
infected by FBI greendot virus, no safe mode at all, please help!


tym


Hi,

My Windows 7 laptop is infected by the FBI greendot virus. I can't access safe mode, safe mode with networking, or safe mode with command prompt at all. They all bring up the FBI warning screen.

The dvd drive is broken, so I can't try the system disk either.

I think the only option left is to fix using tools on a flash drive? Please help!

Thanks a lot!!


Welcome to the forum, we'll get it fixed for you....

See if you can do this >>>>

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file. Close out this message, then type the following into the search box:

    services.exe

  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

MrC


Thanks MrC for your help! I have downloaded the tools to a flash drive and will try when I get home.

Are the logs only written to the flash drive? If so, I may have to reply to you tomorrow with the log files. I will bring the infected laptop to work tomorrow so that I can try your tools instantly.

Thanks again!


Hi MrC, thanks a lot!

Here are the FRST.txt and Search.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-12-2012

Ran by SYSTEM at 04-01-2013 02:31:43

Running from I:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [825864 2009-09-24] (Dritek System Inc.)

HKLM-x32\...\Run: [KSafeTray] "C:\Program files (x86)\KSafe\KSafeTray.exe" -autorun [75208 2012-09-23] (Kingsoft Corporation)

HKU\Default\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [154144 2009-12-16] ()

HKU\Default User\...\RunOnce: [scrSav] C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe /default [154144 2009-12-16] ()

HKU\tym\...\Run: [uhhcskwy] C:\Users\tym\AppData\Roaming\_bd_uylzs [x]

HKU\tym\...\Policies\system: [DisableTaskMgr] 1

HKLM\...\Winlogon: [shell] explorer.exe, C:\ProgramData\_bd_uylzs [x ] ()

Tcpip\Parameters: [DhcpNameServer] 192.168.10.1

Startup: C:\Users\tym\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ===================

3 Adobe LM Service; "C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" [68096 2011-07-12] ()

3 CntvCBoxService; "C:\Program Files (x86)\CNTV\CBox\CntvCBoxService.exe" [1241000 2012-07-23] (???????)

3 ICBC Daemon Service; C:\Program Files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\IcbcDaemon_64.exe [554112 2011-12-26] ()

2 KSafeSvc; "C:\Program files (x86)\KSafe\KSafeSvc.exe" -svc [230856 2012-09-23] (Kingsoft Corporation)

2 McAfeeEngineService; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe" [19720 2009-08-31] (McAfee, Inc.)

2 McAfeeFramework; "C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe" /ServiceStart [103744 2009-05-18] (McAfee, Inc.)

2 McShield; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe" [178920 2009-08-31] (McAfee, Inc.)

2 McTaskManager; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe" [66896 2009-08-31] (McAfee, Inc.)

2 mfevtp; C:\Windows\system32\mfevtps.exe [79504 2009-08-31] (McAfee, Inc.)

2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)

3 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)

3 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [87728 2011-11-24] (ShenZhen Xunlei Networking Technologies,LTD)

2 kxescore; "C:\????\kingsoft antivirus\kxescore.exe" /service kxescore [x]

==================== Drivers (Whitelisted) =====================

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110701.001\BHDrvx64.sys [1143416 2011-05-19] (Symantec Corporation)

1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [481912 2011-05-25] (Symantec Corporation)

1 EncryptedDisk; \??\C:\Users\tym\AppData\Roaming\Kingsoft\klive\bin\encrypteddisk-x64.sys [125544 2012-03-23] ()

1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20110722.031\IDSvia64.sys [488056 2011-07-07] (Symantec Corporation)

0 kavbootc; C:\Windows\System32\Drivers\kavbootc.sys [27240 2012-11-24] (Kingsoft Corporation)

1 KDHacker; C:\Windows\System32\Drivers\KDHacker.sys [127992 2012-10-08] (Kingsoft Corporation)

2 kisknl; C:\Windows\System32\Drivers\kisknl.sys [221048 2012-12-28] (Kingsoft Corporation)

1 kmodurl; C:\Windows\System32\Drivers\kmodurl.sys [111048 2012-09-23] (Kingsoft Corporation)

3 ksfmonsys; \??\C:\Program Files (x86)\KSafe\ksfmonsys64.sys [21360 2012-09-23] (Kingsoft Corporation)

3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [97576 2009-08-31] (McAfee, Inc.)

3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [119968 2009-08-31] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [469144 2009-08-31] (McAfee, Inc.)

3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [77104 2009-08-31] (McAfee, Inc.)

1 mfetdik; C:\Windows\System32\Drivers\mfetdik.sys [83784 2009-08-31] (McAfee, Inc.)

3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20110723.002\ENG64.SYS [117880 2011-07-14] (Symantec Corporation)

3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20110723.002\EX64.SYS [2011768 2011-07-14] (Symantec Corporation)

3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)

1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)

0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)

0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)

3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-25] (Symantec Corporation)

1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)

1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

3 TenpayKeyboard; C:\Windows\System32\Drivers\TenpayKeyboard.sys [29312 2012-06-10] (tenpay.com)

3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]

2 MCSTRM; [x]

3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]

3 Spbslvcta_pa; [x]

3 TcHardWare; \??\T:\??\QQPCMgr\6.8.2393.401\QQPCHW-x64.sys [x]

3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-31 04:12 - 2012-12-31 04:12 - 00003352 ____N C:\bootsqm.dat

2012-12-29 19:53 - 2013-01-02 16:21 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Roaming\_bd_uylzs.exe

2012-12-29 19:53 - 2013-01-02 16:17 - 00000280 ____A C:\Windows\setupact.log

2012-12-29 19:53 - 2012-12-29 19:53 - 00000354 ____A C:\Windows\PFRO.log

2012-12-29 19:53 - 2012-12-29 19:53 - 00000000 ____A C:\Windows\setuperr.log

2012-12-29 19:51 - 2013-01-02 17:07 - 00237056 ____A (NeoSmart Technologies) C:\Users\All Users\_bd_uylzs.exe

2012-12-29 19:51 - 2013-01-02 16:21 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Local\_bd_uylzs.exe

2012-12-27 06:42 - 2012-12-27 06:42 - 00000000 ____D C:\Users\tym\AppData\Local\{9F7D2EBB-3441-4794-8237-8E9D319D35BB}

2012-12-26 04:46 - 2012-12-23 19:05 - 00137632 ____A (Tencent) C:\Windows\SysWOW64\Drivers\QQProtect.sys

2012-12-21 06:31 - 2012-12-16 08:52 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-21 06:31 - 2012-12-16 06:40 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-21 06:31 - 2012-12-16 06:25 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-21 06:31 - 2012-12-16 06:25 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

2012-12-20 05:19 - 2012-12-20 05:19 - 00000000 ____D C:\Users\tym\AppData\Local\{5E3060F0-0C09-4B95-9877-68B2E4581226}

2012-12-19 11:48 - 2012-12-19 11:48 - 00000000 ____D C:\Users\tym\AppData\Local\{63F6D928-4D6F-4AD1-9BEB-921D01D84D6A}

2012-12-19 07:35 - 2012-12-19 07:35 - 00000000 ____D C:\Users\tym\AppData\Local\{683EC243-2875-44E0-AE48-791B3750FB65}

2012-12-18 05:29 - 2012-12-18 05:29 - 00000000 ____D C:\Users\tym\AppData\Local\{3D929235-54C5-42F8-89BD-19F7489671E4}

2012-12-17 06:27 - 2012-12-17 06:27 - 00000000 ____D C:\Users\tym\AppData\Local\{C6215F33-CC04-413E-A681-6C18C307CC24}

2012-12-14 05:33 - 2012-12-14 05:34 - 00000000 ____D C:\Users\tym\AppData\Local\{56192237-06F2-4CEC-A489-4CB95E3215AD}

2012-12-13 05:26 - 2012-12-13 05:27 - 00000000 ____D C:\Users\tym\AppData\Local\{928A7C5F-2C15-4D50-BDCB-CF8ABF6A4CE5}

2012-12-12 05:41 - 2012-12-12 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{F2F85F28-D8E8-4290-A3C2-9CB8D5E3F3B6}

2012-12-12 04:34 - 2012-11-08 21:34 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll

2012-12-12 04:34 - 2012-11-08 20:49 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll

2012-12-12 04:33 - 2012-09-06 09:38 - 00295792 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\volsnap.sys

2012-12-11 16:35 - 2012-11-01 21:27 - 00478208 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll

2012-12-11 16:35 - 2012-11-01 20:48 - 00376832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll

2012-12-11 16:25 - 2012-10-04 09:35 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll

2012-12-11 16:25 - 2012-10-04 06:49 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll

2012-12-11 16:22 - 2012-10-04 09:38 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll

2012-12-11 16:22 - 2012-10-04 09:38 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll

2012-12-11 16:22 - 2012-10-04 09:38 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll

2012-12-11 16:22 - 2012-10-04 09:38 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll

2012-12-11 16:22 - 2012-10-04 09:32 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll

2012-12-11 16:22 - 2012-10-04 09:32 - 00425984 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:54 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll

2012-12-11 16:22 - 2012-10-04 08:54 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

2012-12-11 16:22 - 2012-10-04 08:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 07:19 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe

2012-12-11 16:22 - 2012-10-04 06:49 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe

2012-12-11 16:22 - 2012-10-04 06:49 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe

2012-12-11 16:22 - 2012-10-04 06:49 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe

2012-12-11 16:22 - 2012-10-04 06:44 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 06:44 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 06:44 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll

2012-12-11 16:22 - 2012-10-04 06:44 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll

2012-12-11 16:12 - 2012-11-22 00:20 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-12-11 15:52 - 2012-11-13 22:11 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-12-11 15:52 - 2012-11-13 22:04 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-12-11 15:52 - 2012-11-13 22:04 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-12-11 15:52 - 2012-11-13 22:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-12-11 15:52 - 2012-11-13 22:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-12-11 15:52 - 2012-11-13 21:59 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-12-11 15:52 - 2012-11-13 21:58 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-12-11 15:52 - 2012-11-13 21:57 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-12-11 15:52 - 2012-11-13 21:57 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-12-11 15:52 - 2012-11-13 21:55 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-12-11 15:52 - 2012-11-13 21:53 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-12-11 15:52 - 2012-11-13 21:52 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-12-11 15:52 - 2012-11-13 21:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-12-11 15:52 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-12-11 15:52 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-12-11 15:52 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-12-11 15:52 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-12-11 15:52 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-12-11 15:52 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-12-11 15:52 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-12-11 15:52 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-12-11 15:52 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-12-11 15:52 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-12-11 15:52 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-12-11 15:52 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-12-11 15:51 - 2012-11-13 23:06 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-12-11 15:51 - 2012-11-13 22:32 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-12-11 15:51 - 2012-11-13 21:55 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-12-11 15:51 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-12-11 15:51 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-12-11 15:51 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-12-11 15:51 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-12-11 06:40 - 2012-12-11 06:40 - 00000000 ____D C:\Users\tym\AppData\Local\{4FA07EC4-85F0-4FA4-92A6-3C84619D1E76}

2012-12-10 06:28 - 2012-12-10 06:28 - 00000000 ____D C:\Users\tym\AppData\Local\{423AF44E-AAB2-41FF-98F0-AFD9151F3233}

2012-12-08 05:56 - 2012-12-08 05:56 - 00000000 ____D C:\Users\tym\AppData\Local\{F9814C92-394F-4810-975D-087B15C4BE84}

2012-12-07 05:41 - 2012-12-07 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{CE7D4F68-6122-485D-AC66-7C830CA57217}

2012-12-06 07:41 - 2012-12-06 07:41 - 00000000 ____D C:\Windows\Easyrecovery

2012-12-06 05:32 - 2012-12-06 05:33 - 00000000 ____D C:\Users\tym\AppData\Local\{E04E32D8-EF73-4A2B-99F3-CD7C7E8479BE}

2012-12-05 05:57 - 2012-12-05 05:58 - 00000000 ____D C:\Users\tym\AppData\Local\{DF64FEEC-CE0A-4827-945B-1B90BB2A0FB2}

==================== One Month Modified Files and Folders =======

2013-01-02 17:07 - 2012-12-29 19:51 - 00237056 ____A (NeoSmart Technologies) C:\Users\All Users\_bd_uylzs.exe

2013-01-02 16:21 - 2012-12-29 19:53 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Roaming\_bd_uylzs.exe

2013-01-02 16:21 - 2012-12-29 19:51 - 00237056 ____A (NeoSmart Technologies) C:\Users\tym\AppData\Local\_bd_uylzs.exe

2013-01-02 16:17 - 2012-12-29 19:53 - 00000280 ____A C:\Windows\setupact.log

2013-01-02 16:17 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-31 04:12 - 2012-12-31 04:12 - 00003352 ____N C:\bootsqm.dat

2012-12-29 19:54 - 2011-05-25 00:55 - 00000000 ____D C:\Users\tym\AppData\Roaming\Dropbox

2012-12-29 19:53 - 2012-12-29 19:53 - 00000354 ____A C:\Windows\PFRO.log

2012-12-29 19:53 - 2012-12-29 19:53 - 00000000 ____A C:\Windows\setuperr.log

2012-12-29 18:45 - 2011-11-21 01:11 - 00000000 ____D C:\QUARANTINE

2012-12-29 18:37 - 2011-05-25 01:12 - 00000000 ____D C:\Users\tym\Documents\Tencent Files

2012-12-29 16:40 - 2011-11-22 00:31 - 00000000 ____D C:\Program Files (x86)\KSafe

2012-12-29 16:34 - 2011-11-22 00:33 - 00000000 ____D C:\Users\All Users\KSafe

2012-12-29 16:23 - 2009-07-13 21:13 - 00727334 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-29 16:19 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-29 16:19 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-29 16:10 - 2011-05-25 00:57 - 00000000 ___RD C:\Users\tym\Dropbox

2012-12-28 20:21 - 2011-12-21 06:39 - 00083320 ____A (Kingsoft Corporation) C:\Windows\System32\Drivers\ksapi.sys

2012-12-28 20:20 - 2011-12-21 06:39 - 00221048 ____A (Kingsoft Corporation) C:\Windows\System32\Drivers\kisknl.sys

2012-12-28 19:39 - 2011-05-25 23:11 - 00000000 ____D C:\Users\tym\AppData\Roaming\Skype

2012-12-28 17:08 - 2011-11-25 23:21 - 00000739 ____A C:\Users\tym\Desktop\??7.lnk

2012-12-27 06:42 - 2012-12-27 06:42 - 00000000 ____D C:\Users\tym\AppData\Local\{9F7D2EBB-3441-4794-8237-8E9D319D35BB}

2012-12-27 06:42 - 2011-05-25 01:10 - 00000000 ____D C:\Users\tym\AppData\Local\Windows Live

2012-12-26 11:37 - 2012-11-10 10:58 - 00020992 ____A C:\Users\tym\Desktop\????.xls

2012-12-26 11:37 - 2011-05-25 19:14 - 00000000 ____D C:\Users\All Users\Tencent

2012-12-25 19:55 - 2011-11-22 05:44 - 00000000 __SHD C:\KRECYCLE

2012-12-24 04:12 - 2011-05-25 01:02 - 00000000 ____D C:\Program Files (x86)\SogouExtension

2012-12-23 19:05 - 2012-12-26 04:46 - 00137632 ____A (Tencent) C:\Windows\SysWOW64\Drivers\QQProtect.sys

2012-12-22 16:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

2012-12-21 17:29 - 2009-07-13 20:45 - 00299136 ____A C:\Windows\System32\FNTCACHE.DAT

2012-12-20 05:19 - 2012-12-20 05:19 - 00000000 ____D C:\Users\tym\AppData\Local\{5E3060F0-0C09-4B95-9877-68B2E4581226}

2012-12-19 11:48 - 2012-12-19 11:48 - 00000000 ____D C:\Users\tym\AppData\Local\{63F6D928-4D6F-4AD1-9BEB-921D01D84D6A}

2012-12-19 07:35 - 2012-12-19 07:35 - 00000000 ____D C:\Users\tym\AppData\Local\{683EC243-2875-44E0-AE48-791B3750FB65}

2012-12-18 05:29 - 2012-12-18 05:29 - 00000000 ____D C:\Users\tym\AppData\Local\{3D929235-54C5-42F8-89BD-19F7489671E4}

2012-12-17 06:27 - 2012-12-17 06:27 - 00000000 ____D C:\Users\tym\AppData\Local\{C6215F33-CC04-413E-A681-6C18C307CC24}

2012-12-16 22:25 - 2011-06-05 06:25 - 00000000 ____D C:\Users\tym\AppData\Roaming\EndNote

2012-12-16 08:52 - 2012-12-21 06:31 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-16 06:40 - 2012-12-21 06:31 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-16 06:25 - 2012-12-21 06:31 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-16 06:25 - 2012-12-21 06:31 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

2012-12-14 05:34 - 2012-12-14 05:33 - 00000000 ____D C:\Users\tym\AppData\Local\{56192237-06F2-4CEC-A489-4CB95E3215AD}

2012-12-13 11:47 - 2011-05-25 19:30 - 00000000 ____D C:\Users\tym\AppData\Local\CrashDumps

2012-12-13 05:27 - 2012-12-13 05:26 - 00000000 ____D C:\Users\tym\AppData\Local\{928A7C5F-2C15-4D50-BDCB-CF8ABF6A4CE5}

2012-12-12 19:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2012-12-12 10:20 - 2009-07-13 18:34 - 00000633 ____A C:\Windows\win.ini

2012-12-12 05:41 - 2012-12-12 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{F2F85F28-D8E8-4290-A3C2-9CB8D5E3F3B6}

2012-12-11 06:40 - 2012-12-11 06:40 - 00000000 ____D C:\Users\tym\AppData\Local\{4FA07EC4-85F0-4FA4-92A6-3C84619D1E76}

2012-12-10 06:28 - 2012-12-10 06:28 - 00000000 ____D C:\Users\tym\AppData\Local\{423AF44E-AAB2-41FF-98F0-AFD9151F3233}

2012-12-08 20:42 - 2011-05-25 01:22 - 00000000 ____D C:\Users\tym\AppData\Roaming\SoftGrid Client

2012-12-08 05:56 - 2012-12-08 05:56 - 00000000 ____D C:\Users\tym\AppData\Local\{F9814C92-394F-4810-975D-087B15C4BE84}

2012-12-07 05:41 - 2012-12-07 05:41 - 00000000 ____D C:\Users\tym\AppData\Local\{CE7D4F68-6122-485D-AC66-7C830CA57217}

2012-12-06 09:20 - 2011-12-05 10:37 - 00000915 ____A C:\Users\tym\AppData\Roaming\coreavc.ini

2012-12-06 07:41 - 2012-12-06 07:41 - 00000000 ____D C:\Windows\Easyrecovery

2012-12-06 05:33 - 2012-12-06 05:32 - 00000000 ____D C:\Users\tym\AppData\Local\{E04E32D8-EF73-4A2B-99F3-CD7C7E8479BE}

2012-12-05 05:58 - 2012-12-05 05:57 - 00000000 ____D C:\Users\tym\AppData\Local\{DF64FEEC-CE0A-4827-945B-1B90BB2A0FB2}

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys

[2012-12-12 04:33] - [2012-09-06 09:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-04 04:11:54

Restore point made on: 2012-12-07 18:59:08

Restore point made on: 2012-12-11 04:02:35

Restore point made on: 2012-12-11 15:51:39

Restore point made on: 2012-12-11 16:02:21

Restore point made on: 2012-12-11 16:12:19

Restore point made on: 2012-12-11 16:21:56

Restore point made on: 2012-12-11 16:34:54

Restore point made on: 2012-12-12 10:16:00

Restore point made on: 2012-12-18 06:48:03

Restore point made on: 2012-12-21 06:31:39

Restore point made on: 2012-12-25 05:44:43

==================== Memory info ===========================

Percentage of memory in use: 22%

Total physical RAM: 3000.93 MB

Available physical RAM: 2331.84 MB

Total Pagefile: 2999.08 MB

Available Pagefile: 2322.74 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (Gateway) (Fixed) (Total:145.9 GB) (Free:89 GB) NTFS

2 Drive d: (New Volume) (Fixed) (Total:100.03 GB) (Free:14.32 GB) NTFS

3 Drive e: (New Volume) (Fixed) (Total:39.06 GB) (Free:38.97 GB) NTFS

4 Drive g: (PQSERVICE) (Fixed) (Total:13 GB) (Free:2 GB) NTFS

6 Drive i: (USB_SEEKER) (Removable) (Total:1.93 GB) (Free:1.41 GB) FAT32

7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

8 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 298 GB 2048 KB

Disk 1 Online 1986 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 13 GB 1024 KB

Partition 2 Primary 100 MB 13 GB

Partition 3 Primary 145 GB 13 GB

Partition 0 Extended 139 GB 158 GB

Partition 4 Logical 100 GB 158 GB

Partition 5 Logical 39 GB 259 GB

==================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 G PQSERVICE NTFS Partition 13 GB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C Gateway NTFS Partition 145 GB Healthy

=========================================================

Disk: 0

Partition 4

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 D New Volume NTFS Partition 100 GB Healthy

=========================================================

Disk: 0

Partition 5

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 E New Volume NTFS Partition 39 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1984 MB 31 KB

==================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 I USB_SEEKER FAT32 Removable 1984 MB Healthy

=========================================================

Last Boot: 2012-12-25 06:11

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 31-12-2012

Ran by SYSTEM at 2013-01-04 02:33:59

Running from I:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======


OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC


Here is the Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-12-2012

Ran by SYSTEM at 2013-01-04 08:51:28 Run:1

Running from I:\

==============================================

HKEY_USERS\tym\Software\Microsoft\Windows\CurrentVersion\Run\\uhhcskwy Value deleted successfully.

HKEY_USERS\tym\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .

C:\Users\tym\AppData\Roaming\_bd_uylzs.exe moved successfully.

C:\Users\All Users\_bd_uylzs.exe moved successfully.

C:\Users\tym\AppData\Local\_bd_uylzs.exe moved successfully.

C:\Users\All Users\_bd_uylzs.exe not found.

C:\Users\tym\AppData\Roaming\_bd_uylzs.exe not found.

C:\Users\tym\AppData\Local\_bd_uylzs.exe not found.

==== End of Fixlog ====

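As an added check from the defender's side (example code, not part of the thread and not from FRST or ComboFix), the PowerShell below inspects, from a normal session, the three persistence points the Fixlog shows being repaired: the Winlogon Shell value, the DisableTaskMgr policy and Run entries that launch from profile folders. It assumes the logged-on user's HKCU corresponds to the HKEY_USERS\tym hive FRST edited offline, and that explorer.exe is the expected shell.

```powershell
# Added defender-side triage check (hypothetical example, not from the thread
# or from FRST/ComboFix). Read-only: it reports, it does not change anything.
# Run from a normal Windows session as an administrator.

$findings = @()
# Get-ItemProperty also returns these provider metadata properties; skip them.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Winlogon Shell. The Windows 7 default is "explorer.exe"; the Fixlog shows
#    this value being restored, i.e. the lock screen had replaced the desktop
#    shell with itself. Kiosk builds legitimately use another shell, so treat
#    a deviation as something to verify, not as proof on its own.
$hklmWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $hklmWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
}
# A per-user Shell value overrides the machine-wide one and is normally absent.
$hkcuWinlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userShell = (Get-ItemProperty -Path $hkcuWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) { $findings += "Per-user Winlogon Shell override: '$userShell'" }

# 2. DisableTaskMgr policy. Set to 1 it stops the victim from killing the
#    lock-screen process; on a home PC the value is normally not present.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$dtm = (Get-ItemProperty -Path $policy -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($dtm -eq 1) { $findings += "DisableTaskMgr = 1 under $policy" }

# 3. Run entries that launch from user-writable profile locations, which is
#    where the Fixlog found _bd_uylzs.exe (AppData\Roaming, AppData\Local,
#    All Users). Legitimate software does this too (Dropbox, for example),
#    so each hit still needs a look at the file itself.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        if ("$($p.Value)" -match '(?i)\\(AppData|ProgramData|All Users|Temp)\\') {
            $findings += "Run entry '$($p.Name)' in $key -> $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No lock-screen persistence indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A clean Windows 7 system produces no findings; anything reported should be compared against the FRST and ComboFix output before acting on it.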

Yes, it starts normally! Sorry, I was waiting for the next instruction.

So are there any other steps I should do, e.g., run an MBAM scan, or is it all set?

And how can I prevent this from happening in the future?

Really appreciate your help!


Great, we have more to do and I'll give you recommendations when we're done.

~~~~~~~~~~~~~~~~~~~~~~~~~

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Here is the log after ComboFix finished. So sorry for the weird code, which is supposed to be Chinese. I can read it on the laptop. If you need, I can translate it.

ComboFix 13-01-04.01 - tym 4/2013 Fri 9:43.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.936.86.1033.18.3001.2024 [GMT -5:00]

执行位置: c:\users\tym\Desktop\ComboFix.exe

AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

AV: 金山毒霸实时保护 *Disabled/Updated* {B6A51389-A795-5AC9-13BA-F569D73F3FE8}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\Common Files\Tencent\Paycenter

c:\program files (x86)\Common Files\Tencent\Paycenter\npqqcert.dll

c:\program files (x86)\Common Files\Tencent\Paycenter\npqqedit.dll

c:\program files (x86)\Common Files\Tencent\Paycenter\qqcert.dll

c:\program files (x86)\Common Files\Tencent\Paycenter\qqedit.dll

c:\program files (x86)\Common Files\Tencent\Paycenter\tenpay.ico

c:\program files (x86)\Common Files\Tencent\Paycenter\uninstall.exe

c:\program files (x86)\Common Files\Tencent\Paycenter\Whatsnew.txt

c:\program files (x86)\Common Files\Tencent\Paycenter\XP.sys

c:\program files (x86)\Common Files\Tencent\Paycenter\XP_64.sys

c:\program files (x86)\StormII

C:\RECYCLER88

c:\users\tym\AppData\Local\{33EF426B-A018-43FA-83CD-D52B0EFCF44D}

c:\users\tym\AppData\Roaming\CDC1A5

c:\users\tym\AppData\Roaming\SogouExplorer

c:\users\tym\AppData\Roaming\SogouExplorer\confdll.dll

.

.

((((((((((((((((((((((((( 2012-12-04 至 2013-01-04 的新的档案 )))))))))))))))))))))))))))))))

.

.

2013-01-04 14:58 . 2013-01-04 14:58 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-04 14:51 . 2013-01-04 14:51 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3727B5BB-8278-4E5C-9555-CE40AC12407C}\offreg.dll

2013-01-04 10:31 . 2013-01-04 10:31 -------- d-----w- C:\FRST

2012-12-28 07:08 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3727B5BB-8278-4E5C-9555-CE40AC12407C}\mpengine.dll

2012-12-26 12:46 . 2012-12-24 03:05 137632 ----a-w- c:\windows\SysWow64\drivers\QQProtect.sys

2012-12-21 14:31 . 2012-12-16 16:52 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 14:31 . 2012-12-16 14:25 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-21 14:31 . 2012-12-16 14:40 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 14:31 . 2012-12-16 14:25 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-12 12:34 . 2012-11-09 05:34 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-12 12:34 . 2012-11-09 04:49 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-12-12 12:33 . 2012-09-06 17:38 295792 ----a-w- c:\windows\system32\drivers\volsnap.sys

2012-12-12 00:35 . 2012-11-02 05:27 478208 ----a-w- c:\windows\system32\dpnet.dll

2012-12-12 00:35 . 2012-11-02 04:48 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

2012-12-12 00:25 . 2012-10-04 17:35 16384 ----a-w- c:\windows\system32\ntvdm64.dll

2012-12-12 00:25 . 2012-10-04 14:49 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2012-12-12 00:12 . 2012-11-22 08:20 3147264 ----a-w- c:\windows\system32\win32k.sys

2012-12-11 23:51 . 2012-11-14 05:55 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-12-11 23:51 . 2012-11-14 06:06 499200 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll

2012-12-11 23:51 . 2012-11-14 02:00 387584 ----a-w- c:\program files (x86)\Internet Explorer\jsdbgui.dll

2012-12-11 23:51 . 2012-11-14 06:06 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll

2012-12-11 23:51 . 2012-11-14 02:01 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll

2012-12-11 23:51 . 2012-11-14 07:06 17811968 ----a-w- c:\windows\system32\mshtml.dll

2012-12-11 23:51 . 2012-11-14 06:32 10925568 ----a-w- c:\windows\system32\ieframe.dll

2012-12-06 15:41 . 2012-12-06 15:41 -------- d-----w- c:\windows\Easyrecovery

2012-12-06 15:24 . 2012-12-06 15:32 -------- d-----w- c:\program files (x86)\Common Files\gssoft

.

.

.

(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-29 04:21 . 2011-12-21 14:39 83320 ----a-w- c:\windows\system32\drivers\ksapi.sys

2012-12-29 04:20 . 2011-12-21 14:39 221048 ----a-w- c:\windows\system32\drivers\kisknl.sys

2012-11-29 06:27 . 2012-03-25 18:50 18296 ----a-w- c:\windows\system32\drivers\kusbquery64.sys

2012-11-29 06:27 . 2012-03-25 18:50 14200 ----a-w- c:\windows\system32\drivers\kusbquery.sys

2012-11-25 07:11 . 2011-12-21 14:39 31848 ----a-w- c:\windows\system32\drivers\kavbootc64.sys

2012-11-25 07:11 . 2011-12-21 14:39 27240 ----a-w- c:\windows\system32\drivers\kavbootc.sys

2012-10-16 21:20 . 2012-11-27 23:10 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 21:20 . 2012-11-27 23:10 347648 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 20:34 . 2012-11-27 23:10 559104 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-10-08 11:40 . 2011-12-21 14:39 166776 ----a-w- c:\windows\system32\drivers\kdhacker64.sys

2012-10-08 11:40 . 2011-12-21 14:39 127992 ----a-w- c:\windows\system32\drivers\kdhacker.sys

.

.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*注意* 空白与合法缺省登录将不会被显示

REGEDIT4

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0EA37B17-6B8B-4085-8257-F3A4AA69C27A}]

2011-11-24 10:05 79536 ----a-w- t:\xunlei\BHO\XlBrowserAddin1.0.5.64.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_ForbidSync]

@="{2A301372-EF60-4a54-9071-E93655AF2377}"

[HKEY_CLASSES_ROOT\CLSID\{2A301372-EF60-4a54-9071-E93655AF2377}]

2012-03-24 02:31 460664 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_Synced]

@="{7EE556A7-CACD-4a70-8C73-FCFD5BD487F9}"

[HKEY_CLASSES_ROOT\CLSID\{7EE556A7-CACD-4a70-8C73-FCFD5BD487F9}]

2012-03-24 02:31 460664 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_Syncing]

@="{72F4CD64-93FD-42da-BEBC-F516496A1C44}"

[HKEY_CLASSES_ROOT\CLSID\{72F4CD64-93FD-42da-BEBC-F516496A1C44}]

2012-03-24 02:31 460664 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AAADesktopTips]

@="{4562B511-62E9-4533-B7B2-56A8BB10B482}"

[HKEY_CLASSES_ROOT\CLSID\{4562B511-62E9-4533-B7B2-56A8BB10B482}]

2011-12-30 05:37 247408 ----a-w- c:\program files (x86)\Common Files\Thunder Network\Kankan\xappex.1.1.1.38.(478).dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-09-24 825864]

"KSafeTray"="c:\program files (x86)\KSafe\KSafeTray.exe" [2012-09-24 75208]

.

c:\users\tym\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\tym\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"EnableShellExecuteHooks"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]

Ime File REG_SZ SOGOUPY.IME

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 KSafeSvc;KSafe service;c:\program files (x86)\KSafe\KSafeSvc.exe [2012-09-24 230856]

R3 CntvCBoxService;CNTV CBox Service;c:\program files (x86)\CNTV\CBox\CntvCBoxService.exe [2012-07-23 1241000]

R3 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]

R3 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [2010-01-08 23584]

R3 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]

R3 ICBC Daemon Service;ICBC Daemon Service;c:\program files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\IcbcDaemon_64.exe [2011-12-26 554112]

R3 ksfmonsys;ksfmonsys;c:\program files (x86)\KSafe\ksfmonsys64.sys [2012-09-24 21360]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]

R3 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 216576]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]

R3 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]

R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]

R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]

R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]

R3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]

R3 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]

R3 Spbslvcta_pa;Spbslvcta_pa; [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]

R3 TcHardWare;TcHardWare;t:\软件\QQPCMgr\6.8.2393.401\QQPCHW-x64.sys [x]

R3 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2010-01-28 243232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-26 1255736]

R3 XLServicePlatform;XLServicePlatform;c:\windows\system32\svchost [x]

S0 kavbootc;kavbootc;c:\windows\system32\drivers\kavbootc64.sys [2012-11-25 31848]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS [2011-01-27 450680]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS [2011-03-15 912504]

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110701.001\BHDrvx64.sys [2011-05-19 1143416]

S1 EncryptedDisk;EncryptedDisk;c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\encrypteddisk-x64.sys [2012-03-24 125544]

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20110722.031\IDSvia64.sys [2011-07-07 488056]

S1 KDHacker;KDHacker;t:\金山卫士\kingsoft antivirus\security\kxescan\kdhacker64.sys [2012-10-08 166776]

S1 kmodurl;kmodurl;c:\program files (x86)\KSafe\kmodurl64.sys [2012-09-24 133144]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [2011-01-27 171128]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [2011-04-21 386168]

S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2010-02-26 841248]

S2 kisknl;kisknl;c:\windows\system32\drivers\kisknl.sys [2012-12-29 221048]

S2 kxescore;Kingsoft Core Service;t:\金山卫士\kingsoft antivirus\kxescore.exe [2012-12-29 153424]

S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [2011-04-17 130008]

S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2010-06-28 255744]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-01-07 144896]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-10 270848]

S3 TenpayKeyboard;TenpayKeyboard; [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

XLServicePlatform REG_MULTI_SZ XLServicePlatform

.

‘计划任务’ 文件夹 里的内容

.

2012-11-06 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 21:57]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{004B0726-A010-4ABF-8556-FCDB7F1FCA1E}]

2011-11-24 10:06 627888 ----a-w- t:\xunlei\BHO\XunleiBHO647.2.4.3312.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8BCB0605-D909-4c3b-B490-DEFE88BA95FA}]

2011-12-26 21:48 466048 ----a-w- c:\program files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\Icbc_AntiPhishing_64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_ForbidSync]

@="{2A301372-EF60-4a54-9071-E93655AF2377}"

[HKEY_CLASSES_ROOT\CLSID\{2A301372-EF60-4a54-9071-E93655AF2377}]

2012-03-24 02:31 571256 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_Synced]

@="{7EE556A7-CACD-4a70-8C73-FCFD5BD487F9}"

[HKEY_CLASSES_ROOT\CLSID\{7EE556A7-CACD-4a70-8C73-FCFD5BD487F9}]

2012-03-24 02:31 571256 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\.KLive_OverlayIcon_Syncing]

@="{72F4CD64-93FD-42da-BEBC-F516496A1C44}"

[HKEY_CLASSES_ROOT\CLSID\{72F4CD64-93FD-42da-BEBC-F516496A1C44}]

2012-03-24 02:31 571256 ----a-w- c:\users\tym\AppData\Roaming\Kingsoft\klive\bin\kliveshellext64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\tym\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

------- 而外的扫描 -------

.

uStart Page = hxxp://www.hao123.com/?tn=98012088_1_hao_pg

uLocal Page = c:\windows\system32\blank.htm

mDefault_Page_URL = hxxp://www.bing.com/?pc=MAGW

mStart Page = hxxp://www.hao123.com/?tn=98012088_1_hao_pg

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: &使用&迅雷下载 - t:\xunlei\BHO\geturl.htm

IE: &使用&迅雷下载全部链接 - t:\xunlei\BHO\GetAllUrl.htm

IE: &使用&迅雷离线下载 - t:\xunlei\BHO\OfflineDownload.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: 使用光影编辑和美化 - t:\光影魔术手\nEO iMAGING\NeoOpenNeo.htm

Trusted Zone: alipay.com

Trusted Zone: alisoft.com

Trusted Zone: icbc.com.cn

Trusted Zone: taobao.com

Trusted Zone: alipay.com

Trusted Zone: alisoft.com

Trusted Zone: taobao.com

DPF: {3AA9CF07-DF20-48FF-98BE-DED276E40146} - hxxps://b2c.icbc.com.cn/icbc/GDReadPub.cab

DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} - hxxps://b2c.icbc.com.cn/icbc/newperbank/AxSafeControls.cab

DPF: {7CCE07A5-A590-4554-B5C3-082840D7012E} - hxxps://b2c.icbc.com.cn/icbc/icbc_gdgetdv.dll

DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} - hxxps://b2c.icbc.com.cn/icbc/ICBC_NetSign.dll

.

.

------- ÎļþÀàÐÍ -------

.

inifile=c:\windows\SysWow64\NOTEPAD.EXE %1

txtfile=c:\windows\notepad.exe %1

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{941D90F8-2F14-3EA2-AA01-6ADABA1E623E} - (no file)

Toolbar-Locked - (no file)

Toolbar-Locked - (no file)

AddRemove-Tenpay Security Control - c:\program files (x86)\Common Files\Tencent\Paycenter\uninstall.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]

"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000\Software\Microsoft\Internet Explorer\MenuExt\&使用&迅雷下载]

@Allowed: (Read) (RestrictedCode)

@="t:\\xunlei\\BHO\\geturl.htm"

"Name"="xl_geturl"

"Contexts"=dword:00000022

.

[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000\Software\Microsoft\Internet Explorer\MenuExt\&使用&迅雷下载全部链接]

@Allowed: (Read) (RestrictedCode)

@="t:\\xunlei\\BHO\\GetAllUrl.htm"

"Name"="xl_getallurl"

"Contexts"=dword:000000f3

.

[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000\Software\Microsoft\Internet Explorer\MenuExt\&使用&迅雷离线下载]

@Allowed: (Read) (RestrictedCode)

@="t:\\xunlei\\BHO\\OfflineDownload.htm"

"Name"="xl_offlinedownload"

"Contexts"=dword:00000022

.

[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\t:\oöN\Ðrørzl*e*a*w*o*v*i*d*e*o*c*o*n*v*e*r*t*e*r*_*c*h*s*-*v*4*.*2*\Video Converter\imageformats]

"qgif4.dll"=multi:"2011-12-08T16:04\00gif\00\00"

"qico4.dll"=multi:"2011-12-08T16:05\00ico\00\00"

"qjpeg4.dll"=multi:"2011-12-08T16:04\00jpeg\00jpg\00\00"

"qmng4.dll"=multi:"2011-12-08T16:05\00mng\00\00"

"qtiff4.dll"=multi:"2011-12-08T16:05\00tiff\00tif\00\00"

.

[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\t:\oön\Ðrørzl*e*a*w*o*v*i*d*e*o*c*o*n*v*e*r*t*e*r*_*c*h*s*-*v*4*.*2*\Video Converter\imageformats]

"qgif4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:04\00\00"

"qico4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:05\00\00"

"qjpeg4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:04\00\00"

"qmng4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:05\00\00"

"qsvg4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:05\00\00"

"qtiff4.dll"=multi:"40800\000\00Windows msvc release full-config\002011-12-08T16:05\00\00"

.

[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000_Classes\Å•,a÷ç"”ð\?a*v*i*_*a*u*t*o*_*f*i*l*e*\shell]

@="Play"

.

[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000_Classes\Å•,a÷ç"”ð\?a*v*i*_*a*u*t*o*_*f*i*l*e*\shell\open\command]

@=expand:"\"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\" /Open \"%L\""

.

[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000_Classes\Å•,a÷ç"”ð\?a*v*i*_*a*u*t*o*_*f*i*l*e*\shell\play]

@="&Play"

"MUIVerb"=expand:"@%SystemRoot%\\system32\\unregmp2.exe,-9991"

.

[HKEY_USERS\S-1-5-21-3665345015-2513349007-1015702687-1000_Classes\Å•,a÷ç"”ð\?a*v*i*_*a*u*t*o*_*f*i*l*e*\shell\play\command]

@=expand:"\"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\" /Play \"%L\""

DUMPHIVE0.003 (REGF)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

完成时间: 2013-01-04 10:02:08

ComboFix-quarantined-files.txt 2013-01-04 15:02

.

Pre-Run: 96,214,614,016 bytes free

Post-Run: 95,954,792,448 bytes free

.

- - End Of File - - 119000356624286112DCE15DB8D51D53

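The tail of the dump above is ComboFix's list of locked registry keys. Entries carrying `@Denied: (...) (Everyone)` are keys whose access control list has a deny entry (the Flash broker CLSID and interface, and the PCW security key), and the `SymbolicLinkValue` entries under the McAfee and Network Associates keys are REG_LINK values, written out as `hex(6)` UTF-16LE bytes that spell the NT object path the key redirects to. The parser below is an added example for reading that format, not ComboFix's own code or anything the forum helpers use. It walks a constructed excerpt in the same layout (the `.` terminator, the `@Denied` marker, default and named values, and a wrapped `hex(6)` line truncated exactly as ComboFix truncates it), records which keys were denied and decodes the REG_LINK target; because the sample is truncated the decoded path stops at `\Registry\MACHINE\Sof`, just as the real log's does.

```python
import re

# Constructed sample in the shape of ComboFix's "locked keys" registry dump
# (paths copied from the dump quoted in this thread; hex line truncated as ComboFix does).
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DENIED_RE = re.compile(r'^@Denied: \((.+?)\) \((.+?)\)$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_CONT_RE = re.compile(r'^([0-9a-fA-F]{2},)+\\?$')   # wrapped hex data lines
REG_LINK = 6                                           # registry type number of hex(6)


def decode_reg_hex(hex_text):
    """Turn 'hex(6):5c,00,...' into bytes; continuation backslashes are dropped."""
    body = hex_text.split(':', 1)[1] if ':' in hex_text else hex_text
    pairs = [p for p in body.replace('\\', '').split(',') if p.strip()]
    return bytes(int(p, 16) for p in pairs)


def decode_reg_link(data):
    """A REG_LINK is a UTF-16LE NT path; a truncated dump may end mid code unit."""
    if len(data) % 2:
        data = data[:-1]
    return data.decode('utf-16-le', errors='replace').rstrip('\x00')


def parse_combofix_registry(text):
    """Return one dict per key block: path, denied marker, values, decoded link target."""
    keys, current, hex_name, hex_buf = [], None, None, []

    def flush_hex():
        nonlocal hex_name, hex_buf
        if current is not None and hex_name is not None:
            joined = ''.join(hex_buf)
            m = re.match(r'hex\((\d+)\):', joined)
            reg_type = int(m.group(1)) if m else 3        # bare "hex:" is REG_BINARY
            data = decode_reg_hex(joined)
            current['values'][hex_name] = data
            if reg_type == REG_LINK:
                current['symlink_target'] = decode_reg_link(data)
        hex_name, hex_buf = None, []

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if hex_name is not None and HEX_CONT_RE.match(line):
            hex_buf.append(line)                           # still inside a wrapped hex value
            continue
        flush_hex()
        if line == '.':                                    # ComboFix's block terminator
            current = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = {'path': m.group(1), 'denied': None, 'values': {}, 'symlink_target': None}
            keys.append(current)
            continue
        if current is None:
            continue
        m = DENIED_RE.match(line)
        if m:
            current['denied'] = {'access': m.group(1), 'principal': m.group(2)}
            continue
        m = VALUE_RE.match(line)
        if m:
            name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
            value = m.group(2)
            if value.startswith('hex'):
                hex_name, hex_buf = name, [value]          # may continue on following lines
            elif value.startswith('"') and value.endswith('"'):
                current['values'][name] = value[1:-1].replace('\\\\', '\\')
            else:
                current['values'][name] = value
    flush_hex()
    return keys


def locked_key_summary(keys):
    """One line per key explaining why ComboFix listed it: ACL deny or symbolic link."""
    out = []
    for k in keys:
        if k['symlink_target']:
            out.append(f"{k['path']} -> REG_LINK to {k['symlink_target']}")
        elif k['denied']:
            out.append(f"{k['path']} : ACL denies '{k['denied']['access']}' to {k['denied']['principal']}")
    return out


if __name__ == '__main__':
    for line in locked_key_summary(parse_combofix_registry(SAMPLE_DUMP)):
        print(line)
```

Reading the dump this way separates the two reasons a key ends up in that section (a deny ACE versus a registry symbolic link), which is the distinction you want before deciding whether a locked key belongs to legitimate software, as the Flash and McAfee entries here do, or needs a closer look.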

Looks Good..........

Let's check the system for any adware........

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for adware, toolbar and potentially unwanted programs.

AdwCleaner is a tool that deletes:

· Adware (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

Please look over what was found, we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain why it shouldn't be on your system.

MrC


Here is the log -I don't see anything I want to keep..

# AdwCleaner v2.104 - Logfile created 01/04/2013 at 10:17:06

# Updated 29/12/2012 by Xplode

# Operating system : Windows 7 Home Premium (64 bits)

# User : tym - TYM-PC

# Boot Mode : Normal

# Running from : C:\Users\tym\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Found : HKCU\Software\TENCENT

Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Found : HKLM\Software\TENCENT

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [708 octets] - [04/01/2013 10:17:06]

########## EOF - C:\AdwCleaner[R1].txt - [767 octets] ##########


A couple of items found....lets clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Then.............

Let's check your computer's security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC


MrC, here is the AdwCleaner[s1].txt:

# AdwCleaner v2.104 - Logfile created 01/04/2013 at 10:25:18

# Updated 29/12/2012 by Xplode

# Operating system : Windows 7 Home Premium (64 bits)

# User : tym - TYM-PC

# Boot Mode : Normal

# Running from : C:\Users\tym\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\TENCENT

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Deleted : HKLM\Software\TENCENT

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [835 octets] - [04/01/2013 10:17:06]

AdwCleaner[s1].txt - [775 octets] - [04/01/2013 10:25:18]

########## EOF - C:\AdwCleaner[s1].txt - [834 octets] ##########

But, I can't download the Security Check because it is blocked by my company; see below for the error message. What can we do? Thanks!

This Page Cannot Be Displayed

Based on your corporate access policies, this web site ( http://screen317.spywareinfoforum.org/SecurityCheck.exe ) has been blocked because it has been determined by Web Reputation Filters to be a security threat to your computer or the corporate network. This web site has been associated with malware/spyware.

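The two AdwCleaner logs in this exchange are a search run (`[R1]`, `# Option [search]`, every line `Key Found`) followed by a delete run (`[S1]`, `# Option [Delete]`, every line `Key Deleted`), and the way to confirm the cleanup is to check that every item the search found shows up as deleted in the second log. The script below is an added example, not part of AdwCleaner or the forum helpers' procedure. It parses constructed excerpts in the same format (the four registry keys from the logs above; the delete sample is deliberately altered to leave one key out so that the failure case is visible) and reconciles the two runs into removed, not-removed and unexpected entries. The entry regex also accepts the `File`, `Folder`, `Service` and `Value` line kinds AdwCleaner uses in its other sections, which is an assumption about that version's output beyond what this thread shows.

```python
import re

# Constructed excerpt of the search-run log posted above ([R1], Option [search]).
SEARCH_LOG = r"""# AdwCleaner v2.104 - Logfile created 01/04/2013 at 10:17:06
# Option [search]
***** [services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Found : HKCU\Software\TENCENT
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\Software\TENCENT
***** [internet Browsers] *****
[OK] Registry is clean.
"""

# Constructed delete-run log ([S1], Option [Delete]); GenericAskToolbar.DLL is
# left out on purpose so the reconciliation below has something to report.
DELETE_LOG = r"""# AdwCleaner v2.104 - Logfile created 01/04/2013 at 10:25:18
# Option [Delete]
***** [services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Deleted : HKCU\Software\TENCENT
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\Software\TENCENT
***** [internet Browsers] *****
[OK] Registry is clean.
"""

OPTION_RE = re.compile(r'^# Option \[(\w+)\]$')
SECTION_RE = re.compile(r'^\*{5} \[(.+?)\] \*{5}$')
ENTRY_RE = re.compile(r'^(Key|Value|File|Folder|Service) (Found|Deleted) : (.+)$')


def parse_adwcleaner(log):
    """Return the run option and a map of (kind, target) -> {action, section, target}.
    Targets are lowered for comparison because registry and NTFS paths are case-insensitive."""
    result = {'option': None, 'entries': {}}
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        m = OPTION_RE.match(line)
        if m:
            result['option'] = m.group(1).lower()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            kind, action, target = m.groups()
            target = target.strip()
            result['entries'][(kind, target.lower())] = {
                'action': action, 'section': section, 'target': target}
    return result


def reconcile(search_log, delete_log):
    """Compare a search run with the following delete run.

    removed      : found in the search run and deleted in the delete run
    not_removed  : found but never reported deleted (rerun, or inspect by hand)
    unexpected   : deleted although the search run never listed it (a changed
                   system or a different scan scope between the two runs)
    """
    found = parse_adwcleaner(search_log)
    deleted = parse_adwcleaner(delete_log)
    if found['option'] != 'search' or deleted['option'] != 'delete':
        raise ValueError('expected a [search] log followed by a [Delete] log')
    found_keys = {k for k, v in found['entries'].items() if v['action'] == 'Found'}
    deleted_keys = {k for k, v in deleted['entries'].items() if v['action'] == 'Deleted'}
    return {
        'removed': sorted(found['entries'][k]['target'] for k in found_keys & deleted_keys),
        'not_removed': sorted(found['entries'][k]['target'] for k in found_keys - deleted_keys),
        'unexpected': sorted(deleted['entries'][k]['target'] for k in deleted_keys - found_keys),
    }


if __name__ == '__main__':
    report = reconcile(SEARCH_LOG, DELETE_LOG)
    for bucket, items in report.items():
        print(f'{bucket}: {len(items)}')
        for item in items:
            print('   ', item)
```

On the real pair of logs in this thread the `not_removed` list comes out empty, which is the result the helper was looking for before moving on to the security check.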

Great, it worked! Here is the checkup.txt:

Results of screen317's Security Check version 0.99.56

Windows 7 x64 (UAC is enabled)

Out of date service pack!!

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

金山毒霸实时保护

Norton Internet Security

Antivirus up to date! (On Access scanning disabled!)

`````````Anti-malware/Other Utilities Check:`````````

Java 6 Update 31

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

Mozilla Thunderbird (3.1.19) Thunderbird out of Date!

Google Chrome plugins...

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

kingsoft antivirus kxescore.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````


Windows 7 x64 (UAC is enabled)

Out of date service pack!! <---------Visit Windows Update for this

Norton Internet Security

Antivirus up to date! (On Access scanning disabled!) <----- -please enable

Java™ 6 Update 31 <----uninstall from add/remove programs

Java version out of Date! <-------Download and install the latest version from Here

Adobe Reader 9 Adobe Reader out of Date! <----please check for an update

Mozilla Thunderbird (3.1.19) Thunderbird out of Date! <----please check for an update

You have outdated programs on the system which are vulnerable to malware.

Please update or uninstall them

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


MrC,

I tried "ComboFix /unintall" from Run, but it behaved like running ComboFix again. Now I just renamed it to "Unintall.exe" but still it is showing "complete item #...".

Anything wrong? How can I safely uninstall it? Thanks!!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.