tym
Everything posted by tym
infected by FBI greendot virus, no safe mode at all, please help!
tym replied to tym's topic in Resolved Malware Removal Logs
MrC, I just sent a donation to you. Thanks so much again for your help!!
infected by FBI greendot virus, no safe mode at all, please help!
tym replied to tym's topic in Resolved Malware Removal Logs
MrC, I tried "ComboFix /unintall" from Run, but it behaved like running ComboFix again. Now I just renamed it to "Unintall.exe", but still it is showing "complete item #...". Anything wrong? How can I safely uninstall it? Thanks!!
infected by FBI greendot virus, no safe mode at all, please help!
tym replied to tym's topic in Resolved Malware Removal Logs
Great, it worked! Here is the checkup.txt:

 Results of screen317's Security Check version 0.99.56
 Windows 7 x64 (UAC is enabled)
 Out of date service pack!!
 Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
金山毒霸实时保护
Norton Internet Security
 Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Java 6 Update 31
 Java version out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Thunderbird (3.1.19) Thunderbird out of Date!
 Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
 Norton ccSvcHst.exe
 kingsoft antivirus kxescore.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
infected by FBI greendot virus, no safe mode at all, please help!
tym replied to tym's topic in Resolved Malware Removal Logs
MrC, here is the AdwCleaner[s1].txt:

# AdwCleaner v2.104 - Logfile created 01/04/2013 at 10:25:18
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : tym - TYM-PC
# Boot Mode : Normal
# Running from : C:\Users\tym\Desktop\adwcleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\TENCENT
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\Software\TENCENT

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [835 octets] - [04/01/2013 10:17:06]
AdwCleaner[s1].txt - [775 octets] - [04/01/2013 10:25:18]

########## EOF - C:\AdwCleaner[s1].txt - [834 octets] ##########

But I can't download the Security Check because it is blocked by my company; see below for the error message. What can we do? Thanks!

This Page Cannot Be Displayed
Based on your corporate access policies, this web site ( http://screen317.spywareinfoforum.org/SecurityCheck.exe ) has been blocked because it has been determined by Web Reputation Filters to be a security threat to your computer or the corporate network. This web site has been associated with malware/spyware.
infected by FBI greendot virus, no safe mode at all, please help!
tym replied to tym's topic in Resolved Malware Removal Logs
Here is the log. I don't see anything I want to keep.

# AdwCleaner v2.104 - Logfile created 01/04/2013 at 10:17:06
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : tym - TYM-PC
# Boot Mode : Normal
# Running from : C:\Users\tym\Desktop\adwcleaner.exe
# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Found : HKCU\Software\TENCENT
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\Software\TENCENT

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [708 octets] - [04/01/2013 10:17:06]

########## EOF - C:\AdwCleaner[R1].txt - [767 octets] ##########
infected by FBI greendot virus, no safe mode at all, please help!
tym replied to tym's topic in Resolved Malware Removal Logs
Here is the log after ComboFix finished. Sorry for the weird code, which is supposed to be Chinese. I can read it on the laptop. If you need, I can translate it.
infected by FBI greendot virus, no safe mode at all, please help!
tym replied to tym's topic in Resolved Malware Removal Logs
Yes, it starts normally! Sorry, I was waiting for the next instruction. So are there any other steps I should do, e.g. run an MBAM scan, or is it all set? And how can I prevent this from happening in the future? Really appreciate your help!
infected by FBI greendot virus, no safe mode at all, please help!
tym replied to tym's topic in Resolved Malware Removal Logs
Here is the Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-12-2012
Ran by SYSTEM at 2013-01-04 08:51:28 Run:1
Running from I:\
==============================================
HKEY_USERS\tym\Software\Microsoft\Windows\CurrentVersion\Run\\uhhcskwy Value deleted successfully.
HKEY_USERS\tym\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
C:\Users\tym\AppData\Roaming\_bd_uylzs.exe moved successfully.
