
Can't Connect To Internet Possibly B/c Of Malware


9 replies to this topic

#1 GoSensGo

Posted 11 November 2007 - 06:52 PM

We think we have recently caught some sort of virus or malware on our home computer. A couple of weeks ago, we saw popups asking us to install a Simplified Chinese language pack, which we did not do. Then, a couple of days later, while browsing the internet, several webpages randomly popped up with all sorts of Chinese characters. We think the websites originated from cdpf.org.cn (we did not click through to this site). We immediately ran Spybot, Adaware and Stinger and deleted the malware and viruses they found. They located Double Click, Media Plex, Web Trends Live, Win32OnLineGame and AlexaRelated, among others. Each time we ran these programs, we shut down and restarted until no new viruses or malware were identified in the logs. We also deleted all internet history, temp files, and recycle bin contents.

Now, we can no longer connect to the Internet. We are using a modem from Bell Canada (Sympatico). We tried to power off, reset, and restart the modem, but that did not help. We tried to ping several websites from the Command Prompt. We did receive a response from some, though lately everything we try to ping comes back as "Request Timed Out" or "Host not valid." We also attempted to connect to the Internet via Firefox. Initially this worked, but now we can no longer connect via Firefox either. We started up in Safe Mode and tried to launch the Internet from there, but still no luck.

More recently, we have received error messages when starting up the computer, saying that ccApp.exe, upidd.exe or dpmw32.exe generated errors and will be closed by Windows; a log file has been created. Once, we also received a Dr Watson fatal error message. We are also having difficulty launching programs from the Start Menu: when we attempt to do so, the computer freezes (the mouse does not seem to work from the Start Menu, but works everywhere else). We are able to launch programs from their respective Program Files folders via Explorer, but cannot use the Run function from the Start Menu.

We have also run Chkdsk.

The computer is running Windows 2000 NT.

Because we have no internet connection, we have to go back and forth from home to the office to post and view responses here.

Not sure if all these problems are related. We would appreciate any help or advice you can provide.

Here is a snapshot of ipconfig:

Ethernet adapter {9DF623F2-4FB6-481B-815D-E4833EDFFB11}:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NOC Extranet Access Adapter
Physical Address. . . . . . . . . : 44-45-53-54-42-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : no-domain-set.bellcanada
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-11-43-14-69-3C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1


Here is the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:57 PM, on 11/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\etlisrv.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wm.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\IGM.exe
C:\WINNT\swchost.exe
C:\WINNT\IGW.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\etlitr50.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\SMARTCTR.EXE
C:\lotus\smartctr\SUITEST.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_Canada.src"); (C:\Documents and Settings\YAMAMURD\Application Data\Mozilla\Profiles\default\ubinv4vg.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SecurityBanner] C:\WINAPPS\SecurityBanner\PWGSC.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IDD] C:\Winapps\Idd\upidd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinSysM] C:\WINNT\IGM.exe
O4 - HKLM\..\Run: [WinSysW] C:\WINNT\swchost.exe
O4 - HKLM\..\Run: [WinSys] C:\WINNT\IGW.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\sqmapi32.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\sqmapi32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194436251843
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O20 - AppInit_DLLs: rsztfpm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINNT\etlisrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Telephotsgoogle (Wdswsdewn) - Unknown owner - C:\WINNT\system32\serdst.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe

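A triage pass over the kind of HijackThis log posted above, written as an added example (it is not part of the post and not HijackThis code). It takes a handful of lines copied from the log, with some benign entries kept for contrast, and flags the categories an analyst looks at first: O10 unknown Winsock LSP entries, a populated O20 AppInit_DLLs value, O4 Run entries whose binary sits directly in C:\WINNT or whose name imitates a Windows process, Policies\Explorer\Run autostarts, and O23 services with no file-version owner running from system32. The directory list and the look-alike name list are illustrative assumptions, not a vetted signature set.

```python
"""Triage of a HijackThis 2.x log for the indicators discussed in this thread.

Added example; not part of the original post and not HijackThis code.
The sample lines are copied from the log posted above (benign entries kept
for contrast); every heuristic below is this example's own assumption.
"""
import ntpath
import re

# Constructed from the posted log; a few benign entries kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinSysM] C:\WINNT\IGM.exe
O4 - HKLM\..\Run: [WinSysW] C:\WINNT\swchost.exe
O4 - HKLM\..\Run: [WinSys] C:\WINNT\IGW.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\sqmapi32.dll
O20 - AppInit_DLLs: rsztfpm.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Telephotsgoogle (Wdswsdewn) - Unknown owner - C:\WINNT\system32\serdst.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directories where legitimate autostart binaries almost never live (assumption).
SYSTEM_ROOTS = {r"c:\winnt", r"c:\windows"}
# Filenames that imitate core Windows processes (assumption: short illustrative list).
LOOKALIKES = {"swchost.exe": "svchost.exe", "scvhost.exe": "svchost.exe",
              "lsas.exe": "lsass.exe", "csrsss.exe": "csrss.exe"}


def exe_path(cmd):
    """Return the executable part of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)     # unquoted path, possibly with spaces
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return a list of {section, reason, line} findings for an HJT log."""
    findings = []

    def flag(section, reason, line):
        findings.append({"section": section, "reason": reason, "line": line})

    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            # HJT could not attribute the DLL: a foreign layered provider sits
            # in the Winsock chain and sees every socket call.
            flag("O10", "unknown Winsock LSP provider", line)
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every process that links user32.dll.
            flag("O20", "AppInit_DLLs injection", line)
        elif (m := O4_RE.match(line)):
            path = exe_path(m["cmd"])
            base = ntpath.basename(path).lower()
            parent = ntpath.dirname(path).lower()
            if "policies\\explorer\\run" in m["key"].lower():
                flag("O4", "Policies\\Explorer\\Run autostart (rarely used legitimately)", line)
            if parent in SYSTEM_ROOTS:
                flag("O4", "executable placed directly in %SystemRoot%", line)
            if base in LOOKALIKES:
                flag("O4", f"name imitates {LOOKALIKES[base]}", line)
        elif (m := O23_RE.match(line)):
            if m["owner"].lower() == "unknown owner" and "\\system32\\" in m["path"].lower():
                flag("O23", "service without file-version owner running from system32", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}: {f['line']}")
```

Run against the sample, the Symantec, mobsync and internat entries stay quiet while IGM.exe, swchost.exe (reported twice: placed in C:\WINNT and imitating svchost.exe), IGW.exe, LYLeador.exe, sqmapi32.dll, rsztfpm.dll and serdst.exe are reported. ATI's unsigned hotkey poller trips the O23 rule as well; that rule is a review hint rather than a verdict, which is why each finding carries the original line for the analyst to judge.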

#2 GoSensGo (Topic Starter)

Posted 16 November 2007 - 09:04 AM

We posted almost a week ago but haven't received a reply. We would really appreciate some advice on how to fix our problems.

We haven't been able to use the internet from home for more than a week... We're starting to go through 'internet withdrawal.'

Just reposting in case we've been missed. The computer hasn't been used in about a week, so the HJT log is unchanged from the version previously posted below.

#3 Papakid (Malware Response Team)

Posted 25 November 2007 - 08:16 PM

Hi GoSensGo,

Our apologies for the long delay. You wouldn't believe how swamped everyone is in the malware removal community. You are definitely suffering from some serious infections. One reason your particular log has been passed over is that not much is known about the malware on your computer and, to be perfectly candid, the last few times I've worked on such infections on Win2k there was so much damage that a reformat would have been much easier.

First you should know that what little info is out there classifies the infection as a password stealer. You should immediately get to a known clean computer and change all your passwords. It may be that this malware is only interested in online games, to steal virtual goods among other goals, but if they can steal those passwords they can get any, so pay particular attention to passwords for financial institutions and any others where money changes hands, such as eBay.

If you are still connected to the modem, physically unplug it. Your LSP stack is apparently infected, which means there is still communication with the net, but the malware is filtering out what it wants to at the TCP/IP level.

Then before you do anything else, make backups of all your critical data.

The next step is to gather more information; please be patient as we work through this. Of course, you will have to transfer the files I need you to download from another computer; just be sure to put them on the desktop of the affected machine unless otherwise specified.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.


Please download Combofix to your desktop.

Double-click ComboFix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done.

Post this log in your next reply.


Two other files I want you to download and transfer, but do not run them just yet.

LSPFix
WinSockFix

Please post the requested logs and we should be able to get your internet back in the next round.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan

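Why an infected LSP chain matters, and why deleting the DLL on its own makes things worse, as an added example that is not part of the post above and is not LSPFix or WinSockFix code. It models the Winsock 2 provider catalog with the fields Winsock keeps for each entry (catalog entry ID, description, provider DLL, protocol chain: one ID for a base provider, none for a layered provider, several for a chain that must end in a base provider), audits it for foreign DLLs, DLLs missing from disk and chains that point at deleted entries, and then removes a provider the way a repair tool does, together with every chain routed through it. The catalog contents, the file list and the known-good DLL set are constructed for illustration.

```python
"""Model of the Winsock 2 provider catalog and the checks an LSP repair tool runs.

Added example, not code from LSPFix, WinSockFix or Windows.  Catalog contents,
the file list and the known-good DLL set are constructed for illustration.
"""

# Provider DLLs shipped with Windows 2000/XP (assumption: illustrative, not exhaustive).
KNOWN_GOOD_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nwprovau.dll"}

# Constructed catalog.  "chain" mirrors WSAPROTOCOL_INFO.ProtocolChain:
#   []                layered provider (ChainLen 0), never used on its own
#   [own id]          base provider (ChainLen 1), talks to the transport
#   [lsp, ..., base]  protocol chain; socket calls pass through each DLL in order
SAMPLE_CATALOG = [
    {"id": 1001, "desc": "MSAFD Tcpip [TCP/IP]", "dll": "mswsock.dll", "chain": [1001]},
    {"id": 1002, "desc": "MSAFD Tcpip [UDP/IP]", "dll": "mswsock.dll", "chain": [1002]},
    {"id": 1003, "desc": "RSVP TCP Service Provider", "dll": "rsvpsp.dll", "chain": [1003]},
    {"id": 1004, "desc": "sqmapi32 layered provider", "dll": "sqmapi32.dll", "chain": []},
    {"id": 1005, "desc": "sqmapi32 over [MSAFD Tcpip [TCP/IP]]", "dll": "sqmapi32.dll", "chain": [1004, 1001]},
    {"id": 1006, "desc": "sqmapi32 over [MSAFD Tcpip [UDP/IP]]", "dll": "sqmapi32.dll", "chain": [1004, 1002]},
]


def is_base(entry):
    return entry["chain"] == [entry["id"]]


def audit(catalog, files_on_disk):
    """Return (entry id, problem) pairs: foreign DLLs, DLLs missing from disk,
    chains that reference deleted entries or do not end in a base provider."""
    by_id = {e["id"]: e for e in catalog}
    present = {f.lower() for f in files_on_disk}
    problems = []
    for e in catalog:
        dll = e["dll"].lower()
        if dll not in KNOWN_GOOD_DLLS:
            problems.append((e["id"], f"foreign provider DLL {e['dll']}"))
        if dll not in present:
            problems.append((e["id"], f"provider DLL {e['dll']} missing on disk"))
        chain = e["chain"]
        if len(chain) > 1:
            gone = [cid for cid in chain if cid not in by_id]
            if gone:
                problems.append((e["id"], f"chain references deleted entries {gone}"))
            elif not is_base(by_id[chain[-1]]):
                problems.append((e["id"], "chain does not end in a base provider"))
    return problems


def remove_provider(catalog, dll):
    """Remove every entry backed by `dll` and every chain routed through one of
    them.  This is the catalog repair a tool must do; deleting the file alone
    leaves entries behind that Winsock can no longer load."""
    doomed = {e["id"] for e in catalog if e["dll"].lower() == dll.lower()}
    return [e for e in catalog
            if e["id"] not in doomed and not doomed.intersection(e["chain"])]


def scenario():
    """The thread's situation in three states: LSP installed, DLL deleted by a
    scanner with the catalog untouched, catalog repaired."""
    files = {"mswsock.dll", "rsvpsp.dll", "sqmapi32.dll"}
    infected = audit(SAMPLE_CATALOG, files)
    files_after_scan = files - {"sqmapi32.dll"}
    broken = audit(SAMPLE_CATALOG, files_after_scan)
    repaired = audit(remove_provider(SAMPLE_CATALOG, "sqmapi32.dll"), files_after_scan)
    return infected, broken, repaired


if __name__ == "__main__":
    labels = ("infected", "after file deletion", "after catalog repair")
    for label, problems in zip(labels, scenario()):
        print(f"{label}: {len(problems)} problem(s)")
        for entry_id, problem in problems:
            print(f"  {entry_id}: {problem}")
```

scenario() walks the thread's situation: with sqmapi32.dll installed, every TCP and UDP socket is created through the foreign DLL before reaching mswsock.dll, which is the position from which a password stealer reads or drops traffic; after a scanner deletes the file but leaves the catalog alone, the three chain entries point at a DLL that no longer exists, Winsock cannot initialise the chain and applications fail to open sockets, which is the "ran the cleaners, now nothing connects" symptom; after remove_provider() the audit is clean. LSPFix and WinSockFix perform this repair on the real catalog data under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9; on XP SP2 and later `netsh winsock reset` rebuilds the catalog the same way.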

#4 GoSensGo (Topic Starter)

Posted 26 November 2007 - 11:48 PM

Thanks in advance for whatever help you are able to provide.

We're not sure how to log onto an account with administrator privileges. In any event, we still ran DSS and here is the log file (first main, then extra):

Deckard's System Scanner v20071014.68
Run by yamamurd on 2007-11-26 22:34:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as yamamurd.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:42 PM, on 11/26/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\etlisrv.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wm.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\IGM.exe
C:\WINNT\swchost.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
C:\WINNT\IGW.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\etlitr50.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\SMARTCTR.EXE
C:\lotus\smartctr\SUITEST.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Documents and Settings\yamamurd\Desktop\dss.exe
C:\DOCUME~1\yamamurd\Desktop\yamamurd.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_Canada.src"); (C:\Documents and Settings\YAMAMURD\Application Data\Mozilla\Profiles\default\ubinv4vg.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SecurityBanner] C:\WINAPPS\SecurityBanner\PWGSC.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IDD] C:\Winapps\Idd\upidd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinSysM] C:\WINNT\IGM.exe
O4 - HKLM\..\Run: [WinSysW] C:\WINNT\swchost.exe
O4 - HKLM\..\Run: [WinSys] C:\WINNT\IGW.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\sqmapi32.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\sqmapi32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194436251843
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O20 - AppInit_DLLs: kvdxhma.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINNT\etlisrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Telephotsgoogle (Wdswsdewn) - Unknown owner - C:\WINNT\system32\serdst.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe

--
End of file - 10426 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NICM (Novell InterService Communication Driver) - c:\winnt\system32\drivers\nicm.sys <Not Verified; Novell, Inc.; Novell XTier for Windows>
R0 NWFILTER (Novell UNC Path Filter) - c:\winnt\system32\netware\nwfilter.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 Isecdrv - c:\winnt\system32\drivers\isecdrv.sys <Not Verified; Intel Corporation; Intel Security Driver>
R2 NetwareWorkstation (Novell Client for Windows) - c:\winnt\system32\netware\nwfs.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 NWDHCP (Novell DHCP Inform Client) - c:\winnt\system32\netware\nwdhcp.sys
R2 PMEM - c:\winnt\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 RESMGR (Novell NetWare Resource Manager) - c:\winnt\system32\netware\resmgr.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 SRVLOC (Novell Service Location) - c:\winnt\system32\netware\srvloc.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 Eacfilt (Eacfilt Miniport) - c:\winnt\system32\drivers\eacfilt.sys <Not Verified; Nortel Networks; Filter Driver for CVC>
R3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\winnt\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client>
R3 NWSNS (Novell Simple Naming Services) - c:\winnt\system32\netware\nwsns.sys

S2 IPSECEXT (Nortel Extranet Access Protocol) - c:\winnt\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client>
S2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:\winnt\system32\netware\nwsipx32.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 NWDNS (Novell DNS Name Space Service Provider) - c:\winnt\system32\netware\nwdns.sys
S3 NWHOST (Novell Host File Name Space Service Provider) - c:\winnt\system32\netware\nwhost.sys
S3 NWSAP (Novell SAP Name Space Provider) - c:\winnt\system32\netware\nwsap.sys
S3 NWSLP (Novell SLP Name Space Service Provider) - c:\winnt\system32\netware\nwslp.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 cusrvc (Client Update Service for Novell) - c:\winnt\system32\cusrvc.exe <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 ELIService (Entrust Login Interface) - c:\winnt\etlisrv.exe <Not Verified; Entrust®; Entrust/Entelligence>
R2 spkrmon - c:\program files\analog devices\soundmax\spkrmon.exe <Not Verified; ; spkrmon Module>
R2 WM (Novell Workstation Manager) - c:\winnt\system32\wm.exe <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 SBHookSvc - c:\progra~1\netass~1\smartb~1\sbhooksvc.exe <Not Verified; Motive Communications, Inc.; Sympatico NetAssistant>

S2 Wdswsdewn (Telephotsgoogle) - c:\winnt\system32\serdst.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-02 09:00:01 274 --a------ C:\WINNT\Tasks\Live Update.job
2006-03-06 11:48:06 828 --a------ C:\WINNT\Tasks\System State.job


-- Files created between 2007-10-26 and 2007-11-26 -----------------------------

2007-11-25 20:17:39 0 d-------- C:\Program Files\Common Files\SWF Studio
2007-11-25 20:12:50 0 d-------- C:\Documents and Settings\yamamurd\Application Data\U3
2007-11-18 18:44:30 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_794.dat
2007-11-08 07:32:15 22928 --a------ C:\Privilege.dat
2007-11-07 23:23:58 12020 --a------ C:\WINNT\system32\LYLOADER.EXE
2007-11-07 22:56:15 0 d-------- C:\Documents and Settings\yamamurd\.housecall6.6
2007-11-07 22:38:43 0 d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 22:33:27 18072 --a------ C:\WINNT\system32\15.exe
2007-11-07 22:33:19 13893 --a------ C:\WINNT\system32\12.exe
2007-11-07 22:33:07 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2a4.dat
2007-11-07 22:24:56 0 d-------- C:\Program Files\Lavasoft
2007-11-07 22:24:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 22:24:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 17:28:21 6357 ---hs---- C:\WINNT\system32\wdatl.dll
2007-11-07 06:51:22 0 d-------- C:\WINNT\SoftwareDistribution
2007-11-07 06:50:33 14480 ---hs---- C:\WINNT\system32\tlatl.dll
2007-11-07 06:50:30 10176 ---hs---- C:\WINNT\system32\wlatl.dll
2007-11-07 06:50:15 8644 ---hs---- C:\WINNT\system32\gjatl.dll
2007-11-07 06:50:10 8510 ---hs---- C:\WINNT\system32\qjatl.dll
2007-11-07 06:50:05 8634 ---hs---- C:\WINNT\system32\zxatl.dll
2007-11-06 17:48:44 9458 ---hs---- C:\WINNT\system32\dh3atl.dll
2007-11-06 17:48:40 5751 ---hs---- C:\WINNT\system32\jzatl.dll
2007-11-06 17:48:36 9864 ---hs---- C:\WINNT\system32\dhatl.dll
2007-11-06 17:48:26 19600 ---hs---- C:\WINNT\system32\qqhxatl.dll
2007-11-06 17:48:18 5607 ---hs---- C:\WINNT\system32\djatl.dll
2007-11-06 17:47:32 10679 ---hs---- C:\WINNT\system32\rxjhatl.dll
2007-11-06 17:47:31 22928 --a------ C:\WINNT\system32\LYLOADMR.EXE
2007-11-06 17:47:30 6784 --a------ C:\WINNT\system32\mseam.sys
2007-11-06 17:47:21 9398 ---hs---- C:\WINNT\system32\zhtuatl.dll
2007-11-06 17:47:15 6885 ---hs---- C:\WINNT\system32\myatl.dll
2007-11-06 17:47:12 4508 --a------ C:\WINNT\system32\sqmapi32.dll
2007-11-04 18:32:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2007-11-04 18:02:03 0 d-------- C:\Documents and Settings\Default User\Application Data\Google
2007-11-04 12:56:12 20 --a------ C:\mhsha1.dat
2007-11-04 12:56:05 2214 --a------ C:\WINNT\system32\SHQMANGR.DLL
2007-11-04 12:56:05 43008 --a------ C:\WINNT\system32\SHQ.DLL
2007-11-04 12:56:04 20 --a------ C:\WINNT\system32\mhsha1.dat
2007-11-04 11:27:41 14907 --a------ C:\WINNT\system32\kvdxsfis.exe
2007-11-04 11:27:41 98 --a------ C:\WINNT\system32\kvdxsfcf.dll
2007-11-04 11:27:34 52 --a------ C:\WINNT\system32\rsjzcfg.dll
2007-11-04 11:27:33 15049 --a------ C:\WINNT\system32\rsjzcsp.exe
2007-11-04 11:27:29 15085 --a------ C:\WINNT\system32\kvdxhis.exe
2007-11-04 11:27:29 50 --a------ C:\WINNT\system32\kvdxhcf.dll
2007-11-04 11:27:25 14552 --a------ C:\WINNT\system32\ratbgtl.exe
2007-11-04 11:27:25 58 --a------ C:\WINNT\system32\ratbgni.dll
2007-11-04 11:27:24 49 --a------ C:\WINNT\system32\avwldin.dll
2007-11-04 11:27:23 15145 --a------ C:\WINNT\system32\avwldst.exe
2007-11-04 11:27:14 70449 ---hs---- C:\WINNT\IGW.exe
2007-11-04 11:27:14 50862 --ahs---- C:\WINNT\49400WO.DLL
2007-11-04 11:27:10 54 --a------ C:\WINNT\system32\kaqhhcs.dll
2007-11-04 11:27:09 14739 --a------ C:\WINNT\system32\kaqhhaz.exe
2007-11-04 11:26:49 51 --a------ C:\WINNT\system32\kapjdcs.dll
2007-11-04 11:26:49 15023 --a------ C:\WINNT\system32\kapjdaz.exe
2007-11-04 11:26:47 56 --a------ C:\WINNT\system32\sidjbcs.dll
2007-11-04 11:26:46 14239 --a------ C:\WINNT\system32\sidjbaz.exe
2007-11-04 11:26:44 15519 --a------ C:\WINNT\system32\avwgest.exe
2007-11-04 11:26:44 49 --a------ C:\WINNT\system32\avwgein.dll
2007-11-04 11:26:39 15371 --a------ C:\WINNT\system32\raqjdtl.exe
2007-11-04 11:26:39 52 --a------ C:\WINNT\system32\raqjdni.dll
2007-11-04 11:26:36 15728 --a------ C:\WINNT\system32\avzxest.exe
2007-11-04 11:26:19 89393 ---hs---- C:\WINNT\swchost.exe
2007-11-04 11:26:18 42801 --a------ C:\WINNT\49400WL.DLL
2007-11-04 11:26:08 67377 --a------ C:\WINNT\IGM.exe
2007-11-04 11:26:08 43313 --ahs---- C:\WINNT\49400MM.DLL
2007-11-04 11:26:05 15015 --a------ C:\WINNT\system32\rarjdtl.exe
2007-11-04 11:26:05 55 --a------ C:\WINNT\system32\rarjdni.dll
2007-11-04 11:26:04 52 --a------ C:\WINNT\system32\kawdccs.dll
2007-11-04 11:26:04 14686 --a------ C:\WINNT\system32\kawdcaz.exe
2007-11-04 11:26:02 16221 --a------ C:\WINNT\system32\rsztfsp.exe
2007-11-04 11:26:02 62 --a------ C:\WINNT\system32\rsztffg.dll
2007-11-04 11:26:01 15832 --a------ C:\WINNT\system32\rsmygsp.exe
2007-11-04 11:26:01 51 --a------ C:\WINNT\system32\rsmygfg.dll
2007-11-04 11:26:01 5973 --a------ C:\WINNT\system32\MSDEG32.DLL
2007-11-04 11:26:00 3530 --a------ C:\WINNT\system32\LYMANGR.DLL
2007-11-04 11:25:58 20704 --a------ C:\WINNT\system32\0.exe
2007-11-04 11:24:55 37888 ---hs---- C:\WINNT\system32\serdst.exe


-- Find3M Report ---------------------------------------------------------------

2007-11-26 22:31:23 0 d-------- C:\Program Files\Symantec AntiVirus
2007-11-25 20:17:39 0 d-a------ C:\Program Files\Common Files
2007-11-09 20:14:40 447 --a------ C:\Program Files\INSTALL.LOG
2007-11-04 11:27:44 362496 -----n--- C:\WINNT\system32\kaqhhzy.dll
2007-10-24 08:20:53 0 d-------- C:\Documents and Settings\yamamurd\Application Data\Image Zone Express
2007-10-08 09:28:35 0 d-------- C:\Program Files\Common Files\Nullsoft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/20/03 03:00a C:\WINNT\system32\mobsync.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05/25/04 10:35p]
"SecurityBanner"="C:\WINAPPS\SecurityBanner\PWGSC.exe" [11/02/04 06:07a]
"NDPS"="C:\WINNT\system32\dpmw32.exe" [01/21/00 02:47a]
"NWTRAY"="NWTRAY.EXE" [03/12/02 10:37a C:\WINNT\system32\nwtray.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/17/05 08:32p]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/24/05 05:21p]
"IDD"="C:\Winapps\Idd\upidd.exe" [03/07/06 10:14a]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [10/22/04 02:13p]
"StandardInstall"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [12/15/06 03:23a]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [09/23/05 11:08p]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/03/07 05:38p]
"WinSysM"="C:\WINNT\IGM.exe" [11/07/07 10:32p]
"WinSysW"="C:\WINNT\swchost.exe" [11/07/07 10:32p]
"WinSys"="C:\WINNT\IGW.exe" [11/04/07 11:27a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [06/20/03 03:00a C:\WINNT\system32\internat.exe]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/17/07 05:37p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Entrust.lnk - C:\WINNT\system32\etlitr50.exe [3/6/2006 1:33:40 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/23/2005 11:28:44 PM]
Lotus Organizer EasyClip.lnk - C:\lotus\organize\easyclip.exe [7/25/2001 9:05:08 AM]
Lotus QuickStart.lnk - C:\lotus\wordpro\ltsstart.exe [8/14/2001 5:16:14 AM]
Lotus SmartCenter.lnk - C:\lotus\smartctr\SMARTCTR.EXE [4/25/2000 8:08:08 AM]
Lotus SuiteStart.lnk - C:\lotus\smartctr\SUITEST.EXE [4/23/1999 7:02:04 AM]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [6/18/2006 4:23:08 PM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [3/6/2006 12:05:44 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"MSDCG32 "=LYLeador.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= qvphook.dll [ ]
"{ED0ACB58-556F-21DA-DDFE-6D20F3F611BB}"= C:\WINNT\system32\kb1111p.dll [12/31/98 07:01p 40960]
"{7E32FA58-3453-FA2D-BC49-F340348ACCE7}"= C:\WINNT\system32\rsmygpm.dll [08/03/04 08:57p 23378]
"{634345F1-DACF-3452-CB7D-4620F34A1536}"= C:\WINNT\system32\rsztfpm.dll [08/03/04 08:57p 23912]
"{38907901-1416-3389-9981-372178569983}"= C:\WINNT\system32\kawdczy.dll [08/03/04 08:57p 20820]
"{4598FF45-DA60-F48A-BC43-10AC47853D54}"= C:\WINNT\system32\rarjdpi.dll [08/03/04 08:57p 21850]
"{44783410-4F90-34A0-7820-3230ACD05F44}"= C:\WINNT\system32\raqjdpi.dll [08/04/04 11:26a 22868]
"{5A1247C1-53DA-FF43-ABD3-345F323A48D5}"= C:\WINNT\system32\avwgemn.dll [08/04/04 11:26a 22862]
"{28847374-8323-FADC-B443-4732ABCD3782}"= C:\WINNT\system32\sidjbzy.dll [08/04/04 11:26a 20316]
"{4A321487-4977-D98A-C8D5-6488257545A4}"= C:\WINNT\system32\kapjdzy.dll [08/04/04 11:26a 22354]
"{87D81718-1314-5200-2597-587901018078}"= C:\WINNT\system32\kaqhhzy.dll [11/04/07 11:27a 362496]
"{4960356A-458E-DE24-BD50-268F589A56A4}"= C:\WINNT\system32\avwldmn.dll [08/04/04 11:27a 23114]
"{76650011-3344-6688-4899-345FABCD1567}"= C:\WINNT\system32\ratbgpi.dll [08/04/04 11:27a 20832]
"{8C87A354-ABC3-DEDE-FF33-3213FD7447C8}"= C:\WINNT\system32\kvdxhma.dll [08/04/04 11:27a 21840]
"{32FAACDE-34DA-CCD4-AB4D-DA34485A3423}"= C:\WINNT\system32\rsjzcpm.dll [08/04/04 11:27a 21844]
"{6D561258-45F3-A451-F908-A258458226D6}"= C:\WINNT\system32\kvdxsfma.dll [08/04/04 11:27a 21424]
"{5859245F-345D-BC13-AC4F-145D47DA34F5}"= C:\WINNT\system32\avzxemn.dll [08/04/04 11:26a 23904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=rsztfpm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2007-11-26 22:36:12 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 1022.07 MiB / 721.14 MiB
Pagefile Memory (total/avail): 2460.12 MiB / 2193.53 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.21 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.5 GiB total, 64.12 GiB free.
D: is CDROM (No Media)
E: is Fixed (FAT32) - 37.24 GiB total, 36.65 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD800JD-75JNA0 - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:

\\.\PHYSICALDRIVE1 - FUJITSU MHT2040AH USB Device - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 37.25 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is not configured.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\yamamurd\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=A372451
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\A372451
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Oracle\Oracle.81\bin;C:\WINNT\system32\nls;C:\WINNT\system32\nls\ENGLISH
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\yamamurd\LOCALS~1\Temp
TMP=C:\DOCUME~1\yamamurd\LOCALS~1\Temp
USERDOMAIN=A372451
USERNAME=yamamurd
USERPROFILE=C:\Documents and Settings\yamamurd
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

yamamurd (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\NETASS~1\Uninstall.exe BellCanada
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Accelio Capture Advanced End-User Components --> MsiExec.exe /I{884A8E42-054C-4C2C-AF9C-4EC2241DE60A}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat and Reader 6.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Interactive Forms Update SP1 --> MsiExec.exe /I{AC76BA86-0000-F676-9FA0-000000000603}
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINNT\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Before You Know It 3.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E8F626C5-4CBF-4B26-9410-F7CC091377B7}\Setup.exe" -l0x9
Copernic Agent Basic --> "C:\WINNT\CopernicAgentUninstall.exe" /ARGSFILE="C:\Program Files\Copernic Agent\unwise.dat"
ELF v6.0 --> C:\Program Files\elf\UninstELF60.EXE
eMusic - 50 Free MP3 offer --> "C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
Entrust Desktop Solutions --> C:\WINNT\etuninst.exe
eWebEditPro 2.1 Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADAE6A0F-3038-4F17-8B6F-F29CFBDCFD42}\Setup.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HijackThis 2.0.2 --> "C:\Documents and Settings\yamamurd\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
HP Imaging Device Functions 6.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Cameras 6.0 --> C:\Program Files\HP\Digital Imaging\{24E9CC12-F336-4e2d-90CF-9D80B75A17E8}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP Photosmart Essential --> MsiExec.exe /X{D7CAE58E-26DE-49B7-A75D-EAEDF76726BE}
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center and Imaging Support Tools 6.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel Security Driver --> C:\WINNT\UNWISE.EXE C:\WINNT\intelsds.log
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Java 2 Runtime Environment, SE v1.4.2_10 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142100}
Java 2 Runtime Environment, SE v1.4.2_12 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142120}
Java 2 SDK, SE v1.4.2_12 --> MsiExec.exe /I{35A3A4F4-B792-11D6-A78A-00B0D0142120}
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
LIMS - SIGC v5.3 --> C:\WINNT\unlims53.exe
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Lotus NotesSQL 3.01 driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{113EECD6-9A04-11D4-811D-00805F923B86}\Setup.exe" -uninst
Lotus SmartSuite 9.7 - SuperScript - English --> MsiExec.exe /X{536D6172-7453-7569-7465-392E37300409}
Macromedia Flash Player --> MsiExec.exe /X{27579b3c-5470-4496-be6c-0c872674f19f}
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{23AEBB83-CB47-4739-8A0C-92CC1E32AA2F}
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 --> C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Outlook 2000 SR-1 --> MsiExec.exe /I{00160409-78E1-11D2-B60F-006097C998E7}
Microsoft VGX Q833989 --> C:\WINNT\vgxuninst.exe C:\WINNT\INF\Q833989.inf
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NetAssistant --> C:\WINNT\Motive\BellCanada\MCCUninst.exe
Netscape (7.02) --> C:\WINNT\NSUninst.exe /ua "7.02 (en)"
NG-SRA VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF964A78-078C-11D1-B7A7-0000C0134CE6}\setup.exe" Uninstall
NICI (Shared) U.S./Worldwide (128 bit) (2.6.4-5) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}\Setup.exe" -uninst
NMAS Client Components (2.3) --> C:\WINNT\system32\unclient.exe
Novell Client for Windows --> %SystemRoot%\system32\rundll32 nwsetup.dll NWUninstallClient
Oracle 8.1 --> C:\WINNT\Ora81Uninst.exe
PWGSC - WinZip v8.1 Superscript Installation --> "C:\PROGRA~1\WinZip\WINZIP32.EXE" /uninstall
Quick View Plus --> C:\WINNT\UNINSQVP.EXE
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Shockwave --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{3E172636-AE83-474A-9D07-E31C22C6DDC2}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
Windows Messenger 5.1 --> MsiExec.exe /I{A433AE09-2126-4dad-9CBD-C1B05DC42787}
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type9337 / Error
Event Submitted/Written: 11/26/2007 10:31:44 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type9327 / Error
Event Submitted/Written: 11/25/2007 09:15:36 PM
Event ID/Source: 1000 / Microsoft Internet Explorer
Event Description:
iexplore.exe6.0.2800.1106ntdll.dll5.0.2195.70060000f281

Event Record #/Type9325 / Error
Event Submitted/Written: 11/25/2007 08:15:08 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type9315 / Error
Event Submitted/Written: 11/25/2007 08:10:56 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type9306 / Error
Event Submitted/Written: 11/24/2007 07:33:45 PM
Event ID/Source: 1000 / Microsoft Internet Explorer
Event Description:
iexplore.exe6.0.2800.1106ntdll.dll5.0.2195.70060000f281



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7837 / Warning
Event Submitted/Written: 11/26/2007 10:30:44 PM / 11/26/2007 10:31:20 PM
Event ID/Source: 1005 / SAVRT
Event Description:
Auto-Protect could not scan file C:\WINNT\System32\ativvaxx.dll for viruses due to low kernel stack.

Event Record #/Type7836 / Warning
Event Submitted/Written: 11/26/2007 10:30:44 PM / 11/26/2007 10:31:20 PM
Event ID/Source: 1005 / SAVRT
Event Description:
Auto-Protect could not scan file C:\WINNT\System32\ati3duag.dll for viruses due to low kernel stack.

Event Record #/Type7835 / Warning
Event Submitted/Written: 11/26/2007 10:30:22 PM / 11/26/2007 10:31:20 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type7833 / Error
Event Submitted/Written: 11/26/2007 10:31:10 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Automatic Updates service terminated with the following error:
%%2147952506

Event Record #/Type7832 / Error
Event Submitted/Written: 11/26/2007 10:31:08 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Telephotsgoogle service to connect.



-- End of Deckard's System Scanner: finished at 2007-11-26 22:36:12 ------------


Here is a log file of ComboFix:

ComboFix 07-11-19.4 - yamamurd 11/26/2007 22:40:51.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.720 [GMT -5:00]
Running from: C:\Documents and Settings\yamamurd\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\privilege.dat
C:\WINNT\49400MM.DLL
C:\WINNT\Fonts\ardaase.fon
C:\WINNT\Fonts\ardasase.fon
C:\WINNT\Fonts\cadaafx.fon
C:\WINNT\Fonts\chqiaur.fon
C:\WINNT\Fonts\chreaur.fon
C:\WINNT\Fonts\enhuafx.fon
C:\WINNT\Fonts\enpoafx.fon
C:\WINNT\Fonts\gejiand.fon
C:\WINNT\Fonts\msguasd.fon
C:\WINNT\Fonts\mswuasd.fon
C:\WINNT\IGM.exe
C:\WINNT\system32\0.exe
C:\WINNT\system32\12.exe
C:\WINNT\system32\15.exe
C:\WINNT\system32\avzxemn.dll
C:\WINNT\system32\avzxest.exe
C:\WINNT\system32\dh3atl.dll
C:\WINNT\system32\dhatl.dll
C:\WINNT\system32\djatl.dll
C:\WINNT\system32\gjatl.dll
C:\WINNT\system32\jzatl.dll
C:\WINNT\system32\lyloader.exe
C:\WINNT\system32\lymangr.dll
C:\WINNT\system32\mhsha1.dat
C:\WINNT\system32\MSDEG32.DLL
C:\WINNT\system32\myatl.dll
C:\WINNT\system32\qjatl.dll
C:\WINNT\system32\rsjzcpm.dll
C:\WINNT\system32\rsmygpm.dll
C:\WINNT\system32\rsztfpm.dll
C:\WINNT\system32\rxjhatl.dll
C:\WINNT\system32\SHQ.DLL
C:\WINNT\system32\SHQMANGR.DLL
C:\WINNT\system32\sqmapi32.dll
C:\WINNT\system32\wdatl.dll
C:\WINNT\system32\wlatl.dll
C:\WINNT\system32\zhtuatl.dll
C:\WINNT\system32\zxatl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-26 22:44 16,384 C:\WINNT\system32\Perflib_Perfdata_4e8.dat
2007-11-26 22:33 <DIR> d-------- C:\Deckard
2007-11-25 20:17 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-11-25 20:12 <DIR> d-------- C:\Documents and Settings\yamamurd\Application Data\U3
2007-11-10 19:04 801,072 --a--c--- C:\WINNT\system32\dllcache\3cpciadi.sys
2007-11-10 19:04 792,176 --a--c--- C:\WINNT\system32\dllcache\3cisaadi.sys
2007-11-10 19:04 774,928 --a--c--- C:\WINNT\system32\dllcache\3cisati.sys
2007-11-10 19:04 763,024 --a--c--- C:\WINNT\system32\dllcache\3cwmcru.sys
2007-11-10 19:04 91,920 --a--c--- C:\WINNT\system32\dllcache\acq32.dll
2007-11-10 19:04 40,752 --a--c--- C:\WINNT\system32\dllcache\1394bus.sys
2007-11-10 19:04 38,320 --a--c--- C:\WINNT\system32\dllcache\8514a.dll
2007-11-10 19:04 22,992 --a--c--- C:\WINNT\system32\dllcache\15_16wdm.sys
2007-11-10 19:04 10,928 --a--c--- C:\WINNT\system32\dllcache\4mmdat.sys
2007-11-07 22:56 <DIR> d-------- C:\Documents and Settings\yamamurd\.housecall6.6
2007-11-07 22:56 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-11-07 22:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 22:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-07 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 06:51 549,720 --a------ C:\WINNT\system32\wuapi.dll
2007-11-07 06:51 325,976 --a------ C:\WINNT\system32\wucltui.dll
2007-11-07 06:51 43,352 --a------ C:\WINNT\system32\wups2.dll
2007-11-07 06:51 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2007-11-07 06:51 33,624 --a------ C:\WINNT\system32\wups.dll
2007-11-07 06:51 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2007-11-07 06:51 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2007-11-07 06:51 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2007-11-07 06:50 14,480 ---hs---- C:\WINNT\system32\tlatl.dll
2007-11-06 17:48 19,600 ---hs---- C:\WINNT\system32\qqhxatl.dll
2007-11-06 17:47 22,928 --a------ C:\WINNT\system32\LYLOADMR.EXE
2007-11-06 17:47 6,784 --a------ C:\WINNT\system32\mseam.sys
2007-11-04 12:56 20 --a------ C:\mhsha1.dat
2007-11-04 11:27 70,449 ---hs---- C:\WINNT\IGW.exe
2007-11-04 11:27 50,862 --ahs---- C:\WINNT\49400WO.DLL
2007-11-04 11:26 89,393 ---hs---- C:\WINNT\swchost.exe
2007-11-04 11:26 42,801 --a------ C:\WINNT\49400WL.DLL
2007-11-04 11:26 15,519 --a------ C:\WINNT\system32\avwgest.exe
2007-11-04 11:26 14,239 --a------ C:\WINNT\system32\sidjbaz.exe
2007-11-04 11:26 56 --a------ C:\WINNT\system32\sidjbcs.dll
2007-11-04 11:26 49 --a------ C:\WINNT\system32\avwgein.dll
2007-11-04 11:24 37,888 ---hs---- C:\WINNT\system32\serdst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 03:44 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-10 01:14 447 ----a-w C:\Program Files\INSTALL.LOG
2007-10-24 13:20 --------- d-----w C:\Documents and Settings\yamamurd\Application Data\Image Zone Express
2007-10-08 14:28 --------- d-----w C:\Program Files\Common Files\Nullsoft
2006-03-06 17:06 3,604,092 ----a-w C:\Program Files\log.txt
2006-03-06 16:24 271 ---h--w C:\Program Files\desktop.ini
2006-03-06 16:24 21,952 ---h--w C:\Program Files\folder.htt
2003-06-20 08:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2004-08-04 01:57 21,850 --sh--w C:\WINNT\system32\rarjdpi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-06-20 03:00 C:\WINNT\system32\internat.exe]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-17 17:37 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 03:00 C:\WINNT\system32\mobsync.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04-05-25 22:35 ]
"SecurityBanner"="C:\WINAPPS\SecurityBanner\PWGSC.exe" [04-11-02 06:07 ]
"NDPS"="C:\WINNT\system32\dpmw32.exe" [00-01-21 02:47 ]
"NWTRAY"="NWTRAY.EXE" [02-03-12 10:37 C:\WINNT\system32\nwtray.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [05-02-17 20:32 ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [05-04-24 17:21 ]
"IDD"="C:\Winapps\Idd\upidd.exe" [06-03-07 10:14 ]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [04-10-22 14:13 ]
"StandardInstall"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [06-12-15 03:23 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05-09-23 23:08 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-03-03 17:38 ]
"WinSysW"="C:\WINNT\swchost.exe" [07-11-07 22:32 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-06-20 03:00 C:\WINNT\system32\internat.exe]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-17 17:37 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 03:00 ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Entrust.lnk - C:\WINNT\system32\etlitr50.exe [2006-03-06 13:33:40]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-23 23:28:44]
Lotus Organizer EasyClip.lnk - C:\lotus\organize\easyclip.exe [2001-07-25 09:05:08]
Lotus QuickStart.lnk - C:\lotus\wordpro\ltsstart.exe [2001-08-14 05:16:14]
Lotus SmartCenter.lnk - C:\lotus\smartctr\SMARTCTR.EXE [2000-04-25 08:08:08]
Lotus SuiteStart.lnk - C:\lotus\smartctr\SUITEST.EXE [1999-04-23 07:02:04]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2006-06-18 16:23:08]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-03-06 12:05:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= qvphook.dll [ ]
"{ED0ACB58-556F-21DA-DDFE-6D20F3F611BB}"= C:\WINNT\system32\kb1111p.dll [98-12-31 19:01 40960]
"{7E32FA58-3453-FA2D-BC49-F340348ACCE7}"= C:\WINNT\system32\rsmygpm.dll [ ]
"{634345F1-DACF-3452-CB7D-4620F34A1536}"= C:\WINNT\system32\rsztfpm.dll [ ]
"{38907901-1416-3389-9981-372178569983}"= C:\WINNT\system32\kawdczy.dll [04-08-03 20:57 20820]
"{4598FF45-DA60-F48A-BC43-10AC47853D54}"= C:\WINNT\system32\rarjdpi.dll [04-08-03 20:57 21850]
"{44783410-4F90-34A0-7820-3230ACD05F44}"= C:\WINNT\system32\raqjdpi.dll [04-08-04 11:26 22868]
"{5A1247C1-53DA-FF43-ABD3-345F323A48D5}"= C:\WINNT\system32\avwgemn.dll [04-08-04 11:26 22862]
"{28847374-8323-FADC-B443-4732ABCD3782}"= C:\WINNT\system32\sidjbzy.dll [04-08-04 11:26 20316]
"{4A321487-4977-D98A-C8D5-6488257545A4}"= C:\WINNT\system32\kapjdzy.dll [04-08-04 11:26 22354]
"{87D81718-1314-5200-2597-587901018078}"= C:\WINNT\system32\kaqhhzy.dll [07-11-04 11:27 362496]
"{4960356A-458E-DE24-BD50-268F589A56A4}"= C:\WINNT\system32\avwldmn.dll [04-08-04 11:27 23114]
"{76650011-3344-6688-4899-345FABCD1567}"= C:\WINNT\system32\ratbgpi.dll [04-08-04 11:27 20832]
"{8C87A354-ABC3-DEDE-FF33-3213FD7447C8}"= C:\WINNT\system32\kvdxhma.dll [04-08-04 11:27 21840]
"{32FAACDE-34DA-CCD4-AB4D-DA34485A3423}"= C:\WINNT\system32\rsjzcpm.dll [ ]
"{6D561258-45F3-A451-F908-A258458226D6}"= C:\WINNT\system32\kvdxsfma.dll [04-08-04 11:27 21424]
"{5859245F-345D-BC13-AC4F-145D47DA34F5}"= C:\WINNT\system32\avzxemn.dll [ ]
C:\WINNT\system32\NavLogon.dll 05-04-24 17:21 55104 C:\WINNT\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kaqhhzy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

R0 NICM;Novell InterService Communication Driver;C:\WINNT\system32\drivers\nicm.sys
R0 NWFILTER;Novell UNC Path Filter;C:\WINNT\system32\NetWare\nwfilter.sys
R2 cusrvc;Client Update Service for Novell;C:\WINNT\system32\cusrvc.exe
R2 Isecdrv;ISECDRV;\??\C:\WINNT\system32\drivers\Isecdrv.sys
R2 NetwareWorkstation;Novell Client for Windows;C:\WINNT\system32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINNT\system32\NetWare\nwdhcp.sys
R2 RESMGR;Novell NetWare Resource Manager;C:\WINNT\system32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINNT\system32\NetWare\srvloc.sys
R3 Eacfilt;Eacfilt Miniport;C:\WINNT\system32\DRIVERS\eacfilt.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINNT\system32\DRIVERS\ipsecw2k.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINNT\system32\NetWare\NWSNS.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINNT\system32\DRIVERS\ipsecw2k.sys
S2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINNT\system32\NetWare\nwsipx32.sys
S2 Wdswsdewn;Telephotsgoogle;C:\WINNT\system32\serdst.exe
S3 NWDNS;Novell DNS Name Space Service Provider;C:\WINNT\system32\NetWare\nwdns.sys
S3 NWHOST;Novell Host File Name Space Service Provider;C:\WINNT\system32\NetWare\NWHOST.sys
S3 NWSAP;Novell SAP Name Space Provider;C:\WINNT\system32\NetWare\NWSAP.sys
S3 NWSLP;Novell SLP Name Space Service Provider;C:\WINNT\system32\NetWare\nwslp.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 14:00:01 C:\WINNT\Tasks\Live Update.job"
- C:\Progra~1\Symant~1\VPDN_LU.exe
"2006-03-06 16:48:06 C:\WINNT\Tasks\System State.job"
- C:\WINNT\system32\ntbackup.exeibackup
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 22:44:31
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_658.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-26 22:45:53 - machine was rebooted
.
--- E O F ---



LSPFix and WinSockFix are downloaded to the desktop. Awaiting your next instructions.

#5 Papakid (Malware Response Team, 6,664 posts)

Posted 27 November 2007 - 03:51 PM

OK, first let me say I should modify my previous statement a bit; it is not so much that the infection is unknown, just that certain elements of it, such as the LSP hijack, are not well known. See the following article for a general description of the infection; the details, such as files, folders and reg entries that need to be fixed, vary tremendously and are usually unique to each affected machine: http://www.f-secure.com/v-descs/trojan-psw...linegames.shtml

In some cases a "Flash Drive" infection is also present, so in order to prevent anything spreading to the/any computer you are using to transfer files, first please do the following:

Please download Flash_Disinfector by sUBs and save it to your desktop:

* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


ComboFix did a good deal of cleaning but more is left to do. It may also have repaired your connection. But before testing this out, let's do some more cleaning.

1. Click Start, then Run and type Notepad and click OK.

2. Now copy/paste the entire contents of the codebox below into the Notepad window:


Collect::
C:\WINNT\system32\LYLOADMR.EXE
C:\WINNT\IGW.exe
C:\WINNT\system32\0.exe
C:\WINNT\system32\serdst.exe
C:\WINNT\system32\kaqhhzy.dll
C:\WINNT\system32\rarjdpi.dll
C:\WINNT\system32\rsztfpm.dll
C:\WINNT\IGM.exe
C:\WINNT\swchost.exe
C:\WINNT\system32\LYLeador.exe
C:\WINNT\system32\mseam.sys

Suspect::
C:\Winapps\Idd\upidd.exe
C:\WINAPPS\SecurityBanner\PWGSC.exe

File::
C:\WINNT\system32\wdatl.dll
C:\WINNT\system32\tlatl.dll
C:\WINNT\system32\qqhxatl.dll
C:\WINNT\system32\kvdxsfis.exe
C:\WINNT\system32\kvdxsfcf.dll
C:\WINNT\system32\rsjzcfg.dll
C:\WINNT\system32\rsjzcsp.exe
C:\WINNT\system32\kvdxhis.exe
C:\WINNT\system32\kvdxhcf.dll
C:\WINNT\system32\ratbgtl.exe
C:\WINNT\system32\ratbgni.dll
C:\WINNT\system32\avwldin.dll
C:\WINNT\system32\avwldst.exe
C:\WINNT\49400WO.DLL
C:\WINNT\system32\kaqhhcs.dll
C:\WINNT\system32\kaqhhaz.exe
C:\WINNT\system32\kapjdcs.dll
C:\WINNT\system32\kapjdaz.exe
C:\WINNT\system32\sidjbcs.dll
C:\WINNT\system32\sidjbaz.exe
C:\WINNT\system32\avwgest.exe
C:\WINNT\system32\avwgein.dll
C:\WINNT\system32\raqjdtl.exe
C:\WINNT\system32\raqjdni.dll
C:\WINNT\swchost.exe
C:\WINNT\49400WL.DLL
C:\WINNT\system32\rarjdtl.exe
C:\WINNT\system32\rarjdni.dll
C:\WINNT\system32\kawdccs.dll
C:\WINNT\system32\kawdcaz.exe
C:\WINNT\system32\rsztfsp.exe
C:\WINNT\system32\rsztffg.dll
C:\WINNT\system32\rsmygsp.exe
C:\WINNT\system32\rsmygfg.dll
C:\WINNT\system32\kb1111p.dll
C:\WINNT\system32\rsmygpm.dll
C:\WINNT\system32\rsztfpm.dll
C:\WINNT\system32\kawdczy.dll
C:\WINNT\system32\rarjdpi.dll
C:\WINNT\system32\raqjdpi.dll
C:\WINNT\system32\avwgemn.dll
C:\WINNT\system32\sidjbzy.dll
C:\WINNT\system32\kapjdzy.dll
C:\WINNT\system32\kaqhhzy.dll
C:\WINNT\system32\avwldmn.dll
C:\WINNT\system32\ratbgpi.dll
C:\WINNT\system32\kvdxhma.dll
C:\WINNT\system32\rsjzcpm.dll
C:\WINNT\system32\kvdxsfma.dll
C:\WINNT\system32\avzxemn.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSysW"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=-
"NoSMConfigurePrograms"=-
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ED0ACB58-556F-21DA-DDFE-6D20F3F611BB}"=-
"{7E32FA58-3453-FA2D-BC49-F340348ACCE7}"=-
"{634345F1-DACF-3452-CB7D-4620F34A1536}"=-
"{38907901-1416-3389-9981-372178569983}"=-
"{4598FF45-DA60-F48A-BC43-10AC47853D54}"=-
"{44783410-4F90-34A0-7820-3230ACD05F44}"=-
"{5A1247C1-53DA-FF43-ABD3-345F323A48D5}"=-
"{28847374-8323-FADC-B443-4732ABCD3782}"=-
"{4A321487-4977-D98A-C8D5-6488257545A4}"=-
"{87D81718-1314-5200-2597-587901018078}"=-
"{4960356A-458E-DE24-BD50-268F589A56A4}"=-
"{76650011-3344-6688-4899-345FABCD1567}"=-
"{8C87A354-ABC3-DEDE-FF33-3213FD7447C8}"=-
"{32FAACDE-34DA-CCD4-AB4D-DA34485A3423}"=-
"{6D561258-45F3-A451-F908-A258458226D6}"=-
"{5859245F-345D-BC13-AC4F-145D47DA34F5}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Driver::
Wdswsdewn

3. Name the Notepad file CFScript.txt and Save it to your desktop.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. ComboFix will generate the following files on your desktop
-A zipped file on your desktop called Submit [Date Time].zip
-And another file named - CF-Submit.htm<--don't concern yourself with this one
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. Next, a window will popup prompting you to "Submit Files for further analysis". Click "OK"

9. Your system's browser will automatically respond by loading the CF-Submit.htm file and open a window :
-Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
-Click on the file to Select it.
-Submit the file by clicking "OK"
10. Once the file has been submitted, you may DELETE both files on your desktop.
11. Post the ComboFix.log contents in your next reply.

The above is a standard speech, but without an internet connection it should be different for you starting at step 8. You should still have a .zip file on your desktop with malware files inside we need to have a look at. Please either transfer the zip to your other computer or wait until after the next step, to upload the file. When you are ready, use this link: http://www.bleepingcomputer.com/submit-malware.php


The next step is to test your connection. If you aren't able to surf normally again, do the following:

Run the LSPFix program I had you download earlier and check the "I know what I'm doing" box. Place all instances of the following file in bold into the Remove section on the right by clicking on the button that points to the right. When all instances of the DLL in bold, and only this DLL, are in the Remove section, press the Finish button.

sqmapi32.dll

Then reboot.

If you are still having problems, run WinSockFix.

Post back here with new ComboFix and HJT logs and let me know how it goes. If you do get your connection back working properly, please still unplug from the net after submitting the file until we get you into a safer state to do so. I don't see a software firewall in your log, though with Symantec it is hard to tell. Can you tell me if you are running a firewall or not?

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan
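
The CFScript in the post above was assembled by hand from the ComboFix log: every ShellExecuteHooks GUID that points at an unvetted DLL gets a `"{GUID}"=-` line under Registry:: and its DLL goes under File::, and the AppInit_DLLs value is both deleted as a file and blanked in the registry. As an added example (not code from this thread, from ComboFix, or from its author), the Python script below does that mechanical part: it parses the ShellExecuteHooks block and the AppInit_DLLs value out of a ComboFix-style log excerpt and emits the File:: and Registry:: sections in CFScript syntax. The excerpt is constructed from four lines of the log posted above; the allowlist of known-good hook DLLs, the System32 path used to resolve a bare AppInit_DLLs name, and the function names are assumptions made for the example.

```python
"""Generate the File:: and Registry:: parts of a CFScript from a ComboFix log excerpt.

Added example for the thread above; it is not part of ComboFix and the allowlist,
the System32 path and the function names are assumptions made for illustration.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout ComboFix printed above. The hook lines and the
# AppInit_DLLs value are copied from the posted log; everything else is assumed.
SAMPLE_LOG = r"""
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= qvphook.dll [ ]
"{ED0ACB58-556F-21DA-DDFE-6D20F3F611BB}"= C:\WINNT\system32\kb1111p.dll [98-12-31 19:01 40960]
"{87D81718-1314-5200-2597-587901018078}"= C:\WINNT\system32\kaqhhzy.dll [07-11-04 11:27 362496]
"{5859245F-345D-BC13-AC4F-145D47DA34F5}"= C:\WINNT\system32\avzxemn.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kaqhhzy.dll
"""

# ASSUMPTION: hook DLLs the analyst has already vetted as legitimate and wants to keep.
KNOWN_GOOD_HOOKS = {"qvphook.dll"}
# ASSUMPTION: where a bare DLL name in AppInit_DLLs lives on this Windows 2000 box.
SYSTEM32 = r"C:\WINNT\system32"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"= data [optional timestamp/size suffix in brackets]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*?)(?:\s+\[[^\]]*\])?$')


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each [registry key] header to the (value name, data) pairs under it."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("data").strip()))
    return sections


def find_key(sections: Dict[str, list], suffix: str):
    """Locate a key case-insensitively by its trailing path (ComboFix mixes hklm/HKEY_LOCAL_MACHINE)."""
    for key in sections:
        if key.lower().endswith(suffix.lower()):
            return key
    return None


def triage(text: str) -> Tuple[List[str], List[str]]:
    """Return (files to delete, Registry:: lines) for unvetted hooks and AppInit_DLLs."""
    sections = parse_sections(text)
    files: List[str] = []
    registry: List[str] = []

    hooks_key = find_key(sections, r"\explorer\shellexecutehooks")
    if hooks_key:
        hook_lines = []
        for guid, data in sections[hooks_key]:
            if ntpath.basename(data).lower() in KNOWN_GOOD_HOOKS:
                continue  # keep the vetted hook, do not touch its GUID
            files.append(data if "\\" in data else ntpath.join(SYSTEM32, data))
            hook_lines.append(f'"{guid}"=-')  # CFScript syntax: "=-" deletes the value
        if hook_lines:
            registry.append(f"[{hooks_key}]")
            registry.extend(hook_lines)

    win_key = find_key(sections, r"\windows nt\currentversion\windows")
    if win_key:
        for name, data in sections[win_key]:
            if name.lower() != "appinit_dlls" or not data.strip('"'):
                continue
            for dll in re.split(r"[,\s]+", data.strip('"')):
                path = dll if "\\" in dll else ntpath.join(SYSTEM32, dll)
                if dll and path.lower() not in (f.lower() for f in files):
                    files.append(path)  # avoid listing kaqhhzy.dll twice
            registry.append(f"[{win_key}]")
            registry.append('"AppInit_DLLs"=""')  # blank the value rather than delete the key
    return files, registry


def build_cfscript(text: str) -> str:
    """Render the File:: and Registry:: sections in the layout used in the thread."""
    files, registry = triage(text)
    out: List[str] = []
    if files:
        out += ["File::", *files, ""]
    if registry:
        out += ["Registry::", *registry]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

The allowlist is the analyst's judgment, not the tool's: the script only saves typing, and each emitted path still has to be vetted (and, as in the post above, collected under Collect:: before it is deleted) because these droppers use different random names on every machine.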


#6 GoSensGo (Topic Starter, Members, 10 posts)

Posted 01 December 2007 - 04:25 PM

Flash_Disinfector run on the flash drives and no issues detected.

CF-Submit file has been submitted to http://bleepingcomputer.com/submit-malware.php

Unfortunately, we still do not have an internet connection. We keep getting a blank page saying "The page cannot be displayed." We've tried to connect with FireFox but also no luck.

Our modem has 4 lights. The 'Power', 'Ethernet', and 'DSL' lights are all showing solid green lights. The 'Activity' light at times shows a slow blink.

We've tried pinging from Command Prompt, but we get a request timed out message or unknown host message.

We've also run LSPFix and WinSockFix, but still no luck connecting.

Here is the latest ComboFix and HJT logs:



Collect::
C:\WINNT\system32\LYLOADMR.EXE
C:\WINNT\IGW.exe
C:\WINNT\system32\0.exe
C:\WINNT\system32\serdst.exe
C:\WINNT\system32\kaqhhzy.dll
C:\WINNT\system32\rarjdpi.dll
C:\WINNT\system32\rsztfpm.dll
C:\WINNT\IGM.exe
C:\WINNT\swchost.exe
C:\WINNT\system32\LYLeador.exe
C:\WINNT\system32\mseam.sys

Suspect::
C:\Winapps\Idd\upidd.exe
C:\WINAPPS\SecurityBanner\PWGSC.exe

File::
C:\WINNT\system32\wdatl.dll
C:\WINNT\system32\tlatl.dll
C:\WINNT\system32\qqhxatl.dll
C:\WINNT\system32\kvdxsfis.exe
C:\WINNT\system32\kvdxsfcf.dll
C:\WINNT\system32\rsjzcfg.dll
C:\WINNT\system32\rsjzcsp.exe
C:\WINNT\system32\kvdxhis.exe
C:\WINNT\system32\kvdxhcf.dll
C:\WINNT\system32\ratbgtl.exe
C:\WINNT\system32\ratbgni.dll
C:\WINNT\system32\avwldin.dll
C:\WINNT\system32\avwldst.exe
C:\WINNT\49400WO.DLL
C:\WINNT\system32\kaqhhcs.dll
C:\WINNT\system32\kaqhhaz.exe
C:\WINNT\system32\kapjdcs.dll
C:\WINNT\system32\kapjdaz.exe
C:\WINNT\system32\sidjbcs.dll
C:\WINNT\system32\sidjbaz.exe
C:\WINNT\system32\avwgest.exe
C:\WINNT\system32\avwgein.dll
C:\WINNT\system32\raqjdtl.exe
C:\WINNT\system32\raqjdni.dll
C:\WINNT\swchost.exe
C:\WINNT\49400WL.DLL
C:\WINNT\system32\rarjdtl.exe
C:\WINNT\system32\rarjdni.dll
C:\WINNT\system32\kawdccs.dll
C:\WINNT\system32\kawdcaz.exe
C:\WINNT\system32\rsztfsp.exe
C:\WINNT\system32\rsztffg.dll
C:\WINNT\system32\rsmygsp.exe
C:\WINNT\system32\rsmygfg.dll
C:\WINNT\system32\kb1111p.dll
C:\WINNT\system32\rsmygpm.dll
C:\WINNT\system32\rsztfpm.dll
C:\WINNT\system32\kawdczy.dll
C:\WINNT\system32\rarjdpi.dll
C:\WINNT\system32\raqjdpi.dll
C:\WINNT\system32\avwgemn.dll
C:\WINNT\system32\sidjbzy.dll
C:\WINNT\system32\kapjdzy.dll
C:\WINNT\system32\kaqhhzy.dll
C:\WINNT\system32\avwldmn.dll
C:\WINNT\system32\ratbgpi.dll
C:\WINNT\system32\kvdxhma.dll
C:\WINNT\system32\rsjzcpm.dll
C:\WINNT\system32\kvdxsfma.dll
C:\WINNT\system32\avzxemn.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSysW"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=-
"NoSMConfigurePrograms"=-
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ED0ACB58-556F-21DA-DDFE-6D20F3F611BB}"=-
"{7E32FA58-3453-FA2D-BC49-F340348ACCE7}"=-
"{634345F1-DACF-3452-CB7D-4620F34A1536}"=-
"{38907901-1416-3389-9981-372178569983}"=-
"{4598FF45-DA60-F48A-BC43-10AC47853D54}"=-
"{44783410-4F90-34A0-7820-3230ACD05F44}"=-
"{5A1247C1-53DA-FF43-ABD3-345F323A48D5}"=-
"{28847374-8323-FADC-B443-4732ABCD3782}"=-
"{4A321487-4977-D98A-C8D5-6488257545A4}"=-
"{87D81718-1314-5200-2597-587901018078}"=-
"{4960356A-458E-DE24-BD50-268F589A56A4}"=-
"{76650011-3344-6688-4899-345FABCD1567}"=-
"{8C87A354-ABC3-DEDE-FF33-3213FD7447C8}"=-
"{32FAACDE-34DA-CCD4-AB4D-DA34485A3423}"=-
"{6D561258-45F3-A451-F908-A258458226D6}"=-
"{5859245F-345D-BC13-AC4F-145D47DA34F5}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Driver::
Wdswsdewn



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:48 PM, on 11/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\etlisrv.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wm.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\etlitr50.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\SMARTCTR.EXE
C:\lotus\smartctr\SUITEST.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
C:\Documents and Settings\yamamurd\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_Canada.src"); (C:\Documents and Settings\YAMAMURD\Application Data\Mozilla\Profiles\default\ubinv4vg.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SecurityBanner] C:\WINAPPS\SecurityBanner\PWGSC.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IDD] C:\Winapps\Idd\upidd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194436251843
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = NCR.PWGSC.GC.CA
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINNT\etlisrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe

--
End of file - 9975 bytes



We aren't getting the ccApp.exe error message as often when we boot up now.

We're running Symantec AntiVirus.

#7 Papakid (Malware Response Team, 6,664 posts)

Posted 01 December 2007 - 11:27 PM

Well, your HijackThis log is now clean, but you posted the CFScript text file instead of ComboFix.txt. So post it for confirmation, please.

I'm afraid I'm not the best to help with the cable modem connection problem. I'm not a technician, but a typical home user condemned to a dialup connection (it's all I've ever had) that just happens to know a bit about malware. I'll have to research this and consult with my colleagues while I wait on the ComboFix log.



#8 GoSensGo (Topic Starter, Members, 10 posts)

Posted 03 December 2007 - 09:24 AM

We've been able to restore our Internet connection. We had to reset the user name and password provided by our internet provider. I think we're OK now. Glad to hear our computer is now clean. (We won't post the ComboFix.txt file unless you think it's absolutely necessary).

Thanks soooooooooo much for your help!!


#9 Papakid (Malware Response Team, 6,664 posts)

Posted 03 December 2007 - 11:19 AM

You're welcome for the help and I'm glad you worked out the connection problem.

However, it is absolutely necessary that you post the ComboFix.txt contents as requested. As mentioned earlier, the type of infection you are dealing with customizes itself to each individual machine where it is present. Just because the HJT log is clean doesn't mean your system is, and CF's log has more diagnostic data.

I would also like for you to answer the question as to whether or not you are running a software firewall and if you are still having the other problems you described. You did a very smart thing by disconnecting from the internet when you found you were infected, and you may be mostly clear now. But this particular malware downloads massive amounts of files, so if we didn't get it all, reinfection is very easily accomplished. A firewall nowadays is essential not only because it can block incoming packets, but also because notification about outgoing packets could have assisted in discovery of this infection and its removal even earlier.

Very sophisticated malware like this will also often corrupt your antivirus protection, especially older versions of Norton/Symantec, and lately it is also possible that the malware has injected itself into the AV processes and in essence taken them over even though it looks as if the correct AV processes are running. So I would suggest reinstalling Symantec and consider switching to something else or a more recent version that protects itself better.

I can give you some suggestions about all of this and how to prevent getting reinfected, but I need to see the CF log first and hear how the system is running.

Also as further followup, please perform this online scan: Kaspersky Webscan
Note that you need to run this scan with Internet Explorer for it to work correctly.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allows Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. When the scan is complete, save the results by clicking "Save Report As HTML". Give the report a name and save it to your desktop. If you have any problem saving the report, copy its text to the clipboard, then paste it into an empty Notepad and save it to your desktop.
9. Post the Kaspersky scan results in your next reply.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.



#10 GoSensGo (Topic Starter, Members, 10 posts)

Posted 05 December 2007 - 11:38 PM

We are running Symantec Antivirus, but no specific software firewall.

Here is the ComboFix log as well as the Kaspersky Online Scanner report.


ComboFix 07-11-19.4 - yamamurd 11/29/2007 19:10:23.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.741 [GMT -5:00]
Running from: C:\Documents and Settings\yamamurd\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\yamamurd\Desktop\CFScript.txt

FILE
C:\WINNT\49400WL.DLL
C:\WINNT\49400WO.DLL
C:\WINNT\swchost.exe
C:\WINNT\system32\avwgein.dll
C:\WINNT\system32\avwgemn.dll
C:\WINNT\system32\avwgest.exe
C:\WINNT\system32\avwldin.dll
C:\WINNT\system32\avwldmn.dll
C:\WINNT\system32\avwldst.exe
C:\WINNT\system32\avzxemn.dll
C:\WINNT\system32\kapjdaz.exe
C:\WINNT\system32\kapjdcs.dll
C:\WINNT\system32\kapjdzy.dll
C:\WINNT\system32\kaqhhaz.exe
C:\WINNT\system32\kaqhhcs.dll
C:\WINNT\system32\kaqhhzy.dll
C:\WINNT\system32\kawdcaz.exe
C:\WINNT\system32\kawdccs.dll
C:\WINNT\system32\kawdczy.dll
C:\WINNT\system32\kb1111p.dll
C:\WINNT\system32\kvdxhcf.dll
C:\WINNT\system32\kvdxhis.exe
C:\WINNT\system32\kvdxhma.dll
C:\WINNT\system32\kvdxsfcf.dll
C:\WINNT\system32\kvdxsfis.exe
C:\WINNT\system32\kvdxsfma.dll
C:\WINNT\system32\qqhxatl.dll
C:\WINNT\system32\raqjdni.dll
C:\WINNT\system32\raqjdpi.dll
C:\WINNT\system32\raqjdtl.exe
C:\WINNT\system32\rarjdni.dll
C:\WINNT\system32\rarjdpi.dll
C:\WINNT\system32\rarjdtl.exe
C:\WINNT\system32\ratbgni.dll
C:\WINNT\system32\ratbgpi.dll
C:\WINNT\system32\ratbgtl.exe
C:\WINNT\system32\rsjzcfg.dll
C:\WINNT\system32\rsjzcpm.dll
C:\WINNT\system32\rsjzcsp.exe
C:\WINNT\system32\rsmygfg.dll
C:\WINNT\system32\rsmygpm.dll
C:\WINNT\system32\rsmygsp.exe
C:\WINNT\system32\rsztffg.dll
C:\WINNT\system32\rsztfpm.dll
C:\WINNT\system32\rsztfsp.exe
C:\WINNT\system32\sidjbaz.exe
C:\WINNT\system32\sidjbcs.dll
C:\WINNT\system32\sidjbzy.dll
C:\WINNT\system32\tlatl.dll
C:\WINNT\system32\wdatl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\49400WL.DLL
C:\WINNT\49400WO.DLL
C:\WINNT\IGW.exe
C:\WINNT\swchost.exe
C:\WINNT\system32\avwgein.dll
C:\WINNT\system32\avwgemn.dll
C:\WINNT\system32\avwgest.exe
C:\WINNT\system32\avwldin.dll
C:\WINNT\system32\avwldmn.dll
C:\WINNT\system32\avwldst.exe
C:\WINNT\system32\kapjdaz.exe
C:\WINNT\system32\kapjdcs.dll
C:\WINNT\system32\kapjdzy.dll
C:\WINNT\system32\kaqhhaz.exe
C:\WINNT\system32\kaqhhcs.dll
C:\WINNT\system32\kaqhhzy.dll
C:\WINNT\system32\kawdcaz.exe
C:\WINNT\system32\kawdccs.dll
C:\WINNT\system32\kawdczy.dll
C:\WINNT\system32\kb1111p.dll
C:\WINNT\system32\kvdxhcf.dll
C:\WINNT\system32\kvdxhis.exe
C:\WINNT\system32\kvdxhma.dll
C:\WINNT\system32\kvdxsfcf.dll
C:\WINNT\system32\kvdxsfis.exe
C:\WINNT\system32\kvdxsfma.dll
C:\WINNT\system32\LYLOADMR.EXE
C:\WINNT\system32\mseam.sys
C:\WINNT\system32\qqhxatl.dll
C:\WINNT\system32\raqjdni.dll
C:\WINNT\system32\raqjdpi.dll
C:\WINNT\system32\raqjdtl.exe
C:\WINNT\system32\rarjdni.dll
C:\WINNT\system32\rarjdpi.dll
C:\WINNT\system32\rarjdtl.exe
C:\WINNT\system32\ratbgni.dll
C:\WINNT\system32\ratbgpi.dll
C:\WINNT\system32\ratbgtl.exe
C:\WINNT\system32\rsjzcfg.dll
C:\WINNT\system32\rsjzcsp.exe
C:\WINNT\system32\rsmygfg.dll
C:\WINNT\system32\rsmygsp.exe
C:\WINNT\system32\rsztffg.dll
C:\WINNT\system32\rsztfsp.exe
C:\WINNT\system32\serdst.exe
C:\WINNT\system32\sidjbaz.exe
C:\WINNT\system32\sidjbcs.dll
C:\WINNT\system32\sidjbzy.dll
C:\WINNT\system32\tlatl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WDSWSDEWN
-------\Wdswsdewn


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-29 19:13 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4f0.dat
2007-11-26 22:33 <DIR> d-------- C:\Deckard
2007-11-25 20:17 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-11-25 20:12 <DIR> d-------- C:\Documents and Settings\yamamurd\Application Data\U3
2007-11-10 19:04 801,072 --a--c--- C:\WINNT\system32\dllcache\3cpciadi.sys
2007-11-10 19:04 792,176 --a--c--- C:\WINNT\system32\dllcache\3cisaadi.sys
2007-11-10 19:04 774,928 --a--c--- C:\WINNT\system32\dllcache\3cisati.sys
2007-11-10 19:04 763,024 --a--c--- C:\WINNT\system32\dllcache\3cwmcru.sys
2007-11-10 19:04 91,920 --a--c--- C:\WINNT\system32\dllcache\acq32.dll
2007-11-10 19:04 40,752 --a--c--- C:\WINNT\system32\dllcache\1394bus.sys
2007-11-10 19:04 38,320 --a--c--- C:\WINNT\system32\dllcache\8514a.dll
2007-11-10 19:04 22,992 --a--c--- C:\WINNT\system32\dllcache\15_16wdm.sys
2007-11-10 19:04 10,928 --a--c--- C:\WINNT\system32\dllcache\4mmdat.sys
2007-11-07 22:56 <DIR> d-------- C:\Documents and Settings\yamamurd\.housecall6.6
2007-11-07 22:56 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-11-07 22:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 22:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-07 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-07 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 06:51 549,720 --a------ C:\WINNT\system32\wuapi.dll
2007-11-07 06:51 325,976 --a------ C:\WINNT\system32\wucltui.dll
2007-11-07 06:51 43,352 --a------ C:\WINNT\system32\wups2.dll
2007-11-07 06:51 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2007-11-07 06:51 33,624 --a------ C:\WINNT\system32\wups.dll
2007-11-07 06:51 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2007-11-07 06:51 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2007-11-07 06:51 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2007-11-04 12:56 20 --a------ C:\mhsha1.dat
2007-10-08 09:28 <DIR> d-------- C:\Program Files\Common Files\Nullsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 00:13 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-10 01:14 447 ----a-w C:\Program Files\INSTALL.LOG
2007-10-24 13:20 --------- d-----w C:\Documents and Settings\yamamurd\Application Data\Image Zone Express
2006-03-06 17:06 3,604,092 ----a-w C:\Program Files\log.txt
2006-03-06 16:24 271 ---h--w C:\Program Files\desktop.ini
2006-03-06 16:24 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-06-20 03:00 C:\WINNT\system32\internat.exe]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-17 17:37 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 03:00 C:\WINNT\system32\mobsync.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04-05-25 22:35 ]
"SecurityBanner"="C:\WINAPPS\SecurityBanner\PWGSC.exe" [04-11-02 06:07 ]
"NDPS"="C:\WINNT\system32\dpmw32.exe" [00-01-21 02:47 ]
"NWTRAY"="NWTRAY.EXE" [02-03-12 10:37 C:\WINNT\system32\nwtray.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [05-02-17 20:32 ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [05-04-24 17:21 ]
"IDD"="C:\Winapps\Idd\upidd.exe" [06-03-07 10:14 ]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [04-10-22 14:13 ]
"StandardInstall"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [06-12-15 03:23 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05-09-23 23:08 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-03-03 17:38 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-06-20 03:00 C:\WINNT\system32\internat.exe]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-17 17:37 ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 03:00 ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Entrust.lnk - C:\WINNT\system32\etlitr50.exe [2006-03-06 13:33:40]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-23 23:28:44]
Lotus Organizer EasyClip.lnk - C:\lotus\organize\easyclip.exe [2001-07-25 09:05:08]
Lotus QuickStart.lnk - C:\lotus\wordpro\ltsstart.exe [2001-08-14 05:16:14]
Lotus SmartCenter.lnk - C:\lotus\smartctr\SMARTCTR.EXE [2000-04-25 08:08:08]
Lotus SuiteStart.lnk - C:\lotus\smartctr\SUITEST.EXE [1999-04-23 07:02:04]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2006-06-18 16:23:08]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-03-06 12:05:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= qvphook.dll [ ]
"{ED0ACB58-556F-21DA-DDFE-6D20F3F611BB}"= C:\WINNT\system32\kb1111p.dll [ ]
"{7E32FA58-3453-FA2D-BC49-F340348ACCE7}"= C:\WINNT\system32\rsmygpm.dll [ ]
"{634345F1-DACF-3452-CB7D-4620F34A1536}"= C:\WINNT\system32\rsztfpm.dll [ ]
"{38907901-1416-3389-9981-372178569983}"= C:\WINNT\system32\kawdczy.dll [ ]
"{4598FF45-DA60-F48A-BC43-10AC47853D54}"= C:\WINNT\system32\rarjdpi.dll [ ]
"{44783410-4F90-34A0-7820-3230ACD05F44}"= C:\WINNT\system32\raqjdpi.dll [ ]
"{5A1247C1-53DA-FF43-ABD3-345F323A48D5}"= C:\WINNT\system32\avwgemn.dll [ ]
"{28847374-8323-FADC-B443-4732ABCD3782}"= C:\WINNT\system32\sidjbzy.dll [ ]
"{4A321487-4977-D98A-C8D5-6488257545A4}"= C:\WINNT\system32\kapjdzy.dll [ ]
"{87D81718-1314-5200-2597-587901018078}"= C:\WINNT\system32\kaqhhzy.dll [ ]
"{4960356A-458E-DE24-BD50-268F589A56A4}"= C:\WINNT\system32\avwldmn.dll [ ]
"{76650011-3344-6688-4899-345FABCD1567}"= C:\WINNT\system32\ratbgpi.dll [ ]
"{8C87A354-ABC3-DEDE-FF33-3213FD7447C8}"= C:\WINNT\system32\kvdxhma.dll [ ]
"{32FAACDE-34DA-CCD4-AB4D-DA34485A3423}"= C:\WINNT\system32\rsjzcpm.dll [ ]
"{6D561258-45F3-A451-F908-A258458226D6}"= C:\WINNT\system32\kvdxsfma.dll [ ]
"{5859245F-345D-BC13-AC4F-145D47DA34F5}"= C:\WINNT\system32\avzxemn.dll [ ]
C:\WINNT\system32\NavLogon.dll 05-04-24 17:21 55104 C:\WINNT\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0


.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 14:00:01 C:\WINNT\Tasks\Live Update.job"
- C:\Progra~1\Symant~1\VPDN_LU.exe
"2006-03-06 16:48:06 C:\WINNT\Tasks\System State.job"
- C:\WINNT\system32\ntbackup.exeibackup
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 19:14:02
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 19:15:15 - machine was rebooted
C:\ComboFix2.txt ... 07-11-26 22:45
.
--- E O F ---


KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 05, 2007 11:28:12 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/12/2007
Kaspersky Anti-Virus database records: 473567


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 43892
Number of viruses found 48
Number of infected objects 240
Number of suspicious objects 0
Duration of the scan process 00:48:56

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\yamamurd\LOCALS~1\Temp\LYLOADER.EXE Infected: Trojan-PSW.Win32.OnLineGames.gmw skipped

C:\Deckard\System Scanner\backup\DOCUME~1\yamamurd\LOCALS~1\Temp\LYLOADMR.EXE Infected: Trojan-PSW.Win32.OnLineGames.gwt skipped

C:\Deckard\System Scanner\backup\DOCUME~1\yamamurd\LOCALS~1\Temp\LYMANGR.DLL Infected: Trojan-PSW.Win32.OnLineGames.gyn skipped

C:\Deckard\System Scanner\backup\DOCUME~1\yamamurd\LOCALS~1\Temp\MSDEG32.DLL Infected: Trojan-PSW.Win32.OnLineGames.gyo skipped

C:\Deckard\System Scanner\backup\DOCUME~1\yamamurd\LOCALS~1\Temp\SHQ.DLL Infected: Trojan-PSW.Win32.OnLineGames.gzd skipped

C:\Deckard\System Scanner\backup\DOCUME~1\yamamurd\LOCALS~1\Temp\SHQMANGR.DLL Infected: Trojan-PSW.Win32.OnLineGames.gwt skipped

C:\Deckard\System Scanner\backup\WINNT\temp\LYLOADER.EXE Infected: Trojan-PSW.Win32.OnLineGames.gym skipped

C:\Deckard\System Scanner\backup\WINNT\temp\LYLOADMR.EXE Infected: Trojan-PSW.Win32.OnLineGames.gwt skipped

C:\Deckard\System Scanner\backup\WINNT\temp\LYMANGR.DLL Infected: Trojan-PSW.Win32.OnLineGames.gyn skipped

C:\Deckard\System Scanner\backup\WINNT\temp\MSDEG32.DLL Infected: Trojan-PSW.Win32.OnLineGames.gyo skipped

C:\Deckard\System Scanner\backup\WINNT\temp\SHQ.DLL Infected: Trojan-PSW.Win32.OnLineGames.gwt skipped

C:\Deckard\System Scanner\backup\WINNT\temp\SHQMANGR.DLL Infected: Trojan-PSW.Win32.OnLineGames.gwt skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp10.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp11.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp12.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp125.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp13.tmp Infected: Trojan-PSW.Win32.OnLineGames.hef skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp14.tmp Infected: Trojan-PSW.Win32.OnLineGames.heg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp15.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp16.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp17.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp18.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp19.tmp Infected: Trojan-PSW.Win32.OnLineGames.heh skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp193.tmp Infected: Trojan-PSW.Win32.OnLineGames.hde skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp1A.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp1B.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp1C.tmp Infected: Trojan-PSW.Win32.OnLineGames.hef skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp1D.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp1E.tmp Infected: Trojan-PSW.Win32.OnLineGames.heg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp1F.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp1FD.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp20.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp21.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp22.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp23.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp239.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp23B.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp23D.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp23E.tmp Infected: Trojan-PSW.Win32.OnLineGames.hde skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp24.tmp Infected: Trojan-PSW.Win32.OnLineGames.hef skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp240.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp241.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp242.tmp Infected: Trojan-PSW.Win32.OnLineGames.gwp skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp243.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp244.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdy skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp245.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp246.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp247.tmp Infected: Trojan-PSW.Win32.OnLineGames.heh skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp248.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp249.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp24B.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp24C.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdr skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp24D.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp24E.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdy skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp24F.tmp Infected: Trojan-PSW.Win32.OnLineGames.heh skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp25.tmp Infected: Trojan-PSW.Win32.OnLineGames.heg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp250.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp251.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp252.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp253.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp254.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp255.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp256.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdr skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp257.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp258.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdx skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp259.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp25A.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp25B.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp25C.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp25D.tmp Infected: Trojan-PSW.Win32.OnLineGames.heh skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp25E.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp25F.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp260.tmp Infected: Trojan-PSW.Win32.OnLineGames.hde skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp261.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp262.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp263.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdx skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp264.tmp Infected: Trojan-PSW.Win32.OnLineGames.gwp skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp265.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp266.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp267.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp268.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp269.tmp Infected: Trojan-PSW.Win32.OnLineGames.heh skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp26A.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp26B.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp26C.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdy skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp26D.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp26E.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp26F.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp27.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp270.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp272.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp273.tmp Infected: Trojan-PSW.Win32.OnLineGames.hde skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp274.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdr skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp275.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp276.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp277.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp278.tmp Infected: Trojan-PSW.Win32.OnLineGames.gwp skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp279.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdx skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp27A.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp27B.tmp Infected: Trojan-PSW.Win32.OnLineGames.heh skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp27C.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp27D.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp27E.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp27F.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp28.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp280.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdy skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp281.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp282.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp284.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp285.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp286.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp287.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp288.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdr skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp289.tmp Infected: Trojan-PSW.Win32.OnLineGames.hde skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp28A.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp28B.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp28C.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdx skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp28D.tmp Infected: Trojan-PSW.Win32.OnLineGames.gwp skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp28F.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp29.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp290.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp291.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp292.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp293.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp294.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp295.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdy skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp297.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp298.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp299.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp29A.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp29B.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp29C.tmp Infected: Trojan-PSW.Win32.OnLineGames.hde skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp29D.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdr skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp29F.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2A.tmp Infected: Trojan-PSW.Win32.OnLineGames.hef skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2A0.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdx skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2A1.tmp Infected: Trojan-PSW.Win32.OnLineGames.gwp skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2A3.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2A4.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2A5.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2A7.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2A8.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2A9.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdy skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2AB.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2AC.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2AD.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2AF.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2B.tmp Infected: Trojan-PSW.Win32.OnLineGames.heg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2B0.tmp Infected: Trojan-PSW.Win32.OnLineGames.hde skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2B1.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdr skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2B3.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2B5.tmp Infected: Trojan-PSW.Win32.OnLineGames.gwp skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2B7.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2B9.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2BB.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2BD.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdy skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2BF.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2C1.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2C3.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2C5.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdr skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2E.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp2F.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp3.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp30.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp32.tmp Infected: Trojan-PSW.Win32.OnLineGames.heg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp4.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdn skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp46.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp5.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp6.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp6C.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdx skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp7.tmp Infected: Trojan-PSW.Win32.OnLineGames.hef skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp8.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmp9.tmp Infected: Trojan-PSW.Win32.WOW.adu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmpA.tmp Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmpB.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmpC.tmp Infected: Trojan-PSW.Win32.OnLineGames.hef skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmpD.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmpD3.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmpE.tmp Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmpE2.tmp Infected: Trojan-PSW.Win32.OnLineGames.hdg skipped

C:\Deckard\System Scanner\backup\WINNT\temp\tmpF.tmp Infected: Trojan-PSW.Win32.OnLineGames.grk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\yamamurd\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\yamamurd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\yamamurd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\yamamurd\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\yamamurd\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\yamamurd\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\yamamurd\ntuser.dat.LOG Object is locked skipped

C:\Program Files\NetAssistant\log\mpbtn.log Object is locked skipped

C:\Program Files\NetAssistant\SmartBridge\AlertFilter.log Object is locked skipped

C:\Program Files\NetAssistant\SmartBridge\log\httpclient.log Object is locked skipped

C:\Program Files\NetAssistant\SmartBridge\SmartBridge.log Object is locked skipped

C:\qoobox\Quarantine\C\Privilege.dat.vir Infected: Trojan-PSW.Win32.OnLineGames.gwt skipped

C:\qoobox\Quarantine\C\WINNT\49400MM.DLL.vir Infected: Trojan-PSW.Win32.Lmir.bnv skipped

C:\qoobox\Quarantine\C\WINNT\49400WL.DLL.vir Infected: Trojan-PSW.Win32.OnLineGames.gis skipped

C:\qoobox\Quarantine\C\WINNT\49400WO.DLL.vir Infected: Trojan-PSW.Win32.OnLineGames.fhz skipped

C:\qoobox\Quarantine\C\WINNT\IGM.exe.vir Infected: Trojan-PSW.Win32.Lmir.bnx skipped

C:\qoobox\Quarantine\C\WINNT\system32\0.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.hec skipped

C:\qoobox\Quarantine\C\WINNT\system32\12.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.hqh skipped

C:\qoobox\Quarantine\C\WINNT\system32\15.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.hqh skipped

C:\qoobox\Quarantine\C\WINNT\system32\avwgemn.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.grj skipped

C:\qoobox\Quarantine\C\WINNT\system32\avwgest.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gpx skipped

C:\qoobox\Quarantine\C\WINNT\system32\avwldmn.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gie skipped

C:\qoobox\Quarantine\C\WINNT\system32\avwldst.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gih skipped

C:\qoobox\Quarantine\C\WINNT\system32\avzxemn.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gqb skipped

C:\qoobox\Quarantine\C\WINNT\system32\avzxest.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gqb skipped

C:\qoobox\Quarantine\C\WINNT\system32\dh3atl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.hdr skipped

C:\qoobox\Quarantine\C\WINNT\system32\dhatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.hdy skipped

C:\qoobox\Quarantine\C\WINNT\system32\djatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\qoobox\Quarantine\C\WINNT\system32\gjatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.hdx skipped

C:\qoobox\Quarantine\C\WINNT\system32\jzatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.hdz skipped

C:\qoobox\Quarantine\C\WINNT\system32\kapjdaz.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gpx skipped

C:\qoobox\Quarantine\C\WINNT\system32\kapjdzy.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gri skipped

C:\qoobox\Quarantine\C\WINNT\system32\kaqhhaz.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gpx skipped

C:\qoobox\Quarantine\C\WINNT\system32\kawdcaz.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gpx skipped

C:\qoobox\Quarantine\C\WINNT\system32\kawdczy.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gql skipped

C:\qoobox\Quarantine\C\WINNT\system32\kb1111p.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.guk skipped

C:\qoobox\Quarantine\C\WINNT\system32\kvdxhis.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gux skipped

C:\qoobox\Quarantine\C\WINNT\system32\kvdxhma.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gqo skipped

C:\qoobox\Quarantine\C\WINNT\system32\kvdxsfis.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gpx skipped

C:\qoobox\Quarantine\C\WINNT\system32\kvdxsfma.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gpv skipped

C:\qoobox\Quarantine\C\WINNT\system32\LYLOADER.EXE.vir Infected: Trojan-PSW.Win32.OnLineGames.gym skipped

C:\qoobox\Quarantine\C\WINNT\system32\LYMANGR.DLL.vir Infected: Trojan-PSW.Win32.OnLineGames.gyn skipped

C:\qoobox\Quarantine\C\WINNT\system32\MSDEG32.DLL.vir Infected: Trojan-PSW.Win32.OnLineGames.gyo skipped

C:\qoobox\Quarantine\C\WINNT\system32\myatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.hef skipped

C:\qoobox\Quarantine\C\WINNT\system32\qjatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.guz skipped

C:\qoobox\Quarantine\C\WINNT\system32\qqhxatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.hde skipped

C:\qoobox\Quarantine\C\WINNT\system32\raqjdpi.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gqj skipped

C:\qoobox\Quarantine\C\WINNT\system32\raqjdtl.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gpx skipped

C:\qoobox\Quarantine\C\WINNT\system32\rarjdtl.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gtd skipped

C:\qoobox\Quarantine\C\WINNT\system32\ratbgpi.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gqn skipped

C:\qoobox\Quarantine\C\WINNT\system32\ratbgtl.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gvw skipped

C:\qoobox\Quarantine\C\WINNT\system32\rsjzcpm.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.grg skipped

C:\qoobox\Quarantine\C\WINNT\system32\rsjzcsp.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gpx skipped

C:\qoobox\Quarantine\C\WINNT\system32\rsmygpm.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gqg skipped

C:\qoobox\Quarantine\C\WINNT\system32\rsmygsp.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gpx skipped

C:\qoobox\Quarantine\C\WINNT\system32\rsztfpm.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gqm skipped

C:\qoobox\Quarantine\C\WINNT\system32\rsztfsp.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gpx skipped

C:\qoobox\Quarantine\C\WINNT\system32\rxjhatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.hdg skipped

C:\qoobox\Quarantine\C\WINNT\system32\SHQ.DLL.vir Infected: Trojan-PSW.Win32.OnLineGames.gzd skipped

C:\qoobox\Quarantine\C\WINNT\system32\SHQMANGR.DLL.vir Infected: Trojan-PSW.Win32.OnLineGames.gwt skipped

C:\qoobox\Quarantine\C\WINNT\system32\sidjbaz.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.gpx skipped

C:\qoobox\Quarantine\C\WINNT\system32\sidjbzy.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.grh skipped

C:\qoobox\Quarantine\C\WINNT\system32\sqmapi32.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\qoobox\Quarantine\C\WINNT\system32\tlatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gyu skipped

C:\qoobox\Quarantine\C\WINNT\system32\wdatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.heg skipped

C:\qoobox\Quarantine\C\WINNT\system32\wlatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.gwp skipped

C:\qoobox\Quarantine\C\WINNT\system32\zhtuatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.hcg skipped

C:\qoobox\Quarantine\C\WINNT\system32\zxatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.heh skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\Sti_Trace.log Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

C:\WINNT\~Temp7370.tmp Infected: Trojan-PSW.Win32.OnLineGames.gul skipped

Scan process completed.
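The report above mixes three things that call for different handling, and it is easy to misread it as dozens of live infections. Everything under C:\qoobox\Quarantine is ComboFix's quarantine (the .vir suffix is its renaming), so those hits are expected and already neutralised; "Object is locked skipped" is the scanner failing to open registry hives and event logs the OS holds open, not a detection; the one line that still needs attention is the Infected: hit on a path outside any quarantine. The script below is an added example written for this page, not code from the poster, BleepingComputer, or Kaspersky. It parses that line format, sorts the lines into those three buckets, and tallies the detection families. The embedded sample log is constructed to mirror a few lines of the pasted report; the quarantine root list and the "expected lock" heuristic are assumptions you would extend for other tools.

```python
"""Triage a Kaspersky Online Scanner report of the kind pasted above.

Report lines look like "<path> Infected: <detection> skipped" or
"<path> Object is locked skipped". The classifier puts each line in one of:

  QUARANTINED - path is under a known quarantine folder (assumed list below;
                C:\\qoobox\\Quarantine is ComboFix's). Already neutralised.
  LOCKED      - scanner could not open the file; usually hives/logs in use.
  ACTIVE      - Infected: hit outside any quarantine. These need action.
  UNPARSED    - anything else (summary lines, blank-stripped junk).
"""
import re
from collections import Counter, defaultdict

# Assumed quarantine roots (lower-cased for comparison). Extend as needed.
QUARANTINE_ROOTS = ("c:\\qoobox\\quarantine\\",)

# Heuristic (assumption): locks on registry hives, event logs and plain logs
# are normal. A locked .dll or .exe elsewhere deserves a second look.
EXPECTED_LOCK_MARKERS = ("\\system32\\config\\", ".log", ".evt", ".txt")

LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:Infected:\s+(?P<det>\S+)|(?P<locked>Object is locked))"
    r"\s+skipped\s*$"
)

# Constructed sample mirroring a few lines of the pasted report.
SAMPLE_LOG = """\
C:\\qoobox\\Quarantine\\C\\WINNT\\IGM.exe.vir Infected: Trojan-PSW.Win32.Lmir.bnx skipped
C:\\qoobox\\Quarantine\\C\\WINNT\\system32\\0.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.hec skipped
C:\\qoobox\\Quarantine\\C\\WINNT\\system32\\zxatl.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.heh skipped
C:\\WINNT\\system32\\config\\SAM Object is locked skipped
C:\\WINNT\\system32\\config\\system Object is locked skipped
C:\\WINNT\\WindowsUpdate.log Object is locked skipped
C:\\WINNT\\~Temp7370.tmp Infected: Trojan-PSW.Win32.OnLineGames.gul skipped
Scan process completed.
"""


def classify_line(line):
    """Return (category, path, detection_or_None), or None if not a report line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("locked"):
        return ("LOCKED", path, None)
    det = m.group("det")
    if path.lower().startswith(QUARANTINE_ROOTS):
        return ("QUARANTINED", path, det)
    return ("ACTIVE", path, det)


def is_expected_lock(path):
    """True if a locked path looks like a hive/log the OS normally holds open."""
    p = path.lower()
    return any(marker in p for marker in EXPECTED_LOCK_MARKERS)


def triage(log_text):
    """Bucket every line of the report; values are (path, detection) tuples."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        result = classify_line(line)
        if result is None:
            buckets["UNPARSED"].append(line)
            continue
        cat, path, det = result
        buckets[cat].append((path, det))
    return dict(buckets)


def family_counts(buckets, category="ACTIVE"):
    """Count detections by family, dropping the per-variant suffix (.gul, .bnx)."""
    fam = Counter()
    for _path, det in buckets.get(category, []):
        fam[det.rsplit(".", 1)[0]] += 1
    return fam


if __name__ == "__main__":
    b = triage(SAMPLE_LOG)
    for cat in ("ACTIVE", "QUARANTINED", "LOCKED", "UNPARSED"):
        print(f"{cat:12s} {len(b.get(cat, []))}")
    for path, det in b.get("ACTIVE", []):
        print("needs action:", path, det)
    for path, _ in b.get("LOCKED", []):
        if not is_expected_lock(path):
            print("unusual lock, inspect:", path)
    print("quarantined families:", dict(family_counts(b, "QUARANTINED")))
```

Run against the full pasted report, the ACTIVE bucket holds only C:\WINNT\~Temp7370.tmp, which is the single item that still needs cleaning; the dozens of qoobox lines disappear once ComboFix is uninstalled, and the locked hives and logs are not findings at all.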
