06-14-2008, 12:16 AM   #8
mactheshiv
Registered User
 
Join Date: Jun 2008
Posts: 13
OS: xp home sp2


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Yep, I was mixed up. I have downloaded the RC to ComboFix and that ran OK. After the RC was installed I selected YES to continue with the scan, but I still had my AV/AS/firewall programs running, so I got prompted numerous times by ZoneAlarm. ComboFix continued to run (to me) as per the tutorial and produced the text file.

ComboFix 08-06-11.3 - Admin 2008-06-14 13:56:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2005 [GMT 8:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\inst.exe
C:\WINDOWS\Fonts\CALIBRIB.TTF

.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-12 12:43 . 2008-06-12 12:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-12 12:39 . 2008-06-12 12:39 <DIR> d-------- C:\Deckard
2008-06-12 12:20 . 2008-06-12 12:20 <DIR> d-------- C:\ZonedOut
2008-06-12 12:12 . 2008-06-12 12:12 <DIR> d-------- C:\ie-spyad_zo
2008-06-11 15:49 . 2008-06-11 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 15:49 . 2008-06-11 15:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-06-11 12:19 . 2008-06-11 12:19 172,968 --a------ C:\activescan2_en.exe
2008-06-11 11:25 . 2008-06-11 12:19 <DIR> d-------- C:\Program Files\Panda Security
2008-06-10 12:19 . 2008-06-10 12:53 <DIR> d-------- C:\McafeeRootkitDetective
2008-06-10 11:04 . 2008-06-10 11:08 <DIR> d-------- C:\Program Files\AoA Audio Extractor
2008-06-09 12:40 . 2008-06-10 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-09 12:39 . 2008-06-09 12:39 33,280 --a------ C:\WINDOWS\system32\geBtTjgg.dll
2008-06-09 11:50 . 2008-06-09 11:50 <DIR> d-------- C:\qscan_v1.0
2008-06-09 11:37 . 2008-06-09 11:37 <DIR> d-------- C:\Program Files\DVD Identifier
2008-06-09 11:20 . 2008-06-09 11:20 <DIR> d-------- C:\Program Files\DInfo
2008-06-09 11:20 . 2008-06-09 11:20 249,856 --------- C:\WINDOWS\Setup1.exe
2008-06-09 11:20 . 2008-06-09 11:20 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-06-09 10:52 . 2008-06-09 10:52 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-09 10:51 . 2008-06-09 10:51 <DIR> d-------- C:\Program Files\Real
2008-06-09 10:51 . 2008-06-09 10:51 <DIR> d-------- C:\Program Files\Common Files\Real
2008-06-09 09:25 . 2008-06-09 09:25 99,174 --a------ C:\WINDOWS\system32\ffdshow.reg
2008-06-08 17:20 . 2008-06-08 17:20 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-06-08 17:04 . 2008-06-08 17:04 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-06-08 17:04 . 2007-08-18 14:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-06-08 14:06 . 2008-06-14 13:30 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-01 14:55 . 2008-06-01 14:55 <DIR> d-------- C:\Program Files\Windows Resource Kits
2008-06-01 12:22 . 2008-06-01 13:34 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-06-01 12:22 . 2008-06-01 13:34 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-06-01 12:01 . 2008-06-01 12:01 <DIR> d-------- C:\DECCHECK
2008-06-01 09:42 . 2008-06-01 09:42 <DIR> d-------- C:\Program Files\KC Softwares
2008-05-31 08:56 . 2008-05-31 08:56 29 --a------ C:\WINDOWS\system32\backup.ini
2008-05-30 15:35 . 2008-05-30 15:35 <DIR> d-------- C:\Sta2Burn
2008-05-30 15:05 . 2008-05-30 15:05 <DIR> d-------- C:\Program Files\Uniblue
2008-05-30 14:40 . 2008-05-30 14:40 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2008-05-30 10:20 . 2008-06-09 14:19 <DIR> d-------- C:\Program Files\SpywareGuard
2008-05-30 10:02 . 2008-06-11 12:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-30 10:02 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-30 08:34 . 2008-05-30 08:34 <DIR> d-------- C:\Program Files\WinPcap
2008-05-30 08:34 . 2008-05-30 08:34 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-05-30 08:33 . 2008-05-30 08:36 <DIR> d-------- C:\Program Files\URLSnooper2
2008-05-30 08:33 . 2008-05-30 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DonationCoder
2008-05-29 10:44 . 2008-05-29 10:44 <DIR> d-------- C:\Program Files\GPLGS
2008-05-29 10:42 . 2008-05-29 10:42 <DIR> d-------- C:\Program Files\Acro Software
2008-05-29 10:42 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-27 11:53 . 2008-05-27 11:53 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\WinCare2008
2008-05-27 11:52 . 2008-05-27 12:01 <DIR> d-------- C:\Program Files\Spotmau WinCare 2008
2008-05-27 11:43 . 2008-02-22 19:30 334,792 --a------ C:\WINDOWS\system32\_AxShlEx.dll
2008-05-27 11:40 . 2008-05-27 11:40 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-27 11:36 . 2008-05-27 11:36 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-27 10:15 . 2008-05-27 10:15 <DIR> d-------- C:\Program Files\BurnAware Free Edition
2008-05-26 14:09 . 2008-05-26 14:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-26 14:09 . 2008-05-26 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 13:15 . 2008-05-26 13:15 <DIR> d-------- C:\Program Files\EasyFLV
2008-05-26 13:15 . 2004-03-09 00:00 224,016 --a------ C:\WINDOWS\system32\tabctl32.ocx
2008-05-26 13:15 . 2006-07-30 13:47 94,208 --a------ C:\WINDOWS\system32\clrcombo.ocx
2008-05-26 12:41 . 2008-05-26 13:04 <DIR> d-------- C:\Program Files\DVDFab 5
2008-05-26 12:41 . 2008-05-30 18:18 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Vso
2008-05-26 12:41 . 2008-05-26 12:41 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-26 12:41 . 2008-05-26 12:41 47,360 --a------ C:\Documents and Settings\Admin\Application Data\pcouffin.sys
2008-05-26 12:34 . 2008-06-01 17:27 <DIR> d-------- C:\DVDVideoSoft
2008-05-26 12:31 . 2008-05-26 12:31 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-26 12:31 . 2008-05-26 12:31 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-26 12:31 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-05-26 11:30 . 2008-05-26 11:42 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-23 16:22 . 2008-05-23 16:22 <DIR> d-------- C:\Program Files\Xilisoft
2008-05-22 14:49 . 2008-05-22 14:49 <DIR> d-------- C:\MEMTEST
2008-05-22 01:55 . 2008-05-22 01:55 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\vlc
2008-05-22 01:49 . 2008-05-22 01:49 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-21 14:05 . 2008-05-21 14:06 <DIR> d-------- C:\Program Files\BackRex Outlook Express Backup
2008-05-16 12:14 . 2008-05-30 17:18 <DIR> d-------- C:\Program Files\East-Tec Backup
2008-05-16 12:14 . 2008-06-11 14:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 11:32 . 2008-05-21 13:40 <DIR> d-------- C:\OziExplorer
2008-05-15 15:02 . 2008-05-15 15:02 <DIR> d-------- C:\Program Files\EasyGPS
2008-05-15 10:54 . 2008-05-15 10:54 <DIR> d-------- C:\Program Files\uTorrent
2008-05-15 10:54 . 2008-06-10 12:03 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\uTorrent
2008-05-14 16:07 . 2008-05-14 16:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-14 16:07 . 2008-05-14 16:07 <DIR> d-------- C:\MagellanDrivers
2008-05-14 15:40 . 2003-03-02 19:44 7,552 --a------ C:\WINDOWS\system32\drivers\enodpl.sys
2008-05-14 15:40 . 2003-04-19 02:32 4,736 --a------ C:\WINDOWS\system32\drivers\tandpl.sys
2008-05-14 15:27 . 2008-05-15 14:24 <DIR> d-------- C:\Program Files\Magellan
2008-05-14 15:27 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-05-14 15:27 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-05-14 15:13 . 2008-05-14 15:13 <DIR> d-------- C:\Documents and Settings\Admin\WINDOWS
2008-05-14 14:33 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-05-14 14:33 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-05-14 14:18 . 2008-05-22 12:09 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-05-14 14:18 . 2008-05-14 14:18 <DIR> d-------- C:\Downloads
2008-05-14 14:18 . 2008-06-09 11:33 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Orbit
2008-05-14 14:16 . 2008-05-14 14:16 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-14 14:10 . 2008-05-21 16:42 <DIR> d-------- C:\Program Files\ArtisanDVDPlayer
2008-05-14 14:03 . 2008-05-14 14:04 <DIR> d-------- C:\Program Files\Winamp
2008-05-14 14:03 . 2008-05-14 14:08 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Winamp
2008-05-14 13:56 . 2008-05-14 13:56 <DIR> d-------- C:\Intel
2008-05-14 13:50 . 2008-05-14 13:50 <DIR> d-------- C:\Program Files\PC User DVD Plus 2008
2008-05-14 13:46 . 2008-05-14 13:47 <DIR> d-------- C:\Program Files\TuneXP
2008-05-14 13:46 . 2008-05-14 13:46 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-05-14 13:44 . 2008-05-14 13:44 <DIR> d-------- C:\Program Files\Universal Extractor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 05:58 11,296,800 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-14 05:27 3,147,521 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-14 05:24 2,358,272 ----a-w C:\WINDOWS\Internet Logs\xDB35.tmp
2008-06-14 05:24 156,068 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-13 09:33 2,806,272 ----a-w C:\WINDOWS\Internet Logs\xDB34.tmp
2008-06-12 04:00 55,808 ----a-w C:\WINDOWS\Internet Logs\xDB33.tmp
2008-06-11 09:02 1,205,760 ----a-w C:\WINDOWS\Internet Logs\xDB32.tmp
2008-06-11 08:10 2,479,616 ----a-w C:\WINDOWS\Internet Logs\xDB31.tmp
2008-06-11 08:10 186,368 ----a-w C:\WINDOWS\Internet Logs\xDB30.tmp
2008-06-11 07:55 2,495,488 ----a-w C:\WINDOWS\Internet Logs\xDB2F.tmp
2008-06-11 07:55 2,439,168 ----a-w C:\WINDOWS\Internet Logs\xDB2E.tmp
2008-06-11 06:10 87,040 ----a-w C:\WINDOWS\Internet Logs\xDB2C.tmp
2008-06-11 06:10 2,477,568 ----a-w C:\WINDOWS\Internet Logs\xDB2D.tmp
2008-06-11 05:16 2,476,032 ----a-w C:\WINDOWS\Internet Logs\xDB2B.tmp
2008-06-11 05:16 1,888,256 ----a-w C:\WINDOWS\Internet Logs\xDB2A.tmp
2008-06-10 08:56 215,552 ----a-w C:\WINDOWS\Internet Logs\xDB29.tmp
2008-06-10 08:39 398,848 ----a-w C:\WINDOWS\Internet Logs\xDB28.tmp
2008-06-10 08:03 58,880 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp
2008-06-10 08:00 201,216 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp
2008-06-10 07:48 53,248 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp
2008-06-10 07:41 54,784 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2008-06-10 07:31 1,737,728 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-06-10 06:12 606,720 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2008-06-09 06:04 302,080 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp
2008-06-07 01:46 48,640 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp
2008-06-06 14:13 141,824 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-06-05 14:05 50,688 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-06-01 13:39 62,976 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-06-01 08:57 74,240 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-06-01 07:05 108,032 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-06-01 05:34 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-01 04:20 59,392 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-06-01 03:46 41,472 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-06-01 03:43 392,192 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-05-31 00:50 104,960 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-05-30 15:21 --------- d-----w C:\Program Files\PokerStars
2008-05-30 07:48 55,808 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-05-30 07:08 208,384 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-05-30 02:24 79,360 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-05-29 16:09 167,424 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-05-27 12:23 163,328 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-05-27 04:47 52,224 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-27 04:10 72,192 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-27 03:37 326,144 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-26 15:34 132,096 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-05-26 04:45 97,792 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-05-25 15:58 280,576 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-05-25 15:58 2,080,768 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-05-25 05:22 48,128 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-25 04:17 39,424 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-05-25 04:01 38,400 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-05-25 03:42 45,568 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-24 19:12 2,076,160 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-05-24 19:12 112,640 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-05-23 18:57 45,568 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-23 09:34 84,992 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-23 05:32 38,912 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-23 05:14 2,080,768 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-05-20 08:02 --------- d-----w C:\Program Files\Shoot! v3.2
2008-05-15 06:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 07:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-12 07:28 --------- d-----w C:\Program Files\Pinsoft
2008-05-10 09:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Program Files\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-05-10 07:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-09 05:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 14:14 --------- d-----w C:\Program Files\Microsoft Works
2008-05-07 13:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 10:45 --------- d-----w C:\Program Files\Quicken
2008-05-07 10:45 --------- d-----w C:\Program Files\Common Files\Palo Alto Software
2008-05-07 10:45 --------- d-----w C:\Program Files\Common Files\Intuit
2008-05-07 10:45 --------- d-----w C:\Documents and Settings\Admin\Application Data\Intuit
2008-05-07 10:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-05-06 15:19 --------- d-----w C:\Program Files\SonicWallES
2008-05-06 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-06 15:19 --------- d-----w C:\Documents and Settings\Admin\Application Data\MailFrontier
2008-05-06 15:14 --------- d-----w C:\Documents and Settings\Admin\Application Data\GetRight
2008-05-06 15:12 --------- d-----w C:\Program Files\GetRight
2008-05-06 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-06 13:13 --------- d-----w C:\Program Files\Zone Labs
2008-05-06 12:46 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-05-04 09:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\AVGTOOLBAR
2008-05-02 09:30 --------- d-----w C:\Program Files\AVG
2008-05-02 08:14 --------- d-----w C:\Program Files\Realtek
2008-05-02 08:12 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-02 08:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\InstallShield
2008-05-02 08:05 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-02 13:07 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-04-02 13:07 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]
2008-06-09 12:39 33280 --a------ C:\WINDOWS\system32\geBtTjgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@={D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@={8A814C29-D3CD-4F9E-9770-DF8704503ACA}

[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 17:05 348160 --a------ C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 17:05 348160 --a------ C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-17 10:30 16855552 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"MSConfig"="C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\MSconfig.exe" [2004-08-04 20:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8EA86503-476F-476A-A55A-7225082DF3EB}"= C:\WINDOWS\system32\geBtTjgg.dll [2008-06-09 12:39 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtTjgg]
geBtTjgg.dll 2008-06-09 12:39 33280 C:\WINDOWS\system32\geBtTjgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-04 10:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 20:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\East-Tec Backup 2008]
--a------ 2008-04-07 15:41 3923560 C:\Program Files\East-Tec Backup\etBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-09 10:51 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2008-04-28 00:20 649300 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-10 03:11]
R1 FolderProtectDriver;FolderProtectDriver;C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [2008-01-10 22:47]
R2 FolderProtectService;FolderProtectService;C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [2007-12-22 00:23]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-22 04:55]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 13:58:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\geBtTjgg.dll
.
Completion time: 2008-06-14 13:59:50
ComboFix-quarantined-files.txt 2008-06-14 05:59:46

Pre-Run: 67,608,756,224 bytes free
Post-Run: 67,570,212,864 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

304 --- E O F --- 2008-05-09 05:09:40
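The one module that stands out in the log above is C:\WINDOWS\system32\geBtTjgg.dll: it is registered as a Browser Helper Object, as a ShellExecuteHooks entry and as a Winlogon\Notify package, and the last section shows it loaded inside winlogon.exe. A random-looking DLL that is wired into several autostart locations at once is the thing to pick out of a ComboFix log, and it is easy to miss by eye among the legitimate entries. The script below is an added example, not part of mactheshiv's post and not ComboFix's own code: it parses the "Reg Loading Points" and "DLLs Loaded Under Running Processes" sections, groups each module by the class of autostart location it appears under, and reports any module registered in two or more classes or loaded into winlogon.exe. The sample input is a constructed, trimmed copy of entries from the log above; the location-class names and the substring rules that map registry keys to them are assumptions made for this example.

```python
"""Triage helper for the autostart sections of a ComboFix log (added example)."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the autostart entries in the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]
2008-06-09 12:39 33280 --a------ C:\WINDOWS\system32\geBtTjgg.dll
[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 17:05 348160 --a------ C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll
[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 17:05 348160 --a------ C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8EA86503-476F-476A-A55A-7225082DF3EB}"= C:\WINDOWS\system32\geBtTjgg.dll [2008-06-09 12:39 33280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtTjgg]
geBtTjgg.dll 2008-06-09 12:39 33280 C:\WINDOWS\system32\geBtTjgg.dll
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\geBtTjgg.dll
"""

# A full path ending in a loadable module; stops at quotes, brackets or whitespace.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]\r\n]+?\.(?:dll|exe|sys|ocx|acm|ax))(?=["\]\s]|$)', re.I)

# Assumed classification: registry-key substrings (lower-cased) -> autostart location class.
LOCATION_CLASSES = (
    ("browser helper objects", "BHO"),
    ("shellexecutehooks", "ShellExecuteHooks"),
    ("winlogon\\notify", "WinlogonNotify"),
    ("start menu\\programs\\startup", "StartupFolder"),
    ("\\currentversion\\run", "Run"),
    ("msconfig\\startupreg", "MSConfigDisabled"),
    ("authorizedapplications", "FirewallAllowList"),
    ("hkey_classes_root\\clsid", "CLSID"),
)


def classify(key):
    """Map a registry key (or startup-folder path) to a location class."""
    low = key.lower()
    for needle, cls in LOCATION_CLASSES:
        if needle in low:
            return cls
    return "Other:" + key


def parse_combofix(text):
    """Return ({module: set(location classes)}, {process: [dll, ...]})."""
    autostarts = defaultdict(set)
    loaded = defaultdict(list)
    key = process = None
    in_dll_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "DLLs Loaded Under Running Processes" in line:
            in_dll_section = True
            continue
        if in_dll_section:                         # PROCESS: / -> lines only
            m = PATH_RE.search(line)
            if line.startswith("PROCESS:") and m:
                process = m.group(1)
            elif line.startswith("->") and m and process:
                loaded[process].append(m.group(1))
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                       # a registry loading point
            continue
        if re.match(r"^[A-Za-z]:\\.*\\$", line):  # a startup-folder header
            key = line
            continue
        if key is None:                            # before the first loading point
            continue
        for path in PATH_RE.findall(line):
            autostarts[path.lower()].add(classify(key))
    return autostarts, loaded


def triage(autostarts, loaded):
    """List (module, reason) pairs: multi-location registrations and winlogon loads."""
    findings = []
    for mod, classes in sorted(autostarts.items()):
        if len(classes) >= 2:
            findings.append((mod, "registered in %d autostart locations: %s"
                             % (len(classes), ", ".join(sorted(classes)))))
    for proc, dlls in loaded.items():
        if proc.lower().endswith("\\winlogon.exe"):
            findings.extend((dll.lower(), "loaded inside winlogon.exe") for dll in dlls)
    return findings


if __name__ == "__main__":
    for module, reason in triage(*parse_combofix(SAMPLE_LOG)):
        print(module, "-", reason)
```

Run against the sample, only geBtTjgg.dll is reported (three location classes, plus the winlogon.exe load); FolderProtectShellExtension.dll is registered under two CLSIDs but both fall in the same class, so it is not flagged, which is the reason for counting classes rather than raw keys. Keys that match none of the substring rules are kept as their own class, so on a full log an unrecognised pair of keys can still raise a module to the threshold; treat the output as a shortlist for manual review, not a verdict.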