"online security guide" and "live safety center" deckard log here

This is a discussion on "online security guide" and "live safety center" deckard log here within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 11-17-2007, 09:18 AM   #1
Registered Member
 
Join Date: Nov 2007
Location: New Hampshire
Posts: 19
OS: xp



I'm having the same problem that a lot of people are having. These icons have shown up on my desktop and I keep getting pop-ups telling me to download them because I have a virus. I would really appreciate the help.
thanks!
John

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
91: 2007-11-17 16:39:03 UTC - RP554 - Deckard's System Scanner Restore Point
90: 2007-11-17 15:47:18 UTC - RP553 - System Checkpoint
89: 2007-11-16 15:05:33 UTC - RP552 - System Checkpoint
88: 2007-11-15 01:17:54 UTC - RP551 - Software Distribution Service 3.0
87: 2007-11-13 22:39:57 UTC - RP550 - Removed Banctec Service Agreement


-- First Restore Point --
1: 2007-11-12 23:17:11 UTC - RP464 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive C: has 2.78 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-17 11:42:27
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\WINDOWS\SYSTEM32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John\Desktop\dss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://securityresponse.symantec.com.../fix_homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\SYSTEM32\ssqnnnm.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: {1ab5ae7b-5033-391a-3194-ffe8f580d7a7} - {7a7d085f-8eff-4913-a193-3305b7ea5ba1} - C:\WINDOWS\SYSTEM32\jgqnbgas.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\SYSTEM32\ujxxmekz.dll
O2 - BHO: (no name) - {DC7BD63B-BB26-4661-B620-C2B5C7BCD0AB} - C:\WINDOWS\SYSTEM32\pmnno.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\SYSTEM32\ujxxmekz.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Startup: hc_tray.lnk = C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - https://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - https://fpdownload.macromedia.com/pub...irector/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - https://office.microsoft.com/officeup...tent/opuc3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: ssqnnnm - C:\WINDOWS\system32\ssqnnnm.dll
O20 - Winlogon Notify: ujxxmekz - C:\WINDOWS\system32\ujxxmekz.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: crd - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\SYSTEM32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


--
End of file - 9946 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 crd - c:\docume~1\admini~1\locals~1\temp\ixp001.tmp\poststp.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-16 17:31:02 280 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-11-12 20:00:01 620 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - John.job


-- Files created between 2007-10-17 and 2007-11-17 -----------------------------

2007-11-15 19:00:46 0 d-------- C:\Program Files\SpywareBlaster
2007-11-15 18:20:46 79936 --a------ C:\WINDOWS\system32\jgqnbgas.dll
2007-11-14 17:24:24 79424 --a------ C:\WINDOWS\system32\pbjhvaup.dll
2007-11-13 18:20:14 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-13 17:25:56 0 --a------ C:\WINDOWS\system32\hyjsyhpn.dll
2007-11-13 17:22:56 0 --a------ C:\WINDOWS\system32\emiyyomf.dll
2007-11-13 17:13:23 0 d-------- C:\WINDOWS\pss
2007-11-13 06:28:57 0 --a------ C:\WINDOWS\system32\atxayxrv.dll
2007-11-13 06:20:19 145780 --a------ C:\WINDOWS\system32\ujxxmekz.dll
2007-11-13 06:19:57 145780 --a------ C:\WINDOWS\system32\jxnniksq.dll
2007-11-12 18:16:58 21867 --ahs---- C:\WINDOWS\system32\onnmp.ini2
2007-11-12 18:16:46 313440 --a------ C:\WINDOWS\system32\pmnno.dll
2007-11-12 18:11:36 36352 --a------ C:\WINDOWS\system32\ssqnnnm.dll
2007-11-12 18:11:24 0 d-------- C:\WINDOWS\system32\rMa02yy
2007-11-11 23:04:46 81920 --a------ C:\WINDOWS\system32\viscomwave.dll <Not Verified; Viscom Software; >
2007-11-11 23:04:43 323584 --a------ C:\WINDOWS\system32\FoxImager.dll
2007-11-11 23:04:42 0 d-------- C:\Program Files\Cheetah Burner
2007-11-08 21:22:27 0 d-------- C:\WINDOWS\system32\Mz17r
2007-11-05 15:03:47 0 d-------- C:\Program Files\Veoh Networks
2007-11-02 17:52:40 0 d-------- C:\Downloads
2007-11-02 17:51:06 0 d-------- C:\Program Files\BitComet
2007-10-31 16:33:41 0 d-------- C:\WINDOWS\system32\Mz08r


-- Find3M Report ---------------------------------------------------------------

2007-11-17 11:40:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-15 20:03:53 0 d-------- C:\Program Files\Norton Internet Security
2007-11-14 03:19:06 0 d-------- C:\Program Files\ArcadeRockstar
2007-11-13 19:27:21 0 d-------- C:\Program Files\QuickTime
2007-11-13 19:23:20 0 d-------- C:\Program Files\iTunes
2007-11-13 19:22:06 0 d-------- C:\Program Files\DellSupport
2007-11-13 19:22:00 0 d-------- C:\Program Files\Dell Photo AIO Printer 922
2007-11-13 19:19:10 0 d-------- C:\Program Files\Apple Software Update
2007-11-13 19:19:08 0 d-------- C:\Program Files\AIM
2007-11-13 17:41:58 0 d-------- C:\Program Files\Viewpoint
2007-11-13 16:19:57 0 d-------- C:\Program Files\Symantec
2007-11-12 09:48:39 0 d-------- C:\Documents and Settings\John\Application Data\uTorrent
2007-11-11 23:04:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-08 19:25:02 0 d-------- C:\Program Files\TMD-Recruit.5.0
2007-10-04 19:22:18 0 d-------- C:\Program Files\DivX
2007-09-28 11:07:52 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 11:05:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-09-28 11:05:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-09-28 11:05:40 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-09-28 11:05:40 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-28 11:05:40 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-28 11:05:40 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-28 11:05:08 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-24 17:12:15 0 d-------- C:\Documents and Settings\John\Application Data\DivX


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
11/12/2007 06:11 PM 36352 --a------ C:\WINDOWS\system32\ssqnnnm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
C:\Program Files\RXToolBar\sfcont.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7a7d085f-8eff-4913-a193-3305b7ea5ba1}]
11/15/2007 06:20 PM 79936 --a------ C:\WINDOWS\system32\jgqnbgas.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
11/13/2007 06:20 AM 145780 --a------ C:\WINDOWS\system32\ujxxmekz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC7BD63B-BB26-4661-B620-C2B5C7BCD0AB}]
11/12/2007 06:16 PM 313440 --a------ C:\WINDOWS\system32\pmnno.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\ujxxmekz.dll [11/13/2007 06:20 AM 145780]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 09:12 PM]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [09/17/2003 11:43 AM]
"P17Helper"="P17.dll" [06/10/2004 12:51 PM C:\WINDOWS\SYSTEM32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 02:00 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [04/11/2004 09:15 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [10/12/2004 05:54 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 02:01 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/13/2004 02:05 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 08:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 08:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 08:36 AM]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [06/18/2004 04:30 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 06:58 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 09:36 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 02:59 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/13/2007 04:11 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 10:09 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [04/14/2005 03:56 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [06/22/2007 07:45 AM]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" []
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [11/01/2007 01:22 PM]
"@"="" []

C:\Documents and Settings\John\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 2:04:12 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\ssqnnnm.dll [11/12/2007 06:11 PM 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnnnm]
ssqnnnm.dll 11/12/2007 06:11 PM 36352 C:\WINDOWS\SYSTEM32\ssqnnnm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ujxxmekz]
ujxxmekz.dll 11/13/2007 06:20 AM 145780 C:\WINDOWS\SYSTEM32\ujxxmekz.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnno.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c5ba628-ccd0-11da-b5a7-00111197003c}]
AutoRun\command- F:\JDSecure\Windows\JDSecure31.exe

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-11-17 11:44:53 ------------
Attached Files
File Type: txt extra.txt (22.9 KB, 38 views)
Shamrawknroll is offline  
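The log above shows the pattern a helper looks for when triaging a DSS/HijackThis report: the same freshly created DLLs in system32 appear as O2 BHOs, an O3 toolbar, O20 Winlogon Notify handlers and a ShellExecuteHook, while an O23 service runs out of a Temp folder. The script below is an added example, not part of John's post or of the DSS/HijackThis tools. It correlates the module paths in HijackThis-style lines with the "Files created between" section so that recently dropped files stand out, and separately flags orphaned entries and executables started from temp directories. The sample lines are constructed to match the thread's format, the scan timestamp is the one the log reports, and the function names are my own.

```python
"""Triage helper for HijackThis-style entries against a DSS 'Files created' listing.

Added example (not part of the forum thread or of the DSS/HijackThis tools):
it correlates the loaded-module paths in O2/O3/O20/O23 lines with file
creation dates so that recently dropped DLLs stand out, and also flags
orphaned entries and executables started from temp directories.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the format of the thread's log.
HJT_LINES = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\SYSTEM32\ssqnnnm.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\SYSTEM32\ujxxmekz.dll
O20 - Winlogon Notify: ssqnnnm - C:\WINDOWS\system32\ssqnnnm.dll
O23 - Service: crd - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe
"""

# Constructed sample of the DSS "Files created between ..." section.
DSS_CREATED = r"""
2007-11-15 19:00:46 0 d-------- C:\Program Files\SpywareBlaster
2007-11-15 18:20:46 79936 --a------ C:\WINDOWS\system32\jgqnbgas.dll
2007-11-13 06:20:19 145780 --a------ C:\WINDOWS\system32\ujxxmekz.dll
2007-11-12 18:11:36 36352 --a------ C:\WINDOWS\system32\ssqnnnm.dll
2007-11-11 23:04:46 81920 --a------ C:\WINDOWS\system32\viscomwave.dll <Not Verified; Viscom Software; >
"""

SCAN_TIME = datetime(2007, 11, 17, 11, 42, 27)   # "Scan saved at" timestamp of the sample log

# A loaded-module path: drive letter, then the shortest run up to a .dll/.exe/.sys extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys)\b", re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
TEMP_RE = re.compile(r"\\(?:temp|locals~1)\\", re.IGNORECASE)


def parse_dss_created(text):
    """Return {lowercase basename: creation datetime} for the files (not directories)."""
    created = {}
    for line in text.strip().splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        when, _size, attrs, path = m.groups()
        if attrs.startswith("d"):              # "d--------" marks a directory
            continue
        path = path.split(" <", 1)[0].strip()  # drop the "<Not Verified; ...>" suffix
        created[path.rsplit("\\", 1)[-1].lower()] = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    return created


def triage_hjt(text, created, scan_time, window_days=30):
    """Return (section code, basename, reason) for every entry worth a closer look."""
    findings = []
    for line in text.strip().splitlines():
        code = line.split(" - ", 1)[0].strip()
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(0)
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("orphaned entry, file missing")
        when = created.get(name)
        if when is not None and timedelta(0) <= scan_time - when <= timedelta(days=window_days):
            reasons.append("file created %s, %d day(s) before the scan" % (when.date(), (scan_time - when).days))
        if TEMP_RE.search(path):
            reasons.append("runs from a temp directory")
        if reasons:
            findings.append((code, name, "; ".join(reasons)))
    return findings


FINDINGS = triage_hjt(HJT_LINES, parse_dss_created(DSS_CREATED), SCAN_TIME)

if __name__ == "__main__":
    for code, name, reason in FINDINGS:
        print("%-4s %-16s %s" % (code, name, reason))
```

On the sample input the Adobe BHO passes silently while the two system32 DLLs are reported from every section that loads them, which is the cross-referencing a helper does by eye before writing a fix list; the 30-day window is an assumption matching the span DSS lists.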
Old 11-20-2007, 08:57 AM   #2
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please download VundoFix.exe to your desktop. We'll use this later.

Download SDFix and save it to your Desktop.

Please download & install - ERUNT (This is a utility that'll replicate a copy of your Registry)
  1. Start ERUNT, confirm the Welcome message.

  2. Next, select the backup options:

    • System registry
    • Current User Registry
    • Other open user registry

  3. Click "OK" and wait until the backup process is complete. (Note that depending on your system configuration this may take some time, and that the first bar is NOT a progress bar, just an indicator that the program is still running.)
# Note: To ensure proper operation of ERUNT, you should be logged in as a system administrator.

Disconnect from the internet.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Once VundoFix has completed its work...

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist and click Fix Checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.dell4me.com/myway
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\SYSTEM32\ssqnnnm.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: {1ab5ae7b-5033-391a-3194-ffe8f580d7a7} - {7a7d085f-8eff-4913-a193-3305b7ea5ba1} - C:\WINDOWS\SYSTEM32\jgqnbgas.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\SYSTEM32\ujxxmekz.dll
O2 - BHO: (no name) - {DC7BD63B-BB26-4661-B620-C2B5C7BCD0AB} - C:\WINDOWS\SYSTEM32\pmnno.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\SYSTEM32\ujxxmekz.dll
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O20 - Winlogon Notify: ssqnnnm - C:\WINDOWS\system32\ssqnnnm.dll
O20 - Winlogon Notify: ujxxmekz - C:\WINDOWS\system32\ujxxmekz.dll




Close HijackThis now.

---------------------------------------------------------------------------------------------

Delete these folders if they still exist:



Folders:
C:\Program Files\RXToolBar
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\Mz17r
C:\WINDOWS\system32\Mz08r

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Post that log in your next reply.

---------------------------------------------------------------------------------------------

Please run Deckard's System Scanner once again, and post its log.

---------------------------------------------------------------------------------------------

So, I need logs from:

VundoFix
SDFix
DSS
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
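The delete.reg step in the reply above rewrites the LSA "Authentication Packages" value, which the DSS registry dump showed as `msv1_0 C:\WINDOWS\system32\pmnno.dll`. In a REGEDIT4 file `hex(7)` is a REG_MULTI_SZ, stored as ANSI strings each terminated by a NUL byte with one more NUL closing the list, so `6d,73,76,31,5f,30,00,00` spells `msv1_0` followed by the two terminators. The script below is an added example, not from the thread or from any Microsoft tool: it decodes and re-encodes that value, compares it with the DSS line to show which package the import keeps and which it drops, and rebuilds the complete .reg text. The DSS line is constructed to match the dump's format and the function names are my own.

```python
"""Decode and rebuild the REGEDIT4 hex(7) value used to reset LSA "Authentication Packages".

Added example (not from the thread, not a Microsoft or forum tool): hex(7) in a
.reg file is a REG_MULTI_SZ; REGEDIT4 files are ANSI, so each string is one byte
per character, NUL terminated, and the list ends with one more NUL. Decoding the
fix shows exactly which packages it keeps and which it drops, by comparison with
the value DSS reported.
"""
import re

# The fix from the thread, and a constructed DSS registry-dump line in the format it repairs.
REG_FIX_HEX = "6d,73,76,31,5f,30,00,00"
DSS_LSA_LINE = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnno.dll'
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def decode_hex7(hex_text, encoding="cp1252"):
    """hex(7) byte list -> list of strings (empty strings from the terminators are dropped).

    Only the hex pairs are read, so a value wrapped over several lines with
    regedit's trailing backslashes decodes the same as a single-line one.
    """
    raw = bytes(int(pair, 16) for pair in re.findall(r"[0-9a-fA-F]{2}", hex_text))
    return [part.decode(encoding) for part in raw.split(b"\x00") if part]


def encode_hex7(values, encoding="cp1252"):
    """list of strings -> hex(7) byte list, the inverse of decode_hex7."""
    raw = b"".join(v.encode(encoding) + b"\x00" for v in values) + b"\x00"
    return ",".join("%02x" % b for b in raw)


def parse_dss_lsa_line(line):
    """Packages listed on a DSS '"Authentication Packages"= ...' line.

    DSS prints them space separated; a package path containing spaces would
    need quoting that this sample format does not provide.
    """
    _name, _eq, rhs = line.partition("=")
    return rhs.split()


def lsa_fix_effect(dss_line, reg_hex):
    """Return (kept, removed): which currently registered packages survive the .reg import."""
    current = parse_dss_lsa_line(dss_line)
    wanted = decode_hex7(reg_hex)
    kept = [p for p in current if p in wanted]
    removed = [p for p in current if p not in wanted]
    return kept, removed


def build_reg_file(key, name, values):
    """Assemble a complete REGEDIT4 file (CRLF line endings, as regedit writes them)."""
    return "REGEDIT4\r\n\r\n[%s]\r\n\"%s\"=hex(7):%s\r\n" % (key, name, encode_hex7(values))


if __name__ == "__main__":
    kept, removed = lsa_fix_effect(DSS_LSA_LINE, REG_FIX_HEX)
    print("fix writes :", decode_hex7(REG_FIX_HEX))
    print("kept       :", kept)
    print("removed    :", removed)
    print(build_reg_file(LSA_KEY, "Authentication Packages", ["msv1_0"]))
```

Decoding before importing is the check worth keeping: a .reg value that is only a run of hex bytes is easy to mistype, and a wrong package list in this key affects every logon.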
Old 11-22-2007, 10:52 AM   #3
Registered Member
 
Join Date: Nov 2007
Location: New Hampshire
Posts: 19
OS: xp



VundoFix V6.6.2

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:21:54 PM 11/20/2007

Listing files found while scanning....

C:\WINDOWS\system32\ssqnnnm.dll
C:\windows\SYSTEM32\ujxxmekz.dllbox

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqnnnm.dll
C:\WINDOWS\system32\ssqnnnm.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\ujxxmekz.dllbox
C:\windows\SYSTEM32\ujxxmekz.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqnnnm.dll
C:\WINDOWS\system32\ssqnnnm.dll Has been deleted!

Performing Repairs to the registry.
Done!


SDFix: Version 1.115

Run by John on Tue 11/20/2007 at 09:39 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\John\Desktop\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\pac.txt - Deleted



Folder C:\Temp\abW9 - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2007-11-20 21:46:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:c3,f7,d1,5c,1a,49,96,75,c2,70,c9,00,e2,c8,93,b6,04,65,e1,53,ca,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,5e,ff,87,4c,b8,48,1c,e0,8a,02,1d,5f,1e,8d,22,ce,90,..
"hdf12"=hex:a3,0e,a1,7c,a2,37,ee,6e,0c,25,b3,49,9e,e8,7c,93,03,dd,ba,f3,ed,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:84,09,2c,a3,51,d8,9d,43,32,82,f2,54,b6,74,35,36,b1,f1,c6,95,33,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:c3,f7,d1,5c,1a,49,96,75,c2,70,c9,00,e2,c8,93,b6,04,65,e1,53,ca,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,5e,ff,87,4c,b8,48,1c,e0,8a,02,1d,5f,1e,8d,22,ce,90,..
"hdf12"=hex:a3,0e,a1,7c,a2,37,ee,6e,0c,25,b3,49,9e,e8,7c,93,03,dd,ba,f3,ed,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:84,09,2c,a3,51,d8,9d,43,32,82,f2,54,b6,74,35,36,b1,f1,c6,95,33,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1145138751\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1145138751\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1145138751\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1145138751\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Documents and Settings\\John\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\John\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\John\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Mon 10 Jul 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 20 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BIT23.tmp"
Thu 10 Aug 2006 616,448 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\4wxtnbxo.TMP"
Wed 14 Nov 2007 66,876 A.SH. --- "C:\Deckard\System Scanner\backup\DOCUME~1\John\LOCALS~1\Temp\aywxxdwq.exe"
Tue 13 Nov 2007 68,331 A.SH. --- "C:\Deckard\System Scanner\backup\DOCUME~1\John\LOCALS~1\Temp\dldhebrh.exe"
Tue 13 Nov 2007 69,796 A.SH. --- "C:\Deckard\System Scanner\backup\DOCUME~1\John\LOCALS~1\Temp\elbehtku.exe"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\John\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\John\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\John\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\John\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sat 19 May 2007 8 A..H. --- "C:\Documents and Settings\John\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

Finished!

Deckard's System Scanner v20071014.68
Run by John on 2007-11-22 12:47:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive C: has 2.38 GiB (less than 15%) free.


-- HijackThis (run as John.exe) ------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-22 12:53:39
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\WINDOWS\SYSTEM32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\John.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://securityresponse.symantec.com.../fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll
O2 - BHO: (no name) - {25627D3F-9779-4A8D-ACF1-974BDF1AC42A} - C:\WINDOWS\SYSTEM32\pmnno.dll
O2 - BHO: {a3507035-83c2-afab-8494-c0b74b78b2e2} - {2e2b87b4-7b0c-4948-bafa-2c385307053a} - C:\WINDOWS\SYSTEM32\vypvjbpx.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [0cb10757] rundll32.exe "C:\WINDOWS\system32\qftpkhvn.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: hc_tray.lnk = C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - https://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - https://fpdownload.macromedia.com/pub...irector/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - https://office.microsoft.com/officeup...tent/opuc3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: crd - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\SYSTEM32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


--
End of file - 9360 bytes

-- Files created between 2007-10-22 and 2007-11-22 -----------------------------

2007-11-22 12:50:32 0 d-------- C:\Program Files\Trend Micro
2007-11-21 18:22:40 80960 --a------ C:\WINDOWS\system32\vypvjbpx.dll
2007-11-21 18:16:40 83085 --a------ C:\WINDOWS\system32\ysxrbkxp.dll
2007-11-20 21:38:41 0 d-------- C:\WINDOWS\ERUNT
2007-11-20 20:50:16 0 d-------- C:\Program Files\BackStreet Browser 3.1
2007-11-20 20:21:54 0 d-------- C:\VundoFix Backups
2007-11-20 20:18:50 0 d-------- C:\SDFix)
2007-11-20 18:24:51 84545 --a------ C:\WINDOWS\system32\qftpkhvn.dll
2007-11-20 18:18:50 84544 --a------ C:\WINDOWS\system32\ccfxavli.dll
2007-11-20 14:32:15 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-19 18:21:59 83008 --a------ C:\WINDOWS\system32\nwbadfwr.dll
2007-11-19 18:18:58 83085 --a------ C:\WINDOWS\system32\lnvjnfsx.dll
2007-11-15 19:00:46 0 d-------- C:\Program Files\SpywareBlaster
2007-11-15 18:20:46 79936 --a------ C:\WINDOWS\system32\jgqnbgas.dll
2007-11-14 17:24:24 79424 --a------ C:\WINDOWS\system32\pbjhvaup.dll
2007-11-13 18:20:14 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-13 17:13:23 0 d-------- C:\WINDOWS\pss
2007-11-12 18:16:58 484347 --ahs---- C:\WINDOWS\system32\onnmp.ini2
2007-11-12 18:16:46 313440 --a------ C:\WINDOWS\system32\pmnno.dll
2007-11-11 23:04:46 81920 --a------ C:\WINDOWS\system32\viscomwave.dll <Not Verified; Viscom Software; >
2007-11-11 23:04:43 323584 --a------ C:\WINDOWS\system32\FoxImager.dll
2007-11-11 23:04:42 0 d-------- C:\Program Files\Cheetah Burner
2007-11-05 15:03:47 0 d-------- C:\Program Files\Veoh Networks
2007-11-02 17:52:40 0 d-------- C:\Downloads
2007-11-02 17:51:06 0 d-------- C:\Program Files\BitComet


-- Find3M Report ---------------------------------------------------------------

2007-11-21 12:35:55 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-15 20:03:53 0 d-------- C:\Program Files\Norton Internet Security
2007-11-14 03:19:06 0 d-------- C:\Program Files\ArcadeRockstar
2007-11-13 19:27:21 0 d-------- C:\Program Files\QuickTime
2007-11-13 19:23:20 0 d-------- C:\Program Files\iTunes
2007-11-13 19:22:06 0 d-------- C:\Program Files\DellSupport
2007-11-13 19:22:00 0 d-------- C:\Program Files\Dell Photo AIO Printer 922
2007-11-13 19:19:10 0 d-------- C:\Program Files\Apple Software Update
2007-11-13 19:19:08 0 d-------- C:\Program Files\AIM
2007-11-13 17:41:58 0 d-------- C:\Program Files\Viewpoint
2007-11-13 16:19:57 0 d-------- C:\Program Files\Symantec
2007-11-12 09:48:39 0 d-------- C:\Documents and Settings\John\Application Data\uTorrent
2007-11-11 23:04:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-08 19:25:02 0 d-------- C:\Program Files\TMD-Recruit.5.0
2007-10-04 19:22:18 0 d-------- C:\Program Files\DivX
2007-09-28 11:07:52 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 11:05:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-09-28 11:05:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-09-28 11:05:40 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-09-28 11:05:40 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX«>
2007-09-28 11:05:40 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX«>
2007-09-28 11:05:40 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX«>
2007-09-28 11:05:08 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-24 17:12:15 0 d-------- C:\Documents and Settings\John\Application Data\DivX


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25627D3F-9779-4A8D-ACF1-974BDF1AC42A}]
11/12/2007 06:16 PM 313440 --a------ C:\WINDOWS\system32\pmnno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e2b87b4-7b0c-4948-bafa-2c385307053a}]
11/21/2007 06:22 PM 80960 --a------ C:\WINDOWS\system32\vypvjbpx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 09:12 PM]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [09/17/2003 11:43 AM]
"P17Helper"="P17.dll" [06/10/2004 12:51 PM C:\WINDOWS\SYSTEM32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 02:00 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [04/11/2004 09:15 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [10/12/2004 05:54 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 02:01 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/13/2004 02:05 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 08:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 08:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 08:36 AM]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [06/18/2004 04:30 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 06:58 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 09:36 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 02:59 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/13/2007 04:11 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"0cb10757"="C:\WINDOWS\system32\qftpkhvn.dll" [11/20/2007 06:24 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 10:09 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [04/14/2005 03:56 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [06/22/2007 07:45 AM]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" []
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [11/01/2007 01:22 PM]

C:\Documents and Settings\John\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 2:04:12 PM]
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnno.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c5ba628-ccd0-11da-b5a7-00111197003c}]
AutoRun\command- F:\JDSecure\Windows\JDSecure31.exe

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-11-22 12:54:24 ------------
Shamrawknroll is offline  
Old 11-22-2007, 12:43 PM   #4
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations.
---------------------------------------------------------------------------------------------

    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disconnect from the internet.
  3. Disable your AntiVirus application, usually via a right click on the System Tray icon.
  4. Go to -> Run -> paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall

  5. Follow the prompts. Type "1" and press Enter to begin the scan.
  6. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  7. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  8. Re-establish an internet connection.
  9. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 11-29-2007, 12:51 PM   #5
Registered Member
 
Join Date: Nov 2007
Location: New Hampshire
Posts: 19
OS: xp



ComboFix 07-11-19.4C - John 2007-11-29 9:11:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.244 [GMT -5:00]
Running from: C:\Documents and Settings\John\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\John\Application Data\macromedia\Flash Player\#SharedObjects\LNXAF2XK\www.broadcaster.com
C:\Documents and Settings\John\Application Data\macromedia\Flash Player\#SharedObjects\LNXAF2XK\www.broadcaster.com\played_list.sol
C:\Documents and Settings\John\Application Data\macromedia\Flash Player\#SharedObjects\LNXAF2XK\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\John\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\John\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\John\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\onnmp.ini
C:\WINDOWS\SYSTEM32\onnmp.ini2
C:\WINDOWS\system32\pmnno.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-29 11:32 58,760 --a------ C:\symlcsv1.exe
2007-11-22 12:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-21 18:22 80,960 --a------ C:\WINDOWS\SYSTEM32\vypvjbpx.dll
2007-11-21 18:16 83,085 --a------ C:\WINDOWS\SYSTEM32\ysxrbkxp.dll
2007-11-20 21:38 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-20 20:50 <DIR> d-------- C:\Program Files\BackStreet Browser 3.1
2007-11-20 20:21 <DIR> d-------- C:\VundoFix Backups
2007-11-20 20:18 <DIR> d-------- C:\SDFix)
2007-11-20 18:25 715,268 ---hs---- C:\WINDOWS\SYSTEM32\nvhkptfq.ini
2007-11-20 18:18 84,544 --a------ C:\WINDOWS\SYSTEM32\ccfxavli.dll
2007-11-19 18:21 83,008 --a------ C:\WINDOWS\SYSTEM32\nwbadfwr.dll
2007-11-19 18:18 83,085 --a------ C:\WINDOWS\SYSTEM32\lnvjnfsx.dll
2007-11-17 11:38 <DIR> d-------- C:\Deckard
2007-11-15 19:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-15 18:20 79,936 --a------ C:\WINDOWS\SYSTEM32\jgqnbgas.dll
2007-11-15 18:15 678,021 --ahs---- C:\WINDOWS\SYSTEM32\mgltrabo.ini
2007-11-14 17:24 669,671 --ahs---- C:\WINDOWS\SYSTEM32\exmajwcb.ini
2007-11-14 17:24 79,424 --a------ C:\WINDOWS\SYSTEM32\pbjhvaup.dll
2007-11-13 18:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-11-13 18:20 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-11-13 18:20 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-11-13 17:23 668,993 --ahs---- C:\WINDOWS\SYSTEM32\fmoyyime.ini
2007-11-13 06:26 669,233 --ahs---- C:\WINDOWS\SYSTEM32\hmajuviq.ini
2007-11-11 23:04 <DIR> d-------- C:\Program Files\Cheetah Burner
2007-11-11 23:04 1,228,800 --a------ C:\WINDOWS\SYSTEM32\FoxBurner.ocx
2007-11-11 23:04 1,164,728 --a------ C:\WINDOWS\SYSTEM32\NMSDVDXU.dll
2007-11-11 23:04 856,064 --a------ C:\WINDOWS\SYSTEM32\mpgfiltr.ax
2007-11-11 23:04 454,656 --a------ C:\WINDOWS\SYSTEM32\FoxDVDImager.ocx
2007-11-11 23:04 380,928 --a------ C:\WINDOWS\SYSTEM32\CDRipperX.ocx
2007-11-11 23:04 323,584 --a------ C:\WINDOWS\SYSTEM32\FoxImager.dll
2007-11-05 15:03 <DIR> d-------- C:\Program Files\Veoh Networks
2007-11-02 17:52 <DIR> d-------- C:\Downloads
2007-11-02 17:51 <DIR> d-------- C:\Program Files\BitComet
2007-10-31 16:33 <DIR> d-------- C:\Temp\mZOr
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys
2007-10-30 19:24 12,963 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SymRedir.cat
2007-10-30 19:24 1,358 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SymRedir.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 14:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-24 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-23 08:29 --------- d-----w C:\Documents and Settings\John\Application Data\uTorrent
2007-11-20 23:24 84,545 ----a-w C:\WINDOWS\SYSTEM32\qftpkhvn.dll
2007-11-16 01:03 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-14 08:19 --------- d-----w C:\Program Files\ArcadeRockstar
2007-11-14 00:27 --------- d-----w C:\Program Files\QuickTime
2007-11-14 00:23 --------- d-----w C:\Program Files\iTunes
2007-11-14 00:22 --------- d-----w C:\Program Files\DellSupport
2007-11-14 00:22 --------- d-----w C:\Program Files\Dell Photo AIO Printer 922
2007-11-14 00:19 --------- d-----w C:\Program Files\Apple Software Update
2007-11-14 00:19 --------- d-----w C:\Program Files\AIM
2007-11-13 22:41 --------- d-----w C:\Program Files\Viewpoint
2007-11-13 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-13 21:19 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-13 21:19 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-11-13 21:19 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-13 21:19 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-13 21:19 --------- d-----w C:\Program Files\Symantec
2007-11-12 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-09 00:25 --------- d-----w C:\Program Files\TMD-Recruit.5.0
2007-10-31 00:55 625,032 ----a-w C:\WINDOWS\SYSTEM32\SymNeti.dll
2007-10-31 00:55 242,056 ----a-w C:\WINDOWS\SYSTEM32\SymRedir.dll
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-05 00:22 --------- d-----w C:\Program Files\DivX
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2007-05-02 02:42 140,408 ----a-w C:\Documents and Settings\John\Hold.dat
2007-04-23 16:00 40 ----a-w C:\Documents and Settings\John\language.dat
2006-09-09 14:50 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e2b87b4-7b0c-4948-bafa-2c385307053a}]
2007-11-21 18:22 80960 --a------ C:\WINDOWS\system32\vypvjbpx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 15:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 07:45]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" []
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-11-01 13:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43]
"P17Helper"="Rundll32 P17.dll" []
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 16:30]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 14:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-13 16:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"0cb10757"="C:\WINDOWS\system32\qftpkhvn.dll" [2007-11-20 18:24]

C:\Documents and Settings\John\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnno.dll

R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c5ba628-ccd0-11da-b5a7-00111197003c}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-28 22:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-27 01:29:58 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - John.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2007-11-29 13:33:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 13:36:22 - machine was rebooted
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:48:52 PM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John\Desktop\HiJackThis_v2.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://securityresponse.symantec.com.../fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: {a3507035-83c2-afab-8494-c0b74b78b2e2} - {2e2b87b4-7b0c-4948-bafa-2c385307053a} - C:\WINDOWS\system32\vypvjbpx.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [0cb10757] rundll32.exe "C:\WINDOWS\system32\qftpkhvn.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: hc_tray.lnk = C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - https://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: crd - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8857 bytes
Shamrawknroll is offline  
Old 11-29-2007, 12:56 PM   #6
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Hello, Shamrawknroll -

ComboFix is constantly updated to address changing threats.

Since it's been several days between posts, please delete your existing version of ComboFix, and get the latest version from the link below. Run it with the following instructions:

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download this file - https://download.bleepingcomputer.com...a/ComboFix.exe

    * IMPORTANT !!! Place combofix.exe on your Desktop


  2. Disconnect from the internet (pull the plug!).
  3. Go to -> Run -> paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall



  4. Follow the prompts. Type "1" and press Enter to begin the scan.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Re-establish an internet connection.
  8. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 11-29-2007, 03:09 PM   #7
Registered Member
 
Join Date: Nov 2007
Location: New Hampshire
Posts: 19
OS: xp



I just downloaded ComboFix today, so it should be the latest version.
Shamrawknroll is offline  
Old 11-29-2007, 03:11 PM   #8
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



The log header differs.

ComboFix 07-11-19.4C

Please use the link I gave you in my last post. It has been updated.

Thanks.
tetonbob is offline  
Old 11-29-2007, 03:23 PM   #9
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



OK, I see what's going on. Still, please use the version from the link in my last post.

Thanks.
tetonbob is offline  
Old 11-29-2007, 04:41 PM   #10
Registered Member
 
Join Date: Nov 2007
Location: New Hampshire
Posts: 19
OS: xp



ComboFix 07-11-30.3 - John 2007-11-30 19:32:28.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.202 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\ccfxavli.dll
C:\WINDOWS\system32\jgqnbgas.dll
C:\WINDOWS\system32\lnvjnfsx.dll
C:\WINDOWS\SYSTEM32\nvhkptfq.ini
C:\WINDOWS\system32\pbjhvaup.dll
C:\WINDOWS\system32\qftpkhvn.dll
C:\WINDOWS\system32\vypvjbpx.dll
C:\WINDOWS\system32\ysxrbkxp.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
.

2007-11-25 21:47 . 2007-11-25 21:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-25 21:47 . 2007-11-25 21:47 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-22 12:50 . 2007-11-22 12:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 21:38 . 2007-11-20 21:38 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-20 20:50 . 2007-11-20 20:52 <DIR> d-------- C:\Program Files\BackStreet Browser 3.1
2007-11-20 20:21 . 2007-11-20 20:32 <DIR> d-------- C:\VundoFix Backups
2007-11-20 20:18 . 2007-11-20 20:18 <DIR> d-------- C:\SDFix)
2007-11-17 11:38 . 2007-11-17 11:38 <DIR> d-------- C:\Deckard
2007-11-15 19:00 . 2007-11-15 19:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-13 18:20 . 2007-11-13 18:20 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-11-11 23:04 . 2007-11-11 23:04 <DIR> d-------- C:\Program Files\Cheetah Burner
2007-11-11 23:04 . 2003-12-17 16:00 1,208,320 --a------ C:\WINDOWS\SYSTEM32\PTxSCP.ocx
2007-11-05 15:03 . 2007-11-05 15:03 <DIR> d-------- C:\Program Files\Veoh Networks
2007-11-02 17:52 . 2007-11-02 17:52 <DIR> d-------- C:\Downloads
2007-11-02 17:51 . 2007-11-09 17:41 <DIR> d-------- C:\Program Files\BitComet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-29 20:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-23 08:29 --------- d-----w C:\Documents and Settings\John\Application Data\uTorrent
2007-11-16 01:03 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-14 08:19 --------- d-----w C:\Program Files\ArcadeRockstar
2007-11-14 00:27 --------- d-----w C:\Program Files\QuickTime
2007-11-14 00:23 --------- d-----w C:\Program Files\iTunes
2007-11-14 00:22 --------- d-----w C:\Program Files\DellSupport
2007-11-14 00:22 --------- d-----w C:\Program Files\Dell Photo AIO Printer 922
2007-11-14 00:19 --------- d-----w C:\Program Files\Apple Software Update
2007-11-14 00:19 --------- d-----w C:\Program Files\AIM
2007-11-13 22:41 --------- d-----w C:\Program Files\Viewpoint
2007-11-13 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-13 21:19 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-13 21:19 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-11-13 21:19 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-13 21:19 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-13 21:19 --------- d-----w C:\Program Files\Symantec
2007-11-12 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-09 00:25 --------- d-----w C:\Program Files\TMD-Recruit.5.0
2007-10-31 00:55 625,032 ----a-w C:\WINDOWS\SYSTEM32\SymNeti.dll
2007-10-31 00:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 00:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 00:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 00:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 00:55 242,056 ----a-w C:\WINDOWS\SYSTEM32\SymRedir.dll
2007-10-31 00:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 00:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 00:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 00:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 00:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-05 00:22 --------- d-----w C:\Program Files\DivX
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2007-05-02 02:42 140,408 ----a-w C:\Documents and Settings\John\Hold.dat
2007-04-23 16:00 40 ----a-w C:\Documents and Settings\John\language.dat
2006-09-09 14:50 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-29_13.34.55.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 21:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 08:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-29\ERDNT.EXE
+ 2007-11-29 18:34:27 4,751,360 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-29\Users\00000001\NTUSER.DAT
+ 2007-11-29 18:34:28 16,384 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-29\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-30\ERDNT.EXE
+ 2007-11-30 23:00:41 4,751,360 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-30\Users\00000001\NTUSER.DAT
+ 2007-11-30 23:00:43 16,384 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-30\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 15:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 07:45]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" []
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-11-01 13:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43]
"P17Helper"="Rundll32 P17.dll" []
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 16:30]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 14:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-13 16:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]

C:\Documents and Settings\John\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
S2 crd;crd;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c5ba628-ccd0-11da-b5a7-00111197003c}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-29 22:31:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-27 01:29:58 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - John.job"
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2007-11-30 19:35:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 19:36:22
C:\ComboFix2.txt ... 2007-11-29 13:36
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:39:32 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\John\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://securityresponse.symantec.com.../fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: hc_tray.lnk = C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - https://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: crd - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8441 bytes
Shamrawknroll is offline  
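As an added example (not code from this thread, HijackThis or ComboFix), the script below applies the checks a helper makes by eye on the two HijackThis logs above: it flags entries with the traits of the items ComboFix deleted (a BHO named only by a CLSID, a rundll32 autostart of a random-looking system32 DLL, a service pointing into a Temp folder at a file that no longer exists) and diffs the 29 Nov and 30 Nov logs to show what the cleanup run removed. The sample lines are copied from the logs above and trimmed; the "random-looking name" rule is a constructed heuristic, not anything the tools themselves do.

```python
import re

# Constructed sample: a handful of entries copied from the two HijackThis logs
# posted above (29 Nov, before the fresh ComboFix run, and 30 Nov, after it),
# trimmed to the lines that matter for the demonstration. Not a complete log.
HJT_BEFORE = [
    r'O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll',
    r'O2 - BHO: {a3507035-83c2-afab-8494-c0b74b78b2e2} - {2e2b87b4-7b0c-4948-bafa-2c385307053a} - C:\WINDOWS\system32\vypvjbpx.dll',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [0cb10757] rundll32.exe "C:\WINDOWS\system32\qftpkhvn.dll",b',
    r'O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll',
    r'O23 - Service: crd - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)',
    r'O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe',
]
# The 30 Nov log: the BHO and the rundll32 autostart are gone, the dead service remains.
HJT_AFTER = [l for l in HJT_BEFORE if 'vypvjbpx' not in l and 'qftpkhvn' not in l]

CLSID_RE = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
SYSTEM32_DLL_RE = re.compile(r'\\system32\\([a-z]+)\.dll', re.I)
TEMP_DIR_RE = re.compile(r'\\temp\\', re.I)


def looks_random(name: str) -> bool:
    """Constructed heuristic for the Vundo-style names in the deletions list
    above (qftpkhvn, vypvjbpx, ...): eight lowercase letters with at most two
    vowels. A triage hint only; it will produce false positives."""
    return (len(name) == 8 and name.isalpha() and name.islower()
            and sum(c in 'aeiou' for c in name) <= 2)


def suspicious_reasons(line: str) -> list:
    """Return the reasons an HJT entry deserves a closer look (empty if none)."""
    kind, _, body = line.strip().partition(' - ')
    reasons = []
    m = SYSTEM32_DLL_RE.search(body)
    random_dll = bool(m and looks_random(m.group(1).lower()))
    if kind == 'O2':
        # O2 - BHO: <display name> - <CLSID> - <dll path>
        name = body.split(' - ')[0][len('BHO: '):]
        if CLSID_RE.match(name):
            reasons.append('BHO whose display name is itself a CLSID')
        if random_dll:
            reasons.append('BHO DLL in system32 with a random-looking name')
    elif kind == 'O4':
        if 'rundll32' in body.lower() and random_dll:
            reasons.append('rundll32 autostart of a random-looking DLL in system32')
    elif kind == 'O23':
        if TEMP_DIR_RE.search(body):
            reasons.append('service image path is under a Temp directory')
        if body.endswith('(file missing)'):
            reasons.append('service points at a file that no longer exists')
    return reasons


def triage(log_lines) -> dict:
    """Map each suspicious entry to its reasons, preserving log order."""
    out = {}
    for line in log_lines:
        reasons = suspicious_reasons(line)
        if reasons:
            out[line.strip()] = reasons
    return out


def removed_entries(before, after) -> list:
    """Entries present in the earlier log but absent from the later one,
    i.e. what the cleanup run took out."""
    later = {l.strip() for l in after}
    return [l.strip() for l in before if l.strip() not in later]


if __name__ == '__main__':
    for entry, reasons in triage(HJT_BEFORE).items():
        print(entry)
        for r in reasons:
            print('   ->', r)
    print('\nRemoved between the two logs:')
    for entry in removed_entries(HJT_BEFORE, HJT_AFTER):
        print('  ', entry)
```

Running it against the two sample logs flags the BHO, the rundll32 entry and the "crd" service, and reports the first two as removed; the orphaned service is what the helper would still want cleared by hand.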
Old 11-29-2007, 04:49 PM   #11
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Looking better.

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
Old 12-02-2007, 09:09 AM   #12
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



There were some server issues, and your post was lost in the restore.

Please repost your Kaspersky log. It may be easier to attach, as I recall it was quite large.
Old 12-02-2007, 09:57 AM   #13
Registered Member
 
Join Date: Nov 2007
Location: New Hampshire
Posts: 19
OS: xp



attachment
Attached Files
File Type: txt kasperskyresults.txt (238.0 KB, 36 views)
Old 12-02-2007, 10:00 AM   #14
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Good job, thanks. I had this fix saved, but needed to make sure it was for the right post.


Delete these:

C:\Documents and Settings\Administrator\Start Menu\Programs\ClockSync
C:\Program Files\ClockSync


---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u3 and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windowsi586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:
  • Microsoft Windows Update - https://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here

    IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • FIREWALL
    If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

    Do not install more than one firewall program because they will conflict with each other.

Scan here https://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • https://www.trillian.cc - Trillian or https://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • https://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • https://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • https://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
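The HOSTS-file mechanism described in the post above (known ad hosts pointed at 127.0.0.1 so the machine never reaches them) is also something worth auditing, because the same file can be abused to send legitimate names elsewhere. Below is an added example, not part of this thread or of the MVPS project: a small Python audit that separates sinkhole entries from redirects to non-local addresses; the sample hosts content is constructed.

```python
"""Audit a Windows-style HOSTS file.

Blocklist entries (as in the MVPS HOSTS file) point hostnames at the local
machine. An entry that points a hostname at some other address is a redirect,
which is what a hosts hijack looks like and what a reviewer wants surfaced.
"""
import ipaddress
from typing import Dict, List, Tuple

# Addresses a blocklist may legitimately use as a sinkhole: loopback or unspecified.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                          # not an address; Windows ignores it too
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def audit_hosts(text: str) -> Dict[str, object]:
    """Count sinkholed names and list every name sent to a non-local address."""
    pairs = parse_hosts(text)
    blocked = sorted({n for ip, n in pairs if ip in SINKHOLES and n != "localhost"})
    redirects = [(n, ip) for ip, n in pairs if ip not in SINKHOLES]
    return {"blocked_count": len(blocked), "blocked": blocked, "redirects": redirects}


# Constructed sample, not the real MVPS file; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 ads.example-adserver.test   # [Ad tracking]
0.0.0.0   tracker.example-metrics.test
# a hijack looks like this: a real-looking name sent to a non-local address
203.0.113.45 www.example-bank.test
bogus-line-without-ip
"""

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

Any entry in the `redirects` list deserves a look, since a legitimate blocklist never needs to send a name anywhere but the local machine.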