Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virus is Back

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Virus is Back

Unread postby Tantraka » November 27th, 2009, 10:29 am

A couple of weeks ago, I had posted a log on here looking for help but that night, I ran a system boot scan and thought I had gotten rid of the virus so left my other topic unattended. Just today, I am having the same problems come up mostly with pop-ups and my WinPatrol going off every two minutes asking if programs such as c:\PROGRA~2\kikuvupi\kikuvupi.dll,a and C:\ProgramData\wemafuni\wemafuni.dll,s can start. The program names change regularly though. Please help me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:49 AM, on 11/27/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\WindowsMobile\wmdSync.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\E_FATIFCA.EXE
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\E_FATIFCA.EXE
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... P&M=GM5420
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... P&M=GM5420
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... P&M=GM5420
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [EPSON NX410 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFCA.EXE /FU "C:\Windows\TEMP\E_S7017.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [EPSON NX410 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFCA.EXE /FU "C:\Windows\TEMP\E_S9088.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [kawasoyuf] Rundll32.exe "c:\PROGRA~2\kikuvupi\kikuvupi.dll",a
O4 - HKCU\..\Run: [megazujede] Rundll32.exe "C:\ProgramData\wemafuni\wemafuni.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1553491668-2783746715-2578131821-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - Startup: FIFA 10 Registration.lnk = C:\Program Files\EA SPORTS\FIFA 10\Support\EAregister.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: GamersFirst LIVE!.lnk = C:\Program Files\GamersFirst\LIVE!\Live.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resour ... cctrl2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: GS In-Game Service - ClanServers Hosting LLC - C:\Program Files\GameTracker\GSInGameService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: lxbf_device - - C:\Windows\system32\lxbfcoms.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9796 bytes
Tantraka
Regular Member
 
Posts: 25
Joined: January 3rd, 2009, 11:53 pm
Advertisement
Register to Remove

Re: Virus is Back

Unread postby Wingman » November 30th, 2009, 9:10 pm

Hello... Welcome to the forum.
My name is Wingman, and I'll be helping you with any malware problems.
The logs I request can take a while to research, so please be patient.

I am currently under the guidance of the MRU teachers, everything I post to you, has been reviewed by them.
This additional review process can add some extra time to my responses...but not too much
.
;)

Before we begin...please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. DO NOT run any other fix or removal tools unless instructed to do so!
  3. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  4. Only- post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  5. Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  6. Only- reply to this thread, do not start another ... Please, continue responding, until I give you the "All Clean"

I am currently reviewing your log and will return, as soon as possible, with additional instructions. In the meantime...
Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
lf, you have any questions or problems, executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Step 1.
HJT - Uninstall Manager Log
Using Vista, you must right click (hijackthis.exe) and choose "Run As Administrator".
    Please run HijackThis Located in: C:\Program Files\Trend Micro\hijackthis.exe
      If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  1. From the Main Menu...Press the "Open the Misc Tools"...button.
  2. Press the "Open Uninstall Manager... button.
  3. Press only the Save List...button.
  4. Press the "Save" button. The file "uninstall_list.txt" will be saved in your HJT folder.
  5. Copy and paste the contents of "uninstall_list.txt' in your next reply.

Step 2.
Please include in your next reply:
  1. HJT uninstall_list.txt file contents
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14109
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Virus is Back

Unread postby Tantraka » November 30th, 2009, 10:43 pm

Thanks for replying :D
Here's the uninstall list.

Ace DivX Player v2.1
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
Adobe Reader Korean Fonts
Adobe Shockwave Player
AGEIA PhysX v7.11.13
Apple Mobile Device Support
Apple Software Update
Audiosurf Demo
Audition
avast! Antivirus
Battlefield Heroes
Battleswarm: Field of Honor
Bejeweled 2 Deluxe
BigFix
Blasterball 3
Bonjour
BrightShadow
Browser Address Error Redirector
BS.Player FREE
Chuzzle Deluxe
Counter-Strike: Source
Day of Defeat: Source
Digital Media Reader
Diner Dash
DivX 4.12 Codec
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
Dynasty Warriors 6
EA SPORTS online 2008
EPSON NX410 Series Printer Uninstall
EPSON Scan
FIFA 08
FIFA 10
Finale Viewer 2008
Free M4a to MP3 Converter 6.0
Frets On Fire
GamersFirst LIVE!
GameSpy Arcade
GameTracker Lite
Garena
Garry's Mod
Gateway Game Console
Gateway Recovery Center Installer
Google Updater
Graboid Video 1.65
Grand Fantasia
Half-Life 2
Half-Life 2: Deathmatch
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hunting Unlimited
ijji REACTOR
Insurgency
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) Viiv(TM) Software
iTunes
Java(TM) SE Runtime Environment 6
JEOPARDY
kill.switch
Killing Floor
K-Lite Codec Pack 3.2.5 Standard
Left 4 Dead
Lexmark X6100 Series
Madden NFL 08
Magic ISO Maker v5.5 (build 0272)
MagicDisc 2.7.105
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Digital Image Starter Edition 2006
Microsoft Money 2006
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIRC
Mozilla Firefox (3.0.15)
MP4 Player
MPlugin
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicnotes Player V1.23.1
Neffy 1,2,0,22
Neo Steam : The Shattered Continent
OGA Notifier 2.0.0048.0
OpenAL
Orbit Downloader
Pando Media Booster
Penguins!
Plain Sight
PokerStars.net
Polar Bowler
Polar Golfer
Power2Go 5.0
PunkBuster Services
QuickTime
Safari
SBC Yahoo! DSL Home Networking Installer
Scions Of Fate
SCRABBLE
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
SigmaTel Audio
Smash Online 1.0
Soft Data Fax Modem with SmartCP
Soul of the Ultimate Nation
Source SDK Base
Steam
System Requirements Lab
System Requirements Lab
TalesRunner 1.58720081016
Team Fortress 2
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims Complete Collection
TmNationsForever
Uniblue RegistryBooster 2009
Uniblue RegistryBooster 2009
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb975960)
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
Veoh Web Player
VideoLAN VLC media player 0.8.6d
Windows Driver Package - ViXS Systems Inc. ViXS PureTV-U (11/17/2006 6.2.77.1)
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
WinPatrol 2008
WinRAR archiver
WYDGLOBAL (remove only)
Tantraka
Regular Member
 
Posts: 25
Joined: January 3rd, 2009, 11:53 pm

Re: Virus is Back

Unread postby Wingman » December 3rd, 2009, 4:37 pm

Hello Tantraka,

Please do not make any changes to your system, run any "fix" programs and/or remove any files unless instructed to do so, by me.

Please read these instructions carefully before executing and then perform the steps, in the order given.
lf, you have any questions or problems, executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Step 1.
P2P Advisory!
IMPORTANT There are signs of one or more P2P (Peer to Peer) File Sharing Programs installed on your computer.
GamersFirst LIVE!
Orbit Downloader


As long as you have the P2P program(s) installed, per Forum Policy, I can offer you no further assitance.
If you choose NOT to remove the program(s)...indicate that in your next reply and this topic will be closed.
Otherwise, please perform the following steps:
Remove P2P Program(s)
  1. Click on Start > Control Panel and double click on Programs and Features.
  2. Locate the following program:
    GamersFirst LIVE!
    Orbit Downloader
  3. Click on the Change/Remove button to uninstall it.
    Repeat steps 2 and 3 for each program listed.
  4. When the program(s) have been uninstalled... Close Control Panel.

By using any form of P2P networking to download files you can anticipate infestations of malware to occur. The P2P program
itself, may be safe but the files may not... use P2P at your own risk! Keep in mind that this practice may be the source of your current malware infestation.
References... siting risk factors, using P2P programs: Malware: Help prevent the Infection and How to Prevent the Online Invasion of Spyware and Adware

Step 2.
PunkBuster warning
I noticed you have PunkBuster installed... read the "Published features" section.
PunkBuster can take control over various aspects of your computer and some gaming tools not unlike PunkBuster, also hinder their removals.
By the definition we use, PunkBuster is actual spyware. Therefore, I'm asking you to choose one of the following options:
  1. We "try" to leave PunkBuster alone... however, there is no guarantee a spyware component doesn't "inadvertently" get taken out... so PunkBuster might fail. This will also prevent you from playing games using PunkBuster enabled servers.
  2. We can just remove PunkBuster. You can reinstall it afterwards if you wish, but please keep in mind that it is spyware.
  3. We can not clean this computer at all. This ensures PunkBuster will continue to function.
If you choose to remove PunkBuster, please perform the uninstall steps below. Otherwise, let me know what other option you chose.