C:\Users\All Users\_bd_uylzs.exe moved successfully.
C:\Users\tym\AppData\Local\_bd_uylzs.exe moved successfully.
C:\Users\All Users\_bd_uylzs.exe not found.
C:\Users\tym\AppData\Roaming\_bd_uylzs.exe not found.
C:\Users\tym\AppData\Local\_bd_uylzs.exe not found.
==== End of Fixlog ====
infected by FBI greendot virus, no safe mode at all, please help!
tym replied to tym's topic in Resolved Malware Removal Logs
Hi MrC, thanks a lot! Here are the FRST.txt and Search.txt:
3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x] ==================== NetSvcs (Whitelisted) ==================== ==================== One Month Created Files and Folders ======== 2012-12-31 04:12 - 2012-12-31 04:12 - 00003352 ____N C:\bootsqm.dat 2012-12-29 19:53 - 2013-01-02 16:21 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Roaming\_bd_uylzs.exe 2012-12-29 19:53 - 2013-01-02 16:17 - 00000280 ____A C:\Windows\setupact.log 2012-12-29 19:53 - 2012-12-29 19:53 - 00000354 ____A C:\Windows\PFRO.log 2012-12-29 19:53 - 2012-12-29 19:53 - 00000000 ____A C:\Windows\setuperr.log 2012-12-29 19:51 - 2013-01-02 17:07 - 00237056 ____A (NeoSmart Technologies) C:\Users\All Users\_bd_uylzs.exe 2012-12-29 19:51 - 2013-01-02 16:21 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Local\_bd_uylzs.exe 2012-12-27 06:42 - 2012-12-27 06:42 - 00000000 ____D C:\Users\tym\AppData\Local\{9F7D2EBB-3441-4794-8237-8E9D319D35BB} 2012-12-26 04:46 - 2012-12-23 19:05 - 00137632 ____A (Tencent) C:\Windows\SysWOW64\Drivers\QQProtect.sys 2012-12-21 06:31 - 2012-12-16 08:52 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll 2012-12-21 06:31 - 2012-12-16 06:40 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll 2012-12-21 06:31 - 2012-12-16 06:25 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll 2012-12-21 06:31 - 2012-12-16 06:25 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll 2012-12-20 05:19 - 2012-12-20 05:19 - 00000000 ____D C:\Users\tym\AppData\Local\{5E3060F0-0C09-4B95-9877-68B2E4581226} 2012-12-19 11:48 - 2012-12-19 11:48 - 00000000 ____D C:\Users\tym\AppData\Local\{63F6D928-4D6F-4AD1-9BEB-921D01D84D6A} 2012-12-19 07:35 - 2012-12-19 07:35 - 00000000 ____D C:\Users\tym\AppData\Local\{683EC243-2875-44E0-AE48-791B3750FB65} 2012-12-18 05:29 - 2012-12-18 05:29 - 00000000 ____D C:\Users\tym\AppData\Local\{3D929235-54C5-42F8-89BD-19F7489671E4} 2012-12-17 06:27 - 2012-12-17 06:27 - 00000000 
____D C:\Users\tym\AppData\Local\{C6215F33-CC04-413E-A681-6C18C307CC24} 2012-12-14 05:33 - 2012-12-14 05:34 - 00000000 ____D C:\Users\tym\AppData\Local\{56192237-06F2-4CEC-A489-4CB95E3215AD} 2012-12-13 05:26 - 2012-12-13 05:27 - 00000000 ____D C:\Users\tym\AppData\Local\{928A7C5F-2C15-4D50-BDCB-CF8ABF6A4CE5} 2012-12-12 05:41 - 2012-12-12 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{F2F85F28-D8E8-4290-A3C2-9CB8D5E3F3B6} 2012-12-12 04:34 - 2012-11-08 21:34 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll 2012-12-12 04:34 - 2012-11-08 20:49 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll 2012-12-12 04:33 - 2012-09-06 09:38 - 00295792 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\volsnap.sys 2012-12-11 16:35 - 2012-11-01 21:27 - 00478208 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll 2012-12-11 16:35 - 2012-11-01 20:48 - 00376832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll 2012-12-11 16:25 - 2012-10-04 09:35 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll 2012-12-11 16:25 - 2012-10-04 06:49 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll 2012-12-11 16:22 - 2012-10-04 09:38 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll 2012-12-11 16:22 - 2012-10-04 09:38 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll 2012-12-11 16:22 - 2012-10-04 09:38 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll 2012-12-11 16:22 - 2012-10-04 09:38 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll 2012-12-11 16:22 - 2012-10-04 09:32 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll 2012-12-11 16:22 - 2012-10-04 09:32 - 00425984 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll 2012-12-11 16:22 
- 2012-10-04 09:28 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll 
