
Need help removing puzominu.dll


8 replies to this topic

#1 Ashryia

  • Members
  • 7 posts

Posted 17 November 2009 - 01:08 PM

I was redirected here from the Am I Infected forum, so I guess that answers that question! Here is the original topic, there are screen shots of the error message in that thread. http://www.bleepingcomputer.com/forums/t/270063/getting-error-msg-bad-image/

Summary of what occurred: Was infected with Personal Guard 2009 two weeks ago. Removed Personal Guard 2009 along with some other things using MalwareBytes. At that point, Malware Bytes scans started coming up clean, as well as any other scan I ran, AVG, VundoFix etc. However, I cannot start the computer in safe mode - it BSODs if I try. Also, anytime something opens, I get an error message that says, "The application or DLL C:\WINDOWS\system32\puzominu.dll is not a valid Windows image. Please check this against your installation diskette."

Not able to run RootRepeal or Win32kDiag successfully. Ran rkill beforehand as well as Process Killer to see if that would help. Couldn't find the process in Process Killer, even after looking for its alternate names. (Screen shot of the Process Killer windows in the previous thread) Can't get much out of it. However, I did rename Root Repeal and it worked once as the renamed file. The log of that is below the most recent log. Also, anytime Root Repeal starts up, there's an error; it says, "Error - invalid PE image found." I don't know if that would affect why it's not working.

I've included the Win32kDiag log although there's really nothing in it.

The final log is the DDS.txt log.

I know y'all are busy, your help is very much appreciated! Thanks <3

The most recent RootRepeal Log in italics

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/17 11:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAABDB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AAC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7AB6000 Size: 7872 File Visible: No Signed: -
Status: -

Name: tatertot.scr.sys
Image Path: C:\WINDOWS\system32\drivers\tatertot.scr.sys
Address: 0xA995A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\cws\Local Settings\Apps\2.0\R7MRLQZX.21W\5A6X5XBP.1LJ\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\cws\Local Settings\Apps\2.0\R7MRLQZX.21W\5A6X5XBP.1LJ\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

==EOF==


Previous RootRepeal Log: Renamed and Ran
Root Repeal Log: Renamed Tatertot.scr - Error message shown in ss above
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/13 09:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAABDB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AAC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7AB6000 Size: 7872 File Visible: No Signed: -
Status: -

Name: tatertot.scr.sys
Image Path: C:\WINDOWS\system32\drivers\tatertot.scr.sys
Address: 0xA9872000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
==EOF==

Most Recent Win32kDiag Log
Running from: C:\Documents and Settings\cws\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\cws\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!



DDS.txt

DDS (Ver_09-10-26.01) - NTFSx86
Run by cws at 11:48:00.60 on Tue 11/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.480 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\cws\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\cws\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://cwsapartments.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
uRun: [Google Update] "c:\documents and settings\cws\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\zzzzzzzz\mbam.exe" /runcleanupscript
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera\fileutility\NsCatCom.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bluemoon.com
Trusted Zone: employease.com
Trusted Zone: ocius.net
Trusted Zone: realpage.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} - hxxp://onesite.realpage.com/coreglobal/RealpageCab/Realpage.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196456792025
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: c:\windows\system32\dahemoji.dll puzominu.dll c:\windows\system32\yowajaka.dll
SSODL: futejezoj - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll
SSODL: watumoluy - {7265e17e-160d-4369-8089-4cea6d8fad20} - c:\windows\system32\yowajaka.dll
STS: kupuhivus: {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll
STS: tokatiluy: {7265e17e-160d-4369-8089-4cea6d8fad20} - c:\windows\system32\yowajaka.dll
LSA: Notification Packages = scecli jedemeja.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-8 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-8 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-8 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-8 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-8 285392]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-9-21 10384]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]

=============== Created Last 30 ================

2009-11-08 22:19:06 0 d--h--w- C:\$AVG
2009-11-08 22:18:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-08 22:18:44 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 22:18:36 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-08 22:18:07 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-08 22:17:15 0 d-----w- c:\program files\AVG
2009-11-08 22:17:06 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-08 22:16:24 0 d-----w- c:\windows\SxsCaPendDel
2009-11-08 22:09:36 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-08 22:08:56 0 d-----w- c:\program files\Panda Security
2009-11-08 19:37:17 0 d-----w- C:\VundoFix Backups
2009-11-07 22:37:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 22:37:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 22:37:18 0 d-----w- c:\program files\zzzzzzzz
2009-11-07 22:06:33 0 d-----w- C:\QUARANTINE
2009-11-07 22:02:22 0 d-----w- c:\docume~1\cws\applic~1\Malwarebytes
2009-11-07 21:54:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 21:54:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-06 17:48:45 0 d-----w- C:\scans
2009-11-06 17:48:03 175 ----a-w- c:\windows\nscatch.ini
2009-11-06 17:48:03 0 d-----w- c:\program files\Kyocera

==================== Find3M ====================

2009-11-08 18:39:06 51712 --sha-w- c:\windows\system32\puzominu.dll
2009-11-07 22:46:45 52736 --sha-w- c:\windows\system32\nozapuso.dll.tmp
2009-11-07 22:06:37 52736 --sha-w- c:\windows\system32\yimolizo.dll.tmp
2009-11-06 21:22:35 50368 ----a-w- c:\windows\fonts\Candcu__.ttf
2009-10-29 20:57:19 63796 ----a-w- c:\windows\fonts\CHRICI__.TTF
2009-10-29 19:14:45 26840 ----a-w- c:\windows\fonts\WillyWonka.ttf
2009-10-29 19:14:31 20124 ----a-w- c:\windows\fonts\thundercaps.ttf
2009-10-29 19:14:30 24424 ----a-w- c:\windows\fonts\thundercats.ttf
2009-10-29 19:14:12 81544 ----a-w- c:\windows\fonts\ParryHotter.ttf
2009-10-29 19:13:57 77476 ----a-w- c:\windows\fonts\LITTLELO.TTF
2009-10-29 19:13:48 31520 ----a-w- c:\windows\fonts\Grinched.ttf
2009-10-29 19:05:57 176320 ----a-w- c:\windows\fonts\Beyond Wonderland.ttf
2009-10-29 18:19:12 57292 ----a-w- c:\windows\fonts\Flakes.ttf
2009-10-29 18:19:12 47704 ----a-w- c:\windows\fonts\Christmas.ttf
2009-10-17 15:36:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-03 16:12:40 521608 ----a-w- c:\windows\fonts\vtks Deja Vu.ttf
2009-10-03 16:12:29 66256 ----a-w- c:\windows\fonts\STARDI__.TTF
2009-10-03 16:12:29 66164 ----a-w- c:\windows\fonts\STARDRG_.TTF
2009-10-03 16:12:28 66224 ----a-w- c:\windows\fonts\STARDCI_.TTF
2009-10-03 16:12:28 66044 ----a-w- c:\windows\fonts\STARDCRG.TTF
2009-10-03 16:12:21 18080 ----a-w- c:\windows\fonts\phillysans.ttf
2009-10-03 16:12:16 23616 ----a-w- c:\windows\fonts\nusaliver.ttf
2009-10-03 16:12:11 146376 ----a-w- c:\windows\fonts\Nemo Nightmares.ttf
2009-10-03 16:12:02 28042 ----a-w- c:\windows\fonts\James Almacen.ttf
2009-10-03 16:11:54 51068 ----a-w- c:\windows\fonts\flableep.ttf
2009-10-03 16:11:45 148896 ----a-w- c:\windows\fonts\Bleeding_Cowboys.ttf
2009-10-03 16:11:38 39340 ----a-w- c:\windows\fonts\atlandsketchesbb_ital.ttf
2009-10-03 16:11:38 37876 ----a-w- c:\windows\fonts\atlandsketchesbb_reg.ttf
2009-10-03 16:11:31 40836 ----a-w- c:\windows\fonts\AGENTORANGE.TTF
2009-10-03 16:11:21 25884 ----a-w- c:\windows\fonts\abaddon.TTF
2009-09-21 18:24:35 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-09-21 18:24:19 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-21 18:24:15 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-09-21 00:51:13 37 ----a-w- c:\documents and settings\cws\jagex_runescape_preferences.dat
2009-09-20 23:35:54 45 ----a-w- c:\documents and settings\cws\jagex_runescape_preferences2.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-06-18 08:06:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061820080619\index.dat

============= FINISH: 11:48:55.18 ===============

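The entries a responder would look at first in the DDS log above are the loading points rather than the running processes: AppInit_DLLs, the ShellServiceObjectDelayLoad (SSODL) and SharedTaskScheduler (STS) objects, and the LSA Notification Packages list all name DLLs with random eight-letter names, and the Find3M rows show puzominu.dll sitting in system32 with system+hidden attributes. The script below is an added example for this thread, not part of the original post and not code from DDS, HijackThis or RootRepeal. It parses those sections of a DDS-format log and flags every entry outside a small allowlist of stock Windows XP values. The allowlists (KNOWN_SSODL, KNOWN_STS, KNOWN_LSA_PACKAGES) are the example's own assumption, and the sample input is built from rows copied from the log above plus one constructed benign SSODL row.

```python
"""Triage the persistence entries in a DDS-style log.

Added example for this thread; it is not part of the original post and not
code from DDS, HijackThis or RootRepeal. It reads the "Pseudo HJT Report"
and "Find3M"/"Created Last 30" rows of a DDS log and flags the loading
points the random-named DLLs above use, using small allowlists of stock
Windows XP values that are this example's own assumption.
"""
import re
from collections import OrderedDict, namedtuple

Finding = namedtuple("Finding", "source dll reason")

# ASSUMED allowlists (not stated in the log): DLLs a stock Windows XP install
# registers under each key. Anything else is worth a second look.
KNOWN_SSODL = {"webcheck.dll", "shell32.dll", "stobject.dll", "upnpui.dll"}
KNOWN_STS = {"browseui.dll"}
KNOWN_LSA_PACKAGES = {"scecli"}  # the only notification package on a stock XP box

APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<value>.+)$")
SHELL_OBJ_RE = re.compile(
    r"^(?P<kind>SSODL|STS): (?P<name>[^:\-]+?)[:\s-]+\{[0-9a-fA-F-]+\}\s*-\s*(?P<path>.+)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.+)$")
# "Created Last 30" / "Find3M" rows: date time size attributes path
FILE_ROW_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attr>[-dsharcw]{8})\s+(?P<path>.+)$")


def dll_basename(path):
    """Last path component, lower-cased, so full and bare names compare equal."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return a Finding for every suspicious loading point in the log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()

        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is empty on a clean XP install. user32.dll loads every
            # entry into every process that links user32, which is why a broken
            # DLL here produces the "not a valid Windows image" dialog for any
            # program that starts. A bare name such as puzominu.dll is resolved
            # through the normal DLL search order.
            for entry in m.group("value").split():
                findings.append(Finding("AppInit_DLLs", dll_basename(entry),
                                        "loaded into every user32 process at start-up"))
            continue

        m = SHELL_OBJ_RE.match(line)
        if m:
            kind = m.group("kind")
            dll = dll_basename(m.group("path"))
            allow = KNOWN_SSODL if kind == "SSODL" else KNOWN_STS
            if dll not in allow:
                findings.append(Finding(kind, dll,
                                        "explorer.exe loads it at logon; not a stock XP entry"))
            continue

        m = LSA_RE.match(line)
        if m:
            for pkg in m.group("pkgs").split():
                if pkg.lower() not in KNOWN_LSA_PACKAGES:
                    findings.append(Finding("LSA Notification Packages", dll_basename(pkg),
                                            "lsass.exe loads it and it sees every password change"))
            continue

        m = FILE_ROW_RE.match(line)
        if m:
            attr = m.group("attr")
            path = m.group("path").lower()
            # Stock system32 DLLs are not marked system+hidden; the Vundo-style
            # droppers in this thread set exactly that on their payload.
            if ("s" in attr and "h" in attr and "\\system32\\" in path
                    and re.search(r"\.dll(\.tmp)?$", path)):
                findings.append(Finding("file attributes", dll_basename(path),
                                        "system+hidden DLL in system32 (%s)" % attr))
    return findings


def summarize(findings):
    """Group sources by DLL so a file hooked from several places stands out."""
    by_dll = OrderedDict()
    for f in findings:
        by_dll.setdefault(f.dll, []).append(f.source)
    return by_dll


# Sample input: rows copied from the DDS log above plus one constructed benign
# SSODL row (WebCheck) to show that stock entries are not flagged.
SAMPLE_DDS = r"""
AppInit_DLLs: c:\windows\system32\dahemoji.dll puzominu.dll c:\windows\system32\yowajaka.dll
SSODL: futejezoj - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll
SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - webcheck.dll
STS: kupuhivus: {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll
LSA: Notification Packages = scecli jedemeja.dll
Notify: avgrsstarter - avgrsstx.dll
2009-11-08 18:39:06 51712 --sha-w- c:\windows\system32\puzominu.dll
2009-11-07 22:46:45 52736 --sha-w- c:\windows\system32\nozapuso.dll.tmp
2009-10-17 15:36:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-06-18 08:06:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061820080619\index.dat
"""

if __name__ == "__main__":
    results = analyze(SAMPLE_DDS.splitlines())
    for f in results:
        print("%-26s %-18s %s" % (f.source, f.dll, f.reason))
    for dll, sources in summarize(results).items():
        print("%s <- %s" % (dll, ", ".join(sources)))
```

Run against the rows above it reports dahemoji.dll from three loading points and puzominu.dll from two, while deploytk.dll, avgrsstx.dll and the WebCheck row are left alone. The registry entries are flagged whether or not the file still exists on disk, which matches what HijackThis later shows for dahemoji.dll and yowajaka.dll as "(file missing)": a scanner that deleted the DLL but left the SSODL, STS and AppInit_DLLs values behind is exactly how the "not a valid Windows image" dialog keeps appearing after the scans come back clean.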
#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:08 AM

Posted 25 November 2009 - 10:45 AM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic. If you still need help, please let me know in your next reply what issues you are still having.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 Ashryia

Ashryia
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 28 November 2009 - 11:21 AM

Thank you for your help!

Here are the logs:

Log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by cws at 2009-11-28 10:14:17
Microsoft Windows XP Professional Service Pack 3
System drive C: has 47 GB (73%) free of 65 GB
Total RAM: 1014 MB (21% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:31 AM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Documents and Settings\cws\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Novell\GroupWise\grpwise.exe
C:\Novell\GroupWise\GWSync.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\cws\Desktop\RSIT.exe
C:\Program Files\trend micro\cws.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cwsapartments.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\zzzzzzzz\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\cws\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bluemoon.com
O15 - Trusted Zone: *.employease.com
O15 - Trusted Zone: *.ocius.net
O15 - Trusted Zone: *.realpage.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} (RealPage Web Objects) - http://onesite.realpage.com/coreglobal/Rea...ab/Realpage.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196456792025
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\dahemoji.dll puzominu.dll c:\windows\system32\yowajaka.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: futejezoj - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll (file missing)
O21 - SSODL: watumoluy - {7265e17e-160d-4369-8089-4cea6d8fad20} - c:\windows\system32\yowajaka.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {7265e17e-160d-4369-8089-4cea6d8fad20} - c:\windows\system32\yowajaka.dll (file missing)
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)

--
End of file - 8319 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\cilcwejn.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1757981266-725345543-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1757981266-725345543-1003UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2009-11-10 1475864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll [2006-11-30 67136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-17 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-17 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1404928]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2006-03-23 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2006-03-23 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2006-03-23 118784]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2006-11-30 112216]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\UdaterUI.exe [2006-11-17 136768]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-17 149280]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-10-07 413696]
"Kernel and Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2009-06-17 55824]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\zzzzzzzz\mbam.exe [2009-09-10 1312080]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2009-11-13 2020120]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Email Plugin"=C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe []
"Google Update"=C:\Documents and Settings\cws\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-22 133104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
Scanner File Utility.lnk - C:\Program Files\Kyocera\FileUtility\NsCatCom.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\windows\system32\dahemoji.dll puzominu.dll c:\windows\system32\yowajaka.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-11-08 12464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-03-23 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [2009-07-20 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
C:\WINDOWS\system32\PCANotify.dll [2003-05-29 8704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
futejezoj - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll []
watumoluy - {7265e17e-160d-4369-8089-4cea6d8fad20} - c:\windows\system32\yowajaka.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
kupuhivus - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll []
tokatiluy - {7265e17e-160d-4369-8089-4cea6d8fad20} - c:\windows\system32\yowajaka.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
jedemeja.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Symantec\pcAnywhere\WinAw32.exe"="C:\Program Files\Symantec\pcAnywhere\WinAw32.exe:*:Enabled:pcAnywhere Main Executable"
"C:\Program Files\Symantec\pcAnywhere\awhost32.exe"="C:\Program Files\Symantec\pcAnywhere\awhost32.exe:*:Enabled:pcAnywhere Host Service"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exe:*:Enabled:Spooler SubSystem App"
"C:\Novell\GroupWise\grpwise.exe"="C:\Novell\GroupWise\grpwise.exe:*:Enabled:Novell GroupWise"
"C:\Novell\GroupWise\notify.exe"="C:\Novell\GroupWise\notify.exe:*:Enabled:Novell Notify"
"C:\Program Files\Kyocera\FileUtility\NsCatCom.exe"="C:\Program Files\Kyocera\FileUtility\NsCatCom.exe:*:Enabled:NsCatCom"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"
"C:\Program Files\AVG\AVG9\avgemc.exe"="C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-11-28 10:15:10 ----D---- C:\Program Files\trend micro
2009-11-28 10:14:17 ----D---- C:\rsit
2009-11-25 03:09:07 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-11-25 03:07:26 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2009-11-17 11:55:35 ----A---- C:\RootRepeal report 11-17-09 (11-55-35).txt
2009-11-17 11:46:50 ----A---- C:\RootRepeal report 11-17-09 (11-46-50).txt
2009-11-17 11:31:28 ----A---- C:\RootRepeal report 11-17-09 (11-31-28).txt
2009-11-13 09:59:25 ----A---- C:\RootRepeal report 11-13-09 (09-59-25).txt
2009-11-13 09:48:25 ----A---- C:\RootRepeal report 11-13-09 (09-48-25).txt
2009-11-12 03:02:40 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-12 03:02:11 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-11-11 15:04:39 ----A---- C:\RootRepeal report 11-11-09 (15-04-39).txt
2009-11-11 09:30:25 ----A---- C:\Log.txt
2009-11-11 09:22:39 ----A---- C:\RootRepeal report 11-11-09 (09-22-39).txt
2009-11-08 16:19:06 ----HD---- C:\$AVG
2009-11-08 16:18:46 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-11-08 16:17:15 ----D---- C:\Program Files\AVG
2009-11-08 16:17:06 ----D---- C:\Documents and Settings\All Users\Application Data\avg9
2009-11-08 16:16:24 ----D---- C:\WINDOWS\SxsCaPendDel
2009-11-08 16:08:56 ----D---- C:\Program Files\Panda Security
2009-11-08 13:37:17 ----D---- C:\VundoFix Backups
2009-11-08 13:37:17 ----A---- C:\VundoFix.txt
2009-11-07 16:37:18 ----D---- C:\Program Files\zzzzzzzz
2009-11-07 16:14:40 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-11-07 16:06:33 ----D---- C:\QUARANTINE
2009-11-07 16:02:22 ----D---- C:\Documents and Settings\cws\Application Data\Malwarebytes
2009-11-07 15:54:22 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-07 15:54:22 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-11-06 11:48:45 ----D---- C:\scans
2009-11-06 11:48:03 ----D---- C:\Program Files\Kyocera
2009-11-06 11:48:03 ----A---- C:\WINDOWS\nscatch.ini
2009-11-06 11:47:49 ----D---- C:\Documents and Settings\cws\Application Data\InstallShield

======List of files/folders modified in the last 1 months======

2009-11-28 10:15:46 ----D---- C:\WINDOWS\Prefetch
2009-11-28 10:15:10 ----RD---- C:\Program Files
2009-11-28 09:57:29 ----D---- C:\WINDOWS\Temp
2009-11-28 09:57:14 ----A---- C:\WINDOWS\WPCMAPI.INI
2009-11-28 09:35:24 ----D---- C:\WINDOWS
2009-11-25 03:26:37 ----D---- C:\WINDOWS\system32
2009-11-25 03:25:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-25 03:09:32 ----HD---- C:\WINDOWS\inf
2009-11-25 03:08:39 ----A---- C:\WINDOWS\imsins.BAK
2009-11-25 03:07:52 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-25 03:03:17 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-25 03:02:36 ----SHD---- C:\WINDOWS\Installer
2009-11-25 03:02:32 ----D---- C:\WINDOWS\WinSxS
2009-11-24 16:41:40 ----D---- C:\Documents and Settings\cws\Application Data\.oit
2009-11-24 14:25:14 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-17 16:33:24 ----D---- C:\Program Files\MSECache
2009-11-17 12:07:07 ----D---- C:\WINDOWS\system32\drivers
2009-11-08 16:16:53 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-11-08 16:14:15 ----SD---- C:\Documents and Settings\cws\Application Data\Microsoft
2009-11-08 16:08:31 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-08 12:39:06 ----ASH---- C:\WINDOWS\system32\puzominu.dll
2009-11-08 12:35:51 ----D---- C:\Program Files\Internet Explorer
2009-11-08 11:05:01 ----SD---- C:\WINDOWS\Tasks
2009-11-07 16:46:45 ----ASH---- C:\WINDOWS\system32\nozapuso.dll.tmp
2009-11-07 16:06:37 ----ASH---- C:\WINDOWS\system32\yimolizo.dll.tmp
2009-11-06 15:23:20 ----RSD---- C:\WINDOWS\Fonts
2009-11-06 11:48:06 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-06 11:46:51 ----D---- C:\IT
2009-11-05 09:34:14 ----D---- C:\WINDOWS\system32\KB905474
2009-11-05 09:27:50 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-29 22:12:50 ----D---- C:\WINDOWS\Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-11-08 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-11-08 28424]
R1 AvgTdiX;AVG Free Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-11-10 360584]
R1 AW_HOST;AW_HOST; C:\WINDOWS\system32\drivers\aw_host5.sys [2003-05-05 24365]
R1 awlegacy;awlegacy; C:\WINDOWS\System32\Drivers\awlegacy.sys [2003-04-21 10901]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2006-11-30 52136]
R2 LBeepKE;LBeepKE; C:\WINDOWS\System32\Drivers\LBeepKE.sys [2009-06-17 10384]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2005-03-17 132608]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2006-03-23 1166972]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2009-06-17 35472]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2009-06-17 37392]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2006-11-30 64360]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2006-11-30 72264]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2006-11-30 34152]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2006-11-30 168776]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2009-11-08 906520]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2009-11-08 285392]
R2 awhost32;pcAnywhere Host Service; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [2003-05-29 106496]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-17 153376]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2006-11-17 104000]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 MyWebSearchService;My Web Search Service; C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2009-07-20 121360]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


Info.txt

info.txt logfile of random's system information tool 1.06 2009-11-28 10:18:05

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP BiDi Channel Components Installer-->MsiExec.exe /I{9DE3F260-B88E-42CE-90E7-73C78C37D95E}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
Broadcom Gigabit Integrated Controller-->MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
CDDRV_Installer-->MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
erLT-->MsiExec.exe /I{A498D9EB-927B-459B-85D6-DD6EF8C2C564}
GLSnap-->MsiExec.exe /I{788D9F04-6FF8-4517-A99C-6C28C3C721B0}
GroupWise-->MsiExec.exe /I{B99964A9-ED15-4058-B783-8AEE281B2325}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
J2SE Runtime Environment 5.0 Update 12-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150120}
Java™ 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KhalInstallWrapper-->MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
Kyocera Scanner File Utility-->C:\Program Files\InstallShield Installation Information\{61C79AE1-5403-4687-AC68-28BFA5EF3895}\Setup.exe -runfromtemp -l0x0009 -removeonly
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech SetPoint-->"C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe" -runfromtemp -l0x0009 -removeonly
Malwarebytes' Anti-Malware-->"C:\Program Files\zzzzzzzz\unins000.exe"
McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs-->MsiExec.exe /X{90120000-00B2-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft WSE 3.0 Runtime-->MsiExec.exe /X{E3E71D07-CD27-46CB-8448-16D4FB29AA13}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPage Document Management System Upload Monitor-->MsiExec.exe /I{206856E9-48B2-43C3-AEAF-140A8A1C6590}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
Symantec pcAnywhere-->MsiExec.exe /I{E05E8183-866A-11D3-97DF-0000F8D8F2E9}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 7 (KB976749)-->"C:\WINDOWS\ie7updates\KB976749-IE7\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows NT Messaging-->RunDll32 setupapi.dll,InstallHinfSection Uninstall 4 MSMail.inf
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: AVG Anti-Virus Free
AV: McAfee VirusScan Enterprise (outdated)

======System event log======

Computer Name: TREETOPS-LS1
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 10397
Source Name: W32Time
Time Written: 20091111224055.000000-360
Event Type: warning
User:

Computer Name: TREETOPS-LS1
Event Code: 7000
Message: The My Web Search Service service failed to start due to the following error:
The system cannot find the path specified.


Record Number: 10258
Source Name: Service Control Manager
Time Written: 20091111090145.000000-360
Event Type: error
User:

Computer Name: TREETOPS-LS1
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 10242
Source Name: W32Time
Time Written: 20091109061411.000000-360
Event Type: warning
User:

Computer Name: TREETOPS-LS1
Event Code: 7
Message: The device, \Device\CdRom0, has a bad block.

Record Number: 10241
Source Name: Cdrom
Time Written: 20091109033915.000000-360
Event Type: error
User:

Computer Name: TREETOPS-LS1
Event Code: 7000
Message: The My Web Search Service service failed to start due to the following error:
The system cannot find the path specified.


Record Number: 10195
Source Name: Service Control Manager
Time Written: 20091108163559.000000-360
Event Type: error
User:

=====Application event log=====

Computer Name: TREETOPS-LS1
Event Code: 258
Message: The file C:\Program Files\Personal Guard 2009\uninstalls.exe contains FakeAlert-JU Trojan. The file was successfully deleted.

Record Number: 6787
Source Name: McLogEvent
Time Written: 20091107172957.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: TREETOPS-LS1
Event Code: 258
Message: The file C:\PROGRAM FILES\PERSONAL GUARD 2009\UNINSTALLS.EXE contains FakeAlert-JU Trojan. The file was successfully deleted.

Record Number: 6786
Source Name: McLogEvent
Time Written: 20091107172957.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: TREETOPS-LS1
Event Code: 258
Message: The file C:\Program Files\Personal Guard 2009\personalguard.exe contains FakeAlert-JU Trojan. The file was successfully deleted.

Record Number: 6785
Source Name: McLogEvent
Time Written: 20091107172936.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: TREETOPS-LS1
Event Code: 258
Message: The file C:\PROGRAM FILES\PERSONAL GUARD 2009\PERSONALGUARD.EXE contains FakeAlert-JU Trojan. The file was successfully deleted.

Record Number: 6784
Source Name: McLogEvent
Time Written: 20091107172936.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: TREETOPS-LS1
Event Code: 258
Message: The file C:\Program Files\Personal Guard 2009\uninstalls.exe contains FakeAlert-JU Trojan. The file was successfully deleted.

Record Number: 6783
Source Name: McLogEvent
Time Written: 20091107172936.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Symantec\pcAnywhere\;C:\Program Files\QuickTime\QTSystem\;C:\Novell\GroupWise
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0403
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"VSEDEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"DEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip

-----------------EOF-----------------

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:08 AM

Posted 28 November 2009 - 11:37 AM

Hi Ashryia,


I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove McAfee since it is outdated.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Please post back here with the following logs:
  • MBAM log
  • Gmer log
  • New Rsit log
Thanks



#5 Ashryia

Ashryia
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:08 PM

Posted 28 November 2009 - 01:35 PM

I think the updated Malware Bytes scan took care of the problem: it found it, removed it, and after the restart the problem has stopped occurring.

Thank you for your help!

Here are the logs:

MBAM:

Malwarebytes' Anti-Malware 1.41
Database version: 3251
Windows 5.1.2600 Service Pack 3

11/28/2009 11:06:12 AM
mbam-log-2009-11-28 (11-06-12).txt

Scan type: Quick Scan
Objects scanned: 115711
Time elapsed: 15 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\puzominu.dll (Trojan.Vundo.N) -> Quarantined and deleted successfully.

GMER:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-28 12:27:06
Windows 5.1.2600 Service Pack 3
Running: 5l6vn965.exe; Driver: C:\DOCUME~1\cws\LOCALS~1\Temp\fxddruog.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6FEEF80]

---- EOF - GMER 1.0.15 ----


New RSIT
Logfile of random's system information tool 1.06 (written by random/random)
Run by cws at 2009-11-28 12:27:34
Microsoft Windows XP Professional Service Pack 3
System drive C: has 47 GB (73%) free of 65 GB
Total RAM: 1014 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:34 PM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\cws\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Documents and Settings\cws\Desktop\5l6vn965.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\cws\Desktop\RSIT.exe
C:\Program Files\trend micro\cws.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cwsapartments.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\zzzzzzzz\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\cws\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bluemoon.com
O15 - Trusted Zone: *.employease.com
O15 - Trusted Zone: *.ocius.net
O15 - Trusted Zone: *.realpage.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} (RealPage Web Objects) - http://onesite.realpage.com/coreglobal/Rea...ab/Realpage.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196456792025
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O20 - AppInit_DLLs: c:\windows\system32\dahemoji.dll puzominu.dll c:\windows\system32\yowajaka.dll
O21 - SSODL: futejezoj - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll (file missing)
O21 - SSODL: watumoluy - {7265e17e-160d-4369-8089-4cea6d8fad20} - c:\windows\system32\yowajaka.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {7265e17e-160d-4369-8089-4cea6d8fad20} - c:\windows\system32\yowajaka.dll (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)

--
End of file - 6875 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\cilcwejn.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1757981266-725345543-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1757981266-725345543-1003UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-17 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-17 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1404928]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2006-03-23 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2006-03-23 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2006-03-23 118784]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\UdaterUI.exe [2006-11-17 136768]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-17 149280]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-10-07 413696]
"Kernel and Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2009-06-17 55824]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\zzzzzzzz\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Documents and Settings\cws\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-22 133104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
Scanner File Utility.lnk - C:\Program Files\Kyocera\FileUtility\NsCatCom.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\windows\system32\dahemoji.dll puzominu.dll c:\windows\system32\yowajaka.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-03-23 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [2009-07-20 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
C:\WINDOWS\system32\PCANotify.dll [2003-05-29 8704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
futejezoj - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll []
watumoluy - {7265e17e-160d-4369-8089-4cea6d8fad20} - c:\windows\system32\yowajaka.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
kupuhivus - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll []
tokatiluy - {7265e17e-160d-4369-8089-4cea6d8fad20} - c:\windows\system32\yowajaka.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
jedemeja.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Symantec\pcAnywhere\WinAw32.exe"="C:\Program Files\Symantec\pcAnywhere\WinAw32.exe:*:Enabled:pcAnywhere Main Executable"
"C:\Program Files\Symantec\pcAnywhere\awhost32.exe"="C:\Program Files\Symantec\pcAnywhere\awhost32.exe:*:Enabled:pcAnywhere Host Service"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exe:*:Enabled:Spooler SubSystem App"
"C:\Novell\GroupWise\grpwise.exe"="C:\Novell\GroupWise\grpwise.exe:*:Enabled:Novell GroupWise"
"C:\Novell\GroupWise\notify.exe"="C:\Novell\GroupWise\notify.exe:*:Enabled:Novell Notify"
"C:\Program Files\Kyocera\FileUtility\NsCatCom.exe"="C:\Program Files\Kyocera\FileUtility\NsCatCom.exe:*:Enabled:NsCatCom"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-11-28 10:45:00 ----SHD---- C:\Config.Msi
2009-11-28 10:15:10 ----D---- C:\Program Files\trend micro
2009-11-28 10:14:17 ----D---- C:\rsit
2009-11-25 03:09:07 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-11-25 03:07:26 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2009-11-17 11:55:35 ----A---- C:\RootRepeal report 11-17-09 (11-55-35).txt
2009-11-17 11:46:50 ----A---- C:\RootRepeal report 11-17-09 (11-46-50).txt
2009-11-17 11:31:28 ----A---- C:\RootRepeal report 11-17-09 (11-31-28).txt
2009-11-13 09:59:25 ----A---- C:\RootRepeal report 11-13-09 (09-59-25).txt
2009-11-13 09:48:25 ----A---- C:\RootRepeal report 11-13-09 (09-48-25).txt
2009-11-12 03:02:40 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-12 03:02:11 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-11-11 15:04:39 ----A---- C:\RootRepeal report 11-11-09 (15-04-39).txt
2009-11-11 09:30:25 ----A---- C:\Log.txt
2009-11-11 09:22:39 ----A---- C:\RootRepeal report 11-11-09 (09-22-39).txt
2009-11-08 16:17:15 ----D---- C:\Program Files\AVG
2009-11-08 16:16:24 ----D---- C:\WINDOWS\SxsCaPendDel
2009-11-08 16:08:56 ----D---- C:\Program Files\Panda Security
2009-11-08 13:37:17 ----D---- C:\VundoFix Backups
2009-11-08 13:37:17 ----A---- C:\VundoFix.txt
2009-11-07 16:37:18 ----D---- C:\Program Files\zzzzzzzz
2009-11-07 16:14:40 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-11-07 16:06:33 ----D---- C:\QUARANTINE
2009-11-07 16:02:22 ----D---- C:\Documents and Settings\cws\Application Data\Malwarebytes
2009-11-07 15:54:22 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-07 15:54:22 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-11-06 11:48:45 ----D---- C:\scans
2009-11-06 11:48:03 ----D---- C:\Program Files\Kyocera
2009-11-06 11:48:03 ----A---- C:\WINDOWS\nscatch.ini
2009-11-06 11:47:49 ----D---- C:\Documents and Settings\cws\Application Data\InstallShield

======List of files/folders modified in the last 1 months======

2009-11-28 11:18:11 ----D---- C:\WINDOWS\Temp
2009-11-28 11:17:39 ----D---- C:\WINDOWS\system32
2009-11-28 11:17:17 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-28 11:17:05 ----D---- C:\WINDOWS\system32\drivers
2009-11-28 11:17:05 ----D---- C:\WINDOWS
2009-11-28 11:14:15 ----SD---- C:\Documents and Settings\cws\Application Data\Microsoft
2009-11-28 10:45:20 ----SHD---- C:\WINDOWS\Installer
2009-11-28 10:45:20 ----D---- C:\Program Files\Common Files
2009-11-28 10:45:19 ----D---- C:\Program Files\McAfee
2009-11-28 10:45:19 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-11-28 10:35:31 ----D---- C:\WINDOWS\Prefetch
2009-11-28 10:35:09 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-28 10:35:04 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-28 10:15:10 ----RD---- C:\Program Files
2009-11-28 09:57:14 ----A---- C:\WINDOWS\WPCMAPI.INI
2009-11-25 03:09:32 ----HD---- C:\WINDOWS\inf
2009-11-25 03:08:39 ----A---- C:\WINDOWS\imsins.BAK
2009-11-25 03:07:52 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-25 03:03:17 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-25 03:02:32 ----D---- C:\WINDOWS\WinSxS
2009-11-24 16:41:40 ----D---- C:\Documents and Settings\cws\Application Data\.oit
2009-11-17 16:33:24 ----D---- C:\Program Files\MSECache
2009-11-08 16:16:53 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-11-08 12:35:51 ----D---- C:\Program Files\Internet Explorer
2009-11-08 11:05:01 ----SD---- C:\WINDOWS\Tasks
2009-11-07 16:46:45 ----ASH---- C:\WINDOWS\system32\nozapuso.dll.tmp
2009-11-07 16:06:37 ----ASH---- C:\WINDOWS\system32\yimolizo.dll.tmp
2009-11-06 15:23:20 ----RSD---- C:\WINDOWS\Fonts
2009-11-06 11:48:06 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-06 11:46:51 ----D---- C:\IT
2009-11-05 09:34:14 ----D---- C:\WINDOWS\system32\KB905474
2009-11-05 09:27:50 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-29 22:12:50 ----D---- C:\WINDOWS\Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AW_HOST;AW_HOST; C:\WINDOWS\system32\drivers\aw_host5.sys [2003-05-05 24365]
R1 awlegacy;awlegacy; C:\WINDOWS\System32\Drivers\awlegacy.sys [2003-04-21 10901]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 LBeepKE;LBeepKE; C:\WINDOWS\System32\Drivers\LBeepKE.sys [2009-06-17 10384]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2005-03-17 132608]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2006-03-23 1166972]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2009-06-17 35472]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2009-06-17 37392]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
S3 fxddruog;fxddruog; \??\C:\DOCUME~1\cws\LOCALS~1\Temp\fxddruog.sys []
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 awhost32;pcAnywhere Host Service; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [2003-05-29 106496]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-17 153376]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2006-11-17 104000]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 MyWebSearchService;My Web Search Service; C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2009-07-20 121360]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:08 AM

Posted 28 November 2009 - 01:46 PM

It still looks like you have McAfee installed. If you are having problems uninstalling it, please run the following tool to clean it up.


Download and run the McAfee Consumer Products Removal tool (MCPR.exe).
Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, and 2007 and newer versions of McAfee consumer products.
  • McAfee Security Center
  • McAfee VirusScan
  • McAfee Personal Firewall Plus
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee Wireless Network Security
  • McAfee SiteAdvisor
  • McAfee Data Backup
  • McAfee Network Manager
  • McAfee Easy Network
  • McAfee AntiSpyware
  • Click Save and save the file to any folder on the computer.
  • Navigate to the folder where the file is saved.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
    Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
    After the second window appears, the program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
    The machine must reboot to complete the un-installation. Reboot now? [y.n]
  • Press Y on the keyboard.
  • Wait for the computer to restart.
All McAfee products are now removed from your computer.
These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302



Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Services
    MyWebSearchService
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MyWebSearch Email Plugin"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "futejezoj"=-
    "watumoluy"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
    "{be708989-b69b-40c3-95a4-0bb42589fab3}"=-
    "{7265e17e-160d-4369-8089-4cea6d8fad20}"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\WINDOWS\system32\spoolsv.exe"=-
    "C:\WINDOWS\explorer.exe"=-
    "C:\WINDOWS\system32\winlogon.exe"=-
    "C:\WINDOWS\system32\lsass.exe"=-
    :Files
    C:\WINDOWS\tasks\cilcwejn.job
    C:\WINDOWS\system32\nozapuso.dll.tmp
    C:\WINDOWS\system32\yimolizo.dll.tmp
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • OTM results
  • Kaspersky report
  • New Rsit log
Thanks

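One way to triage the persistence points the OTM script above cleans up, as an added example that is not part of this thread and not code from BleepingComputer, OldTimer or HijackThis: it flags the O20/O21/O22/O23 lines of a HijackThis-style log (sample lines constructed from the RSIT log posted above) and decodes the hex(7) literal the script writes to LSA "Notification Packages", showing that it leaves only scecli and drops jedemeja.dll. The random-DLL-name rule is a heuristic assumed from this thread's file names.

```python
"""Triage the persistence entries that the OTM script above removes, from a
HijackThis/RSIT-style log, and decode the .reg hex(7) literal it writes back.
Added example for this thread; not code from BleepingComputer, OldTimer or
HijackThis. Sample lines are constructed from the RSIT log posted above."""
import re

# Constructed sample: a subset of the HijackThis section of the RSIT log above.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O20 - AppInit_DLLs: c:\windows\system32\dahemoji.dll puzominu.dll c:\windows\system32\yowajaka.dll
O21 - SSODL: futejezoj - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {be708989-b69b-40c3-95a4-0bb42589fab3} - c:\windows\system32\dahemoji.dll (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")   # "O<n> - <kind>: <rest>"
# Heuristic (assumption): the Vundo-style DLLs in this thread are 8 random
# lowercase letters dropped into system32 (dahemoji, puzominu, yowajaka).
RANDOM_NAME = re.compile(r"^[a-z]{8,9}\.dll$")


def audit_line(line: str):
    """Return a finding dict for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    missing = rest.endswith("(file missing)")

    if section == "O20":
        # AppInit_DLLs is loaded by user32.dll into almost every GUI process and
        # is normally empty on a workstation, so any entry is a finding. A bare
        # name (puzominu.dll) is resolved through the DLL search path. HijackThis
        # prints the raw value, so a path containing spaces would be split here.
        dlls = rest.split()
        if not dlls:
            return None
        return {"section": section, "name": kind,
                "reason": "AppInit_DLLs is not empty", "paths": dlls}

    parts = [p.strip() for p in rest.split(" - ", 2)]
    if len(parts) != 3:
        return None
    name, middle, path = parts      # middle: CLSID (O21/O22) or vendor (O23)
    path = path.replace("(file missing)", "").strip()
    base = path.rsplit("\\", 1)[-1].lower()

    reasons = []
    if section in ("O21", "O22"):
        # SSODL and SharedTaskScheduler make Explorer load a COM server at every
        # logon; HijackThis hides the Windows defaults, so anything printed here
        # deserves a look.
        reasons.append(f"{kind} entry loads {base} into Explorer at logon")
    if section == "O23" and middle == "Unknown owner":
        reasons.append("service binary carries no vendor information")
    if missing:
        reasons.append("referenced file is missing (orphaned entry)")
    if RANDOM_NAME.match(base) and "system32" in path.lower():
        reasons.append("random-looking DLL name in system32")
    if not reasons:
        return None
    return {"section": section, "name": name,
            "reason": "; ".join(reasons), "paths": [path]}


def audit_log(text: str) -> list:
    """Run audit_line over every line, keeping findings in log order."""
    return [f for f in (audit_line(ln) for ln in text.splitlines()) if f]


def decode_reg_multi_sz(literal: str) -> list:
    """Decode a .reg-style 'hex(7):aa,bb,...' REG_MULTI_SZ literal into strings.
    regedit exports REG_MULTI_SZ as UTF-16LE; the OTM script in this thread
    writes single-byte ANSI (73,63,65,63,6c,69,00,00 = "scecli" + two NULs).
    Both are handled: strings are NUL-separated and double-NUL-terminated."""
    prefix = "hex(7):"
    if not literal.lower().startswith(prefix):
        raise ValueError("not a hex(7) literal")
    raw = bytes(int(b, 16) for b in literal[len(prefix):].split(",") if b.strip())
    utf16 = len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    text = raw.decode("utf-16-le") if utf16 else raw.decode("latin-1")
    return [s for s in text.split("\0") if s]


def lsa_packages_to_remove(current: list, restored_literal: str) -> list:
    """Names in the current "Notification Packages" value that the fix drops.
    LSA loads every listed DLL at boot as a password filter and hands it the
    plaintext password on each change, so an unexpected name (jedemeja.dll in
    the RSIT dump above) is a credential-theft persistence point."""
    keep = {p.lower() for p in decode_reg_multi_sz(restored_literal)}
    return [p for p in current if p.lower() not in keep]


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f['section']:<4}{f['name']}: {f['reason']} -> {f['paths']}")
    fix = "hex(7):73,63,65,63,6c,69,00,00"   # value written by the OTM script
    print("Notification Packages after fix:", decode_reg_multi_sz(fix))
    print("Dropped by fix:", lsa_packages_to_remove(["scecli", "jedemeja.dll"], fix))
```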


#7 Ashryia

Ashryia
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 28 November 2009 - 05:58 PM

I've done the first few steps, however I'm still running the Kaspersky scan. It says it's 42% done, and it's been running for about two hours now, so it'll probably take the rest of the night to finish. This computer is a work computer, so I will leave it running over night and then update this post on Monday at 9am when I get into work. I've put what I'd done so far in this post. Thank you!

1) McAfee Removal - Had attempted to remove using the Add/Remove Programs button, it is no longer on that screen. Ran the MCPR.exe tool to finish removal, however, I received this message:

Posted Image

2) Ran ERUNT.


3) Ran OTM. Here is the log from that:

All processes killed
========== SERVICES/DRIVERS ==========
Service MyWebSearchService stopped successfully!
Service MyWebSearchService deleted successfully!
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MyWebSearch Email Plugin not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\futejezoj deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\watumoluy deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\\{be708989-b69b-40c3-95a4-0bb42589fab3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{be708989-b69b-40c3-95a4-0bb42589fab3}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\\{7265e17e-160d-4369-8089-4cea6d8fad20} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7265e17e-160d-4369-8089-4cea6d8fad20}\ deleted successfully.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\system32\spoolsv.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\explorer.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\system32\winlogon.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\system32\lsass.exe deleted successfully.
========== FILES ==========
C:\WINDOWS\tasks\cilcwejn.job moved successfully.
C:\WINDOWS\system32\nozapuso.dll.tmp moved successfully.
C:\WINDOWS\system32\yimolizo.dll.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: cws
->Temp folder emptied: 363247015 bytes
->Temporary Internet Files folder emptied: 293637702 bytes
->Java cache emptied: 26259161 bytes
->Google Chrome cache emptied: 422603661 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1807448 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 140847468 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23936464 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1151950920 bytes

Total Files Cleaned = -1781.86 mb


OTM by OldTimer - Version 3.1.2.0 log created on 11282009_150648

Files moved on Reboot...

Registry entries deleted on Reboot...

4) Kaspersky Log:

#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 28 November 2009 - 06:10 PM

Great work so far. Kaspersky can take a while sometimes, so it's usually best left overnight. I will look into McAfee; we may just remove it manually. I will await your Kaspersky log before posting any more instructions.


#9 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 03 December 2009 - 09:33 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
