Avast WEBforum

Other => Viruses and worms => Topic started by: andy214ever on May 30, 2007, 03:08:41 PM

Title: HELP!
Post by: andy214ever on May 30, 2007, 03:08:41 PM
Hi,

How do I run a boot-time scan manually?
I have a friend who has not used any antivirus at all for about a year, and now his PC is terribly slow :-\ and cannot log on. I helped him log on in Safe Mode, installed avast on his PC and scanned it. I was shocked: about 50-60 viruses were found, including adware and trojans. I followed avast's advice to move them to the Chest, and avast advised me to run a boot-time scan because there is a dangerous virus in memory, but when I click Yes to start the boot-time scan it can't run. Can anybody help?
Title: Re: HELP!
Post by: DavidR on May 30, 2007, 03:21:59 PM
Personally I'm not in the least surprised at the number of viruses, adware, etc. that are on their system; my only surprise is that there aren't more.

If you have enabled a boot-time scan (right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...') as you have done, I have no idea why it isn't running.

Or use the command line: Windows Start, Run, and type C:\Program Files\ALWIL Software\Avast4\sched.exe /A:*

If, as you say, they can't boot normally, that may be the problem: although avast does its scan outside of Windows, the normal Windows boot starts (you see the Windows logo) and is then interrupted to start the avast boot-time scan. So the total lack of a normal Windows boot may be the cause of this failure.

After so long their system is likely to be completely compromised with password stealers, backdoors, possibly rootkits hiding much more, etc. (you really have a task in front of you), so realistically they should be considering a format and starting from scratch.

If you haven't already got this software (freeware), download, install, update and run it, preferably in Safe Mode.
1. AVG Anti-Spyware (formerly Ewido) (http://www.ewido.net/en/download/) if using WinXP, or a-squared Free (http://www.emsisoft.com/en/software/free/) if using Win98/ME. Or SUPERAntiSpyware (http://www.superantispyware.com) or Spyware Terminator (http://www.spywareterminator.com/)
2. Ad-Aware SE Personal Edition (http://www.snapfiles.com/reviews/Ad-Aware/adaware.html)
3. Spybot Search and Destroy (http://www.safer-networking.org/index.php?lang=en&page=download)

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm (http://www.antirootkit.com/software/index.htm).
- BlackLight - It can detect rootkits like Rootkit Revealer but can also remove them. http://www.f-secure.com/blacklight/ (http://www.f-secure.com/blacklight/)
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip (http://research.pandasoftware.com/blogs/images/AntiRootkit.zip) also see http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx (http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx) or http://www.pandasoftware.com/ (http://www.pandasoftware.com/).
- AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5 (http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5).
Title: Re: HELP!
Post by: andy214ever on May 31, 2007, 10:36:19 AM
Thanks. I still can't help my friend run the boot-time scan; it just restarts without running the boot-time scan even though I already followed your advice. I scanned with AVG Anti-Spyware and also BlackLight and found nothing. I ran the avast scan in Safe Mode and found some trojans, and I can't move them to the Chest so I just deleted them. When I log in to the PC in normal mode, avast starts warning me that a trojan was found; they keep coming non-stop, and sometimes avast has blocked something from downloading adware to my friend's PC. How can I find the thing that downloads adware to my PC? Now his PC is a bit faster than before, but still very slow... :-\
Title: Re: HELP!
Post by: andy214ever on May 31, 2007, 10:39:19 AM
Oops!! Sorry, I know why I can't run the boot-time scan now... I just enabled it but still didn't run it. Sorry, I'm just a beginner...
Title: Re: HELP!
Post by: Lisandro on May 31, 2007, 02:43:39 PM
they keep coming non stop
If a virus is replicating (coming back again and again), you should:

1) Disable System Restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887) or Windows XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405). System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again.

2) Clean your temporary files. You can use CleanUp (http://www.stevengould.org/downloads/cleanup/) or the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for that.

3) Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scan. Select scanning of archives. Reboot. Another option is scanning in Safe Mode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).

4) It would be good if you download, install, update and run other trojan remover tools: a-squared (http://www.emsisoft.com/en/software/free/) and/or Free AVG Anti-Spyware (http://www.ewido.net/en/) (trojan removers). Some users recommend SUPERAntiSpyware (http://www.superantispyware.com) or Spyware Terminator (http://www.spywareterminator.com/).

5) Use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for spyware/adware cleaning and removal.
Title: Re: HELP!
Post by: DavidR on May 31, 2007, 02:57:31 PM
<snip>
i ran the avast scan in safe mode and found some trojans....and i can't move them to the chest so i just deleted them

What is the malware/trojan name, the infected file name, and where was it found, e.g. (malware name, C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections. This may help us work out what the trojan does and possibly how to combat it, or whether other elements are at work.

....when i log in to the pc in normal mode....avast starts warning me that a trojan was found.....they keep coming non-stop.....and sometimes avast has blocked something from downloading adware to my friend's pc......how can i find the thing that downloads adware to my pc?
1. So you are now able to log on normally ?
2. This would tend to indicate that there are still undetected trojan downloaders on his system; the other two anti-spyware links I gave should also be tried, SUPERAntiSpyware and Spyware Terminator.
3. An effective firewall should be capable of blocking unauthorised outbound Internet Connections. Does he have a firewall and if so what (XP's firewall doesn't provide outbound protection) ?
4. For adware I would suggest the AdAware and Spybot Search & Destroy links I gave.

now his pc is faster a bit than before....but still very slow.... :-\

So you/he might be a little further from the ultimate nuclear option. But I fear that if the other software and anti-rootkits mentioned don't resolve it, you are rapidly approaching the previously mentioned option.
Quote from: DavidR
After so long their system is likely to be completely compromised with password stealers, backdoors, possibly rootkits hiding much more, etc. (you really have a task in front of you) that realistically they should be considering a format and start from scratch.

oops!! sorry i know why i can't run the boot-time scan now........i just enabled it but still didn't run it....sorry...i'm just a beginner ......


And this is, I believe, the reason as previously mentioned (however, you have since mentioned being able to boot normally (?), so perhaps not):
Quote from: DavidR
If, as you say, they can't boot normally, that may be the problem: although avast does its scan outside of Windows, the normal Windows boot starts (you see the Windows logo) and is then interrupted to start the avast boot-time scan. So the total lack of a normal Windows boot may be the cause of this failure.

There are other anti-rootkits; you have only tried one of them. There are two others I gave links for, and there is also the anti-rootkit detection, removal & protection link I gave, with even more. I only listed the ones which have been commonly recommended on these forums and by members with reasonable success.

I would believe that not only did your friend not have an AV, they probably didn't have a firewall (?), and if so that was probably long ago bypassed.
Title: Re: HELP!
Post by: DavidR on May 31, 2007, 03:03:40 PM
they keep coming non stop
If a virus is replicating (coming back again and again), you should:

<snip>
3) Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scan. Select scanning of archives. Reboot. Another option is scanning in Safe Mode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).
<snip>
5) Use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for spyware/adware cleaning and removal.

Tech, did you read that Andy can't do a boot-time scan? It fails.

I have suggested and given links to the majority of the software, with the exception of SpywareBlaster, which shouldn't be installed until the system is clean, and it is a long way from there yet. I would assume the same for Windows Advanced Care: don't apply immunization until you have a clean system.
Title: Re: HELP!
Post by: Lisandro on May 31, 2007, 08:19:31 PM
i just enabled it but still didn't run it
Is there any error message? Or does it just not run?
Which operating system is that machine running?
Title: Re: HELP!
Post by: andy214ever on June 01, 2007, 07:17:02 AM
How do I disable System Restore on Windows XP???

Could you give me links to some free firewalls???

Thanks... I will follow your advice...
Title: Re: HELP!
Post by: Lisandro on June 01, 2007, 02:32:34 PM
how do i disable System Restore on Windows XP???
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

could you give me links to some free firewalls???
Personal Firewall Tests & Results. Firewall rating:
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php#firewalls-ratings

Freeware firewalls:
http://www.firewallleaktester.com/tests_overview.php
http://www.thefreecountry.com/security/firewalls.shtml

Reviews:
XP: http://forum.avast.com/index.php?topic=27646.0
Vista: http://forum.avast.com/index.php?topic=27647.0
Title: Re: HELP!
Post by: DavidR on June 01, 2007, 02:45:45 PM
- ZoneAlarm Free http://www.zonelabs.com (http://www.zonelabs.com) works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated (large download size) with trialware. There are others, the first two used by many forum members: Comodo, PC Tools Firewall Plus, Sunbelt Kerio, Jetico, etc.
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:39:56 AM
2/15/2005 8:44:55 PM   Personal   5692   Sign of "Win32:VB-DXJ [Trj]" has been found in "C:\WINDOWS\Temp\6.tmp\[FSG]" file. 
2/15/2005 8:27:31 PM   Personal   5692   Sign of "Win32:VB-DXJ [Trj]" has been found in "C:\Documents and Settings\Personal\Local Settings\Temp\F.tmp\[FSG]" file. 
2/15/2005 8:27:24 PM   Personal   5692   Sign of "Win32:VB-DXJ [Trj]" has been found in "C:\Documents and Settings\Personal\Local Settings\Temp\9.tmp\[FSG]" file. 
2/15/2005 8:27:22 PM   Personal   5692   Sign of "Win32:VB-DXJ [Trj]" has been found in "C:\Documents and Settings\Personal\Local Settings\Temp\17.tmp\[FSG]" file. 
2/15/2005 8:27:12 PM   Personal   5692   Sign of "Win32:VB-DXJ [Trj]" has been found in "C:\Documents and Settings\Personal\Local Settings\Temp\16.tmp\[FSG]" file. 
2/15/2005 8:44:15 PM   Personal   5692   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\sd012.exe" file. 
2/15/2005 8:40:42 PM   Personal   5692   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\7.exe" file. 
2/15/2005 8:37:53 PM   Personal   5692   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0114704.dll" file. 
2/15/2005 8:37:53 PM   Personal   5692   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0114700.dll" file. 
2/15/2005 7:42:18 PM   Personal   1164   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\CNNIC\Cdn\Update\wmhlpr.dll" file. 
2/15/2005 7:42:18 PM   Personal   1164   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\CNNIC\Cdn\Update\imaoe.dll" file. 
2/15/2005 7:42:18 PM   Personal   1164   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\CNNIC\Cdn\Update\iesrch.dll" file. 
2/15/2005 7:42:16 PM   Personal   1164   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\CNNIC\Cdn\Update\cdncol.dll" file. 
2/16/2005 4:01:16 PM   SYSTEM   1660   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4DA30LU7\7[1].exe" file. 
2/16/2005 4:06:08 PM   Personal   1072   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4DA30LU7\7[1].exe" file. 
2/15/2005 8:17:16 PM   SYSTEM   1612   Sign of "Win32:Small-TD [Trj]" has been found in "C:\WINDOWS\downlo~1\CnsHook.dll" file. 
2/15/2005 8:01:07 PM   SYSTEM   1612   Sign of "Win32:Small-TD [Trj]" has been found in "C:\WINDOWS\downlo~1\CnsHook.dll" file. 
2/15/2005 8:16:28 PM   SYSTEM   1612   Sign of "Win32:Small-TD [Trj]" has been found in "C:\WINDOWS\downlo~1\CnsHook.dll" file. 
2/15/2005 8:38:28 PM   Personal   5692   Sign of "Win32:Small-TD [Trj]" has been found in "C:\WINDOWS\Downloaded Program Files\trz2E.tmp" file. 
2/15/2005 8:18:54 PM   Personal   2216   Sign of "Win32:Small-TD [Trj]" has been found in "c:\windows\downloaded program files\cnshook.dll" file. 
2/15/2005 8:44:06 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\qiscbk.dll" file. 
2/15/2005 8:44:05 P
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:40:54 AM
2/15/2005 8:44:05 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\praian.dll\[Petite]" file. 
2/16/2005 5:21:11 PM   SYSTEM   1828   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/15/2005 8:19:28 PM   Personal   2216   Sign of "Win32:Small-FCC [Trj]" has been found in "c:\windows\system32\msccrt.dll\[Petite]" file. 
2/16/2005 9:03:29 PM   SYSTEM   1632   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/16/2005 9:03:30 PM   SYSTEM   1632   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/15/2005 8:59:11 PM   SYSTEM   1664   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/17/2005 9:36:21 PM   SYSTEM   1576   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/17/2005 9:36:21 PM   SYSTEM   1576   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/17/2005 9:49:11 PM   SYSTEM   1624   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/17/2005 9:49:12 PM   SYSTEM   1624   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/18/2005 12:09:58 PM   SYSTEM   1572   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/18/2005 12:09:58 PM   SYSTEM   1572   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/16/2005 2:46:53 PM   SYSTEM   1668   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/15/2005 8:59:11 PM   SYSTEM   1664   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/16/2005 10:40:42 AM   SYSTEM   1648   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/16/2005 10:40:42 AM   SYSTEM   1648   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/16/2005 2:46:53 PM   SYSTEM   1668   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/16/2005 3:43:27 PM   SYSTEM   1624   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/15/2005 8:16:41 PM   SYSTEM   1612   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/16/2005 3:43:28 PM   SYSTEM   1624   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/16/2005 3:56:39 PM   SYSTEM   1660   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/16/2005 5:19:47 PM   SYSTEM   1828   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/16/2005 3:56:40 PM   SYSTEM   1660   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
2/15/2005 8:43:28 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\ltgdfk.dll" file. 
2/15/2005 8:43:26 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\kmnmha.dll" file. 
2/15/2005 8:43:26 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\klqceq.dll" file. 
2/15/2005 8:42:54 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\jyhzwh.dll\[Petite]" file. 
2/15/2005 8:42:54 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\jkwlbt.dll" file. 
2/15/2005 8:42:47 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\gbkkrd.dll" file. 
2/15/2005 8:42:33 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\dnedaq.dll" file. 
2/15/2005 8:40:56 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\cwykgz.dll\[Petite]" file. 
2/15/2005 8:40:52 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\chqnbz.dll" file. 
2/15/2005 8:37:48 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0111677.dll\[Petite]" file. 
2/15/2005 8:37:47 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0110674.dll\[Petite]" file. 
2/15/2005 8:37:46 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0109675.dll\[Petite]" file. 
2/15/2005 8:37:45 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0108677.dll\[Petite]" file. 
2/15/2005 8:37:30 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0108619.dll\[Petite]" file. 
2/15/2005 8:37:29 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0108591.dll\[Petite]" file. 
2/15/2005 8:37:27 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0108564.dll\[Petite]" file. 
2/15/2005 8:37:25 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0107565.dll\[Petite]" file. 
2/15/2005 8:37:24 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0106565.dll\[Petite]" file. 
2/15/2005 8:37:23 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0106537.dll" file. 
2/15/2005 8:37:22 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0106514.dll" file. 
2/15/2005 8:37:20 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0105510.dll" file. 
2/15/2005 8:37:19 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0105479.dll" file. 
2/15/2005 8:37:19 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0105458.dll" file. 
2/15/2005 8:37:18 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0105437.dll" file. 
2/15/2005 8:37:17 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0104431.dll" file. 
2/15/2005 8:37:17 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0104414.dll" file. 
2/15/2005 8:37:15 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0103411.dll" file. 
2/15/2005 8:37:14 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0103370.dll" file. 
2/15/2005 8:37:13 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0102370.dll" file. 
2/15/2005 8:37:13 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0101370.dll" file. 
2/15/2005 8:37:13 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0100370.dll" file. 
2/15/2005 8:37:12 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0099370.dll" file. 
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:42:18 AM
:-[
2/15/2005 8:37:10 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0098375.dll" file. 
2/15/2005 8:37:09 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0098341.dll" file. 
2/15/2005 8:37:09 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0097341.dll" file. 
2/15/2005 8:27:44 PM   Personal   5692   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\Documents and Settings\Personal\Local Settings\Temp\_avast4_\unp45742612.tmp\[Petite]" file. 
2/15/2005 8:42:42 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\WINDOWS\system32\drivers\usbine.sys" file. 
2/15/2005 8:37:48 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0111665.sys" file. 
2/15/2005 8:37:47 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0110666.sys" file. 
2/15/2005 8:37:46 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0109665.sys" file. 
2/15/2005 8:37:45 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0108666.sys" file. 
2/15/2005 8:37:30 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0108608.sys" file. 
2/15/2005 8:37:28 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0108580.sys" file. 
2/15/2005 8:37:26 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0108554.sys" file. 
2/15/2005 8:37:25 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0107554.sys" file. 
2/15/2005 8:37:23 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0106554.sys" file. 
2/15/2005 8:37:22 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0106527.sys" file. 
2/15/2005 8:37:22 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0106506.sys" file. 
2/15/2005 8:37:20 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0105504.sys" file. 
2/15/2005 8:37:19 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0105473.sys" file. 
2/15/2005 8:37:18 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0105452.sys" file. 
2/15/2005 8:37:18 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0105431.sys" file. 
2/15/2005 8:37:18 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0105430.sys" file. 
2/15/2005 8:37:17 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0104430.sys" file. 
2/15/2005 8:37:17 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0104408.sys" file. 
2/15/2005 8:37:15 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0103409.sys" file. 
2/15/2005 8:37:15 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0103408.sys" file. 
2/15/2005 8:37:14 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0103364.sys" file. 
2/15/2005 8:37:14 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0103363.sys" file. 
2/15/2005 8:37:13 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0102364.sys" file. 
2/15/2005 8:37:13 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0102363.sys" file. 
2/15/2005 8:37:13 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0101364.sys" file. 
2/15/2005 8:37:13 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0101363.sys" file. 
2/15/2005 8:37:12 PM   Personal   5692   Sign of "Win32:Small-EZD [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0100364.sys" file. 
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:42:56 AM
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:43:36 AM
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:45:05 AM
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:46:01 AM
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:46:26 AM
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:47:14 AM
This is all the viruses found... there are still a lot.....
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 08:22:46 AM
The date is not correct because my friend didn't set his PC date to the correct date..... but those are the viruses discovered these few days....
I finally ran a boot-time scan and found some trojans.... with System Restore off..... Then I scanned his PC after logging on with avast several times and found some adware on the 1st scan, then I found nothing on the 3rd and 4th scans... Does that mean it's safe? I already installed a firewall on his PC (Sunbelt) and it blocks something, I don't know what it is..... it just blocks it from accessing the internet.... What can I do for the following steps? :o
Title: Re: HELP!
Post by: DavidR on June 02, 2007, 02:48:32 PM
You haven't disabled System Restore as Tech suggested before that last scan; that is what puts _restore points in C:\System Volume Information. This is because files (infected or otherwise) in system folders that are deleted have a restore point created so they can be restored if you made a mistake.

If, as you say, you have disabled System Restore, you should reboot; this will clear ALL _restore points. Once you have disabled System Restore, reboot, scan your PC again and, if clear, enable System Restore. However, in your case it is probably best to leave it off for the time being as I doubt you are completely clear yet.

Having done a boot-time scan you should repeat the scans with the anti-rootkit tools and then with AVG-as, SuperAntiSpyware, Spyware Terminator (these from safe mode) and finally avast.
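As an added illustration of the point about _restore points (example code written for this edit, not avast's tooling or anything posted in the thread), here is a small Python parser for the avast warning-log format posted in this thread. It separates hits on live files from hits inside System Restore points and dedupes the same file logged under different path casing; the sample lines are constructed in that format.

```python
"""Triage an avast 4 warning log (constructed example for this thread).

Separates detections on live files from detections inside System Restore
points, which is the distinction made in the reply above: a long run of
\\_restore{GUID}\\RPnn\\A0...exe hits is restore-point copies of files that
were already removed, not a fresh set of infections.
"""
import re
from collections import Counter

# One avast warning-log line, as pasted in this thread:
#   <m/d/yyyy> <h:mm:ss AM|PM>   <user>   <pid>   Sign of "<name>" has been found in "<path>" file.
LOG_LINE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<detection>[^"]+)" has been found in "(?P<path>[^"]+)" file\.\s*$'
)
# avast appends the unpacker it used as a pseudo path component, e.g. ...\10.exe\[FSG]
PACKER_SUFFIX = re.compile(r'\\\[([^\]]+)\]$')
# Restore-point copies live under \System Volume Information\_restore{GUID}\RPnn\
RESTORE_POINT = re.compile(r'\\system volume information\\_restore\{[^}]+\}\\(rp\d+)\\', re.I)


def parse_line(line):
    """Return a dict for a detection line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['pid'] = int(rec['pid'])
    packer = PACKER_SUFFIX.search(rec['path'])
    rec['packer'] = packer.group(1) if packer else None
    if packer:
        rec['path'] = rec['path'][:packer.start()]   # drop the "\[FSG]" pseudo component
    rp = RESTORE_POINT.search(rec['path'])
    rec['restore_point'] = rp.group(1).upper() if rp else None
    return rec


def summarize(lines):
    """Group a log into what a responder wants to know first."""
    records = [r for r in map(parse_line, lines) if r]
    live = [r for r in records if r['restore_point'] is None]
    # NTFS paths are case-insensitive and avast logs the same file as
    # c:\windows\... in one session and C:\WINDOWS\... in another, so dedupe lowercase.
    live_files = sorted({r['path'].lower() for r in live})
    return {
        'parsed': len(records),
        'by_detection': Counter(r['detection'] for r in records),
        'live_files': live_files,
        'restore_point_hits': sum(1 for r in records if r['restore_point']),
        'restore_points': sorted({r['restore_point'] for r in records if r['restore_point']}),
        'scan_sessions': sorted({(r['user'], r['pid']) for r in records}),
        'packers': sorted({r['packer'] for r in records if r['packer']}),
    }


# Constructed sample in the format posted in this thread (two scan sessions,
# the same live file logged twice with different casing, two restore-point copies,
# and one line that is not a detection at all).
SAMPLE_LOG = r"""
2/15/2005 8:19:18 PM   Personal   2216   Sign of "Win32:Small-EKC [Trj]" has been found in "c:\windows\system32\ctfnom.exe\[FSG]" file. 
2/15/2005 8:01:53 PM   SYSTEM   1612   Sign of "Win32:Small-EKC [Trj]" has been found in "C:\WINDOWS\system32\ctfnom.exe\[FSG]" file. 
2/15/2005 8:37:48 PM   Personal   5692   Sign of "Win32:Small-EKC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP47\A0111680.exe\[FSG]" file. 
2/15/2005 8:37:14 PM   Personal   5692   Sign of "Win32:OnLineGames-SK [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP46\A0103379.exe" file. 
2/15/2005 8:16:42 PM   SYSTEM   1612   Sign of "Win32:OnLineGames-SK [Trj]" has been found in "C:\WINDOWS\system32\servhost.dll" file. 
some unrelated line that the parser must ignore
"""


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG.splitlines())
    print('parsed detections:', summary['parsed'])
    print('hits inside restore points:', summary['restore_point_hits'], summary['restore_points'])
    print('distinct live files still needing attention:')
    for path in summary['live_files']:
        print('  ', path)
    print('detections by name:', dict(summary['by_detection']))
```

The live-file list is the short list worth checking by hand; the restore-point hits disappear once System Restore is turned off and the machine rebooted, as the reply above says.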
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 03:36:04 PM
oh.... that scan was run before the system restore...

the files i scanned after system restore i will post later

sorry....
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 03:37:29 PM
i mean found after system restore...

Title: Re: HELP!
Post by: Lisandro on June 02, 2007, 04:23:27 PM
i mean found after system restore...
Disabling the System Restore will delete the infected points left behind and avoid reinfection.
If you restore an infected point, your system will be infected again.
I suggest you follow the previous points 1, 2, 3...
http://forum.avast.com/index.php?topic=28630.msg234219#msg234219
Title: Re: HELP!
Post by: DavidR on June 02, 2007, 05:16:20 PM
i mean found after system restore...

Did you reboot after disabling system restore? That is essential to clear the _restore points.
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:15:28 PM
yeah.... i did the boot time scan after disabling the system restore....
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 06:27:22 PM
after that i scanned with counter spy and found a backdoor and i removed it.... and some cookies... what are cookies? i also scanned with avg antirootkit and found nothing.... i think.... the trojan that kept coming is already gone.... i scanned his computer several times with avast and DR web and found nothing.... and now all the problem left is there is something accessing the internet... and it is blocked by the firewall...... i wonder what it is....
 ;)
Title: Re: HELP!
Post by: DavidR on June 02, 2007, 07:25:17 PM
Cookies generally are nothing to worry about, or are a low-level issue as in theory they can track activity. They are used by web sites to basically store user information, like last visit, preferred settings, etc.

If it is blocked by the firewall, then what is the file name being blocked (check the firewall logs)?

When you find the file name, do a windows search for it to find the location and also a google search on the file name.
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 07:42:02 PM
ooo..... then i can take no action on the cookies.. but the backdoor??? i heard that backdoors can steal private information, right?? how to do a windows search?? i'm not really good with computers..... sorry...
Title: Re: HELP!
Post by: DavidR on June 02, 2007, 08:03:46 PM
I didn't say take no action, simply that they are generally classed as low risk; there are some that set their browser to delete all cookies on shutdown. The choice has to be with the user when to delete cookies.

A windows search: use the search icon in Windows Explorer, or the Windows Start button, Search.

I assume, by the fact you are trying to find a file, that you have found out what was trying to get out; this was also asking you to tell us what it was (and we can then help too)?

I haven't a clue if you have a backdoor or not; the fact that your firewall is blocking an attempt to get out might point to not having a backdoor, or to that particular file not being a backdoor. The whole idea of a backdoor is to bypass your firewall.
Title: Re: HELP!
Post by: andy214ever on June 02, 2007, 08:14:34 PM
thanks... i will give u the file name that is blocked by the firewall later.... sorry for bothering u...
Title: Re: HELP!
Post by: DavidR on June 02, 2007, 09:30:56 PM
You're welcome, it isn't a bother.
Title: Re: HELP!
Post by: andy214ever on June 03, 2007, 10:54:42 AM
the condition is getting bad.... take a look at this...

6/3/2007 2:38:21 PM   SYSTEM   1684   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
6/3/2007 2:38:21 PM   SYSTEM   1684   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\WINDOWS\system32\msccrt.dll\[Petite]" file. 
6/3/2007 2:58:20 PM   SYSTEM   1804   Sign of "Win32:Cinmus-D [Adw]" has been found in "C:\WINDOWS\System32\winlib .dll" file. 
6/3/2007 2:58:20 PM   SYSTEM   1804   Sign of "Win32:Cinmus-D [Adw]" has been found in "C:\WINDOWS\system32\winlib .dll" file. 
6/3/2007 2:59:51 PM   SYSTEM   1804   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\7[1].exe" file. 
6/3/2007 2:59:51 PM   SYSTEM   1804   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\7.exe" file. 
6/3/2007 2:59:51 PM   SYSTEM   1804   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\7.exe" file. 
6/3/2007 3:05:21 PM   SYSTEM   1584   Sign of "Win32:Cinmus-D [Adw]" has been found in "C:\WINDOWS\System32\winlib .dll" file. 
6/3/2007 3:05:22 PM   SYSTEM   1584   Sign of "Win32:Cinmus-D [Adw]" has been found in "C:\WINDOWS\system32\winlib .dll" file. 
6/3/2007 3:06:21 PM   SYSTEM   1584   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\7.exe" file. 
6/3/2007 3:06:23 PM   SYSTEM   1584   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\7.exe" file. 
6/3/2007 3:06:36 PM   SYSTEM   1584   Sign of "Win32:Small-EKC [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\10[1].exe\[NsPack]" file. 
6/3/2007 3:06:36 PM   SYSTEM   1584   Sign of "Win32:Small-EKC [Trj]" has been found in "C:\WINDOWS\system32\10.exe\[NsPack]" file. 
6/3/2007 3:06:36 PM   SYSTEM   1584   Sign of "Win32:Small-EKC [Trj]" has been found in "C:\WINDOWS\system32\10.exe\[NsPack]" file. 
6/3/2007 3:06:38 PM   SYSTEM   1584   Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4DA30LU7\11[1].exe\[UPX]" file. 
6/3/2007 3:06:38 PM   SYSTEM   1584   Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\WINDOWS\system32\11.exe\[UPX]" file. 
6/3/2007 3:06:38 PM   SYSTEM   1584   Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\WINDOWS\system32\11.exe\[UPX]" file. 
6/3/2007 3:07:04 PM   SYSTEM   1584   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S1AR0TYN\qwetop[1].exe" file. 
6/3/2007 3:07:04 PM   SYSTEM   1584   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\WINDOWS\system32\qwetop.exe" file. 
6/3/2007 3:07:04 PM   SYSTEM   1584   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\WINDOWS\system32\qwetop.exe" file. 
6/3/2007 3:40:24 PM   Personal   5028   Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4DA30LU7\11[1].exe\[UPX]" file. 
6/3/2007 3:40:32 PM   Personal   5028   Sign of "Win32:Small-EKC [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\10[1].exe\[NsPack]" file. 
6/3/2007 3:40:35 PM   Personal   5028   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\7[1].exe" file. 
6/3/2007 3:40:38 PM   Personal   5028   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S1AR0TYN\qwetop[1].exe" file. 
6/3/2007 3:48:44 PM   Personal   5028   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP1\A0000016.dll\[Petite]" file. 
6/3/2007 3:49:00 PM   Personal   5028   Sign of "Win32:Small-FCC [Trj]" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP1\A0001039.dll\[Petite]" file. 
6/3/2007 3:49:20 PM   Personal   5028   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP1\A0002036.exe" file. 
6/3/2007 3:51:48 PM   Personal   5028   Sign of "Win32:Small-EKC [Trj]" has been found in "C:\WINDOWS\system32\10.exe\[NsPack]" file. 
6/3/2007 3:52:02 PM   Personal   5028   Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\WINDOWS\system32\11.exe\[UPX]" file. 
Title: Re: HELP!
Post by: andy214ever on June 03, 2007, 10:57:15 AM
6/3/2007 3:55:00 PM   Personal   5028   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\WINDOWS\system32\qwetop.exe" file. 
6/3/2007 4:36:11 PM   SYSTEM   1596   Sign of "Win32:Cinmus-D [Adw]" has been found in "C:\WINDOWS\System32\winlib .dll" file. 
6/3/2007 4:36:12 PM   SYSTEM   1596   Sign of "Win32:Cinmus-D [Adw]" has been found in "C:\WINDOWS\system32\winlib .dll" file. 
6/3/2007 4:38:02 PM   SYSTEM   1596   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\qwetop[1].exe" file. 
6/3/2007 4:38:02 PM   SYSTEM   1596   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\WINDOWS\system32\qwetop.exe" file. 
6/3/2007 4:38:02 PM   SYSTEM   1596   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\WINDOWS\system32\qwetop.exe" file. 
6/3/2007 4:38:42 PM   SYSTEM   1596   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S1AR0TYN\7[1].exe" file. 
6/3/2007 4:39:42 PM   SYSTEM   1596   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\7.exe" file. 
6/3/2007 4:40:32 PM   SYSTEM   1596   Sign of "Win32:Small-EKC [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\10[1].exe\[NsPack]" file. 
6/3/2007 4:42:06 PM   SYSTEM   1596   Sign of "Win32:Small-EKC [Trj]" has been found in "C:\WINDOWS\system32\10.exe\[NsPack]" file. 
6/3/2007 4:42:19 PM   SYSTEM   1596   Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\11[1].exe\[UPX]" file. 
6/3/2007 4:42:19 PM   SYSTEM   1596   Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\WINDOWS\system32\11.exe\[UPX]" file. 
6/3/2007 4:42:19 PM   SYSTEM   1596   Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\WINDOWS\system32\11.exe\[UPX]" file. 
6/3/2007 4:45:41 PM   SYSTEM   1832   Sign of "Win32:Cinmus-D [Adw]" has been found in "C:\WINDOWS\System32\winlib .dll" file. 
6/3/2007 4:45:41 PM   SYSTEM   1832   Sign of "Win32:Cinmus-D [Adw]" has been found in "C:\WINDOWS\system32\winlib .dll" file. 
6/3/2007 4:47:12 PM   SYSTEM   1832   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\qwetop[1].exe" file. 
6/3/2007 4:47:12 PM   SYSTEM   1832   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\WINDOWS\system32\qwetop.exe" file. 
6/3/2007 4:47:12 PM   SYSTEM   1832   Sign of "Win32:Lmir-MM [Trj]" has been found in "C:\WINDOWS\system32\qwetop.exe" file. 
6/3/2007 4:48:01 PM   SYSTEM   1832   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\7[1].exe" file. 


the firewall i installed has been disabled
i don't know why......

what have i done....????

help....
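To read a log like the one above the way the helpers in this thread do, here is an added example (not from the thread, and not avast's or ComboFix's code) that parses the avast 4 warning-log lines quoted here, collapses the repeated lines, and flags the two things the replies keep returning to: detections inside _restore points, and system32 files that come back across scanner sessions. The sample lines are copied from the log posted above; the location categories and the "one PID = one scanner session" rule are my assumptions.

```python
import re
from dataclasses import dataclass

# Layout of the avast 4 warning-log lines quoted in the thread, one detection each:
#   <date> <time> <account> <pid> Sign of "<signature>" has been found in "<path>" file.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<account>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.\s*$'
)
# avast appends the packer it looked inside as a pseudo path component, e.g. "\11.exe\[UPX]"
PACKER_RE = re.compile(r'\\\[[^\]]+\]$')


@dataclass(frozen=True)
class Detection:
    date: str
    time: str
    account: str   # "SYSTEM" = resident service, a user name = on-demand scan
    pid: int
    signature: str
    path: str      # on-disk path with the packer suffix removed
    packer: str    # "UPX", "NsPack", "Petite", ... or "" for an unpacked file


def parse_log(text):
    """Parse avast warning-log lines; lines in any other format are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        full = m['path']
        pk = PACKER_RE.search(full)
        packer = pk.group(0)[2:-1] if pk else ''      # "\[UPX]" -> "UPX"
        found.append(Detection(m['date'], m['time'], m['account'], int(m['pid']),
                               m['sig'], PACKER_RE.sub('', full), packer))
    return found


def classify(path):
    """Where the file lives decides which clean-up step actually gets rid of it
    (assumed categories, not avast's)."""
    p = path.lower()
    if '\\system volume information\\_restore' in p:
        return 'restore_point'   # only cleared by turning System Restore off and rebooting
    if '\\temporary internet files\\' in p:
        return 'browser_cache'   # the downloaded copy of the dropper
    if '\\windows\\system32\\' in p:
        return 'system32'        # the installed copy; reappearing here means re-dropped
    return 'other'


def summarize(detections):
    """Collapse repeated lines into one record per (signature, path)."""
    table = {}
    for d in detections:
        rec = table.setdefault((d.signature, d.path), {
            'location': classify(d.path), 'packer': d.packer, 'hits': 0, 'sessions': set()})
        rec['hits'] += 1
        rec['sessions'].add(d.pid)   # assumption: one PID = one scanner process/session
    return table


def reinfection_candidates(table, min_sessions=2):
    """system32 files reported by two or more separate scanner sessions: the dropper
    keeps reinstalling them, or they were never actually removed."""
    return sorted(path for (_, path), rec in table.items()
                  if rec['location'] == 'system32' and len(rec['sessions']) >= min_sessions)


def restore_point_hits(table):
    """Files inside _restore{...}: inert until that restore point is applied,
    which would reinfect the machine."""
    return sorted(path for (_, path), rec in table.items()
                  if rec['location'] == 'restore_point')


# Constructed sample: seven lines copied from the avast log posted in this thread.
SAMPLE_LOG = r"""
6/3/2007 2:59:51 PM   SYSTEM   1804   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4T6789MV\7[1].exe" file.
6/3/2007 2:59:51 PM   SYSTEM   1804   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\7.exe" file.
6/3/2007 2:59:51 PM   SYSTEM   1804   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\7.exe" file.
6/3/2007 3:06:38 PM   SYSTEM   1584   Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\WINDOWS\system32\11.exe\[UPX]" file.
6/3/2007 3:49:20 PM   Personal   5028   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume Information\_restore{D6814480-3694-4C18-8E6D-BE60E437082F}\RP1\A0002036.exe" file.
6/3/2007 3:52:02 PM   Personal   5028   Sign of "Win32:Delf-EJU [Trj]" has been found in "C:\WINDOWS\system32\11.exe\[UPX]" file.
6/3/2007 4:39:42 PM   SYSTEM   1596   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\7.exe" file.
"""

if __name__ == '__main__':
    table = summarize(parse_log(SAMPLE_LOG))
    for (sig, path), rec in sorted(table.items()):
        print(f"{sig:28} {rec['location']:14} hits={rec['hits']} "
              f"sessions={sorted(rec['sessions'])}  {path}")
    print('re-dropped in system32:', reinfection_candidates(table))
    print('inside restore points :', restore_point_hits(table))
```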
Title: Re: HELP!
Post by: essexboy on June 03, 2007, 01:40:27 PM
You have the Delf dropper trojan.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Title: Re: HELP!
Post by: andy214ever on June 03, 2007, 01:55:18 PM
how can i identify the trojan you have said??
Title: Re: HELP!
Post by: essexboy on June 03, 2007, 02:05:15 PM
Quote
"Win32:Delf-EJU"
as reported by Avast

If you download and run combofix we can start removing it
Title: Re: HELP!
Post by: andy214ever on June 03, 2007, 02:41:03 PM
ok...thanks....

can combofix remove other trojans?
Title: Re: HELP!
Post by: essexboy on June 03, 2007, 02:47:06 PM
Yes, it will also target Virtumondo, Wareout plus others.
Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 07:26:50 AM
"Personal" - 2007-06-04 13:06:13    Service Pack 2 
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Personal\Desktop\"


((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 08:15:24 AM
Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 08:16:36 AM
Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 08:17:11 AM
(((((((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ACPIDISK
-------\LEGACY_CDNPROT
-------\LEGACY_CELINDRV
-------\LEGACY_CNSMINKP
-------\LEGACY_ISPONER
-------\LEGACY_MSDEBUGSVC
-------\LEGACY_NPF
-------\LEGACY_RELATIONS
-------\LEGACY_UOVWRL
-------\LEGACY_YASKP
-------\acpidisk
-------\CelInDrv
-------\CnsMinKP
-------\iSPONER
-------\NPF
-------\uovwrl
-------\yaskp


(((((((((((((((((((((((((((((((   Files Created from 2007-05-04 to 2007-06-04  ))))))))))))))))))))))))))))))))))


2007-06-04 13:18   3,814   --a------   C:\WINDOWS\system32\3.exe
2007-06-04 13:18   14,848      C:\WINDOWS\system32\2.exe
2007-06-04 13:13   <DIR>   d--------   C:\DOCUME~1\Personal\APPLIC~1\Cuckoo
2007-06-03 17:50   <DIR>   d--------   C:\Program Files\Crawler
2007-06-03 17:06   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\APPLIC~1\Spyware Terminator
2007-06-03 17:05   524,288   --ah-----   C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-03 16:59   138,368   --a------   C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-06-03 16:59   <DIR>   d--------   C:\Program Files\Spyware Terminator
2007-06-03 16:59   <DIR>   d--------   C:\DOCUME~1\Personal\APPLIC~1\Spyware Terminator
2007-06-03 16:59   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-06-03 16:49   15,432   --a------   C:\WINDOWS\system32\dnnimq.dll
2007-06-03 16:47   8,727   --a------   C:\WINDOWS\lpdwzn.exe
2007-06-03 16:40   15,432   --a------   C:\WINDOWS\system32\lxyrjn.dll
2007-06-03 14:38   8,727   --a------   C:\WINDOWS\csmsmt.exe
2007-06-02 22:03   8,727   --a------   C:\WINDOWS\jttlsm.exe
2007-06-02 19:48   8,727   --a------   C:\WINDOWS\czbpnz.exe
2007-06-02 19:48   15,432   --a------   C:\WINDOWS\system32\zwwtvs.dll
2007-06-02 14:15   8,727   --a------   C:\WINDOWS\zfdfds.exe
2007-06-02 14:14   10,752   --a------   C:\WINDOWS\system32\ztinetzt.dll
2007-06-02 13:38   8,727   --a------   C:\WINDOWS\nujdxh.exe
2007-06-02 13:37   104   --a------   C:\WINDOWS\system32\Deleteme.bat
2007-06-02 13:07   95,872   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-06-02 13:07   94,552   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-02 13:07   85,952   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-02 13:07   745,600   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-06-02 13:07   43,176   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-02 13:07   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-02 13:07   26,888   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-02 13:07   23,416   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-02 13:02   <DIR>   d--------   C:\DOCUME~1\Personal\APPLIC~1\Comodo
2007-06-02 12:57   8,727   --a------   C:\WINDOWS\wazuxr.exe
2007-06-02 12:32   11,192   --a------   C:\WINDOWS\system32\drivers\gsrypjdt.sys
2007-06-02 12:27   8,727   --a------   C:\WINDOWS\xuuypb.exe
2007-06-02 12:27   8,436   --a------   C:\WINDOWS\system32\ztinetzt.exe
2007-06-02 12:21   <DIR>   d--------   C:\Program Files\Sunbelt Software
2007-05-28 16:29   113,364   --a------   C:\WINDOWS\system32\d02.exe
2007-05-26 11:18   <DIR>   d--------   C:\Program Files\GrandChase
2007-05-26 08:47   8,192   --a------   C:\WINDOWS\system32\nwizAsktao.dll
2007-05-25 12:09   6,656   ---h-----   C:\WINDOWS\system32\RAVMY523.dll
2007-05-09 18:22   <DIR>   d--------   C:\FunTown
2007-05-09 18:04   <DIR>   d--------   C:\Program Files\Crazy.com.tw
2007-05-05 13:10   4,682   --a------   C:\WINDOWS\system32\npptNT2.sys
2007-05-05 13:07   <DIR>   d--------   C:\Program Files\Gamania
2007-05-04 22:21   <DIR>   d--------   C:\Temp
Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 08:17:49 AM
((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 05:18:58   279,638   ----a-w   C:\WINDOWS\system32\7.exe
2007-06-04 05:18:54   49,152   ----a-w   C:\WINDOWS\system32\qwetop.exe
2007-06-04 05:13:26   --------   d-----w   C:\Program Files\Yahoo!
2007-06-04 04:36:47   15,432   ----a-w   C:\WINDOWS\system32\upxdnd.dll
2007-06-03 08:51:27   11,264   ----a-w   C:\WINDOWS\system32\nwizhx2.dll
2007-06-03 08:51:24   8,996   ----a-w   C:\WINDOWS\system32\nwizhx2.exe
2007-06-03 08:49:52   16,965   ----a-w   C:\WINDOWS\upxdnd.exe
2007-06-03 08:49:50   8,240   ----a-w   C:\WINDOWS\system32\mydata.exe
2007-06-03 07:06:28   16,896   ----a-w   C:\WINDOWS\system32\moyu103.dll
2007-06-02 04:51:11   --------   d-----w   C:\Program Files\MSN Messenger
2007-05-26 00:48:00   9,216   ----a-w   C:\WINDOWS\system32\dh2103.dll
2007-05-26 00:47:56   7,360   --sha-w   C:\WINDOWS\system32\nwizdh.exe
2007-05-24 08:29:51   --------   d-----w   C:\DOCUME~1\Personal\APPLIC~1\Google
2007-05-23 09:09:49   377,856   ----a-w   C:\WINDOWS\system32\netexe.exe
2007-05-09 10:04:24   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-26 02:21:34   72,624   ----a-w   C:\WINDOWS\system32\drivers\khips.sys
2007-04-26 02:21:30   302,000   ----a-w   C:\WINDOWS\system32\drivers\fwdrv.sys
2007-04-13 13:50:48   --------   d-----w   C:\Program Files\CP
2007-04-11 07:38:26   --------   d-----w   C:\Program Files\METAL SLUG 3
2007-04-04 10:20:06   --------   d-----w   C:\Program Files\hero
2007-03-31 04:44:42   286,720   ----a-w   C:\WINDOWS\iun506.exe
2007-03-20 09:25:01   20   ---ha-r   C:\WINDOWS\assist.dat
2007-03-08 11:44:23   3,082   ----a-w   C:\WINDOWS\system32\affv9869p2now.sys
2007-02-12 00:42:53   651,264   --sh--w   C:\WINDOWS\system32\_rejoice44.exe
2005-02-14 10:42:02   20,480   --sh--w   C:\WINDOWS\system32\gomvet.exe
2005-02-14 10:41:55   38,912   --sh--w   C:\WINDOWS\system32\servet.exe
2004-08-04 09:36:31   30,208   --sh--w   C:\WINDOWS\system32\bbqpri.dll
1900-05-26 00:47:33   7,388   --sha-w   C:\WINDOWS\system32\nwizAsktao.exe
1900-05-26 00:47:29   12,800   --sha-w   C:\WINDOWS\AVPSrv.exe
Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 08:18:31 AM
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}=C:\PROGRA~1\Crawler\Toolbar\ctbr.dll [2007-05-24 05:14]
{54EBD53A-9BC1-480B-966A-843A333CA162}=C:\WINDOWS\QQIEHelper.dll []
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\PROGRA~1\FlashGet\getflash.dll [2006-09-12 10:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 13:41]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-17 16:56]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 23:42]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-06-03 16:59]
"rxsa"="C:\DOCUME~1\Personal\LOCALS~1\Temp\rxso.exe" [2007-06-04 13:18]
"qjsa"="C:\DOCUME~1\Personal\LOCALS~1\Temp\qjso.exe" [2007-06-04 13:18]
"mhsa"="C:\DOCUME~1\Personal\LOCALS~1\Temp\mhso.exe" [2007-06-04 13:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:07]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"4jbbhd"=C:\WINDOWS\TEMP\c0nime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"RavMon"=C:\DOCUME~1\Personal\LOCALS~1\Temp\RavMonD.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}"="C:\WINDOWS\system32\msacn.dll" [2004-08-04 09:07]
"{62A612A4-4334-4424-4234-42261A31A238}"="C:\WINDOWS\system32\bbqpri.dll" [2004-08-04 17:36]
"{27622928-28E4-115D-40A0-0BBFE89C54D6}"="C:\WINDOWS\system32\zt.DLL" []
"{DE35052A-9E37-4827-A1EC-79BF400D27A4}"="C:\Program Files\Internet Explorer\PLUGINS\System64.aaa" [1900-02-14 18:42]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^百度下吧.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\百度下吧.lnk
backup=C:\WINDOWS\pss\百度下吧.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BaiduXUpdate]
"C:\Program Files\Baidu\BaiduX\MovieUpdate.exe" --Update

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
DevDetect.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DinerDashFotGSetup.exe]
C:\DOCUME~1\Personal\Desktop\DINERD~1.EXE /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\helper.dll]
C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Program Files\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yassistse]
"C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YLive.exe]
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
   

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 13:18:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\qwetop.exe
C:\WINDOWS\system32\7.exe

scan completed successfully
hidden files: 2


********************************************************************

Completion time: 2007-06-04 13:22:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-04 13:22

   --- E O F ---
Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 08:20:16 AM
ne\C\Program Files\Internet Explorer\PLUGINS\system64.jmp.vir
1987-02-12 14:10      81    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\Death.SiShen.vir
2003-02-21 04:42      348160    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\msvcr71.dll.vir
2003-03-18 20:14      499712    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\msvcp71.dll.vir
2003-03-18 22:12      1047552    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\mfc71u.dll.vir
2004-08-04 09:07      12800    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\uovwrl.dll.vir
2004-08-04 09:07      237568    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\cmwrj.dll.vir
2004-08-04 09:07      66417    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\zt.DLL.vir
2004-08-04 09:07      9344    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\uovwrl.sys.vir
2005-02-12 20:48      19968    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\SVCH0ST.EXE.vir
2005-02-14 13:31      886    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMinEx.ini.vir
2005-02-14 14:00      20    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\windows2.log.vir
2005-02-14 14:01      32    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\mprmsgse.axz.vir
2005-02-14 14:02      10030    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\irunin.dat.vir
2005-02-14 14:02      12331    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\irunin.lng.vir
2005-02-14 14:02      8134    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\irunin.bmp.vir
2005-02-14 14:03      212992    --a------    C:\Qoobox\Quarantine\C\WINDOWS\QQIEHelper.dll.vir
2005-02-14 14:03      60933    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ad_1993.exe.vir
2005-02-14 14:04      1420    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\STARTM~1\Programs\KKTONE\Uninstall KKTONE.lnk.vir
2005-02-14 14:04      14537    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\irunin.ini.vir
2005-02-14 14:04      39    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\pluglist.xml.vir
2005-02-14 14:04      91    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\ThirdSoftInfo2.vir
2005-02-14 18:22      185    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\DD95F06E.dat.vir
2005-02-14 18:33      30828    --a------    C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE.win.vir
2005-02-14 18:47      134    --a------    C:\Qoobox\Quarantine\C\WINDOWS\sysdn.ini.vir
2005-02-14 19:26      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\hitpop_tmp.txt.vir
2005-02-14 19:26      154    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\mywebhit.ini.vir
2005-02-14 19:26      4191    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\mywebhit.ini.tmp.vir
2005-02-15 20:00      1886    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\taobao.ico.vir
2005-02-15 20:00      5734    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\yahoomsg.ico.vir
2005-02-15 20:00      5734    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\ymail.ico.vir
2005-02-15 20:00      6526    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\sms.ico.vir
2005-02-15 20:06      7682    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsHook.dll.1.log.vir
2005-05-25 20:51      233472    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2005-05-25 20:51      61440    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\WanPacket.dll.vir
2005-05-25 20:51      81920    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir
2005-05-26 08:47      8350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Kvsc3.exe.vir
2005-08-29 16:03      2793472    --a------    C:\Qoobox\Quarantine\C\WINDOWS\InstAll.exe.vir
2006-05-23 15:25      239    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\10.gif.vir
2006-05-23 15:28      230    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\16.gif.vir
2006-05-23 15:29      240    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\3.gif.vir
2006-05-23 15:30      155    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\9.gif.vir
2006-05-23 15:30      262    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\20.gif.vir
2006-05-23 15:30      275    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\7.gif.vir
2006-06-04 12:47      617    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\6.gif.vir
2006-06-04 16:03      223    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\18.gif.vir
2006-06-06 07:24      628    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\11.gif.vir
2006-06-06 09:07      282    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\14.gif.vir
2006-06-06 09:12      619    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\15.gif.vir
2006-06-06 09:50      219    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\13.gif.vir
2006-06-06 10:59      281    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\22.gif.vir
2006-06-26 17:50      403    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\8.gif.vir
2006-06-26 17:50      416    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\17.gif.vir
2006-06-26 17:50      420    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\19.gif.vir
2006-09-06 16:31      51712    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\CnsMinKP.sys.vir
2006-09-18 11:34      661    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\1.gif.vir
2006-09-28 13:55      5017    --a------    C:\Qoobox\Quarantine\C\Program Files\3721\CNSMIN.DAT.vir
2006-11-15 16:36      5064    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yal01.dat.vir
2006-11-15 17:45      101816    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\Update\yzsnetproto.dll.vir
2006-11-15 17:46      28088    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\Update\yassisres.dll.vir
2006-11-15 17:46      28088    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yadwreg.dll.vir
2006-11-15 17:47      64952    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\Update\yascenter.exe.vir
2006-11-15 17:48      101816    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Update\ynotifier.dll.vir
2006-11-15 17:48      134584    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Update\yalliveex.dll.vir
2006-11-15 17:50      32184    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yxpstyle.dll.vir
2006-11-15 17:50      97720    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\Update\yphotoseasy.dll.vir
2006-11-15 17:51      28088    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yupdateok.dll.vir
2006-11-15 17:51      32184    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\ycnsdtu.dll.vir
2006-11-15 17:52      249272    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\ywiper.dll.vir
2006-11-24 11:16      44472    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Update\yscrblock.dll.vir
2006-12-03 19:35      105912    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yhelperup.dll.vir
2006-12-14 09:35      2162    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\sound.wav.vir
2006-12-14 09:35      25496    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\myrss.xml.vir
2006-12-14 09:35      334996    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yierepairn.dat.vir
2006-12-14 09:35      7645    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\float.gif.vir
2006-12-14 09:35      7974    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\filter.ini.vir
2006-12-14 13:55      101816    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yzsnetproto.dll.vir
2006-12-14 13:55      56760    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yadfilter.dll.vir
Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 08:20:48 AM
ne\C\Program Files\Yahoo!\ASSIST~1\yhelper.dll.vir
2006-12-14 13:57      134584    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yasnoad.dll.vir
2006-12-14 13:57      28088    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yassisres.dll.vir
2006-12-14 13:57      28088    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Shell\yIEAngel.dll.vir
2006-12-14 13:57      28088    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Shell\ysp.exe.vir
2006-12-14 13:57      294328    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yasierres.dll.vir
2006-12-14 13:57      36280    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yassistex.dll.vir
2006-12-14 13:57      40376    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Shell\yMenuInfo.dll.vir
2006-12-14 13:57      64952    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Shell\yAsMenu.dll.vir
2006-12-14 13:57      77240    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yassistse.exe.vir
2006-12-14 13:58      101816    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yeheocx.dll.vir
2006-12-14 13:58      196024    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yieares.dll.vir
2006-12-14 13:58      261560    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yieacore.dll.vir
2006-12-14 13:58      32184    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yasctrlh.dll.vir
2006-12-14 13:58      64952    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yascenter.exe.vir
2006-12-14 13:59      101816    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yNotifier.dll.vir
2006-12-14 13:59      134584    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yprockg.dll.vir
2006-12-14 13:59      134584    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yalLiveEx.dll.vir
2006-12-14 13:59      153866    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yiebwlist.dat.vir
2006-12-14 13:59      277944    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yrepair.dll.vir
2006-12-14 13:59      44472    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yscrblock.dll.vir
2006-12-14 13:59      64952    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yoptimum.dll.vir
2006-12-14 14:00      122296    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yphtb.dll.vir
2006-12-14 14:00      97720    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yphotoseasy.dll.vir
2006-12-14 14:01      146872    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yiesetres.dll.vir
2006-12-14 14:01      171448    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\ysearch.dll.vir
2006-12-14 14:01      191928    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yrss.dll.vir
2006-12-14 14:01      64440    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\ysettings.dll.vir
2006-12-14 14:02      85432    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\ymyweb.dll.vir
2006-12-14 14:03      155064    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\ymailp.dll.vir
2006-12-14 14:03      179640    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yieaUI.dll.vir
2006-12-14 14:51      167352    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yasiesec.dll.vir
2006-12-14 14:52      108472    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yasfsks.dll.vir
2006-12-16 18:03      20    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\YLive.exe.1.log.vir
2006-12-16 18:03      82    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\24.gif.vir
2006-12-16 18:03      86    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\23.gif.vir
2006-12-16 18:05      70904    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMinAL.cab.vir
2006-12-20 18:07      135168    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\cnshint.dll.vir
2006-12-20 18:07      49152    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\cnsplus.dll.vir
2006-12-21 09:40      331192    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yasbar0.dll.vir
2006-12-21 09:40      73144    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yassist.dll.vir
2006-12-21 09:43      142776    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yaswiper.dll.vir
2006-12-21 09:43      52664    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yassecblk.dll.vir
2006-12-21 09:43      52664    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Shell\yAssecblk.dll.vir
2006-12-21 17:39      17132    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\notify.wav.vir
2006-12-21 17:45      167352    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yangling.dll.vir
2006-12-21 17:55      24576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMinDT.dll.vir
2006-12-25 08:27      217    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yaskpsec.dat.vir
2006-12-28 14:39      331192    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yasbar.dll.vir
2006-12-30 15:08      69048    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\ylive.exe.vir
2006-12-30 15:11      130488    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yalive.dll.vir
2006-12-30 15:15      60856    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yclickonup.dll.vir
2006-12-30 15:15      64952    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yClickOn.dll.vir
2006-12-30 19:50      8111    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\profile\profile.xml.vir
2006-12-31 19:38      40376    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\ykern.dll.vir
2007-01-20 19:58      11021    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMinDT.cab.vir
2007-01-20 19:58      15574    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsPlus.cab.vir
2007-01-20 19:58      35563    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMinEx.cab.vir
2007-01-20 19:58      61315    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsHint.cab.vir
2007-01-20 19:58      78256    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cns.dat.vir
2007-01-24 18:59      45056    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\cnsio.dll.vir
2007-01-24 19:00      36864    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMinIO.dll.vir
2007-02-28 19:50      28672    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cns.exe.vir
2007-02-28 19:50      32768    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cns.dll.vir
2007-03-08 19:13      25260    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMinIO.cab.vir
2007-03-09 18:15      114688    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\TSConvert2U.dll.vir
Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 08:22:18 AM
2007-03-09 18:15      184320    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\KKToneAgent.exe.vir
2007-03-09 18:15      22016    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\ktoc.dll.vir
2007-03-09 18:15      53248    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\dmfa.dll.vir
2007-03-09 18:15      94208    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\KKTone_vis.dll.vir
2007-03-14 18:23      1781760    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\KKTone.exe.vir
2007-03-16 11:29      52664    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\ydragsearch.dll.vir
2007-03-16 16:29      8656    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yckrule.dat.vir
2007-03-16 20:02      204    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\ysearch.dll.1.log.vir
2007-03-20 10:47      13    --a------    C:\Qoobox\Quarantine\C\Program Files\KKTONE\KKTONE.ini.vir
2007-03-21 15:52      1768    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\Cns02.dat.vir
2007-03-28 16:50      108182    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMinUp.cab.vir
2007-04-06 16:23      32184    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yasrde.exe.vir
2007-04-06 16:23      36280    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yasrdd.dll.vir
2007-04-06 16:55      36280    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\ykeepmain.dll.vir
2007-04-06 16:55      63928    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\yaskp.sys.vir
2007-04-09 15:53      36864    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\keepmain.dll.vir
2007-04-09 20:46      74    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yasbar.dll.1.log.vir
2007-04-11 14:56      103981    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\keepmainM.cab.vir
2007-04-26 16:31      4896    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yphishrule.dat.vir
2007-05-08 11:14      186436    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\acpidisk.sys.vir
2007-05-10 14:10      218    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yckrule.ini.vir
2007-05-15 13:36      32667    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMinHK.cab.vir
2007-05-18 12:55      374    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yaLive.dll.1.log.vir
2007-05-24 15:42      8208    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsHook.dll.2.log.vir
2007-05-26 08:47      32512    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
2007-05-30 09:56      2385    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yphishbrule.dat.vir
2007-06-02 12:31      8149    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yassistnsw3.ini.vir
2007-06-02 12:32      919    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yalvsw3.ini.vir
2007-06-02 12:38      2560    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\mscpx32r.det.vir
2007-06-02 12:59      98    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\d3d1caps.SRG.vir
2007-06-03 08:04      106    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsUp.ini.vir
2007-06-03 08:04      137    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMin.ini.vir
2007-06-03 16:38      9623    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\CnsMinCg.ini.vir
2007-06-03 16:47      6656    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\Kvsc3.dll.vir
2007-06-03 20:12      13312    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\4.exe.vir
2007-06-04 11:41      10    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\~lu.dat.vir
2007-06-04 11:41      181    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\GetADParameter.vir
2007-06-04 11:41      181    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\GetAdType.vir
2007-06-04 11:41      196    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\AdList.vir
2007-06-04 11:41      2369    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\Assist\yassistn3.ini.vir
2007-06-04 11:41      33    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\AllUrlList.vir
2007-06-04 11:41      54    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\RelateKey.vir
2007-06-04 11:41      6834    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\adsend.vir
2007-06-04 11:41      814    --a------    C:\Qoobox\Quarantine\C\Program Files\Yahoo!\ASSIST~1\yalive3.ini.vir
2007-06-04 12:20      181    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\GetADID.vir
2007-06-04 13:00      37    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\adshow.dat.vir
2007-06-04 13:00      59    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Personal\APPLIC~1\Cuckoo\windows1.log.vir
2007-06-04 13:09      1002    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_YASKP.reg.cf
2007-06-04 13:09      1032    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf
2007-06-04 13:09      1038    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CNSMINKP.reg.cf
2007-06-04 13:09      1044    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CELINDRV.reg.cf
2007-06-04 13:09      1076    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_UOVWRL.reg.cf
2007-06-04 13:09      1100    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_ACPIDISK.reg.cf
2007-06-04 13:09      2404    --a------    C:\Qoobox\Quarantine\Registry_backups\services_NPF.reg.cf
2007-06-04 13:09      2430    --a------    C:\Qoobox\Quarantine\Registry_backups\services_uovwrl.reg.cf
2007-06-04 13:09      2578    --a------    C:\Qoobox\Quarantine\Registry_backups\services_yaskp.reg.cf
2007-06-04 13:09      2602    --a------    C:\Qoobox\Quarantine\Registry_backups\services_acpidisk.reg.cf
2007-06-04 13:09      2994    --a------    C:\Qoobox\Quarantine\Registry_backups\services_CnsMinKP.reg.cf
2007-06-04 13:09      3296    --a------    C:\Qoobox\Quarantine\Registry_backups\services_iSPONER.reg.cf
2007-06-04 13:09      804    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_ISPONER.reg.cf
2007-06-04 13:09      826    --a------    C:\Qoobox\Quarantine\Registry_backups\services_CelInDrv.reg.cf
2007-06-04 13:09      828    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_RELATIONS.reg.cf
2007-06-04 13:09      840    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_MSDEBUGSVC.reg.cf
2007-06-04 13:09      860    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CDNPROT.reg.cf

Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 08:22:54 AM
Code:
Folder PATH listing
Volume serial number is 5C40-B0FF
C:\QOOBOX
\---Quarantine
    +---C
    |   +---DOCUME~1
    |   |   +---ALLUSE~1
    |   |   |   \---STARTM~1
    |   |   |       \---Programs
    |   |   |           \---KKTONE
    |   |   |                   Uninstall KKTONE.lnk.vir
    |   |   |                   
    |   |   \---Personal
    |   |       \---APPLIC~1
    |   |           \---Cuckoo
    |   |                   AdList.vir
    |   |                   adsend.vir
    |   |                   adshow.dat.vir
    |   |                   AllUrlList.vir
    |   |                   GetADID.vir
    |   |                   GetADParameter.vir
    |   |                   GetAdType.vir
    |   |                   pluglist.xml.vir
    |   |                   RelateKey.vir
    |   |                   ThirdSoftInfo2.vir
    |   |                   windows1.log.vir
    |   |                   windows2.log.vir
    |   |                   ~lu.dat.vir
    |   |                   
    |   +---Program Files
    |   |   +---3721
    |   |   |       CNSMIN.DAT.vir
    |   |   |       
    |   |   +---3721.vir
    |   |   +---Internet Explorer
    |   |   |   |   IEXPLORE.win.vir
    |   |   |   |   
    |   |   |   \---PLUGINS
    |   |   |           system64.jmp.vir
    |   |   |           
    |   |   +---KKTONE
    |   |   |       dmfa.dll.vir
    |   |   |       irunin.bmp.vir
    |   |   |       irunin.dat.vir
    |   |   |       irunin.ini.vir
    |   |   |       irunin.lng.vir
    |   |   |       KKTone.exe.vir
    |   |   |       KKTONE.ini.vir
    |   |   |       KKToneAgent.exe.vir
    |   |   |       KKTone_vis.dll.vir
    |   |   |       ktoc.dll.vir
    |   |   |       mfc71u.dll.vir
    |   |   |       msvcp71.dll.vir
    |   |   |       msvcr71.dll.vir
    |   |   |       TSConvert2U.dll.vir
    |   |   |       
    |   |   \---Yahoo!
    |   |       \---ASSIST~1
    |   |           |   yal01.dat.vir
    |   |           |   yaLive.dll.1.log.vir
    |   |           |   yalive.dll.vir
    |   |           |   yalive3.ini.vir
    |   |           |   yalLiveEx.dll.vir
    |   |           |   yalvsw3.ini.vir
    |   |           |   yassistse.exe.vir
    |   |           |   yckrule.dat.vir
    |   |           |   yckrule.ini.vir
    |   |           |   yClickOn.dll.vir
    |   |           |   yclickonup.dll.vir
    |   |           |   yhelper.dll.vir
    |   |           |   YLive.exe.1.log.vir
    |   |           |   ylive.exe.vir
    |   |           |   yNotifier.dll.vir
    |   |           |   yscrblock.dll.vir
    |   |           |   
    |   |           +---Assist
    |   |           |   |   filter.ini.vir
    |   |           |   |   float.gif.vir
    |   |           |   |   myrss.xml.vir
    |   |           |   |   notify.wav.vir
    |   |           |   |   sound.wav.vir
    |   |           |   |   yadfilter.dll.vir
    |   |           |   |   yadwreg.dll.vir
    |   |           |   |   yangling.dll.vir
    |   |           |   |   yasbar.dll.1.log.vir
    |   |           |   |   yasbar.dll.vir
    |   |           |   |   yasbar0.dll.vir
    |   |           |   |   yascenter.exe.vir
    |   |           |   |   yasctrlh.dll.vir
    |   |           |   |   yasfsks.dll.vir
    |   |           |   |   yasierres.dll.vir
    |   |           |   |   yasiesec.dll.vir
    |   |           |   |   yaskpsec.dat.vir
    |   |           |   |   yasnoad.dll.vir
    |   |           |   |   yasrdd.dll.vir
    |   |           |   |   yasrde.exe.vir
    |   |           |   |   yassecblk.dll.vir
    |   |           |   |   yassisres.dll.vir
    |   |           |   |   yassist.dll.vir
    |   |           |   |   yassistex.dll.vir
    |   |           |   |   yassistn3.ini.vir
    |   |           |   |   yassistnsw3.ini.vir
    |   |           |   |   yaswiper.dll.vir
    |   |           |   |   ycnsdtu.dll.vir
    |   |           |   |   ydragsearch.dll.vir
    |   |           |   |   yeheocx.dll.vir
    |   |           |   |   yhelperup.dll.vir
    |   |           |   |   yieacore.dll.vir
    |   |           |   |   yieares.dll.vir
    |   |           |   |   yieaUI.dll.vir
    |   |           |   |   yiebwlist.dat.vir
    |   |           |   |   yierepairn.dat.vir
    |   |           |   |   yiesetres.dll.vir
    |   |           |   |   ykeepmain.dll.vir
    |   |           |   |   ykern.dll.vir
    |   |           |   |   ymailp.dll.vir
    |   |           |   |   ymyweb.dll.vir
    |   |           |   |   yoptimum.dll.vir
    |   |           |   |   yphishbrule.dat.vir
    |   |           |   |   yphishrule.dat.vir
    |   |           |   |   yphotoseasy.dll.vir
    |   |           |   |   yphtb.dll.vir
    |   |           |   |   yprockg.dll.vir
    |   |           |   |   yrepair.dll.vir
    |   |           |   |   yrss.dll.vir
    |   |           |   |   ysearch.dll.1.log.vir
    |   |           |   |   ysearch.dll.vir
    |   |           |   |   ysettings.dll.vir
    |   |           |   |   yupdateok.dll.vir
    |   |           |   |   ywiper.dll.vir
    |   |           |   |   yxpstyle.dll.vir
    |   |           |   |   yzsnetproto.dll.vir
    |   |           |   |   
    |   |           |   +---profile
    |   |           |   |       1.gif.vir
    |   |           |   |       10.gif.vir
    |   |           |   |       11.gif.vir
    |   |           |   |       13.gif.vir
    |   |           |   |       14.gif.vir
    |   |           |   |       15.gif.vir
    |   |           |   |       16.gif.vir
    |   |           |   |       17.gif.vir
    |   |           |   |       18.gif.vir
    |   |           |   |       19.gif.vir
    |   |           |   |       20.gif.vir
    |   |           |   |       22.gif.vir
    |   |           |   |       23.gif.vir
    |   |           |   |       24.gif.vir
    |   |           |   |       3.gif.vir
    |   |           |   |       6.gif.vir
    |   |           |   |       7.gif.vir
    |   |           |   |       8.gif.vir
    |   |           |   |       9.gif.vir
    |   |           |   |       profile.xml.vir
    |   |           |   |       
    |   |           |   \---Update
    |   |           |           yascenter.exe.vir
    |   |           |           yassisres.dll.vir
    |   |           |           yphotoseasy.dll.vir
    |   |           |           yzsnetproto.dll.vir
    |   |           |           
    |   |           +---Shell
    |   |           |       yAsMenu.dll.vir
    |   |           |       yAssecblk.dll.vir
    |   |           |       yIEAngel.dll.vir
    |   |           |       yMenuInfo.dll.vir
    |   |           |       ysp.exe.vir
    |   |           |       
    |   |           \---Update
    |   |                   yalliveex.dll.vir
    |   |                   ynotifier.dll.vir
    |   |                   yscrblock.dll.vir
    |   |                   
    |   \---WINDOWS
    |       |   hitpop_tmp.txt.vir
    |       |   InstAll.exe.vir
    |       |   Kvsc3.exe.vir
    |       |   QQIEHelper.dll.vir
    |       |   sysdn.ini.vir
    |       |   
    |       +---DOWNLO~1
    |       |       Cns02.dat.vir
    |       |       CnsHint.cab.vir
    |       |       cnshint.dll.vir
    |       |       CnsHook.dll.1.log.vir
    |       |       CnsHook.dll.2.log.vir
    |       |       cnsio.dll.vir
    |       |       CnsMin.ini.vir
    |       |       CnsMinAL.cab.vir
    |       |       CnsMinCg.ini.vir
    |       |       CnsMinDT.cab.vir
    |       |       CnsMinDT.dll.vir
    |       |       CnsMinEx.cab.vir
    |       |       CnsMinEx.ini.vir
    |       |       CnsMinHK.cab.vir
    |       |       CnsMinIO.cab.vir
    |       |       CnsMinIO.dll.vir
    |       |       CnsMinUp.cab.vir
    |       |       CnsPlus.cab.vir
    |       |       cnsplus.dll.vir
    |       |       CnsUp.ini.vir
    |       |       keepmain.dll.vir
    |       |       keepmainM.cab.vir
    |       |       sms.ico.vir
    |       |       taobao.ico.vir
    |       |       yahoomsg.ico.vir
    |       |       ymail.ico.vir
    |       |       
    |       \---system32
    |           |   4.exe.vir
    |           |   ad_1993.exe.vir
    |           |   cns.dat.vir
    |           |   cns.dll.vir
    |           |   cns.exe.vir
    |           |   d3d1caps.SRG.vir
    |           |   DD95F06E.dat.vir
    |           |   Death.SiShen.vir
    |           |   Kvsc3.dll.vir
    |           |   mprmsgse.axz.vir
    |           |   mscpx32r.det.vir
    |           |   mywebhit.ini.tmp.vir
    |           |   mywebhit.ini.vir
    |           |   Packet.dll.vir
    |           |   SVCH0ST.EXE.vir
    |           |   uovwrl.dll.vir
    |           |   WanPacket.dll.vir
    |           |   wpcap.dll.vir
    |           |   zt.DLL.vir
    |           |   
    |           +---drivers
    |           |       acpidisk.sys.vir
    |           |       CnsMinKP.sys.vir
    |           |       npf.sys.vir
    |           |       uovwrl.sys.vir
    |           |       yaskp.sys.vir
    |           |       
    |           \---wbem
    |                   cmwrj.dll.vir
    |                   
    \---Registry_backups
            LEGACY_ACPIDISK.reg.cf
            LEGACY_CDNPROT.reg.cf
            LEGACY_CELINDRV.reg.cf
            LEGACY_CNSMINKP.reg.cf
            LEGACY_ISPONER.reg.cf
            LEGACY_MSDEBUGSVC.reg.cf
            LEGACY_NPF.reg.cf
            LEGACY_RELATIONS.reg.cf
            LEGACY_UOVWRL.reg.cf
            LEGACY_YASKP.reg.cf
            services_acpidisk.reg.cf
            services_CelInDrv.reg.cf
            services_CnsMinKP.reg.cf
            services_iSPONER.reg.cf
            services_NPF.reg.cf
            services_uovwrl.reg.cf
            services_yaskp.reg.cf
           
Title: Re: HELP!
Post by: andy214ever on June 04, 2007, 08:23:29 AM
what to do next?

Title: Re: HELP!
Post by: TedNelly on June 04, 2007, 08:54:56 AM
Short answer
Perhaps read here
PC Pitstop Forums Re:Qoobox (http://forums.pcpitstop.com/rss.php?topic=127135)
ComboFix creates a folder called QooBox in C: (C:\QooBox). ... An empty folder called Qoobox has appeared on my C drive, dated Oct. 29.
Title: Re: HELP!
Post by: essexboy on June 04, 2007, 11:23:18 PM
Bear with me please, there is still a raft of infections there. Whilst you are waiting:

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop

I will give files and instructions soon
Title: Re: HELP!
Post by: essexboy on June 04, 2007, 11:47:53 PM
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\3.exe
C:\WINDOWS\system32\2.exe
C:\DOCUME~1\Personal\APPLIC~1\Cuckoo
C:\WINDOWS\system32\dnnimq.dll
C:\WINDOWS\lpdwzn.exe
C:\WINDOWS\system32\lxyrjn.dll
C:\WINDOWS\csmsmt.exe
C:\WINDOWS\jttlsm.exe
C:\WINDOWS\czbpnz.exe
C:\WINDOWS\system32\zwwtvs.dll
C:\WINDOWS\zfdfds.exe
C:\WINDOWS\system32\ztinetzt.dll
C:\WINDOWS\nujdxh.exe
C:\WINDOWS\system32\Deleteme.bat
C:\WINDOWS\wazuxr.exe
C:\WINDOWS\system32\drivers\gsrypjdt.sys
C:\WINDOWS\xuuypb.exe
C:\WINDOWS\system32\ztinetzt.exe
c:\WINDOWS\system32\RAVMY523.dll
C:\WINDOWS\system32\7.exe
C:\WINDOWS\system32\qwetop.exe
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\nwizhx2.dll
C:\WINDOWS\system32\nwizhx2.exe
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\system32\mydata.exe
C:\WINDOWS\system32\moyu103.dll
C:\WINDOWS\system32\dh2103.dll
C:\WINDOWS\system32\nwizdh.exe
C:\WINDOWS\system32\_rejoice44.exe
C:\WINDOWS\system32\gomvet.exe
C:\WINDOWS\system32\servet.exe
C:\WINDOWS\system32\bbqpri.dll
C:\WINDOWS\system32\nwizAsktao.exe
C:\WINDOWS\AVPSrv.exe
C:\WINDOWS\system32\qwetop.exe
C:\WINDOWS\system32\7.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

WARNING: these fixes are designed for this user only and may cause damage if run on an uninfected machine.



First we must back up the entire registry. To do this:

REGISTRY BACKUP

Go START > RUN and type in REGEDIT then press your enter key.
When Regedit is open ensure that 'my computer' is highlighted in the left pane.
Go to FILE and select EXPORT.
Check the 'all' button at the bottom of the screen to backup the entire registry.
You will need to select a location to save the exported registry (it will be saved as a single file). I would suggest the Desktop.
Choose the FILE NAME as Oldreg
In the drop down box called SAVE AS TYPE select registration files (*.reg).
Then click SAVE
This will create a file on your desktop called Oldreg.reg  (http://img127.imageshack.us/img127/433/regtg8.jpg)

REGISTRY FIX
Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rxsa"=-
"qjsa"=-
"mhsa"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"4jbbhd"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"RavMon"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{62A612A4-4334-4424-4234-42261A31A238}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{27622928-28E4-115D-40A0-0BBFE89C54D6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DE35052A-9E37-4827-A1EC-79BF400D27A4}]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop (http://img127.imageshack.us/img127/433/regtg8.jpg)

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

___________________________________

Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe)  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

We appear to be about halfway there at the moment. You have one of the new Chinese-type infections, so most of the removal will be manual.
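As an added example (it is not part of essexboy's instructions, nor a feature of any tool named in this thread), the Python script below dry-runs a REGEDIT4 fix file of the kind quoted above without touching the registry. It lists which keys the merge would delete (the `[-key]` lines), which values it would delete (the `"name"=-` lines), flags any line that would write data rather than delete it, and flags value lines that are not in the documented quoted form, since an unquoted name is the easiest mistake to make when retyping a fix. The sample fix embedded in it is constructed for the example and only mirrors the shape of the fix above; the script parses text only, so it runs on any OS.

```python
"""Dry-run a REGEDIT4 / "Windows Registry Editor Version 5.00" fix file.

Nothing here touches the registry: the script only parses the text you would
otherwise merge and reports what the merge would do.
"""
import re
from dataclasses import dataclass, field

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# A value line is  "name"=data  or  @=data  (the key's default value). The value
# name must be quoted; data of "-" means "delete this value".
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

# Constructed sample in the same shape as the fix posted above (assumption: value
# names quoted as the format documents them). It is not the thread's own fix.
SAMPLE_FIX = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rxsa"=-
"qjsa"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"RavMon"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}]
'''

# Constructed: an unquoted value name, which is not the documented syntax.
SAMPLE_UNQUOTED = "REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\nrxsa=-\n"


@dataclass
class RegPlan:
    deleted_keys: list = field(default_factory=list)     # whole keys removed via [-key]
    deleted_values: list = field(default_factory=list)   # (key, name) removed via "name"=-
    written_values: list = field(default_factory=list)   # (key, name, data) that would be SET
    warnings: list = field(default_factory=list)


def parse_reg_fix(text: str) -> RegPlan:
    plan = RegPlan()
    lines = text.splitlines()
    # regedit only recognises the file when the header is the very first line,
    # which is why the instructions say "no space above the REGEDIT4".
    if not lines or lines[0].strip() not in HEADERS:
        plan.warnings.append("header must be the first line of the file")
    current = None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line in HEADERS or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                plan.deleted_keys.append(key[1:])
                current = None   # value lines after a [-key] have nothing to apply to
            else:
                current = key
            continue
        if current is None:
            plan.warnings.append(f"line {n}: value line with no key to apply to: {line!r}")
            continue
        m = VALUE_RE.match(line)
        if not m:
            plan.warnings.append(f"line {n}: malformed value line (names must be quoted): {line!r}")
            continue
        name = "" if m.group("default") else m.group("name")
        data = m.group("data")
        if data == "-":
            plan.deleted_values.append((current, name))
        else:
            plan.written_values.append((current, name, data))
    return plan


def is_pure_cleanup(plan: RegPlan) -> bool:
    """A removal fix should only delete; any write or parse warning needs a human look."""
    return not plan.written_values and not plan.warnings


def summarize(plan: RegPlan) -> str:
    out = [f"delete key:   {k}" for k in plan.deleted_keys]
    out += [f"delete value: {k} -> {v or '(Default)'}" for k, v in plan.deleted_values]
    out += [f"WRITE value:  {k} -> {v or '(Default)'} = {d}" for k, v, d in plan.written_values]
    out += [f"WARNING: {w}" for w in plan.warnings]
    return "\n".join(out)


if __name__ == "__main__":
    for label, text in (("sample fix", SAMPLE_FIX), ("unquoted sample", SAMPLE_UNQUOTED)):
        p = parse_reg_fix(text)
        print(f"== {label}: pure cleanup = {is_pure_cleanup(p)}")
        print(summarize(p))
```

Run it against the fix.reg you are about to merge (replace `SAMPLE_FIX` with the file's contents) and merge only when it reports a pure cleanup; a WRITE line or a WARNING means the file does something other than remove the autostart entries listed in the post.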
Title: Re: HELP!
Post by: Lisandro on June 05, 2007, 03:17:18 AM
REGISTRY BACKUP
I suggest the automated ERUNT for this: http://www.larshederer.homepage.t-online.de/erunt/
Title: Re: HELP!
Post by: essexboy on June 05, 2007, 07:09:43 PM
I've never used that myself, Tech. Is it any good? Does it require the .NET framework to run? Probably a safer way to back up the registry though, but having said that, none of the changes I am making should cause any damage.

EDIT just looked at the link and bookmarked Ta
Title: Re: HELP!
Post by: Lisandro on June 05, 2007, 07:19:04 PM
I've never used that myself, Tech. Is it any good?
Any good? It is a fantastic tool... it has saved me more than once.
It can backup the registry AND restore it (the manual method won't restore all the Registry).
It can 'compact' (defragment) the registry too.

Does it require the .NET framework to run?
No. Just unpack it (unzip) and use it in a folder of your choice.
You can use command-line parameters too.

Probably a safer way to back up the registry though, but having said that none of the changes I am making should cause any damage
Your method won't allow a full restore of the registry like ERUNT will.
Title: Re: HELP!
Post by: essexboy on June 05, 2007, 09:56:09 PM
You have sold me Tech I will re-write my canned to incorporate ERUNT Thanks  ;D
Title: Re: HELP!
Post by: andy214ever on June 06, 2007, 08:38:53 AM
Bad news... my friend's PC has already been sent to be formatted........... :-\
Title: Re: HELP!
Post by: essexboy on June 06, 2007, 10:04:37 AM
No problem, as this looked like it was going to be a lengthy one.
Title: Re: HELP!
Post by: DavidR on June 06, 2007, 03:17:36 PM
Bad news... my friend's PC has already been sent to be formatted........... :-\

I feared this may ultimately be the case from your first post, which seems an eternity ago, but only a week.

hi..

How do I run the boot-time scan manually?
And I have a friend who... does not use any antivirus at all, for about 1 year... and now his PC is terribly slow :-\ and cannot log on... then I helped him log on in safe mode and installed avast on his PC... and scanned his PC... I'm shocked... why? Because there were about 50-60 viruses found, including adware and trojans. I followed the avast advice to move them to the chest... and avast advised me to run a boot-time scan because there is a dangerous virus in memory, but when I click yes to start the boot-time scan... it can't run... anybody help?

For such a long time without protection it is often better/safer to start from scratch, as I mentioned in my first reply. Hopefully they have learned a valuable lesson, and that they recognise your help and get you a few beers.

Quote from: DavidR
After so long their system is likely to be completely compromised with password stealers, backdoors, possibly rootkits hiding much more, etc. (you really have a task in front of you) that realistically they should be considering a format and start from scratch.