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:54 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll 2012-12-11 16:22 - 2012-10-04 08:54 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll 2012-12-11 16:22 - 2012-10-04 08:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00005120 ___AH (Microsoft Corporation) 
C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft 
Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 07:19 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe 2012-12-11 16:22 - 2012-10-04 06:49 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe 2012-12-11 16:22 - 2012-10-04 06:49 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe 2012-12-11 16:22 - 2012-10-04 06:49 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe 2012-12-11 16:22 - 2012-10-04 06:44 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 06:44 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 06:44 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll 2012-12-11 16:22 - 2012-10-04 06:44 - 
00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll 2012-12-11 16:12 - 2012-11-22 00:20 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2012-12-11 15:52 - 2012-11-13 22:11 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-12-11 15:52 - 2012-11-13 22:04 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-12-11 15:52 - 2012-11-13 22:04 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-12-11 15:52 - 2012-11-13 22:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-12-11 15:52 - 2012-11-13 22:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-12-11 15:52 - 2012-11-13 21:59 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-12-11 15:52 - 2012-11-13 21:58 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-12-11 15:52 - 2012-11-13 21:57 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll 2012-12-11 15:52 - 2012-11-13 21:57 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-12-11 15:52 - 2012-11-13 21:55 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll 2012-12-11 15:52 - 2012-11-13 21:53 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-12-11 15:52 - 2012-11-13 21:52 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-12-11 15:52 - 2012-11-13 21:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-12-11 15:52 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2012-12-11 15:52 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2012-12-11 15:52 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2012-12-11 15:52 - 2012-11-13 17:57 - 01103872 ____A 
(Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2012-12-11 15:52 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll 2012-12-11 15:52 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2012-12-11 15:52 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2012-12-11 15:52 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2012-12-11 15:52 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2012-12-11 15:52 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2012-12-11 15:52 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2012-12-11 15:52 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2012-12-11 15:51 - 2012-11-13 23:06 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-12-11 