Uninstall PunkBuster
Please download PBSVC Setup Program. Save it to your desktop.
  1. Double click on pbsvc.exe to start it... then click Uninstall.
    Using Vista, you must right click on pbsvc.exe, select "Run As Administrator", to run... then click Uninstall.
    Once that's finished...
  2. Use the Quick Search box... copy and paste the following into the open text box:
    Code: Select all
    cmd /c for %i in (A B K) do sc delete PnkBstr%i
  3. Click OK. A black box will flash very briefly, this is normal.
  4. Use the Quick Search box... copy and paste the following into the open text box:
    PnkBstrK.sys... if found delete it.
Let me know if you performed these steps successfully.

Step 3.
GMER
The downloaded file will have a random name... this prevents malware from detecting and blocking it.
Please download GMER... random file name.exe by GMER. An alternate (zip file) download site.
Note: Do not run any programs while Gmer is running.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  1. Double click on the random named.exe to execute. If asked, allow the gmer.sys driver load.
    Using Vista, you must right click random named.exe and choose "Run As Administrator".
  2. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO <--- Important!
  3. On the right side panel, several boxes have been checked. Please UNCHECK the following: (see image below)
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <-- don't miss this one

    Image
    Click on image to enlarge

  4. If you don't get a warning then... Click the Rootkit/Malware tab at the top of the GMER window.
  5. Click the Scan button.
  6. Once the scan has finished... click Copy.
  7. Open Notepad and paste (Ctrl+V) what you copied.
  8. Select "Save As" in Notepad...saving the file to your desktop as "gmerroot.txt"... then close Notepad.
  9. Copy and paste the contents of the file gmerroot.txt in your next reply.

Step 4.
RSIT (Random's System Information Tool)
Please download RSIT by random/random... save it to your desktop.
  1. Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  2. Please read the disclaimer... click on Continue.
  3. RSIT will start running. When done... 2 logs files...will be produced.
    The first one, "log.txt", <<will be maximized... the second one, "info.txt", <<will be minimized.
  4. Please post both... "log.txt" and "info.txt", file contents in your next reply.

Step 5.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. PunkBuster decision. Uninstalled?
  3. GMER gmerroot.txt
  4. RSIT log.txt and info.txt file contents.
  5. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14109
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Virus is Back

Unread postby Tantraka » December 3rd, 2009, 8:23 pm

I have uninstalled both Orbit Downloader as well as Gamer First Live!
I have also uninstalled punkbuster.
I seemed to have had a problem trying to run the Gmer program. One of two things will happen, one is that the program says it is non-responding and ask me to close it within a couple of second of running and two is that it will lead to a physical memory dump.
As far as the RIST logs go, I only had one pop up and that was the log.txt and here that is.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Owner at 2009-12-03 18:18:54
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 44 GB (15%) free of 295 GB
Total RAM: 2021 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:57 PM, on 12/3/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\WindowsMobile\wmdSync.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\E_FATIFCA.EXE
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\E_FATIFCA.EXE
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Users\Owner\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... P&M=GM5420
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... P&M=GM5420
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... P&M=GM5420
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [EPSON NX410 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFCA.EXE /FU "C:\Windows\TEMP\E_S7017.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [EPSON NX410 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFCA.EXE /FU "C:\Windows\TEMP\E_S9088.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [kawasoyuf] Rundll32.exe "c:\progra~2\lekefoji\lekefoji.dll",a
O4 - HKCU\..\Run: [megazujede] Rundll32.exe "C:\ProgramData\wemafuni\wemafuni.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1553491668-2783746715-2578131821-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resour ... cctrl2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: GS In-Game Service - ClanServers Hosting LLC - C:\Program Files\GameTracker\GSInGameService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: lxbf_device - - C:\Windows\system32\lxbfcoms.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8890 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\mvlsywqj.job
C:\Windows\tasks\oslayclj.job
C:\Windows\tasks\rofybozc.job
C:\Windows\tasks\User_Feed_Synchronization-{93C58487-1B04-4A3C-B209-304F778C35D1}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2008-08-09 501384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-23 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\google\BAE.dll [2006-02-01 94208]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"=C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe [2006-11-18 182744]
"NMSSupport"=C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe [2006-09-26 423424]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2006-09-29 151552]
"NapsterShell"=C:\Program Files\Napster\napster.exe /systray []
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2006-12-12 98304]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2006-12-12 106496]
"Persistence"=C:\Windows\system32\igfxpers.exe [2006-12-12 81920]
"SigmatelSysTrayApp"=C:\Windows\sttray.exe [2006-11-02 303104]
"Windows Mobile-based device management"=C:\Windows\WindowsMobile\wmdSync.exe [2006-11-02 215552]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-09-10 86960]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2008-10-09 333120]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2006-09-10 218032]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2006-09-10 218032]
"EPSON NX410 Series"=C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFCA.EXE [2008-10-01 199680]
"VeohPlugin"=C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe [2009-10-05 2075384]
"EPSON NX410 Series (Copy 1)"=C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFCA.EXE [2008-10-01 199680]
"kawasoyuf"=c:\progra~2\lekefoji\lekefoji.dll [2009-09-03 92160]
"megazujede"=C:\ProgramData\wemafuni\wemafuni.dll [2009-08-26 52736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2

C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2006-12-12 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDesktopCleanupWizard"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"EnableShellExecuteHooks"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
shell\AutoRun\command - L:\RunGame.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
shell\AutoRun\command - M:\RunGame.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
shell\AutoRun\command - N:\RunGame.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91fc8272-b0e5-11de-b663-0019d1113830}]
shell\AutoRun\command - P:\RunGame.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91fc8274-b0e5-11de-b663-0019d1113830}]
shell\AutoRun\command - Q:\Menu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91fc8276-b0e5-11de-b663-0019d1113830}]
shell\AutoRun\command - R:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91fc8278-b0e5-11de-b663-0019d1113830}]
shell\AutoRun\command - S:\Setup.exe


======List of files/folders created in the last 1 months======

2009-12-03 17:52:39 ----D---- C:\ProgramData\talogevi
2009-12-03 17:52:39 ----D---- C:\ProgramData\lekefoji
2009-12-02 17:55:11 ----D---- C:\ProgramData\bonigezi
2009-12-02 17:55:10 ----D---- C:\ProgramData\yavawoji
2009-12-01 17:22:00 ----D---- C:\ProgramData\raditile
2009-11-27 12:07:36 ----D---- C:\Program Files\PokerStars.NET
2009-11-26 18:11:10 ----D---- C:\Program Files\kill.switch
2009-11-26 18:09:46 ----D---- C:\ProgramData\wemafuni
2009-11-25 09:48:47 ----A---- C:\Windows\system32\tzres.dll
2009-11-24 17:46:11 ----A---- C:\Windows\system32\msxml6.dll
2009-11-24 17:46:10 ----A---- C:\Windows\system32\msxml3.dll
2009-11-15 20:49:12 ----D---- C:\Users\Owner\AppData\Roaming\Leadertech
2009-11-15 20:27:01 ----A---- C:\Windows\system32\D3DX9_37.dll
2009-11-15 20:26:59 ----A---- C:\Windows\system32\d3dx9_35.dll
2009-11-15 20:26:56 ----A---- C:\Windows\system32\xinput1_3.dll
2009-11-15 20:26:56 ----A---- C:\Windows\system32\d3dx9_34.dll
2009-11-15 20:26:55 ----A---- C:\Windows\system32\d3dx9_33.dll
2009-11-15 20:26:53 ----A---- C:\Windows\system32\d3dx9_32.dll
2009-11-15 20:26:52 ----A---- C:\Windows\system32\d3dx9_31.dll
2009-11-15 20:26:29 ----A---- C:\Windows\system32\d3dx9_30.dll
2009-11-15 20:26:26 ----A---- C:\Windows\system32\d3dx9_29.dll
2009-11-15 20:26:25 ----A---- C:\Windows\system32\d3dx9_28.dll
2009-11-15 20:26:24 ----A---- C:\Windows\system32\d3dx9_27.dll
2009-11-15 20:26:23 ----A---- C:\Windows\system32\d3dx9_26.dll
2009-11-15 20:26:22 ----A---- C:\Windows\system32\d3dx9_25.dll
2009-11-15 20:26:20 ----A---- C:\Windows\system32\d3dx9_24.dll
2009-11-11 18:03:19 ----D---- C:\b14cae4524a2c91c9480
2009-11-10 21:58:55 ----A---- C:\Windows\system32\WSDApi.dll
2009-11-09 19:22:09 ----A---- C:\Windows\ntbtlog.txt

