Automatic update cannot be restarted - Virtumonde trojan


Post by fwkjoe123 » July 20th, 2008, 5:41 pm

Hi there,

I picked up a bunch of malware about 1 week ago. I used a series of anti-virus programs to clean my computer. So far, I've been making some headway. This last one is a real pain. It turns off Microsoft Automatic Update. My last scan says that my machine is clean, but nothing is working the way it was before.
Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:12 PM, on 7/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Franck.COMPUTER1\Local Settings\Temporary Internet Files\Content.IE5\NV5BLGDS\hijackthis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: mysidesearch search enhancer - {3e3494c6-316e-be82-317c-87997d9478d6} - C:\WINDOWS\system32\axgxsoyrakl.dll
O2 - BHO: gooochi browser optimizer - {440d021a-0710-ca64-0cfa-d4000546110e} - C:\WINDOWS\system32\mhnqrozcaqfjdhoow.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {e414edf7-3ed2-d4b9-4e44-256af56de718} - {817ed65f-a652-44e4-9b4d-2de37fde414e} - C:\WINDOWS\system32\rhscrf.dll
O2 - BHO: (no name) - {82336A8D-6CD0-4647-B791-75FCA8CF2B39} - C:\WINDOWS\system32\jKAtTMET.dll (file missing)
O2 - BHO: (no name) - {A3637A61-A23D-49E2-A2C3-985DDED5729C} - C:\WINDOWS\system32\cbXQIXqo.dll
O2 - BHO: (no name) - {E7CF5199-48C4-43DE-AA0A-D387367C54C5} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{af1f0e79-44d7-3774-2c33-0521442b4e07}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\mhnqrozcaqfjdhoow.dll" DllStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe
O4 - HKCU\..\Run: [Adpm] "C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwnw64d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} (Mindjet MindManager Viewer Control) - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mci ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6587211781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4856694843
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/ko ... nt/kdx.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: jKAtTMET - jKAtTMET.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9409 bytes


I really need some help to get back to normal. Using this computer has turned into a real punishment.

Thanks

Fwkjoe123 :pale:
fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm
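As an added example (not part of this thread, and not a HijackThis feature), the script below applies the kinds of checks a helper does by eye on the O2/O4/O20 lines of a log like the one above: orphaned "(file missing)" entries, Winlogon Notify DLLs, BHOs sitting in system32, GUID-named Run values, rundll32 loaders and executables autostarting from a user's Application Data. The sample log and the severity rules are constructed for the example.

```python
"""Heuristic first-pass triage of a HijackThis (HJT) log.

Added example for this thread; not part of HijackThis or of the forum's
procedure. The rules encode checks a helper does by eye on O2/O4/O20 lines.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines of the shape posted in this thread (not a full log).
SAMPLE_LOG = r"""
O2 - BHO: mysidesearch search enhancer - {3e3494c6-316e-be82-317c-87997d9478d6} - C:\WINDOWS\system32\axgxsoyrakl.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {82336A8D-6CD0-4647-B791-75FCA8CF2B39} - C:\WINDOWS\system32\jKAtTMET.dll (file missing)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{af1f0e79-44d7-3774-2c33-0521442b4e07}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\mhnqrozcaqfjdhoow.dll" DllStart
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [Adpm] "C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe" -vt yazb
O20 - Winlogon Notify: jKAtTMET - jKAtTMET.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
MISSING_RE = re.compile(r"\((file missing|no file)\)", re.I)
SYSTEM32_RE = re.compile(r"\\(WINDOWS|WINNT)\\system32\\", re.I)
GUID_VALUE_RE = re.compile(r"^\[\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\]", re.I)
RUNDLL_RE = re.compile(r'rundll32(\.exe)?\s+"?([^",]+?\.dll)"?[, ]\s*(\w+)', re.I)
PROFILE_APPDATA_RE = re.compile(
    r"\\(DOCUME~1|Documents and Settings)\\[^\\]+\\(APPLIC~1|Application Data)\\", re.I)


@dataclass
class Finding:
    line: str
    severity: str  # "high" | "medium" | "info"
    reason: str


def triage_line(line: str) -> List[Finding]:
    """Apply the heuristics to one HJT line; returns zero or more findings."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    found: List[Finding] = []

    # Any section: the registry still names a file that is gone. Harmless by
    # itself, but the orphan shows where something used to be loaded from.
    if MISSING_RE.search(body):
        found.append(Finding(line, "info", "orphaned entry: file is gone; clean up the registry key"))

    # O20 Winlogon Notify DLLs load into winlogon.exe at logon, a location
    # ordinary software rarely uses; the thread's own log shows one.
    if section == "O20" and body.startswith("Winlogon Notify"):
        found.append(Finding(line, "high", "Winlogon Notify DLL: persistence inside winlogon.exe"))

    # O2 BHOs of installed products live under Program Files; a BHO sitting
    # directly in system32 with an arbitrary name is out of place.
    if section == "O2" and SYSTEM32_RE.search(body):
        found.append(Finding(line, "medium", "BHO DLL lives in system32 rather than an application folder"))

    if section == "O4":
        value_part = body.split(":", 1)[1].strip() if ":" in body else body
        # Installers give Run values readable names; a bare GUID is a red flag.
        if GUID_VALUE_RE.match(value_part):
            found.append(Finding(line, "high", "Run value named with a bare GUID"))
        # rundll32 loaders are legitimate for drivers (NvCpl), so only ask for
        # confirmation that the system32 DLL belongs to a known vendor.
        rd = RUNDLL_RE.search(body)
        if rd and SYSTEM32_RE.search(rd.group(2)):
            dll = rd.group(2).split("\\")[-1]
            found.append(Finding(line, "medium",
                                 f"rundll32 autostart of {dll} (export {rd.group(3)}): verify vendor"))
        # Autostarting an .exe from a user's Application Data is uncommon for
        # installed software on XP and typical of droppers.
        if PROFILE_APPDATA_RE.search(body):
            found.append(Finding(line, "medium", "executable autostarts from a user profile's Application Data"))
    return found


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log, highest severity first."""
    rank = {"high": 0, "medium": 1, "info": 2}
    found = [f for ln in log_text.splitlines() for f in triage_line(ln)]
    return sorted(found, key=lambda f: rank[f.severity])


def severity_counts(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print(severity_counts(results))
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The output is a prioritised list to review, not a verdict: a clean-looking result from these rules is not proof of a clean machine, which is exactly why the helper below asks for further reports.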

Re: Automatic update cannot be restarted - Virtumonde trojan

Post by turtledove » July 22nd, 2008, 12:46 pm

Hello, I am turtledove,
Welcome to the forum :wave:

I will be glad to help you with your computer problems.
HijackThis and other logs take a while to research. Please be patient with me. I know that you want your problems solved quickly, and I will work hard to help you.

As I am an Undergraduate, my posts will be checked first by a Teacher or Expert. Please be patient, I'll post a fix soon.
***Please bookmark or favourite this page, in case you need it for reference and as an easy way to find it when answering.
Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic. Please stay at one forum for help.
3. Please continue reading posts until I give the All Clear. It is important to note this, as a clean looking HijackThis is not always a sign your system is clean.
4. Always Copy/Print out ALL Instructions.

If you can do these things, everything should go smoothly.
*Please do not run any fixes on your own, as they may interfere with our work.
*If you are going to be busy and *unable to post for more than 5 days* please post in this thread so we know and do not close this thread.


*Please Note: If you do not respond with a note that you need more time and you have not responded in 5 days, the thread will be closed as inactive.*

I am currently researching your log and will reply as soon as possible.
Thanks for your patience!


Please make an Uninstall list :
To access the Uninstall Manager, please do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad here on your next reply.


Post:
  • Uninstall List

Thank you

Turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Automatic update cannot be restarted - Virtumonde trojan

Post by turtledove » July 23rd, 2008, 11:51 am

Hello Fwkjoe123

Please Move HijackThis
Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file or from Temporary folders, because the backups will be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

1. Please go to your 'My Documents' folder, right-click and select 'New > Folder', then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.


Next: Use SDFix
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fix tool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Post:
  • SDFix Report.txt
  • New HijackThis log
  • How your PC is running
  • Uninstall list if not done yet
Thank you

Turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Automatic update cannot be restarted - Virtumonde trojan

Post by fwkjoe123 » July 23rd, 2008, 12:30 pm

Hi Turtledove,

Thanks for replying. I'll wait for the ALL CLEAR instructions prior to proceeding.

Thanks
fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm

Re: Automatic update cannot be restarted - Virtumonde trojan

Post by turtledove » July 23rd, 2008, 1:09 pm

Hello fwkjoe123,

You may proceed with the instructions in my 2 posts above.

I'll wait for the ALL CLEAR instructions prior to proceeding.


This actually means to keep checking back here and following directions until your Computer is clean.

Thanks

Turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Automatic update cannot be restarted - Virtumonde trojan

Post by fwkjoe123 » July 24th, 2008, 1:32 am

Hello Turtledove,

Thanks for the help. So far, I've followed the instructions in post 1. When I run the Uninstall list and attempt to save the list by clicking "Save as...", the entire HijackThis program closes. I attempted it several times. I even attempted running it in Safe Mode and I get the same results.
I tried to run the StartupList just to see if it would run, and it ran just fine. It's the report below.
I will follow instruction in post 2 and keep you informed.

StartupList report, 7/23/2008, 9:36:07 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Franck.COMPUTER1\My Documents\hijackthis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16674)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\Franck.COMPUTER1\My Documents\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Franck.COMPUTER1\Start Menu\Programs\Startup]
DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwnw64d.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
billeo.lnk = C:\Program Files\Billeo\billeo.exe
CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
Digital Line Detect.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nwiz = nwiz.exe /install
MsmqIntCert = regsvr32 /s mqrt.dll
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
{af1f0e79-44d7-3774-2c33-0521442b4e07} = C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\mhnqrozcaqfjdhoow.dll" DllStart
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
AVP = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
AppleSyncNotifier = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
BM4f52b110 = Rundll32.exe "C:\WINDOWS\system32\plogguob.dll",s

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
Sakora = C:\Program Files\Sakora\Sakora.exe
Adpm = "C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe" -vt yazb
GetPack19 = "C:\Program Files\GetPack\GetPack19.exe"
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\PROGRA~1\Webshots\webshots.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/sh ... tor/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?LinkID=39204

[Snapfish Activia]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
CODEBASE = http://www.costcophotocenter.com/CostcoActivia.cab

[Mindjet MindManager Viewer Control]
InProcServer32 = C:\PROGRA~1\Mindjet\MJMMVI~1\MJMMVI~1.OCX
CODEBASE = http://www.mindjet.com/viewer/eng/MjMmViewer.cab

[{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
CODEBASE = http://bin.mcafee.com/molbin/shared/mci ... insctl.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/windows ... 6587211781

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftup ... 4856694843

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/fl ... rashim.cab

[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/sh ... wflash.cab

[Secure Delivery]
CODEBASE = http://content.kontiki.com/kdx/v2.20/ko ... nt/kdx.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 8,828 bytes
Report generated in 0.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm

Re: Automatic update cannot be restarted - Virtumonde trojan

Post by fwkjoe123 » July 24th, 2008, 3:27 am

Hello Turtledove,

Here is the SDFix report:

SDFix: Version 1.208
Run by Franck on Wed 07/23/2008 at 10:42 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\iCheck\iCheck.exe - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\Program Files\Webtools\webtools.dll - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\Documents and Settings\Franck.COMPUTER1\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\system32\pac.txt - Deleted



Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\mjc - Removed
Folder C:\Program Files\Sakora - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\Webtools - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 23:50:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 15 Jul 2005 56 ..SHR --- "C:\WINDOWS\SYSTEM32\BFE2B44BC3.sys"
Wed 26 Jul 2006 1,682 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Sun 15 Feb 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 15 Feb 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Sat 16 Jul 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Tue 31 Oct 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 12 Jul 2008 44,256 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@R3F.tmp"
Sat 12 Jul 2008 45,116 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@R41.tmp"
Sat 12 Jul 2008 44,256 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@R62.tmp"
Sat 12 Jul 2008 45,116 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@R64.tmp"
Sat 12 Jul 2008 44,256 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@R6E.tmp"
Sat 12 Jul 2008 45,116 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@R71.tmp"
Sat 12 Jul 2008 44,256 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@R86.tmp"
Sat 12 Jul 2008 45,116 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@R88.tmp"
Sat 12 Jul 2008 44,256 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@R93.tmp"
Sat 12 Jul 2008 45,116 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@R96.tmp"
Sat 12 Jul 2008 44,256 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@RA9.tmp"
Sat 12 Jul 2008 45,116 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@RAB.tmp"
Sat 12 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@S63.tmp"
Sat 12 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@S65.tmp"
Sat 12 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@S6F.tmp"
Sat 12 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@S72.tmp"
Sat 12 Jul 2008 1,409 ...H. --- "C:\Documents and Settings\Tania\Local Settings\Temp\Z@S87.tmp"
Thu 10 Jan 2008 1,029 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITC5.tmp"
Thu 10 Jan 2008 1,085 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITC6.tmp"
Thu 10 Jan 2008 972 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITCA.tmp"
Thu 10 Jan 2008 1,002 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITCB.tmp"
Thu 10 Jan 2008 1,065 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITD0.tmp"
Thu 10 Jan 2008 1,102 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITD3.tmp"
Thu 10 Jan 2008 1,032 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITD4.tmp"
Thu 10 Jan 2008 1,020 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITD5.tmp"
Thu 10 Jan 2008 1,014 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITD8.tmp"
Thu 10 Jan 2008 1,027 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITDB.tmp"
Thu 10 Jan 2008 1,028 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITDC.tmp"
Thu 10 Jan 2008 1,012 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITE3.tmp"
Thu 10 Jan 2008 1,045 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITE7.tmp"
Thu 10 Jan 2008 1,011 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITE9.tmp"
Thu 10 Jan 2008 1,035 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITED.tmp"
Thu 10 Jan 2008 1,043 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITF0.tmp"
Thu 10 Jan 2008 1,026 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITF6.tmp"
Thu 10 Jan 2008 1,007 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITFD.tmp"
Thu 10 Jan 2008 1,049 A..H. --- "C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\SupportSoft\dellsupportcenter\Kaitlyn\data\sprt_url\BITFF.tmp"

Finished!




Next is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:08 AM, on 7/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Franck.COMPUTER1\My Documents\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{af1f0e79-44d7-3774-2c33-0521442b4e07}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\mhnqrozcaqfjdhoow.dll" DllStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM4f52b110] Rundll32.exe "C:\WINDOWS\system32\plogguob.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Adpm] "C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} (Mindjet MindManager Viewer Control) - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mci ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6587211781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4856694843
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/ko ... nt/kdx.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8226 bytes


The computer is still running rough. Startup is much faster than before. However, when I try to access sites such as Malwareremoval.com, I'm only able to see the home page. The moment I try to access specific threads, IE hangs. Windows Update is still off and not going anywhere.

Also, when I tried to run an Uninstaller list, HijackThis shut down. Please advise on the next step.

Fwkjoe123
fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm
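As an added illustration of how a log reader works through O4 entries like the ones in the HijackThis log above, here is a small Python triage script. It is not code from this thread or from the HijackThis or ComboFix projects. The sample lines are copied from the logs posted in this thread; the heuristics (bare-GUID Run value names, DLLs loaded through rundll32, autostarts living inside a user's Application Data folder, entries pointing at missing files) and the severity labels are my own assumptions about what is worth a closer look, not HijackThis output. It also cross-checks each flagged path against the "Other Deletions" section of the ComboFix report posted later in the thread, so you can see which flagged entries the cleanup actually removed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the O3/O4/O23 lines from the HijackThis log
# posted above, embedded so the script runs offline.
SAMPLE_HJT = r"""
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{af1f0e79-44d7-3774-2c33-0521442b4e07}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\mhnqrozcaqfjdhoow.dll" DllStart
O4 - HKLM\..\Run: [BM4f52b110] Rundll32.exe "C:\WINDOWS\system32\plogguob.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Adpm] "C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe" -vt yazb
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample: paths taken from the "Other Deletions" section of the
# ComboFix report posted later in this thread.
SAMPLE_COMBOFIX_DELETIONS = r"""
C:\Documents and Settings\Franck.COMPUTER1\Application Data\SSEMBL~1
C:\WINDOWS\system32\mhnqrozcaqfjdhoow.dll
C:\WINDOWS\system32\plogguob.dll
C:\WINDOWS\system32\gside.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
# A program autostarted from inside a user profile, in long or 8.3 short form.
PROFILE_RE = re.compile(r"\\(?:Documents and Settings|DOCUME~1)\\[^\\]+\\(?:Application Data|APPLIC~1)\\", re.I)
EXE_RE = re.compile(r'"?([A-Z]:\\[^"]+\.exe)', re.I)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (my own labels, an assumption)
    reason: str
    path: str      # file the entry points at, "" if none was extracted
    line: str


def triage_line(line: str) -> list[Finding]:
    """Apply the heuristics to one HijackThis line; returns zero or more findings."""
    out: list[Finding] = []
    if "(no file)" in line or "(file missing)" in line:
        out.append(Finding("low", "entry points at a file that no longer exists", "", line))
    m = RUN_RE.match(line)
    if not m:
        return out
    name, cmd = m.group("name"), m.group("cmd")
    if GUID_RE.match(name):
        out.append(Finding("high", "Run value named with a bare GUID", "", line))
    d = RUNDLL_RE.search(cmd)
    if d:
        out.append(Finding("medium", "DLL loaded through rundll32; verify the DLL", d.group("dll"), line))
    if PROFILE_RE.search(cmd):
        exe = EXE_RE.search(cmd)
        out.append(Finding("high", "autostart executable inside a user profile's Application Data",
                           exe.group(1) if exe else "", line))
    return out


def parse_deletions(report: str) -> set[str]:
    """Lower-cased set of paths from a ComboFix 'Other Deletions' block."""
    return {l.strip().lower() for l in report.splitlines() if l.strip()}


def confirmed_by_cleanup(finding: Finding, deletions: set[str]) -> bool:
    """True if the flagged file, or its parent folder, appears in the deletion list.

    Parent folders are compared by their last component only, because HijackThis
    prints 8.3 short names (APPLIC~1\SSEMBL~1) while ComboFix prints long names.
    """
    if not finding.path:
        return False
    path = finding.path.lower()
    if path in deletions:
        return True
    parent_leaf = path.rsplit("\\", 2)[-2] if path.count("\\") >= 2 else ""
    return any(d.rsplit("\\", 1)[-1] == parent_leaf for d in deletions)


def triage(log: str, deletions: set[str]) -> list[tuple[Finding, bool]]:
    """Run every line through the heuristics and tag each finding with cleanup confirmation."""
    results = []
    for line in log.splitlines():
        for f in triage_line(line.strip()):
            results.append((f, confirmed_by_cleanup(f, deletions)))
    return results


def summarize(results: list[tuple[Finding, bool]]) -> tuple[dict[str, int], list[str]]:
    """Counts per severity, plus the flagged paths the cleanup confirmed, in log order."""
    counts = {"high": 0, "medium": 0, "low": 0}
    confirmed = []
    for f, ok in results:
        counts[f.severity] += 1
        if ok:
            confirmed.append(f.path)
    return counts, confirmed


if __name__ == "__main__":
    results = triage(SAMPLE_HJT, parse_deletions(SAMPLE_COMBOFIX_DELETIONS))
    for f, ok in results:
        tag = "  <-- confirmed removed by ComboFix" if ok else ""
        print(f"[{f.severity:6}] {f.reason}{tag}\n         {f.line[:110]}")
    print(summarize(results))
```

Run as-is, it flags the two rundll32-loaded DLLs and the Application Data autostart that ComboFix later lists under "Other Deletions", marks the NvCpl.dll entry only as "verify" (a legitimate driver component loaded the same way), and classes the dead McAfee service and nameless toolbar as low-severity leftovers. The parent-folder match is deliberately loose; on a real log, check each confirmation by eye rather than trusting it.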

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby turtledove » July 25th, 2008, 3:32 am

Hello Fwkjoe123,
Thank you for the reports. :)
***Please print or copy these instructions to Notepad, as you must disconnect from the Internet and turn off protection software to do the fix.

Two AV Company Products
You have McAfee running as well as Kaspersky, according to the log. You should only be running ONE of them. I would suggest uninstalling McAfee. Running both programs will cause conflicts and slowdowns.
Go Start-->Control Panel-->Select Add/Remove Programs to uninstall McAfee (or Kaspersky, if it is not paid for and McAfee is).


Please do this before running ComboFix - after the download, disconnect/turn off your Internet connection.
Disable Kaspersky Internet Security and TeaTimer:
To disable TeaTimer, do the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

To disable Kaspersky:
Kaspersky Internet Suite
Please navigate to the system tray on the bottom right hand corner and look for K Icon sign.

* Right click it-> select Pause Protection.
* Click on -> By User Request
* A popup will claim that protection is now disabled and a sign like this: will now be shown.

You successfully disabled the Kaspersky Internet Suite Guard.

Please go to your HJT folder and rename Hijackthis.exe to scanthis.exe. Do this by right-clicking on HijackThis.exe and selecting Rename. Highlight only the HijackThis part and replace it with Scanner. Click a blank area; the file should now read scanner.exe.


This is to ensure certain files that hide are visible to subsequent HijackThis and other Scans.
Run ComboFix and Recovery Console Installation

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows: Only After you have Recovery Console installed, then run ComboFix:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (as stated above).


  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
Is McAfee still installed?


Thank you.

Turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby fwkjoe123 » July 26th, 2008, 10:04 pm

Hi Turtledove,

Thanks for the latest set of instructions. I followed them and here are the results:

McAfee is not listed in the list of installed programs. Therefore, I was unable to perform any uninstall function. Kaspersky is the AV software I paid for. McAfee AV was the free version I obtained from Cox Cable.

Here is the ComboFix report:

ComboFix 08-07-26.1 - Administrator 2008-07-26 18:11:01.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.343 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Franck.COMPUTER1\Application Data\macromedia\Flash Player\#SharedObjects\JZLFEFQP\interclick.com
C:\Documents and Settings\Franck.COMPUTER1\Application Data\macromedia\Flash Player\#SharedObjects\JZLFEFQP\interclick.com\ud.sol
C:\Documents and Settings\Franck.COMPUTER1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Franck.COMPUTER1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Franck.COMPUTER1\Application Data\SSEMBL~1
C:\Documents and Settings\Franck.COMPUTER1\Application Data\SSEMBL~1\?ssembly\
C:\Documents and Settings\Kaitlyn\Application Data\macromedia\Flash Player\#SharedObjects\BUA3B92H\interclick.com
C:\Documents and Settings\Kaitlyn\Application Data\macromedia\Flash Player\#SharedObjects\BUA3B92H\interclick.com\ud.sol
C:\Documents and Settings\Kaitlyn\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Kaitlyn\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Tania\Application Data\macromedia\Flash Player\#SharedObjects\R6AVWUXM\interclick.com
C:\Documents and Settings\Tania\Application Data\macromedia\Flash Player\#SharedObjects\R6AVWUXM\interclick.com\ud.sol
C:\Documents and Settings\Tania\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Tania\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\asembl~1
C:\WINDOWS\BM4f52b110.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\crosof~1
C:\WINDOWS\crosof~1\??crosoft\
C:\WINDOWS\pskt.ini
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\SYSTEM32\afcctciv.ini
C:\WINDOWS\system32\awwnplar.dll
C:\WINDOWS\system32\axgxsoyrakl.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\SYSTEM32\caklebhr.ini
C:\WINDOWS\system32\cbXQIXqo.dll
C:\WINDOWS\system32\dhjgcgho.dll
C:\WINDOWS\system32\duwzjv.dll
C:\WINDOWS\system32\eacyng.dll
C:\WINDOWS\system32\gqqdkfcq.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hvsmrjvn.dll
C:\WINDOWS\system32\iiuopo.dll
C:\WINDOWS\system32\juarjodp.dll
C:\WINDOWS\system32\jxvczd.dll
C:\WINDOWS\system32\kowioirh.dll
C:\WINDOWS\system32\kptaytmp.dll
C:\WINDOWS\system32\ktelgvga.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\mevyltoq.ini
C:\WINDOWS\system32\mhnqrozcaqfjdhoow.dll
C:\WINDOWS\system32\miffnibo.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mtynrycr.dll
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\ncglmlaw.dll
C:\WINDOWS\system32\ntufkwpe.dll
C:\WINDOWS\system32\nvjrmsvh.ini
C:\WINDOWS\system32\ohgcgjhd.ini
C:\WINDOWS\SYSTEM32\oqXIQXbc.ini
C:\WINDOWS\SYSTEM32\oqXIQXbc.ini2
C:\WINDOWS\system32\plogguob.dll
C:\WINDOWS\system32\qbmuvmng.ini
C:\WINDOWS\system32\qcehobww.dll
C:\WINDOWS\system32\qpjonacx.dll
C:\WINDOWS\system32\qqqsntek.ini
C:\WINDOWS\system32\rbanroar.dll
C:\WINDOWS\system32\rhbelkac.dll
C:\WINDOWS\system32\rhscrf.dll
C:\WINDOWS\system32\ustvqcmw.dll
C:\WINDOWS\system32\vaxzst.dll
C:\WINDOWS\system32\vbytop.dll
C:\WINDOWS\system32\victccfa.dll
C:\WINDOWS\SYSTEM32\vovavxpb.ini
C:\WINDOWS\SYSTEM32\wbroujxb.ini
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\SYSTEM32\wpxeuwpq.ini
C:\WINDOWS\system32\xnnark.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-24 21:37 . 2008-07-24 21:37 105,472 --a------ C:\WINDOWS\SYSTEM32\speqkvuh.dll
2008-07-24 21:37 . 2008-07-24 21:37 105,472 --a------ C:\WINDOWS\SYSTEM32\ngktqs.dll
2008-07-24 21:36 . 2008-07-24 21:36 83,456 --a------ C:\WINDOWS\SYSTEM32\ketnsqqq.dll
2008-07-24 21:35 . 2008-07-24 21:35 91,648 --a------ C:\WINDOWS\SYSTEM32\vgpnsxdt.dll
2008-07-23 22:33 . 2008-07-23 22:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-23 22:07 . 2008-07-23 22:07 <DIR> d-------- C:\SDFix
2008-07-20 16:40 . 2001-08-17 22:43 24,576 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-07-17 06:56 . 2008-07-17 06:57 <DIR> d-------- C:\Program Files\iTunes
2008-07-17 06:56 . 2008-07-17 06:56 <DIR> d-------- C:\Program Files\iPod
2008-07-17 06:52 . 2008-07-17 06:52 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-07-17 00:16 . 2008-07-24 21:36 96,559 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2008-07-17 00:16 . 2008-07-24 21:36 87,855 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2008-07-17 00:13 . 2008-07-17 00:13 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-17 00:13 . 2008-07-26 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-17 00:12 . 2008-07-26 17:46 4,523,040 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-07-17 00:12 . 2008-07-26 17:46 61,580 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-07-17 00:12 . 2008-07-26 18:17 57,120 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-07-17 00:12 . 2008-07-26 17:46 6,356 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-07-17 00:02 . 2008-07-17 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-16 22:05 . 2008-07-16 22:05 <DIR> d-------- C:\Program Files\Sun
2008-07-16 22:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-16 21:42 . 2003-11-11 02:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-07-16 21:42 . 2008-07-16 21:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-14 05:59 . 2008-07-26 17:45 111,532 --a------ C:\WINDOWS\BM4f52b110.xml
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-13 20:16 . 2008-07-13 20:31 2,675 --a------ C:\WINDOWS\imsins.BAK
2008-07-13 20:05 . 2008-04-13 17:12 69,120 --a------ C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-07-13 20:05 . 2008-04-13 17:12 50,688 --a------ C:\WINDOWS\SYSTEM32\tspkg.dll
2008-07-13 20:03 . 2008-04-13 17:11 650,752 --a------ C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-07-13 19:39 . 2008-07-14 08:33 90,922 --a------ C:\WINDOWS\SYSTEM32\axgxsoyrakl.dll-uninst.exe
2008-07-13 15:02 . 2008-07-13 15:02 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-07-13 14:52 . 2008-07-14 08:24 64,332 --a------ C:\WINDOWS\SYSTEM32\xaiovgamqkz.exe
2008-07-13 14:51 . 2008-07-17 06:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\sfig
2008-07-13 14:51 . 2008-07-16 00:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\provdll
2008-07-13 14:51 . 2008-07-16 00:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\olixds01
2008-07-13 14:51 . 2008-07-17 06:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\OBDE
2008-07-13 14:51 . 2008-07-17 06:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\imp32
2008-07-13 14:51 . 2008-07-17 05:41 <DIR> d--hs---- C:\WINDOWS\RnJhbmNr
2008-07-13 14:51 . 2008-07-13 14:51 <DIR> d-------- C:\Temp\stmpv4
2008-07-13 14:51 . 2008-07-13 14:51 152,079 --a------ C:\WINDOWS\SYSTEM32\g94.exe
2008-06-28 20:55 . 2008-06-28 20:55 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 23:41 --------- d-----w C:\Program Files\Audible
2008-07-18 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 13:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-17 14:06 --------- d-----w C:\Documents and Settings\Franck.COMPUTER1\Application Data\Skype
2008-07-17 13:04 --------- d-----w C:\Program Files\Diegos Rescue Adventure
2008-07-17 07:56 --------- d-----w C:\Program Files\McAfee.com
2008-07-17 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-17 07:50 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-17 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-17 05:04 --------- d-----w C:\Program Files\Java
2008-06-22 21:36 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-06-22 21:36 --------- d-----w C:\Program Files\Adobe Media Player
2008-06-22 05:30 --------- d-----w C:\Program Files\Viewpoint
2008-06-22 05:30 --------- d-----w C:\Program Files\Transaction Viewer
2008-06-22 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-22 03:32 --------- d-----w C:\Program Files\Dell Support Center
2008-06-22 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-06-22 03:25 --------- d-----w C:\Program Files\Handbrake
2008-06-22 03:24 --------- d-----w C:\Program Files\DivX
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 06:20 --------- d-----w C:\Program Files\QuickTime
2008-06-15 06:17 --------- d-----w C:\Program Files\Apple Software Update
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-09-23 05:08 74,992 -c--a-w C:\Documents and Settings\Tania\Application Data\GDIPFONTCACHEV1.DAT
2006-08-17 07:00 74,992 ----a-w C:\Documents and Settings\Franck.COMPUTER1\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 23:24 472 --sha-r C:\WINDOWS\RnJhbmNr\lBL1vAhO.vbs
2005-07-15 20:50 56 -csh--r C:\WINDOWS\SYSTEM32\BFE2B44BC3.sys
2006-07-26 16:24 1,682 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 17:11 177152 C:\WINDOWS\SYSTEM32\mqrt.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Audible Download Manager.lnk - C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe [2007-11-16 15:40:16 1754456]
billeo.lnk - C:\Program Files\Billeo\billeo.exe [2007-09-13 07:23:46 1144072]
CheckIt 86.lnk - C:\Program Files\CheckIt\86\CheckIt86.exe [2003-12-18 22:44:22 339968]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-11-11 02:22:45 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^Franck.COMPUTER1^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Franck.COMPUTER1\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
"BuildBU"=c:\dell\bldbubg.exe
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1567:UDP"= 1567:UDP:Windows Media Format SDK (iexplore.exe)
"1566:UDP"= 1566:UDP:Windows Media Format SDK (iexplore.exe)
"1587:UDP"= 1587:UDP:Windows Media Format SDK (iexplore.exe)
"1586:UDP"= 1586:UDP:Windows Media Format SDK (iexplore.exe)
"1602:UDP"= 1602:UDP:Windows Media Format SDK (iexplore.exe)
"1603:UDP"= 1603:UDP:Windows Media Format SDK (iexplore.exe)
"1627:UDP"= 1627:UDP:Windows Media Format SDK (iexplore.exe)
"1626:UDP"= 1626:UDP:Windows Media Format SDK (iexplore.exe)
"1666:UDP"= 1666:UDP:Windows Media Format SDK (iexplore.exe)
"1667:UDP"= 1667:UDP:Windows Media Format SDK (iexplore.exe)
"1700:UDP"= 1700:UDP:Windows Media Format SDK (iexplore.exe)
"1701:UDP"= 1701:UDP:Windows Media Format SDK (iexplore.exe)
"1721:UDP"= 1721:UDP:Windows Media Format SDK (iexplore.exe)
"1720:UDP"= 1720:UDP:Windows Media Format SDK (iexplore.exe)
"1734:UDP"= 1734:UDP:Windows Media Format SDK (iexplore.exe)
"1735:UDP"= 1735:UDP:Windows Media Format SDK (iexplore.exe)
"1832:UDP"= 1832:UDP:Windows Media Format SDK (iexplore.exe)
"1833:UDP"= 1833:UDP:Windows Media Format SDK (iexplore.exe)
"1921:UDP"= 1921:UDP:Windows Media Format SDK (iexplore.exe)
"1920:UDP"= 1920:UDP:Windows Media Format SDK (iexplore.exe)

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S1 mutohpenn;mutohpenn;C:\WINDOWS\system32\drivers\mutohpenn.sys []
.
Contents of the 'Scheduled Tasks' folder
2008-06-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0 []
.
- - - - ORPHANS REMOVED - - - -

BHO-{3e3494c6-316e-be82-317c-87997d9478d6} - (no file)
BHO-{440d021a-0710-ca64-0cfa-d4000546110e} - (no file)
BHO-{6241B42E-BAA2-409E-85DB-7016D0E7A9E8} - (no file)
BHO-{7E2FDF40-FDB2-4291-9A8C-7F8000CFB7BB} - (no file)
BHO-{817ed65f-a652-44e4-9b4d-2de37fde414e} - (no file)
BHO-{82336A8D-6CD0-4647-B791-75FCA8CF2B39} - (no file)
BHO-{AB863861-41E6-4129-8F44-E7BFFE5C4077} - (no file)
BHO-{be8ba3dd-bd6d-449e-b22d-35b192cee387} - (no file)
BHO-{CF176F46-8271-401B-A070-C695DA07B8D2} - (no file)
BHO-{E7CF5199-48C4-43DE-AA0A-D387367C54C5} - (no file)
HKCU-Run-Adpm - C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe
HKLM-Run-{af1f0e79-44d7-3774-2c33-0521442b4e07} - C:\WINDOWS\system32\mhnqrozcaqfjdhoow.dll
HKLM-Run-BM4f52b110 - C:\WINDOWS\system32\plogguob.dll
Notify-jKAtTMET - (no file)
MSConfigStartUp-4c61828c - C:\WINDOWS\system32\bxjuorbw.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = about:blank
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dell.com/
O8 -: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 18:18:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\locator.exe
C:\WINDOWS\SYSTEM32\snmp.exe
C:\WINDOWS\SYSTEM32\mqsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\SYSTEM32\mqtgsvc.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-26 18:22:53 - machine was rebooted [Franck]
ComboFix-quarantined-files.txt 2008-07-27 01:22:45
ComboFix2.txt 2007-07-19 05:26:50

Pre-Run: 17,995,411,456 bytes free
Post-Run: 17,736,413,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

304 --- E O F --- 2008-07-09 02:45:37


Here is the Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:30, on 2008-07-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Franck.COMPUTER1\My Documents\HJT\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} (Mindjet MindManager Viewer Control) - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mci ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6587211781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4856694843
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/ko ... nt/kdx.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7644 bytes
fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm
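The HijackThis log above groups what it found by section code (R0/R1 browser URLs, O2 browser helper objects, O3 toolbars, O4 autostarts, O9 IE buttons, O16 ActiveX downloads, O23 services). Entries the scanner itself marks as "(no file)", "(file missing)", "= ?" or "Unknown owner" are the ones the log alone cannot vouch for, so they are the natural starting point when reading such a log. The script below is an added example and not a tool from MalwareRemoval.com, Trend Micro or HijackThis; it parses lines in that format and flags exactly those markers. The sample log inside it is constructed for the example (made-up paths and CLSIDs), not copied from a real scan.

```python
"""Triage helper for HijackThis-style logs (added example, not a MalwareRemoval.com tool)."""
import re
from dataclasses import dataclass

# HijackThis prefixes each finding with a section code: R0/R1 (IE URLs), O2 (BHOs),
# O3 (toolbars), O4 (autostarts), O23 (services), and so on.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Markers HijackThis prints when a registered component no longer exists on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def triage_hijackthis(log_text: str) -> list[Finding]:
    """Return the entries that need a closer look.

    The rules are deliberately conservative: they flag only what the log itself
    states (orphaned registrations, unresolved startup shortcuts, services whose
    binary carries no company name) and never guess that a file is malicious.
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = HJT_LINE.match(line)
        if not match:
            continue  # header lines, the running-process list, blank lines
        code = match.group("code")
        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append(Finding(code, "orphaned entry: registered component has no file on disk", line))
        elif code == "O4" and line.endswith("= ?"):
            findings.append(Finding(code, "startup shortcut whose target could not be resolved", line))
        elif code == "O23" and "Unknown owner" in line:
            findings.append(Finding(code, "service binary with no company name in its version info", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count flagged entries per HijackThis section code."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.code] = counts.get(finding.code, 0) + 1
    return counts


# Constructed sample in HijackThis v2.0.2 line format; every path and CLSID is made up.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00, on 2008-07-31
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
O4 - Global Startup: Some Tool.lnk = ?
O23 - Service: Example Service (ExSvc) - Example Corp - C:\Program Files\Example\exsvc.exe
O23 - Service: Old Scanner (OldScan) - Unknown owner - C:\Program Files\OldScan\scan.exe (file missing)
O23 - Service: Vendor Agent (VAgent) - Unknown owner - C:\Program Files\Vendor\agent.exe
"""

if __name__ == "__main__":
    flagged = triage_hijackthis(SAMPLE_LOG)
    for finding in flagged:
        print(f"{finding.code:<4} {finding.reason}\n     {finding.line}")
    print(summarize(flagged))
```

Running it on the constructed sample flags four lines: the toolbar with no file, the startup shortcut with an unresolved target, the missing McAfee-style service binary and the service whose binary has no company name. A flagged entry is a question to answer from the rest of the log, not a verdict; the Kaspersky and Apple services in the real log above, for instance, carry a publisher name and are left alone by these rules.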

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby fwkjoe123 » July 26th, 2008, 10:07 pm

Hello Turtledove,

I forgot to mention that since your instructions did not mention anything about reconnecting the computer back to the Internet, I've left the system Internet connection off. I'm using another system to access the web.

Waiting for more instructions.

Fwkjoe123
fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby turtledove » July 27th, 2008, 4:37 am

Hello and thank you fwkjoe123 for the reports. :)
You may connect to the internet, just be sure your Protections are all ON first. I'm looking over your logs.

Turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby turtledove » July 28th, 2008, 1:27 am

Hello fwkjoe123,

First let's get McAfee taken out:
Uninstall McAfee

Note: You should first attempt to remove your McAfee consumer products using Add/Remove Programs in the Windows Control Panel (Programs and Features, in Windows Vista). This is the best method. After uninstalling using Windows Add/Remove Programs, run the McAfee Consumer Removal Tool (MCPR.EXE) to ensure successful removal of all McAfee references.

Download the removal tool from HERE
  • Click Save and save the file to any folder on your computer.
  • Navigate to the folder where the file is saved.
  • Make sure all McAfee windows are closed.
  • Double-click MCPR.EXE to run the removal tool.
    • Note: Windows Vista users must right-click MCPR.EXE and select Run as Administrator.
  • Restart your computer after receiving the message CleanUp Successful.


Run CFScript and Combofix

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
    Killall::
    File::
C:\WINDOWS\SYSTEM32\speqkvuh.dll
C:\WINDOWS\SYSTEM32\ngktqs.dll
C:\WINDOWS\SYSTEM32\ketnsqqq.dll
C:\WINDOWS\SYSTEM32\vgpnsxdt.dll
C:\WINDOWS\BM4f52b110.xml
C:\WINDOWS\SYSTEM32\axgxsoyrakl.dll-uninst.exe
C:\WINDOWS\SYSTEM32\xaiovgamqkz.exe
C:\WINDOWS\SYSTEM32\g94.exe

    Folder::
C:\WINDOWS\SYSTEM32\sfig 
C:\WINDOWS\SYSTEM32\olixds01
C:\WINDOWS\SYSTEM32\OBDE
C:\WINDOWS\SYSTEM32\imp32
C:\WINDOWS\RnJhbmNr
C:\Temp\stmpv4
    Driver::
C:\WINDOWS\system32\drivers\mutohpenn.sys
    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.



Please Post:
ComboFix.txt
New HijackThis log
Any remaining problems

Thank you
Turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby turtledove » July 30th, 2008, 5:37 pm

Hello fwkjoe123,

How are things coming along, any problems?
Let me know if you need further assistance please.

Have a nice day.

TD
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby fwkjoe123 » July 31st, 2008, 12:20 am

Hello TD,

Sorry for the delay in getting back to you. Thanks for the latest instructions.

Here are the logs.

ComboFix:

ComboFix 08-07-29.1 - Franck 2008-07-30 20:20:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.222 [GMT -7:00]
Running from: C:\Documents and Settings\Franck.COMPUTER1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Franck.COMPUTER1\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\BM4f52b110.xml
C:\WINDOWS\SYSTEM32\axgxsoyrakl.dll-uninst.exe
C:\WINDOWS\SYSTEM32\g94.exe
C:\WINDOWS\SYSTEM32\ketnsqqq.dll
C:\WINDOWS\SYSTEM32\ngktqs.dll
C:\WINDOWS\SYSTEM32\speqkvuh.dll
C:\WINDOWS\SYSTEM32\vgpnsxdt.dll
C:\WINDOWS\SYSTEM32\xaiovgamqkz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kaitlyn\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Kaitlyn\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Tania\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Tania\Start Menu\Programs\Startup\DW_Start.lnk
C:\Temp\stmpv4
C:\Temp\stmpv4\bnwe7.log
C:\WINDOWS\BM4f52b110.xml
C:\WINDOWS\RnJhbmNr
C:\WINDOWS\RnJhbmNr\lBL1vAhO.vbs
C:\WINDOWS\SYSTEM32\axgxsoyrakl.dll-uninst.exe
C:\WINDOWS\SYSTEM32\g94.exe
C:\WINDOWS\SYSTEM32\imp32
C:\WINDOWS\SYSTEM32\ketnsqqq.dll
C:\WINDOWS\SYSTEM32\ngktqs.dll
C:\WINDOWS\SYSTEM32\OBDE
C:\WINDOWS\SYSTEM32\olixds01
C:\WINDOWS\SYSTEM32\sfig
C:\WINDOWS\SYSTEM32\speqkvuh.dll
C:\WINDOWS\SYSTEM32\vgpnsxdt.dll
C:\WINDOWS\SYSTEM32\xaiovgamqkz.exe
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-27 13:18 . 2008-07-27 13:18 <DIR> d-------- C:\Program Files\Maxtor
2008-07-27 13:18 . 2008-07-27 13:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2008-07-27 13:16 . 2008-07-27 13:16 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-27 08:33 . 2008-05-09 03:53 512,000 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2008-07-27 08:33 . 2008-05-09 03:53 430,080 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
2008-07-27 08:33 . 2008-05-09 03:53 180,224 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\scrobj.dll
2008-07-27 08:33 . 2008-05-09 03:53 172,032 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\scrrun.dll
2008-07-27 08:33 . 2008-05-08 04:24 155,648 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wscript.exe
2008-07-27 08:33 . 2008-05-09 01:45 135,168 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cscript.exe
2008-07-27 08:33 . 2008-05-09 03:53 90,112 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wshext.dll
2008-07-23 22:33 . 2008-07-23 22:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-23 22:07 . 2008-07-23 22:07 <DIR> d-------- C:\SDFix
2008-07-20 16:40 . 2001-08-17 22:43 24,576 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-07-17 06:56 . 2008-07-17 06:57 <DIR> d-------- C:\Program Files\iTunes
2008-07-17 06:56 . 2008-07-17 06:56 <DIR> d-------- C:\Program Files\iPod
2008-07-17 06:52 . 2008-07-17 06:52 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-07-17 00:16 . 2008-07-24 21:36 96,559 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2008-07-17 00:16 . 2008-07-24 21:36 87,855 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2008-07-17 00:13 . 2008-07-17 00:13 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-17 00:13 . 2008-07-30 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-17 00:12 . 2008-07-30 21:00 7,082,016 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-07-17 00:12 . 2008-07-30 21:00 288,800 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-07-17 00:12 . 2008-07-30 20:32 98,504 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-07-17 00:12 . 2008-07-30 20:32 30,116 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-07-17 00:02 . 2008-07-17 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-16 22:05 . 2008-07-16 22:05 <DIR> d-------- C:\Program Files\Sun
2008-07-16 22:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-16 21:42 . 2003-11-11 02:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-07-16 21:42 . 2008-07-16 21:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-13 20:16 . 2008-07-16 21:46 2,170 --a------ C:\WINDOWS\imsins.BAK
2008-07-13 20:05 . 2008-04-13 17:12 69,120 --a------ C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-07-13 20:05 . 2008-04-13 17:12 50,688 --a------ C:\WINDOWS\SYSTEM32\tspkg.dll
2008-07-13 20:03 . 2008-04-13 17:11 650,752 --a------ C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-07-13 15:02 . 2008-07-13 15:02 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-07-13 14:51 . 2008-07-16 00:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\provdll
2008-06-28 20:55 . 2008-06-28 20:55 <DIR> d-------- C:\Program Files\Bonjour
2008-06-22 14:36 . 2008-06-22 14:36 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-06-22 14:36 . 2008-06-22 14:36 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-06-20 10:46 . 2008-06-20 10:46 245,248 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 10:46 . 2008-06-20 10:46 147,968 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 04:51 . 2008-06-20 04:51 361,600 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 04:40 . 2008-06-20 04:40 138,496 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 04:08 . 2008-06-20 04:08 225,856 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-14 23:17 . 2008-06-14 23:17 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-10 14:26 . 2008-06-13 04:05 272,128 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-10 14:26 . 2008-05-08 07:02 203,136 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 23:41 --------- d-----w C:\Program Files\Audible
2008-07-18 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 13:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-17 14:06 --------- d-----w C:\Documents and Settings\Franck.COMPUTER1\Application Data\Skype
2008-07-17 13:04 --------- d-----w C:\Program Files\Diegos Rescue Adventure
2008-07-17 07:50 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-17 05:04 --------- d-----w C:\Program Files\Java
2008-06-22 05:30 --------- d-----w C:\Program Files\Viewpoint
2008-06-22 05:30 --------- d-----w C:\Program Files\Transaction Viewer
2008-06-22 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-22 03:32 --------- d-----w C:\Program Files\Dell Support Center
2008-06-22 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-06-22 03:25 --------- d-----w C:\Program Files\Handbrake
2008-06-22 03:24 --------- d-----w C:\Program Files\DivX
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 06:20 --------- d-----w C:\Program Files\QuickTime
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 376,832 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msinfo.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2007-09-23 05:08 74,992 -c--a-w C:\Documents and Settings\Tania\Application Data\GDIPFONTCACHEV1.DAT
2006-08-17 07:00 74,992 ----a-w C:\Documents and Settings\Franck.COMPUTER1\Application Data\GDIPFONTCACHEV1.DAT
2005-07-15 20:50 56 -csh--r C:\WINDOWS\SYSTEM32\BFE2B44BC3.sys
2006-07-26 16:24 1,682 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-26_18.22.01.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 08:45:51 135,168 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\cscript.exe
+ 2008-05-09 10:45:15 512,000 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\jscript.dll
+ 2008-05-09 10:45:16 180,224 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\scrobj.dll
+ 2008-05-09 10:45:16 172,032 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\scrrun.dll
+ 2008-05-09 10:45:16 430,080 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\vbscript.dll
+ 2008-05-08 11:24:44 155,648 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\wscript.exe
+ 2008-05-09 10:45:17 90,112 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\wshext.dll
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951978\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951978\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951978\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951978\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951978\update\updspapi.dll
- 2008-05-15 02:38:32 2,560 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-07-29 21:50:02 2,560 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-05-15 02:38:32 34,304 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-07-29 21:50:01 34,304 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-05-15 02:38:32 8,192 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-07-29 21:50:02 8,192 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-05-15 02:38:32 3,584 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-07-29 21:50:02 3,584 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-05-15 02:38:33 114,688 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-07-29 21:50:02 114,688 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-05-15 02:38:32 16,384 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-07-29 21:50:02 16,384 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-05-15 02:38:32 30,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-07-29 21:50:02 30,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-05-15 02:38:33 22,528 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-07-29 21:50:03 22,528 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-05-15 02:38:32 45,056 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-07-29 21:50:01 45,056 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-05-15 02:38:32 90,112 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-07-29 21:50:01 90,112 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-07-27 20:18:54 454,656 ----a-r C:\WINDOWS\Installer\{B8281D46-D846-4BB9-BC84-F1115A7BF820}\ARPPRODUCTICON.exe
+ 2008-07-27 20:18:55 454,656 ----a-r C:\WINDOWS\Installer\{B8281D46-D846-4BB9-BC84-F1115A7BF820}\NewShortcut1_D5E5682B2798457BBBF70892B58EFF3A.exe
+ 2008-07-27 20:18:55 454,656 ----a-r C:\WINDOWS\Installer\{B8281D46-D846-4BB9-BC84-F1115A7BF820}\NewShortcut2_60EEB642E9E045A2A676B9D8FE17C4A9.exe
+ 2008-07-27 20:18:55 45,056 ----a-r C:\WINDOWS\Installer\{B8281D46-D846-4BB9-BC84-F1115A7BF820}\NewShortcut3_D5E5682B2798457BBBF70892B58EFF3A.exe
- 2008-07-27 00:12:03 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-07-31 02:29:44 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-07-27 00:12:03 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-07-31 02:29:44 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-07-27 00:12:03 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-07-31 02:29:44 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2008-04-14 00:12:15 139,264 ----a-w C:\WINDOWS\SYSTEM32\cscript.exe
+ 2008-05-09 08:45:51 135,168 ----a-w C:\WINDOWS\SYSTEM32\cscript.exe
+ 2007-05-03 20:37:08 22,152 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\mxopswd.sys
- 2008-07-27 01:17:07 223,926 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2008-07-31 03:33:12 223,928 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
- 2008-04-14 00:11:56 512,000 ----a-w C:\WINDOWS\SYSTEM32\jscript.dll
+ 2008-05-09 10:53:39 512,000 ----a-w C:\WINDOWS\SYSTEM32\jscript.dll
- 2008-04-14 00:12:05 180,224 ----a-w C:\WINDOWS\SYSTEM32\scrobj.dll
+ 2008-05-09 10:53:39 180,224 ----a-w C:\WINDOWS\SYSTEM32\scrobj.dll
- 2008-04-14 00:12:05 172,032 ----a-w C:\WINDOWS\SYSTEM32\scrrun.dll
+ 2008-05-09 10:53:40 172,032 ----a-w C:\WINDOWS\SYSTEM32\scrrun.dll
- 2008-04-14 00:12:08 434,176 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
+ 2008-05-09 10:53:40 430,080 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
- 2008-04-14 00:12:41 155,648 ----a-w C:\WINDOWS\SYSTEM32\wscript.exe
+ 2008-05-08 11:24:44 155,648 ----a-w C:\WINDOWS\SYSTEM32\wscript.exe
- 2008-04-14 00:12:10 90,112 ----a-w C:\WINDOWS\SYSTEM32\wshext.dll
+ 2008-05-09 10:53:40 90,112 ----a-w C:\WINDOWS\SYSTEM32\wshext.dll
+ 2008-07-31 03:33:13 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_5a4.dat
+ 2006-12-02 05:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 07:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 07:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 07:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 07:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 07:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 07:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 07:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 07:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 07:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 07:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 07:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 07:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 07:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"Adpm"="C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 17:11 177152 C:\WINDOWS\SYSTEM32\mqrt.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Audible Download Manager.lnk - C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe [2007-11-16 15:40:16 1754456]
billeo.lnk - C:\Program Files\Billeo\billeo.exe [2007-09-13 07:23:46 1144072]
CheckIt 86.lnk - C:\Program Files\CheckIt\86\CheckIt86.exe [2003-12-18 22:44:22 339968]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-11-11 02:22:45 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jKAtTMET]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^Franck.COMPUTER1^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Franck.COMPUTER1\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
"BuildBU"=c:\dell\bldbubg.exe
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1567:UDP"= 1567:UDP:Windows Media Format SDK (iexplore.exe)
"1566:UDP"= 1566:UDP:Windows Media Format SDK (iexplore.exe)
"1587:UDP"= 1587:UDP:Windows Media Format SDK (iexplore.exe)
"1586:UDP"= 1586:UDP:Windows Media Format SDK (iexplore.exe)
"1602:UDP"= 1602:UDP:Windows Media Format SDK (iexplore.exe)
"1603:UDP"= 1603:UDP:Windows Media Format SDK (iexplore.exe)
"1627:UDP"= 1627:UDP:Windows Media Format SDK (iexplore.exe)
"1626:UDP"= 1626:UDP:Windows Media Format SDK (iexplore.exe)
"1666:UDP"= 1666:UDP:Windows Media Format SDK (iexplore.exe)
"1667:UDP"= 1667:UDP:Windows Media Format SDK (iexplore.exe)
"1700:UDP"= 1700:UDP:Windows Media Format SDK (iexplore.exe)
"1701:UDP"= 1701:UDP:Windows Media Format SDK (iexplore.exe)
"1721:UDP"= 1721:UDP:Windows Media Format SDK (iexplore.exe)
"1720:UDP"= 1720:UDP:Windows Media Format SDK (iexplore.exe)
"1734:UDP"= 1734:UDP:Windows Media Format SDK (iexplore.exe)
"1735:UDP"= 1735:UDP:Windows Media Format SDK (iexplore.exe)
"1832:UDP"= 1832:UDP:Windows Media Format SDK (iexplore.exe)
"1833:UDP"= 1833:UDP:Windows Media Format SDK (iexplore.exe)
"1921:UDP"= 1921:UDP:Windows Media Format SDK (iexplore.exe)
"1920:UDP"= 1920:UDP:Windows Media Format SDK (iexplore.exe)

R2 Maxtor Sync Service;Maxtor Service;C:\Program Files\Maxtor\Sync\SyncServices.exe [2007-09-28 12:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S1 mutohpenn;mutohpenn;C:\WINDOWS\system32\drivers\mutohpenn.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-06-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3e3494c6-316e-be82-317c-87997d9478d6} - (no file)
BHO-{440d021a-0710-ca64-0cfa-d4000546110e} - (no file)
BHO-{6241B42E-BAA2-409E-85DB-7016D0E7A9E8} - (no file)
BHO-{7E2FDF40-FDB2-4291-9A8C-7F8000CFB7BB} - (no file)
BHO-{817ed65f-a652-44e4-9b4d-2de37fde414e} - (no file)
BHO-{82336A8D-6CD0-4647-B791-75FCA8CF2B39} - (no file)
BHO-{AB863861-41E6-4129-8F44-E7BFFE5C4077} - (no file)
BHO-{be8ba3dd-bd6d-449e-b22d-35b192cee387} - (no file)
BHO-{CF176F46-8271-401B-A070-C695DA07B8D2} - (no file)
BHO-{E7CF5199-48C4-43DE-AA0A-D387367C54C5} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 21:00:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\locator.exe
C:\WINDOWS\SYSTEM32\snmp.exe
C:\WINDOWS\SYSTEM32\mqsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\SYSTEM32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-30 21:06:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-31 04:05:49
ComboFix2.txt 2008-07-27 01:22:54
ComboFix3.txt 2007-07-19 05:26:50

Pre-Run: 77,079,412,736 bytes free
Post-Run: 77,121,835,008 bytes free

331 --- E O F --- 2008-07-27 15:28:26


Next is the log from Hijackthis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07, on 2008-07-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Franck.COMPUTER1\My Documents\HJT\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Adpm] "C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe" -vt yazb
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} (Mindjet MindManager Viewer Control) - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6587211781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4856694843
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/ko ... nt/kdx.cab
O20 - Winlogon Notify: jKAtTMET - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7162 bytes

Computer is running better. Automatic update is working now. Seems like the worst is over. I look forward to hearing back your analysis of the latest posted logs. The curious thing is that when I run Windows Update, there are no updates available. Am I running with all the latest updates? What about SP3? Is there a need for it?

THX

fwkjoe123

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby turtledove » August 1st, 2008, 2:02 am

Hello fwkjoe123,
Good job, and you are welcome.
Please run the following, we are about done. As always, copy these instructions for the time offline.

**Turn OFF internet and Kaspersky AND TeaTimer from Spybot first, or CFScript/ComboFix may not complete the deletions**
KASPERSKY ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for a K sign.

* right click it-> select Pause Protection.
* click on -> By User Request
* a popup will claim that protection is now disabled and a sign like this [image] will now be shown.

You successfully disabled the Kaspersky Antivirus Guard.

SPYBOT TEATIMER

* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)



Run CFScript and Combofix

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:
Please Copy ALL inside the code box
Code:
    Killall::
    Folder::
    C:\WINDOWS\SYSTEM32\provdll
    C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\
    Driver::
    mutohpenn.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



**Restart Kaspersky and TeaTimer, reconnect internet
Run Malwarebytes' Anti-Malware Program
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Rerun HijackThis
All other windows need to be closed.
Place a check mark next to the following, if present:

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file) --> If Not used anymore
O4 - HKCU\..\Run: [Adpm] "C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe" -vt yazb
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O20 - Winlogon Notify: jKAtTMET - C:\WINDOWS\

Please click fix checked, when it finishes, click exit.
Reboot Computer


Please Post
ComboFix.txt
mbam-log-date (time).txt ----> mbam with date & time made
New HijackThis log with any remaining problems

Thank you

Turtledove
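The four HijackThis lines turtledove singles out for "fix checked" above share patterns a helper learns to spot by eye: a CLSID whose file is gone, an O16 ActiveX entry with no download URL, a Winlogon Notify handler with no DLL behind it, and an HKCU autorun living in a user's Application Data folder under a legitimate driver's file name. The script below is an added example, not part of the thread and not code from HijackThis, ComboFix or MalwareRemoval.com; it encodes those heuristics and runs them over lines copied from the log posted above, mixed with benign entries from the same log as controls. The MIMICKED_NAMES list and the exact rules are this example's own assumptions.

```python
"""Heuristic triage of HijackThis v2.0.2 log lines.

Added example for this thread; it is not part of the original posts and not
code from HijackThis, ComboFix or MalwareRemoval.com. The rules below are
this example's own assumptions about which entries deserve a closer look,
chosen to match the four lines turtledove asks to have fixed.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted in the
# thread, mixing the four entries singled out for removal with benign ones.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Adpm] "C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe" -vt yazb
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} (Mindjet MindManager Viewer Control) - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O20 - Winlogon Notify: jKAtTMET - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path on the line that ends in an executable module.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys))', re.I)
# Per-user profile data folders in the XP layout (8.3 and long forms).
USER_DATA_RE = re.compile(
    r"(?:\\DOCUME~1\\|\\Documents and Settings\\)[^\\]+\\"
    r"(?:APPLIC~1|Application Data|LOCALS~1|Local Settings)", re.I)
# Legitimate system/driver binary names that malware reuses outside their
# normal home. Assumption of this example: illustrative, not a whitelist.
MIMICKED_NAMES = {"ati2evxx.exe", "svchost.exe", "lsass.exe", "csrss.exe"}


def triage_line(line):
    """Return the list of reasons this HijackThis line looks suspicious."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    p = PATH_RE.search(body)
    path = p.group(1) if p else ""
    if kind in ("O2", "O3") and "(no file)" in body:
        reasons.append("CLSID registered but its file is gone (orphan)")
    if kind == "O16" and body.rstrip().endswith("-"):
        reasons.append("ActiveX download entry without a source URL")
    if kind == "O20" and not path:
        reasons.append("Winlogon Notify handler with no DLL path")
    if kind == "O4":
        if USER_DATA_RE.search(path):
            reasons.append("autorun launched from a user profile data folder")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in MIMICKED_NAMES and "\\system32\\" not in path.lower():
            reasons.append(f"system binary name {name} outside system32")
    return reasons


def triage(log_text):
    """Return (kind, reasons, line) for every line with at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append((line.split(" ", 1)[0], reasons, line))
    return findings


if __name__ == "__main__":
    for kind, reasons, line in triage(SAMPLE_LOG):
        print(f"{kind}: {line}")
        for reason in reasons:
            print(f"    - {reason}")
```

Treat the output as a shortlist, not a verdict: turtledove only removes the orphaned O3 toolbar "if not used anymore", and an autorun under Application Data is also where some legitimate per-user installers put themselves, so each hit still needs the file itself checked (vendor, signature, creation date) before it goes on a fix list.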