popups in firefox

jazzyjaj
#1
Nov 7th, 2008
Recently I have been having these popups with IPs like:
http://89.188.16.43/go//?cmp=nm_firefox_rn&uid=00C2C7DAA3F911DDB0A9150044CFFFFF&rid=zdez&guid=18F0032549E7424087A87FF6D789E65C&affid=150044&lid=http&url=%7Bhttp:%2F%2F%5B0-9a-zA-Z%5C+%5C%%5C.%5C;%5C,%5C-%5C_%5C%3F%5C%23%26%5C=%5C%7B%5C%7D%5C%5B%5C%5D%5C%2F%5C%5C%5C$%5C:%5C@%5C%5E%5C~%5C%60%5D+%7D&v=1156&m=irq4
http://82.98.235.35/go//?cmp=nm_fire...&v=1156&m=irq4
after which they redirect to an antispyware website.
I have tried various things but nothing seems to sort it out.
I have tried AVG, antispyware, combofix, smitfraud, antimalware etc...
They have found many things but have not solved this issue.
Here is a copy of the HijackThis log; I do not see anything wrong there.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:33:46, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Real\RealPlayer\realplay.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\WINDOWS\system32\wscntfy.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe
D:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3793 bytes

Also the computer has become slow to start and the browsers are taking a lot of memory, like Firefox 70000k and Explorer 40000k.
Here is a list of processes:
Process list saved on 13:47:16, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
564 D:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
660 D:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
704 D:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
716 D:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
900 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1092 D:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1320 D:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1604 D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe 7.5.1.36 GRISOFT s.r.o.
1612 D:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1792 D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe 8.1.159.0 McAfee, Inc.
1812 d:\program files\common files\mcafee\mna\mcnasvc.exe 2.1.143.0 McAfee, Inc.
1872 d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe 2.0.150.0 McAfee, Inc.
1928 D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe 14.0.0.349 McAfee, Inc.
220 D:\Program Files\McAfee\MPF\MPFSrv.exe 9.0.136.0 McAfee, Inc.
408 D:\WINDOWS\system32\nvsvc32.exe 6.14.10.6693 NVIDIA Corporation
428 D:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.1.45 RealNetworks, Inc.
916 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1424 D:\PROGRA~1\McAfee.com\Agent\mcagent.exe 8.0.237.0 McAfee, Inc.
1772 D:\Program Files\Viewpoint\Common\ViewpointService.exe 2.0.0.54 Viewpoint Corporation
2728 D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe 12.1.111.0 McAfee, Inc.
2824 D:\WINDOWS\system32\wscntfy.exe 5.1.2600.2180 Microsoft Corporation
3440 d:\PROGRA~1\mcafee\msc\mcuimgr.exe 8.0.226.0 McAfee, Inc.
3748 D:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
2356 C:\PROGRA~1\MOZILL~1\FIREFOX.EXE 1.8.20080.17373 Mozilla Corporation
2700 D:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.
jholland1964

Re: popups in firefox

#2
Nov 7th, 2008
Hi and welcome to daniweb.
First of all I must caution all who may be reading this that several of the programs you have said that you ran should NOT have been run without FIRST being told to do so by a helper or somebody assisting you with problems. The main one I am concerned about is combofix. This is a very powerful tool which produces a very long and complicated log after doing its work. It takes quite a while to read and interpret one of these logs. Since you didn't post any of the logs from the programs you ran and you say "they have found many things but not solve this issue" we have absolutely no idea what was found or what was removed OR where they were located on the system. We really are not certain what programs you did run, except for combofix, smitfraud and AVG Anti-Spyware 7.5, which is no longer available as a stand-alone product so it cannot be counted on as doing the work anymore, and then you say "antimalware etc..." What "antimalware"?
Your auto starting program and auto starting services list is extremely small showing only graphics card software, realplayer update, your McAfee program and Viewpoint Manager Service (which is actually considered to be malware and should be removed). The running processes list you posted shows exactly the same thing as the Running Processes list from the HiJackThis log so there is nothing different or unusual there. We don't know what version of Firefox you are running. What version is it?
I would like to see both the combofix log and the smitfraud log and any other logs from all the other programs that you ran. Post those here first.
THEN;

Did you follow the steps given in Read me before posting a request for assistance thread at the top of this page?
Ignore the Deckard Scanner program as it is not available but I would like you to follow ALL of the other steps, including ATF-Cleaner, Malwarebytes' Anti-Malware, ESET online scanner. Be sure to reboot the computer AFTER running MBA-M. Once you have done those steps then post back here with those NEW logs and a new HJT scan log completed AFTER you have followed the steps given in the "Read Me Before" sticky.
Judy
jazzyjaj

Re: popups in firefox

#3
Nov 8th, 2008
I am using a Pentium 3 863MHz with WinXP SP2.
I use Firefox 2, and use this computer mainly for browsing purposes.
The antimalware I mentioned is the same Malwarebytes' Anti-Malware mentioned in the "Read me before" request. However, I had performed a quick scan previously, but will perform a full scan later.
Here is the log of the earlier scan:
Malwarebytes' Anti-Malware 1.30
Database version: 1343
Windows 5.1.2600 Service Pack 2

2008-10-31 20:51:16
mbam-log-2008-10-31 (20-51-16).txt

Scan type: Quick Scan
Objects scanned: 47052
Time elapsed: 9 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 1
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\mstbvgpb.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\urqRHaWQ.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b9997de8-1685-47d1-903f-f2a862fef950} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b9997de8-1685-47d1-903f-f2a862fef950} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b9997de8-1685-47d1-903f-f2a862fef950} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\z444.z444mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\z444.z444mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{030a0f33-5b99-482e-83f5-2eeb8457878b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{030a0f33-5b99-482e-83f5-2eeb8457878b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e0ff4138 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\urqrhawq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdptp.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: d:\windows\system32\urqrhawq -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{92d437af-0b8a-4735-975e-2d5679051dba}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.164,85.255.112.81 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{92d437af-0b8a-4735-975e-2d5679051dba}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.164,85.255.112.81 -> Delete on reboot.

Folders Infected:
D:\WINDOWS\system32\675873 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
D:\WINDOWS\system32\urqRHaWQ.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\QWaHRqru.ini (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\QWaHRqru.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\iekwwjgj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\jgjwwkei.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mstbvgpb.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\bpgvbtsm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mtggixei.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\iexiggtm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rkrwacpk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kpcawrkr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xrfvadoh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hodavfrx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xymnejph.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hpjenmyx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kdptp.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
D:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\fxddodac.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kgblktnm.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rpcnyufi.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ufvfcshx.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ypcumgog.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\Documents and Settings\Other\Local Settings\Temporary Internet Files\Content.IE5\8DUZ05YV\kb20010911[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\Documents and Settings\Other\Local Settings\Temporary Internet Files\Content.IE5\ENW8807K\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jahanzeb\Local Settings\Temporary Internet Files\Content.IE5\GHUBSHYV\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jahanzeb\Local Settings\Temporary Internet Files\Content.IE5\GXMJ0TEV\kb20010911[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\675873\675873.dll (Trojan.BHO) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
D:\USM2Trial.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
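Two entries in the log above deserve more attention than the dozens of random-named Vundo DLLs: the DhcpNameServer values rewritten to 85.255.116.164 and 85.255.112.81 (every DNS lookup on the box, including lookups for the update servers of the scanners being run, goes through attacker-controlled resolvers until that is undone), and the DLL added to the LSA Authentication Packages and Notification Packages lists (loaded into lsass.exe at boot, before any user-mode scanner, which is why MBAM can only mark it "Delete on reboot"). The script below is an added example for this thread, not a Malwarebytes tool and not from the original post: it parses the "Registry Data Items Infected" section of an MBAM 1.x log in the format shown above and pulls those two classes of item out, plus everything still pending a reboot. It assumes that the two resolvers in the log belong to a rogue block, 85.255.112.0/20; the sample input embeds four lines copied from the posted log and one constructed entry (the 8.8.8.8 line) so the range check has a negative case.

```python
"""
Triage helper for the 'Registry Data Items Infected' section of a
Malwarebytes' Anti-Malware 1.x log, in the format posted in this thread.
Added example for the thread; it is not a Malwarebytes tool.
"""
import ipaddress
import re

# ASSUMPTION: the two resolvers in the posted log (85.255.116.164 and
# 85.255.112.81) are treated as members of a rogue block, 85.255.112.0/20.
# Replace with your own threat-intel list when using this for real.
BAD_DNS_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# Sample input: four lines copied from the posted MBAM log plus one
# CONSTRUCTED line (the 8.8.8.8 entry) so the range check has a negative case.
SAMPLE_LOG = r"""
Registry Data Items Infected: 5

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\urqrhawq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdptp.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: d:\windows\system32\urqrhawq -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{92d437af-0b8a-4735-975e-2d5679051dba}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.164,85.255.112.81 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}\NameServer (Trojan.DNSChanger) -> Data: 8.8.8.8 -> Delete on reboot.

Folders Infected:
D:\WINDOWS\system32\675873 (Trojan.BHO) -> Quarantined and deleted successfully.
"""

# One MBAM data-item line: <key> (<detection>) -> Data: <data> -> <action>
DATA_LINE = re.compile(
    r"^(?P<key>HK.+?) \((?P<detection>[^()]+)\) -> Data: (?P<data>.+?) -> (?P<action>.+)$"
)


def parse_data_items(log_text):
    """Return one dict per line of the 'Registry Data Items Infected:' section."""
    items = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Registry Data Items Infected:":
            in_section = True      # the summary line has a count after the colon, so it is skipped
            continue
        if in_section and line.endswith("Infected:"):
            break                  # next section header reached
        if in_section:
            m = DATA_LINE.match(line)
            if m:
                items.append(m.groupdict())
    return items


def rogue_dns_servers(items):
    """(key, address) for resolvers under Tcpip\\...\\Interfaces that sit in a bad range."""
    hits = []
    for it in items:
        key = it["key"]
        if "\\Tcpip\\Parameters\\Interfaces\\" not in key or not key.endswith("NameServer"):
            continue
        for token in re.split(r"[,\s]+", it["data"]):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue
            if any(addr in net for net in BAD_DNS_RANGES):
                hits.append((key, str(addr)))
    return hits


def lsa_package_injections(items):
    """(list name, module) for DLLs added to the LSA package lists.

    Anything listed there is loaded into lsass.exe at boot, before user-mode
    scanners run, which is why MBAM can only mark it 'Delete on reboot'.
    """
    return [
        (it["key"].rsplit("\\", 1)[-1], it["data"])
        for it in items
        if "\\Control\\LSA\\" in it["key"] and it["key"].endswith("Packages")
    ]


def pending_until_reboot(items):
    """Keys MBAM could not clean while the machine was running."""
    return [it["key"] for it in items if it["action"].startswith("Delete on reboot")]


def triage(log_text):
    items = parse_data_items(log_text)
    return {
        "rogue_dns": rogue_dns_servers(items),
        "lsa_packages": lsa_package_injections(items),
        "pending_reboot": pending_until_reboot(items),
    }


if __name__ == "__main__":
    for section, rows in triage(SAMPLE_LOG).items():
        print(f"== {section} ({len(rows)})")
        for row in rows:
            print("  ", row)
```

Run it against a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file contents. The same two checks can be made directly on the machine: the per-adapter NameServer/DhcpNameServer values live under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, and the LSA lists under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. A log with anything in the pending-reboot list means the scan must be followed by a reboot and a rescan before the result means anything, which is the point of the reboot instruction in the reply above.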
jazzyjaj

Re: popups in firefox

#4
Nov 8th, 2008
This post will have the logs of all the other scans I had performed:

VundoFix V7.0.6

Scan started at 17:20:42 2008-10-28

Listing files found while scanning....

D:\Windows\system32\NCTAudioCDGrabber2.dll
D:\Windows\system32\NCTAudioFile2.dll
D:\Windows\system32\NCTAudioPlayer2.dll
D:\Windows\system32\NCTAudioRecord2.dll
D:\Windows\system32\NCTAVIFile.dll
D:\Windows\system32\NCTQuickTimeFile.dll
D:\Windows\system32\NCTVideoCoreM.dll
D:\Windows\system32\NCTWMAFile2.dll

Beginning removal...

Attempting to delete D:\Windows\system32\NCTAudioCDGrabber2.dll
D:\Windows\system32\NCTAudioCDGrabber2.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTAudioFile2.dll
D:\Windows\system32\NCTAudioFile2.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTAudioPlayer2.dll
D:\Windows\system32\NCTAudioPlayer2.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTAudioRecord2.dll
D:\Windows\system32\NCTAudioRecord2.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTAVIFile.dll
D:\Windows\system32\NCTAVIFile.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTQuickTimeFile.dll
D:\Windows\system32\NCTQuickTimeFile.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTVideoCoreM.dll
D:\Windows\system32\NCTVideoCoreM.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTWMAFile2.dll
D:\Windows\system32\NCTWMAFile2.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.6

Scan started at 1:32:48 PM 11/2/2008

Listing files found while scanning....

No infected files were found.

Combofix: I used this application, I think, three times:
"Other" - 2008-11-04 19:56:32 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.BV - Running from: "D:\"


((((((((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 ))))))))))))))))))))))))))))))))))


2008-11-04 18:55 72,192 --a------ D:\WINDOWS\system32\lpqewhng.dll
2008-11-03 16:22 72,192 --a------ D:\WINDOWS\system32\sgincsoh.dll
2008-11-02 11:12 72,192 --a------ D:\WINDOWS\system32\mkecmtiy.dll
2008-11-02 10:39 71,680 --a------ D:\WINDOWS\system32\udcrfrup.dll
2008-11-01 10:36 311,667 --ahs---- D:\WINDOWS\system32\edeLRqru.ini2
2008-11-01 10:35 282,112 --a------ D:\WINDOWS\system32\urqRLede.dll
2008-10-31 20:38 <DIR> d-------- D:\DOCUME~1\Jahanzeb\APPLIC~1\Malwarebytes
2008-10-31 20:03 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\Malwarebytes
2008-10-31 20:02 38,496 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-31 20:02 15,504 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-10-31 20:02 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-10-31 20:02 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2008-10-28 19:04 7,507,296 --a------ D:\rminstall.exe
2008-10-28 18:41 812,344 --a------ D:\HJTInstall.exe
2008-10-28 18:41 15,083,520 --a------ D:\spybotsd160.exe
2008-10-28 17:20 <DIR> d-------- D:\VundoFix Backups
2008-10-28 12:53 880 --a------ D:\WINDOWS\system32\tmp.reg
2008-10-28 12:50 <DIR> d-------- D:\SmitfraudFix
2008-10-28 12:49 262,144 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT
2008-10-28 12:33 1,088,512 --a------ D:\ComboFix.exe
2008-10-28 12:17 119,808 --a------ D:\VundoFix.exe
2008-10-28 12:17 1,663,634 --a------ D:\SmitfraudFix.exe
2008-10-27 22:23 <DIR> d-------- D:\Program Files\Avenger
2008-10-27 21:40 49,152 --a------ D:\WINDOWS\nircmd.exe
2008-10-27 20:25 388,608 --a------ D:\WINDOWS\system32\CF19354.exe
2008-10-27 14:35 <DIR> d-------- D:\Program Files\Exterminate It!
2008-10-27 14:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-10-27 12:25 27,904 --a------ D:\WINDOWS\system32\drivers\ndisprot.sys
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\fccbBSkk.dll
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\awtqrqpp.dll
2008-10-14 14:38 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\AdobeUM
2008-10-10 16:36 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2008-10-10 13:53 <DIR> d-------- D:\Program Files\Messenger Plus! Live
2008-10-09 13:57 <DIR> d-------- D:\Documents and Settings\Other\Contacts
2008-10-09 13:57 <DIR> d-------- D:\DOCUME~1\Other\Contacts
2008-10-09 13:49 <DIR> d-------- D:\Program Files\Windows Live


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-11-04 13:58:33 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\Skype
2008-11-04 13:31:25 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\skypePM
2008-11-04 08:15:44 -------- d-----w D:\Program Files\DC++
2008-10-31 12:23:46 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\uTorrent
2008-10-30 11:23:37 1,427 ----a-w D:\WINDOWS\mozver.dat
2008-10-15 04:30:07 359,040 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-09-29 17:32:30 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\dvdcss
2008-09-19 16:00:50 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\Creative
2008-09-16 13:55:48 -------- d-----w D:\Program Files\McAfee


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{000123B4-9B42-4900-B3F7-F4B073EFC214}=D:\Program Files\Orbitdownloader\orbitcth.dll [2007-02-05 13:34]
{53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=D:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-10-24 05:51]
{8FBC6088-3303-4856-9992-EE901F543755}=D:\WINDOWS\system32\urqRLede.dll [2008-11-01 10:36]
{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}=D:\WINDOWS\system32\fccbBSkk.dll [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-29 13:50 D:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 10:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}"="D:\WINDOWS\system32\fccbBSkk.dll" [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbBSkk]
fccbBSkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 D:\WINDOWS\system32\urqRLede

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"srservice"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RemoteRegistry"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McODS"=3 (0x3)
"LmHosts"=3 (0x3)
"lanmanworkstation"=3 (0x3)
"lanmanserver"=3 (0x3)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"dmadmin"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=3 (0x3)
"BITS"=3 (0x3)
"AppMgmt"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-10-30 06:46:45 D:\WINDOWS\tasks\McDefragTask.job
2007-10-30 06:46:42 D:\WINDOWS\tasks\McQcTask.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 20:00:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-11-04 20:02:45
D:\ComboFix-quarantined-files.txt ... 2008-11-04 20:02
D:\ComboFix2.txt ... 2008-11-02 13:29
D:\ComboFix3.txt ... 2008-10-28 15:54

--- E O F ---

"Jahanzeb" - 2008-11-02 13:23:41 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.BV - Running from: "D:\"


((((((((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 ))))))))))))))))))))))))))))))))))


2008-11-02 11:12 72,192 --a------ D:\WINDOWS\system32\mkecmtiy.dll
2008-11-02 10:39 71,680 --a------ D:\WINDOWS\system32\udcrfrup.dll
2008-11-01 10:36 328,688 --ahs---- D:\WINDOWS\system32\edeLRqru.ini2
2008-11-01 10:35 282,112 --a------ D:\WINDOWS\system32\urqRLede.dll
2008-10-31 20:38 <DIR> d-------- D:\DOCUME~1\Jahanzeb\APPLIC~1\Malwarebytes
2008-10-31 20:03 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\Malwarebytes
2008-10-31 20:02 38,496 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-31 20:02 15,504 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-10-31 20:02 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-10-31 20:02 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2008-10-28 19:04 7,507,296 --a------ D:\rminstall.exe
2008-10-28 18:41 812,344 --a------ D:\HJTInstall.exe
2008-10-28 18:41 15,083,520 --a------ D:\spybotsd160.exe
2008-10-28 17:20 <DIR> d-------- D:\VundoFix Backups
2008-10-28 12:53 880 --a------ D:\WINDOWS\system32\tmp.reg
2008-10-28 12:50 <DIR> d-------- D:\SmitfraudFix
2008-10-28 12:49 262,144 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT
2008-10-28 12:33 1,088,512 --a------ D:\ComboFix.exe
2008-10-28 12:17 119,808 --a------ D:\VundoFix.exe
2008-10-28 12:17 1,663,634 --a------ D:\SmitfraudFix.exe
2008-10-27 22:23 <DIR> d-------- D:\Program Files\Avenger
2008-10-27 21:40 49,152 --a------ D:\WINDOWS\nircmd.exe
2008-10-27 20:25 388,608 --a------ D:\WINDOWS\system32\CF19354.exe
2008-10-27 14:35 <DIR> d-------- D:\Program Files\Exterminate It!
2008-10-27 14:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-10-27 12:25 27,904 --a------ D:\WINDOWS\system32\drivers\ndisprot.sys
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\fccbBSkk.dll
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\awtqrqpp.dll
2008-10-14 14:38 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\AdobeUM
2008-10-10 16:36 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2008-10-10 13:53 <DIR> d-------- D:\Program Files\Messenger Plus! Live
2008-10-09 13:57 <DIR> d-------- D:\DOCUME~1\Other\Contacts
2008-10-09 13:49 <DIR> d-------- D:\Program Files\Windows Live


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-11-01 17:22:48 -------- d-----w D:\Program Files\DC++
2008-10-30 11:23:37 1,427 ----a-w D:\WINDOWS\mozver.dat
2008-10-28 14:35:52 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\uTorrent
2008-10-28 12:55:54 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\Orbit
2008-10-15 04:30:07 359,040 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-09-16 13:55:48 -------- d-----w D:\Program Files\McAfee


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{000123B4-9B42-4900-B3F7-F4B073EFC214}=D:\Program Files\Orbitdownloader\orbitcth.dll [2007-02-05 13:34]
{53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25]
{61C44C25-C3DA-4DE4-B568-BB010772382A}=D:\WINDOWS\system32\urqRLede.dll [2008-11-01 10:36]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=D:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-10-24 05:51]
{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}=D:\WINDOWS\system32\fccbBSkk.dll [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-29 13:50 D:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 10:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pop-Up-Blocker"="" []
"TransparentIcons"="" []
"BlockAds"="" []
"Tweak-XP"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}"="D:\WINDOWS\system32\fccbBSkk.dll" [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbBSkk]
fccbBSkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 D:\WINDOWS\system32\urqRLede

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"srservice"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RemoteRegistry"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McODS"=3 (0x3)
"LmHosts"=3 (0x3)
"lanmanworkstation"=3 (0x3)
"lanmanserver"=3 (0x3)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"dmadmin"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=3 (0x3)
"BITS"=3 (0x3)
"AppMgmt"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-10-30 06:46:45 D:\WINDOWS\tasks\McDefragTask.job
2007-10-30 06:46:42 D:\WINDOWS\tasks\McQcTask.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 13:27:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-11-02 13:29:55
D:\ComboFix-quarantined-files.txt ... 2008-11-02 13:29
D:\ComboFix2.txt ... 2008-10-28 15:54
D:\ComboFix3.txt ... 2008-10-27 21:40

--- E O F ---

"Jahanzeb" - 2008-10-28 13:35:19 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.BV - Running from: "D:\"


((((((((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 ))))))))))))))))))))))))))))))))))


2008-10-28 13:05 <DIR> dr-hs---- D:\resycled
2008-10-28 12:53 600 --a------ D:\WINDOWS\system32\tmp.reg
2008-10-28 12:50 88,576 --a------ D:\WINDOWS\system32\AntiXPVSTFix.exe
2008-10-28 12:50 87,552 --a------ D:\WINDOWS\system32\VACFix.exe
2008-10-28 12:50 82,944 --a------ D:\WINDOWS\system32\o4Patch.exe
2008-10-28 12:50 82,944 --a------ D:\WINDOWS\system32\IEDFix.exe
2008-10-28 12:50 82,944 --a------ D:\WINDOWS\system32\IEDFix.C.exe
2008-10-28 12:50 82,432 --a------ D:\WINDOWS\system32\404Fix.exe
2008-10-28 12:50 53,248 --a------ D:\WINDOWS\system32\Process.exe
2008-10-28 12:50 51,200 --a------ D:\WINDOWS\system32\dumphive.exe
2008-10-28 12:50 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe
2008-10-28 12:50 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe
2008-10-28 12:50 25,600 --a------ D:\WINDOWS\system32\WS2Fix.exe
2008-10-28 12:50 <DIR> d-------- D:\SmitfraudFix
2008-10-28 12:49 262,144 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT
2008-10-28 12:33 1,088,512 --a------ D:\ComboFix.exe
2008-10-28 12:17 119,808 --a------ D:\VundoFix.exe
2008-10-28 12:17 1,663,634 --a------ D:\SmitfraudFix.exe
2008-10-27 22:23 <DIR> d-------- D:\Program Files\Avenger
2008-10-27 21:40 49,152 --a------ D:\WINDOWS\nircmd.exe
2008-10-27 21:02 2,048 --a------ D:\WINDOWS\system32\kgblktnm.exe
2008-10-27 20:59 71,680 --a------ D:\WINDOWS\system32\xymnejph.dll
2008-10-27 20:25 388,608 --a------ D:\WINDOWS\system32\CF19354.exe
2008-10-27 14:35 <DIR> d-------- D:\Program Files\Exterminate It!
2008-10-27 14:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-10-27 13:56 2,048 --a------ D:\WINDOWS\system32\fxddodac.exe
2008-10-27 13:55 71,680 --a------ D:\WINDOWS\system32\rkrwacpk.dll
2008-10-27 12:32 71,680 --------- D:\WINDOWS\system32\iekwwjgj.dll
2008-10-27 12:31 355,431 --ahs---- D:\WINDOWS\system32\QWaHRqru.ini2
2008-10-27 12:29 281,600 --------- D:\WINDOWS\system32\urqRHaWQ.dll
2008-10-27 12:25 27,904 --a------ D:\WINDOWS\system32\drivers\ndisprot.sys
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\fccbBSkk.dll
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\awtqrqpp.dll
2008-10-27 12:24 <DIR> d-------- D:\WINDOWS\system32\675873
2008-10-14 14:38 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\AdobeUM
2008-10-10 16:36 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2008-10-10 13:53 <DIR> d-------- D:\Program Files\Messenger Plus! Live
2008-10-09 13:57 <DIR> d-------- D:\Documents and Settings\Other\Contacts
2008-10-09 13:57 <DIR> d-------- D:\DOCUME~1\Other\Contacts
2008-10-09 13:49 <DIR> d-------- D:\Program Files\Windows Live


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-10-28 03:53:11 -------- d-----w D:\Program Files\DC++
2008-10-19 05:39:20 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\Orbit
2008-10-15 04:30:07 359,040 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-09-27 08:19:12 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\uTorrent
2008-09-16 13:55:48 -------- d-----w D:\Program Files\McAfee


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{000123B4-9B42-4900-B3F7-F4B073EFC214}=D:\Program Files\Orbitdownloader\orbitcth.dll [2007-02-05 13:34]
{476CC7E8-4123-4298-B064-35F12003B861}=D:\WINDOWS\system32\urqRHaWQ.dll [2008-10-27 12:30]
{53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=D:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-10-24 05:51]
{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}=D:\WINDOWS\system32\fccbBSkk.dll [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-29 13:50 D:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 10:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Tok-Cirrhatus"="D:\Documents and Settings\Other\Local Settings\Application Data\smss.exe" []
"MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}"="D:\WINDOWS\system32\fccbBSkk.dll" [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbBSkk]
fccbBSkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 D:\WINDOWS\system32\urqRHaWQ

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"srservice"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RemoteRegistry"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McODS"=3 (0x3)
"LmHosts"=3 (0x3)
"lanmanworkstation"=3 (0x3)
"lanmanserver"=3 (0x3)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"dmadmin"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=3 (0x3)
"BITS"=3 (0x3)
"AppMgmt"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c12-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com c:
Open\command- C:\resycled\boot.com c:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c13-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
Open\command- D:\resycled\boot.com d:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c14-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com e:
Open\command- E:\resycled\boot.com e:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c15-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
Open\command- F:\resycled\boot.com f:


Contents of the 'Scheduled Tasks' folder
2007-10-30 06:46:45 D:\WINDOWS\tasks\McDefragTask.job
2007-10-30 06:46:42 D:\WINDOWS\tasks\McQcTask.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 15:48:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-10-28 15:54:21 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2008-10-28 15:54
D:\ComboFix2.txt ... 2008-10-27 21:40

--- E O F ---

2004-08-04 03:56      69120    --a------    D:\Qoobox\Quarantine\D\WINDOWS\system32\kdbnl.exe.vir
2008-08-15 10:11      26624    --a------    D:\Qoobox\Quarantine\D\WINDOWS\system32\a.exe.vir
2008-10-28 13:38      24692    --a------    D:\Qoobox\Quarantine\Registry_backups\winlogon.reg.cf


Folder PATH listing
Volume serial number is 9C49-5401
D:\QOOBOX
\---Quarantine
    +---D
    |   \---WINDOWS
    |       \---system32
    |               a.exe.vir
    |               kdbnl.exe.vir
    |               
    \---Registry_backups
            winlogon.reg.cf
            

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

SmitFraudFix v2.367

Scan done at 20:20:12.81, 2008-11-04
Run from D:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Description: Intel(R) PRO/100+ Management Adapter with Alert On LAN* - Packet Scheduler Miniport
DNS Server Search Order: 203.81.204.3
DNS Server Search Order: 203.81.204.23

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Description: Intel(R) PRO/100+ Management Adapter with Alert On LAN* - Packet Scheduler Miniport
DNS Server Search Order: 203.81.204.3
DNS Server Search Order: 203.81.204.23

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
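The two ComboFix runs quoted above show the same persistence set twice under different random DLL names (urqRHaWQ.dll on 10-28, urqRLede.dll on 11-02): a Browser Helper Object and a ShellExecuteHook pointing at eight-letter DLLs in system32, a Winlogon\Notify subkey, an extra LSA "Authentication Packages" entry, a profile-resident smss.exe in the Run key, and per-drive MountPoints2 AutoRun handlers for resycled\boot.com. Those are the lines a helper scans for by eye. The Python script below is an added example, not part of this thread, of ComboFix or of any tool named here; it encodes those checks as rules over the "Reg Loading Points" layout. SAMPLE_LOG is constructed from entries quoted above, STOCK_NOTIFY is an assumed, partial allowlist of Windows XP Winlogon\Notify subkeys, and the eight-letter-name test is a heuristic of my own, not a signature.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for Vundo-style persistence.

Added example for this thread; not part of the original post, of ComboFix or of
any tool named here.  SAMPLE_LOG is constructed from entries quoted above.
STOCK_NOTIFY is an assumed, partial allowlist of Windows XP Winlogon\\Notify
subkeys; extend it for the machine under review.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{000123B4-9B42-4900-B3F7-F4B073EFC214}=D:\Program Files\Orbitdownloader\orbitcth.dll [2007-02-05 13:34]
{476CC7E8-4123-4298-B064-35F12003B861}=D:\WINDOWS\system32\urqRHaWQ.dll [2008-10-27 12:30]
{53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25]
{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}=D:\WINDOWS\system32\fccbBSkk.dll [2008-10-27 12:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="D:\Documents and Settings\Other\Local Settings\Application Data\smss.exe" []
"MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}"="D:\WINDOWS\system32\fccbBSkk.dll" [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbBSkk]
fccbBSkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 D:\WINDOWS\system32\urqRHaWQ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c13-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
Open\command- D:\resycled\boot.com d:
"""

# Assumed partial allowlist of stock XP Winlogon\Notify subkeys (lower-case).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Core Windows process names that malware borrows; the real ones live in system32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

DLL_PATH = re.compile(r'="?([A-Za-z]:\\[^"\[\]]+?\.dll)"?\s*\[', re.IGNORECASE)
QUOTED_VALUE = re.compile(r'="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    rule: str     # which rule fired
    key: str      # registry key the line was listed under
    detail: str   # the offending value or line


def looks_random(path: str) -> bool:
    """Vundo-era heuristic: an exactly-8-letter file name sitting in system32.

    fccbBSkk.dll and urqRHaWQ.dll match; orbitcth.dll and SDHelper.dll are also
    8 letters but live under Program Files, so they do not.
    """
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return "\\system32\\" in path.lower() and re.fullmatch(r"[A-Za-z]{8}", stem) is not None


def triage(log_text: str) -> list:
    """Walk the [key] / value layout ComboFix prints and return the Findings."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        k = key.lower()
        if k.endswith("\\control\\lsa") and line.startswith("Authentication Packages"):
            # Anything listed after msv1_0 is a DLL that LSASS loads at boot.
            for pkg in line.split()[2:]:
                if pkg.lower() != "msv1_0":
                    findings.append(Finding("lsa-auth-package", key, pkg))
        elif "\\winlogon\\notify\\" in k:
            if key.rsplit("\\", 1)[-1].lower() not in STOCK_NOTIFY:
                findings.append(Finding("winlogon-notify", key, line))
        elif k.endswith("\\browser helper objects") or k.endswith("\\shellexecutehooks"):
            m = DLL_PATH.search(line)
            if m and looks_random(m.group(1)):
                findings.append(Finding("random-dll-autostart", key, m.group(1)))
        elif k.endswith("\\currentversion\\run"):
            m = QUOTED_VALUE.search(line)
            if m:
                image = m.group(1).rsplit("\\", 1)[-1].lower()
                if image in SYSTEM_NAMES and "\\windows\\system32\\" not in m.group(1).lower():
                    findings.append(Finding("system-name-masquerade", key, m.group(1)))
        elif "\\mountpoints2\\" in k and re.match(r"(AutoRun|Open)\\command-", line):
            # Per-drive shell handlers: opening the drive in Explorer runs the named file.
            findings.append(Finding("drive-autorun", key, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail}")
```

Run against SAMPLE_LOG this reports eight findings; Orbit's orbitcth.dll and Spybot's SDHelper.dll pass because the name test only fires inside system32. The rules are deliberately narrow so a clean log produces nothing; they flag lines for a person to judge, not items to delete.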
jazzyjaj

Re: popups in firefox

  #5  
Nov 8th, 2008
For some reason I cannot run the Microsoft® Windows® Malicious Software Removal Tool (KB890830).
Also, I have used the programs Spybot Search & Destroy and CleanUp.
jazzyjaj

Re: popups in firefox

  #6  
Nov 8th, 2008
I have used ATF-Cleaner but could not use the Firefox option in it.
Meanwhile another popup with a different IP opened:
http://85.17.166.181/go//?cmp=nm_firefox_rn&uid=00C2C7DAA3F911DDB0A9150044CFFFFF&rid=zdez&guid=18F0032549E7424087A87FF6D789E65C&affid=150044&lid=http&url=%7Bhttp:%2F%2F%5B0-9a-zA-Z%5C+%5C%%5C.%5C;%5C,%5C-%5C_%5C%3F%5C%23%26%5C=%5C%7B%5C%7D%5C%5B%5C%5D%5C%2F%5C%5C%5C$%5C:%5C@%5C%5E%5C~%5C%60%5D+%7D&v=1156&m=irq4
jazzyjaj

Re: popups in firefox

  #7  
Nov 8th, 2008
A popup came up with an IP of 85.something; after a little while this opened:
http://quick-antivirus-scan.com/2009...u=770522150044
I did not download anything from that website.
jazzyjaj

Re: popups in firefox

  #8  
Nov 8th, 2008
I ran the ESET online scanner but could only manage an hour; it was scanning my C drive while the OS is on D.
Here is the log:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3596 (20081107)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=db0c41f44b777846bdf11f40760fbe12
# end=stopped
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-08 09:59:19
# local_time=2008-11-08 02:59:19 (+0500, West Asia Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=79470
# found=4
# scan_time=3499
C:\Program Files\AIM\WxBug.EXE Win32/Adware.WBug.A application E0D92AC5FDD264E4ED40D45C75934F1B
C:\Program Files\AIM\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application E0D92AC5FDD264E4ED40D45C75934F1B
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000

I can try any other software from ESET, like NOD32, if you want.
jholland1964

Re: popups in firefox

  #9  
Nov 8th, 2008
> I can try any other software from ESET, like NOD32, if you want.

You have done this; that was the ESET Scanner.

You need to go in and UNINSTALL all those extra programs you used: ComboFix, VundoFix, Avenger, SmitFraudFix. KEEP Malwarebytes' Anti-Malware and Spybot. Also keep the ATF-Cleaner. Don't worry about the Microsoft® Windows® Malicious Software Removal Tool; for whatever reason, many cannot run this tool.
To uninstall ComboFix, do the following:
Click START, then RUN.
Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.
When shown the disclaimer, select "2".
I cannot stress enough here again, for others who may be reading this, that ComboFix is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could adversely impact your system and prevent it from ever starting again.
One of the things that shouldn't be done is using this tool over and over; it should be used one time unless directed to do it again. When that is done it is usually recommended that the original be removed and a new copy downloaded if needed again.
Please remove it from your system.
VundoFix and SmitFraudFix are also infection-specific tools, indicated when these two infections are present but not to be used for general cleaning of the computer.

These days Malwarebytes' Anti-Malware is the tool most often recommended as a FIRST step because it updates frequently (oftentimes DAILY) AND it does remove many, many infections, including Vundo infections.

Now, since the problem only happens with Firefox AND you could not use the ATF Firefox option, this says to me that your copy of Firefox is probably infected and very likely corrupted. You said you are using Firefox 2, so it is out of date. The current version is version 3.0.3.
I hate to have you download a new copy before getting that infection out of there and risk having that one infected too, so let's try to see if we can get that cleaned out.

Update the MBA-M program, then download CCleaner.

Shut down completely and disconnect the internet cable from the computer; this way the computer cannot go online.
Then reboot to Safe Mode:
1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode.

Once the computer is in Safe Mode, first run the ATF-Cleaner; again, do both clean-up options, first IE and then Firefox.

Next run the CCleaner on the default cleaning options, which is exactly how it will be when you open the program. It will scan the computer and list files which can be removed. Let it remove all it finds.

Next run a Full system scan with MBA-M and allow it to clean all it finds.

Shut down the computer.

Re-attach the internet cable to the computer and reboot to normal mode.
Run a new HJT scan and post back here with the MBA-M log and the HJT log.
Judy
Last edited by jholland1964 : Nov 8th, 2008 at 11:08 am.
jazzyjaj

Re: popups in firefox

  #10  
Nov 9th, 2008
Yesterday I ran MBA-M; here is the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1343
Windows 5.1.2600 Service Pack 2

11/8/2008 5:18:42 PM
mbam-log-2008-11-08 (17-18-41).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 41708
Time elapsed: 55 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\wvUkHBUm.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\wvukhbum -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\wvukhbum -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\wvUkHBUm.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\mUBHkUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mUBHkUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hxwawvge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\egvwawxh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\jgtdehvq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\qvhedtgj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rjxwnyni.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\inynwxjr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

After which, there have so far been no popups today.

I could not uninstall ComboFix the way you asked; could I just delete it?
I uninstalled Viewpoint. I hope that removes it.
Now I will follow the instructions as you asked.
Thank you
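The MBA-M log above marks the loaded module wvUkHBUm.dll, two CLSID keys and the LSA "Authentication Packages" data as "Delete on reboot": they were in use when the scan ran, so the log alone does not prove they are gone, and the reboot is part of the removal. The Python below is an added example, not part of this thread or of Malwarebytes' own tooling; it parses the log's section/summary layout, checks that each section's reported count matches the lines actually listed, and returns the distinct targets to re-check after restarting, with an injectable existence check so the file part can be exercised offline. SAMPLE_MBAM_LOG is constructed from the log quoted above, with the Files Infected list shortened to four entries and its summary count adjusted to match.

```python
"""Reconcile a Malwarebytes' Anti-Malware (MBAM) log and list what to re-check after the reboot.

Added example for this thread; not part of the original post or of MBAM.
SAMPLE_MBAM_LOG is constructed from the quoted log (Files Infected shortened to
four entries, summary count adjusted to match).
"""
import os
import re
from collections import namedtuple

Item = namedtuple("Item", "section target family action")

SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1343

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\wvUkHBUm.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\wvukhbum -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\wvukhbum -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\wvUkHBUm.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\mUBHkUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mUBHkUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hxwawvge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 4"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
ITEM_RE = re.compile(r"^(.*?) \(([^()]+)\) -> (.*?)\.?$")     # target (family) -> action.


def parse_mbam_log(text):
    """Return (summary counts by section, list of Item) for one MBAM log."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SUMMARY_RE.match(line)):
            summary[m.group(1)] = int(m.group(2))
        elif (m := HEADER_RE.match(line)):
            section = m.group(1)
        elif section and (m := ITEM_RE.match(line)):
            # 'Data: ... -> action' entries carry an extra segment; the action is always last.
            action = m.group(3).split(" -> ")[-1]
            items.append(Item(section, m.group(1), m.group(2), action))
    return summary, items


def reconcile(summary, items):
    """Sections whose reported count differs from the number of lines listed under them."""
    listed = {}
    for it in items:
        listed[it.section] = listed.get(it.section, 0) + 1
    return {sec: (n, listed.get(sec, 0)) for sec, n in summary.items() if n != listed.get(sec, 0)}


def pending_after_reboot(items):
    """Distinct targets MBAM could not remove immediately because they were loaded or in use."""
    seen, pending = set(), []
    for it in items:
        if it.action == "Delete on reboot" and it.target not in seen:
            seen.add(it.target)
            pending.append(it)
    return pending


def is_registry(target):
    return target.upper().startswith("HKEY_")


def files_still_present(pending, exists=os.path.exists):
    """File targets from the pending list that still exist; run on the host after the reboot.
    Registry targets need a separate check (reg query on the host) and are skipped here."""
    return [it.target for it in pending if not is_registry(it.target) and exists(it.target)]


if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("count mismatches:", reconcile(summary, items) or "none")
    for it in pending_after_reboot(items):
        print("re-check after reboot:", "registry" if is_registry(it.target) else "file", it.target)
```

On the sample the counts reconcile and four targets come back as pending, the DLL once even though it appears under both "Memory Modules" and "Files". A count mismatch is worth noticing because it usually means the log was truncated when pasted, which is exactly what happened with the ComboFix excerpts earlier in this thread.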
©2003 - 2008 DaniWeb® LLC