What did combofix.exe do?

Respital

Active Member
Hey cf... :cool:
I just ran combofix.exe...
Can someone tell me what it did? :confused:
Here's the log file:

ComboFix 08-06-20.4 - mdg 06/26/2008 21:56:19.1 - NTFSx86
Running from: C:\Documents and Settings\mdg\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\sysdm.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 01:59 --------- d-----w C:\Program Files\PeerGuardian2
2008-06-27 01:56 --------- d-----w C:\Documents and Settings\mdg\Application Data\uTorrent
2008-06-27 00:00 --------- d-----w C:\Program Files\SiteAdvisor
2008-06-26 23:50 2,414 ----a-w C:\WINDOWS\system32\tmp.reg
2008-06-26 21:50 --------- d-----w C:\Documents and Settings\mdg\Application Data\OpenOffice.org2
2008-06-26 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-26 20:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 20:09 --------- d-----w C:\Program Files\CyberLink
2008-06-26 19:56 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-06-26 19:55 --------- d-----w C:\Program Files\Java
2008-06-26 19:40 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-26 02:58 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-06-26 02:58 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-06-26 02:58 --------- d-----w C:\Program Files\Real
2008-06-26 02:58 --------- d-----w C:\Program Files\Common Files\xing shared
2008-06-26 02:58 --------- d-----w C:\Program Files\Common Files\Real
2008-06-26 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 02:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-26 02:49 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 02:49 --------- d-----w C:\Documents and Settings\mdg\Application Data\Malwarebytes
2008-06-26 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 02:30 --------- d-----w C:\Program Files\Google Earth Pro 4.2
2008-06-26 02:01 --------- d-----w C:\Program Files\McAfee
2008-06-24 17:10 --------- d-----w C:\Program Files\Infogrames Interactive
2008-06-24 03:34 82,432 ----a-w C:\WINDOWS\system32\IEDFix.C.exe
2008-06-23 17:38 --------- d-----w C:\Program Files\SpeedFan
2008-06-23 17:38 --------- d-----w C:\Program Files\ShortKeys2
2008-06-23 00:01 --------- d-----w C:\Documents and Settings\mdg\Application Data\SiteAdvisor
2008-06-19 21:48 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 21:47 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-18 19:16 2,842 -c--a-w C:\Documents and Settings\Kuzniak\Application Data\wklnhst.dat
2008-06-18 18:30 --------- d-----w C:\Documents and Settings\Kuzniak\Application Data\Skype
2008-06-18 18:28 --------- d-----w C:\Documents and Settings\Kuzniak\Application Data\McAfee
2008-06-18 18:27 --------- d-----w C:\Documents and Settings\Kuzniak\Application Data\SiteAdvisor
2008-06-18 03:03 --------- d-----w C:\Program Files\Yahoo!
2008-06-18 02:48 --------- d-----w C:\Program Files\Lavasoft
2008-06-18 02:48 --------- d-----w C:\Documents and Settings\mdg\Application Data\Lavasoft
2008-06-18 02:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-18 02:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 17:26 --------- d-----w C:\Program Files\HammerHead
2008-06-17 00:06 10,942 -c--a-w C:\Documents and Settings\mdg\Application Data\wklnhst.dat
2008-06-11 22:42 --------- d-----w C:\Program Files\Steam
2008-06-01 00:44 --------- d-----w C:\Documents and Settings\mdg\Application Data\Nero
2008-06-01 00:41 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-01 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-01 00:38 --------- d-----w C:\Program Files\Nero
2008-05-31 21:14 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-30 23:25 106 ----a-w C:\delete.bat
2008-05-30 15:02 --------- d-----w C:\Documents and Settings\mdg\Application Data\McAfee
2008-05-30 15:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-29 13:35 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-05-28 23:19 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-05-28 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-28 23:18 --------- d-----w C:\Program Files\Common Files\McAfee
2008-05-28 23:16 --------- d-----w C:\Program Files\McAfee.com
2008-05-28 23:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-26 02:52 --------- d-----w C:\Program Files\Paint.NET
2008-05-26 02:51 --------- d-----w C:\Program Files\QuickTime
2008-05-26 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-24 04:11 --------- d-----w C:\Documents and Settings\mdg\Application Data\HPAppData
2008-05-24 00:54 --------- d-----w C:\Program Files\7-Zip
2008-05-23 22:21 81,920 ----a-w C:\WINDOWS\system32\404Fix.exe
2008-05-22 17:33 --------- d-----w C:\Program Files\Trymedia
2008-05-20 23:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-20 21:11 --------- d-----w C:\Documents and Settings\mdg\Application Data\HP
2008-05-19 01:40 82,944 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-05-18 22:17 --------- d-----w C:\Program Files\nLite
2008-05-18 21:16 --------- d-----w C:\Documents and Settings\LocalService\Application Data\HP
2008-05-18 21:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2008-05-18 21:14 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\HPAppData
2008-05-18 21:14 --------- d-----w C:\Program Files\HP
2008-05-18 21:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-05-18 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-18 21:11 --------- d-----w C:\Program Files\Common Files\HP
2008-05-18 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-05-18 21:10 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-18 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-05-18 18:35 --------- d-----w C:\Program Files\Copysafe
2008-05-18 18:35 --------- d-----w C:\Program Files\ATITool
2008-05-18 17:58 --------- d-----w C:\Program Files\Incomplete
2008-05-18 02:19 --------- d-----w C:\Program Files\Lavalys
2008-05-18 01:48 --------- d-----w C:\Program Files\Electronic Arts
2008-05-16 21:59 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-05-16 21:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-16 20:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-16 17:41 --------- d-----w C:\Documents and Settings\mdg\Application Data\Skype
2008-05-16 17:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-12 16:23 --------- d-----w C:\Documents and Settings\mdg\Application Data\Xfire
2008-05-11 20:47 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-11 20:47 --------- d-----w C:\Documents and Settings\mdg\Application Data\SUPERAntiSpyware.com
2008-05-11 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-11 20:41 --------- d-----w C:\Program Files\Trend Micro
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2007-04-29 21:26 374 -c--a-w C:\Documents and Settings\mdg\Application Data\internaldb6334.dat
2007-04-29 21:25 18,432 ----a-w C:\Documents and Settings\mdg\Application Data\internaldb41.dat
2007-04-29 21:24 538 -c--a-w C:\Documents and Settings\mdg\Application Data\internaldb8467.dat
2006-12-06 03:57 59,952 -c--a-w C:\Documents and Settings\Kuzniak\Application Data\GDIPFONTCACHEV1.DAT
2007-10-17 00:35 56 --sh--r C:\WINDOWS\system32\CF7EBFD16D.sys
2007-10-17 00:38 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

06/13/2007 06:23 1617920 5411554c84b28fc522ca788aaf3d2e44 C:\WINDOWS\explorer.exe
06/13/2007 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
08/10/2004 08:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
06/13/2007 06:23 1617920 5411554c84b28fc522ca788aaf3d2e44 C:\WINDOWS\icon_TMP\explorer.exe
06/13/2007 06:23 4918784 a4d32bd82c68d8f1407064ad8d2b9ccb C:\WINDOWS\system_backup\explorer.exe
06/13/2007 06:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\VCP_SAVE\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 2097488]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [09/18/2005 18:40 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 05:04 59392]
"RTHDCPL"="RTHDCPL.EXE" [02/26/2007 15:03 16125440 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 18:43 69632 C:\WINDOWS\Alcmtr.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/12/2005 14:43 45056]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [03/11/2007 21:34 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 23:37 413696]
"Cleanup"="C:\DOCUME~1\mdg\LOCALS~1\Temp\2008528191321_mcappins.exe" [ ]
"msci"="C:\DOCUME~1\mdg\LOCALS~1\Temp\2008528191318_mcinfo.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [06/21/2007 19:12 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [11/30/2007 05:42 1164576]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [01/16/2007 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [01/08/2007 11:22 20480]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 19:12 582992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/25/2008 22:58 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 144784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^mdg^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\mdg\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 09/18/2007 10:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
--a------ 03/15/2007 23:58 781992 C:\FRAPS\FRAPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iconcache]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
C:\Program Files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
C:\Program Files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 10/13/2004 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 12/03/2007 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 03/01/2007 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 09/18/2005 18:40 1421824 C:\Program Files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 03/28/2008 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 08/31/2007 17:40 22879528 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 05/16/2006 18:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 12/02/2007 14:58 1266936 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 09/25/2007 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 02/29/2008 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 06/29/2006 19:55 707376 C:\WINDOWS\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"NBService"=3 (0x3)
"LightScribeService"=2 (0x2)
"Dcfssvc"=2 (0x2)
"BITS"=2 (0x2)
"ATI Smart"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Steam\\steamapps\\kuzniak2\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\kuzniak2\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Steam\\steamapps\\kuzniak2\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

*Newly Created Service* - 0233271214445745MCINSTCLEANUP
*Newly Created Service* - CATCHME
*Newly Created Service* - KLIF
*Newly Created Service* - NPKCRYPT
*Newly Created Service* - NPPTNT2
*Newly Created Service* - PGFILTER
*Newly Created Service* - SITEADVISOR_SERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 23:16:37 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-28 23:16:36 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 22:00:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 06/26/2008 22:01:47
ComboFix-quarantined-files.txt 2008-06-27 02:01:37

Pre-Run: 155,036,164,096 bytes free
Post-Run: 155,401,019,392 bytes free

279 --- E O F --- 2008-05-11 20:00:11
 
Yeah, you also scanned for newly created services, hidden processes, hidden files, and for rootkits. I don't think this is all of it.
 
Have you been using this computer a lot?

I find it weird that no file has been created for a month...
 
Let's get results from different scanners:

Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.


Run Kaspersky Online AV Scanner
Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box, then click the down arrow to the right of Save as type: and select text file (*.txt).
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
 
Thanks Punk...
But I don't think any of that is necessary.
I just ran ComboFix to see what it would do.
Thanks anyway though.

P.S.: My computer runs like a dream and always will. :)
 
Those are only scanners.

It's up to you ;)
 
Deckard's System Scanner v20071014.68
Run by mdg on 2008-06-29 14:42:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
82: 2008-06-29 18:43:00 UTC - RP483 - Deckard's System Scanner Restore Point
81: 2008-06-28 18:34:04 UTC - RP482 - System Checkpoint
80: 2008-06-27 14:54:40 UTC - RP481 - Software Distribution Service 3.0
79: 2008-06-26 21:57:59 UTC - RP480 - Removed Kaspersky Anti-Virus 7.0.
78: 2008-06-26 20:13:06 UTC - RP479 - Installed Kaspersky Anti-Virus 7.0.


-- First Restore Point --
1: 2008-05-11 16:25:06 UTC - RP402 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as mdg.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:06 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\mdg\Desktop\AlwaysOnTopMaker.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\mdg\Desktop\dss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mdg.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {D554A583-D4CF-4A6F-B07A-CB25F60FA743} - C:\WINDOWS\system32\qoMgeDTJ.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qoMgeDTJ - C:\WINDOWS\SYSTEM32\qoMgeDTJ.dll
O23 - Service: McAfee Application Installer Cleanup (0233271214445745) (0233271214445745mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\023327~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 9577 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080517-220506-106 O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mdg\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
backup-20080517-220506-212 O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
backup-20080517-220506-433 O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
backup-20080517-220506-516 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080521-232528-157 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm035YYCA
backup-20080528-191551-667 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080606-203017-412 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080621-144706-338 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ATITool (ATITool Overclocking Utility) - c:\windows\system32\drivers\atitool.sys <Not Verified; ; Low-Level Driver>
R2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 pgfilter - c:\program files\peerguardian2\pgfilter.sys

S2 ASInsHelp - c:\windows\system32\drivers\asinshelp32.sys (file missing)
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 cheetah1 - c:\docume~1\mdg\locals~1\temp\rar$ex01.375\ce13\cheetah.sys (file missing)
S3 cpuz126 - c:\docume~1\mdg\locals~1\temp\cpuz.sys (file missing)
S3 cpuz128 - c:\docume~1\mdg\locals~1\temp\cpuz_x32.sys (file missing)
S3 CrystalCpuInfo - c:\program files\occt\cpuinfo.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 iCheat1 - c:\docume~1\mdg\locals~1\temp\rar$ex04.953\engine\www.tsforos.com\bin\idriver.sys (file missing)
S3 IlvMoneyDRIVER53 - c:\docume~1\mdg\locals~1\temp\rar$ex00.609\moonlight_engine_1083.3\ilvmoney1083.sys (file missing)
S3 kaspersky1 - c:\docume~1\mdg\locals~1\temp\rar$ex19.406\kaspersky.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 sejt1 - c:\docume~1\mdg\locals~1\temp\rar$ex01.469\akuma\akuma\sejt.sys (file missing)
S3 SoRa01 - c:\documents and settings\mdg\desktop\sora remake engine 2.6\sora remak engine 2.6\sora.sys (file missing)
S3 spuce1 - c:\docume~1\mdg\locals~1\temp\rar$ex00.078\spuc3ngine!\spuce.sys (file missing)
S3 SQTECH930B (USB 2.0 PC CAMERA) - c:\windows\system32\drivers\capt930b.sys (file missing)
S3 sys_com001 - c:\docume~1\mdg\locals~1\temp\rar$ex00.219\syscomengine_1059\syscom.sys (file missing)
S3 TSHAK3T1 - c:\docume~1\mdg\locals~1\temp\rar$ex02.891\re 3.2\spuce.sys (file missing)
S3 VMnetAdapter (VMware Virtual Ethernet Adapter Driver) - c:\windows\system32\drivers\vmnetadapter.sys (file missing)
S3 VX3000 (VX-3000) - c:\windows\system32\drivers\vx3000.sys <Not Verified; Microsoft Corporation; Microsoft LifeCam>
S3 xp1 - c:\documents and settings\mdg\desktop\xpengine\xp.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S2 0233271214445745mcinstcleanup (McAfee Application Installer Cleanup (0233271214445745)) - c:\windows\temp\023327~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-28 19:16:37 346 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-05-28 19:16:36 348 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-29 14:42:17 0 dr-h----- C:\Documents and Settings\mdg\Recent
2008-06-28 13:51:54 0 d-------- C:\Documents and Settings\Kuzniak\Application Data\OpenOffice.org2
2008-06-28 13:18:27 0 d-------- C:\Documents and Settings\Kuzniak\Application Data\HPAppData
2008-06-27 17:25:50 25600 --a------ C:\WINDOWS\system32\qoMgeDTJ.dll
2008-06-27 13:09:46 0 d-------- C:\Documents and Settings\Kuzniak\Application Data\Real
2008-06-26 23:33:53 0 d-------- C:\Program Files\Oxin's Style!
2008-06-26 21:55:38 68096 --a------ C:\WINDOWS\zip.exe
2008-06-26 21:55:38 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-26 21:55:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-26 21:55:37 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-26 21:55:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-26 21:55:37 98816 --a------ C:\WINDOWS\sed.exe
2008-06-26 21:55:37 80412 --a------ C:\WINDOWS\grep.exe
2008-06-26 21:55:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-26 19:50:36 2414 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-26 19:49:43 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-26 19:49:42 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-26 19:49:42 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-26 19:49:42 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-26 19:49:42 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-26 19:49:41 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-26 19:49:41 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-26 16:10:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-26 15:58:36 0 d-------- C:\Documents and Settings\mdg\Application Data\OpenOffice.org2
2008-06-26 15:56:16 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-06-26 15:40:32 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-06-26 15:33:59 0 d-------- C:\Nexon
2008-06-25 22:58:54 0 d-------- C:\Program Files\Common Files\xing shared
2008-06-25 22:58:21 0 d-------- C:\Program Files\Real
2008-06-25 22:58:12 0 d-------- C:\Program Files\Common Files\Real
2008-06-25 22:58:09 0 d-------- C:\Documents and Settings\mdg\Application Data\Real
2008-06-25 22:54:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 22:49:40 0 d-------- C:\Documents and Settings\mdg\Application Data\Malwarebytes
2008-06-25 22:49:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 22:49:36 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-25 22:30:35 0 d-------- C:\WINDOWS\Google Earth Pro 4.2
2008-06-25 22:30:35 0 d-------- C:\Program Files\Google Earth Pro 4.2
2008-06-24 13:10:45 0 d-------- C:\Program Files\Infogrames Interactive
2008-06-18 14:28:03 0 d-------- C:\Documents and Settings\Kuzniak\Application Data\McAfee
2008-06-18 14:27:49 0 d-------- C:\Documents and Settings\Kuzniak\Application Data\SiteAdvisor
2008-06-18 14:27:31 0 d---s---- C:\Documents and Settings\Kuzniak\Cookies
2008-06-17 22:47:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-17 13:19:40 0 d-------- C:\Program Files\HammerHead
2008-05-31 20:44:19 0 d-------- C:\Documents and Settings\mdg\Application Data\Nero
2008-05-31 20:38:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-30 19:25:58 106 --a------ C:\delete.bat
2008-05-30 11:02:53 0 d-------- C:\Documents and Settings\mdg\Application Data\McAfee


-- Find3M Report ---------------------------------------------------------------

2008-06-29 14:45:17 0 d-------- C:\Program Files\PeerGuardian2
2008-06-29 14:38:46 0 d-------- C:\Documents and Settings\mdg\Application Data\uTorrent
2008-06-27 15:14:35 0 d-------- C:\Program Files\Steam
2008-06-27 10:57:26 0 d-------- C:\Program Files\Java
2008-06-27 00:43:34 0 d-------- C:\Program Files\SiteAdvisor
2008-06-26 22:39:22 0 d-------- C:\Program Files\LimeWire
2008-06-26 16:09:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-26 16:09:48 0 d-------- C:\Program Files\CyberLink
2008-06-26 15:40:32 0 d-------- C:\Program Files\Common Files
2008-06-25 22:01:26 0 d-------- C:\Program Files\McAfee
2008-06-23 13:38:37 0 d-------- C:\Program Files\ShortKeys2
2008-06-23 13:38:06 0 d-------- C:\Program Files\SpeedFan
2008-06-22 20:01:18 0 d-------- C:\Documents and Settings\mdg\Application Data\SiteAdvisor
2008-06-17 23:03:37 0 d-------- C:\Program Files\Yahoo!
2008-06-17 22:48:05 0 d-------- C:\Program Files\Lavasoft
2008-06-17 22:48:04 0 d-------- C:\Documents and Settings\mdg\Application Data\Lavasoft
2008-06-17 22:47:23 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 20:06:36 10942 --a----c- C:\Documents and Settings\mdg\Application Data\wklnhst.dat
2008-05-31 20:41:54 0 d-------- C:\Program Files\Common Files\Nero
2008-05-31 20:38:59 0 d-------- C:\Program Files\Nero
2008-05-31 17:14:39 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-28 19:18:18 0 d-------- C:\Program Files\Common Files\McAfee
2008-05-28 19:16:28 0 d-------- C:\Program Files\McAfee.com
2008-05-25 22:52:04 0 d-------- C:\Program Files\Paint.NET
2008-05-25 22:51:30 0 d-------- C:\Program Files\QuickTime
2008-05-24 00:11:47 0 d-------- C:\Documents and Settings\mdg\Application Data\HPAppData
2008-05-23 20:54:15 0 d-------- C:\Program Files\7-Zip
2008-05-22 13:33:30 0 d-------- C:\Program Files\Trymedia
2008-05-20 17:11:40 0 d-------- C:\Documents and Settings\mdg\Application Data\HP
2008-05-19 22:27:48 139775 --a------ C:\WINDOWS\hpoins15.dat
2008-05-18 18:17:19 0 d-------- C:\Program Files\nLite
2008-05-18 17:14:13 0 d-------- C:\Program Files\HP
2008-05-18 17:11:18 0 d-------- C:\Program Files\Common Files\HP
2008-05-18 17:10:27 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-05-18 14:35:17 0 d-------- C:\Program Files\Copysafe
2008-05-18 14:35:01 0 d-------- C:\Program Files\ATITool
2008-05-18 13:58:13 0 d-------- C:\Program Files\Incomplete
2008-05-17 22:19:56 0 d-------- C:\Program Files\Lavalys
2008-05-17 21:48:39 0 d-------- C:\Program Files\Electronic Arts
2008-05-16 18:35:50 0 d-------- C:\Program Files\Messenger
2008-05-16 17:59:09 0 d-------- C:\Program Files\Common Files\ATI Technologies
2008-05-16 17:35:42 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-16 16:57:00 0 d-------- C:\Documents and Settings\mdg\Application Data\Adobe
2008-05-16 13:41:16 0 d-------- C:\Documents and Settings\mdg\Application Data\Skype
2008-05-11 16:47:47 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-11 16:47:43 0 d-------- C:\Documents and Settings\mdg\Application Data\SUPERAntiSpyware.com
2008-05-11 16:41:25 0 d-------- C:\Program Files\Trend Micro
 
-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
03/02/2007 04:52 PM 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
03/02/2007 04:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
11/26/2007 10:46 AM 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D554A583-D4CF-4A6F-B07A-CB25F60FA743}]
06/27/2008 05:25 PM 25600 --a------ C:\WINDOWS\system32\qoMgeDTJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 05:04 AM]
"RTHDCPL"="RTHDCPL.EXE" [02/26/2007 03:03 PM C:\WINDOWS\RTHDCPL.EXE]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/12/2005 02:43 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [03/11/2007 09:34 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [06/21/2007 07:12 PM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [11/30/2007 05:42 AM]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [01/16/2007 01:59 PM]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [01/08/2007 11:22 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/25/2008 10:58 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [09/18/2005 06:40 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [10/23/2006 2:48:20 AM]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [10/23/2006 1:01:50 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [3/11/2007 9:26:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{D554A583-D4CF-4A6F-B07A-CB25F60FA743}"= C:\WINDOWS\system32\qoMgeDTJ.dll [06/27/2008 05:25 PM 25600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMgeDTJ]
qoMgeDTJ.dll 06/27/2008 05:25 PM 25600 C:\WINDOWS\system32\qoMgeDTJ.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^mdg^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\mdg\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
C:\FRAPS\FRAPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iconcache]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
"C:\Program Files\lg_fwupdate\fwupdate.exe" blrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
"C:\Program Files\Microsoft Location Finder\LocationFinder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
C:\Program Files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
C:\WINDOWS\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"NBService"=3 (0x3)
"LightScribeService"=2 (0x2)
"Dcfssvc"=2 (0x2)
"BITS"=2 (0x2)
"ATI Smart"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

*Newly Created Service* - PGFILTER



-- Hosts -----------------------------------------------------------------------

127.0.0.1 gameguard.mapleglobal.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

8757 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-29 14:46:13 ------------
 
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) D CPU 2.66GHz
CPU 1: Intel(R) Pentium(R) D CPU 2.66GHz
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 1502.48 MiB / 698.09 MiB
Pagefile Memory (total/avail): 3605.67 MiB / 2841.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.25 MiB

C: is Fixed (NTFS) - 232.88 GiB total, 140.06 GiB free.
D: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-08NCB1 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE1 - HP Photosmart C4280 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
AUState says computer is ready and waiting.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Steam\\steamapps\\kuzniak2\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\kuzniak2\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\kuzniak2\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\kuzniak2\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe:*:Disabled:backWeb-7288971"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\Steam\\steamapps\\kuzniak2\\day of defeat source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\kuzniak2\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mdg\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MDG-5912FDC157A
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mdg
LOGONSERVER=\\MDG-5912FDC157A
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Nero\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\mdg\LOCALS~1\Temp
TMP=C:\DOCUME~1\mdg\LOCALS~1\Temp
USERDOMAIN=MDG-5912FDC157A
USERNAME=mdg
USERPROFILE=C:\Documents and Settings\mdg
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

mdg (admin)
Lucas
Kuzniak


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
3DMark06 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0684EECC-380C-4B97-8C51-5BDB9E4D679C}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{325F7A83-E15A-4C18-B5FE-E03A38F690BD}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
ATI Problem Report Wizard --> MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}
ATITool Overclocking Utility --> "C:\Program Files\ATITool\Uninstall.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CopySafe Plugin --> C:\PROGRA~1\Copysafe\UNWISE.EXE C:\PROGRA~1\Copysafe\INSTALL.LOG
Counter-Strike: Source --> "C:\Program Files\Steam\steam.exe" steam://uninstall/240
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Fraps --> "C:\Fraps\uninstall.exe"
Google Earth Pro 4.2 --> "C:\WINDOWS\Google Earth Pro 4.2\uninstall.exe" "/U:C:\Program Files\Google Earth Pro 4.2\Uninstall\uninstall.xml"
Guild Wars --> "C:\Program Files\Guild Wars\Gw.exe" -uninstall
Half-Life 2: Lost Coast --> "C:\Program Files\Steam\steam.exe" steam://uninstall/340
Half-Life(R) 2 --> MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
HammerHead Rhythm Station --> C:\Program Files\HammerHead\Uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Customer Participation Program 9.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 9.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP OCR Software 9.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
HP Photosmart All-In-One Software 9.0 --> C:\Program Files\HP\Digital Imaging\{B22C19AE-6A67-4f28-B541-5AE72FB17A25}\setup\hpzscr01.exe -datfile hposcr15.dat
HP Photosmart Essential 2.01 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Smart Web Printing --> MsiExec.exe /X{415CDA53-9100-476F-A7B2-476691E117C7}
HP Solution Center 9.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HPSSupply --> MsiExec.exe /X{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}
HyperCam 2 --> "C:\Program Files\HyCam2\UnHyCam2.exe"
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kodak EasyShare software --> MsiExec.exe /I{34C17174-BEA7-45A8-9BD0-7E5AF3639B3E}
LimeWire 4.18.3 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapleStory --> MsiExec.exe /I{E6FC4EEE-2EEA-49A7-B036-908B9BD4BB70}
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Need for Speed™ Carbon --> C:\Program Files\Electronic Arts\Need for Speed Carbon\EAUninstall.exe
Nero 8 --> MsiExec.exe /X{5FCCD531-1B38-4A94-924C-127F722F1033}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
nLite 1.4 --> "C:\Program Files\nLite\unins000.exe"
OpenOffice.org 2.4 --> MsiExec.exe /I{2CD2C0DB-81C3-416B-9FA6-589B9235359B}
Paint.NET v3.31 --> MsiExec.exe /X{51AFB69C-1C54-4C77-A888-2860F8CD3E7D}
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Remove Vista Customization Pack v3 --> c:\windows\vcp_save\runme.bat
RollerCoaster Tycoon 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}\Setup.exe" -l0x9
Sansa Media Converter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2A0F8F4-CE50-4857-A21C-3061682B2E87}\Setup.exe" -l0x9
Scientific-Atlanta WebSTAR 2000 series Cable Modem --> UNDPX2A.EXE
SecurDisc Viewer --> MsiExec.exe /X{ABD1DC2F-0D20-4C44-BEB9-3EEFA0EA1033}
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> C:\PROGRA~1\Steam\UNWISE.EXE C:\PROGRA~1\Steam\INSTALL.LOG
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1954 / Error
Event Submitted/Written: 06/29/2008 00:39:14 PM
Event ID/Source: 0 / Media Center Scheduler
Event Description:
There are zero configured tuners on this machine, scheduling should not occur in this state!!!

Event Record #/Type1947 / Error
Event Submitted/Written: 06/29/2008 00:37:26 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type1940 / Error
Event Submitted/Written: 06/28/2008 11:04:16 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module msvcrt.dll, version 7.0.2600.2180, fault address 0x000373c8.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type1937 / Error
Event Submitted/Written: 06/28/2008 02:01:06 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type1936 / Error
Event Submitted/Written: 06/28/2008 02:01:06 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type40967 / Warning
Event Submitted/Written: 06/29/2008 10:35:14 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type40966 / Warning
Event Submitted/Written: 06/29/2008 06:23:43 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type40965 / Warning
Event Submitted/Written: 06/28/2008 04:55:35 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type40964 / Warning
Event Submitted/Written: 06/28/2008 02:58:12 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type40963 / Error
Event Submitted/Written: 06/28/2008 02:05:22 PM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {DB77BAA7-3DC1-4EE7-8067-2886475BE6F7}.
The error:
"%%2"
Happened while starting this command:
"c:\program files\mcafee\msc\mcpromgr.exe" -Embedding



-- End of Deckard's System Scanner: finished at 2008-06-29 14:46:13 ------------
 
Found a suspicious file...

Please go to Virus Total or Jotti and upload C:\WINDOWS\system32\qoMgeDTJ.dll for scanning.

For Virus Total

  1. Please copy and paste C:\WINDOWS\system32\qoMgeDTJ.dll in the text box next to the Browse button.
  2. Click on Send File.

For Jotti

  1. Please copy and paste C:\WINDOWS\system32\qoMgeDTJ.dll in the text box next to the Browse button.
  2. Click on Submit.

Weird, I don't seem to find anything wrong with my computer...
Here are the results for jotti:

Scan taken on 29 Jun 2008 22:41:47 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Generic10.ATMT
BitDefender
Found Trojan.Vundo.EWZ
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan.Win32.Monderc.gen
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monderc.gen
NOD32
Found nothing
Norman Virus Control
Found Vundo.gen192
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing

And here are the results from VirusTotal:

This is not the whole result...
But I have to go soon, so the faster this is taken care of the better.

Antivirus Version Last Update Result
ClamAV 0.93.1 2008.06.29 -
DrWeb 4.44.0.09170 2008.06.29 -
F-Secure 7.60.13501.0 2008.06.26 -
Microsoft 1.3704 2008.06.30 Trojan:Win32/Vundo.gen!N
Norman 5.80.02 2008.06.27 Vundo.gen192
 
Scans are positive, this is a bad file.

Let's scan for more Vundo files:
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Let's scan for trojans:
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

And finally get rid of this file:
Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\qoMgeDTJ.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.
 
Just what I need. -.- :mad:
Edit: Vundo found nothing. Should I go ahead and run SDFix still?


VundoFix V7.0.6

Scan started at 7:05:37 PM 6/29/2008

Listing files found while scanning....

No infected files were found.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:01 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAfee Phishing Filter - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {D554A583-D4CF-4A6F-B07A-CB25F60FA743} - C:\WINDOWS\system32\qoMgeDTJ.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qoMgeDTJ - C:\WINDOWS\SYSTEM32\qoMgeDTJ.dll
O23 - Service: McAfee Application Installer Cleanup (0233271214445745) (0233271214445745mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\023327~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 10549 bytes
 
Yes do all the steps I gave you.
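The thread never spells out how the helper picked qoMgeDTJ.dll out of the HijackThis log; the tell is that one DLL is hooked into two load points (an unnamed O2 BHO and an O20 Winlogon Notify entry), a pattern that can be checked mechanically. The following triage script is an added example, not the helper's code or any tool from the thread; the sample lines are a constructed subset copied from the log above, and the flag names are hypothetical.

```python
"""Triage a HijackThis log: flag DLLs hooked into more than one load point.

Constructed sample: a handful of lines copied from the thread's HijackThis log
(O2 = Browser Helper Objects, O20 = Winlogon Notify). The real log is longer.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll
O2 - BHO: (no name) - {D554A583-D4CF-4A6F-B07A-CB25F60FA743} - C:\\WINDOWS\\system32\\qoMgeDTJ.dll
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: qoMgeDTJ - C:\\WINDOWS\\SYSTEM32\\qoMgeDTJ.dll
"""

# O2 lines look like "O2 - BHO: <name> - {CLSID} - <path>",
# O20 lines like   "O20 - Winlogon Notify: <key> - <path>".
ENTRY_RE = re.compile(r"^(O2|O20) - (?:BHO|Winlogon Notify): (.+?) - (.+)$")


def parse_hooks(log_text):
    """Map each DLL path (lower-cased, since the log mixes system32/SYSTEM32)
    to the list of (section, label) load points that reference it."""
    hooks = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # O4, O23 and other sections are ignored in this example
        section, label, rest = m.groups()
        # The path is always the last " - " separated field; O2 lines carry
        # a CLSID in front of it.
        path = rest.rsplit(" - ", 1)[-1].strip()
        hooks[path.lower()].append((section, label))
    return hooks


def triage(log_text):
    """Return [(path, [reasons])] for DLLs worth a second look:
    either referenced from more than one load point, or registered as a
    nameless BHO from the Windows system directory."""
    findings = []
    for path, entries in parse_hooks(log_text).items():
        sections = {s for s, _ in entries}
        reasons = []
        if len(sections) > 1:
            reasons.append("loaded via " + " and ".join(sorted(sections)))
        nameless_bho = any(s == "O2" and lbl == "(no name)" for s, lbl in entries)
        if nameless_bho and "\\system32\\" in path:
            reasons.append("nameless BHO in system32")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

Legitimate vendor DLLs (Java, SUPERAntiSpyware) each appear under a single section and carry a name, so only the Vundo DLL is reported.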

I have a very bad suspicion that I pissed it off... :(
I can't boot into safe mode...
I tried but it wouldn't go past all of the lines of stuff... :(

Help. :o

Edit: I already killed it using Avenger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\qoMgeDTJ.dll" deleted successfully.

Completed script processing.

*******************
 