15:51 - 2012-11-13 22:32 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-12-11 15:51 - 2012-11-13 21:55 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-12-11 15:51 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2012-12-11 15:51 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2012-12-11 15:51 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2012-12-11 15:51 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2012-12-11 06:40 - 2012-12-11 06:40 - 00000000 ____D C:\Users\tym\AppData\Local\{4FA07EC4-85F0-4FA4-92A6-3C84619D1E76} 2012-12-10 06:28 - 2012-12-10 06:28 - 00000000 ____D C:\Users\tym\AppData\Local\{423AF44E-AAB2-41FF-98F0-AFD9151F3233} 2012-12-08 05:56 - 2012-12-08 05:56 - 00000000 ____D 
C:\Users\tym\AppData\Local\{F9814C92-394F-4810-975D-087B15C4BE84} 2012-12-07 05:41 - 2012-12-07 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{CE7D4F68-6122-485D-AC66-7C830CA57217} 2012-12-06 07:41 - 2012-12-06 07:41 - 00000000 ____D C:\Windows\Easyrecovery 2012-12-06 05:32 - 2012-12-06 05:33 - 00000000 ____D C:\Users\tym\AppData\Local\{E04E32D8-EF73-4A2B-99F3-CD7C7E8479BE} 2012-12-05 05:57 - 2012-12-05 05:58 - 00000000 ____D C:\Users\tym\AppData\Local\{DF64FEEC-CE0A-4827-945B-1B90BB2A0FB2} ==================== One Month Modified Files and Folders ======= 2013-01-02 17:07 - 2012-12-29 19:51 - 00237056 ____A (NeoSmart Technologies) C:\Users\All Users\_bd_uylzs.exe 2013-01-02 16:21 - 2012-12-29 19:53 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Roaming\_bd_uylzs.exe 2013-01-02 16:21 - 2012-12-29 19:51 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Local\_bd_uylzs.exe 2013-01-02 16:17 - 2012-12-29 19:53 - 00000280 ____A C:\Windows\setupact.log 2013-01-02 16:17 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2012-12-31 04:12 - 2012-12-31 04:12 - 00003352 ____N C:\bootsqm.dat 2012-12-29 19:54 - 2011-05-25 00:55 - 00000000 ____D C:\Users\tym\AppData\Roaming\Dropbox 2012-12-29 19:53 - 2012-12-29 19:53 - 00000354 ____A C:\Windows\PFRO.log 2012-12-29 19:53 - 2012-12-29 19:53 - 00000000 ____A C:\Windows\setuperr.log 2012-12-29 18:45 - 2011-11-21 01:11 - 00000000 ____D C:\QUARANTINE 2012-12-29 18:37 - 2011-05-25 01:12 - 00000000 ____D C:\Users\tym\Documents\Tencent Files 2012-12-29 16:40 - 2011-11-22 00:31 - 00000000 ____D C:\Program Files (x86)\KSafe 2012-12-29 16:34 - 2011-11-22 00:33 - 00000000 ____D C:\Users\All Users\KSafe 2012-12-29 16:23 - 2009-07-13 21:13 - 00727334 ____A C:\Windows\System32\PerfStringBackup.INI 2012-12-29 16:19 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2012-12-29 16:19 - 2009-07-13 20:45 - 00009920 ___AH 
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2012-12-29 16:10 - 2011-05-25 00:57 - 00000000 ___RD C:\Users\tym\Dropbox 2012-12-28 20:21 - 2011-12-21 06:39 - 00083320 ____A (Kingsoft Corporation) C:\Windows\System32\Drivers\ksapi.sys 2012-12-28 20:20 - 2011-12-21 06:39 - 00221048 ____A (Kingsoft Corporation) C:\Windows\System32\Drivers\kisknl.sys 2012-12-28 19:39 - 2011-05-25 23:11 - 00000000 ____D C:\Users\tym\AppData\Roaming\Skype 2012-12-28 17:08 - 2011-11-25 23:21 - 00000739 ____A C:\Users\tym\Desktop\??7.lnk 2012-12-27 06:42 - 2012-12-27 06:42 - 00000000 ____D C:\Users\tym\AppData\Local\{9F7D2EBB-3441-4794-8237-8E9D319D35BB} 2012-12-27 06:42 - 2011-05-25 01:10 - 00000000 ____D C:\Users\tym\AppData\Local\Windows Live 2012-12-26 11:37 - 2012-11-10 10:58 - 00020992 ____A C:\Users\tym\Desktop\????.xls 2012-12-26 11:37 - 2011-05-25 19:14 - 00000000 ____D C:\Users\All Users\Tencent 2012-12-25 19:55 - 2011-11-22 05:44 - 00000000 __SHD C:\KRECYCLE 2012-12-24 04:12 - 2011-05-25 01:02 - 00000000 ____D C:\Program Files (x86)\SogouExtension 2012-12-23 19:05 - 