cannot be the only thing on the "C" drive, so there are probably a lot of files never scanned with the MBA-M program. Run that and of course have it fix everything found.

Post back here with that log before running any other program I have told you to run.

Judy
Re: popups in firefox

I did the SmitFraudFix like you said, but for some reason it did not reboot as you mentioned. I think it could be because I had run this program previously, but this time it was a fresh copy (as I'd deleted the previous one) and I did as you told. Anyway, here is the log:

SmitFraudFix v2.374

Scan done at 13:54:31.54, 2008-11-10
Run from D:\Documents and Settings\Jahanzeb\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

For some reason my HJT is not able to create a log; it closes down with an error. Although I can scan, I cannot create a log.

The scan looks the same except this R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank and all the other (no file) ones are not there. Here is the process list from HJT, which for some reason works:

Process list saved on 14:27:55, on 2008-11-10
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
560 D:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
656 D:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
700 D:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
712 D:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
896 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1088 D:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1296 D:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1400 D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe 8.1.159.0 McAfee, Inc.
1412 d:\program files\common files\mcafee\mna\mcnasvc.exe 2.1.143.0 McAfee, Inc.
1468 d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe 2.0.150.0 McAfee, Inc.
1520 D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe 14.0.0.349 McAfee, Inc.
1568 D:\Program Files\McAfee\MPF\MPFSrv.exe 9.0.136.0 McAfee, Inc.
1604 D:\WINDOWS\system32\nvsvc32.exe 6.14.10.6693 NVIDIA Corporation
1772 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1180 D:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
972 D:\PROGRA~1\McAfee.com\Agent\mcagent.exe 8.0.237.0 McAfee, Inc.
2100 D:\WINDOWS\system32\wscntfy.exe 5.1.2600.2180 Microsoft Corporation
3120 D:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.1.45 RealNetworks, Inc.
3648 D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe 12.1.111.0 McAfee, Inc.
948 d:\PROGRA~1\mcafee\msc\mcuimgr.exe 8.0.226.0 McAfee, Inc.
2636 C:\PROGRA~1\MOZILL~1\FIREFOX.EXE 1.8.20080.17373 Mozilla Corporation
1728 D:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.

I will try reinstalling it; then I will post it if it works.
Re: popups in firefox

At last it worked. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:49, on 2008-11-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

-- End of file - 3376 bytes
Re: popups in firefox

This log looks better. I know you requested that MBA-M scan all drives, but it appears that it didn't scan "C" drive where your Firefox is located. Can you try it once more: click Full Scan, but when the box opens just put a check mark in "C" and take it out of the others. Let's see if it WILL scan "C" by itself.

Judy
Re: popups in firefox

This is the MBA-M log:

Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 5.1.2600 Service Pack 2

2008-11-11 12:25:00
mbam-log-2008-11-11 (12-25-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 20418
Time elapsed: 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\opnlllKA.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0b31c1c0-a374-4cf8-91f8-027c91495b2f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0b31c1c0-a374-4cf8-91f8-027c91495b2f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\opnlllka -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\opnlllka -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\opnlllKA.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\AKlllnpo.ini (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\AKlllnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xqamhktj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\jtkhmaqx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

I think the malware keeps on coming back. Today I had a pop-up from IP http://83.149.115.148/go//?cmp=nm_fi...&v=1156&m=irq4 and then later another, http://personalantispy.com/.ware/ind...52454b06015b52. Well, anyway, here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:29, on 2008-11-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6A044BCA-7D52-4619-B36C-96FD0A436DD7} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099} - D:\WINDOWS\system32\fccbBSkk.dll
O2 - BHO: (no name) - {A957451F-324E-472A-BE5C-B8B8E68EDA5A} - (no file)
O2 - BHO: (no name) - {EE528997-7B75-45EA-AB8A-0298C5D3F04D} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fccbBSkk - D:\WINDOWS\SYSTEM32\fccbBSkk.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

-- End of file - 4271 bytes

The (no file) things are back too.
Re: popups in firefox
Re: popups in firefox

Were these pop-ups in Firefox? I still don't know why "C" drive is not being scanned. The latest MBA-M scan shows that "D" drive was scanned, not "C", even though you told it to scan "C" drive. Can you tell me, what is on "C" drive? Firefox clearly showed it was running from "C" drive.
Re: popups in firefox

The C drive is scanned, I watched it. I think it's all clear from the C drive; it's just that the same Vundo trojan keeps coming back. Anyway, yesterday I tried superantispysweeper; it found many trojans, mostly Vundo. After which I ran MBA-M and it found nothing. I think it could be because of the registry, and this software detected at least 14 errors from the registry.
Re: popups in firefox

Quote:

Really sounds to me like a rootkit is on there, but you say your computer is now totally clean since running superantispysweeper. You will need to run a new HJT scan and post that log so we can complete the fixes in there before downloading the new Firefox version, but go ahead and completely uninstall Firefox. It is running from "C" drive, so you are going to have to go in there and uninstall it. You never answered: exactly what IS on "C" drive other than Firefox?
Re: popups in firefox

On my C drive I have movies, music videos and Counter-Strike. I used to have an OS on it before, like one year ago, but now I deleted it; I still have the Documents and Settings folder.
Re: popups in firefox

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:49:05, on 2008-11-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6A044BCA-7D52-4619-B36C-96FD0A436DD7} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A957451F-324E-472A-BE5C-B8B8E68EDA5A} - (no file)
O2 - BHO: (no name) - {EE528997-7B75-45EA-AB8A-0298C5D3F04D} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [e0ff4138] rundll32.exe "D:\WINDOWS\system32\mqqcncgr.dll",b
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

-- End of file - 4353 bytes

Since running the spysweeper I have this problem: whenever I start, it says this is missing: mqqcncgr.dll. I think it was removed.
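Added example, not from the thread and not HijackThis or Malwarebytes code: a small Python triage pass over the kinds of entries the two logs above contain, the MBA-M "Registry Data Items" lines (LSA Notification/Authentication Packages pointing at d:\windows\system32\opnlllka) and the HJT lines (an unnamed O2 BHO backed by a system32 DLL, the [e0ff4138] rundll32 Run value with its one-letter export, the O20 Winlogon Notify entries). The sample lines are copied from the posted logs with benign neighbours added as controls; the rules, the KNOWN_GOOD allowlist and the severity labels are my own heuristics and produce candidates for review, not verdicts.

```python
"""Triage of HijackThis / MBA-M log lines for Vundo-style persistence entries.

Added example for this thread; heuristics are the author's, not tool logic.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines from the logs posted above plus benign neighbours.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: (no name) - {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099} - D:\WINDOWS\system32\fccbBSkk.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [e0ff4138] rundll32.exe "D:\WINDOWS\system32\mqqcncgr.dll",b
O20 - Winlogon Notify: fccbBSkk - D:\WINDOWS\SYSTEM32\fccbBSkk.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\opnlllka -> Quarantined and deleted successfully.
"""

# Legitimate 8-letter, vowel-poor system32 names the random-name test would otherwise hit
# (assumed allowlist; extend it for your own baseline).
KNOWN_GOOD = {"schannel", "wintrust", "cryptdll", "netshell"}
# Exactly eight letters directly under \system32\, with or without a .dll suffix.
SYSTEM32_DLL = re.compile(r"\\system32\\([A-Za-z]{8})(?:\.dll)?\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": remove/investigate now; "low": orphan, or confirm ownership
    reason: str
    line: str


def looks_random(name: str) -> bool:
    """Vundo-style names (fccbBSkk, opnlllKA, mqqcncgr): 8 letters, at most two vowels."""
    return (len(name) == 8 and name.isalpha()
            and sum(c in "aeiouAEIOU" for c in name) <= 2
            and name.lower() not in KNOWN_GOOD)


def random_system32_dll(text: str) -> bool:
    m = SYSTEM32_DLL.search(text)
    return bool(m) and looks_random(m.group(1))


def classify(line: str):
    """Return a Finding for one log line, or None when nothing stands out."""
    line = line.strip()
    if line.startswith("O2 - BHO:"):
        if line.endswith("(no file)"):
            return Finding("low", "orphaned BHO CLSID, DLL already gone; fix to tidy", line)
        if "(no name)" in line:
            return Finding("high", "unnamed BHO loading a DLL", line)
        return None
    if line.startswith("O4 - ") and re.search(r"\brundll32(?:\.exe)?\b", line, re.I):
        hex_name = re.search(r"\[[0-9a-f]{8}\]", line, re.I)            # [e0ff4138]
        one_letter_export = re.search(r'\.dll"?,[A-Za-z]\s*$', line)    # ...dll",b
        if hex_name or one_letter_export or random_system32_dll(line):
            return Finding("high", "rundll32 Run value with hex name or bare export loading a system32 DLL", line)
        return None
    if line.startswith("O20 - Winlogon Notify:"):
        if random_system32_dll(line):
            return Finding("high", "Winlogon Notify package with random-looking name in system32", line)
        return Finding("low", "Winlogon Notify package; confirm it belongs to installed software", line)
    if re.search(r"\\LSA\\(?:Notification|Authentication) Packages\b", line, re.I):
        data = re.search(r"Data:\s*(\S+)", line)
        if data and random_system32_dll(data.group(1)):
            return Finding("high", "LSA package pointing at random-named DLL; lsass loads it at boot", line)
        return Finding("low", "LSA package entry; compare against the defaults (scecli, msv1_0)", line)
    return None


def triage(log_text: str):
    """Classify every line; highs first so the removal list sits at the top."""
    findings = [f for f in (classify(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: f.severity != "high")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:4} {f.reason}\n     {f.line}")
```

The O4 and LSA rules key on structure (a hex-named Run value, a one-letter export, a package that lsass.exe will load before any user logs on) rather than on the file name alone, because the random-name test is the weak part: an 8-letter, vowel-poor name is common enough among legitimate system32 DLLs that it only works with an allowlist, which is why the O20 and LSA branches fall back to a "low, confirm ownership" finding instead of staying silent.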
Re: popups in firefox

Quote:
Re: popups in firefox

I deleted the Windows folder and edited the boot.ini. Which antivirus, firewall and spyware tools should I use, a combination or an all-in-one?
Re: popups in firefox

Dude, do you think we can mark this as solved?
Re: popups in firefox

If you feel all is running well then certainly, mark it solved.

Judy
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC