Old 06-14-2008, 07:31 PM   #17 (permalink)
mactheshiv
Registered User
 
Join Date: Jun 2008
Posts: 13
OS: xp home sp2


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Have run ComboFix with CFScript.txt; log uploaded to BleepingComputer.

ComboFix 08-06-11.3 - Admin 2008-06-15 9:08:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2127 [GMT 8:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\geBtTjgg.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-12 12:43 . 2008-06-12 12:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-12 12:39 . 2008-06-12 12:39 <DIR> d-------- C:\Deckard
2008-06-12 12:20 . 2008-06-12 12:20 <DIR> d-------- C:\ZonedOut
2008-06-12 12:12 . 2008-06-12 12:12 <DIR> d-------- C:\ie-spyad_zo
2008-06-11 15:49 . 2008-06-11 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 15:49 . 2008-06-11 15:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-06-11 12:19 . 2008-06-11 12:19 172,968 --a------ C:\activescan2_en.exe
2008-06-11 11:25 . 2008-06-11 12:19 <DIR> d-------- C:\Program Files\Panda Security
2008-06-10 12:19 . 2008-06-10 12:53 <DIR> d-------- C:\McafeeRootkitDetective
2008-06-10 11:04 . 2008-06-10 11:08 <DIR> d-------- C:\Program Files\AoA Audio Extractor
2008-06-09 12:40 . 2008-06-10 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-09 11:50 . 2008-06-09 11:50 <DIR> d-------- C:\qscan_v1.0
2008-06-09 11:37 . 2008-06-09 11:37 <DIR> d-------- C:\Program Files\DVD Identifier
2008-06-09 11:20 . 2008-06-09 11:20 <DIR> d-------- C:\Program Files\DInfo
2008-06-09 11:20 . 2008-06-09 11:20 249,856 --------- C:\WINDOWS\Setup1.exe
2008-06-09 11:20 . 2008-06-09 11:20 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-06-09 10:52 . 2008-06-09 10:52 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-09 10:51 . 2008-06-09 10:51 <DIR> d-------- C:\Program Files\Real
2008-06-09 10:51 . 2008-06-09 10:51 <DIR> d-------- C:\Program Files\Common Files\Real
2008-06-09 09:25 . 2008-06-09 09:25 99,174 --a------ C:\WINDOWS\system32\ffdshow.reg
2008-06-08 17:20 . 2008-06-08 17:20 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-06-08 17:04 . 2008-06-08 17:04 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-06-08 17:04 . 2007-08-18 14:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-06-08 14:06 . 2008-06-15 09:01 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-01 14:55 . 2008-06-01 14:55 <DIR> d-------- C:\Program Files\Windows Resource Kits
2008-06-01 12:22 . 2008-06-01 13:34 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-06-01 12:22 . 2008-06-01 13:34 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-06-01 12:01 . 2008-06-01 12:01 <DIR> d-------- C:\DECCHECK
2008-06-01 09:42 . 2008-06-01 09:42 <DIR> d-------- C:\Program Files\KC Softwares
2008-05-31 08:56 . 2008-05-31 08:56 29 --a------ C:\WINDOWS\system32\backup.ini
2008-05-30 15:35 . 2008-05-30 15:35 <DIR> d-------- C:\Sta2Burn
2008-05-30 15:05 . 2008-05-30 15:05 <DIR> d-------- C:\Program Files\Uniblue
2008-05-30 14:40 . 2008-05-30 14:40 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2008-05-30 10:20 . 2008-06-09 14:19 <DIR> d-------- C:\Program Files\SpywareGuard
2008-05-30 10:02 . 2008-06-11 12:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-30 10:02 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-30 08:34 . 2008-05-30 08:34 <DIR> d-------- C:\Program Files\WinPcap
2008-05-30 08:34 . 2008-05-30 08:34 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-05-30 08:33 . 2008-05-30 08:36 <DIR> d-------- C:\Program Files\URLSnooper2
2008-05-30 08:33 . 2008-05-30 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DonationCoder
2008-05-29 10:44 . 2008-05-29 10:44 <DIR> d-------- C:\Program Files\GPLGS
2008-05-29 10:42 . 2008-05-29 10:42 <DIR> d-------- C:\Program Files\Acro Software
2008-05-29 10:42 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-27 11:53 . 2008-05-27 11:53 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\WinCare2008
2008-05-27 11:52 . 2008-05-27 12:01 <DIR> d-------- C:\Program Files\Spotmau WinCare 2008
2008-05-27 11:43 . 2008-02-22 19:30 334,792 --a------ C:\WINDOWS\system32\_AxShlEx.dll
2008-05-27 11:40 . 2008-05-27 11:40 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-27 11:36 . 2008-05-27 11:36 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-27 10:15 . 2008-05-27 10:15 <DIR> d-------- C:\Program Files\BurnAware Free Edition
2008-05-26 14:09 . 2008-05-26 14:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-26 14:09 . 2008-05-26 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 13:15 . 2008-05-26 13:15 <DIR> d-------- C:\Program Files\EasyFLV
2008-05-26 13:15 . 2004-03-09 00:00 224,016 --a------ C:\WINDOWS\system32\tabctl32.ocx
2008-05-26 13:15 . 2006-07-30 13:47 94,208 --a------ C:\WINDOWS\system32\clrcombo.ocx
2008-05-26 12:41 . 2008-05-26 13:04 <DIR> d-------- C:\Program Files\DVDFab 5
2008-05-26 12:41 . 2008-05-30 18:18 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Vso
2008-05-26 12:41 . 2008-05-26 12:41 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-26 12:41 . 2008-05-26 12:41 47,360 --a------ C:\Documents and Settings\Admin\Application Data\pcouffin.sys
2008-05-26 12:34 . 2008-06-01 17:27 <DIR> d-------- C:\DVDVideoSoft
2008-05-26 12:31 . 2008-05-26 12:31 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-26 12:31 . 2008-05-26 12:31 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-26 12:31 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-05-26 11:30 . 2008-05-26 11:42 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-23 16:22 . 2008-05-23 16:22 <DIR> d-------- C:\Program Files\Xilisoft
2008-05-22 14:49 . 2008-05-22 14:49 <DIR> d-------- C:\MEMTEST
2008-05-22 01:55 . 2008-05-22 01:55 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\vlc
2008-05-22 01:49 . 2008-05-22 01:49 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-21 14:05 . 2008-05-21 14:06 <DIR> d-------- C:\Program Files\BackRex Outlook Express Backup
2008-05-16 12:14 . 2008-05-30 17:18 <DIR> d-------- C:\Program Files\East-Tec Backup
2008-05-16 12:14 . 2008-06-11 14:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 11:32 . 2008-05-21 13:40 <DIR> d-------- C:\OziExplorer
2008-05-15 15:02 . 2008-05-15 15:02 <DIR> d-------- C:\Program Files\EasyGPS
2008-05-15 10:54 . 2008-06-15 09:03 <DIR> d-------- C:\Program Files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 01:14 11,355,936 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-15 01:09 157,268 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-14 18:59 1,369,600 ----a-w C:\WINDOWS\Internet Logs\xDB37.tmp
2008-06-14 18:23 --------- d-----w C:\Program Files\PokerStars
2008-06-14 07:09 2,505,216 ----a-w C:\WINDOWS\Internet Logs\xDB36.tmp
2008-06-14 05:27 3,147,521 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-14 05:24 2,358,272 ----a-w C:\WINDOWS\Internet Logs\xDB35.tmp
2008-06-13 09:33 2,806,272 ----a-w C:\WINDOWS\Internet Logs\xDB34.tmp
2008-06-12 04:00 55,808 ----a-w C:\WINDOWS\Internet Logs\xDB33.tmp
2008-06-11 09:02 1,205,760 ----a-w C:\WINDOWS\Internet Logs\xDB32.tmp
2008-06-11 08:10 2,479,616 ----a-w C:\WINDOWS\Internet Logs\xDB31.tmp
2008-06-11 08:10 186,368 ----a-w C:\WINDOWS\Internet Logs\xDB30.tmp
2008-06-11 07:55 2,495,488 ----a-w C:\WINDOWS\Internet Logs\xDB2F.tmp
2008-06-11 07:55 2,439,168 ----a-w C:\WINDOWS\Internet Logs\xDB2E.tmp
2008-06-11 06:10 87,040 ----a-w C:\WINDOWS\Internet Logs\xDB2C.tmp
2008-06-11 06:10 2,477,568 ----a-w C:\WINDOWS\Internet Logs\xDB2D.tmp
2008-06-11 05:16 2,476,032 ----a-w C:\WINDOWS\Internet Logs\xDB2B.tmp
2008-06-11 05:16 1,888,256 ----a-w C:\WINDOWS\Internet Logs\xDB2A.tmp
2008-06-10 08:56 215,552 ----a-w C:\WINDOWS\Internet Logs\xDB29.tmp
2008-06-10 08:39 398,848 ----a-w C:\WINDOWS\Internet Logs\xDB28.tmp
2008-06-10 08:03 58,880 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp
2008-06-10 08:00 201,216 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp
2008-06-10 07:48 53,248 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp
2008-06-10 07:41 54,784 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2008-06-10 07:31 1,737,728 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-06-10 06:12 606,720 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2008-06-09 06:04 302,080 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp
2008-06-09 03:33 --------- d-----w C:\Documents and Settings\Admin\Application Data\Orbit
2008-06-07 01:46 48,640 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp
2008-06-06 14:13 141,824 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-06-05 14:05 50,688 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-06-01 13:39 62,976 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-06-01 08:57 74,240 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-06-01 07:05 108,032 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-06-01 05:34 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-01 04:20 59,392 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-06-01 03:46 41,472 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-06-01 03:43 392,192 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-05-31 00:50 104,960 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-05-30 07:48 55,808 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-05-30 07:08 208,384 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-05-30 02:24 79,360 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-05-29 16:09 167,424 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-05-27 12:23 163,328 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-05-27 04:47 52,224 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-27 04:10 72,192 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-27 03:37 326,144 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-26 15:34 132,096 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-05-26 04:45 97,792 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-05-25 15:58 280,576 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-05-25 15:58 2,080,768 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-05-25 05:22 48,128 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-25 04:17 39,424 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-05-25 04:01 38,400 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-05-25 03:42 45,568 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-24 19:12 2,076,160 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-05-24 19:12 112,640 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-05-23 18:57 45,568 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-23 09:34 84,992 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-23 05:32 38,912 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-23 05:14 2,080,768 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-05-22 04:09 --------- d-----w C:\Program Files\Orbitdownloader
2008-05-21 08:42 --------- d-----w C:\Program Files\ArtisanDVDPlayer
2008-05-20 08:02 --------- d-----w C:\Program Files\Shoot! v3.2
2008-05-15 06:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-15 06:24 --------- d-----w C:\Program Files\Magellan
2008-05-14 07:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-14 06:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\Winamp
2008-05-14 06:04 --------- d-----w C:\Program Files\Winamp
2008-05-14 05:50 --------- d-----w C:\Program Files\PC User DVD Plus 2008
2008-05-14 05:47 --------- d-----w C:\Program Files\TuneXP
2008-05-14 05:46 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-05-14 05:44 --------- d-----w C:\Program Files\Universal Extractor
2008-05-12 07:28 --------- d-----w C:\Program Files\Pinsoft
2008-05-10 09:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Program Files\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-05-10 07:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-09 05:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 14:14 --------- d-----w C:\Program Files\Microsoft Works
2008-05-07 13:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 10:45 --------- d-----w C:\Program Files\Quicken
2008-05-07 10:45 --------- d-----w C:\Program Files\Common Files\Palo Alto Software
2008-05-07 10:45 --------- d-----w C:\Program Files\Common Files\Intuit
2008-05-07 10:45 --------- d-----w C:\Documents and Settings\Admin\Application Data\Intuit
2008-05-07 10:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-05-06 15:19 --------- d-----w C:\Program Files\SonicWallES
2008-05-06 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-06 15:19 --------- d-----w C:\Documents and Settings\Admin\Application Data\MailFrontier
2008-05-06 15:14 --------- d-----w C:\Documents and Settings\Admin\Application Data\GetRight
2008-05-06 15:12 --------- d-----w C:\Program Files\GetRight
2008-05-06 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-06 13:13 --------- d-----w C:\Program Files\Zone Labs
2008-05-06 12:46 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-05-04 09:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\AVGTOOLBAR
2008-05-02 09:30 --------- d-----w C:\Program Files\AVG
2008-05-02 08:14 --------- d-----w C:\Program Files\Realtek
2008-05-02 08:12 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-02 08:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\InstallShield
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- C:\WINDOWS\HideWin.exe ----
Company: Realtek Semiconductor Corp.
File Description: Hide Windows
File Version: 1.0.0.1
Product Name: HD Audio Hide windows program
Copyright: Realtek Semiconductor Corp. All rights reserved.
Original file name: HideWin.exe
MD5: 2d65f8db74c36819896cf809e4375f0a