2012-12-26 04:46 - 00137632 ____A (Tencent) C:\Windows\SysWOW64\Drivers\QQProtect.sys 2012-12-22 16:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF 2012-12-21 17:29 - 2009-07-13 20:45 - 00299136 ____A C:\Windows\System32\FNTCACHE.DAT 2012-12-20 05:19 - 2012-12-20 05:19 - 00000000 ____D C:\Users\tym\AppData\Local\{5E3060F0-0C09-4B95-9877-68B2E4581226} 2012-12-19 11:48 - 2012-12-19 11:48 - 00000000 ____D C:\Users\tym\AppData\Local\{63F6D928-4D6F-4AD1-9BEB-921D01D84D6A} 2012-12-19 07:35 - 2012-12-19 07:35 - 00000000 ____D C:\Users\tym\AppData\Local\{683EC243-2875-44E0-AE48-791B3750FB65} 2012-12-18 05:29 - 2012-12-18 05:29 - 00000000 ____D C:\Users\tym\AppData\Local\{3D929235-54C5-42F8-89BD-19F7489671E4} 2012-12-17 06:27 - 2012-12-17 06:27 - 00000000 ____D C:\Users\tym\AppData\Local\{C6215F33-CC04-413E-A681-6C18C307CC24} 2012-12-16 22:25 - 2011-06-05 
06:25 - 00000000 ____D C:\Users\tym\AppData\Roaming\EndNote 2012-12-16 08:52 - 2012-12-21 06:31 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll 2012-12-16 06:40 - 2012-12-21 06:31 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll 2012-12-16 06:25 - 2012-12-21 06:31 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll 2012-12-16 06:25 - 2012-12-21 06:31 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll 2012-12-14 05:34 - 2012-12-14 05:33 - 00000000 ____D C:\Users\tym\AppData\Local\{56192237-06F2-4CEC-A489-4CB95E3215AD} 2012-12-13 11:47 - 2011-05-25 19:30 - 00000000 ____D C:\Users\tym\AppData\Local\CrashDumps 2012-12-13 05:27 - 2012-12-13 05:26 - 00000000 ____D C:\Users\tym\AppData\Local\{928A7C5F-2C15-4D50-BDCB-CF8ABF6A4CE5} 2012-12-12 19:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache 2012-12-12 10:20 - 2009-07-13 18:34 - 00000633 ____A C:\Windows\win.ini 2012-12-12 05:41 - 2012-12-12 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{F2F85F28-D8E8-4290-A3C2-9CB8D5E3F3B6} 2012-12-11 06:40 - 2012-12-11 06:40 - 00000000 ____D C:\Users\tym\AppData\Local\{4FA07EC4-85F0-4FA4-92A6-3C84619D1E76} 2012-12-10 06:28 - 2012-12-10 06:28 - 00000000 ____D C:\Users\tym\AppData\Local\{423AF44E-AAB2-41FF-98F0-AFD9151F3233} 2012-12-08 20:42 - 2011-05-25 01:22 - 00000000 ____D C:\Users\tym\AppData\Roaming\SoftGrid Client 2012-12-08 05:56 - 2012-12-08 05:56 - 00000000 ____D C:\Users\tym\AppData\Local\{F9814C92-394F-4810-975D-087B15C4BE84} 2012-12-07 05:41 - 2012-12-07 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{CE7D4F68-6122-485D-AC66-7C830CA57217} 2012-12-06 09:20 - 2011-12-05 10:37 - 00000915 ____A C:\Users\tym\AppData\Roaming\coreavc.ini 2012-12-06 07:41 - 2012-12-06 07:41 - 00000000 ____D C:\Windows\Easyrecovery 2012-12-06 05:33 - 2012-12-06 05:32 - 00000000 ____D C:\Users\tym\AppData\Local\{E04E32D8-EF73-4A2B-99F3-CD7C7E8479BE} 2012-12-05 05:58 - 2012-12-05 05:57 - 00000000 ____D 
C:\Users\tym\AppData\Local\{DF64FEEC-CE0A-4827-945B-1B90BB2A0FB2} ==================== Known DLLs (Whitelisted) ================= ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys [2012-12-12 04:33] - [2012-09-06 09:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1 ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= Restore point made on: 2012-12-04 04:11:54 Restore point made on: 2012-12-07 18:59:08 Restore point made on: 2012-12-11 04:02:35 Restore point made on: 2012-12-11 15:51:39 Restore point made on: 2012-12-11 16:02:21 Restore point made on: 2012-12-11 16:12:19 Restore point made on: 2012-12-11 16:21:56 Restore point made on: 2012-12-11 16:34:54 Restore point made on: 2012-12-12 10:16:00 Restore point made on: 2012-12-18 06:48:03 Restore point made on: 2012-12-21 06:31:39 Restore point made on: 2012-12-25 05:44:43 ==================== Memory info =========================== Percentage of memory in use: 22% Total physical RAM: 3000.93 MB Available physical RAM: 2331.84 MB Total Pagefile: 2999.08 MB Available Pagefile: 2322.74 MB Total Virtual: 8192 MB Available Virtual: 8191.9 MB ==================== Partitions ============================= 
1 Drive c: (Gateway) (Fixed) (Total:145.9 GB) (Free:89 GB) NTFS 2 Drive d: (New Volume) (Fixed) (Total:100.03 GB) (Free:14.32 GB) NTFS 3 Drive e: (New Volume) (Fixed) (Total:39.06 GB) (Free:38.97 GB) NTFS 4 Drive g: (PQSERVICE) (Fixed) (Total:13 GB) (Free:2 GB) NTFS 6 Drive i: (USB_SEEKER) (Removable) (Total:1.93 GB) (Free:1.41 GB) FAT32 7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS 8 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)] Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 298 GB 2048 KB Disk 1 Online 1986 MB 0 B Partitions of Disk 0: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Recovery 13 GB 1024 KB Partition 2 Primary 100 MB 13 GB Partition 3 Primary 145 GB 13 GB Partition 0 Extended 139 GB 158 GB Partition 4 Logical 100 GB 158 GB Partition 5 Logical 39 GB 259 GB ================================================================================== Disk: 0 Partition 1 Type : 27 Hidden: Yes Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 5 G PQSERVICE NTFS Partition 13 GB Healthy Hidden ========================================================= Disk: 0 Partition 2 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy ========================================================= Disk: 0 Partition 3 Type : 07 Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 2 C Gateway NTFS Partition 145 GB Healthy ========================================================= Disk: 0 Partition 4 Type : 07 Hidden: No Active: No Volume ### Ltr Label Fs 
Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 3 D New Volume NTFS Partition 100 GB Healthy ========================================================= Disk: 0 Partition 5 Type : 07 Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 4 E New Volume NTFS Partition 39 GB Healthy ========================================================= Partitions of Disk 1: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 1984 MB 31 KB ================================================================================== Disk: 1 Partition 1 Type : 0B Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 6 I USB_SEEKER FAT32 Removable 1984 MB Healthy ========================================================= Last Boot: 2012-12-25 06:11 ==================== End Of Log ============================= Farbar Recovery Scan Tool (x64) Version: 31-12-2012 Ran by SYSTEM at 2013-01-04 02:33:59 Running from I:\ ================== Search: "services.exe" =================== C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB C:\Windows\System32\services.exe [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB ====== End Of Search ====== -
infected by FBI greendot virus, no safe mode at all, please help!
tym replied to tym's topic in Resolved Malware Removal Logs
Thanks, MrC, for your help! I have downloaded the tools to a flash drive and will try them when I get home. Are the logs only written to the flash drive? If so, I may have to reply to you tomorrow with the log files. I will bring the infected laptop to work tomorrow so that I can try your tools right away. Thanks again!
Hi, my Windows 7 laptop is infected by the FBI greendot virus. I can't access safe mode, safe mode with networking, or safe mode with command prompt at all. They all bring up the FBI warning screen. The DVD drive is broken, so I can't try the system disk either. I think the only option left is to fix it using tools on a flash drive? Please help! Thanks a lot!!