Automatic update cannot be restarted - Virtumonde trojan

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby fwkjoe123 » August 3rd, 2008, 7:54 pm

Hello TD,

Thanks for hanging in there with me. I never thought the process would require such detailed step-by-step instructions. I can't be more thankful to have you alongside guiding my way out.

Here are the latest report logs.

ComboFix.txt report log:

ComboFix 08-07-29.1 - Franck 2008-08-03 14:09:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.231 [GMT -7:00]
Running from: C:\Documents and Settings\Franck.COMPUTER1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Franck.COMPUTER1\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\provdll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-07-27 13:18 . 2008-07-27 13:18 <DIR> d-------- C:\Program Files\Maxtor
2008-07-27 13:18 . 2008-07-27 13:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2008-07-27 13:16 . 2008-07-27 13:16 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-27 08:33 . 2008-05-09 03:53 512,000 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2008-07-27 08:33 . 2008-05-09 03:53 430,080 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
2008-07-27 08:33 . 2008-05-09 03:53 180,224 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\scrobj.dll
2008-07-27 08:33 . 2008-05-09 03:53 172,032 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\scrrun.dll
2008-07-27 08:33 . 2008-05-08 04:24 155,648 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wscript.exe
2008-07-27 08:33 . 2008-05-09 01:45 135,168 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cscript.exe
2008-07-27 08:33 . 2008-05-09 03:53 90,112 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wshext.dll
2008-07-23 22:33 . 2008-07-23 22:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-23 22:07 . 2008-07-23 22:07 <DIR> d-------- C:\SDFix
2008-07-20 16:40 . 2001-08-17 22:43 24,576 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-07-17 06:56 . 2008-07-17 06:57 <DIR> d-------- C:\Program Files\iTunes
2008-07-17 06:56 . 2008-07-17 06:56 <DIR> d-------- C:\Program Files\iPod
2008-07-17 06:52 . 2008-07-17 06:52 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-07-17 00:16 . 2008-07-24 21:36 96,559 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2008-07-17 00:16 . 2008-07-24 21:36 87,855 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2008-07-17 00:13 . 2008-07-17 00:13 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-17 00:13 . 2008-08-03 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-17 00:12 . 2008-08-03 14:15 7,189,536 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-07-17 00:12 . 2008-08-03 14:14 295,968 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-07-17 00:12 . 2008-08-03 14:13 100,448 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-07-17 00:12 . 2008-08-03 14:13 30,836 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-07-17 00:02 . 2008-07-17 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-16 22:05 . 2008-07-16 22:05 <DIR> d-------- C:\Program Files\Sun
2008-07-16 22:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-16 21:42 . 2003-11-11 02:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-07-16 21:42 . 2008-07-16 21:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-13 20:16 . 2008-07-16 21:46 2,170 --a------ C:\WINDOWS\imsins.BAK
2008-07-13 20:05 . 2008-04-13 17:12 69,120 --a------ C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-07-13 20:05 . 2008-04-13 17:12 50,688 --a------ C:\WINDOWS\SYSTEM32\tspkg.dll
2008-07-13 20:03 . 2008-04-13 17:11 650,752 --a------ C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-07-13 15:02 . 2008-07-13 15:02 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 23:41 --------- d-----w C:\Program Files\Audible
2008-07-18 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 13:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-17 14:06 --------- d-----w C:\Documents and Settings\Franck.COMPUTER1\Application Data\Skype
2008-07-17 13:04 --------- d-----w C:\Program Files\Diegos Rescue Adventure
2008-07-17 07:50 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-17 05:04 --------- d-----w C:\Program Files\Java
2008-06-29 03:55 --------- d-----w C:\Program Files\Bonjour
2008-06-22 21:36 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-06-22 21:36 --------- d-----w C:\Program Files\Adobe Media Player
2008-06-22 05:30 --------- d-----w C:\Program Files\Viewpoint
2008-06-22 05:30 --------- d-----w C:\Program Files\Transaction Viewer
2008-06-22 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-22 03:32 --------- d-----w C:\Program Files\Dell Support Center
2008-06-22 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-06-22 03:25 --------- d-----w C:\Program Files\Handbrake
2008-06-22 03:24 --------- d-----w C:\Program Files\DivX
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 06:20 --------- d-----w C:\Program Files\QuickTime
2008-06-15 06:17 --------- d-----w C:\Program Files\Apple Software Update
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-09-23 05:08 74,992 -c--a-w C:\Documents and Settings\Tania\Application Data\GDIPFONTCACHEV1.DAT
2006-08-17 07:00 74,992 ----a-w C:\Documents and Settings\Franck.COMPUTER1\Application Data\GDIPFONTCACHEV1.DAT
2005-07-15 20:50 56 -csh--r C:\WINDOWS\SYSTEM32\BFE2B44BC3.sys
2006-07-26 16:24 1,682 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-07-30_21.04.40.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-31 02:29:44 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-08-03 20:38:37 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-07-31 02:29:44 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-08-03 20:38:37 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-07-31 02:29:44 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-08-03 20:38:37 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2008-07-31 03:33:12 223,928 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2008-08-03 21:14:15 223,922 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2008-08-03 21:14:16 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_200.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"Adpm"="C:\DOCUME~1\FRANCK~1.COM\APPLIC~1\SSEMBL~1\ati2evxx.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 17:11 177152 C:\WINDOWS\SYSTEM32\mqrt.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Audible Download Manager.lnk - C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe [2007-11-16 15:40:16 1754456]
billeo.lnk - C:\Program Files\Billeo\billeo.exe [2007-09-13 07:23:46 1144072]
CheckIt 86.lnk - C:\Program Files\CheckIt\86\CheckIt86.exe [2003-12-18 22:44:22 339968]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-11-11 02:22:45 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jKAtTMET]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^Franck.COMPUTER1^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Franck.COMPUTER1\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
"BuildBU"=c:\dell\bldbubg.exe
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1567:UDP"= 1567:UDP:Windows Media Format SDK (iexplore.exe)
"1566:UDP"= 1566:UDP:Windows Media Format SDK (iexplore.exe)
"1587:UDP"= 1587:UDP:Windows Media Format SDK (iexplore.exe)
"1586:UDP"= 1586:UDP:Windows Media Format SDK (iexplore.exe)
"1602:UDP"= 1602:UDP:Windows Media Format SDK (iexplore.exe)
"1603:UDP"= 1603:UDP:Windows Media Format SDK (iexplore.exe)
"1627:UDP"= 1627:UDP:Windows Media Format SDK (iexplore.exe)
"1626:UDP"= 1626:UDP:Windows Media Format SDK (iexplore.exe)
"1666:UDP"= 1666:UDP:Windows Media Format SDK (iexplore.exe)
"1667:UDP"= 1667:UDP:Windows Media Format SDK (iexplore.exe)
"1700:UDP"= 1700:UDP:Windows Media Format SDK (iexplore.exe)
"1701:UDP"= 1701:UDP:Windows Media Format SDK (iexplore.exe)
"1721:UDP"= 1721:UDP:Windows Media Format SDK (iexplore.exe)
"1720:UDP"= 1720:UDP:Windows Media Format SDK (iexplore.exe)
"1734:UDP"= 1734:UDP:Windows Media Format SDK (iexplore.exe)
"1735:UDP"= 1735:UDP:Windows Media Format SDK (iexplore.exe)
"1832:UDP"= 1832:UDP:Windows Media Format SDK (iexplore.exe)
"1833:UDP"= 1833:UDP:Windows Media Format SDK (iexplore.exe)
"1921:UDP"= 1921:UDP:Windows Media Format SDK (iexplore.exe)
"1920:UDP"= 1920:UDP:Windows Media Format SDK (iexplore.exe)

R2 Maxtor Sync Service;Maxtor Service;C:\Program Files\Maxtor\Sync\SyncServices.exe [2007-09-28 12:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S1 mutohpenn;mutohpenn;C:\WINDOWS\system32\drivers\mutohpenn.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-06-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3e3494c6-316e-be82-317c-87997d9478d6} - (no file)
BHO-{440d021a-0710-ca64-0cfa-d4000546110e} - (no file)
BHO-{6241B42E-BAA2-409E-85DB-7016D0E7A9E8} - (no file)
BHO-{7E2FDF40-FDB2-4291-9A8C-7F8000CFB7BB} - (no file)
BHO-{817ed65f-a652-44e4-9b4d-2de37fde414e} - (no file)
BHO-{AB863861-41E6-4129-8F44-E7BFFE5C4077} - (no file)
BHO-{be8ba3dd-bd6d-449e-b22d-35b192cee387} - (no file)
BHO-{CF176F46-8271-401B-A070-C695DA07B8D2} - (no file)
BHO-{E7CF5199-48C4-43DE-AA0A-D387367C54C5} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 14:15:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\locator.exe
C:\WINDOWS\SYSTEM32\snmp.exe
C:\WINDOWS\SYSTEM32\mqsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\SYSTEM32\mqtgsvc.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-03 14:20:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-03 21:20:34
ComboFix2.txt 2008-07-31 04:10:08
ComboFix3.txt 2008-07-27 01:22:54
ComboFix4.txt 2007-07-19 05:26:50

Pre-Run: 77,957,271,552 bytes free
Post-Run: 77,948,534,784 bytes free

220 --- E O F --- 2008-07-27 15:28:26


mbam-log-date log

Malwarebytes' Anti-Malware 1.24
Database version: 1020
Windows 5.1.2600 Service Pack 3

16:30:41 2008-08-03
mbam-log-8-3-2008 (16-30-41).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 192058
Time elapsed: 1 hour(s), 44 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mtynrycr.dll.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mhnqrozcaqfjdhoow.dll.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mysidesearch_sidebar_uninstall.exe.vir (Adware.BHO) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qcehobww.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rhscrf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\victccfa.dll.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xaiovgamqkz.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP322\A0065192.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP322\A0065619.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP322\A0065697.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP322\A0066677.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP322\A0066691.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP322\A0068785.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP322\A0068786.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP322\A0068787.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP322\A0068853.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP325\A0070377.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0076242.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0076243.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0076244.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0076245.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0076255.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0076257.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0076260.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0076261.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0078401.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0078417.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0078429.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\A0078442.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP337\A0080105.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Maxtor backup\COMPUTER1\C\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mhnqrozcaqfjdhoow.dll.vir (Adware.Agent) -> Quarantined and deleted successfully.
F:\Maxtor backup\COMPUTER1\C\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mtynrycr.dll.vir (Rogue.Installer) -> Quarantined and deleted successfully.
F:\Maxtor backup\COMPUTER1\C\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mysidesearch_sidebar_uninstall.exe.vir (Adware.BHO) -> Quarantined and deleted successfully.
F:\Maxtor backup\COMPUTER1\C\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qcehobww.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\Maxtor backup\COMPUTER1\C\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rhscrf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\Maxtor backup\COMPUTER1\C\QooBox\Quarantine\C\WINDOWS\SYSTEM32\victccfa.dll.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tania\Desktop\Install WinAntiVirus Pro 2007 .lnk (Rogue.Link) -> Quarantined and deleted successfully.


Latest HijackThis log (this was after fixing the 4 files you listed in your instructions):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:40, on 2008-08-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Franck.COMPUTER1\My Documents\HJT\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {3e3494c6-316e-be82-317c-87997d9478d6} - (no file)
O2 - BHO: (no name) - {440d021a-0710-ca64-0cfa-d4000546110e} - (no file)
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: (no name) - {6241B42E-BAA2-409E-85DB-7016D0E7A9E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E2FDF40-FDB2-4291-9A8C-7F8000CFB7BB} - (no file)
O2 - BHO: (no name) - {817ed65f-a652-44e4-9b4d-2de37fde414e} - (no file)
O2 - BHO: (no name) - {82336A8D-6CD0-4647-B791-75FCA8CF2B39} - (no file)
O2 - BHO: (no name) - {AB863861-41E6-4129-8F44-E7BFFE5C4077} - (no file)
O2 - BHO: (no name) - {be8ba3dd-bd6d-449e-b22d-35b192cee387} - (no file)
O2 - BHO: (no name) - {CF176F46-8271-401B-A070-C695DA07B8D2} - (no file)
O2 - BHO: (no name) - {E7CF5199-48C4-43DE-AA0A-D387367C54C5} - (no file)
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} (Mindjet MindManager Viewer Control) - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6587211781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4856694843
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/ko ... nt/kdx.cab
O20 - Winlogon Notify: jKAtTMET - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8182 bytes


Thanks for your help.

fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby turtledove » August 4th, 2008, 3:34 am

Hello fwkjoe123,
Thanks for the logs. Good work. You're welcome. :)

Please disable Spybot's TeaTimer and Kaspersky as stated in previous directions.

Run CFScript and Combofix

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:
Please Copy ALL inside the code box
    Killall::
    Folder::
    C:\WINDOWS\jKAtTMET
    C:\WINDOWS\system32\drivers\mutohpenn.sys
    Driver::
    mutohpenn
    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.


Post
The newest Combofix.txt
A New HijackThis log

Thank you
Turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
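As an added triage example (not code from this thread, nor from the ComboFix or HijackThis tools), the script below parses lines in the two log formats posted above and flags the kinds of entries the helper's CFScript targets: O2/O3 entries marked "(no file)", a Winlogon Notify entry whose value names no DLL, and a ComboFix driver line whose trailing timestamp bracket is empty. The sample lines are constructed, abbreviated copies of the posted logs; the line-format regexes are assumptions based on those logs, not a published grammar.

```python
"""Triage helper for HijackThis and ComboFix log lines as posted in this thread."""
import re
from dataclasses import dataclass

# Constructed sample input: a few lines in the format of the HijackThis log above.
HJT_SAMPLE = """\
O2 - BHO: (no name) - {3e3494c6-316e-be82-317c-87997d9478d6} - (no file)
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\\Program Files\\Billeo\\billeo.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: jKAtTMET - C:\\WINDOWS\\
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# Constructed sample input in the format of ComboFix's driver/service lines.
COMBOFIX_SAMPLE = """\
R2 Maxtor Sync Service;Maxtor Service;C:\\Program Files\\Maxtor\\Sync\\SyncServices.exe [2007-09-28 12:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\\WINDOWS\\system32\\DRIVERS\\klim5.sys [2007-04-04 14:58]
S1 mutohpenn;mutohpenn;C:\\WINDOWS\\system32\\drivers\\mutohpenn.sys []
"""


@dataclass(frozen=True)
class Finding:
    source: str   # "HJT" or "ComboFix"
    kind: str     # "O2", "O3", "O20" or "driver"
    name: str     # CLSID, Winlogon Notify subkey or driver name
    detail: str   # why the line deserves a second look


# Regexes are assumptions derived from the log lines posted in the thread.
_BHO_RE = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
_DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$")


def hjt_findings(log_text):
    """Flag orphaned O2/O3 entries and Winlogon Notify entries that name no DLL."""
    findings = []
    for line in log_text.splitlines():
        m = _BHO_RE.match(line)
        if m:
            kind, _name, clsid, target = m.groups()
            if target.strip() == "(no file)":
                findings.append(Finding("HJT", kind, clsid, "registered but the file is missing (orphan)"))
            continue
        m = _NOTIFY_RE.match(line)
        if m:
            subkey, path = m.groups()
            # A Winlogon Notify package must point at a DLL; a bare directory cannot be loaded.
            if path.endswith("\\") or not path.lower().endswith(".dll"):
                findings.append(Finding("HJT", "O20", subkey, f"notify package without a DLL file name: {path!r}"))
    return findings


def combofix_driver_findings(log_text):
    """Flag driver/service lines whose trailing [timestamp] is empty, i.e. no file on disk."""
    findings = []
    for line in log_text.splitlines():
        m = _DRIVER_RE.match(line)
        if not m:
            continue
        _state, name, _display, path, stamp = m.groups()
        if stamp.strip() == "":
            findings.append(Finding("ComboFix", "driver", name, f"service points at {path} but the file is absent"))
    return findings


if __name__ == "__main__":
    for f in hjt_findings(HJT_SAMPLE) + combofix_driver_findings(COMBOFIX_SAMPLE):
        print(f"[{f.source}] {f.kind} {f.name}: {f.detail}")
```

On the sample above it reports the two orphaned CLSIDs, the jKAtTMET notify entry and the mutohpenn driver, which are exactly the items the posted CFScript removes.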

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby fwkjoe123 » August 5th, 2008, 12:53 am

Hi TD,

Please find enclosed the latest logs.

ComboFix log

ComboFix 08-07-29.1 - Franck 2008-08-04 21:34:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.295 [GMT -7:00]
Running from: C:\Documents and Settings\Franck.COMPUTER1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Franck.COMPUTER1\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MUTOHPENN
-------\Service_mutohpenn


((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-03 14:41 . 2008-08-03 14:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 14:41 . 2008-08-03 14:41 <DIR> d-------- C:\Documents and Settings\Franck.COMPUTER1\Application Data\Malwarebytes
2008-08-03 14:41 . 2008-08-03 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-03 14:41 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-03 14:41 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-27 13:18 . 2008-07-27 13:18 <DIR> d-------- C:\Program Files\Maxtor
2008-07-27 13:18 . 2008-07-27 13:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2008-07-27 13:16 . 2008-07-27 13:16 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-27 08:33 . 2008-05-09 03:53 512,000 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2008-07-27 08:33 . 2008-05-09 03:53 430,080 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
2008-07-27 08:33 . 2008-05-09 03:53 180,224 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\scrobj.dll
2008-07-27 08:33 . 2008-05-09 03:53 172,032 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\scrrun.dll
2008-07-27 08:33 . 2008-05-08 04:24 155,648 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wscript.exe
2008-07-27 08:33 . 2008-05-09 01:45 135,168 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cscript.exe
2008-07-27 08:33 . 2008-05-09 03:53 90,112 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wshext.dll
2008-07-23 22:33 . 2008-07-23 22:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-23 22:07 . 2008-07-23 22:07 <DIR> d-------- C:\SDFix
2008-07-20 16:40 . 2001-08-17 22:43 24,576 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-07-17 06:56 . 2008-07-17 06:57 <DIR> d-------- C:\Program Files\iTunes
2008-07-17 06:56 . 2008-07-17 06:56 <DIR> d-------- C:\Program Files\iPod
2008-07-17 06:52 . 2008-07-17 06:52 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-07-17 00:16 . 2008-07-24 21:36 96,559 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2008-07-17 00:16 . 2008-07-24 21:36 87,855 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2008-07-17 00:13 . 2008-07-17 00:13 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-17 00:13 . 2008-08-04 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-17 00:12 . 2008-08-04 21:40 7,314,976 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-07-17 00:12 . 2008-08-04 21:40 305,952 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-07-17 00:12 . 2008-08-04 21:38 102,128 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-07-17 00:12 . 2008-08-04 21:38 31,748 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-07-17 00:02 . 2008-07-17 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-16 22:05 . 2008-07-16 22:05 <DIR> d-------- C:\Program Files\Sun
2008-07-16 22:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-16 21:42 . 2003-11-11 02:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-07-16 21:42 . 2008-07-16 21:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-13 20:22 . 2008-07-13 20:22 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-13 20:16 . 2008-07-16 21:46 2,170 --a------ C:\WINDOWS\imsins.BAK
2008-07-13 20:05 . 2008-04-13 17:12 69,120 --a------ C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-07-13 20:05 . 2008-04-13 17:12 50,688 --a------ C:\WINDOWS\SYSTEM32\tspkg.dll
2008-07-13 20:03 . 2008-04-13 17:11 650,752 --a------ C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-07-13 15:02 . 2008-07-13 15:02 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 23:41 --------- d-----w C:\Program Files\Audible
2008-07-18 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 13:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-17 14:06 --------- d-----w C:\Documents and Settings\Franck.COMPUTER1\Application Data\Skype
2008-07-17 13:04 --------- d-----w C:\Program Files\Diegos Rescue Adventure
2008-07-17 07:50 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-17 05:04 --------- d-----w C:\Program Files\Java
2008-06-29 03:55 --------- d-----w C:\Program Files\Bonjour
2008-06-22 21:36 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-06-22 21:36 --------- d-----w C:\Program Files\Adobe Media Player
2008-06-22 05:30 --------- d-----w C:\Program Files\Viewpoint
2008-06-22 05:30 --------- d-----w C:\Program Files\Transaction Viewer
2008-06-22 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-22 03:32 --------- d-----w C:\Program Files\Dell Support Center
2008-06-22 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-06-22 03:25 --------- d-----w C:\Program Files\Handbrake
2008-06-22 03:24 --------- d-----w C:\Program Files\DivX
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 06:20 --------- d-----w C:\Program Files\QuickTime
2008-06-15 06:17 --------- d-----w C:\Program Files\Apple Software Update
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-09-23 05:08 74,992 -c--a-w C:\Documents and Settings\Tania\Application Data\GDIPFONTCACHEV1.DAT
2006-08-17 07:00 74,992 ----a-w C:\Documents and Settings\Franck.COMPUTER1\Application Data\GDIPFONTCACHEV1.DAT
2005-07-15 20:50 56 -csh--r C:\WINDOWS\SYSTEM32\BFE2B44BC3.sys
2006-07-26 16:24 1,682 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-07-30_21.04.40.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-31 02:29:44 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-08-05 04:27:06 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-07-31 02:29:44 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-08-05 04:27:06 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-07-31 02:29:44 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-08-05 04:27:06 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2008-07-31 03:33:12 223,928 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2008-08-05 04:39:01 223,922 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2008-08-05 04:39:02 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_234.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 17:11 177152 C:\WINDOWS\SYSTEM32\mqrt.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Audible Download Manager.lnk - C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe [2007-11-16 15:40:16 1754456]
billeo.lnk - C:\Program Files\Billeo\billeo.exe [2007-09-13 07:23:46 1144072]
CheckIt 86.lnk - C:\Program Files\CheckIt\86\CheckIt86.exe [2003-12-18 22:44:22 339968]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-11-11 02:22:45 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jKAtTMET]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^Franck.COMPUTER1^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Franck.COMPUTER1\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
"BuildBU"=c:\dell\bldbubg.exe
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1567:UDP"= 1567:UDP:Windows Media Format SDK (iexplore.exe)
"1566:UDP"= 1566:UDP:Windows Media Format SDK (iexplore.exe)
"1587:UDP"= 1587:UDP:Windows Media Format SDK (iexplore.exe)
"1586:UDP"= 1586:UDP:Windows Media Format SDK (iexplore.exe)
"1602:UDP"= 1602:UDP:Windows Media Format SDK (iexplore.exe)
"1603:UDP"= 1603:UDP:Windows Media Format SDK (iexplore.exe)
"1627:UDP"= 1627:UDP:Windows Media Format SDK (iexplore.exe)
"1626:UDP"= 1626:UDP:Windows Media Format SDK (iexplore.exe)
"1666:UDP"= 1666:UDP:Windows Media Format SDK (iexplore.exe)
"1667:UDP"= 1667:UDP:Windows Media Format SDK (iexplore.exe)
"1700:UDP"= 1700:UDP:Windows Media Format SDK (iexplore.exe)
"1701:UDP"= 1701:UDP:Windows Media Format SDK (iexplore.exe)
"1721:UDP"= 1721:UDP:Windows Media Format SDK (iexplore.exe)
"1720:UDP"= 1720:UDP:Windows Media Format SDK (iexplore.exe)
"1734:UDP"= 1734:UDP:Windows Media Format SDK (iexplore.exe)
"1735:UDP"= 1735:UDP:Windows Media Format SDK (iexplore.exe)
"1832:UDP"= 1832:UDP:Windows Media Format SDK (iexplore.exe)
"1833:UDP"= 1833:UDP:Windows Media Format SDK (iexplore.exe)
"1921:UDP"= 1921:UDP:Windows Media Format SDK (iexplore.exe)
"1920:UDP"= 1920:UDP:Windows Media Format SDK (iexplore.exe)

R2 Maxtor Sync Service;Maxtor Service;C:\Program Files\Maxtor\Sync\SyncServices.exe [2007-09-28 12:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
.
Contents of the 'Scheduled Tasks' folder

2008-06-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3e3494c6-316e-be82-317c-87997d9478d6} - (no file)
BHO-{440d021a-0710-ca64-0cfa-d4000546110e} - (no file)
BHO-{6241B42E-BAA2-409E-85DB-7016D0E7A9E8} - (no file)
BHO-{7E2FDF40-FDB2-4291-9A8C-7F8000CFB7BB} - (no file)
BHO-{817ed65f-a652-44e4-9b4d-2de37fde414e} - (no file)
BHO-{AB863861-41E6-4129-8F44-E7BFFE5C4077} - (no file)
BHO-{be8ba3dd-bd6d-449e-b22d-35b192cee387} - (no file)
BHO-{CF176F46-8271-401B-A070-C695DA07B8D2} - (no file)
BHO-{E7CF5199-48C4-43DE-AA0A-D387367C54C5} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 21:40:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\locator.exe
C:\WINDOWS\SYSTEM32\snmp.exe
C:\WINDOWS\SYSTEM32\mqsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\SYSTEM32\mqtgsvc.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-04 21:45:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 04:45:05
ComboFix2.txt 2008-08-03 21:20:48
ComboFix3.txt 2008-07-31 04:10:08
ComboFix4.txt 2008-07-27 01:22:54
ComboFix5.txt 2008-08-05 04:33:11

Pre-Run: 77,906,837,504 bytes free
Post-Run: 77,896,151,040 bytes free

227 --- E O F --- 2008-07-27 15:28:26


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:48, on 2008-08-04
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Franck.COMPUTER1\My Documents\HJT\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} (Mindjet MindManager Viewer Control) - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6587211781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4856694843
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/ko ... nt/kdx.cab
O20 - Winlogon Notify: jKAtTMET - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7249 bytes


I'll await further instructions.

fwkjoe123
fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby turtledove » August 5th, 2008, 11:38 am

Hello fwkjoe123,
Thank you for the logs. Your logs look clean now. Great job. :)
Now some housecleaning and updates.
Please copy/print out instructions.


-----
Remove Lines in HijackThis
Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).
IF Not Present, do not worry.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank (unless YOU Have set it)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: jKAtTMET - C:\WINDOWS\


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.



-----
UNINSTALL COMBOFIX

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U; it needs to be there.
  • Image
You can also delete any logs we have produced, and empty your Recycle bin.



------
Please download OTCleanIt and save it to your desktop.

Double click on OTCleanIt.exe. Click on CleanUp!.

You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.

It will restart your computer automatically. If it doesn't, please restart your computer manually.


-----
Update Adobe Reader
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe is a large program, and if you prefer a smaller program you can get Foxit 2.2 instead from http://www.foxitsoftware.com/pdf/rd_intro.php


-----
Create a new System Restore Point
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.



Once done, I'll give you some further information to staying clean.
-----
Post
New HijackThis log
How your computer is running now

Thank you
Turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
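A small triage script for HijackThis v2 log lines, added here as an example (it is not part of the thread and not a HijackThis feature). It applies the same rules turtledove used above: an entry ending in (no file) is an orphan, a Winlogon Notify entry whose target is a bare directory rather than a DLL is a persistence point, and a blank IE start page is reset unless the user chose it. The sample lines are constructed in the shape of the log posted in this thread; looks_random is an assumed heuristic for machine-generated names like jKAtTMET.

```python
"""Triage HijackThis v2 log lines (added example, not code from the thread)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    severity: str  # "high", "orphan" or "review"
    reason: str
    line: str


# Constructed sample in the same shape as the log posted in this thread.
SAMPLE_LOG = "\n".join([
    "Logfile of Trend Micro HijackThis v2.0.2",
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank",
    "O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\\Program Files\\Billeo\\billeo.dll",
    "O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)",
    "O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install",
    "O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -",
    "O20 - Winlogon Notify: jKAtTMET - C:\\WINDOWS\\",
    "O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe",
])

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt_line(line: str):
    """Split 'O20 - Winlogon Notify: ...' into ('O20', 'Winlogon Notify: ...'); None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("sec"), m.group("body")


def looks_random(name: str) -> bool:
    """Assumed heuristic: mostly-uppercase names with several case switches (jKAtTMET-style).

    Legitimate notify subkeys such as ScCertProp or WgaLogon are not flagged.
    """
    if len(name) < 6 or not name.isalpha():
        return False
    upper = sum(c.isupper() for c in name)
    switches = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return switches >= 3 and upper * 2 >= len(name) and upper < len(name)


def triage(log_text: str):
    """Return the entries a helper would ask the user to fix or double-check."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_hjt_line(raw)
        if parsed is None:
            continue  # header, process list, blank line
        sec, body = parsed
        if body.endswith("(no file)"):
            # Registry still points at a file that is gone: safe to remove.
            findings.append(Finding(sec, "orphan", "references a file that no longer exists", raw))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name, _, target = body[len("Winlogon Notify:"):].partition(" - ")
            name, target = name.strip(), target.strip()
            if target.endswith("\\") or not target.lower().endswith(".dll"):
                # A notify package must be a DLL; a bare directory means a hidden/removed loader.
                findings.append(Finding(sec, "high", "Winlogon Notify target is not a DLL path", raw))
            elif looks_random(name):
                findings.append(Finding(sec, "review", "Winlogon Notify subkey name looks machine-generated", raw))
        elif sec in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
            findings.append(Finding(sec, "review", "IE page is blank; reset unless the user chose it", raw))
        elif sec == "O16" and not re.search(r"https?://", body):
            findings.append(Finding(sec, "review", "DPF entry has no download URL", raw))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(sec, "review", "service has no vendor string; verify the binary", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```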

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby fwkjoe123 » August 5th, 2008, 11:30 pm

Hi TD,

Thanks for the help. Followed instructions. Here is the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:27, on 2008-08-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Franck.COMPUTER1\My Documents\HJT\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} (Mindjet MindManager Viewer Control) - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6587211781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4856694843
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/ko ... nt/kdx.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7314 bytes
fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby fwkjoe123 » August 5th, 2008, 11:31 pm

Hello TD,

Forgot to give feedback on the computer. Running great.
fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby turtledove » August 6th, 2008, 11:50 am

Hello fwkjoe123, great job :)
Your system is now clean.
The following is information to help minimize problems in the future.
***Please Copy/Print for reference when you need new Anti Virus/Firewall/Anti spyware.



**Please post back that you've read this and are clear to close this topic; or if there are any remaining issues.**



Before Surfing Be Sure that XP IS fully up to date
Visit Microsoft's Windows Update Site Frequently - This is important
XP Updates

*How on earth did I get infected in the first place?
Read Here

You can help the fight, report it at Malware Complaints
Stand Up and be Counted!

Some of your legitimate programs will leave .tmp files as they run. Clean these out regularly. Before running a scan is a good time.

Use the following and KEEP UPDATED
A Realtime monitor : (Replaces Spybot)
Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.



Check for updates at least WEEKLY
Antivirus: *Use only one*
AntiVir
AVAST! Anti-Virus

Needed Firewall: Monitors traffic IN and OUT Bound. Very Important. *Use only one*
Online Armor
Comodo Personal Firewall

Java Updates: *Always remove old Java Before installing New Version*
Java Update


Test open Ports:
ShieldsUP! (follow the links to ShieldsUP!)

Other Protection:
IE-Spyad
SpywareBlaster


Also use online scanners as well, as some spyware/viruses can disable your software. Check out these:

ActiveScan by Panda
Kaspersky Online Scanner

**Keep IE Secure:
Make your Internet Explorer more secure
You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this site. http://surfthenetsafely.com/ieseczone8.htm

Last of all: Very Important: Keep All AntiVirus, Antispyware and Firewall UPDATED WEEKLY.

Thank You
Safe and Happy Surfing :)

Turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby fwkjoe123 » August 7th, 2008, 1:28 am

Dear TD,

Thank you Thank You Thank You. :D

Your help has been invaluable to me, I never thought it would take this long to rid myself of that junk. :blackeye:

With your help, it got done somehow. :cheers: I learned a lot about the process, and I also learned a lot about the concept of malware. I now know to always keep my guard up when online. Better safe than sorry.

By the way, your signature tag line is right on target. Indeed, it did get better.

Thanks once more and so long.

fwkjoe123
fwkjoe123
Active Member
 
Posts: 12
Joined: July 20th, 2008, 5:24 pm

Re: Automatic update cannot be restarted - Virtumonde trojan

Unread postby Shaba » August 7th, 2008, 7:58 am

fwkjoe123 this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland