tym
Posts: 11

Posts posted by tym
MrC,
I tried "ComboFix /unintall" from Run, but it behaved like running ComboFix again. Now I just renamed it to "Unintall.exe", but it is still showing "complete item #...".
Anything wrong? How can I safely uninstall it? Thanks!!
-
Great, it worked! Here is the checkup.txt:
Results of screen317's Security Check version 0.99.56
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Kingsoft Antivirus Real-time Protection (金山毒霸实时保护)
Norton Internet Security
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Java 6 Update 31
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Thunderbird (3.1.19) Thunderbird out of Date!
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
kingsoft antivirus kxescore.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
-
MrC, here is the AdwCleaner[s1].txt:
# AdwCleaner v2.104 - Logfile created 01/04/2013 at 10:25:18
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : tym - TYM-PC
# Boot Mode : Normal
# Running from : C:\Users\tym\Desktop\adwcleaner.exe
# Option [Delete]
***** [services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Deleted : HKCU\Software\TENCENT
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\Software\TENCENT
***** [internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [835 octets] - [04/01/2013 10:17:06]
AdwCleaner[s1].txt - [775 octets] - [04/01/2013 10:25:18]
########## EOF - C:\AdwCleaner[s1].txt - [834 octets] ##########
But I can't download Security Check because my company blocks it; see below for the error message. What can we do? Thanks!
This Page Cannot Be Displayed
Based on your corporate access policies, this web site ( http://screen317.spywareinfoforum.org/SecurityCheck.exe ) has been blocked because it has been determined by Web Reputation Filters to be a security threat to your computer or the corporate network. This web site has been associated with malware/spyware.
-
Here is the log. I don't see anything I want to keep.
# AdwCleaner v2.104 - Logfile created 01/04/2013 at 10:17:06
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : tym - TYM-PC
# Boot Mode : Normal
# Running from : C:\Users\tym\Desktop\adwcleaner.exe
# Option [search]
***** [services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Found : HKCU\Software\TENCENT
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\Software\TENCENT
***** [internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [708 octets] - [04/01/2013 10:17:06]
########## EOF - C:\AdwCleaner[R1].txt - [767 octets] ##########
-
Here is the log after ComboFix finished. Sorry for the weird characters, which are supposed to be Chinese. I can read them on the laptop; if you need, I can translate them.
ComboFix 13-01-04.01 - tym 4/2013 Fri 9:43.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.936.86.1033.18.3001.2024 [GMT -5:00]
Running from: c:\users\tym\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: ½ðɽ¶¾°Ôʵʱ±£»¤ *Disabled/Updated* {B6A51389-A795-5AC9-13BA-F569D73F3FE8}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Deleted files )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Common Files\Tencent\Paycenter
c:\program files (x86)\Common Files\Tencent\Paycenter\npqqcert.dll
c:\program files (x86)\Common Files\Tencent\Paycenter\npqqedit.dll
c:\program files (x86)\Common Files\Tencent\Paycenter\qqcert.dll
c:\program files (x86)\Common Files\Tencent\Paycenter\qqedit.dll
c:\program files (x86)\Common Files\Tencent\Paycenter\tenpay.ico
c:\program files (x86)\Common Files\Tencent\Paycenter\uninstall.exe
c:\program files (x86)\Common Files\Tencent\Paycenter\Whatsnew.txt
c:\program files (x86)\Common Files\Tencent\Paycenter\XP.sys
c:\program files (x86)\Common Files\Tencent\Paycenter\XP_64.sys
c:\program files (x86)\StormII
C:\RECYCLER88
c:\users\tym\AppData\Local\{33EF426B-A018-43FA-83CD-D52B0EFCF44D}
c:\users\tym\AppData\Roaming\CDC1A5
c:\users\tym\AppData\Roaming\SogouExplorer
c:\users\tym\AppData\Roaming\SogouExplorer\confdll.dll
.
.
((((((((((((((((((((((((( Files created from 2012-12-04 to 2013-01-04 )))))))))))))))))))))))))))))))
.
.
2013-01-04 14:58 . 2013-01-04 14:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-04 14:51 . 2013-01-04 14:51 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3727B5BB-8278-4E5C-9555-CE40AC12407C}\offreg.dll
2013-01-04 10:31 . 2013-01-04 10:31 -------- d-----w- C:\FRST
2012-12-28 07:08 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3727B5BB-8278-4E5C-9555-CE40AC12407C}\mpengine.dll
2012-12-26 12:46 . 2012-12-24 03:05 137632 ----a-w- c:\windows\SysWow64\drivers\QQProtect.sys
2012-12-21 14:31 . 2012-12-16 16:52 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-21 14:31 . 2012-12-16 14:25 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-21 14:31 . 2012-12-16 14:40 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-21 14:31 . 2012-12-16 14:25 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-12 12:34 . 2012-11-09 05:34 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-12 12:34 . 2012-11-09 04:49 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-12-12 12:33 . 2012-09-06 17:38 295792 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-12-12 00:35 . 2012-11-02 05:27 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-12-12 00:35 . 2012-11-02 04:48 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-12-12 00:25 . 2012-10-04 17:35 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2012-12-12 00:25 . 2012-10-04 14:49 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2012-12-12 00:12 . 2012-11-22 08:20 3147264 ----a-w- c:\windows\system32\win32k.sys
2012-12-11 23:51 . 2012-11-14 05:55 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-12-11 23:51 . 2012-11-14 06:06 499200 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll
2012-12-11 23:51 . 2012-11-14 02:00 387584 ----a-w- c:\program files (x86)\Internet Explorer\jsdbgui.dll
2012-12-11 23:51 . 2012-11-14 06:06 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2012-12-11 23:51 . 2012-11-14 02:01 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
2012-12-11 23:51 . 2012-11-14 07:06 17811968 ----a-w- c:\windows\system32\mshtml.dll
2012-12-11 23:51 . 2012-11-14 06:32 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-12-06 15:41 . 2012-12-06 15:41 -------- d-----w- c:\windows\Easyrecovery
2012-12-06 15:24 . 2012-12-06 15:32 -------- d-----w- c:\program files (x86)\Common Files\gssoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Files modified in the last three months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-29 04:21 . 2011-12-21 14:39 83320 ----a-w- c:\windows\system32\drivers\ksapi.sys
2012-12-29 04:20 . 2011-12-21 14:39 221048 ----a-w- c:\windows\system32\drivers\kisknl.sys
2012-11-29 06:27 . 2012-03-25 18:50 18296 ----a-w- c:\windows\system32\drivers\kusbquery64.sys
2012-11-29 06:27 . 2012-03-25 18:50 14200 ----a-w- c:\windows\system32\drivers\kusbquery.sys
2012-11-25 07:11 . 2011-12-21 14:39 31848 ----a-w- c:\windows\system32\drivers\kavbootc64.sys
2012-11-25 07:11 . 2011-12-21 14:39 27240 ----a-w- c:\windows\system32\drivers\kavbootc.sys
2012-10-16 21:20 . 2012-11-27 23:10 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 21:20 . 2012-11-27 23:10 347648 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 20:34 . 2012-11-27 23:10 559104 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-08 11:40 . 2011-12-21 14:39 166776 ----a-w- c:\windows\system32\drivers\kdhacker64.sys
2012-10-08 11:40 . 2011-12-21 14:39 127992 ----a-w- c:\windows\system32\drivers\kdhacker.sys
.
.
((((((((((((((((((((((((((((((((((((( Important load points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0EA37B17-6B8B-4085-8257-F3A4AA69C27A}]
2011-11-24 10:05 79536 ----a-w- t:\xunlei\BHO\XlBrowserAddin1.0.5.64.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_ForbidSync]
@="{2A301372-EF60-4a54-9071-E93655AF2377}"
[HKEY_CLASSES_ROOT\CLSID\{2A301372-EF60-4a54-9071-E93655AF2377}]
2012-03-24 02:31 460664 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_Synced]
@="{7EE556A7-CACD-4a70-8C73-FCFD5BD487F9}"
[HKEY_CLASSES_ROOT\CLSID\{7EE556A7-CACD-4a70-8C73-FCFD5BD487F9}]
2012-03-24 02:31 460664 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_Syncing]
@="{72F4CD64-93FD-42da-BEBC-F516496A1C44}"
[HKEY_CLASSES_ROOT\CLSID\{72F4CD64-93FD-42da-BEBC-F516496A1C44}]
2012-03-24 02:31 460664 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AAADesktopTips]
@="{4562B511-62E9-4533-B7B2-56A8BB10B482}"
[HKEY_CLASSES_ROOT\CLSID\{4562B511-62E9-4533-B7B2-56A8BB10B482}]
2011-12-30 05:37 247408 ----a-w- c:\program files (x86)\Common Files\Thunder Network\Kankan\xappex.1.1.1.38.(478).dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-09-24 825864]
"KSafeTray"="c:\program files (x86)\KSafe\KSafeTray.exe" [2012-09-24 75208]
.
c:\users\tym\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\tym\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ SOGOUPY.IME
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 KSafeSvc;KSafe service;c:\program files (x86)\KSafe\KSafeSvc.exe [2012-09-24 230856]
R3 CntvCBoxService;CNTV CBox Service;c:\program files (x86)\CNTV\CBox\CntvCBoxService.exe [2012-07-23 1241000]
R3 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
R3 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [2010-01-08 23584]
R3 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
R3 ICBC Daemon Service;ICBC Daemon Service;c:\program files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\IcbcDaemon_64.exe [2011-12-26 554112]
R3 ksfmonsys;ksfmonsys;c:\program files (x86)\KSafe\ksfmonsys64.sys [2012-09-24 21360]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 216576]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
R3 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
R3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
R3 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]
R3 Spbslvcta_pa;Spbslvcta_pa; [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TcHardWare;TcHardWare;t:\软件\QQPCMgr\6.8.2393.401\QQPCHW-x64.sys [x]
R3 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2010-01-28 243232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-26 1255736]
R3 XLServicePlatform;XLServicePlatform;c:\windows\system32\svchost [x]
S0 kavbootc;kavbootc;c:\windows\system32\drivers\kavbootc64.sys [2012-11-25 31848]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS [2011-01-27 450680]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS [2011-03-15 912504]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110701.001\BHDrvx64.sys [2011-05-19 1143416]
S1 EncryptedDisk;EncryptedDisk;c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\encrypteddisk-x64.sys [2012-03-24 125544]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20110722.031\IDSvia64.sys [2011-07-07 488056]
S1 KDHacker;KDHacker;t:\金山卫士\kingsoft antivirus\security\kxescan\kdhacker64.sys [2012-10-08 166776]
S1 kmodurl;kmodurl;c:\program files (x86)\KSafe\kmodurl64.sys [2012-09-24 133144]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [2011-01-27 171128]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [2011-04-21 386168]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2010-02-26 841248]
S2 kisknl;kisknl;c:\windows\system32\drivers\kisknl.sys [2012-12-29 221048]
S2 kxescore;Kingsoft Core Service;t:\金山卫士\kingsoft antivirus\kxescore.exe [2012-12-29 153424]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [2011-04-17 130008]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2010-06-28 255744]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-01-07 144896]
S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-10 270848]
S3 TenpayKeyboard;TenpayKeyboard; [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
XLServicePlatform REG_MULTI_SZ XLServicePlatform
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 21:57]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{004B0726-A010-4ABF-8556-FCDB7F1FCA1E}]
2011-11-24 10:06 627888 ----a-w- t:\xunlei\BHO\XunleiBHO647.2.4.3312.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8BCB0605-D909-4c3b-B490-DEFE88BA95FA}]
2011-12-26 21:48 466048 ----a-w- c:\program files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\Icbc_AntiPhishing_64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_ForbidSync]
@="{2A301372-EF60-4a54-9071-E93655AF2377}"
[HKEY_CLASSES_ROOT\CLSID\{2A301372-EF60-4a54-9071-E93655AF2377}]
2012-03-24 02:31 571256 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_Synced]
@="{7EE556A7-CACD-4a70-8C73-FCFD5BD487F9}"
[HKEY_CLASSES_ROOT\CLSID\{7EE556A7-CACD-4a70-8C73-FCFD5BD487F9}]
2012-03-24 02:31 571256 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_Syncing]
@="{72F4CD64-93FD-42da-BEBC-F516496A1C44}"
[HKEY_CLASSES_ROOT\CLSID\{72F4CD64-93FD-42da-BEBC-F516496A1C44}]
2012-03-24 02:31 571256 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hao123.com/?tn=98012088_1_hao_pg
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://www.bing.com/?pc=MAGW
mStart Page = hxxp://www.hao123.com/?tn=98012088_1_hao_pg
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &使用&迅雷下载 (Download with Xunlei) - t:\xunlei\BHO\geturl.htm
IE: &使用&迅雷下载全部链接 (Download all links with Xunlei) - t:\xunlei\BHO\GetAllUrl.htm
IE: &使用&迅雷离线下载 (Offline download with Xunlei) - t:\xunlei\BHO\OfflineDownload.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: 使用光影编辑和美化 (Edit and retouch with nEO iMAGING) - t:\光影魔术手\nEO iMAGING\NeoOpenNeo.htm
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: icbc.com.cn
Trusted Zone: taobao.com
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: taobao.com
DPF: {3AA9CF07-DF20-48FF-98BE-DED276E40146} - hxxps://b2c.icbc.com.cn/icbc/GDReadPub.cab
DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} - hxxps://b2c.icbc.com.cn/icbc/newperbank/AxSafeControls.cab
DPF: {7CCE07A5-A590-4554-B5C3-082840D7012E} - hxxps://b2c.icbc.com.cn/icbc/icbc_gdgetdv.dll
DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} - hxxps://b2c.icbc.com.cn/icbc/ICBC_NetSign.dll
.
.
------- File types -------
.
inifile=c:\windows\SysWow64\NOTEPAD.EXE %1
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{941D90F8-2F14-3EA2-AA01-6ADABA1E623E} - (no file)
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
AddRemove-Tenpay Security Control - c:\program files (x86)\Common Files\Tencent\Paycenter\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000\Software\Microsoft\Internet Explorer\MenuExt\&使用&迅雷下载]
@Allowed: (Read) (RestrictedCode)
@="t:\\xunlei\\BHO\\geturl.htm"
"Name"="xl_geturl"
"Contexts"=dword:00000022
.
[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000\Software\Microsoft\Internet Explorer\MenuExt\&使用&迅雷下载全部链接]
@Allowed: (Read) (RestrictedCode)
@="t:\\xunlei\\BHO\\GetAllUrl.htm"
"Name"="xl_getallurl"
"Contexts"=dword:000000f3
.
[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000\Software\Microsoft\Internet Explorer\MenuExt\&使用&迅雷离线下载]
@Allowed: (Read) (RestrictedCode)
@="t:\\xunlei\\BHO\\OfflineDownload.htm"
"Name"="xl_offlinedownload"
"Contexts"=dword:00000022
.
[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\t:\oöN\Ðrørzl*e*a*w*o*v*i*d*e*o*c*o*n*v*e*r*t*e*r*_*c*h*s*-*v*4*.*2*\Video Converter\imageformats]
"qgif4.dll"=multi:"2011-12-08T16:04\00gif\00\00"
"qico4.dll"=multi:"2011-12-08T16:05\00ico\00\00"
"qjpeg4.dll"=multi:"2011-12-08T16:04\00jpeg\00jpg\00\00"
"qmng4.dll"=multi:"2011-12-08T16:05\00mng\00\00"
"qtiff4.dll"=multi:"2011-12-08T16:05\00tiff\00tif\00\00"
.
[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\t:\oön\Ðrørzl*e*a*w*o*v*i*d*e*o*c*o*n*v*e*r*t*e*r*_*c*h*s*-*v*4*.*2*\Video Converter\imageformats]
"qgif4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:04\00\00"
"qico4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:05\00\00"
"qjpeg4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:04\00\00"
"qmng4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:05\00\00"
"qsvg4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:05\00\00"
"qtiff4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:05\00\00"
.
[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000_Classes\Å•,a÷ç"”ð\?a*v*i*_*a*u*t*o*_*f*i*l*e*\shell]
@="Play"
.
[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000_Classes\Å•,a÷ç"”ð\?a*v*i*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"\"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\" /Open \"%L\""
.
[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000_Classes\Å•,a÷ç"”ð\?a*v*i*_*a*u*t*o*_*f*i*l*e*\shell\play]
@="&Play"
"MUIVerb"=expand:"@%SystemRoot%\\system32\\unregmp2.exe,-9991"
.
[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000_Classes\Å•,a÷ç"”ð\?a*v*i*_*a*u*t*o*_*f*i*l*e*\shell\play\command]
@=expand:"\"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\" /Play \"%L\""
DUMPHIVE0.003 (REGF)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-04 10:02:08
ComboFix-quarantined-files.txt 2013-01-04 15:02
.
Pre-Run: 96,214,614,016 bytes free
Post-Run: 95,954,792,448 bytes free
.
- - End Of File - - 119000356624286112DCE15DB8D51D53
-
Yes, it starts normally! Sorry, I was waiting for the next instruction.
So are there any other steps I should do, e.g. run an MBAM scan, or is it all set?
And how can I prevent this from happening in the future?
Really appreciate your help!
-
Here is the Fixlog.txt:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-12-2012
Ran by SYSTEM at 2013-01-04 08:51:28 Run:1
Running from I:\
==============================================
HKEY_USERS\tym\Software\Microsoft\Windows\CurrentVersion\Run\\uhhcskwy Value deleted successfully.
HKEY_USERS\tym\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
C:\Users\tym\AppData\Roaming\_bd_uylzs.exe moved successfully.
C:\Users\All Users\_bd_uylzs.exe moved successfully.
C:\Users\tym\AppData\Local\_bd_uylzs.exe moved successfully.
C:\Users\All Users\_bd_uylzs.exe not found.
C:\Users\tym\AppData\Roaming\_bd_uylzs.exe not found.
C:\Users\tym\AppData\Local\_bd_uylzs.exe not found.
==== End of Fixlog ====
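The three registry values this fix removed are a classic user-level persistence set: a Run value pointing at a randomly named file under the user's profile, a Winlogon Shell value with a second program appended after explorer.exe (Shell accepts a comma-separated list, so the extra program is started at every logon alongside the shell), and a DisableTaskMgr policy so the payload cannot be killed from Task Manager. The script below is an added example for this thread, not FRST's code and not from the original posts: it reads FRST-style "Registry (Whitelisted)" lines, flags those three patterns plus autoruns launched from user-writable folders, and emits the lines one would paste into fixlist.txt. The sample lines are copied from the FRST.txt posted further down in this thread; the user-writable-folder heuristic and the ".exe" completion are this example's own assumptions.

```python
"""Triage FRST "Registry (Whitelisted)" lines for user-level persistence and
turn the hits into fixlist.txt lines.

Added example for this thread: not FRST code and not from the original posts.
SAMPLE_FRST is copied from the FRST.txt posted in the thread; the
user-writable-folder heuristic and the ".exe" completion are this example's.
"""
import re

# Sample input: registry lines copied from the posted FRST.txt.
SAMPLE_FRST = r"""
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [825864 2009-09-24] (Dritek System Inc.)
HKLM-x32\...\Run: [KSafeTray] "C:\Program files (x86)\KSafe\KSafeTray.exe" -autorun [75208 2012-09-23] (Kingsoft Corporation)
HKU\tym\...\Run: [uhhcskwy] C:\Users\tym\AppData\Roaming\_bd_uylzs [x]
HKU\tym\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [shell] explorer.exe, C:\ProgramData\_bd_uylzs [x ] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.10.1
"""

# <hive path>\...\<kind>: [<value name>] <data> <trailer>
LINE_RE = re.compile(
    r"^(?P<key>HK[^:]*?)\\\.\.\.\\(?P<kind>[^:]+): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# FRST ends each entry with "[size date] (Company)", or "[x]" / "[x ] ()" when
# it could not find the file. Strip that to get the bare command or value.
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*(\([^)]*\))?\s*$")
MISSING_FILE_RE = re.compile(r"\[x\s*\]")
# Folders an unprivileged user can write to (heuristic, this example's own).
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Users\\All Users|Temp)\\", re.I)
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^,\"]+")


def target_of(rest):
    """Return the command or value with FRST's trailer removed."""
    return TRAILER_RE.sub("", rest).strip()


def triage(frst_text):
    """Return findings as dicts {name, kind, reason, target, line}."""
    findings = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # not a registry autorun line (e.g. Tcpip\Parameters)
        kind, name, target = m["kind"], m["name"], target_of(m["rest"])
        reason = None
        if kind == "Winlogon" and name.lower() == "shell":
            # Default is exactly "explorer.exe"; Shell accepts a comma-separated
            # list, so anything appended is started at every logon too.
            if target.lower() != "explorer.exe":
                reason = "Winlogon Shell hijack"
        elif kind in ("Run", "RunOnce"):
            if MISSING_FILE_RE.search(m["rest"]):
                reason = "Run entry whose file FRST could not find"
            elif USER_WRITABLE_RE.search(target):
                reason = "Run entry launched from a user-writable folder"
        elif kind.lower() == r"policies\system" and name == "DisableTaskMgr" and target == "1":
            reason = "Task Manager disabled by policy"
        if reason:
            findings.append({"name": name, "kind": kind, "reason": reason,
                             "target": target, "line": line})
    return findings


def build_fixlist(findings):
    """FRST accepts scan lines copied verbatim into fixlist.txt (it deletes the
    value, or restores Winlogon Shell to its default) and bare file paths to
    quarantine. A Run value without an extension is resolved by CreateProcess
    with ".exe" appended, so that variant is listed as well."""
    lines = [f["line"] for f in findings]
    for f in findings:
        for path in WIN_PATH_RE.findall(f["target"]):
            path = path.strip()
            candidates = [path]
            if "." not in path.rsplit("\\", 1)[-1]:
                candidates.append(path + ".exe")
            for c in candidates:
                if c not in lines:
                    lines.append(c)
    return lines


if __name__ == "__main__":
    found = triage(SAMPLE_FRST)
    for f in found:
        print(f"{f['reason']}: [{f['name']}] {f['target']}")
    print("\n--- fixlist.txt ---")
    print("\n".join(build_fixlist(found)))
```

Run as a script, it prints the three hits and a seven-line fixlist: the three scan lines plus both _bd_uylzs paths with and without ".exe". FRST processes fixlist.txt from the folder it runs in and simply reports "not found" for any path that does not exist, which is exactly what the Fixlog above shows for the duplicate entries.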
-
Hi MrC, thanks a lot!
Here are the FRST.txt and Search.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-12-2012
Ran by SYSTEM at 04-01-2013 02:31:43
Running from I:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001
==================== Registry (Whitelisted) ===================
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [825864 2009-09-24] (Dritek System Inc.)
HKLM-x32\...\Run: [KSafeTray] "C:\Program files (x86)\KSafe\KSafeTray.exe" -autorun [75208 2012-09-23] (Kingsoft Corporation)
HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [154144 2009-12-16] ()
HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [154144 2009-12-16] ()
HKU\tym\...\Run: [uhhcskwy] C:\Users\tym\AppData\Roaming\_bd_uylzs [x]
HKU\tym\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [shell] explorer.exe, C:\ProgramData\_bd_uylzs [x ] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.10.1
Startup: C:\Users\tym\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
==================== Services (Whitelisted) ===================
3 Adobe LM Service; "C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" [68096 2011-07-12] ()
3 CntvCBoxService; "C:\Program Files (x86)\CNTV\CBox\CntvCBoxService.exe" [1241000 2012-07-23] (???????)
3 ICBC Daemon Service; C:\Program Files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\IcbcDaemon_64.exe [554112 2011-12-26] ()
2 KSafeSvc; "C:\Program files (x86)\KSafe\KSafeSvc.exe" -svc [230856 2012-09-23] (Kingsoft Corporation)
2 McAfeeEngineService; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe" [19720 2009-08-31] (McAfee, Inc.)
2 McAfeeFramework; "C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe" /ServiceStart [103744 2009-05-18] (McAfee, Inc.)
2 McShield; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe" [178920 2009-08-31] (McAfee, Inc.)
2 McTaskManager; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe" [66896 2009-08-31] (McAfee, Inc.)
2 mfevtp; C:\Windows\system32\mfevtps.exe [79504 2009-08-31] (McAfee, Inc.)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
3 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
3 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [87728 2011-11-24] (ShenZhen Xunlei Networking Technologies,LTD)
2 kxescore; "C:\????\kingsoft antivirus\kxescore.exe" /service kxescore [x]
==================== Drivers (Whitelisted) =====================
1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110701.001\BHDrvx64.sys [1143416 2011-05-19] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-25] (Symantec Corporation)
1 EncryptedDisk; \??\C:\Users\tym\AppData\Roaming\Kingsoft\klive\bin\encrypteddisk-x64.sys [125544 2012-03-23] ()
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20110722.031\IDSvia64.sys [488056 2011-07-07] (Symantec Corporation)
0 kavbootc; C:\Windows\System32\Drivers\kavbootc.sys [27240 2012-11-24] (Kingsoft Corporation)
1 KDHacker; C:\Windows\System32\Drivers\KDHacker.sys [127992 2012-10-08] (Kingsoft Corporation)
2 kisknl; C:\Windows\System32\Drivers\kisknl.sys [221048 2012-12-28] (Kingsoft Corporation)
1 kmodurl; C:\Windows\System32\Drivers\kmodurl.sys [111048 2012-09-23] (Kingsoft Corporation)
3 ksfmonsys; \??\C:\Program Files (x86)\KSafe\ksfmonsys64.sys [21360 2012-09-23] (Kingsoft Corporation)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [97576 2009-08-31] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [119968 2009-08-31] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [469144 2009-08-31] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [77104 2009-08-31] (McAfee, Inc.)
1 mfetdik; C:\Windows\System32\Drivers\mfetdik.sys [83784 2009-08-31] (McAfee, Inc.)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20110723.002\ENG64.SYS [117880 2011-07-14] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20110723.002\EX64.SYS [2011768 2011-07-14] (Symantec Corporation)
3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-25] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)
3 TenpayKeyboard; C:\Windows\System32\Drivers\TenpayKeyboard.sys [29312 2012-06-10] (tenpay.com)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
2 MCSTRM; [x]
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]
3 Spbslvcta_pa; [x]
3 TcHardWare; \??\T:\??\QQPCMgr\6.8.2393.401\QQPCHW-x64.sys [x]
3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]
==================== NetSvcs (Whitelisted) ====================
==================== One Month Created Files and Folders ========
2012-12-31 04:12 - 2012-12-31 04:12 - 00003352 ____N C:\bootsqm.dat
2012-12-29 19:53 - 2013-01-02 16:21 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Roaming\_bd_uylzs.exe
2012-12-29 19:53 - 2013-01-02 16:17 - 00000280 ____A C:\Windows\setupact.log
2012-12-29 19:53 - 2012-12-29 19:53 - 00000354 ____A C:\Windows\PFRO.log
2012-12-29 19:53 - 2012-12-29 19:53 - 00000000 ____A C:\Windows\setuperr.log
2012-12-29 19:51 - 2013-01-02 17:07 - 00237056 ____A (NeoSmart Technologies) C:\Users\All Users\_bd_uylzs.exe
2012-12-29 19:51 - 2013-01-02 16:21 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Local\_bd_uylzs.exe
2012-12-27 06:42 - 2012-12-27 06:42 - 00000000 ____D C:\Users\tym\AppData\Local\{9F7D2EBB-3441-4794-8237-8E9D319D35BB}
2012-12-26 04:46 - 2012-12-23 19:05 - 00137632 ____A (Tencent) C:\Windows\SysWOW64\Drivers\QQProtect.sys
2012-12-21 06:31 - 2012-12-16 08:52 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-21 06:31 - 2012-12-16 06:40 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-21 06:31 - 2012-12-16 06:25 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-21 06:31 - 2012-12-16 06:25 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-20 05:19 - 2012-12-20 05:19 - 00000000 ____D C:\Users\tym\AppData\Local\{5E3060F0-0C09-4B95-9877-68B2E4581226}
2012-12-19 11:48 - 2012-12-19 11:48 - 00000000 ____D C:\Users\tym\AppData\Local\{63F6D928-4D6F-4AD1-9BEB-921D01D84D6A}
2012-12-19 07:35 - 2012-12-19 07:35 - 00000000 ____D C:\Users\tym\AppData\Local\{683EC243-2875-44E0-AE48-791B3750FB65}
2012-12-18 05:29 - 2012-12-18 05:29 - 00000000 ____D C:\Users\tym\AppData\Local\{3D929235-54C5-42F8-89BD-19F7489671E4}
2012-12-17 06:27 - 2012-12-17 06:27 - 00000000 ____D C:\Users\tym\AppData\Local\{C6215F33-CC04-413E-A681-6C18C307CC24}
2012-12-14 05:33 - 2012-12-14 05:34 - 00000000 ____D C:\Users\tym\AppData\Local\{56192237-06F2-4CEC-A489-4CB95E3215AD}
2012-12-13 05:26 - 2012-12-13 05:27 - 00000000 ____D C:\Users\tym\AppData\Local\{928A7C5F-2C15-4D50-BDCB-CF8ABF6A4CE5}
2012-12-12 05:41 - 2012-12-12 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{F2F85F28-D8E8-4290-A3C2-9CB8D5E3F3B6}
2012-12-12 04:34 - 2012-11-08 21:34 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-12-12 04:34 - 2012-11-08 20:49 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-12-12 04:33 - 2012-09-06 09:38 - 00295792 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\volsnap.sys
2012-12-11 16:35 - 2012-11-01 21:27 - 00478208 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2012-12-11 16:35 - 2012-11-01 20:48 - 00376832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll
2012-12-11 16:25 - 2012-10-04 09:35 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2012-12-11 16:25 - 2012-10-04 06:49 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2012-12-11 16:22 - 2012-10-04 09:38 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2012-12-11 16:22 - 2012-10-04 09:38 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2012-12-11 16:22 - 2012-10-04 09:38 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-12-11 16:22 - 2012-10-04 09:38 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2012-12-11 16:22 - 2012-10-04 09:32 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-12-11 16:22 - 2012-10-04 09:32 - 00425984 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:54 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2012-12-11 16:22 - 2012-10-04 08:54 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2012-12-11 16:22 - 2012-10-04 08:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 07:19 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-12-11 16:22 - 2012-10-04 06:49 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2012-12-11 16:22 - 2012-10-04 06:49 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2012-12-11 16:22 - 2012-10-04 06:49 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2012-12-11 16:22 - 2012-10-04 06:44 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 06:44 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 06:44 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2012-12-11 16:22 - 2012-10-04 06:44 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2012-12-11 16:12 - 2012-11-22 00:20 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-12-11 15:52 - 2012-11-13 22:11 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-12-11 15:52 - 2012-11-13 22:04 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-12-11 15:52 - 2012-11-13 22:04 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-11 15:52 - 2012-11-13 22:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-12-11 15:52 - 2012-11-13 22:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-12-11 15:52 - 2012-11-13 21:59 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-12-11 15:52 - 2012-11-13 21:58 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-12-11 15:52 - 2012-11-13 21:57 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-12-11 15:52 - 2012-11-13 21:57 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-12-11 15:52 - 2012-11-13 21:55 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-12-11 15:52 - 2012-11-13 21:53 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-12-11 15:52 - 2012-11-13 21:52 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-12-11 15:52 - 2012-11-13 21:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-11 15:52 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-12-11 15:52 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-12-11 15:52 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-12-11 15:52 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-12-11 15:52 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-12-11 15:52 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-12-11 15:52 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-12-11 15:52 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-12-11 15:52 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-12-11 15:52 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-12-11 15:52 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-12-11 15:52 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-12-11 15:51 - 2012-11-13 23:06 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-12-11 15:51 - 2012-11-13 22:32 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-12-11 15:51 - 2012-11-13 21:55 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-12-11 15:51 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-12-11 15:51 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-12-11 15:51 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-12-11 15:51 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-12-11 06:40 - 2012-12-11 06:40 - 00000000 ____D C:\Users\tym\AppData\Local\{4FA07EC4-85F0-4FA4-92A6-3C84619D1E76}
2012-12-10 06:28 - 2012-12-10 06:28 - 00000000 ____D C:\Users\tym\AppData\Local\{423AF44E-AAB2-41FF-98F0-AFD9151F3233}
2012-12-08 05:56 - 2012-12-08 05:56 - 00000000 ____D C:\Users\tym\AppData\Local\{F9814C92-394F-4810-975D-087B15C4BE84}
2012-12-07 05:41 - 2012-12-07 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{CE7D4F68-6122-485D-AC66-7C830CA57217}
2012-12-06 07:41 - 2012-12-06 07:41 - 00000000 ____D C:\Windows\Easyrecovery
2012-12-06 05:32 - 2012-12-06 05:33 - 00000000 ____D C:\Users\tym\AppData\Local\{E04E32D8-EF73-4A2B-99F3-CD7C7E8479BE}
2012-12-05 05:57 - 2012-12-05 05:58 - 00000000 ____D C:\Users\tym\AppData\Local\{DF64FEEC-CE0A-4827-945B-1B90BB2A0FB2}
==================== One Month Modified Files and Folders =======
2013-01-02 17:07 - 2012-12-29 19:51 - 00237056 ____A (NeoSmart Technologies) C:\Users\All Users\_bd_uylzs.exe
2013-01-02 16:21 - 2012-12-29 19:53 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Roaming\_bd_uylzs.exe
2013-01-02 16:21 - 2012-12-29 19:51 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Local\_bd_uylzs.exe
2013-01-02 16:17 - 2012-12-29 19:53 - 00000280 ____A C:\Windows\setupact.log
2013-01-02 16:17 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-31 04:12 - 2012-12-31 04:12 - 00003352 ____N C:\bootsqm.dat
2012-12-29 19:54 - 2011-05-25 00:55 - 00000000 ____D C:\Users\tym\AppData\Roaming\Dropbox
2012-12-29 19:53 - 2012-12-29 19:53 - 00000354 ____A C:\Windows\PFRO.log
2012-12-29 19:53 - 2012-12-29 19:53 - 00000000 ____A C:\Windows\setuperr.log
2012-12-29 18:45 - 2011-11-21 01:11 - 00000000 ____D C:\QUARANTINE
2012-12-29 18:37 - 2011-05-25 01:12 - 00000000 ____D C:\Users\tym\Documents\Tencent Files
2012-12-29 16:40 - 2011-11-22 00:31 - 00000000 ____D C:\Program Files (x86)\KSafe
2012-12-29 16:34 - 2011-11-22 00:33 - 00000000 ____D C:\Users\All Users\KSafe
2012-12-29 16:23 - 2009-07-13 21:13 - 00727334 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-29 16:19 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-29 16:19 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-29 16:10 - 2011-05-25 00:57 - 00000000 ___RD C:\Users\tym\Dropbox
2012-12-28 20:21 - 2011-12-21 06:39 - 00083320 ____A (Kingsoft Corporation) C:\Windows\System32\Drivers\ksapi.sys
2012-12-28 20:20 - 2011-12-21 06:39 - 00221048 ____A (Kingsoft Corporation) C:\Windows\System32\Drivers\kisknl.sys
2012-12-28 19:39 - 2011-05-25 23:11 - 00000000 ____D C:\Users\tym\AppData\Roaming\Skype
2012-12-28 17:08 - 2011-11-25 23:21 - 00000739 ____A C:\Users\tym\Desktop\??7.lnk
2012-12-27 06:42 - 2012-12-27 06:42 - 00000000 ____D C:\Users\tym\AppData\Local\{9F7D2EBB-3441-4794-8237-8E9D319D35BB}
2012-12-27 06:42 - 2011-05-25 01:10 - 00000000 ____D C:\Users\tym\AppData\Local\Windows Live
2012-12-26 11:37 - 2012-11-10 10:58 - 00020992 ____A C:\Users\tym\Desktop\????.xls
2012-12-26 11:37 - 2011-05-25 19:14 - 00000000 ____D C:\Users\All Users\Tencent
2012-12-25 19:55 - 2011-11-22 05:44 - 00000000 __SHD C:\KRECYCLE
2012-12-24 04:12 - 2011-05-25 01:02 - 00000000 ____D C:\Program Files (x86)\SogouExtension
2012-12-23 19:05 - 2012-12-26 04:46 - 00137632 ____A (Tencent) C:\Windows\SysWOW64\Drivers\QQProtect.sys
2012-12-22 16:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-12-21 17:29 - 2009-07-13 20:45 - 00299136 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-20 05:19 - 2012-12-20 05:19 - 00000000 ____D C:\Users\tym\AppData\Local\{5E3060F0-0C09-4B95-9877-68B2E4581226}
2012-12-19 11:48 - 2012-12-19 11:48 - 00000000 ____D C:\Users\tym\AppData\Local\{63F6D928-4D6F-4AD1-9BEB-921D01D84D6A}
2012-12-19 07:35 - 2012-12-19 07:35 - 00000000 ____D C:\Users\tym\AppData\Local\{683EC243-2875-44E0-AE48-791B3750FB65}
2012-12-18 05:29 - 2012-12-18 05:29 - 00000000 ____D C:\Users\tym\AppData\Local\{3D929235-54C5-42F8-89BD-19F7489671E4}
2012-12-17 06:27 - 2012-12-17 06:27 - 00000000 ____D C:\Users\tym\AppData\Local\{C6215F33-CC04-413E-A681-6C18C307CC24}
2012-12-16 22:25 - 2011-06-05 06:25 - 00000000 ____D C:\Users\tym\AppData\Roaming\EndNote
2012-12-16 08:52 - 2012-12-21 06:31 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-16 06:40 - 2012-12-21 06:31 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-16 06:25 - 2012-12-21 06:31 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-16 06:25 - 2012-12-21 06:31 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-14 05:34 - 2012-12-14 05:33 - 00000000 ____D C:\Users\tym\AppData\Local\{56192237-06F2-4CEC-A489-4CB95E3215AD}
2012-12-13 11:47 - 2011-05-25 19:30 - 00000000 ____D C:\Users\tym\AppData\Local\CrashDumps
2012-12-13 05:27 - 2012-12-13 05:26 - 00000000 ____D C:\Users\tym\AppData\Local\{928A7C5F-2C15-4D50-BDCB-CF8ABF6A4CE5}
2012-12-12 19:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-12-12 10:20 - 2009-07-13 18:34 - 00000633 ____A C:\Windows\win.ini
2012-12-12 05:41 - 2012-12-12 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{F2F85F28-D8E8-4290-A3C2-9CB8D5E3F3B6}
2012-12-11 06:40 - 2012-12-11 06:40 - 00000000 ____D C:\Users\tym\AppData\Local\{4FA07EC4-85F0-4FA4-92A6-3C84619D1E76}
2012-12-10 06:28 - 2012-12-10 06:28 - 00000000 ____D C:\Users\tym\AppData\Local\{423AF44E-AAB2-41FF-98F0-AFD9151F3233}
2012-12-08 20:42 - 2011-05-25 01:22 - 00000000 ____D C:\Users\tym\AppData\Roaming\SoftGrid Client
2012-12-08 05:56 - 2012-12-08 05:56 - 00000000 ____D C:\Users\tym\AppData\Local\{F9814C92-394F-4810-975D-087B15C4BE84}
2012-12-07 05:41 - 2012-12-07 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{CE7D4F68-6122-485D-AC66-7C830CA57217}
2012-12-06 09:20 - 2011-12-05 10:37 - 00000915 ____A C:\Users\tym\AppData\Roaming\coreavc.ini
2012-12-06 07:41 - 2012-12-06 07:41 - 00000000 ____D C:\Windows\Easyrecovery
2012-12-06 05:33 - 2012-12-06 05:32 - 00000000 ____D C:\Users\tym\AppData\Local\{E04E32D8-EF73-4A2B-99F3-CD7C7E8479BE}
2012-12-05 05:58 - 2012-12-05 05:57 - 00000000 ____D C:\Users\tym\AppData\Local\{DF64FEEC-CE0A-4827-945B-1B90BB2A0FB2}
==================== Known DLLs (Whitelisted) =================
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-12 04:33] - [2012-09-06 09:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2012-12-04 04:11:54
Restore point made on: 2012-12-07 18:59:08
Restore point made on: 2012-12-11 04:02:35
Restore point made on: 2012-12-11 15:51:39
Restore point made on: 2012-12-11 16:02:21
Restore point made on: 2012-12-11 16:12:19
Restore point made on: 2012-12-11 16:21:56
Restore point made on: 2012-12-11 16:34:54
Restore point made on: 2012-12-12 10:16:00
Restore point made on: 2012-12-18 06:48:03
Restore point made on: 2012-12-21 06:31:39
Restore point made on: 2012-12-25 05:44:43
==================== Memory info ===========================
Percentage of memory in use: 22%
Total physical RAM: 3000.93 MB
Available physical RAM: 2331.84 MB
Total Pagefile: 2999.08 MB
Available Pagefile: 2322.74 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
==================== Partitions =============================
1 Drive c: (Gateway) (Fixed) (Total:145.9 GB) (Free:89 GB) NTFS
2 Drive d: (New Volume) (Fixed) (Total:100.03 GB) (Free:14.32 GB) NTFS
3 Drive e: (New Volume) (Fixed) (Total:39.06 GB) (Free:38.97 GB) NTFS
4 Drive g: (PQSERVICE) (Fixed) (Total:13 GB) (Free:2 GB) NTFS
6 Drive i: (USB_SEEKER) (Removable) (Total:1.93 GB) (Free:1.41 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 2048 KB
Disk 1 Online 1986 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 13 GB 1024 KB
Partition 2 Primary 100 MB 13 GB
Partition 3 Primary 145 GB 13 GB
Partition 0 Extended 139 GB 158 GB
Partition 4 Logical 100 GB 158 GB
Partition 5 Logical 39 GB 259 GB
==================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 G PQSERVICE NTFS Partition 13 GB Healthy Hidden
=========================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy
=========================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Gateway NTFS Partition 145 GB Healthy
=========================================================
Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D New Volume NTFS Partition 100 GB Healthy
=========================================================
Disk: 0
Partition 5
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E New Volume NTFS Partition 39 GB Healthy
=========================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1984 MB 31 KB
==================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 I USB_SEEKER FAT32 Removable 1984 MB Healthy
=========================================================
Last Boot: 2012-12-25 06:11
==================== End Of Log =============================
Farbar Recovery Scan Tool (x64) Version: 31-12-2012
Ran by SYSTEM at 2013-01-04 02:33:59
Running from I:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
====== End Of Search ======
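Two of the comparisons in the log above are worth automating when you work through FRST output by hand: whether the copy of a critical binary in System32 still carries the same MD5 as the pristine copy in the WinSxS component store (the purpose of the "Search: services.exe" and "Bamital & volsnap Check" sections), and whether an executable created in the last month was dropped into several user-writable profile folders at once, as the three identically sized `_bd_uylzs.exe` entries were. The Python below is an added example written for this page; it is not part of the forum post and not FRST code. The function names, the list of user-writable folder markers, the executable extensions and the "tampered" sample are assumptions made for the example. The sample input is copied from the log above, and a hit is a lead to inspect, not a verdict that the file is malicious.

```python
import re
from collections import defaultdict

# Sample input: the two copies of services.exe as listed in the FRST "Search" section above.
SEARCH_SECTION = r"""
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
"""

# Constructed negative case (not from the machine): the same listing with the
# System32 hash altered, to show what a patched services.exe would look like.
_lines = SEARCH_SECTION.strip().splitlines()
_lines[3] = _lines[3][:-32] + "F" * 32
TAMPERED_SEARCH = "\n".join(_lines)

# Sample input copied from the "One Month Created Files and Folders" section above.
CREATED_SECTION = r"""
2012-12-31 04:12 - 2012-12-31 04:12 - 00003352 ____N C:\bootsqm.dat
2012-12-29 19:53 - 2013-01-02 16:21 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Roaming\_bd_uylzs.exe
2012-12-29 19:51 - 2013-01-02 17:07 - 00237056 ____A (NeoSmart Technologies) C:\Users\All Users\_bd_uylzs.exe
2012-12-29 19:51 - 2013-01-02 16:21 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Local\_bd_uylzs.exe
2012-12-27 06:42 - 2012-12-27 06:42 - 00000000 ____D C:\Users\tym\AppData\Local\{9F7D2EBB-3441-4794-8237-8E9D319D35BB}
2012-12-26 04:46 - 2012-12-23 19:05 - 00137632 ____A (Tencent) C:\Windows\SysWOW64\Drivers\QQProtect.sys
2012-12-21 06:31 - 2012-12-16 08:52 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
"""

# "[created] - [modified] - size attrs (company) MD5", as printed under a Search heading.
DETAIL_RE = re.compile(
    r'^\[(.+?)\] - \[(.+?)\] - (\d+) (\S+) (?:\((.*?)\) )?([0-9A-Fa-f]{32})$')
# "created - modified - size attrs (company) path", as printed in the file listings.
FILE_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - '
    r'(\d+) (\S+) (?:\((.*?)\) )?(.+)$')

# Assumed heuristics: folders any user process can write to, and PE extensions.
USER_WRITABLE = ('\\appdata\\', '\\users\\all users\\', '\\programdata\\')
PE_EXT = ('.exe', '.dll', '.sys', '.scr')


def parse_search_section(text):
    """Return (path, MD5) pairs; FRST prints each hit as a path line then a detail line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for path_line, detail_line in zip(lines[::2], lines[1::2]):
        m = DETAIL_RE.match(detail_line)
        if not m:
            raise ValueError("unexpected detail line: " + detail_line)
        entries.append((path_line, m.group(6).upper()))
    return entries


def hash_mismatches(text):
    """Paths whose MD5 differs from every WinSxS copy of the same file name.

    The component-store copy is the reference; a System32 copy with a
    different hash was changed on disk (patched, replaced or infected)
    without Windows servicing being involved."""
    by_name = defaultdict(list)
    for path, md5 in parse_search_section(text):
        by_name[path.rsplit('\\', 1)[-1].lower()].append((path, md5))
    flagged = []
    for copies in by_name.values():
        refs = {md5 for path, md5 in copies if '\\winsxs\\' in path.lower()}
        if not refs:
            continue  # nothing to compare against
        flagged += [path for path, md5 in copies
                    if '\\winsxs\\' not in path.lower() and md5 not in refs]
    return flagged


def replicated_user_executables(text):
    """Map file name -> paths for executables created under user-writable
    profile folders that appear in more than one place with the same size.

    One binary copied into several profile/ProgramData locations is a
    common persistence pattern, so each hit is a lead to examine."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        size, attrs, path = int(m.group(3)), m.group(4), m.group(6).strip()
        low = path.lower()
        if 'D' in attrs or not low.endswith(PE_EXT):
            continue  # directories and non-PE files are out of scope
        if any(marker in low for marker in USER_WRITABLE):
            seen[(low.rsplit('\\', 1)[-1], size)].add(path)
    return {name: sorted(paths) for (name, _), paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    print("mismatches (log above):", hash_mismatches(SEARCH_SECTION))
    print("mismatches (tampered sample):", hash_mismatches(TAMPERED_SEARCH))
    for name, paths in replicated_user_executables(CREATED_SECTION).items():
        print(name, "->", *paths, sep="\n  ")
```

On the log above the first check is clean (both hashes are 24ACB7E5BE595468E3B9AA488B9B4FCB) and the second check returns the three `_bd_uylzs.exe` paths; with a real log you would paste the relevant FRST sections into the two constants, or read them from the FRST.txt and Search.txt files on the flash drive.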
-
Thanks, MrC, for your help! I have downloaded the tools to a flash drive and will try them when I get home.
Are the logs only written to the flash drive? If so, I may have to reply to you tomorrow with the log files. I will bring the infected laptop to work tomorrow so that I can try your tools instantly.
Thanks again!
-
Hi,
My Windows 7 laptop is infected by the FBI greendot virus. I can't access safe mode, safe mode with networking, or safe mode with command prompt at all. They all bring up the FBI warning screen.
The dvd drive is broken, so I can't try the system disk either.
I think the only option left is to fix it using tools on a flash drive? Please help!
Thanks a lot!!
infected by FBI greendot virus, no safe mode at all, please help!
in Resolved Malware Removal Logs
MrC, I just sent a donation to you. Thanks so much again for your help!!