======List of files/folders modified in the last 1 months======

2009-12-03 18:18:55 ----D---- C:\Windows\Temp
2009-12-03 18:18:34 ----D---- C:\Windows\Tasks
2009-12-03 18:16:04 ----D---- C:\Windows\Minidump
2009-12-03 18:16:04 ----D---- C:\WINDOWS
2009-12-03 18:13:10 ----SHD---- C:\System Volume Information
2009-12-03 18:06:12 ----D---- C:\Windows\system32\drivers
2009-12-03 18:06:12 ----D---- C:\Windows\System32
2009-12-03 18:06:12 ----A---- C:\Windows\system32\pbsvc.exe
2009-12-03 17:57:33 ----D---- C:\Program Files\Orbitdownloader
2009-12-03 17:57:32 ----D---- C:\Users\Owner\AppData\Roaming\Orbit
2009-12-03 17:57:11 ----D---- C:\Program Files\GamersFirst
2009-12-03 17:57:06 ----D---- C:\Windows\inf
2009-12-03 17:57:06 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-12-03 17:52:39 ----HD---- C:\ProgramData
2009-12-02 18:23:13 ----D---- C:\ProgramData\Google Updater
2009-11-30 20:38:34 ----RD---- C:\Program Files
2009-11-30 20:38:14 ----D---- C:\Windows\Prefetch
2009-11-29 14:29:12 ----D---- C:\Users\Owner\AppData\Roaming\LimeWire
2009-11-26 20:24:17 ----D---- C:\Program Files\Common Files\Steam
2009-11-26 18:09:55 ----SHD---- C:\Windows\Installer
2009-11-26 18:09:55 ----SHD---- C:\Config.Msi
2009-11-26 18:09:55 ----D---- C:\Program Files\SystemRequirementsLab
2009-11-26 18:09:49 ----D---- C:\Users\Owner\AppData\Roaming\SystemRequirementsLab
2009-11-26 15:14:36 ----D---- C:\Users\Owner\AppData\Roaming\DNA
2009-11-26 13:28:57 ----D---- C:\Downloads
2009-11-26 13:02:47 ----D---- C:\Program Files\DNA
2009-11-26 12:59:28 ----D---- C:\Program Files\Steam
2009-11-25 15:37:23 ----D---- C:\Windows\rescache
2009-11-25 13:12:10 ----D---- C:\Windows\system32\en-US
2009-11-25 11:28:26 ----D---- C:\AeriaGames
2009-11-25 09:49:47 ----D---- C:\Windows\winsxs
2009-11-25 09:49:27 ----D---- C:\Windows\system32\catroot
2009-11-25 09:49:23 ----D---- C:\Windows\system32\catroot2
2009-11-15 22:53:33 ----D---- C:\Users\Owner\AppData\Roaming\uTorrent
2009-11-15 20:27:03 ----D---- C:\Program Files\EA SPORTS
2009-11-15 20:26:52 ----RSD---- C:\Windows\assembly
2009-11-14 07:36:09 ----D---- C:\ProgramData\Microsoft Help
2009-11-14 07:34:13 ----D---- C:\Program Files\Common Files\microsoft shared
2009-11-14 07:33:40 ----D---- C:\Program Files\Microsoft Works
2009-11-14 07:30:24 ----A---- C:\Windows\win.ini
2009-11-14 07:30:21 ----D---- C:\Program Files\Common Files\System
2009-11-11 18:08:27 ----D---- C:\Program Files\Windows Mail
2009-11-08 16:49:47 ----D---- C:\Windows\system32\Tasks
2009-11-07 10:30:35 ----D---- C:\Users\Owner\AppData\Roaming\GameTracker
2009-11-05 11:36:21 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2009-02-05 23152]
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2009-02-05 51376]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMonFlt;aswMonFlt; C:\Windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 nmsgopro;GoProto Protocol Driver for NMS; C:\Windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 28672]
R2 nmsunidr;UniDriver for NMS; C:\Windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-06-29 8704]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-16 214912]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HECI;Intel(R) Management Engine Interface; C:\Windows\system32\DRIVERS\HECI.sys [2006-10-30 44416]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-06-20 984064]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2007-06-20 267264]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
R3 IntelDH;IntelDH Driver; C:\Windows\System32\Drivers\IntelDH.sys [2008-08-09 5504]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\Windows\system32\DRIVERS\mcdbus.sys [2008-07-28 116736]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2006-11-02 812032]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-06-20 660480]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC); C:\Windows\system32\DRIVERS\xcbda.sys [2006-11-17 147328]
S3 2WIREPCP;2Wire USB; C:\Windows\system32\DRIVERS\2WirePCP.sys [2003-04-17 68672]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\Windows\system32\drivers\ac97intc.sys [2006-11-02 108032]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 EagleNT;EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys []
S3 fglcapog;fglcapog; \??\C:\User [2008-08-09 2]
S3 GarenaPEngine;GarenaPEngine; \??\C:\User [2008-08-09 2]
S3 gmer;gmer; C:\Windows\System32\DRIVERS\gmer.sys []
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HookProtect;HookProtect; \??\C:\STEPS\element\HookProtect.sys [2009-04-12 215552]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\ialmnt5.sys [2006-11-02 1302492]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista; C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S3 SDDMI2;SDDMI2; \??\C:\Windows\system32\DDMI2.sys []
S3 TSHWMDTCP;TSHWMDTCP; \??\C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys [2006-11-18 18904]
S3 usb_rndisx;USB RNDIS Adapter; C:\Windows\system32\DRIVERS\usb8023x.sys [2008-01-18 15872]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-06-05 39424]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 winusb;WinUSB Service; C:\Windows\system32\DRIVERS\winusb.sys [2008-01-18 31616]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 XDva189;XDva189; \??\C:\Windows\system32\XDva189.sys []
S3 XDva214;XDva214; \??\C:\Windows\system32\XDva214.sys []
S3 XDva262;XDva262; \??\C:\Windows\system32\XDva262.sys []
S3 XDva288;XDva288; \??\C:\Windows\system32\XDva288.sys []
S3 XDva294;XDva294; \??\C:\Windows\system32\XDva294.sys []
S4 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AlertService;Intel(R) Alert Service; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [2006-11-18 195032]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 DQLWinService;DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
R2 GS In-Game Service;GS In-Game Service; C:\Program Files\GameTracker\GSInGameService.exe [2009-02-26 1547264]
R2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 183280]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2006-09-29 81920]
R2 ISSM;Intel(R) Software Services Manager; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [2006-11-18 81880]
R2 lxbf_device;lxbf_device; C:\Windows\system32\lxbfcoms.exe [2007-04-24 537520]
R2 M1 Server;Intel(R) Viiv(TM) Media Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [2006-11-18 32216]
R2 MCLServiceATL;Intel(R) Application Tracker; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [2006-11-18 174552]
R2 RapiMgr;@%windir%\WindowsMobile\rapimgr.dll,-104; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 Remote UI Service;Intel(R) Remoting Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [2006-11-18 550872]
R2 WcesComm;@%windir%\WindowsMobile\wcescomm.dll,-40079; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-06-29 386560]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S2 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-11-26 320760]
S3 npggsvc;nProtect GameGuard Service; C:\Windows\system32\GameMon.des [2009-02-16 2736890]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 usprserv;User Privilege Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------
Tantraka
Regular Member
 
Posts: 25
Joined: January 3rd, 2009, 11:53 pm

Re: Virus is Back

Unread postby Wingman » December 4th, 2009, 6:48 pm

Hi Tantraka,

Good deal removing the P2P programs and PunkBuster. :)
I'm sorry you had problems with the GMER process. Did you right-click and "Run As Administrator"? If NOT, please do so and post the results.
If you did and had problems, let me know. Also the other report produced in the RSIT run was not posted... the one the was minimized per the instructions. We will be using RSIT frequently. The logs can be found in the C:\rsit folder

Please do not make any changes to your system, run any "fix" programs and/or remove any files unless instructed to do so, by me.

Please read these instructions carefully before executing and then perform the steps, in the order given.
lf, you have any questions or problems, executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Step 1.
RSIT report files
From the last RSIT run, the info.txt file contents, need to be posted.
You should be able to find this file in your C:\ RSITfolder.
Once located, please copy and paste the contents of the info.txt file in your next reply.

Step 2.
SysProt AntiRootkit
Perform this step ONLY if you did not successfully run the GMER scan!
Please download SysProt.zip ... by swatkat. Save it to your desktop.
Alternate download sites include: Softpedia, MajorGeeks, BetaNews and FreewareGeeks
If you have a 3rd party "unzipping" program...use it to open the zipped file...then skip to Step 5. Otherwise...
  1. Right click on SysProt.zip and select "Extract All"....
  2. Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  3. Click on the Browse...button, then click on Desktop, then click OK.
  4. Once done, check (tick) the Show extracted files box and click Finish.
  5. Open the SysProt folder... Double click Sysprot.exe to start the program.
    Using VISTA, you must right-click "Sysprot.exe" and select "Run As Administrator", to start the program.
  6. Click on the Log tab.
  7. In the Write to log box... check ALL items... then check Hidden Objects Only at the bottom of the window.
  8. Click the Create Log button... (After a few seconds a new window should appear.)
  9. Select Scan root drive only... then click the Start button, to begin scanning.
    When completed, a window appears indicating the scan finished & a log file was successfully created.
    The SysProt folder on your desktop, will contain the scan results file named "SysProtLog.txt".
  10. Please copy and paste the contents of SysProtLog.txt into your next reply.

Step 3.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. GMER results if it was re-run as Admin.
  3. RSIT info.txt file contents.
  4. SysProtLog.txt file contents (only if GMER was not re-run)
  5. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14109
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Virus is Back

Unread postby Tantraka » December 4th, 2009, 8:36 pm

Got the info.txt and the SysProt.txt since Gmer would not work. I had ran it as an administrator before too.
As far as how my computer is acting, I get constant alerts from WinPatrol asking if programs such as c:\PROGRA~2\hazafupe\hazafupe.dll,a and C:\ProgramData\wemafuni\wemafuni.dll,s and the names of these programs may occasionally change.
I also have trouble running some websites on my browsers. I have Firefox, Internet Explorer, and Safari. I can't run Youtube on any of them. I can only run Facebook on Internet Explorer. I can only google search on Safari and so forth. I have also been getting pop ups.

info.txt logfile of random's system information tool 1.06 2009-12-04 18:22:59

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->MsiExec /X{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}
Ace DivX Player v2.1-->"C:\Program Files\GustoSoft\Ace DivX Player\unins000.exe"
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Reader Korean Fonts-->MsiExec.exe /I{AC76BA86-7AD7-5670-0000-7E8A45000001}
Adobe Shockwave Player-->C:\WINDOWS\System32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\System32\Adobe\SHOCKW~1\Install.log
AGEIA PhysX v7.11.13-->MsiExec.exe /X{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}
Apple Mobile Device Support-->MsiExec.exe /I{8355F970-601D-442D-A79B-1D7DB4F24CAD}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Audiosurf Demo-->"C:\Program Files\Steam\steam.exe" steam://uninstall/12910
Audition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3D281B1C-BF39-4893-B32A-EAB3B84BDE34}\setup.exe" -l0x9 -removeonly
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Battlefield Heroes-->"C:\Program Files\EA Games\Battlefield Heroes\uninstaller.exe" "C:\Program Files\EA Games\Battlefield Heroes\Uninstall.xml"
Battleswarm: Field of Honor-->C:\Program Files\Reality Gap\Battleswarm\Uninstall.exe
Bejeweled 2 Deluxe-->"C:\Program Files\Gateway Games\Bejeweled 2 Deluxe\Uninstall.exe"
BigFix-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34FF0741-EC67-4C05-AC2A-6D257123DF2E}\setup.exe" -l0x9 -uninst -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Blasterball 3-->"C:\Program Files\Gateway Games\Blasterball 3\Uninstall.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
BrightShadow-->C:\Program Files\InstallShield Installation Information\{68A6DB8D-478D-41C9-BE5C-43B2C4E9C143}\setup.exe -runfromtemp -l0x0009 -removeonly
Browser Address Error Redirector-->regsvr32 /u /s "c:\google\BAE.dll"
BS.Player FREE-->"C:\Program Files\Webteh\BSplayer\uninstall.exe"
Chuzzle Deluxe-->"C:\Program Files\Gateway Games\Chuzzle Deluxe\Uninstall.exe"
Counter-Strike: Source-->"C:\Program Files\Steam\steam.exe" steam://uninstall/240
Day of Defeat: Source-->"C:\Program Files\Steam\steam.exe" steam://uninstall/300
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE2CC4A5-2128-4EA2-941D-14F7A6A1AB61} /l1033
Diner Dash-->"C:\Program Files\Gateway Games\Diner Dash\Uninstall.exe"
DivX 4.12 Codec-->"C:\Program Files\DivXCodec\uninstall.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dynasty Warriors 6-->MsiExec.exe /X{7506D1CD-B7FE-40C7-AE1F-FE8666361700}
EA SPORTS online 2008-->C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
EPSON NX410 Series Printer Uninstall-->C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FINSFCA.EXE /R /APD /P:"EPSON NX410 Series"
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
FIFA 08-->MsiExec.exe /X{0A2A5039-B37F-489D-B1DC-A5258DF9E697}
FIFA 10-->MsiExec.exe /X{11202615-E557-4ECF-9B86-F59C81E52909}
Finale Viewer 2008-->C:\Program Files\Finale Viewer 2008\uninstallFinViewer.exe
Free M4a to MP3 Converter 6.0-->"C:\Program Files\Free M4a to MP3 Converter\unins000.exe"
Frets On Fire-->"C:\Program Files\Frets on Fire\Uninstall.exe"
GameSpy Arcade-->C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
GameTracker Lite-->C:\Program Files\GameTracker\gametracker-uninst.exe
Garena-->C:\Program Files\InstallShield Installation Information\{89C89156-A70F-4C6D-9CAE-2EA71F1396FE}\setup.exe -runfromtemp -l0x0009 -removeonly
Garry's Mod-->"C:\Program Files\Steam\steam.exe" steam://uninstall/4000
Gateway Game Console-->"C:\Program Files\Gateway Games\Gateway Game Console\Uninstall.exe"
Gateway Recovery Center Installer-->MsiExec.exe /X{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Graboid Video 1.65-->C:\Program Files\Graboid\uninst.exe
Grand Fantasia-->C:\AeriaGames\GrandFantasia\Uninst.exe
Half-Life 2: Deathmatch-->"C:\Program Files\Steam\steam.exe" steam://uninstall/320
Half-Life 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/220
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hunting Unlimited-->C:\Windows\IsUninst.exe -f"C:\Program Files\Hunting Unlimited\Uninst.isu"
ijji REACTOR-->"C:\Program Files\InstallShield Installation Information\{901DC58A-5C1B-4315-BA40-5AD3D3A463B9}\setup.exe" -runfromtemp -l0x0009 -removeonly
Insurgency-->"C:\Program Files\Steam\steam.exe" steam://uninstall/17700
Intel(R) Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Intel(R) Management Engine Interface-->C:\Windows\system32\heciudlg.exe -uninstall
Intel(R) Matrix Storage Manager-->C:\Windows\System32\Imsmudlg.exe
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Intel(R) Viiv(TM) Software-->MsiExec.exe /X{26C610BF-761B-4209-BD6A-A0F1B73D6DDE} /qb!
iTunes-->MsiExec.exe /I{5D601655-6D54-4384-B52C-17EC5385FBBD}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
JEOPARDY-->"C:\Program Files\Gateway Games\JEOPARDY\Uninstall.exe"
kill.switch-->C:\PROGRA~1\KILL~1.SWI\UNWISE.EXE C:\PROGRA~1\KILL~1.SWI\INSTALL.LOG
Killing Floor-->"C:\Program Files\Steam\steam.exe" steam://uninstall/1250
K-Lite Codec Pack 3.2.5 Standard-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Left 4 Dead-->"C:\Program Files\Steam\steam.exe" steam://uninstall/500
Lexmark X6100 Series-->C:\Program Files\Lexmark X6100 Series\Install\x86\Uninst.exe
Madden NFL 08-->C:\Program Files\EA Sports\Madden NFL 08\EAUninstall.exe
Magic ISO Maker v5.5 (build 0272)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MagicDisc 2.7.105-->C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Digital Image Starter Edition 2006-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=12
Microsoft Money 2006-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007 Trial-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Professional 2007-->MsiExec.exe /X{91120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
mIRC-->C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (3.0.15)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP4 Player -->C:\Program Files\MP4 Player\uninst.exe
MPlugin-->"C:\Program Files\InstallShield Installation Information\{6102D63A-9387-4FC8-98E4-181121F8C0BA}\setup.exe" -runfromtemp -l0x0009 -removeonly
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Musicnotes Player V1.23.1-->"C:\Program Files\Musicnotes\Player\unins000.exe"
Neffy 1,2,0,22-->C:\Program Files\Neffy\uninst.exe
Neo Steam : The Shattered Continent-->C:\Games\Neo Steam\uninst.exe
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
OpenAL-->"C:\Program Files\OpenAL\oalinst.exe" /U
Pando Media Booster-->C:\Program Files\Pando Networks\Media Booster\uninst.exe
Penguins!-->"C:\Program Files\Gateway Games\Penguins!\Uninstall.exe"
Plain Sight-->MsiExec.exe /I{A4957F2C-A8C1-4575-A5C7-78BCDA42A83A}
PokerStars.net-->"C:\Program Files\PokerStars.NET\PokerStarsUninstall.exe" /u:PokerStars.net
Polar Bowler-->"C:\Program Files\Gateway Games\Polar Bowler\Uninstall.exe"
Polar Golfer-->"C:\Program Files\Gateway Games\Polar Golfer\Uninstall.exe"
Power2Go 5.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Safari-->MsiExec.exe /I{E56D39F8-2A9F-44B4-B068-A72E45A073E6}
SBC Yahoo! DSL Home Networking Installer-->C:\Program Files\2Wire\Uninstaller.exe
Scions Of Fate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DA3C53B8-49B0-41CF-9D5C-D96A7FCBD029}\setup.exe" -l0x9 -removeonly
SCRABBLE-->"C:\Program Files\Gateway Games\SCRABBLE\Uninstall.exe"
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB973704)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {E626DC89-A787-4553-9BB3-DC2EC7E1593F}
Security Update for Microsoft Office Excel 2007 (KB973593)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {7D6255E3-3423-4D8B-A328-F6F8D28DD5FE}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Smash Online 1.0-->C:\Gamigo Games\Smash Online\uninst.exe
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_HSF\UIU32m.exe -U -I*.INF
Soul of the Ultimate Nation-->C:\Program Files\InstallShield Installation Information\{4B22DD86-47B1-4454-BFF7-64FCA3D0631C}\setup.exe -runfromtemp -l0x0009 -removeonly
Source SDK Base-->"C:\Program Files\Steam\steam.exe" steam://uninstall/215
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
System Requirements Lab-->MsiExec.exe /I{1E99F5D7-4262-4C7C-9135-F066E7485811}
TalesRunner 1.58720081016-->C:\Program Files\gpotato\TalesRunner\uninst.exe
Team Fortress 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/440
The Sims 2 Family Fun Stuff-->C:\Program Files\EA GAMES\The Sims 2 Family Fun Stuff\EAUninstall.exe
The Sims 2 Glamour Life Stuff-->C:\Program Files\EA GAMES\The Sims 2 Glamour Life Stuff\EAUninstall.exe
The Sims 2 Nightlife-->C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
The Sims 2 Open For Business-->C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
The Sims 2 Pets-->C:\Program Files\EA GAMES\The Sims 2 Pets\EAUninstall.exe
The Sims 2 University-->C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims 2-->C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims Complete Collection-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F2527115-B8BF-4FDB-B5DA-5AADFB7C13E1}\Setup.exe" -l0x9 -l0009
TmNationsForever-->"C:\Program Files\TmNationsForever\unins000.exe"
Uniblue RegistryBooster 2009-->"C:\ProgramData\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}\Uniblue RegistryBooster.exe" REMOVE=TRUE MODIFY=FALSE
Uniblue RegistryBooster 2009-->C:\ProgramData\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}\Uniblue RegistryBooster.exe
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Access 2007 Help (KB963663)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {0451F231-E3E3-4943-AB9F-58EB96171784}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Publisher 2007 Help (KB963667)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2E40DE55-B289-4C8B-8901-5D369B16814F}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 (KB974561)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {0CDDBAA2-2111-4A0E-A1B0-76C40C635331}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Update for Outlook 2007 Junk Email Filter (kb975960)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {F1AB1BED-7477-4D5A-BD0C-04C2109459A5}
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Veoh Web Player-->"C:\Program Files\Veoh Networks\VeohWebPlayer\uninst.exe"
VideoLAN VLC media player 0.8.6d-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Driver Package - ViXS Systems Inc. ViXS PureTV-U (11/17/2006 6.2.77.1)-->C:\PROGRA~1\DIFX\2B7BF24833E54BA6\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\xcbda.inf_80d7a2b2\xcbda.inf
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner-->"C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner-->MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
WinPatrol 2008-->C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WYDGLOBAL (remove only)-->"C:\GameNetworks\WYDGLOBAL\uninstall.exe"

=====HijackThis Backups=====

O4 - HKCU\..\Run: [ares vista] "C:\Program Files\Ares Vista\AresVista.exe" -h [2009-01-10]
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) [2009-01-10]
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU) [2009-01-10]
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU) [2009-01-10]

======Security center information======

AS: Windows Defender (disabled)

======System event log======

Computer Name: Phong-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid= ... tid=146262
Scan ID: {E3965903-E764-4A40-A42C-FE993AB19867}
User: PHONG-PC\Owner
Name: Trojan:Win32/Vundo.gen!BS
ID: 146262
Severity ID: 5
Category ID: 8
Path Found: file:C:\ProgramData\wemafuni\wemafuni.dll
Alert Type: Spyware or other potentially unwanted software
Detection Type: Generic
Record Number: 159507
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20091204235558.000000-000
Event Type: Warning
User:

Computer Name: Phong-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid= ... tid=146262
Scan ID: {A9E52797-6E44-48DD-A49A-EDFC2525BB95}
User: PHONG-PC\Owner
Name: Trojan:Win32/Vundo.gen!BS
ID: 146262
Severity ID: 5
Category ID: 8
Path Found: file:C:\ProgramData\wemafuni\wemafuni.dll
Alert Type: Spyware or other potentially unwanted software
Detection Type: Generic
Record Number: 159508
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20091204235713.000000-000
Event Type: Warning
User:

Computer Name: Phong-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid= ... tid=146262
Scan ID: {5DA5151F-7FFA-4E7F-8177-BCF486300AD6}
User: PHONG-PC\Owner
Name: Trojan:Win32/Vundo.gen!BS
ID: 146262
Severity ID: 5
Category ID: 8
Path Found: file:C:\ProgramData\wemafuni\wemafuni.dll
Alert Type: Spyware or other potentially unwanted software
Detection Type: Generic
Record Number: 159510
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20091205000644.000000-000
Event Type: Warning
User:

Computer Name: Phong-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid= ... tid=146262
Scan ID: {0D4A7DF4-225E-47FB-B7DF-E75184D67F1D}
User: PHONG-PC\Owner
Name: Trojan:Win32/Vundo.gen!BS
ID: 146262
Severity ID: 5
Category ID: 8
Path Found: file:C:\ProgramData\wemafuni\wemafuni.dll
Alert Type: Spyware or other potentially unwanted software
Detection Type: Generic
Record Number: 159513
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20091205000951.000000-000
Event Type: Warning
User:

Computer Name: Phong-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid= ... tid=146262
Scan ID: {36B3B20A-3E30-41D3-B1AB-644F753D8B8D}
User: PHONG-PC\Owner
Name: Trojan:Win32/Vundo.gen!BS
ID: 146262
Severity ID: 5
Category ID: 8
Path Found: file:C:\ProgramData\wemafuni\wemafuni.dll
Alert Type: Spyware or other potentially unwanted software
Detection Type: Generic
Record Number: 159515
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20091205002144.000000-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: Phong-PC
Event Code: 1000
Message: Faulting application 6uie5oim.exe, version 1.0.15.15252, time stamp 0x4b07cc3d, faulting module 6uie5oim.exe, version 1.0.15.15252, time stamp 0x4b07cc3d, exception code 0xc0000005, fault offset 0x0000c4b1, process id 0x17f4, application start time 0x01ca74761a759b82.
Record Number: 37466
Source Name: Application Error
Time Written: 20091204001120.000000-000
Event Type: Error
User:

Computer Name: Phong-PC
Event Code: 1000
Message: Faulting application 6uie5oim.exe, version 1.0.15.15252, time stamp 0x4b07cc3d, faulting module 6uie5oim.exe, version 1.0.15.15252, time stamp 0x4b07cc3d, exception code 0xc0000005, fault offset 0x0000c4b1, process id 0x818, application start time 0x01ca747654a5584c.
Record Number: 37467
Source Name: Application Error
Time Written: 20091204001240.000000-000
Event Type: Error
User:

Computer Name: Phong-PC
Event Code: 1000
Message: Faulting application 6uie5oim.exe, version 1.0.15.15252, time stamp 0x4b07cc3d, faulting module 6uie5oim.exe, version 1.0.15.15252, time stamp 0x4b07cc3d, exception code 0xc0000005, fault offset 0x0000c4b1, process id 0x870, application start time 0x01ca747728045f53.
Record Number: 37494
Source Name: Application Error
Time Written: 20091204001835.000000-000
Event Type: Error
User:

Computer Name: Phong-PC
Event Code: 1000
Message: Faulting application firefox.exe, version 1.9.0.3576, time


SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 8BA0B000
Module End: 8BAC3000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: PHONG-P.GATEWAY.2WIRE.NET:54484
Remote Address: IP-72-55-158-137.HOSTMEUP.COM:HTTP
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: CLOSE_WAIT

Local Address: PHONG-P.GATEWAY.2WIRE.NET:54445
Remote Address: 66.179.234.169:HTTP
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: CLOSE_WAIT

Local Address: PHONG-P.GATEWAY.2WIRE.NET:54392
Remote Address: CHANNEL64-09-01-SNC1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P.GATEWAY.2WIRE.NET:54349
Remote Address: PHONG-P.GATEWAY.2WIRE.NET:58080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P.GATEWAY.2WIRE.NET:54348
Remote Address: PHONG-P.GATEWAY.2WIRE.NET:58080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P.GATEWAY.2WIRE.NET:54300
Remote Address: PHONG-P.GATEWAY.2WIRE.NET:58080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P.GATEWAY.2WIRE.NET:54299
Remote Address: PHONG-P.GATEWAY.2WIRE.NET:58080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P.GATEWAY.2WIRE.NET:54272
Remote Address: 69.63.187.16:HTTP
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P.GATEWAY.2WIRE.NET:54250
Remote Address: WWW-11-03-ASH1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P.GATEWAY.2WIRE.NET:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PHONG-P:54483
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: PHONG-P:54481
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54478
Remote Address: LOCALHOST:21660
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: PHONG-P:54444
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: PHONG-P:54443
Remote Address: LOCALHOST:21660
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: PHONG-P:54433
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54403
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54401
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54398
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54391
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:54390
Remote Address: LOCALHOST:21668
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:54383
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54382
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54366
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54363
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54360
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54354
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54343
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54336
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54329
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54317
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54308
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54305
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54296
Remote Address: LOCALHOST:21668
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54291
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:54271
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:54270
Remote Address: LOCALHOST:21668
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: FIN_WAIT2

Local Address: PHONG-P:54249
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:54248
Remote Address: LOCALHOST:21668
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: FIN_WAIT2

Local Address: PHONG-P:54162
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:54161
Remote Address: LOCALHOST:21668
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: FIN_WAIT2

Local Address: PHONG-P:54068
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53899
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53740
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53712
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53706
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53499
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53445
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53425
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53288
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53255
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53030
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53021
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53014
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:53008
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:52838
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:52623
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:52389
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:52369
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:52315
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:51816
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:51598
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:51588
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:51492
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:51375
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:51048
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:51034
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:51024
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:51000
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:49209
Remote Address: LOCALHOST:49208
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:49208
Remote Address: LOCALHOST:49209
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:49205
Remote Address: LOCALHOST:49204
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:49204
Remote Address: LOCALHOST:49205
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:49169
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: LISTENING

Local Address: PHONG-P:49168
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: PHONG-P:27015
Remote Address: LOCALHOST:49168
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: PHONG-P:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54437
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54435
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54432
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54429
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54426
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54423
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54420
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54417
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54414
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54411
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54408
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54405
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54400
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54397
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54396
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54393
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54390
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54386
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54381
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54380
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54371
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54370
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54369
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54367
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54365
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54362
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54359
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54356
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54350
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54345
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54342
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54335
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54332
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54331
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54328
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54315
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54314
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54313
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54312
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54311
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54310
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54307
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54301
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54293
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54290
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54287
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54284
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54270
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: CLOSE_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54248
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: CLOSE_WAIT

Local Address: PHONG-P:21668
Remote Address: LOCALHOST:54161
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: CLOSE_WAIT

Local Address: PHONG-P:21668
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: LISTENING

Local Address: PHONG-P:21660
Remote Address: LOCALHOST:54493
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21660
Remote Address: LOCALHOST:54488
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21660
Remote Address: LOCALHOST:54478
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: PHONG-P:21660
Remote Address: LOCALHOST:54477
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:21660
Remote Address: LOCALHOST:54443
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED

Local Address: PHONG-P:21660
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: LISTENING

Local Address: PHONG-P:12143
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: PHONG-P:12119
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: PHONG-P:12110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54494
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54483
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54444
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54441
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54421
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54418
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54415
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54391
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54340
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54297
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54288
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54285
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54271
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54249
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54162
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:54068
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53899
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53740
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53712
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53706
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53499
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53445
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53425
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53288
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53255
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53030
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53021
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53014
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:53008
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:52838
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:52623
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:52389
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:52369
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:52315
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:51816
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:51598
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:51588
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:51492
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:51375
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:51048
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:51034
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:51024
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: LOCALHOST:51000
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: PHONG-P:12080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LISTENING

Local Address: PHONG-P:12025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: PHONG-P:7438
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: PHONG-P:DCCM
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: PHONG-P:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: PHONG-P:63843
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: LISTENING

Local Address: PHONG-P:62590
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
State: LISTENING

Local Address: PHONG-P:61660
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: LISTENING

Local Address: PHONG-P:58080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: LISTENING

Local Address: PHONG-P:58002
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: LISTENING

Local Address: PHONG-P:58001
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: LISTENING

Local Address: PHONG-P:54772
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
State: LISTENING

Local Address: PHONG-P:49161
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\services.exe
State: LISTENING

Local Address: PHONG-P:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\lsass.exe
State: LISTENING

Local Address: PHONG-P:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: PHONG-P:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: PHONG-P:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\wininit.exe
State: LISTENING

Local Address: PHONG-P:10035
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\lxbfcoms.exe
State: LISTENING

Local Address: PHONG-P:9667
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: LISTENING

Local Address: PHONG-P:9666
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: LISTENING

Local Address: PHONG-P:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PHONG-P:FTPS
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: PHONG-P:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PHONG-P:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: PHONG-P.GATEWAY.2WIRE.NET:61234
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: NA

Local Address: PHONG-P.GATEWAY.2WIRE.NET:58855
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: PHONG-P.GATEWAY.2WIRE.NET:54573
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: NA

Local Address: PHONG-P.GATEWAY.2WIRE.NET:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: PHONG-P.GATEWAY.2WIRE.NET:SSDP
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: NA

Local Address: PHONG-P.GATEWAY.2WIRE.NET:SSDP
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: PHONG-P.GATEWAY.2WIRE.NET:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PHONG-P.GATEWAY.2WIRE.NET:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PHONG-P:62404
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: NA

Local Address: PHONG-P:61234
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: NA

Local Address: PHONG-P:58856
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: PHONG-P:55272
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: PHONG-P:55074
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: NA

Local Address: PHONG-P:55073
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: NA

Local Address: PHONG-P:54574
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: NA

Local Address: PHONG-P:54572
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: NA

Local Address: PHONG-P:51896
Remote Address: NA
Type: UDP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: NA

Local Address: PHONG-P:SSDP
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: PHONG-P:SSDP
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
State: NA

Local Address: PHONG-P:64592
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: PHONG-P:59024
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: PHONG-P:58224
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
State: NA

Local Address: PHONG-P:55075
Remote Address: NA
Type: UDP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: NA

Local Address: PHONG-P:53299
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: PHONG-P:51895
Remote Address: NA
Type: UDP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: NA

Local Address: PHONG-P:31439
Remote Address: NA
Type: UDP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: NA

Local Address: PHONG-P:31438
Remote Address: NA
Type: UDP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: NA

Local Address: PHONG-P:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: PHONG-P:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: PHONG-P:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: PHONG-P:SSDP
Remote Address: NA
Type: UDP
Process: C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
State: NA

Local Address: PHONG-P:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: PHONG-P:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\SPP
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\{15896458-dfb5-11de-a628-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{3678dced-dbda-11de-819b-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{3eb5f9f1-d9d9-11de-a5b7-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{42e134ed-db09-11de-a939-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{471f3b07-da94-11de-be83-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{60074506-dd4f-11de-9159-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{6725b791-d6ac-11de-9c43-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{6c3edb6b-d327-11de-993e-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{9225e8f2-e066-11de-91a3-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{b3a74b35-d120-11de-8b45-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{b3a74b49-d120-11de-8b45-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{bc987379-d4b6-11de-bf98-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{bd465686-d876-11de-8bc3-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{c2a764fe-d61a-11de-a96c-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{d616de4d-db96-11de-bf15-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{e2e2db0b-ddf5-11de-a135-0019d1113830}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Access denied
Tantraka
Regular Member
 
Posts: 25
Joined: January 3rd, 2009, 11:53 pm

Re: Virus is Back

Unread postby Wingman » December 5th, 2009, 3:50 pm

Hello Tantraka,

Thanks for the logs. It appears the bottom portion of the RSIT Info report was cut off, please locate the C:\rsit\info.txt file and post the bottom portion of the log, beginning with =====Application event log===== section down to the -----EOF---- marker.

Please do not add or remove and software, run any "fix" programs and/or remove any files unless instructed to do so, by me.
Please read these instructions carefully before executing and then perform the steps, in the order given.
lf, you have any questions or problems, executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Step 1.
ERUNT - Emergency Recovery Utility NT
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
This is a free program that allows you to keep a complete backup of your registry and restore it when needed.
ERUNT utility program
Download:

  1. Please download ERUNT...by Lars Hederer. Save it to your desktop.
  2. Double-click erunt-setup-exe to run the install process. Install ERUNT by following the prompts.
    VISTA users must right-click erunt-setup-exe, select "Run As Administrator" to run the install process. Install by following prompts.
  3. Use the default install settings... say "NO" to the section that asks you to add ERUNT to the Start-Up folder. You can enable this later.
  4. Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
    VISTA users must right-click the desktop icon, select "Run As Administrator" or start it at the end of the setup process.
  5. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is fine.
  6. Make sure the first two check boxes are selected.
  7. Click on OK ... then click on "YES" to create the folder.
Run:
This will create a full backup of your registry... ERUNT can be used to restore the registry from this backup, if needed.
  1. Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
    Vista users: Right-click on ERUNT in the menu, then select "Run As Administrator". If UAC prompts, please allow it.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
TFC (Temp File Cleaner)
  1. Please download TFC.exe...by Old Timer. Save it to your desktop.
    Print these instructions. Save any unsaved work. TFC will close ALL open programs... including your browser!
  2. Right click on TFC.exe and select Run As Administrator to run it. If Windows UAC prompts, please allow it.
  3. Click the Start button to begin the cleanup.
    TFC will begin cleaning up the "temp" files... it may take only a few seconds or it could be several minutes, depending on the amount of temp files found.
  4. If prompted to reboot... click Yes.
! Important ! If TFC prompts you to reboot, please do so immediately, before proceeding to any other steps or other use of your computer.

Step 3.
Malwarebytes' Anti-Malware
Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware and save it to your desktop. If needed...Tutorial w/screenshots
Alternate download sites available here or here.
  1. Make sure you are connected to the Internet.
  2. Double-click on mbam-setup.exe to install the application.
    VISTA users: Right-click on mbam-setup.exe, select "Run As Administrator" to install the application.
  3. When the installation begins, follow the prompts and do not make any changes to default settings.
  4. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • Problems downloading the updates? Manually download them from here and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
  1. Make sure the "Perform Quick Scan" option is selected.
  2. Then click on the Scan button.
  3. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  4. Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  1. Click on the Show Results button to see a list of any malware that was found.
  2. Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
    We will take care of the System Volume Information items later.
    When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  3. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. Info.txt file (last portion)
  3. MBAM log
  4. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14109
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Virus is Back

Unread postby Tantraka » December 6th, 2009, 12:11 am

Here's the missing part of the log. I didn't have any trouble running TFC or Erunt but Malwarebyte Anti-Malware will not run after I clicked it to. I have it set to run as an administrator too and have rebooted and reinstalled the program. That's the only problem so far. As far as how my PC is acting, same as the last time.

Application event log

Computer Name: Phong-PC
Event Code: 1
Message: Certificate Services Client has been started successfully.
Record Number: 37712
Source Name: Microsoft-Windows-CertificateServicesClient
Time Written: 20091206030339.516132-000
Event Type: Information
User: PHONG-PC\Owner

Computer Name: Phong-PC
Event Code: 1
Message: Certificate Services Client has been started successfully.
Record Number: 37713
Source Name: Microsoft-Windows-CertificateServicesClient
Time Written: 20091206030347.484882-000
Event Type: Information
User: NT AUTHORITY\SYSTEM

Computer Name: Phong-PC
Event Code: 0
Message:
Record Number: 37714
Source Name: gusvc
Time Written: 20091206030456.000000-000
Event Type: Information
User:

Computer Name: Phong-PC
Event Code: 1
Message: The Windows Security Center Service has started.
Record Number: 37715
Source Name: SecurityCenter
Time Written: 20091206030459.000000-000
Event Type: Information
User:

Computer Name: Phong-PC
Event Code: 0
Message:
Record Number: 37716
Source Name: DQLWinService
Time Written: 20091206030518.000000-000
Event Type: Information
User:

Security event log

Computer Name: Phong-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: PHONG-PC$
Account Domain: HOME
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x288
Process Name: C:\WINDOWS\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 58874
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091203235354.616055-000
Event Type: Audit Success
User:

Computer Name: Phong-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: PHONG-PC$
Account Domain: HOME
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x288
Process Name: C:\WINDOWS\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 58875
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091203235354.616055-000
Event Type: Audit Success
User:

Computer Name: Phong-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 58876
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091203235354.616055-000
Event Type: Audit Success
User:

Computer Name: Phong-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: PHONG-PC$
Account Domain: HOME
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x288
Process Name: C:\WINDOWS\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 58877
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091203235611.815490-000
Event Type: Audit Success
User:

Computer Name: Phong-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: PHONG-PC$
Account Domain: HOME
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x288
Process Name: C:\WINDOWS\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 58878
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091203235611.815490-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\DivX Shared\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip

-----------------EOF-----------------
Tantraka
Regular Member
 
Posts: 25
Joined: January 3rd, 2009, 11:53 pm

Re: Virus is Back

Unread postby Wingman » December 6th, 2009, 6:38 pm

Hello tantraka,

Thanks for hanging in there. :) Let's try to get MBAM to work, as something may be blocking it's execution.
Please do not make any changes to your system, run any "fix" programs and/or remove any files unless instructed to do so, by me.

Please read these instructions carefully before executing and then perform the steps, in the order given.
lf, you have any questions or problems, executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Step 1.
Rkill
Note: If your security software warns about Rkill, please ignore and allow the download to continue.
Please download Rkill... by Grinler... using one of the following links. Save it to your Desktop.
Download links: One, Two, Three or Four
  1. Double click on the Rkill Desktop icon.
  2. A command window will open then disappear upon completion, this is normal.
Please leave Rkill on the Desktop unless instructed otherwise.

Step 2.
Malwarebytes' Anti-Malware
  1. Please start MBAM (Malwarebytes' Anti-Malware) again.
    Vista users, right-click on MBAM, select "Run As Administrator", to execute.
  2. Press the Update tab.. then press the Check for Updates...button.
    Once any updates are installed or you get the message that you are up-to-date
  3. Press the Scanner tab...
  4. Select FULL SCAN this time... then press the Scan...button. This scan will take a while, so please be patient.
    When the scan finishes...
  5. Check everything to be removed, except the System Volume entries
  6. Let MBAM remove what it can... if there are files to be deleted on reboot... please reboot the machine so MBAM can finish the removal.
    If you rebooted, then you'll need to start MBAM again.
  7. Press the LOG... tab. Locate the most current log file.
Please copy and paste the most recent log (from this new run) in your next reply.

If you still can not get MBAM to execute... please, using the Quick Search entry,
  1. type: mbam.exe, press the search button.
  2. Once located, go to the folder and rename mbam.exe to trythis.exe.
  3. Right click on "trythis.exe", select Run As Administrator to begin execution.
    Follow the (Step 2.) MBAM instructions above.

Step 3.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. MBAM log
  3. How is the computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14109
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Virus is Back

Unread postby Tantraka » December 7th, 2009, 9:13 am

MBAM worked after I changed to file name to trythis.exe so thanks :)
Here's the log and as far as how my computer is acting, still getting pop-ups and running slow browser. I usually have a fast loading browser but now kinda slow.

Malwarebytes' Anti-Malware 1.42
Database version: 3307
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

12/7/2009 6:43:39 AM
mbam-log-2009-12-07 (06-43-39).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 471434
Time elapsed: 2 hour(s), 42 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\megazujede (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Hunting Unlimited\sys\input.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\end (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ProgramData\wemafuni\wemafuni.dll (Trojan.Agent) -> Delete on reboot.
Tantraka
Regular Member
 
Posts: 25
Joined: January 3rd, 2009, 11:53 pm

Re: Virus is Back

Unread postby Wingman » December 7th, 2009, 6:16 pm

Hello tantraka,

It appears that MBAM needs to reboot in order for it to complete the removal of one of the files. This needs to be done before we go any further.
Unless you have already rebooted your machine, since running MBAM, please reboot now.

Please do not make any changes to your system, run any "fix" programs and/or remove any files unless instructed to do so, by me.

Please read these instructions carefully before executing and then perform the steps, in the order given.
lf, you have any questions or problems, executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

After you have rebooted, please go to MBAM (trythis.exe) and open the LOGS tab and post the most recent log found.

Step 1.
Show hidden files in Windows Vista
Please enable the Show Hidden Files and Folders option:
  1. Close all programs so that you are at your desktop.
  2. Press Image.
  3. Click the Start Search box on the Start Menu
  4. Copy and paste the following value, in the open text entry box:
    control folders
      Depending on you view settings: choose one of these options:
    • Double-click on the Folder Options icon... then click on the View tab.
    • Click on the Appearance and Personalization link... then click on Show Hidden Files or Folders.
  5. SELECT...button Show hidden files and folders.
    under the "Hidden files and folders" section.
  6. Remove check mark from check box... Hide extensions for known file types.
  7. Remove check mark from check box... Hide protected operating system files.
  8. Press the Apply button...then the OK button.
Now Windows Vista is configured to show all hidden files.

