
Recently I have been having these popups with IPs like:
http://89.188.16.43/go//?cmp=nm_firefox_rn&uid=00C2C7DAA3F911DDB0A9150044CFFFFF&rid=zdez&guid=18F0032549E7424087A87FF6D789E65C&affid=150044&lid=http&url=%7Bhttp:%2F%2F%5B0-9a-zA-Z%5C+%5C%%5C.%5C;%5C,%5C-%5C_%5C%3F%5C%23%26%5C=%5C%7B%5C%7D%5C%5B%5C%5D%5C%2F%5C%5C%5C$%5C:%5C@%5C%5E%5C~%5C%60%5D+%7D&v=1156&m=irq4
http://82.98.235.35/go//?cmp=nm_firefox_rn&uid=00C2C7DAA3F911DDB0A9150044CFFFFF&rid=zdez&guid=18F0032549E7424087A87FF6D789E65C&affid=150044&lid=http&url=http:%2F%2F192.168.100.1%2F&v=1156&m=irq4
after which they redirect to an antispyware website.
I have tried various things but nothing seems to sort it out.
I have tried AVG, antispyware, combofix, smitfraud, antimalware etc...
They have found many things but have not solved this issue.
Here is a copy of the HijackThis log; I do not see anything wrong there.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:33:46, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Real\RealPlayer\realplay.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\WINDOWS\system32\wscntfy.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe
D:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3793 bytes

Also, the computer has become slow to start and the browsers are using a lot of memory, like Firefox 70000k and Explorer 40000k.
Here is a list of processes:
Process list saved on 13:47:16, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
564 D:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
660 D:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
704 D:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
716 D:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
900 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1092 D:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1320 D:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1604 D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe 7.5.1.36 GRISOFT s.r.o.
1612 D:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1792 D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe 8.1.159.0 McAfee, Inc.
1812 d:\program files\common files\mcafee\mna\mcnasvc.exe 2.1.143.0 McAfee, Inc.
1872 d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe 2.0.150.0 McAfee, Inc.
1928 D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe 14.0.0.349 McAfee, Inc.
220 D:\Program Files\McAfee\MPF\MPFSrv.exe 9.0.136.0 McAfee, Inc.
408 D:\WINDOWS\system32\nvsvc32.exe 6.14.10.6693 NVIDIA Corporation
428 D:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.1.45 RealNetworks, Inc.
916 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1424 D:\PROGRA~1\McAfee.com\Agent\mcagent.exe 8.0.237.0 McAfee, Inc.
1772 D:\Program Files\Viewpoint\Common\ViewpointService.exe 2.0.0.54 Viewpoint Corporation
2728 D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe 12.1.111.0 McAfee, Inc.
2824 D:\WINDOWS\system32\wscntfy.exe 5.1.2600.2180 Microsoft Corporation
3440 d:\PROGRA~1\mcafee\msc\mcuimgr.exe 8.0.226.0 McAfee, Inc.
3748 D:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
2356 C:\PROGRA~1\MOZILL~1\FIREFOX.EXE 1.8.20080.17373 Mozilla Corporation
2700 D:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.

Last Post by jholland1964

Hi and welcome to daniweb.
First of all I must caution all who may be reading this that several of the programs you have said that you ran should NOT have been run without FIRST being told to do so by a helper or somebody assisting you with problems. The main one I am concerned about is combofix. This is a very powerful tool which produces a very long and complicated log after doing its work. It takes quite a while to read and interpret one of these logs. Since you didn't post any of the logs from the programs you ran and you say "they have found many things but not solve this issue" we have absolutely no idea what was found or what was removed OR where they were located on the system. We really are not certain what programs you did run except for combofix, smitfraud and AVG Anti-Spyware 7.5, which is no longer available as a stand-alone product so it cannot be counted on as doing the work anymore, and then you say "antimalware etc..." What "antimalware"?
Your auto-starting program and auto-starting services list is extremely small, showing only graphics card software, RealPlayer update, your McAfee program and Viewpoint Manager Service (which is actually considered to be malware and should be removed). The running processes list you posted shows exactly the same thing as the Running Processes list from the HijackThis log, so there is nothing different or unusual there. We don't know what version of Firefox you are running. What version is it?
I would like to see both the combofix log and the smitfraud log and any other logs from all the other programs that you ran. Post those here first.
THEN;

Did you follow the steps given in Read me before posting a request for assistance thread at the top of this page?
Ignore the Deckard Scanner program as it is not available but I would like you to follow ALL of the other steps, including ATF-Cleaner, Malwarebytes' Anti-Malware, ESET online scanner. Be sure to reboot the computer AFTER running MBA-M. Once you have done those steps then post back here with those NEW logs and a new HJT scan log completed AFTER you have followed the steps given in the "Read Me Before" sticky.
Judy


I am using a Pentium 3 863MHz with WinXP SP2.
I use Firefox 2, and use this computer mainly for browsing purposes.
The antimalware I mentioned is the same Malwarebytes Anti-Malware mentioned in the "Read me before" request. However, I had performed a quick scan previously, but will perform a full scan later.
Here is the log of the earlier scan:
Malwarebytes' Anti-Malware 1.30
Database version: 1343
Windows 5.1.2600 Service Pack 2

2008-10-31 20:51:16
mbam-log-2008-10-31 (20-51-16).txt

Scan type: Quick Scan
Objects scanned: 47052
Time elapsed: 9 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 1
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\mstbvgpb.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\urqRHaWQ.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b9997de8-1685-47d1-903f-f2a862fef950} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b9997de8-1685-47d1-903f-f2a862fef950} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b9997de8-1685-47d1-903f-f2a862fef950} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\z444.z444mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\z444.z444mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{030a0f33-5b99-482e-83f5-2eeb8457878b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{030a0f33-5b99-482e-83f5-2eeb8457878b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e0ff4138 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\urqrhawq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdptp.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: d:\windows\system32\urqrhawq -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{92d437af-0b8a-4735-975e-2d5679051dba}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.164,85.255.112.81 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{92d437af-0b8a-4735-975e-2d5679051dba}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.164,85.255.112.81 -> Delete on reboot.

Folders Infected:
D:\WINDOWS\system32\675873 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
D:\WINDOWS\system32\urqRHaWQ.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\QWaHRqru.ini (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\QWaHRqru.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\iekwwjgj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\jgjwwkei.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mstbvgpb.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\bpgvbtsm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mtggixei.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\iexiggtm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rkrwacpk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kpcawrkr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xrfvadoh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hodavfrx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xymnejph.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hpjenmyx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kdptp.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
D:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\fxddodac.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kgblktnm.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rpcnyufi.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ufvfcshx.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\ypcumgog.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\Documents and Settings\Other\Local Settings\Temporary Internet Files\Content.IE5\8DUZ05YV\kb20010911[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\Documents and Settings\Other\Local Settings\Temporary Internet Files\Content.IE5\ENW8807K\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jahanzeb\Local Settings\Temporary Internet Files\Content.IE5\GHUBSHYV\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jahanzeb\Local Settings\Temporary Internet Files\Content.IE5\GXMJ0TEV\kb20010911[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\675873\675873.dll (Trojan.BHO) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
D:\USM2Trial.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
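Logs like the one above are long enough that reading them by hand misses things. As an added example (not part of this thread, and not Malwarebytes' own code), the following Python script parses the MBAM 1.x text format: it collects each "path (family) -> action" line under its section header, compares the declared per-section counts with the items actually listed (which catches a log that was cut short while pasting), and pulls out what a helper looks at first: entries still pending "Delete on reboot", the name servers written into the DhcpNameServer values, and the hijacked search URL. The embedded SAMPLE_LOG is an abridged copy of the posted log, and the names parse_mbam_log, check_counts and summarize are this example's own.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example, not MBAM's code)."""
import re
from collections import Counter

# Abridged copy of the log posted above, embedded as constructed test input.
# The declared "Files Infected: 29" is kept from the original while only two file
# lines are included, so check_counts() below will flag the truncation on purpose.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1343
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 47052

Memory Processes Infected: 0
Memory Modules Infected: 2
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\mstbvgpb.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\urqRHaWQ.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{92d437af-0b8a-4735-975e-2d5679051dba}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.164,85.255.112.81 -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Files Infected:
D:\WINDOWS\system32\kdptp.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
D:\USM2Trial.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # summary block
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")             # section header
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_mbam_log(text):
    """Return {'counts': {section: declared_count}, 'items': [item dicts]}."""
    counts, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["section"]] = int(m["n"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # "rest" is one or more " -> " segments; the last one is MBAM's action,
            # anything before it is detail such as "Data: ..." or "Bad: (...) Good: (...)".
            parts = [p.strip() for p in m["rest"].split(" -> ")]
            items.append({"section": section, "item": m["item"], "family": m["family"],
                          "details": parts[:-1], "action": parts[-1]})
    return {"counts": counts, "items": items}


def check_counts(report):
    """Sections whose declared count differs from the items actually listed -> {section: (declared, found)}."""
    found = Counter(i["section"] for i in report["items"])
    return {s: (n, found.get(s, 0)) for s, n in report["counts"].items() if n != found.get(s, 0)}


def summarize(report):
    """Pull out the facts a helper triages first from a parsed report."""
    items = report["items"]
    dns_servers, search_hijacks = [], []
    for i in items:
        for d in i["details"]:
            if i["item"].endswith("NameServer"):          # DNSChanger-style DHCP name server values
                dns_servers.extend(IP_RE.findall(d))
            m = re.search(r"Bad: \((.+?)\) Good:", d)     # hijacked search URL, if reported
            if m:
                search_hijacks.append(m.group(1))
    return {
        "families": Counter(i["family"] for i in items),
        "pending_reboot": [i["item"] for i in items if i["action"] == "Delete on reboot."],
        "dns_servers": dns_servers,
        "search_hijacks": search_hijacks,
    }


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    s = summarize(rep)
    print("families:", dict(s["families"]))
    print("still pending reboot:", len(s["pending_reboot"]))
    print("DHCP name servers set by the infection:", s["dns_servers"])
    print("search hijacks:", s["search_hijacks"])
    print("declared vs listed mismatches:", check_counts(rep))
```

Run it as a script to print the summary. The mismatch on "Files Infected" is expected with this sample because only two of the 29 listed files were kept; on a complete log an empty mismatch dict is the normal result, and a non-empty one means the poster lost lines while copying. The name-server values are worth checking on any machine where MBAM reports them, since a "Delete on reboot" entry there means the resolver settings were still pointing at the rogue servers when the log was written.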


This post will have the logs of all the other scans I had performed:


VundoFix V7.0.6

Scan started at 17:20:42 2008-10-28

Listing files found while scanning....

D:\Windows\system32\NCTAudioCDGrabber2.dll
D:\Windows\system32\NCTAudioFile2.dll
D:\Windows\system32\NCTAudioPlayer2.dll
D:\Windows\system32\NCTAudioRecord2.dll
D:\Windows\system32\NCTAVIFile.dll
D:\Windows\system32\NCTQuickTimeFile.dll
D:\Windows\system32\NCTVideoCoreM.dll
D:\Windows\system32\NCTWMAFile2.dll

Beginning removal...

Attempting to delete D:\Windows\system32\NCTAudioCDGrabber2.dll
D:\Windows\system32\NCTAudioCDGrabber2.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTAudioFile2.dll
D:\Windows\system32\NCTAudioFile2.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTAudioPlayer2.dll
D:\Windows\system32\NCTAudioPlayer2.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTAudioRecord2.dll
D:\Windows\system32\NCTAudioRecord2.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTAVIFile.dll
D:\Windows\system32\NCTAVIFile.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTQuickTimeFile.dll
D:\Windows\system32\NCTQuickTimeFile.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTVideoCoreM.dll
D:\Windows\system32\NCTVideoCoreM.dll Has been deleted!

Attempting to delete D:\Windows\system32\NCTWMAFile2.dll
D:\Windows\system32\NCTWMAFile2.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.6

Scan started at 1:32:48 PM 11/2/2008

Listing files found while scanning....

No infected files were found.

Combofix: I used this application, I think, three times:
"Other" - 2008-11-04 19:56:32 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.BV - Running from: "D:\"


((((((((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 ))))))))))))))))))))))))))))))))))


2008-11-04 18:55 72,192 --a------ D:\WINDOWS\system32\lpqewhng.dll
2008-11-03 16:22 72,192 --a------ D:\WINDOWS\system32\sgincsoh.dll
2008-11-02 11:12 72,192 --a------ D:\WINDOWS\system32\mkecmtiy.dll
2008-11-02 10:39 71,680 --a------ D:\WINDOWS\system32\udcrfrup.dll
2008-11-01 10:36 311,667 --ahs---- D:\WINDOWS\system32\edeLRqru.ini2
2008-11-01 10:35 282,112 --a------ D:\WINDOWS\system32\urqRLede.dll
2008-10-31 20:38 <DIR> d-------- D:\DOCUME~1\Jahanzeb\APPLIC~1\Malwarebytes
2008-10-31 20:03 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\Malwarebytes
2008-10-31 20:02 38,496 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-31 20:02 15,504 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-10-31 20:02 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-10-31 20:02 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2008-10-28 19:04 7,507,296 --a------ D:\rminstall.exe
2008-10-28 18:41 812,344 --a------ D:\HJTInstall.exe
2008-10-28 18:41 15,083,520 --a------ D:\spybotsd160.exe
2008-10-28 17:20 <DIR> d-------- D:\VundoFix Backups
2008-10-28 12:53 880 --a------ D:\WINDOWS\system32\tmp.reg
2008-10-28 12:50 <DIR> d-------- D:\SmitfraudFix
2008-10-28 12:49 262,144 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT
2008-10-28 12:33 1,088,512 --a------ D:\ComboFix.exe
2008-10-28 12:17 119,808 --a------ D:\VundoFix.exe
2008-10-28 12:17 1,663,634 --a------ D:\SmitfraudFix.exe
2008-10-27 22:23 <DIR> d-------- D:\Program Files\Avenger
2008-10-27 21:40 49,152 --a------ D:\WINDOWS\nircmd.exe
2008-10-27 20:25 388,608 --a------ D:\WINDOWS\system32\CF19354.exe
2008-10-27 14:35 <DIR> d-------- D:\Program Files\Exterminate It!
2008-10-27 14:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-10-27 12:25 27,904 --a------ D:\WINDOWS\system32\drivers\ndisprot.sys
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\fccbBSkk.dll
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\awtqrqpp.dll
2008-10-14 14:38 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\AdobeUM
2008-10-10 16:36 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2008-10-10 13:53 <DIR> d-------- D:\Program Files\Messenger Plus! Live
2008-10-09 13:57 <DIR> d-------- D:\Documents and Settings\Other\Contacts
2008-10-09 13:57 <DIR> d-------- D:\DOCUME~1\Other\Contacts
2008-10-09 13:49 <DIR> d-------- D:\Program Files\Windows Live


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-11-04 13:58:33 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\Skype
2008-11-04 13:31:25 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\skypePM
2008-11-04 08:15:44 -------- d-----w D:\Program Files\DC++
2008-10-31 12:23:46 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\uTorrent
2008-10-30 11:23:37 1,427 ----a-w D:\WINDOWS\mozver.dat
2008-10-15 04:30:07 359,040 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-09-29 17:32:30 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\dvdcss
2008-09-19 16:00:50 -------- d-----w D:\DOCUME~1\Other\APPLIC~1\Creative
2008-09-16 13:55:48 -------- d-----w D:\Program Files\McAfee


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{000123B4-9B42-4900-B3F7-F4B073EFC214}=D:\Program Files\Orbitdownloader\orbitcth.dll [2007-02-05 13:34]
{53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=D:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-10-24 05:51]
{8FBC6088-3303-4856-9992-EE901F543755}=D:\WINDOWS\system32\urqRLede.dll [2008-11-01 10:36]
{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}=D:\WINDOWS\system32\fccbBSkk.dll [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-29 13:50 D:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 10:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}"="D:\WINDOWS\system32\fccbBSkk.dll" [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbBSkk]
fccbBSkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 D:\WINDOWS\system32\urqRLede

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"srservice"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RemoteRegistry"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McODS"=3 (0x3)
"LmHosts"=3 (0x3)
"lanmanworkstation"=3 (0x3)
"lanmanserver"=3 (0x3)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"dmadmin"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=3 (0x3)
"BITS"=3 (0x3)
"AppMgmt"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-10-30 06:46:45 D:\WINDOWS\tasks\McDefragTask.job
2007-10-30 06:46:42 D:\WINDOWS\tasks\McQcTask.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 20:00:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-11-04 20:02:45
D:\ComboFix-quarantined-files.txt ... 2008-11-04 20:02
D:\ComboFix2.txt ... 2008-11-02 13:29
D:\ComboFix3.txt ... 2008-10-28 15:54

--- E O F ---

"Jahanzeb" - 2008-11-02 13:23:41 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.BV - Running from: "D:\"


((((((((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 ))))))))))))))))))))))))))))))))))


2008-11-02 11:12 72,192 --a------ D:\WINDOWS\system32\mkecmtiy.dll
2008-11-02 10:39 71,680 --a------ D:\WINDOWS\system32\udcrfrup.dll
2008-11-01 10:36 328,688 --ahs---- D:\WINDOWS\system32\edeLRqru.ini2
2008-11-01 10:35 282,112 --a------ D:\WINDOWS\system32\urqRLede.dll
2008-10-31 20:38 <DIR> d-------- D:\DOCUME~1\Jahanzeb\APPLIC~1\Malwarebytes
2008-10-31 20:03 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\Malwarebytes
2008-10-31 20:02 38,496 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-31 20:02 15,504 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-10-31 20:02 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-10-31 20:02 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2008-10-28 19:04 7,507,296 --a------ D:\rminstall.exe
2008-10-28 18:41 812,344 --a------ D:\HJTInstall.exe
2008-10-28 18:41 15,083,520 --a------ D:\spybotsd160.exe
2008-10-28 17:20 <DIR> d-------- D:\VundoFix Backups
2008-10-28 12:53 880 --a------ D:\WINDOWS\system32\tmp.reg
2008-10-28 12:50 <DIR> d-------- D:\SmitfraudFix
2008-10-28 12:49 262,144 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT
2008-10-28 12:33 1,088,512 --a------ D:\ComboFix.exe
2008-10-28 12:17 119,808 --a------ D:\VundoFix.exe
2008-10-28 12:17 1,663,634 --a------ D:\SmitfraudFix.exe
2008-10-27 22:23 <DIR> d-------- D:\Program Files\Avenger
2008-10-27 21:40 49,152 --a------ D:\WINDOWS\nircmd.exe
2008-10-27 20:25 388,608 --a------ D:\WINDOWS\system32\CF19354.exe
2008-10-27 14:35 <DIR> d-------- D:\Program Files\Exterminate It!
2008-10-27 14:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-10-27 12:25 27,904 --a------ D:\WINDOWS\system32\drivers\ndisprot.sys
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\fccbBSkk.dll
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\awtqrqpp.dll
2008-10-14 14:38 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\AdobeUM
2008-10-10 16:36 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2008-10-10 13:53 <DIR> d-------- D:\Program Files\Messenger Plus! Live
2008-10-09 13:57 <DIR> d-------- D:\DOCUME~1\Other\Contacts
2008-10-09 13:49 <DIR> d-------- D:\Program Files\Windows Live


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-11-01 17:22:48 -------- d-----w D:\Program Files\DC++
2008-10-30 11:23:37 1,427 ----a-w D:\WINDOWS\mozver.dat
2008-10-28 14:35:52 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\uTorrent
2008-10-28 12:55:54 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\Orbit
2008-10-15 04:30:07 359,040 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-09-16 13:55:48 -------- d-----w D:\Program Files\McAfee


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{000123B4-9B42-4900-B3F7-F4B073EFC214}=D:\Program Files\Orbitdownloader\orbitcth.dll [2007-02-05 13:34]
{53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25]
{61C44C25-C3DA-4DE4-B568-BB010772382A}=D:\WINDOWS\system32\urqRLede.dll [2008-11-01 10:36]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=D:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-10-24 05:51]
{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}=D:\WINDOWS\system32\fccbBSkk.dll [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-29 13:50 D:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 10:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pop-Up-Blocker"="" []
"TransparentIcons"="" []
"BlockAds"="" []
"Tweak-XP"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}"="D:\WINDOWS\system32\fccbBSkk.dll" [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbBSkk]
fccbBSkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 D:\WINDOWS\system32\urqRLede

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"srservice"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RemoteRegistry"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McODS"=3 (0x3)
"LmHosts"=3 (0x3)
"lanmanworkstation"=3 (0x3)
"lanmanserver"=3 (0x3)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"dmadmin"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=3 (0x3)
"BITS"=3 (0x3)
"AppMgmt"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-10-30 06:46:45 D:\WINDOWS\tasks\McDefragTask.job
2007-10-30 06:46:42 D:\WINDOWS\tasks\McQcTask.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 13:27:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-11-02 13:29:55
D:\ComboFix-quarantined-files.txt ... 2008-11-02 13:29
D:\ComboFix2.txt ... 2008-10-28 15:54
D:\ComboFix3.txt ... 2008-10-27 21:40

--- E O F ---

"Jahanzeb" - 2008-10-28 13:35:19 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.BV - Running from: "D:\"


((((((((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 ))))))))))))))))))))))))))))))))))


2008-10-28 13:05 <DIR> dr-hs---- D:\resycled
2008-10-28 12:53 600 --a------ D:\WINDOWS\system32\tmp.reg
2008-10-28 12:50 88,576 --a------ D:\WINDOWS\system32\AntiXPVSTFix.exe
2008-10-28 12:50 87,552 --a------ D:\WINDOWS\system32\VACFix.exe
2008-10-28 12:50 82,944 --a------ D:\WINDOWS\system32\o4Patch.exe
2008-10-28 12:50 82,944 --a------ D:\WINDOWS\system32\IEDFix.exe
2008-10-28 12:50 82,944 --a------ D:\WINDOWS\system32\IEDFix.C.exe
2008-10-28 12:50 82,432 --a------ D:\WINDOWS\system32\404Fix.exe
2008-10-28 12:50 53,248 --a------ D:\WINDOWS\system32\Process.exe
2008-10-28 12:50 51,200 --a------ D:\WINDOWS\system32\dumphive.exe
2008-10-28 12:50 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe
2008-10-28 12:50 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe
2008-10-28 12:50 25,600 --a------ D:\WINDOWS\system32\WS2Fix.exe
2008-10-28 12:50 <DIR> d-------- D:\SmitfraudFix
2008-10-28 12:49 262,144 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT
2008-10-28 12:33 1,088,512 --a------ D:\ComboFix.exe
2008-10-28 12:17 119,808 --a------ D:\VundoFix.exe
2008-10-28 12:17 1,663,634 --a------ D:\SmitfraudFix.exe
2008-10-27 22:23 <DIR> d-------- D:\Program Files\Avenger
2008-10-27 21:40 49,152 --a------ D:\WINDOWS\nircmd.exe
2008-10-27 21:02 2,048 --a------ D:\WINDOWS\system32\kgblktnm.exe
2008-10-27 20:59 71,680 --a------ D:\WINDOWS\system32\xymnejph.dll
2008-10-27 20:25 388,608 --a------ D:\WINDOWS\system32\CF19354.exe
2008-10-27 14:35 <DIR> d-------- D:\Program Files\Exterminate It!
2008-10-27 14:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-10-27 13:56 2,048 --a------ D:\WINDOWS\system32\fxddodac.exe
2008-10-27 13:55 71,680 --a------ D:\WINDOWS\system32\rkrwacpk.dll
2008-10-27 12:32 71,680 --------- D:\WINDOWS\system32\iekwwjgj.dll
2008-10-27 12:31 355,431 --ahs---- D:\WINDOWS\system32\QWaHRqru.ini2
2008-10-27 12:29 281,600 --------- D:\WINDOWS\system32\urqRHaWQ.dll
2008-10-27 12:25 27,904 --a------ D:\WINDOWS\system32\drivers\ndisprot.sys
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\fccbBSkk.dll
2008-10-27 12:24 32,256 --a------ D:\WINDOWS\system32\awtqrqpp.dll
2008-10-27 12:24 <DIR> d-------- D:\WINDOWS\system32\675873
2008-10-14 14:38 <DIR> d-------- D:\DOCUME~1\Other\APPLIC~1\AdobeUM
2008-10-10 16:36 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2008-10-10 13:53 <DIR> d-------- D:\Program Files\Messenger Plus! Live
2008-10-09 13:57 <DIR> d-------- D:\Documents and Settings\Other\Contacts
2008-10-09 13:57 <DIR> d-------- D:\DOCUME~1\Other\Contacts
2008-10-09 13:49 <DIR> d-------- D:\Program Files\Windows Live


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-10-28 03:53:11 -------- d-----w D:\Program Files\DC++
2008-10-19 05:39:20 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\Orbit
2008-10-15 04:30:07 359,040 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-09-27 08:19:12 -------- d-----w D:\DOCUME~1\Jahanzeb\APPLIC~1\uTorrent
2008-09-16 13:55:48 -------- d-----w D:\Program Files\McAfee


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{000123B4-9B42-4900-B3F7-F4B073EFC214}=D:\Program Files\Orbitdownloader\orbitcth.dll [2007-02-05 13:34]
{476CC7E8-4123-4298-B064-35F12003B861}=D:\WINDOWS\system32\urqRHaWQ.dll [2008-10-27 12:30]
{53707962-6F74-2D53-2644-206D7942484F}=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=D:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-10-24 05:51]
{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}=D:\WINDOWS\system32\fccbBSkk.dll [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-29 13:50 D:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 10:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Tok-Cirrhatus"="D:\Documents and Settings\Other\Local Settings\Application Data\smss.exe" []
"MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A177C1C1-EF04-4FCC-8A4B-FE956DC0A099}"="D:\WINDOWS\system32\fccbBSkk.dll" [2008-10-27 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbBSkk]
fccbBSkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 D:\WINDOWS\system32\urqRHaWQ

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
D:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"srservice"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RemoteRegistry"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McODS"=3 (0x3)
"LmHosts"=3 (0x3)
"lanmanworkstation"=3 (0x3)
"lanmanserver"=3 (0x3)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"dmadmin"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=3 (0x3)
"BITS"=3 (0x3)
"AppMgmt"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c12-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com c:
Open\command- C:\resycled\boot.com c:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c13-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
Open\command- D:\resycled\boot.com d:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c14-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com e:
Open\command- E:\resycled\boot.com e:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78a3c15-86d6-11dc-8690-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
Open\command- F:\resycled\boot.com f:


Contents of the 'Scheduled Tasks' folder
2007-10-30 06:46:45 D:\WINDOWS\tasks\McDefragTask.job
2007-10-30 06:46:42 D:\WINDOWS\tasks\McQcTask.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 15:48:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2008-10-28 15:54:21 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2008-10-28 15:54
D:\ComboFix2.txt ... 2008-10-27 21:40

--- E O F ---

2004-08-04 03:56      69120    --a------    D:\Qoobox\Quarantine\D\WINDOWS\system32\kdbnl.exe.vir
2008-08-15 10:11      26624    --a------    D:\Qoobox\Quarantine\D\WINDOWS\system32\a.exe.vir
2008-10-28 13:38      24692    --a------    D:\Qoobox\Quarantine\Registry_backups\winlogon.reg.cf


Folder PATH listing
Volume serial number is 9C49-5401
D:\QOOBOX
\---Quarantine
    +---D
    |   \---WINDOWS
    |       \---system32
    |               a.exe.vir
    |               kdbnl.exe.vir
    |               
    \---Registry_backups
            winlogon.reg.cf

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

SmitFraudFix v2.367

Scan done at 20:20:12.81, 2008-11-04
Run from D:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Description: Intel(R) PRO/100+ Management Adapter with Alert On LAN* - Packet Scheduler Miniport
DNS Server Search Order: 203.81.204.3
DNS Server Search Order: 203.81.204.23

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Description: Intel(R) PRO/100+ Management Adapter with Alert On LAN* - Packet Scheduler Miniport
DNS Server Search Order: 203.81.204.3
DNS Server Search Order: 203.81.204.23

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92D437AF-0B8A-4735-975E-2D5679051DBA}: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=203.81.204.3 203.81.204.23

0

For some reason I cannot run the Microsoft® Windows® Malicious Software Removal Tool (KB890830).
Also, I have used the software Spybot Search and Destroy and Cleanup.

0

I ran the ESET online scanner but could only manage an hour; it was scanning my C drive while the OS is on D.
Here is the log:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3596 (20081107)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=db0c41f44b777846bdf11f40760fbe12
# end=stopped
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-08 09:59:19
# local_time=2008-11-08 02:59:19 (+0500, West Asia Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=79470
# found=4
# scan_time=3499
C:\Program Files\AIM\WxBug.EXE Win32/Adware.WBug.A application E0D92AC5FDD264E4ED40D45C75934F1B
C:\Program Files\AIM\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application E0D92AC5FDD264E4ED40D45C75934F1B
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000

I can try any other software from ESET, like NOD32, if you want.

0

I can try any other software from ESET, like NOD32, if you want.

You have done this; that was the ESET scanner.

You need to go in and UNINSTALL all those extra programs you used: ComboFix, VundoFix, Avenger, SmitFraudFix. KEEP Malwarebytes Anti-Malware and Spybot. Also keep the ATF-Cleaner. Don't worry about the Microsoft® Windows® Malicious Software Removal Tool; for whatever reason, many cannot run this tool.
To uninstall ComboFix, do the following:
Click START, then RUN.
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
When shown the disclaimer, select "2".
I cannot stress enough here again, for others who may be reading this, that ComboFix is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could adversely impact your system and prevent it from ever starting again.
One of the things that shouldn't be done is to use this tool over and over; it should be used one time unless you are directed to do it again. When that is done, it is usually recommended that the original be removed and a new copy downloaded if it is needed again.
Please remove it from your system.
VundoFix and SmitFraudFix are also infection-specific tools, indicated when those two infections are present, but not to be used for general cleaning of the computer.

These days Malwarebytes' Anti-Malware is the tool most often recommended as a FIRST step because it updates frequently (oftentimes DAILY) AND it does remove many, many infections, including Vundo infections.

Now, since the problem only happens with Firefox AND you could not use the ATF Firefox option, this says to me that your copy of Firefox is probably infected and very likely corrupted. You said you are using Firefox 2, so it is out of date. The current version is 3.0.3.
I hate to have you download a new copy before getting that infection out of there and risk having that one infected too, so let's try to see if we can get that cleaned out.

Update the MBA-M program, then download CCleaner.

Shut down completely and disconnect the internet cable from the computer; this way the computer cannot go online.
Then reboot to Safe Mode:
1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed, etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press Enter on your keyboard to boot into Safe Mode.

Once the computer is in Safe Mode, first run the ATF-Cleaner; again, do both clean-up options, first IE and then Firefox.

Next, run CCleaner with the default cleaning options, which is exactly how it will be set when you open the program. It will scan the computer and list files which can be removed. Let it remove all it finds.

Next run a Full system scan with MBA-M and allow it to clean all it finds.

Shut down the computer.

Re-attach the internet cable to the computer and reboot to normal mode.
Run a new HJT scan and post back here with the MBA-M log and the HJT log.
Judy

0

Yesterday I ran MBA-M; here is the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1343
Windows 5.1.2600 Service Pack 2

11/8/2008 5:18:42 PM
mbam-log-2008-11-08 (17-18-41).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 41708
Time elapsed: 55 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\wvUkHBUm.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5b2ca3c-d4cc-48ec-9ac1-c925378dc8ee} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\wvukhbum -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\wvukhbum -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\wvUkHBUm.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\mUBHkUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mUBHkUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hxwawvge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\egvwawxh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\jgtdehvq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\qvhedtgj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rjxwnyni.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\inynwxjr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

After which, today so far there are no popups.

I could not uninstall ComboFix the way you asked; could I just delete it?
I uninstalled Viewpoint. I hope that removes it.
Now I will follow the instructions as you asked.
Thank you

0
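The two MBA-M logs in this thread share a pattern worth pulling out before deciding whether a clean-up stuck: each Vundo DLL has an eight-letter random name (wvUkHBUm.dll, ssqNGvtT.dll), sits next to an .ini/.ini2 whose name is that stem reversed (mUBHkUvw.ini, TtvGNqss.ini), and is registered under HKLM\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages so that lsass.exe loads it at boot, which is why MBA-M can only mark it "Delete on reboot". The ComboFix logs earlier in the thread show the same Authentication Packages entry (urqRHaWQ on 2008-10-28, urqRLede on 2008-11-02). The script below is an added example, not code from the thread, from Malwarebytes or from Judy: it parses an MBA-M 1.x log and reports the DLL/INI pairs, the LSA loader values and everything still pending a reboot. SAMPLE_LOG is a constructed excerpt of the 2008-11-08 log above, and the reversed-stem pairing is a heuristic taken from these logs, not a documented rule.

```python
"""Pull the Vundo indicators out of a Malwarebytes' Anti-Malware 1.x log.

Added example, not code from the thread or from Malwarebytes. SAMPLE_LOG is a
constructed excerpt of the 2008-11-08 MBA-M log posted above; the "reversed
stem" pairing and the LSA-package check are heuristics drawn from what those
logs show, not a documented format rule.
"""
import re

# "<item> (<detection>) -> <action>." or "... -> Data: <value> -> <action>."
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+?)\.?$")
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> (?P<action>.+)$")
# The DLLs in these logs are eight random letters (wvUkHBUm, ssqNGvtT, ...).
VUNDO_STEM_RE = re.compile(r"^[A-Za-z]{8}$")
LSA_VALUES = ("Authentication Packages", "Notification Packages")

SAMPLE_LOG = r"""
Memory Modules Infected:
D:\WINDOWS\system32\wvUkHBUm.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\wvukhbum -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\wvukhbum -> Delete on reboot.

Files Infected:
D:\WINDOWS\system32\wvUkHBUm.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\mUBHkUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\mUBHkUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\hxwawvge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\egvwawxh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""


def parse_log(text):
    """Return one dict per detection line: section, item, detection, data, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]          # e.g. "Files Infected"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                     # headers, counters, "(No malicious items detected)"
        data, action = None, m.group("rest")
        d = DATA_RE.match(action)
        if d:
            data, action = d.group("data"), d.group("action")
        entries.append({"section": section, "item": m.group("item"),
                        "detection": m.group("detection"), "data": data, "action": action})
    return entries


def split_path(path):
    """(stem, lower-cased extension) of a Windows path, without touching os.path."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")


def vundo_pairs(entries):
    """Map each eight-letter DLL to the .ini/.ini2 files named with its stem reversed."""
    files = [e["item"] for e in entries if e["section"] == "Files Infected"]
    by_stem = {}
    for path in files:
        stem, ext = split_path(path)
        by_stem.setdefault(stem.lower(), []).append((path, ext))
    pairs = {}
    for path in files:
        stem, ext = split_path(path)
        if ext != "dll" or not VUNDO_STEM_RE.match(stem):
            continue
        mates = by_stem.get(stem.lower()[::-1], [])
        pairs[path] = sorted(p for p, e in mates if e in ("ini", "ini2"))
    return pairs


def lsa_loaders(entries):
    """LSA package values that make lsass.exe load the DLL at boot.
    The registry value is what reloads the module at next start, so deleting
    the file alone is not enough; MBA-M lists the value separately for that reason."""
    found = []
    for e in entries:
        if e["section"] != "Registry Data Items Infected" or e["data"] is None:
            continue
        value = e["item"].rsplit("\\", 1)[-1]
        if value in LSA_VALUES:
            found.append((value, e["data"].rsplit("\\", 1)[-1].lower(), e["action"]))
    return found


def pending_reboot(entries):
    """Items MBA-M could not remove while Windows was running; the reboot is not optional."""
    return sorted({e["item"] for e in entries if e["action"] == "Delete on reboot"})


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for dll, inis in vundo_pairs(parsed).items():
        print(f"{dll} <-> {inis}")
    for value, module, action in lsa_loaders(parsed):
        print(f"LSA {value}: {module} ({action})")
    print("reboot needed for:", pending_reboot(parsed))
```

To use it on a saved mbam-log-*.txt, replace SAMPLE_LOG with the file contents. If a later log shows a fresh Authentication Packages entry with a different stem, as the 11/9 log in this thread does (ssqngvtt after wvukhbum), the loader value was re-created rather than merely left over from the previous scan.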

What happened when you tried to remove ComboFix?
Yes, you can just delete it, though it will not remove any backups these multiple runs have made.

0

I have done all the scans the way you asked me to.
ATF-Cleaner: once again I could not use the Firefox option, but now I know why: Firefox is actually not installed in the Windows I run; it is the copy from my previous installation of Windows, which I deleted a year back. However, while running CCleaner it was able to delete the Firefox files, and there are no history or cookies left.
Then I ran MBA-M and here is the report:
Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 5.1.2600 Service Pack 2

11/9/2008 1:09:59 PM
mbam-log-2008-11-09 (13-09-59).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 48967
Time elapsed: 47 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\ssqNGvtT.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88ad8087-a4fa-4c3c-9613-63bc69d0bd11} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88ad8087-a4fa-4c3c-9613-63bc69d0bd11} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\ssqngvtt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\ssqngvtt -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\ssqNGvtT.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\TtvGNqss.ini (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\TtvGNqss.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\rvjogjrk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\krjgojvr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

After which the HJT log looks like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15:31, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6A044BCA-7D52-4619-B36C-96FD0A436DD7} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099} - D:\WINDOWS\system32\fccbBSkk.dll
O2 - BHO: (no name) - {A957451F-324E-472A-BE5C-B8B8E68EDA5A} - (no file)
O2 - BHO: (no name) - {EE528997-7B75-45EA-AB8A-0298C5D3F04D} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fccbBSkk - D:\WINDOWS\SYSTEM32\fccbBSkk.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4348 bytes

The computer appears to be running smoothly now.
Although there are no more popups coming now, I am still not 100% sure.

0

Please recommend what to do with Firefox: do I install the new version (I have downloaded it already)?
Since the previous Firefox was actually not installed from the OS I am running now, what do I need to do to remove it completely (i.e. registry, cookies, etc.), as it is my default browser and IE is uninstalled from the Add/Remove Windows Components?

0

You need to do the following:
Download SmitFraudFix and save it to your desktop.
Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps.
Next, please reboot your computer into Safe Mode by doing the following:

1. Restart your computer

2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3. Instead of Windows loading as normal, a menu should appear

4. Select the first option, to run Windows in Safe Mode.

5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.

When your computer has started in safe mode, and you see the desktop, close all open Windows.

Now, double-click on the SmitFraudfix icon that should be residing on your desktop.

When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

You will now see a menu. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
The program will start cleaning your computer and go through a series of cleanup processes. When SmitFraudFix is done, it will automatically start the Disk Cleanup program.

This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with the next step.

When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.


When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.
Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.
Reboot the computer and run a new HJT scan. Post back here with that log and the Smitfraudfix log.
We will deal with the Firefox problems shortly.
Judy

0

Please recommend what to do with Firefox: do I install the new version (I have downloaded it already)?
Since the previous Firefox was actually not installed from the OS I am running now, what do I need to do to remove it completely (i.e. registry, cookies, etc.), as it is my default browser and IE is uninstalled from the Add/Remove Windows Components?

Firefox HAS to be installed or it would not be running. Looking at your logs, it is running from the "C" drive; in fact, it is the only program I see running from the "C" drive. This is why you cannot get anything to scan it: because you are not telling it to scan the "C" drive.
Run that MBA-M again, updating it first, and this time also have it scan the "C" drive.
When you choose Full Scan you should get a box which allows you to tell the program which drives to scan. Be sure to put a check mark in BOTH the "C" and "D" drives. Obviously Firefox cannot be the only thing on the "C" drive, so there are probably a lot of files never scanned with the MBA-M program. Run that and of course have it fix everything found. Post back here with that log before running any other program I have told you to run.
Judy

0

Firefox HAS to be installed or it would not be running. Looking at your logs it is running from "C" drive, in fact it is the only program I see running from "C" drive. This is why you cannot get anything to scan it, because you are not telling it to scan "C" drive.
Run that MBA-M again, updating it first and this time also have it scan "C" drive.
When you choose Full Scan you should get a box which allows you to tell the program which drives to scan. Be sure to put a check mark in BOTH "C" and "D" drives. Obviously Firefox cannot be the only thing on "C" drive so there are probably a lot of files never scanned with the MBA-M program. Run that and of course have it fix everything found. Post back here with that log before running any other program I have told you to run.
Judy

I did do the full scan with all my drives and updated it; please refer to the previous MBA-M log.

0

I did the SmitFraudFix like you said, but for some reason it did not reboot as you mentioned. I think it could be because I had run this program previously, but this time it was a fresh copy (as I deleted the previous one) and I did as you told. Anyway, here is the log:
SmitFraudFix v2.374

Scan done at 13:54:31.54, 2008-11-10
Run from D:\Documents and Settings\Jahanzeb\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

For some reason my HJT is not able to create a log; it closes down with an error. I can scan but cannot create a log. The scan looks the same except for this:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
and all the other (no file) ones are not there. Here is the process list from HJT; for some reason that works.

Process list saved on 14:27:55, on 2008-11-10
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
560 D:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
656 D:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
700 D:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
712 D:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
896 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1088 D:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1296 D:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1400 D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe 8.1.159.0 McAfee, Inc.
1412 d:\program files\common files\mcafee\mna\mcnasvc.exe 2.1.143.0 McAfee, Inc.
1468 d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe 2.0.150.0 McAfee, Inc.
1520 D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe 14.0.0.349 McAfee, Inc.
1568 D:\Program Files\McAfee\MPF\MPFSrv.exe 9.0.136.0 McAfee, Inc.
1604 D:\WINDOWS\system32\nvsvc32.exe 6.14.10.6693 NVIDIA Corporation
1772 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1180 D:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
972 D:\PROGRA~1\McAfee.com\Agent\mcagent.exe 8.0.237.0 McAfee, Inc.
2100 D:\WINDOWS\system32\wscntfy.exe 5.1.2600.2180 Microsoft Corporation
3120 D:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.1.45 RealNetworks, Inc.
3648 D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe 12.1.111.0 McAfee, Inc.
948 d:\PROGRA~1\mcafee\msc\mcuimgr.exe 8.0.226.0 McAfee, Inc.
2636 C:\PROGRA~1\MOZILL~1\FIREFOX.EXE 1.8.20080.17373 Mozilla Corporation
1728 D:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.

I will try reinstalling it, then I will post it if it works.

0

At last it worked. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:49, on 2008-11-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3376 bytes

0

This log looks better. I know you requested that MBA-M scan all drives but it appears that it didn't scan "C" drive where your Firefox is located. Can you try it once more, click Full Scan but when the box opens just put a check mark in "C" and take it out of the others. Let's see if it WILL scan "C" by itself.
Judy

0

This is the MBA-M log:

Malwarebytes' Anti-Malware 1.30
Database version: 1375
Windows 5.1.2600 Service Pack 2

2008-11-11 12:25:00
mbam-log-2008-11-11 (12-25-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 20418
Time elapsed: 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\opnlllKA.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0b31c1c0-a374-4cf8-91f8-027c91495b2f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0b31c1c0-a374-4cf8-91f8-027c91495b2f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\opnlllka -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: d:\windows\system32\opnlllka -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\opnlllKA.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\AKlllnpo.ini (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\AKlllnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\xqamhktj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\jtkhmaqx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

I think the malware keeps on coming back. Today I had a pop-up from IP
http://83.149.115.148/go//?cmp=nm_firefox_rn&uid=00C2C7DAA3F911DDB0A9150044CFFFFF&rid=zdez&guid=18F0032549E7424087A87FF6D789E65C&affid=150044&lid=http&url=http:%2F%2Fwww.daniweb.com%2Fforums%2Fthread155855-2.html&v=1156&m=irq4
and then later another: http://personalantispy.com/.ware/index.php?41055b5e43150f5d3d5a58455a05521d0a5c1f4242103c480f3a030c6b484556555614135c0b5c07570404114300050d14416d000854500153505050021e4640541c0f52161212405f06114740095e015417515c0c52454b06015b52

Well, anyway, here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:29, on 2008-11-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6A044BCA-7D52-4619-B36C-96FD0A436DD7} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099} - D:\WINDOWS\system32\fccbBSkk.dll
O2 - BHO: (no name) - {A957451F-324E-472A-BE5C-B8B8E68EDA5A} - (no file)
O2 - BHO: (no name) - {EE528997-7B75-45EA-AB8A-0298C5D3F04D} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fccbBSkk - D:\WINDOWS\SYSTEM32\fccbBSkk.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4271 bytes

The (no file) things are back too.

0

Were these pop-ups in Firefox? I still don't know why "C" drive is not being scanned. The latest MBA-M scan shows that "D" drive was scanned, not "C" even though you told it to scan "C" drive.
Can you tell me, what is on "C" drive? Firefox clearly showed it was running from "C" drive.

0

The C drive is scanned; I watched it. I think it's all clear on the C drive; it's just that the same Vundo trojan keeps coming back.
Anyway, yesterday I tried superantispysweeper; it found many trojans, mostly Vundo. After which I ran MBA-M and it found nothing.
I think it could be because of the registry, and this software detected at least 14 errors in the registry.

0

I think it could be because of the registry, and this software detected at least 14 errors in the registry.

MBA-M also cleaned the registry of 27 different items.
It really sounds to me like a rootkit is on there, but you say your computer is now totally clean since running superantispysweeper.
You will need to run a new HJT scan and post that log so we can complete the fixes in there before downloading the new Firefox version, but go ahead and completely uninstall Firefox. It is running from "C" drive, so you are going to have to go in there and uninstall it.

You never answered, exactly what IS on "C" drive other than Firefox?

0

On my C drive I have movies, music videos and Counter-Strike.
I used to have an OS on it before, like one year ago, but now I have deleted it. I still have the Documents and Settings folder.

0

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:49:05, on 2008-11-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
d:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6A044BCA-7D52-4619-B36C-96FD0A436DD7} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A957451F-324E-472A-BE5C-B8B8E68EDA5A} - (no file)
O2 - BHO: (no name) - {EE528997-7B75-45EA-AB8A-0298C5D3F04D} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [e0ff4138] rundll32.exe "D:\WINDOWS\system32\mqqcncgr.dll",b
O8 - Extra context menu item: &Download all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4353 bytes

Since running the spysweeper I have this problem: whenever I start, it says mqqcncgr.dll is missing. I think it was removed.

0
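The persistence entries in the logs above follow one pattern: an O2 BHO and an O20 Winlogon Notify package pointing at the same random-named DLL in system32 (fccbBSkk.dll), an O4 Run key under a random hex name loading another one through rundll32 (mqqcncgr.dll), and the MBA-M hits where the same stem (opnlllka) had been appended to the LSA Notification Packages and Authentication Packages values, with a companion .ini named by reversing the DLL stem. The script below is an added example, not code from the thread, from HijackThis or from Malwarebytes, that triages HJT-style lines for that pattern. Its sample lines are constructed from the logs posted here, the "eight-letter stem directly under system32" rule is an assumption drawn from the names in this thread, and the Windows XP default contents of the two LSA values (scecli and msv1_0) are assumed.

```python
"""Triage of HijackThis-style log lines for the persistence pattern seen above.

Added example (not from the thread, HijackThis or Malwarebytes). It only reads
text: it never touches the registry or the file system of a live machine.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample, modelled on the O2/O4/O20/O23 entries posted above.
SAMPLE_HJT_LOG = """\
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\\Program Files\\Orbitdownloader\\orbitcth.dll
O2 - BHO: (no name) - {49DC26F5-43C2-4312-B885-AE9080736D93} - (no file)
O2 - BHO: (no name) - {A177C1C1-EF04-4FCC-8A4B-FE956DC0A099} - D:\\WINDOWS\\system32\\fccbBSkk.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE D:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [e0ff4138] rundll32.exe "D:\\WINDOWS\\system32\\mqqcncgr.dll",b
O20 - Winlogon Notify: fccbBSkk - D:\\WINDOWS\\SYSTEM32\\fccbBSkk.dll
O20 - Winlogon Notify: !SASWinLogon - D:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Default multi-string contents of the two LSA package values on Windows XP
# (assumption; anything beyond these deserves a second look).
LSA_DEFAULTS = {
    "Notification Packages": {"scecli"},
    "Authentication Packages": {"msv1_0"},
}

SECTION_RE = re.compile(r"^(O\d+) - ")
DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.dll', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"[A-Za-z]{8}")

REASONS = {
    "O2": "BHO loads a random-named DLL from system32",
    "O4": "Run key loads a random-named DLL via rundll32",
    "O20": "Winlogon Notify package in system32 with a random name",
}


@dataclass
class Finding:
    section: str
    reason: str
    path: str
    line: str


def is_random_system32_dll(path):
    """Heuristic (assumption, drawn from the names in this thread: opnlllKA,
    xqamhktj, fccbBSkk, mqqcncgr): a DLL directly under system32 whose stem is
    exactly eight letters. Expect some false positives; confirm with a hash."""
    if not SYSTEM32_RE.search(path):
        return False
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return ext.lower() == ".dll" and RANDOM_STEM_RE.fullmatch(stem) is not None


def reversed_ini_companion(dll_path):
    """The variant in the MBA-M log kept an .ini beside each DLL named with the
    DLL stem reversed (opnlllKA.dll / AKlllnpo.ini, xqamhktj.dll / jtkhmaqx.ini).
    Return that companion name so the analyst knows what else to look for."""
    stem, _ = ntpath.splitext(ntpath.basename(dll_path))
    return stem[::-1] + ".ini"


def triage_hjt(text):
    """Return the O2/O4/O20 lines that match the pattern, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m or m.group(1) not in REASONS:
            continue
        section = m.group(1)
        if section == "O2" and line.endswith("(no file)"):
            # Orphaned CLSID: nothing loads, but it is leftover to clean up.
            findings.append(Finding(section, "orphaned BHO CLSID, no DLL on disk", "", line))
            continue
        pm = DLL_PATH_RE.search(line)
        if pm is None:
            continue
        path = pm.group(0)
        if section == "O4" and "rundll32" not in line.lower():
            continue
        if is_random_system32_dll(path):
            findings.append(Finding(section, REASONS[section], path, line))
    return findings


def nondefault_lsa_packages(value_name, packages):
    """Entries of an LSA package value that are not in the assumed XP default
    set. MBA-M reported 'opnlllka' appended to both values in the log above."""
    return [p for p in packages if p.lower() not in LSA_DEFAULTS[value_name]]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        extra = f" (also look for {reversed_ini_companion(f.path)})" if f.path else ""
        print(f"{f.section}: {f.reason}{extra}\n    {f.line}")
    print(nondefault_lsa_packages("Notification Packages", ["scecli", "opnlllka"]))
```

Run against the sample it reports the orphaned O2 CLSID, the fccbBSkk.dll BHO and Winlogon Notify entries, and the rundll32 Run key for mqqcncgr.dll, while leaving the NVIDIA, Orbit and SUPERAntiSpyware entries alone. The LSA packages are the part HijackThis does not show: a DLL listed under Notification Packages or Authentication Packages is loaded by lsass.exe at boot, which is why such a file can be "Delete on reboot" and still be back next time if the registry value is not cleaned with it.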

On my C drive I have movies, music videos and Counter-Strike.
I used to have an OS on it before, like one year ago, but now I have deleted it. I still have the Documents and Settings folder.

What do you mean you deleted it? I don't believe that you can really just delete an operating system, the drive would have to be reformatted in order to completely remove it.

0

I deleted the Windows folder and edited the boot.ini.
Which antivirus, firewall, and anti-spyware should I use: a combination or an all-in-one?
