Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 06-10-2008, 11:38 PM
Registered User | Join Date: Jun 2008 | Posts: 13 | OS: xp home sp2

Removal of Trojan.Win32.Monder.Gen STEP 2 fails

XP Home SP2. Virus detected in c:\windows\system32\gebtjgg.dll. Step 2, Panda ActiveScan full scan (ZoneAlarm AV off), stops at 57%-58% (tried twice). Net activity stops. I waited for 5 minutes, nothing happens again. No messages. Page freezes but I can close the browser (Firefox). Cannot open browser again, just get the hourglass, nothing happens. Ctrl-Alt-Del does not work. Have to restart machine to try again. Any help would be very much appreciated, thank you.

Skipped step 2, got to step 5. DSS ran then nothing. No auto HJT start? I ran HJT which produced this log.

Will FIX CHECKED
O2 - BHO: (no name) - {8EA86503-476F-476A-A55A-7225082DF3EB} - C:\WINDOWS\system32\geBtTjgg.dll
solve the problem? I haven't done anything yet.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:24 PM, on 13/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8EA86503-476F-476A-A55A-7225082DF3EB} - C:\WINDOWS\system32\geBtTjgg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\MSconfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209719645000
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} -
O20 - Winlogon Notify: geBtTjgg - C:\WINDOWS\SYSTEM32\geBtTjgg.dll
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6574 bytes

Last edited by amateur; 06-13-2008 at 04:55 AM. Reason: posts merged to retain 0-reply status
-- mactheshiv
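The log above shows the same file, geBtTjgg.dll, registered at two separate auto-load points: the nameless O2 BHO and the O20 Winlogon Notify entry. That overlap, not any single line, is what makes the DLL stand out. The following Python script is an added example, not code from the original post or from the HijackThis project: it parses HJT-style lines, groups entries by the file they load and scores each file on a few heuristic indicators. The sample lines are copied from the log in this thread; the indicator wording and the threshold of three indicators are assumptions of the example.

```python
"""Correlate HijackThis (v2.x) log entries by the file they load.

Added example, not part of the original post. Entries of the form
"<section> - <description>" are grouped by the first drive-letter path
they mention, so one DLL that is wired into several load points
(O2 BHO, O20 Winlogon Notify, O4 Run, O23 Service ...) is reported once,
together with the reasons it looks suspicious.
"""
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {8EA86503-476F-476A-A55A-7225082DF3EB} - C:\WINDOWS\system32\geBtTjgg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: geBtTjgg - C:\WINDOWS\SYSTEM32\geBtTjgg.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
# First drive-letter path on the line, up to a PE-style extension.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|exe|sys|ocx)\b", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32"


def parse_hjt(text):
    """Return one dict per recognised HJT entry: section code, body, path."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, 'Running processes:' block, blanks
        code, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append({
            "code": code,
            "body": body,
            # Case-folded so SYSTEM32 and system32 collapse to one key.
            "path": pm.group(0).lower() if pm else None,
            "no_name": "(no name)" in body,
        })
    return entries


def load_points(entries):
    """Map each referenced file to the list of entries that load it."""
    by_path = defaultdict(list)
    for e in entries:
        if e["path"]:
            by_path[e["path"]].append(e)
    return by_path


def indicators(path, refs):
    """Heuristic indicators for one file (assumed wording, not HJT output)."""
    codes = sorted({r["code"] for r in refs})
    found = []
    if len(codes) > 1:
        found.append("multiple load points: " + ",".join(codes))
    if any(r["no_name"] for r in refs):
        found.append("registered without a name/vendor string")
    if path.rsplit("\\", 1)[0] == SYSTEM32 and path.endswith(".dll"):
        found.append("DLL sitting directly in system32, not in a vendor folder")
    if "O20" in codes:
        found.append("Winlogon Notify package (loaded into winlogon.exe)")
    return found


def suspicious(entries, threshold=3):
    """Files with at least `threshold` indicators, most indicators first."""
    hits = []
    for path, refs in load_points(entries).items():
        ind = indicators(path, refs)
        if len(ind) >= threshold:
            hits.append((path, ind))
    hits.sort(key=lambda h: -len(h[1]))
    return hits


if __name__ == "__main__":
    for path, ind in suspicious(parse_hjt(SAMPLE_LOG)):
        print(path)
        for i in ind:
            print("   -", i)
```

Run on the sample, it reports only geBtTjgg.dll, with four indicators. NvCpl.dll also sits directly in system32 but collects a single indicator and stays below the threshold, which is the point of combining several weak signals instead of acting on any one of them.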
#2 - 06-13-2008, 09:08 PM
Registered User | Join Date: Jun 2008 | Posts: 13 | OS: xp home sp2

Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

BUMP. Tried DSS again with the /config command, still no txt files. DSS gets to Examining Event Logs (about 75% on the sliding progress bar) then disappears, nothing else happens.
-- mactheshiv
#3 - 06-13-2008, 09:41 PM
Moderator/Analyst, Security Team; Rangemaster, TSF Academy | Join Date: Oct 2006 | Posts: 4,232 | OS: Vista

Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Hi, welcome to tsf!

Sorry for the delay. You don't seem to have any antivirus program installed on your machine. Having no antivirus these days is an open invitation for malware to enter your system. I'll have you download one later.

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

________

HJT Uninstall list
  • Open HijackThis > Click "Misc Tools Section"
  • Click "Open Uninstall Manager".
  • Click "Save List".
  • Save it to your Desktop.
  • Copy the contents of the file to your next reply.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
-- Angelfire777
#4 - 06-13-2008, 10:01 PM
Registered User | Join Date: Jun 2008 | Posts: 13 | OS: xp home sp2

Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Thanks for your reply. I can see you guys are very busy. I have ZoneAlarm Security Suite with Antivirus & Antispyware installed. What I don't have is an XP CD. I started with Win98 and since then I have used online updates only. Can I download the Recovery Console?
-- mactheshiv
#5 - 06-13-2008, 10:10 PM
Moderator/Analyst, Security Team; Rangemaster, TSF Academy | Join Date: Oct 2006 | Posts: 4,232 | OS: Vista

Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Oh I see. No need for another antivirus then.

Yes, you can download the recovery console.
-- Angelfire777
#6 - 06-13-2008, 10:34 PM
Registered User | Join Date: Jun 2008 | Posts: 13 | OS: xp home sp2

Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

I downloaded a Recovery Console rc.iso file from TweakXP and burnt the image to cd. What do I do with it now? No winnt32.exe file found.
-- mactheshiv
#7 - 06-13-2008, 10:40 PM
Moderator/Analyst, Security Team; Rangemaster, TSF Academy | Join Date: Oct 2006 | Posts: 4,232 | OS: Vista

Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

I think you got things mixed up.

Since you don't have your CD, start in this part of the combofix tutorial:

Quote:
If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:

.......
-- Angelfire777
#8 - 06-13-2008, 11:16 PM
Registered User | Join Date: Jun 2008 | Posts: 13 | OS: xp home sp2

Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Yep, I was mixed up. I have downloaded the RC via ComboFix and that ran OK. After RC was installed I selected YES to continue with the scan, but I still had my AV/AS/firewall programs running, so I got prompted numerous times by ZoneAlarm. ComboFix continued to run (to me) as per the tutorial and produced the text file.

ComboFix 08-06-11.3 - Admin 2008-06-14 13:56:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2005 [GMT 8:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\inst.exe
C:\WINDOWS\Fonts\CALIBRIB.TTF

.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-12 12:43 . 2008-06-12 12:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-12 12:39 . 2008-06-12 12:39 <DIR> d-------- C:\Deckard
2008-06-12 12:20 . 2008-06-12 12:20 <DIR> d-------- C:\ZonedOut
2008-06-12 12:12 . 2008-06-12 12:12 <DIR> d-------- C:\ie-spyad_zo
2008-06-11 15:49 . 2008-06-11 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 15:49 . 2008-06-11 15:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-06-11 12:19 . 2008-06-11 12:19 172,968 --a------ C:\activescan2_en.exe
2008-06-11 11:25 . 2008-06-11 12:19 <DIR> d-------- C:\Program Files\Panda Security
2008-06-10 12:19 . 2008-06-10 12:53 <DIR> d-------- C:\McafeeRootkitDetective
2008-06-10 11:04 . 2008-06-10 11:08 <DIR> d-------- C:\Program Files\AoA Audio Extractor
2008-06-09 12:40 . 2008-06-10 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-09 12:39 . 2008-06-09 12:39 33,280 --a------ C:\WINDOWS\system32\geBtTjgg.dll
2008-06-09 11:50 . 2008-06-09 11:50 <DIR> d-------- C:\qscan_v1.0
2008-06-09 11:37 . 2008-06-09 11:37 <DIR> d-------- C:\Program Files\DVD Identifier
2008-06-09 11:20 . 2008-06-09 11:20 <DIR> d-------- C:\Program Files\DInfo
2008-06-09 11:20 . 2008-06-09 11:20 249,856 --------- C:\WINDOWS\Setup1.exe
2008-06-09 11:20 . 2008-06-09 11:20 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-06-09 10:52 . 2008-06-09 10:52 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-09 10:51 . 2008-06-09 10:51 <DIR> d-------- C:\Program Files\Real
2008-06-09 10:51 . 2008-06-09 10:51 <DIR> d-------- C:\Program Files\Common Files\Real
2008-06-09 09:25 . 2008-06-09 09:25 99,174 --a------ C:\WINDOWS\system32\ffdshow.reg
2008-06-08 17:20 . 2008-06-08 17:20 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-06-08 17:04 . 2008-06-08 17:04 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-06-08 17:04 . 2007-08-18 14:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-06-08 14:06 . 2008-06-14 13:30 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-01 14:55 . 2008-06-01 14:55 <DIR> d-------- C:\Program Files\Windows Resource Kits
2008-06-01 12:22 . 2008-06-01 13:34 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-06-01 12:22 . 2008-06-01 13:34 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-06-01 12:01 . 2008-06-01 12:01 <DIR> d-------- C:\DECCHECK
2008-06-01 09:42 . 2008-06-01 09:42 <DIR> d-------- C:\Program Files\KC Softwares
2008-05-31 08:56 . 2008-05-31 08:56 29 --a------ C:\WINDOWS\system32\backup.ini
2008-05-30 15:35 . 2008-05-30 15:35 <DIR> d-------- C:\Sta2Burn
2008-05-30 15:05 . 2008-05-30 15:05 <DIR> d-------- C:\Program Files\Uniblue
2008-05-30 14:40 . 2008-05-30 14:40 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2008-05-30 10:20 . 2008-06-09 14:19 <DIR> d-------- C:\Program Files\SpywareGuard
2008-05-30 10:02 . 2008-06-11 12:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-30 10:02 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-30 08:34 . 2008-05-30 08:34 <DIR> d-------- C:\Program Files\WinPcap
2008-05-30 08:34 . 2008-05-30 08:34 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-05-30 08:33 . 2008-05-30 08:36 <DIR> d-------- C:\Program Files\URLSnooper2
2008-05-30 08:33 . 2008-05-30 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DonationCoder
2008-05-29 10:44 . 2008-05-29 10:44 <DIR> d-------- C:\Program Files\GPLGS
2008-05-29 10:42 . 2008-05-29 10:42 <DIR> d-------- C:\Program Files\Acro Software
2008-05-29 10:42 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-27 11:53 . 2008-05-27 11:53 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\WinCare2008
2008-05-27 11:52 . 2008-05-27 12:01 <DIR> d-------- C:\Program Files\Spotmau WinCare 2008
2008-05-27 11:43 . 2008-02-22 19:30 334,792 --a------ C:\WINDOWS\system32\_AxShlEx.dll
2008-05-27 11:40 . 2008-05-27 11:40 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-27 11:36 . 2008-05-27 11:36 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-27 10:15 . 2008-05-27 10:15 <DIR> d-------- C:\Program Files\BurnAware Free Edition
2008-05-26 14:09 . 2008-05-26 14:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-26 14:09 . 2008-05-26 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 13:15 . 2008-05-26 13:15 <DIR> d-------- C:\Program Files\EasyFLV
2008-05-26 13:15 . 2004-03-09 00:00 224,016 --a------ C:\WINDOWS\system32\tabctl32.ocx
2008-05-26 13:15 . 2006-07-30 13:47 94,208 --a------ C:\WINDOWS\system32\clrcombo.ocx
2008-05-26 12:41 . 2008-05-26 13:04 <DIR> d-------- C:\Program Files\DVDFab 5
2008-05-26 12:41 . 2008-05-30 18:18 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Vso
2008-05-26 12:41 . 2008-05-26 12:41 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-26 12:41 . 2008-05-26 12:41 47,360 --a------ C:\Documents and Settings\Admin\Application Data\pcouffin.sys
2008-05-26 12:34 . 2008-06-01 17:27 <DIR> d-------- C:\DVDVideoSoft
2008-05-26 12:31 . 2008-05-26 12:31 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-26 12:31 . 2008-05-26 12:31 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-26 12:31 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-05-26 11:30 . 2008-05-26 11:42 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-23 16:22 . 2008-05-23 16:22 <DIR> d-------- C:\Program Files\Xilisoft
2008-05-22 14:49 . 2008-05-22 14:49 <DIR> d-------- C:\MEMTEST
2008-05-22 01:55 . 2008-05-22 01:55 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\vlc
2008-05-22 01:49 . 2008-05-22 01:49 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-21 14:05 . 2008-05-21 14:06 <DIR> d-------- C:\Program Files\BackRex Outlook Express Backup
2008-05-16 12:14 . 2008-05-30 17:18 <DIR> d-------- C:\Program Files\East-Tec Backup
2008-05-16 12:14 . 2008-06-11 14:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 11:32 . 2008-05-21 13:40 <DIR> d-------- C:\OziExplorer
2008-05-15 15:02 . 2008-05-15 15:02 <DIR> d-------- C:\Program Files\EasyGPS
2008-05-15 10:54 . 2008-05-15 10:54 <DIR> d-------- C:\Program Files\uTorrent
2008-05-15 10:54 . 2008-06-10 12:03 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\uTorrent
2008-05-14 16:07 . 2008-05-14 16:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-14 16:07 . 2008-05-14 16:07 <DIR> d-------- C:\MagellanDrivers
2008-05-14 15:40 . 2003-03-02 19:44 7,552 --a------ C:\WINDOWS\system32\drivers\enodpl.sys
2008-05-14 15:40 . 2003-04-19 02:32 4,736 --a------ C:\WINDOWS\system32\drivers\tandpl.sys
2008-05-14 15:27 . 2008-05-15 14:24 <DIR> d-------- C:\Program Files\Magellan
2008-05-14 15:27 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-05-14 15:27 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-05-14 15:13 . 2008-05-14 15:13 <DIR> d-------- C:\Documents and Settings\Admin\WINDOWS
2008-05-14 14:33 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-05-14 14:33 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-05-14 14:18 . 2008-05-22 12:09 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-05-14 14:18 . 2008-05-14 14:18 <DIR> d-------- C:\Downloads
2008-05-14 14:18 . 2008-06-09 11:33 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Orbit
2008-05-14 14:16 . 2008-05-14 14:16 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-14 14:10 . 2008-05-21 16:42 <DIR> d-------- C:\Program Files\ArtisanDVDPlayer
2008-05-14 14:03 . 2008-05-14 14:04 <DIR> d-------- C:\Program Files\Winamp
2008-05-14 14:03 . 2008-05-14 14:08 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Winamp
2008-05-14 13:56 . 2008-05-14 13:56 <DIR> d-------- C:\Intel
2008-05-14 13:50 . 2008-05-14 13:50 <DIR> d-------- C:\Program Files\PC User DVD Plus 2008
2008-05-14 13:46 . 2008-05-14 13:47 <DIR> d-------- C:\Program Files\TuneXP
2008-05-14 13:46 . 2008-05-14 13:46 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-05-14 13:44 . 2008-05-14 13:44 <DIR> d-------- C:\Program Files\Universal Extractor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 05:58 11,296,800 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-14 05:27 3,147,521 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-14 05:24 2,358,272 ----a-w C:\WINDOWS\Internet Logs\xDB35.tmp
2008-06-14 05:24 156,068 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-13 09:33 2,806,272 ----a-w C:\WINDOWS\Internet Logs\xDB34.tmp
2008-06-12 04:00 55,808 ----a-w C:\WINDOWS\Internet Logs\xDB33.tmp
2008-06-11 09:02 1,205,760 ----a-w C:\WINDOWS\Internet Logs\xDB32.tmp
2008-06-11 08:10 2,479,616 ----a-w C:\WINDOWS\Internet Logs\xDB31.tmp
2008-06-11 08:10 186,368 ----a-w C:\WINDOWS\Internet Logs\xDB30.tmp
2008-06-11 07:55 2,495,488 ----a-w C:\WINDOWS\Internet Logs\xDB2F.tmp
2008-06-11 07:55 2,439,168 ----a-w C:\WINDOWS\Internet Logs\xDB2E.tmp
2008-06-11 06:10 87,040 ----a-w C:\WINDOWS\Internet Logs\xDB2C.tmp
2008-06-11 06:10 2,477,568 ----a-w C:\WINDOWS\Internet Logs\xDB2D.tmp
2008-06-11 05:16 2,476,032 ----a-w C:\WINDOWS\Internet Logs\xDB2B.tmp
2008-06-11 05:16 1,888,256 ----a-w C:\WINDOWS\Internet Logs\xDB2A.tmp
2008-06-10 08:56 215,552 ----a-w C:\WINDOWS\Internet Logs\xDB29.tmp
2008-06-10 08:39 398,848 ----a-w C:\WINDOWS\Internet Logs\xDB28.tmp
2008-06-10 08:03 58,880 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp
2008-06-10 08:00 201,216 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp
2008-06-10 07:48 53,248 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp
2008-06-10 07:41 54,784 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2008-06-10 07:31 1,737,728 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-06-10 06:12 606,720 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2008-06-09 06:04 302,080 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp
2008-06-07 01:46 48,640 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp
2008-06-06 14:13 141,824 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-06-05 14:05 50,688 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-06-01 13:39 62,976 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-06-01 08:57 74,240 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-06-01 07:05 108,032 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-06-01 05:34 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-01 04:20 59,392 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-06-01 03:46 41,472 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-06-01 03:43 392,192 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-05-31 00:50 104,960 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-05-30 15:21 --------- d-----w C:\Program Files\PokerStars
2008-05-30 07:48 55,808 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-05-30 07:08 208,384 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-05-30 02:24 79,360 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-05-29 16:09 167,424 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-05-27 12:23 163,328 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-05-27 04:47 52,224 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-27 04:10 72,192 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-27 03:37 326,144 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-26 15:34 132,096 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-05-26 04:45 97,792 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-05-25 15:58 280,576 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-05-25 15:58 2,080,768 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-05-25 05:22 48,128 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-25 04:17 39,424 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-05-25 04:01 38,400 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-05-25 03:42 45,568 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-24 19:12 2,076,160 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-05-24 19:12 112,640 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-05-23 18:57 45,568 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-23 09:34 84,992 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-23 05:32 38,912 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-23 05:14 2,080,768 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-05-20 08:02 --------- d-----w C:\Program Files\Shoot! v3.2
2008-05-15 06:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 07:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-12 07:28 --------- d-----w C:\Program Files\Pinsoft
2008-05-10 09:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Program Files\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-05-10 07:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-09 05:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 14:14 --------- d-----w C:\Program Files\Microsoft Works
2008-05-07 13:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 10:45 --------- d-----w C:\Program Files\Quicken
2008-05-07 10:45 --------- d-----w C:\Program Files\Common Files\Palo Alto Software
2008-05-07 10:45 --------- d-----w C:\Program Files\Common Files\Intuit
2008-05-07 10:45 --------- d-----w C:\Documents and Settings\Admin\Application Data\Intuit
2008-05-07 10:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-05-06 15:19 --------- d-----w C:\Program Files\SonicWallES
2008-05-06 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-06 15:19 --------- d-----w C:\Documents and Settings\Admin\Application Data\MailFrontier
2008-05-06 15:14 --------- d-----w C:\Documents and Settings\Admin\Application Data\GetRight
2008-05-06 15:12 --------- d-----w C:\Program Files\GetRight
2008-05-06 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-06 13:13 --------- d-----w C:\Program Files\Zone Labs
2008-05-06 12:46 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-05-04 09:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\AVGTOOLBAR
2008-05-02 09:30 --------- d-----w C:\Program Files\AVG
2008-05-02 08:14 --------- d-----w C:\Program Files\Realtek
2008-05-02 08:12 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-02 08:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\InstallShield
2008-05-02 08:05 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-02 13:07 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-04-02 13:07 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]
2008-06-09 12:39 33280 --a------ C:\WINDOWS\system32\geBtTjgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@={D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@={8A814C29-D3CD-4F9E-9770-DF8704503ACA}

[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 17:05 348160 --a------ C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 17:05 348160 --a------ C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-17 10:30 16855552 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"MSConfig"="C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\MSconfig.exe" [2004-08-04 20:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8EA86503-476F-476A-A55A-7225082DF3EB}"= C:\WINDOWS\system32\geBtTjgg.dll [2008-06-09 12:39 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtTjgg]
geBtTjgg.dll 2008-06-09 12:39 33280 C:\WINDOWS\system32\geBtTjgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-04 10:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 20:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\East-Tec Backup 2008]
--a------ 2008-04-07 15:41 3923560 C:\Program Files\East-Tec Backup\etBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-09 10:51 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2008-04-28 00:20 649300 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-10 03:11]
R1 FolderProtectDriver;FolderProtectDriver;C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [2008-01-10 22:47]
R2 FolderProtectService;FolderProtectService;C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [2007-12-22 00:23]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-22 04:55]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 13:58:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\geBtTjgg.dll
.
Completion time: 2008-06-14 13:59:50
ComboFix-quarantined-files.txt 2008-06-14 05:59:46

Pre-Run: 67,608,756,224 bytes free
Post-Run: 67,570,212,864 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

304 --- E O F --- 2008-05-09 05:09:40
mactheshiv is offline  
Old 06-13-2008, 11:32 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 13
OS: xp home sp2


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Sorry, I forgot the HJT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:28 PM, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\CAP4RSK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8EA86503-476F-476A-A55A-7225082DF3EB} - C:\WINDOWS\system32\geBtTjgg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\MSconfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209719645000
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} -
O20 - Winlogon Notify: geBtTjgg - C:\WINDOWS\SYSTEM32\geBtTjgg.dll
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6540 bytes
mactheshiv is offline  
Old 06-13-2008, 11:33 PM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

You forgot to post the hijackthis uninstall list too.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 06-13-2008, 11:34 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 13
OS: xp home sp2


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

And the HJT uninstall list:

ACDSee 5.0 Standard
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11
AoA Audio Extractor 1.0
Artisan DVD/DivX Player
BackRex Outlook Express Backup
BurnAware Free Edition 1.2.9
Canon LBP3200
CutePDF Writer 2.7
DVD Identifier
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.0.2.2
East-Tec Backup 2008 2.0
EasyFLV FLV Converter Ver 7 build 0.0.1
EasyGPS 2.8.5
eXplorist Wizard
Free YouTube Download 2.2
GetRight
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Karen's Drive Info
KC Softwares VideoInspector
MapSend Lite
MapSend Manager
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox (3.0b5)
NVIDIA Drivers
Orbit Downloader
OziExplorer 3.95
Panda ActiveScan 2.0
PokerStars
Quicken 2008
RealPlayer
Realtek High Definition Audio Driver
Registry Mechanic 7.0
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Shoot! v3.2
Silhouette Shooter v1.0
Spotmau Wincare 2008
Spybot - Search & Destroy
SpywareBlaster 4.0
SpywareGuard v2.2
TuneXP 1.5
Tweak UI
Uniblue RegistryBooster 2
Uninstall 1.0.0.0
Universal Extractor 1.5
Update for Office 2007 (KB946691)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URL Snooper v2.20.02
VantagePoint
VantagePoint
Video Editor
VideoLAN VLC media player 0.8.6f
Winamp
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinPcap 4.1 beta
XP Codec Pack
ZoneAlarm Security Suite
mactheshiv is offline  
Old 06-13-2008, 11:52 PM   #12 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Thanks. I'll get back to you tomorrow.

It's midnight here already and it's time for bed.
Angelfire777 is offline  
Old 06-13-2008, 11:58 PM   #13 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 13
OS: xp home sp2


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Thanks for your help. Nearly 3.00 pm here. I finish work at 2.00 am my time and will log on then, barring any overtime.
mactheshiv is offline  
Old 06-14-2008, 10:27 AM   #14 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Hi,

Make sure you don't forget to disable Zonealarm the next time I ask you to run combofix. As you have seen, it could've interfered with it.

Do you have utorrent installed on your machine?

Some programs I recommend you uninstall from your system:

PokerStars
Programs like this normally have some sort of malware bundled in them. They sometimes serve as vectors for malware to enter your system. Please uninstall it if you do not play it.

Registry Mechanic 7.0
Uniblue RegistryBooster 2

Registry cleaners usually do more good than harm. We do not recommend such products on your system.
More info could be found here: http://aumha.net/viewtopic.php?t=28099

*If you decide to uninstall them, click start > control panel > add/remove programs > uninstall them.
________
  • Open notepad.
  • Copy and paste the text inside the code box below to notepad
Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/258439-removal-trojan-win32-monder-gen-step-2-fails.html
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8EA86503-476F-476A-A55A-7225082DF3EB}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtTjgg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[-HKEY_CLASSES_ROOT\CLSID\{A90A5822-F108-45AD-8482-9BC8B12DD539}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A90A5822-F108-45AD-8482-9BC8B12DD539}]
Collect::
C:\WINDOWS\system32\geBtTjgg.dll
Filelook::
C:\WINDOWS\HideWin.exe
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • Combofix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log along with a fresh HijackThis log.
  • Additionally, please follow all of combofix's instructions regarding the submission of some malware for analysing and make sure that you don't leave that part out.
_______

We will need to install the latest version of Java before you can perform the kaspersky scan.

Download Java Runtime Environment 6u6, and install it to your computer.
_______

Please do an online scan with Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the licence is accepted, reset to 100%.

On your next reply, please include a
  • Fresh HijackThis log.
  • kaspersky scan log
  • combofix log

Last edited by Angelfire777; 06-14-2008 at 10:29 AM.
Angelfire777 is offline  
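The ComboFix log earlier in the thread shows the same DLL registered in three places at once: as a Browser Helper Object, as a ShellExecuteHook, and as a Winlogon Notify package. Those three keys are the ones the CFScript above removes. The script below is an added triage example for anyone reading this thread later; it is not code from the forum, from ComboFix or from HijackThis. It walks those three locations on a Windows machine, resolves each CLSID to the DLL it loads, and reports the file's Authenticode status and company name, so an unnamed, unsigned DLL in system32 stands out the way geBtTjgg.dll did. The function names (Resolve-ClsidDll, Expand-Dll, Get-PersistenceEntries) are my own; it assumes PowerShell 3.0 or later and an elevated prompt, and it only reads the registry, it changes nothing.

```powershell
# Added example, not part of the original thread: list what the three
# persistence locations seen in the log point at, with signature status.
# Assumes PowerShell 3.0+ (for [PSCustomObject]) run from an elevated prompt.
# Read-only: nothing is deleted or modified.

$locations = @(
    # BHOs and ShellExecuteHooks are keyed by CLSID; the DLL is the CLSID's InprocServer32.
    @{ Name = 'BHO';              Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Clsid = $true },
    @{ Name = 'ShellExecuteHook'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks';     Clsid = $true },
    # Winlogon Notify subkeys name the DLL directly in a DLLName value.
    @{ Name = 'WinlogonNotify';   Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify';             Clsid = $false }
)

function Resolve-ClsidDll([string]$clsid) {
    # The default value of InprocServer32 holds the path of an in-process COM server.
    $p = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (Test-Path $p) { (Get-ItemProperty -Path $p).'(default)' }
}

function Expand-Dll([string]$path) {
    # Notify packages are often bare file names; Windows resolves those from system32.
    $expanded = [Environment]::ExpandEnvironmentVariables($path).Trim('"')
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path $env:SystemRoot "system32\$expanded"
    }
    $expanded
}

function Get-PersistenceEntries {
    foreach ($loc in $locations) {
        if (-not (Test-Path $loc.Key)) { continue }
        if ($loc.Name -eq 'ShellExecuteHook') {
            # Hooks are value names (the CLSIDs) on the key itself, not subkeys.
            $props = Get-ItemProperty -Path $loc.Key
            $ids = $props.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object { $_.Name }
        } else {
            $ids = Get-ChildItem -Path $loc.Key | ForEach-Object { $_.PSChildName }
        }
        foreach ($id in $ids) {
            if ($loc.Clsid) {
                $dll = Resolve-ClsidDll $id
            } else {
                $dll = (Get-ItemProperty -Path (Join-Path $loc.Key $id)).DLLName
            }
            if (-not $dll) { continue }
            $full    = Expand-Dll $dll
            $exists  = Test-Path $full
            $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $full).Status } else { 'FileMissing' }
            $company = if ($exists) { (Get-Item $full).VersionInfo.CompanyName } else { $null }
            [PSCustomObject]@{
                Location   = $loc.Name
                Id         = $id
                Dll        = $full
                Signature  = $sig
                Company    = $company
                # Unsigned and no vendor name is the profile of the DLL in the log above.
                # Treat a flag as a lead for a second look, not as a verdict.
                Suspicious = ($sig -ne 'Valid' -and -not $company)
            }
        }
    }
}

Get-PersistenceEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a 64-bit Windows install the 32-bit BHO list lives under the Wow6432Node branch as well, which this example does not walk; the same loop works there with the key path changed. A flagged row is a reason to look at the file (hash it, check its creation time against the log's "Files Created" section), not proof of infection, since some legitimate shell extensions also ship unsigned.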
Old 06-14-2008, 11:30 AM   #15 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 13
OS: xp home sp2


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Hello again. I do have utorrent, which has no uninstall link.
I have uninstalled Pokerstars, Registry Mechanic and Uniblue RegistryBooster via control panel/add-remove programs. What about utorrent?
mactheshiv is offline  
Old 06-14-2008, 12:16 PM   #16 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

If you want to uninstall it,

click start > run > copy and paste:

"C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL

Click "yes" when it asks you if you want to uninstall. Then proceed with the next steps.
Angelfire777 is offline  
Old 06-14-2008, 06:31 PM   #17 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 13
OS: xp home sp2


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Have run ComboFix with CFScript.txt, log uploaded to BleepingComputer.

ComboFix 08-06-11.3 - Admin 2008-06-15 9:08:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2127 [GMT 8:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\geBtTjgg.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-12 12:43 . 2008-06-12 12:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-12 12:39 . 2008-06-12 12:39 <DIR> d-------- C:\Deckard
2008-06-12 12:20 . 2008-06-12 12:20 <DIR> d-------- C:\ZonedOut
2008-06-12 12:12 . 2008-06-12 12:12 <DIR> d-------- C:\ie-spyad_zo
2008-06-11 15:49 . 2008-06-11 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 15:49 . 2008-06-11 15:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-06-11 12:19 . 2008-06-11 12:19 172,968 --a------ C:\activescan2_en.exe
2008-06-11 11:25 . 2008-06-11 12:19 <DIR> d-------- C:\Program Files\Panda Security
2008-06-10 12:19 . 2008-06-10 12:53 <DIR> d-------- C:\McafeeRootkitDetective
2008-06-10 11:04 . 2008-06-10 11:08 <DIR> d-------- C:\Program Files\AoA Audio Extractor
2008-06-09 12:40 . 2008-06-10 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-09 11:50 . 2008-06-09 11:50 <DIR> d-------- C:\qscan_v1.0
2008-06-09 11:37 . 2008-06-09 11:37 <DIR> d-------- C:\Program Files\DVD Identifier
2008-06-09 11:20 . 2008-06-09 11:20 <DIR> d-------- C:\Program Files\DInfo
2008-06-09 11:20 . 2008-06-09 11:20 249,856 --------- C:\WINDOWS\Setup1.exe
2008-06-09 11:20 . 2008-06-09 11:20 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-06-09 10:52 . 2008-06-09 10:52 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-09 10:51 . 2008-06-09 10:51 <DIR> d-------- C:\Program Files\Real
2008-06-09 10:51 . 2008-06-09 10:51 <DIR> d-------- C:\Program Files\Common Files\Real
2008-06-09 09:25 . 2008-06-09 09:25 99,174 --a------ C:\WINDOWS\system32\ffdshow.reg
2008-06-08 17:20 . 2008-06-08 17:20 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-06-08 17:04 . 2008-06-08 17:04 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-06-08 17:04 . 2007-08-18 14:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-06-08 14:06 . 2008-06-15 09:01 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-01 14:55 . 2008-06-01 14:55 <DIR> d-------- C:\Program Files\Windows Resource Kits
2008-06-01 12:22 . 2008-06-01 13:34 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-06-01 12:22 . 2008-06-01 13:34 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-06-01 12:01 . 2008-06-01 12:01 <DIR> d-------- C:\DECCHECK
2008-06-01 09:42 . 2008-06-01 09:42 <DIR> d-------- C:\Program Files\KC Softwares
2008-05-31 08:56 . 2008-05-31 08:56 29 --a------ C:\WINDOWS\system32\backup.ini
2008-05-30 15:35 . 2008-05-30 15:35 <DIR> d-------- C:\Sta2Burn
2008-05-30 15:05 . 2008-05-30 15:05 <DIR> d-------- C:\Program Files\Uniblue
2008-05-30 14:40 . 2008-05-30 14:40 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2008-05-30 10:20 . 2008-06-09 14:19 <DIR> d-------- C:\Program Files\SpywareGuard
2008-05-30 10:02 . 2008-06-11 12:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-30 10:02 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-30 08:34 . 2008-05-30 08:34 <DIR> d-------- C:\Program Files\WinPcap
2008-05-30 08:34 . 2008-05-30 08:34 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat
2008-05-30 08:33 . 2008-05-30 08:36 <DIR> d-------- C:\Program Files\URLSnooper2
2008-05-30 08:33 . 2008-05-30 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DonationCoder
2008-05-29 10:44 . 2008-05-29 10:44 <DIR> d-------- C:\Program Files\GPLGS
2008-05-29 10:42 . 2008-05-29 10:42 <DIR> d-------- C:\Program Files\Acro Software
2008-05-29 10:42 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-27 11:53 . 2008-05-27 11:53 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\WinCare2008
2008-05-27 11:52 . 2008-05-27 12:01 <DIR> d-------- C:\Program Files\Spotmau WinCare 2008
2008-05-27 11:43 . 2008-02-22 19:30 334,792 --a------ C:\WINDOWS\system32\_AxShlEx.dll
2008-05-27 11:40 . 2008-05-27 11:40 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-27 11:36 . 2008-05-27 11:36 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-27 10:15 . 2008-05-27 10:15 <DIR> d-------- C:\Program Files\BurnAware Free Edition
2008-05-26 14:09 . 2008-05-26 14:09 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-26 14:09 . 2008-05-26 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 13:15 . 2008-05-26 13:15 <DIR> d-------- C:\Program Files\EasyFLV
2008-05-26 13:15 . 2004-03-09 00:00 224,016 --a------ C:\WINDOWS\system32\tabctl32.ocx
2008-05-26 13:15 . 2006-07-30 13:47 94,208 --a------ C:\WINDOWS\system32\clrcombo.ocx
2008-05-26 12:41 . 2008-05-26 13:04 <DIR> d-------- C:\Program Files\DVDFab 5
2008-05-26 12:41 . 2008-05-30 18:18 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Vso
2008-05-26 12:41 . 2008-05-26 12:41 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-26 12:41 . 2008-05-26 12:41 47,360 --a------ C:\Documents and Settings\Admin\Application Data\pcouffin.sys
2008-05-26 12:34 . 2008-06-01 17:27 <DIR> d-------- C:\DVDVideoSoft
2008-05-26 12:31 . 2008-05-26 12:31 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-26 12:31 . 2008-05-26 12:31 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-26 12:31 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-05-26 11:30 . 2008-05-26 11:42 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-23 16:22 . 2008-05-23 16:22 <DIR> d-------- C:\Program Files\Xilisoft
2008-05-22 14:49 . 2008-05-22 14:49 <DIR> d-------- C:\MEMTEST
2008-05-22 01:55 . 2008-05-22 01:55 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\vlc
2008-05-22 01:49 . 2008-05-22 01:49 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-21 14:05 . 2008-05-21 14:06 <DIR> d-------- C:\Program Files\BackRex Outlook Express Backup
2008-05-16 12:14 . 2008-05-30 17:18 <DIR> d-------- C:\Program Files\East-Tec Backup
2008-05-16 12:14 . 2008-06-11 14:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 11:32 . 2008-05-21 13:40 <DIR> d-------- C:\OziExplorer
2008-05-15 15:02 . 2008-05-15 15:02 <DIR> d-------- C:\Program Files\EasyGPS
2008-05-15 10:54 . 2008-06-15 09:03 <DIR> d-------- C:\Program Files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 01:14 11,355,936 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-15 01:09 157,268 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-14 18:59 1,369,600 ----a-w C:\WINDOWS\Internet Logs\xDB37.tmp
2008-06-14 18:23 --------- d-----w C:\Program Files\PokerStars
2008-06-14 07:09 2,505,216 ----a-w C:\WINDOWS\Internet Logs\xDB36.tmp
2008-06-14 05:27 3,147,521 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-14 05:24 2,358,272 ----a-w C:\WINDOWS\Internet Logs\xDB35.tmp
2008-06-13 09:33 2,806,272 ----a-w C:\WINDOWS\Internet Logs\xDB34.tmp
2008-06-12 04:00 55,808 ----a-w C:\WINDOWS\Internet Logs\xDB33.tmp
2008-06-11 09:02 1,205,760 ----a-w C:\WINDOWS\Internet Logs\xDB32.tmp
2008-06-11 08:10 2,479,616 ----a-w C:\WINDOWS\Internet Logs\xDB31.tmp
2008-06-11 08:10 186,368 ----a-w C:\WINDOWS\Internet Logs\xDB30.tmp
2008-06-11 07:55 2,495,488 ----a-w C:\WINDOWS\Internet Logs\xDB2F.tmp
2008-06-11 07:55 2,439,168 ----a-w C:\WINDOWS\Internet Logs\xDB2E.tmp
2008-06-11 06:10 87,040 ----a-w C:\WINDOWS\Internet Logs\xDB2C.tmp
2008-06-11 06:10 2,477,568 ----a-w C:\WINDOWS\Internet Logs\xDB2D.tmp
2008-06-11 05:16 2,476,032 ----a-w C:\WINDOWS\Internet Logs\xDB2B.tmp
2008-06-11 05:16 1,888,256 ----a-w C:\WINDOWS\Internet Logs\xDB2A.tmp
2008-06-10 08:56 215,552 ----a-w C:\WINDOWS\Internet Logs\xDB29.tmp
2008-06-10 08:39 398,848 ----a-w C:\WINDOWS\Internet Logs\xDB28.tmp
2008-06-10 08:03 58,880 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp
2008-06-10 08:00 201,216 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp
2008-06-10 07:48 53,248 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp
2008-06-10 07:41 54,784 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2008-06-10 07:31 1,737,728 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-06-10 06:12 606,720 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2008-06-09 06:04 302,080 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp
2008-06-09 03:33 --------- d-----w C:\Documents and Settings\Admin\Application Data\Orbit
2008-06-07 01:46 48,640 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp
2008-06-06 14:13 141,824 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-06-05 14:05 50,688 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-06-01 13:39 62,976 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-06-01 08:57 74,240 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-06-01 07:05 108,032 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-06-01 05:34 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-01 04:20 59,392 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-06-01 03:46 41,472 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-06-01 03:43 392,192 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-05-31 00:50 104,960 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-05-30 07:48 55,808 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-05-30 07:08 208,384 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-05-30 02:24 79,360 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-05-29 16:09 167,424 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-05-27 12:23 163,328 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-05-27 04:47 52,224 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-27 04:10 72,192 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-27 03:37 326,144 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-26 15:34 132,096 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-05-26 04:45 97,792 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-05-25 15:58 280,576 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-05-25 15:58 2,080,768 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-05-25 05:22 48,128 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-25 04:17 39,424 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-05-25 04:01 38,400 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-05-25 03:42 45,568 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-24 19:12 2,076,160 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-05-24 19:12 112,640 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-05-23 18:57 45,568 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-23 09:34 84,992 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-23 05:32 38,912 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-23 05:14 2,080,768 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-05-22 04:09 --------- d-----w C:\Program Files\Orbitdownloader
2008-05-21 08:42 --------- d-----w C:\Program Files\ArtisanDVDPlayer
2008-05-20 08:02 --------- d-----w C:\Program Files\Shoot! v3.2
2008-05-15 06:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-15 06:24 --------- d-----w C:\Program Files\Magellan
2008-05-14 07:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-14 06:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\Winamp
2008-05-14 06:04 --------- d-----w C:\Program Files\Winamp
2008-05-14 05:50 --------- d-----w C:\Program Files\PC User DVD Plus 2008
2008-05-14 05:47 --------- d-----w C:\Program Files\TuneXP
2008-05-14 05:46 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-05-14 05:44 --------- d-----w C:\Program Files\Universal Extractor
2008-05-12 07:28 --------- d-----w C:\Program Files\Pinsoft
2008-05-10 09:04 --------- d-----w C:\Documents and Settings\Admin\Application Data\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Program Files\ACD Systems
2008-05-10 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-05-10 07:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-09 05:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 14:14 --------- d-----w C:\Program Files\Microsoft Works
2008-05-07 13:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 10:45 --------- d-----w C:\Program Files\Quicken
2008-05-07 10:45 --------- d-----w C:\Program Files\Common Files\Palo Alto Software
2008-05-07 10:45 --------- d-----w C:\Program Files\Common Files\Intuit
2008-05-07 10:45 --------- d-----w C:\Documents and Settings\Admin\Application Data\Intuit
2008-05-07 10:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-05-06 15:19 --------- d-----w C:\Program Files\SonicWallES
2008-05-06 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-06 15:19 --------- d-----w C:\Documents and Settings\Admin\Application Data\MailFrontier
2008-05-06 15:14 --------- d-----w C:\Documents and Settings\Admin\Application Data\GetRight
2008-05-06 15:12 --------- d-----w C:\Program Files\GetRight
2008-05-06 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-05-06 13:13 --------- d-----w C:\Program Files\Zone Labs
2008-05-06 12:46 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-05-04 09:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\AVGTOOLBAR
2008-05-02 09:30 --------- d-----w C:\Program Files\AVG
2008-05-02 08:14 --------- d-----w C:\Program Files\Realtek
2008-05-02 08:12 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-02 08:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\InstallShield
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- C:\WINDOWS\HideWin.exe ----
Company: Realtek Semiconductor Corp.
File Description: Hide Windows
File Version: 1.0.0.1
Product Name: HD Audio Hide windows program
Copyright: Realtek Semiconductor Corp. All rights reserved.
Original file name: HideWin.exe
MD5: 2d65f8db74c36819896cf809e4375f0a


((((((((((((((((((((((((((((( snapshot@2008-06-14_13.59.22.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 05:27:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 01:11:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-14 05:27:33 394,504 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-06-15 01:11:56 395,148 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-06-14 05:58:25 110,080 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-06-15 01:07:43 110,080 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@={D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@={8A814C29-D3CD-4F9E-9770-DF8704503ACA}

[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 17:05 348160 --a------ C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 17:05 348160 --a------ C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-17 10:30 16855552 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"MSConfig"="C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\MSconfig.exe" [2004-08-04 20:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtTjgg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-04 10:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 20:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\East-Tec Backup 2008]
--a------ 2008-04-07 15:41 3923560 C:\Program Files\East-Tec Backup\etBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-09 10:51 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-10 03:11]
R1 FolderProtectDriver;FolderProtectDriver;C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [2008-01-10 22:47]
R2 FolderProtectService;FolderProtectService;C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [2007-12-22 00:23]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-22 04:55]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 09:14:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2008-06-15 9:18:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 01:18:02
ComboFix2.txt 2008-06-14 05:59:51

Pre-Run: 67,568,005,120 bytes free
Post-Run: 67,556,122,624 bytes free

303 --- E O F --- 2008-05-09 05:09:40

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:56 AM, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\MSconfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209719645000
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6098 bytes
Old 06-14-2008, 08:53 PM   #18 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Did you perform the online scan?

If you did, please post the log. If not, please do the online scan so we could continue cleaning your machine.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 06-14-2008, 08:55 PM   #19 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 13
OS: xp home sp2


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Just finished the scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 15, 2008 02:05:25
Records in database: 865003
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 63649
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:37:17


File name / Threat name / Threats count
C:\Documents and Settings\Admin\Desktop\[4]-Submit_2008-06-15@9.08.zip Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\WanPacket.dll Infected: Backdoor.Win32.ForBot.aj 1

The selected area was scanned.
Old 06-14-2008, 09:19 PM   #20 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Removal of Trojan.Win32.Monder.Gen STEP 2 fails

Hi,

You can delete these folders now because you have already uninstalled the programs:

C:\Program Files\Uniblue
C:\Documents and Settings\Admin\Application Data\Uniblue
C:\Program Files\uTorrent
C:\Program Files\PokerStars

Delete this file on your desktop: [4]-Submit_2008-06-15@9.08.zip

The other infection that Kaspersky detected is a false positive. It's a dll from WinPcap.

How is it running?
Copyright 2001 - 2009, Tech Support Forum