Step 2.
Command Line Search
I need you to perform a file search on your computer... please follow these steps:
  1. Press the Start button ...then press Run.
      If you do not have the RUN command on your Vista Start Menu:
    • Click the Start Search box on the Start Menu.
  2. Copy/paste the following command into the text entry box.
    cmd /c dir C:\*.* /L /A /B /S|Find "6uie5oim.exe" >> "%userprofile%\desktop\fileloc.txt"
  3. Press the "OK"...button
  4. A file called "fileloc.txt" should appear on your Desktop. The command window will eventually close.
  5. Double click on this file... Notepad or Wordpad should open.
Please copy/paste the contents of the fileloc.txt file...in your next reply.

Step 3.
There are 3 jobs or scheduled tasks that I need information about. Please tell me if you set these jobs up, otherwise we can remove them,
so they will no longer be executed.
C:\Windows\tasks\mvlsywqj.job
C:\Windows\tasks\oslayclj.job
C:\Windows\tasks\rofybozc.job


Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. MBAM log
  3. Fileloc.txt file contents
  4. 3 Scheduled tasks job info.
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14109
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Virus is Back

Unread postby Tantraka » December 7th, 2009, 10:28 pm

Rebooted my Computer and here's the new Mbam log.
I also don't know what any of those .jobs are so they can be removed too if you would help me :)
and here is the fileloc.txt too

Malwarebytes' Anti-Malware 1.42
Database version: 3307
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

12/7/2009 6:43:39 AM
mbam-log-2009-12-07 (06-43-39).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 471434
Time elapsed: 2 hour(s), 42 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\megazujede (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Hunting Unlimited\sys\input.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\end (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ProgramData\wemafuni\wemafuni.dll (Trojan.Agent) -> Delete on reboot.

fileloc.txt
c:\users\owner\downloads\6uie5oim.exe
Tantraka
Regular Member
 
Posts: 25
Joined: January 3rd, 2009, 11:53 pm

Re: Virus is Back

Unread postby Wingman » December 8th, 2009, 10:53 am

Hello tantraka,
Thanks for the info on the 3 scheduled tasks... we'll remove them shortly.

Please do not make any changes to your system, run any "fix" programs and/or remove any files unless instructed to do so, by me.
Please read these instructions carefully before executing and then perform the steps, in the order given. lf, you have any questions or problems, executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Step 1.
Online Multi Antivirus file scan
Please go to either: Jotti or Virus Total and upload -only one file per scan- the following file(s) for scanning:

c:\users\owner\downloads\6uie5oim.exe

Using Jotti
  1. Choose the appropriate language... once a language is selected, you'll see a message "Ready to receive files"
  2. Please copy and paste... the above full path and file name(s)...in the text box next to the Browse button.
  3. Click on Submit..button.
      If you receive the message: This file has been scanned before. The results for this previous scan are listed below.
      Please press the Scan again button, so your file will be scanned.
  4. The file will be uploaded and scanned by various antivirus scanners..this may take a few minutes.
  5. When all scans have completed... Highlight the results text from the Jotti's malware scan box.
  6. Copy the selected text... Open Notepad... Paste the contents into Notepad... Save the file to a convenient place.
  7. Please repeat this procedure for each file listed above.
  8. Paste the contents of all the Jotti scan results in your next reply.

Using Virus Total
  1. Please copy and paste... the above full path and file name(s)...in the text box next to the Browse button.
  2. Click on Send File...button.
  3. The file will be queued, uploaded and scanned by various antivirus scanners..this may take a few minutes.
      If you receive the message: File has already been analysed:
      Please press the Reanalyse file now button, so your file will be scanned.
  4. When the scan is completed...press the "Compact" icon
  5. The results will be shown in a grid like window... right-click on the text, choose Select All, then Copy the entire contents.
  6. Open Notepad...Paste the result contents into the Notepad window...Save this file to a convenient place.
  7. Please repeat this procedure for each file listed above.
  8. Paste the contents of all the Virus Total results in your next reply.

Step 2.
Malwarebytes' Anti-Malware
  1. Please start MBAM (trythis.exe) again.
  2. Press the Update tab.. then press the Check for Updates...button. <<=== Important!
    Once any updates are installed or you get the message that you are up-to-date
  3. Press the Scanner tab...
  4. Select FULL SCAN this time... then press the Scan...button. This scan will take a while, so please be patient.
    When the scan finishes...
  5. Check everything to be removed, except the System Volume entries
  6. Let MBAM remove what it can... if there are files to be deleted on reboot... please reboot the machine so MBAM can finish the removal.
    If you rebooted, then you'll need to start MBAM again.
  7. Press the LOG... tab. Locate the most current log file.
Please copy and paste the most recent log (from this new run) in your next reply.

Step 3.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. Jotti or VirusTotal scan results
  3. New MBAM log
  4. How is your computer behaving?
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14109
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Virus is Back

Unread postby Tantraka » December 8th, 2009, 11:25 pm

Ran virus total and I got the logs for that as well as another Mbam scan but it said nothing malicious was found but I think there is still a virus because of a new WinPatrol alert saying Rundll32.exe c:\progra~2\witeyaza\witeyaza.dll,a wants to start and that just seems like a virus. Also still getting pop-ups as well as certain sites not working for some browsers.
Here are the logs though :)


Srpski | ?????????? | ??????? | Suomi | ihMdI | | ????? | | Slovenšcina | Dansk | ??????? | Româna | Türkçe | Nederlands | ???????? | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Cesky | Polski | Español
Virus Total
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File 6uie5oim.exe received on 2009.12.09 00:14:01 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/40 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.08 -
AhnLab-V3 5.0.0.2 2009.12.08 -
AntiVir 7.9.1.102 2009.12.08 -
Antiy-AVL 2.0.3.7 2009.12.08 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.08 -
AVG 8.5.0.426 2009.12.08 -
BitDefender 7.2 2009.12.08 -
CAT-QuickHeal 10.00 2009.12.08 -
ClamAV 0.94.1 2009.12.09 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.08 -
eSafe 7.0.17.0 2009.12.08 -
eTrust-Vet 35.1.7165 2009.12.08 -
F-Prot 4.5.1.85 2009.12.08 -
F-Secure 9.0.15370.0 2009.12.07 -
Fortinet 4.0.14.0 2009.12.08 -
GData 19 2009.12.08 -
Ikarus T3.1.1.74.0 2009.12.08 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.915 2009.12.08 -
Kaspersky 7.0.0.125 2009.12.08 -
McAfee 5826 2009.12.08 -
McAfee+Artemis 5826 2009.12.08 -
McAfee-GW-Edition 6.8.5 2009.12.09 -
Microsoft 1.5302 2009.12.09 -
NOD32 4671 2009.12.08 -
Norman 6.03.02 2009.12.08 -
nProtect 2009.1.8.0 2009.12.08 -
Panda 10.0.2.2 2009.12.08 -
PCTools 7.0.3.5 2009.12.08 -
Rising 22.25.01.09 2009.12.08 -
Sophos 4.48.0 2009.12.08 -
Sunbelt 3.2.1858.2 2009.12.08 -
Symantec 1.4.4.12 2009.12.09 -
TheHacker 6.5.0.2.088 2009.12.07 -
TrendMicro 9.100.0.1001 2009.12.08 -
VBA32 3.12.12.0 2009.12.08 -
ViRobot 2009.12.8.2076 2009.12.08 -
VirusBuster 5.0.21.0 2009.12.08 -
Additional information
File size: 292352 bytes
MD5...: ce4baa2eabae3385bc7b2d000a58afa9
SHA1..: 96655ef163ee09b7d59d2d5a9f39be74a89dff4a
SHA256: a04653f2bfaca87f94d7ab709f67d5aa8e24fbdfbf00a143ff2a838f5e1cc9a8
ssdeep: 6144:zYHJF/CmFRaakGM6iRuKlJ9iQqBk+/KMFyTMZncru6q0:UpUdaDM17iQqBr
/KMcTwcy6q
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xb2be0
timedatestamp.....: 0x4b07cc3d (Sat Nov 21 11:17:17 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6c000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6d000 0x46000 0x45e00 7.93 4bcd84d56f9d623bf7353eb635a63fe4
.rsrc 0xb3000 0x2000 0x1400 3.39 e2387c4d064e7459c7ca637abd882dd5

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch
packers (F-Prot): UPX
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: 1, 0, 15, 15252
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

ATENTION ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Scan another file
VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy

Malwarebytes' Anti-Malware 1.42
Database version: 3325
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

12/8/2009 9:22:26 PM
mbam-log-2009-12-08 (21-22-26).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 473469
Time elapsed: 2 hour(s), 44 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Tantraka
Regular Member
 
Posts: 25
Joined: January 3rd, 2009, 11:53 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 49 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware