Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Old 07-09-2008, 03:50 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 25
OS: xp prof


Please help ! Trend Micro Chip Away Virus !

Hi guys, this is my 1st time posting on any tech support site, so I really hope I can get some help!
I left my computer running last night, with a torrent program running, and when I checked the computer this morning,
there was a red screen showing, with a smiley face going back and forth (Pac-Man like) on the bottom, with a message at the top saying something along the lines of "Trend ChipAway Virus has detected a bootable virus", and it referenced Trend Micro at the bottom, and then it asked me if I wanted to boot, or get more information or something. I reset the computer without doing anything else, but got the same screen back again (it looks like the computer loaded for a little bit (i.e. I might be able to get into safe mode??) maybe??), then the same red screen came back.
I'm running CA Antivirus, AntiSpyware, and the CA Firewall, while periodically using Spyware Doctor to keep spyware away, so this is the 1st real issue I've encountered for a while, and I'm really worried that this is some type of virus that will wipe my hard drive...
Please help! I know this could be too far gone, but I've had this computer for years and years, and there is a lot of stuff on here I don't want to lose! Please, please help!
Many thanks !
Paul
Paulos2 is offline  
Old 07-13-2008, 03:57 PM   #2 (permalink)
Re: Please help! Trojan Mebroot - ASSISTANCE REQ'D - pls help me. 4x days infected now..

Guys, hope you can help.
Have discovered my Chip-A-Way virus alert was just that, an alert for a possible boot sector virus. I have located Trojan Mebroot. I finally managed to remove it using Spyware Doctor last night, but I still have an infected O2 + O20 set of HijackThis entries that I just cannot remove.
(Whilst infected with Mebroot, I also got infected with Trojan Virtumonde, which I have deleted as well. This may be the cause of the O2 + O20 entries now, and Internet Explorer not working.)
Re: Internet Explorer, how can I get this to work again?
I have tried to use Pocket Kill Switch, and even tried to delete on reboot; this doesn't work, nor does using HijackThis to remove the O2 + O20 infections.
As a result, I still get the Chip-A-Way alert (red screen), and now the internet does not work at all (page does not load).
Please, please help. I'm really lost, and I just need someone to point me in the right direction with this. A lot of people have checked this post, but nobody has offered any help to me. I'm really desperate and hope somebody can help me...
CA Antivirus/Antispyware does not work; Ad-Aware, Malwarebytes or Spybot don't either... Please help, I'm really getting desperate..
Paul
Paulos2 is offline  
Old 07-14-2008, 05:09 AM   #3 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 2,655
OS: XP


Re: Please help ! Trend Micro Chip Away Virus !

Hello and welcome to TSF

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

=======
Logs Required
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt<----Attached
TheBruce1 is offline  
Old 07-14-2008, 04:02 PM   #4 (permalink)
Re: Please help ! Trend Micro Chip Away Virus !

Hello, thank you so much for helping me (I was beginning to lose all hope!). I will d/l the DS scanner and provide you with all required items tonight (at work now).
What I do have with me now is a copy of my HijackThis logfile, which might help in the meantime?
(Update to previous post)
I ran the Malwarebytes scanner and found 6x infections of the Vundo trojan, which I removed. Same problem as before is my boot sector (rootkit) appears to be infected still, probably from the Mebroot infection to start with.
This file appears to be the main problem, and I just cannot delete the wretched thing:
C:\WINDOWS\system32\hgGXRLfG.dll

Same for the corresponding Winlogon file:
O20 - Winlogon Notify: hgGXRLfG - C:\WINDOWS\SYSTEM32\hgGXRLfG.dll
O20 - Winlogon Notify: khfEXrQK - C:\WINDOWS\

Anyway, here is the HJT report, and I will post all requirements to your previous email tonight.
(Thank you so much for this help, I greatly appreciate it, and without you or your website, I would be truly lost.)
:)
This is my HijackThis post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 905 PM, on 14/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Vet Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Spyware Doctor\pctsAuxs.exe
C:\Spyware Doctor\pctsSvc.exe
C:\Spyware Doctor\pctsTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Vet Antivirus\VetMsg.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\essspk.exe
C:\Vet Antivirus\CAVRID.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PestPatrol\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PestPatrol\PPCtlPriv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\WINDOWS\system32\hgGXRLfG.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ISTray] "C:\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1208680705563
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/w...omanagerwt.cab
O20 - Winlogon Notify: hgGXRLfG - C:\WINDOWS\SYSTEM32\hgGXRLfG.dll
O20 - Winlogon Notify: khfEXrQK - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Vet Antivirus\ISafe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\PestPatrol\PPCtlPriv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Vet Antivirus\VetMsg.exe

--
End of file - 9458 bytes
Paulos2 is offline  
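An added example, not code from this thread or from HijackThis or DSS: a small Python triage pass over the O2, O4 and O20 lines of a HijackThis log in the shape posted above. It flags the patterns an analyst looks for in this thread: a BHO with no name, a Winlogon Notify entry whose DLL has an eight-letter mixed-case name like hgGXRLfG, an O20 entry pointing at a directory or a missing file, and an autorun given as a bare filename. The random-name heuristic and the severity labels are my own assumptions, and the sample log is constructed from entries in the thread plus a few benign ones.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries in the shape of the HijackThis log posted in
# this thread (the hgGXRLfG / khfEXrQK lines are copied from it), plus a few
# benign entries so the heuristics have something to leave alone.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\SPYBOT~1\\SDHelper.dll",
    "O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\\WINDOWS\\system32\\hgGXRLfG.dll",
    "O4 - HKLM\\..\\Run: [EssSpkPhone] essspk.exe",
    "O4 - HKLM\\..\\Run: [iTunesHelper] \"C:\\iTunes\\iTunesHelper.exe\"",
    "O20 - Winlogon Notify: hgGXRLfG - C:\\WINDOWS\\SYSTEM32\\hgGXRLfG.dll",
    "O20 - Winlogon Notify: khfEXrQK - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: hgGXRLfG - hgGXRLfG.dll (file missing)",
    "O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\\Vet Antivirus\\VetMsg.exe",
])


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    severity: str  # "suspicious" or "review" (assumed labels, not HJT's own)
    reason: str
    line: str


# "O2 - BHO: ..." / "O20 - Winlogon Notify: ..." / "R0 - ..." and so on.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# A rooted Windows path: drive letter, colon, backslash.
ROOTED_RE = re.compile(r"^[A-Za-z]:\\")


def case_transitions(s: str) -> int:
    """Count adjacent letter pairs whose case differs (hgGXRLfG -> 3)."""
    return sum(1 for a, b in zip(s, s[1:])
               if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())


def looks_random(stem: str) -> bool:
    """Assumed heuristic for the Vundo-style names seen in this thread:
    exactly eight letters with at least three upper/lower case flips.
    Ordinary names such as SDHelper (one flip) do not match."""
    return len(stem) == 8 and stem.isalpha() and case_transitions(stem) >= 3


def triage_line(line: str) -> list:
    """Return the findings for one HijackThis log line (possibly none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    found = []
    if sec == "O2" and "(no name)" in body:
        found.append(Finding(sec, "suspicious", "BHO with no name", line))
    elif sec == "O20" and body.startswith("Winlogon Notify:"):
        # "Winlogon Notify: <key> - <dll path>"; split only on the first colon
        # so the drive letter's colon inside the path is left alone.
        rest = body.split(":", 1)[1].strip()
        key, _, target = rest.partition(" - ")
        if looks_random(key):
            found.append(Finding(sec, "suspicious",
                                 "Winlogon Notify DLL with random-looking name", line))
        if "(file missing)" in target:
            found.append(Finding(sec, "review",
                                 "orphaned Winlogon Notify entry (file missing)", line))
        elif target.endswith("\\"):
            found.append(Finding(sec, "suspicious",
                                 "Winlogon Notify entry names a directory, not a DLL", line))
    elif sec == "O4":
        # "[Name] command"; an autorun given as a bare file name is resolved via
        # the search path at logon, so it is worth confirming which file runs.
        cmd = body.split("] ", 1)[1].strip().strip('"') if "] " in body else ""
        if cmd and not ROOTED_RE.match(cmd):
            found.append(Finding(sec, "review",
                                 "autorun given as bare file name (no full path)", line))
    return found


def triage_log(text: str) -> list:
    """Run every line through triage_line and return all findings in order."""
    return [f for line in text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section:4} {f.reason}\n    {f.line}")
```

Entries this pass leaves alone are not declared clean; it only orders what a human analyst should look at first.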
Old 07-15-2008, 03:16 PM   #5 (permalink)
Re: Please help ! Trend Micro Chip Away Virus !

Hello, Deckard Scanner details follow.
Hope you can help. I ran VundoFix + VirtumondeBeGone, which appeared to remove most traces of the Vundo/Virtumonde trojan, BUT I still get the red screen each time I load up, saying I have a boot sector virus, via the ChipAway Virus detector...
IE still does not work at all, but I do have an Internet connection, and can update anti-virus programs etc...?? Very confused.

Here is the DS Scanner log. (I will attach the Extra file.)

Deckard's System Scanner v20071014.68
Run by Paul on 2008-07-16 00:13:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-07-15 14:14:21 UTC - RP632 - Deckard's System Scanner Restore Point
3: 2008-07-14 01:34:46 UTC - RP631 - System Checkpoint
2: 2008-07-13 00:22:33 UTC - RP630 - Installed Ad-Aware
1: 2008-07-13 00:08:18 UTC - RP629 - Spyware Doctor: Cleaning Threats


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 83% (more than 75%).


-- HijackThis (run as Paul.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:14 AM, on 16/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\essspk.exe
C:\Vet Antivirus\CAVRID.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\Vet Antivirus\ISafe.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Belkin\Bluetooth Software\BTTray.exe
C:\Spyware Doctor\pctsAuxs.exe
C:\Spyware Doctor\pctsSvc.exe
C:\PestPatrol\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Vet Antivirus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\PestPatrol\PPCtlPriv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\svchost.exe
F:\V Killers\Virus killers\New Folder\dss.exe
C:\DOCUME~1\Paul\Desktop\Paul.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ISTray] "C:\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1208680705563
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/w...omanagerwt.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Vet Antivirus\ISafe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\PestPatrol\PPCtlPriv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Vet Antivirus\VetMsg.exe

--
End of file - 8876 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Paul\Desktop\backups\) ----------------

backup-20080714-210647-223 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080714-210647-368 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20080714-210648-169 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080714-210743-886 O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\WINDOWS\system32\hgGXRLfG.dll
backup-20080714-213955-497 O20 - Winlogon Notify: hgGXRLfG - C:\WINDOWS\SYSTEM32\hgGXRLfG.dll
backup-20080714-213955-829 O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\WINDOWS\system32\hgGXRLfG.dll
backup-20080714-213958-514 O20 - Winlogon Notify: khfEXrQK - C:\WINDOWS\
backup-20080714-214102-564 O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\WINDOWS\system32\hgGXRLfG.dll
backup-20080714-214102-598 O20 - Winlogon Notify: hgGXRLfG - C:\WINDOWS\SYSTEM32\hgGXRLfG.dll
backup-20080714-230636-726 O20 - Winlogon Notify: hgGXRLfG - C:\WINDOWS\SYSTEM32\hgGXRLfG.dll
backup-20080714-230636-746 O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\WINDOWS\system32\hgGXRLfG.dll
backup-20080715-003529-244 O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\WINDOWS\system32\hgGXRLfG.dll
backup-20080715-003529-441 O20 - Winlogon Notify: hgGXRLfG - hgGXRLfG.dll (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sisidex - c:\windows\system32\drivers\sisidex.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 10>
R3 Edspport (EDSP Port Driver) - c:\windows\system32\drivers\es56hpi.sys <Not Verified; ESS Technology, Inc.; ES56H-PI Modem Card>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6500s-1
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6500s-1
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-07-16 00:00:00 262 --ah----- C:\WINDOWS\Tasks\B0FD2D2598F2A291.job
2008-07-14 12:31:20 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-16 and 2008-07-16 -----------------------------

2008-07-16 00:07:29 0 d-------- C:\WINDOWS\LastGood
2008-07-15 23:44:13 0 d-------- C:\Program Files\PC Integrity Scanner
2008-07-15 22:56:24 0 d-------- C:\VundoFix Backups
2008-07-14 22:56:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
2008-07-13 20:59:49 0 d-------- C:\Spyware Doctor
2008-07-13 20:59:49 0 d-------- C:\Documents and Settings\Paul\Application Data\PC Tools
2008-07-13 15:19:28 3456 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-13 10:22:41 0 d-------- C:\Program Files\Lavasoft
2008-07-13 10:22:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-13 10:14:35 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-13 10:00:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 22:05:04 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-10 22:03:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-10 22:02:51 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-10 22:02:50 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-10 22:02:50 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-10 22:00:11 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-10 22:00:11 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-10 22:00:11 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-10 22:00:11 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-10 22:00:11 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-10 22:00:11 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-10 22:00:11 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-10 22:00:10 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-06 21:01:40 0 d-a------ C:\Program Files\Trojan Remover
2008-07-06 20:58:31 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-06 20:58:31 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-06 20:58:31 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-07-06 20:58:31 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-07-06 20:58:31 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-07-06 20:58:28 0 d-------- C:\Trojan Remover
2008-07-06 20:58:28 0 d-------- C:\Documents and Settings\Paul\Application Data\Simply Super Software
2008-07-06 20:58:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-19 01:31:11 0 d-------- C:\Program Files\FastPictureViewer


-- Find3M Report ---------------------------------------------------------------

2008-07-16 00:11:13 0 d-------- C:\Program Files\Online Services
2008-07-16 00:07:52 0 d-------- C:\Program Files\Windows NT
2008-07-12 18:12:32 0 d-------- C:\Documents and Settings\Paul\Application Data\uTorrent
2008-06-19 10:10:18 0 d-------- C:\Documents and Settings\Paul\Application Data\Adobe
2008-06-15 14:34:47 106 --a------ C:\WINDOWS\wuasirvy.dll
2008-06-15 14:34:46 36 --a------ C:\WINDOWS\rasqervy.dll
2008-06-15 14:34:43 8 --a------ C:\WINDOWS\sdfinacs.dll
2008-06-15 14:34:36 5 --a------ C:\WINDOWS\sdfixwcs.dll
2008-05-26 22:58:35 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-26 22:58:34 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-26 22:58:32 0 d-------- C:\Program Files\Common Files
2008-05-26 22:55:11 0 d-------- C:\Program Files\PC Connectivity Solution
2008-05-26 22:53:13 0 d-------- C:\Program Files\Nokia
2008-04-30 15:33:57 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-20 18:20:28 71680 -----n--- C:\KillBox.exe <Not Verified; Option; Explicit Software vbtechcd@gmail.com>
2008-04-20 18:12:27 50688 -----n--- C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [11/10/2002 06:26 PM]
"EssSpkPhone"="essspk.exe" [31/05/2002 10:34 AM C:\WINDOWS\essspk.exe]
"CAVRID"="C:\Vet Antivirus\CAVRID.exe" [14/06/2008 05:52 PM]
"eTrust PestPatrol Active Protection"="C:\PestPatrol\PPActiveDetection.exe" []
"EPSON Stylus C45 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.exe" [14/01/2004 04:00 AM]
"Pop-Up Stopper"="" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 10:00 PM C:\WINDOWS\system32\bthprops.cpl]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50 AM]
"iTunesHelper"="C:\iTunes\iTunesHelper.exe" [15/11/2007 12:11 PM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [23/05/2008 06:08 AM]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [04/04/2008 03:46 PM]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [04/04/2008 03:46 PM]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [04/04/2008 03:46 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [14/11/2007 10:43 PM]
"TrojanScanner"="C:\Trojan Remover\Trjscan.exe" [03/06/2008 08:33 PM]
"ISTray"="C:\Spyware Doctor\pctsTray.exe" [10/04/2008 03:14 PM]
"CaPPcl"="C:\PestPatrol\CAAntiSpyware.exe" [11/05/2008 02:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00 PM]
"PcSync"="C:\Nokia\Nokia PC Suite 6\PcSync2.exe" []
"PowerBar"="" []
"SpybotSD TeaTimer"="C:\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 10:43 AM]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [16/04/2008 12:53 PM]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [26/03/2008 06:41 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Belkin\Bluetooth Software\BTTray.exe [17/07/2003 1:24:30 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUnNedc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
"C:\Program Files\Microsoft IntelliType Pro\itype.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d87f75a-e1a3-11dc-9fa5-000c6e48ee4a}]
AutoRun\command- G:\RavMon.exe
explore\Command- G:\RavMon.exe -e
open\Command- G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad02a6b6-3c35-11dd-8794-000c6e48ee4a}]
AutoRun\command- G:\RavMon.exe
explore\Command- G:\RavMon.exe -e
open\Command- G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7df9060-8234-11dc-9f69-000c6e48ee4a}]
AutoRun\command- G:\RavMon.exe
explore\Command- G:\RavMon.exe -e
open\Command- G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e81a1368-8546-11dc-9f6c-000c6e48ee4a}]
AutoRun\command- G:\RavMon.exe
explore\Command- G:\RavMon.exe -e
open\Command- G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9755797-8ff9-11dc-9f6e-000c6e48ee4a}]
AutoRun\command- G:\RavMon.exe
explore\Command- G:\RavMon.exe -e
open\Command- G:\RavMon.exe




-- End of Deckard's System Scanner: finished at 2008-07-16 00:24:35 ------------


Have attached the DC 'Extra' file now, and I also attached my log of VirtumondeBeGone, which may assist.
I have uTorrent installed, so I'm very sure this is how I became infected to start with, but really hope you can help; I'm totally lost and frustrated!

Thanks again,
Paul
Attached files: extra.txt (21.8 KB), VBG.TXT (3.9 KB)
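The Deckard log above already contains the entries an analyst reads first: a second module after msv1_0 in the LSA "Authentication Packages" value, AutoRun handlers under mountpoints2 pointing at G:\RavMon.exe, and a scheduled task with a random hex name. The Python below is an added example, not part of the thread and not the logic of Deckard's System Scanner, ComboFix or HijackThis: it parses the "[key]" / "name"=value text those tools print (both the DSS and ComboFix spellings of the mountpoints lines) and flags those entries. SAMPLE is constructed from lines posted in this thread; the rule names, the "msv1_0 only" baseline and the 12-hex-character threshold are my own assumptions.

```python
"""Flag persistence indicators in a Deckard/ComboFix-style registry dump.

Added example for this thread; not the logic of DSS, ComboFix or HijackThis.
SAMPLE is constructed from lines posted above; the rules are my assumptions.
"""
import re

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAVRID"="C:\Vet Antivirus\CAVRID.exe" [2008-06-14 17:52 234736]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUnNedc

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad02a6b6-3c35-11dd-8794-000c6e48ee4a}]
\Shell\AutoRun\command - G:\RavMon.exe
\Shell\explore\Command - G:\RavMon.exe -e
\Shell\open\Command - G:\RavMon.exe

2008-07-16 00:00:00 262 --ah----- C:\WINDOWS\Tasks\B0FD2D2598F2A291.job
2008-07-14 12:31:20 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
"""

VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
# DSS writes 'AutoRun\command- G:\x.exe', ComboFix '\Shell\AutoRun\command - G:\x.exe'
SHELL_RE = re.compile(r"^\\?(?:shell\\)?(\w+)\\command\s*-\s*(.+)$", re.IGNORECASE)
HEX_TASK_RE = re.compile(r"\\Tasks\\([0-9A-F]{12,})\.job", re.IGNORECASE)


def parse(dump):
    """Return {key: [(name, value), ...]} in order of appearance."""
    keys, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            current = line[1:].rstrip('"]')  # DSS sometimes closes a key with '"'
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line) or SHELL_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2).strip()))
    return keys


def as_int(value):
    """Read '0 (0x0)' or 'dword:00000001' as an integer; None if it is neither."""
    tok = value.split()[0] if value.split() else ""
    if tok.lower().startswith("dword:"):
        return int(tok[6:], 16)
    try:
        return int(tok, 0)
    except ValueError:
        return None


def find_indicators(dump):
    """Return (rule, key, detail) tuples for the entries worth a second look."""
    hits = []
    for key, entries in parse(dump).items():
        k = key.lower()
        for name, value in entries:
            n = name.lower()
            if k.endswith("\\control\\lsa") and n == "authentication packages":
                # XP's default is msv1_0 alone; Virtumonde appends its own DLL.
                extra = [p for p in value.split() if p.lower() != "msv1_0"]
                if extra:
                    hits.append(("lsa_auth_package", key, " ".join(extra)))
            elif "\\mountpoints2\\" in k and n == "autorun":
                # AutoRun handler for a removable volume: the USB-worm vector.
                hits.append(("removable_autorun", key, value))
            elif "\\security center\\monitoring" in k and n == "disablemonitoring":
                if as_int(value) == 1:  # normal for third-party suites; confirm they run
                    hits.append(("security_center_monitoring_off", key, value))
            elif "firewallpolicy" in k and n == "enablefirewall":
                if as_int(value) == 0:  # expected if a replacement firewall is active
                    hits.append(("windows_firewall_off", key, value))
    for m in HEX_TASK_RE.finditer(dump):
        # Random hex-named .job files are typical of dropper-created tasks.
        hits.append(("hex_named_task", "Scheduled Tasks", m.group(1)))
    return hits


if __name__ == "__main__":
    for rule, key, detail in find_indicators(SAMPLE):
        print(f"{rule:30} {detail}\n    in {key}")
```

The two "off" findings are informational rather than infections: a third-party suite such as the CA products on this machine legitimately tells Security Center to stop monitoring it and replaces the Windows firewall, so treat them as a prompt to confirm the replacement is actually running. The LSA and AutoRun hits are the ones that warrant removal.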
Old 07-15-2008, 03:36 PM   #6 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 2,655
OS: XP


Re: Please help ! Trend Micro Chip Away Virus !

Hello again Paul

Quote:
Originally Posted by Paulos2
Hope you can help - I ran VundoFix + VirtumondeBeGone, which appeared to remove most traces of the Vundo/Virtumonde trojan
Do not run any tools or do any scans that I have not asked you to do; this may complicate things.

==========

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions and in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean that it is no longer present.

Please Do Not Attach logs to your posts unless you are advised to do so.

==========

P2P

P2P - I see you have P2P software µTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are Here,
Here and Here.

===========

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Java 2 Runtime Environment, SE v1.4.2_06
Java(TM) SE Runtime Environment 6 Update 1
Leave Java(TM) 6 Update 2 installed


============

Spybot S&D's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

==========

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

=========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

==========
Logs Required
C:\Combofix.txt
HijackThis log
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
Trial of BT-Phorm spyware to start 30th September 2008; for more information please visit the No DPI website.

Phorm, previously known as 121Media, was responsible for the Apropos rootkit; see Here for more information on said rootkit.

If we have helped you in any way, please consider Donating.
Old 07-16-2008, 06:12 PM   #7 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 25
OS: xp prof


Re: Please help ! Trend Micro Chip Away Virus !

Hi there,

Have a quick update,
I followed your instructions and got up to the ComboFix stage, where I had to stop, as the ComboFix copy I had previously downloaded has now expired. As my computer at home won't allow IE to work, I've had to download ComboFix again this morning from my office. (I will continue with ComboFix as per your instructions tonight.)

Thought I should pass on some feedback though, with regard to the Sun Java applications being removed per your instructions:
(Java 2 Runtime Environment, SE v1.4.2_06)
(Java(TM) SE Runtime Environment 6 Update 1)
I have removed these two programs, and have left the following Installed:
Leave Java(TM) 6 Update 2 installed
From what I understand, it appears maybe this is how (or part of the reason) I became infected with the Mebroot / Vundo / Virtumonde infections to start with, i.e. older copies of Sun Java that are targeted by these types of trojans?

I will continue the process tonight, as I'm assuming the boot sector is still infected, hence my red-screen Trend Micro ChipAway warning that I always get now when restarting the computer.
I have the Recovery Console download ready to go, have turned off the Spybot TeaTimer, and will disable all other antivirus programs tonight and continue again; will keep you posted.
Thanks a lot for your help thus far; fingers crossed the ComboFix report doesn't show anything too bad (or not too bad for you to help me with :))
Thanks again, Paul
Old 07-17-2008, 03:26 PM   #8 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 25
OS: xp prof


Re: Please help ! Trend Micro Chip Away Virus !

Hello again,

I have run the ComboFix program as per instructions.
At stage 41 (the end) of ComboFix, the computer restarted itself, and I got the red Trend Micro ChipAway virus alert again...
Not sure if the computer was meant to restart itself, but I loaded back into normal mode, and I now attach my copies of the ComboFix log:
(Still concerned as to why the red virus alert screen comes up when the computer is booting? I'm assuming there must be some boot sector virus infection still present?)

ComboFix scan results:

ComboFix 08-07-15.4 - Paul 2008-07-18 6:03:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.266 [GMT 10:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Paul\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\msacm32.drv
C:\WINDOWS\system32\cdeNnUtv.ini
C:\WINDOWS\system32\cdeNnUtv.ini2
C:\WINDOWS\system32\kxwqlmmj.ini
C:\WINDOWS\system32\xxGPYcfe.ini
C:\WINDOWS\system32\xxGPYcfe.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-16 00:35 . 2008-07-16 23:46 <DIR> d-------- C:\Program Files\Sophos
2008-07-16 00:33 . 2007-11-20 12:26 <DIR> d-------- C:\sav_install
2008-07-15 23:44 . 2008-07-16 22:04 <DIR> d-------- C:\Program Files\PC Integrity Scanner
2008-07-15 23:37 . 2008-07-15 23:37 <DIR> d-------- C:\Deckard
2008-07-15 22:56 . 2008-07-15 23:30 <DIR> d-------- C:\VundoFix Backups
2008-07-14 22:56 . 2008-07-14 22:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
2008-07-14 22:38 . 2008-07-18 06:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-14 22:38 . 2008-07-14 22:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-13 21:00 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-13 21:00 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-13 21:00 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-13 21:00 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-13 20:59 . 2008-07-14 00:21 <DIR> d-------- C:\Spyware Doctor
2008-07-13 20:59 . 2008-07-13 20:59 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\PC Tools
2008-07-13 15:19 . 2008-07-13 16:33 3,456 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-13 10:22 . 2008-07-13 10:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-13 10:22 . 2008-07-13 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-13 10:00 . 2008-07-13 10:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 22:03 . 2008-07-10 22:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-10 22:00 . 2008-07-10 22:05 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-06 21:01 . 2008-07-06 23:36 <DIR> d-a------ C:\Program Files\Trojan Remover
2008-07-06 20:58 . 2008-07-06 23:38 <DIR> d-------- C:\Trojan Remover
2008-07-06 20:58 . 2008-07-06 20:58 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Simply Super Software
2008-07-06 20:58 . 2008-07-06 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-07-06 20:58 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-06 20:58 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-07-06 20:58 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-06 20:58 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-07-06 20:58 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-20 11:15 . 2008-06-20 11:15 0 --a------ C:\WINDOWS\system32\11.CPX
2008-06-19 01:31 . 2008-06-19 01:31 <DIR> d-------- C:\Program Files\FastPictureViewer
2008-06-19 00:52 . 2008-06-19 00:53 1,227,048 --a------ C:\wic_x86_enu.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 20:07 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-07-17 20:07 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-07-17 20:07 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-07-17 20:07 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-07-17 20:07 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-07-17 20:07 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-07-17 20:07 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-07-17 20:07 251,820 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-07-17 12:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 13:51 --------- d-----w C:\Program Files\Java
2008-07-12 08:12 --------- d-----w C:\Documents and Settings\Paul\Application Data\uTorrent
2008-06-14 07:54 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-14 07:54 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-14 07:53 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-06-14 07:53 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-14 07:53 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-04 13:03 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-04 13:03 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-26 13:26 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-26 13:26 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-05-26 12:58 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-05-26 12:58 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-26 12:55 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-05-26 12:53 --------- d-----w C:\Program Files\Nokia
2008-05-25 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-05-16 01:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-11 06:36 21,679,872 ----a-w C:\pf_en_32.exe
2008-05-11 04:40 99,592 ----a-w C:\WINDOWS\system32\isafeif.dll
2008-05-11 04:40 83,256 ----a-w C:\WINDOWS\system32\vetredir.dll
2008-04-30 17:04 46,804,880 ----a-w C:\zlsSetup_70_470_000_en.exe
2008-04-28 12:17 4,614,888 ------w C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2008-04-20 08:20 71,680 ------w C:\KillBox.exe
2008-04-20 08:12 50,688 ------w C:\ATF-Cleaner.exe
2008-04-19 06:06 8,578,014 ------w C:\W.E.C.P.Codec.Package.Setup.exe
2007-08-14 06:04 87,608 ----a-w C:\Documents and Settings\Paul\Application Data\inst.exe
2007-08-14 06:04 47,360 ----a-w C:\Documents and Settings\Paul\Application Data\pcouffin.sys
2004-10-01 05:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2008-03-11 02:39 144 --sha-w C:\WINDOWS\system32\2228924393.dat
.
----a-w        12,508,597 2007-07-10 04:27:06  C:\Tools\YouTube download and convert to mpg, avi etc ... .exe

------- Sigcheck -------

2004-08-04 22:00 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 22:00 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"PowerBar"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 18:26 98304]
"CAVRID"="C:\Vet Antivirus\CAVRID.exe" [2008-06-14 17:52 234736]
"eTrust PestPatrol Active Protection"="C:\PestPatrol\PPActiveDetection.exe" [N/A]
"EPSON Stylus C45 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-14 04:00 99840]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"iTunesHelper"="C:\iTunes\iTunesHelper.exe" [2007-11-15 12:11 267048]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-23 06:08 181512]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-04-04 15:46 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-04-04 15:46 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-04-04 15:46 259336]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 22:43 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"EssSpkPhone"="essspk.exe" [2002-05-31 10:34 167936 C:\WINDOWS\essspk.exe]
"Pop-Up Stopper"="" [N/A]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 22:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 22:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Belkin\Bluetooth Software\BTTray.exe [2003-07-17 13:24:30 499773]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DIVXc32.dll
"vidc.DIV4"= DIVXc32f.dll
"vidc.ffds"= C:\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 12:11 267048 C:\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a--c--- 2005-12-04 16:38 437008 C:\Program Files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 22:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"F:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\uTorrent\\utorrent.exe"=
"C:\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Tools\\iTunes\\iTunes.exe"=
"C:\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:24]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 13:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 13:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:21]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:24]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 12:09]
R2 UmxAgent;HIPS Event Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 10:24]
R2 UmxCfg;HIPS Configuration Interpreter;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 10:24]
R2 UmxPol;HIPS Policy Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2007-05-18 13:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 15:15]
R3 PPCtlPriv;PPCtlPriv;C:\PestPatrol\PPCtlPriv.exe [2008-05-11 14:40]
S1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys []
S1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad02a6b6-3c35-11dd-8794-000c6e48ee4a}]
\Shell\AutoRun\command - G:\RavMon.exe
\Shell\explore\Command - G:\RavMon.exe -e
\Shell\open\Command - G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7df9060-8234-11dc-9f69-000c6e48ee4a}]
\Shell\AutoRun\command - G:\RavMon.exe
\Shell\explore\Command - G:\RavMon.exe -e
\Shell\open\Command - G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e81a1368-8546-11dc-9f6c-000c6e48ee4a}]
\Shell\AutoRun\command - G:\RavMon.exe
\Shell\explore\Command - G:\RavMon.exe -e
\Shell\open\Command - G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9755797-8ff9-11dc-9f6e-000c6e48ee4a}]
\shell\AutoRun\command - G:\RavMon.exe
\shell\explore\Command - G:\RavMon.exe -e
\shell\open\Command - G:\RavMon.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-14 02:31:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-17 20:00:00 C:\WINDOWS\Tasks\B0FD2D2598F2A291.job"
- c:\docume~1\paul\applic~1\atomst~1\load cdrom site.exe
.
- - - - ORPHANS REMOVED - - - -

Notify-PFW - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 06:14:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...