((((((((((((((((((((((((((((( snapshot@2008-06-14_13.59.22.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 05:27:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 01:11:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-14 05:27:33 394,504 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-06-15 01:11:56 395,148 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-06-14 05:58:25 110,080 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-06-15 01:07:43 110,080 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@={D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@={8A814C29-D3CD-4F9E-9770-DF8704503ACA}

[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 17:05 348160 --a------ C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 17:05 348160 --a------ C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-17 10:30 16855552 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"MSConfig"="C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\MSconfig.exe" [2004-08-04 20:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtTjgg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-04 10:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 20:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\East-Tec Backup 2008]
--a------ 2008-04-07 15:41 3923560 C:\Program Files\East-Tec Backup\etBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-09 10:51 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-10 03:11]
R1 FolderProtectDriver;FolderProtectDriver;C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [2008-01-10 22:47]
R2 FolderProtectService;FolderProtectService;C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [2007-12-22 00:23]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-22 04:55]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 09:14:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2008-06-15 9:18:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 01:18:02
ComboFix2.txt 2008-06-14 05:59:51

Pre-Run: 67,568,005,120 bytes free
Post-Run: 67,556,122,624 bytes free

303 --- E O F --- 2008-05-09 05:09:40

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:56 AM, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\MSconfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209719645000
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6098 bytes