
help, pls! Can't enter safe mode with the virus infection


tian

My PC got infected yesterday. I didn't know it was such a big problem and only used my anti-virus software to scan for the virus and take some actions (I don't remember what actions it took!). Then I could continue to use my PC after that. But today, I am totally blocked from using my PC. Whenever I turn on the PC, there is a white screen. I tried to enter safe mode and download your software, but I cannot even enter safe mode now!! What should I do now!

Can anybody help me out here! I have very important files and I really don't want to format my PC. Thank you so much for any kind of help and suggestions!!!!


Welcome to the forum, see if you can do this:

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt

    Select Command Prompt.

    Once in the Command Prompt:

    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
MrC

Thank you so much for your quick reply and help! You are deeply appreciated!

Here is the log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-08-2013 01
Ran by SYSTEM on MININT-HP9RNO7 on 30-08-2013 23:23:32
Running from H:\
Windows 7 Ultimate (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Trend Micro Titanium] - C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe [1111568 2011-02-16] (Trend Micro Inc.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11545192 2010-11-02] (Realtek Semiconductor)
HKLM\...\Run: [Trend Micro Client Framework] - C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [197152 2011-02-10] (Trend Micro Inc.)
HKLM\...\Run: [intelliPoint] - c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2399632 2011-04-13] (Microsoft Corporation)
HKLM\...\Run: [PocketCloud Location] - C:\Program Files (x86)\Wyse\PocketCloud Windows Companion\WyseBrowser.exe [807936 2011-08-18] ()
HKLM-x32\...\Run: [RunAIShell] - C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe [232064 2009-12-23] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [bCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [tvncontrol] - C:\Program Files (x86)\TightVNC\tvnserver.exe [815704 2010-07-08] (GlavSoft LLC.)
HKLM-x32\...\Run: [ccApp] - C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe [115560 2010-05-06] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [38768 2009-10-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640376 2009-10-02] (Adobe Systems Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [sendori Tray] - C:\Program Files (x86)\Sendori\SendoriTray.exe [83232 2013-07-01] (Sendori, Inc.)
HKLM-x32\...\Run: [DivXMediaServer] - C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-01-29] (DivX, LLC)
HKLM-x32\...\Run: [DivXUpdate] - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-12] ()
HKU\lhygjw\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4280184 2012-03-08] (Microsoft Corporation)
HKU\lhygjw\...\Run: [bAIDUMEDIA] - C:\Program Files (x86)\Baidu\BaiduPlayer\1.19.0.137\BaiduPlayer.exe [1328720 2013-04-01] ()
HKU\lhygjw\...\Run: [DAEMON Tools Lite] - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3673728 2012-11-06] (DT Soft Ltd)
HKU\lhygjw\...\Winlogon: [shell] C:\Users\lhygjw\AppData\Roaming\dlc.xmm,explorer.exe <==== ATTENTION
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

==================== Services (Whitelisted) =================

S2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [119072 2013-07-01] (Sendori, Inc.)
S2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [918144 2010-11-03] ()
S2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.11\aaHMSvc.exe [915072 2010-11-19] ()
S2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.10\AsSysCtrlService.exe [586880 2010-10-21] ()
S2 ccEvtMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2010-05-06] (Symantec Corporation)
S2 ccSetMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2010-05-06] (Symantec Corporation)
S3 DMService; C:\Windows\DOWNLO~1\DMService.exe [487312 2012-06-20] (Microsoft Corporation)
S3 LiveUpdate; C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE [3093880 2010-02-17] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [22304 2013-07-01] (sendori)
S2 SmcService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe [3234848 2010-08-05] (Symantec Corporation)
S4 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE [425800 2010-07-01] (Symantec Corporation)
S2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3623200 2013-07-01] (Sendori)
S2 Symantec AntiVirus; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1832072 2010-07-01] (Symantec Corporation)
S2 tvnserver; C:\Program Files (x86)\TightVNC\tvnserver.exe [815704 2010-07-08] (GlavSoft LLC.)
S2 uagqecsvc; C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [150928 2010-11-25] (Microsoft Corporation)
S2 WysePocketCloud; C:\Program Files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe [103424 2011-08-18] ()
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [x]

==================== Drivers (Whitelisted) ====================

S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-23] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-23] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-02] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-02] ()
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-12-14] (DT Soft Ltd)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-08-26] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-08-26] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [140376 2013-08-26] (Symantec Corporation)
S3 NAVENG; C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130829.017\ENG64.SYS [126040 2013-08-28] (Symantec Corporation)
S3 NAVENG; C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130829.017\ENG64.SYS [126040 2013-08-28] (Symantec Corporation)
S3 NAVEX15; C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130829.017\EX64.SYS [2099288 2013-08-28] (Symantec Corporation)
S3 NAVEX15; C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130829.017\EX64.SYS [2099288 2013-08-28] (Symantec Corporation)
S1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [447536 2010-03-08] (Symantec Corporation)
S1 SRTSP; C:\Windows\SysWow64\Drivers\SRTSP64.SYS [447536 2010-03-08] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [482352 2010-03-08] (Symantec Corporation)
S3 SRTSPL; C:\Windows\SysWow64\Drivers\SRTSPL64.SYS [482352 2010-03-08] (Symantec Corporation)
S1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2010-03-08] (Symantec Corporation)
S1 SRTSPX; C:\Windows\SysWow64\Drivers\SRTSPX64.SYS [32304 2010-03-08] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [173616 2011-12-03] (Symantec Corporation)
S3 Teefer2; C:\Windows\System32\DRIVERS\teefer2.sys [64048 2009-12-28] (Symantec Corporation)
S2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [90704 2010-09-17] (Trend Micro Inc.)
S2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [144464 2010-09-17] (Trend Micro Inc.)
S2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [67664 2010-09-17] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105552 2010-09-17] (Trend Micro Inc.)
S1 WPS; C:\Windows\system32\drivers\wpsdrvnt.sys [52784 2010-08-05] (Symantec Corporation)
S3 WpsHelper; C:\Windows\system32\drivers\WpsHelper.sys [233120 2012-10-04] (Symantec Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-30 18:39 - 2013-08-30 18:39 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{48056469-E8DF-470A-BB75-8C0B16778067}
2013-08-30 06:28 - 2013-08-30 06:28 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{7937607D-3D26-4466-9859-2B1F836965C7}
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\ynwl.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\xplhgfe.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\xaktl.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\vcecnld.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\ujfuoy.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\tdsi.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\tbjbwx.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\qigt.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\omlqd.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\lpeh.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\iacham.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\fioly.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\emeqb.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\egjny.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\eaenn.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\dugq.exe
2013-08-29 02:37 - 2013-08-29 18:48 - 00000000 ____D C:\ProgramData\dlhi
2013-08-29 02:36 - 2013-08-29 02:52 - 00000000 ____D C:\ProgramData\xwmnu
2013-08-29 02:35 - 2013-08-29 02:35 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{AB6D49A1-5CBD-443E-B176-71694D1DA018}
2013-08-28 15:39 - 2013-08-29 02:44 - 00008838 _____ C:\Users\lhygjw\Desktop\estimation with real data_082813.xlsx
2013-08-28 02:52 - 2013-08-28 02:52 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{F84433F5-A0FF-4E39-A98C-77D9F6A721BC}
2013-08-27 07:43 - 2013-08-27 07:43 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{5CF85B06-1FA5-41D3-BE2C-7BAD5337C530}
2013-08-26 05:55 - 2013-08-26 05:56 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{38392558-BF2F-49E3-A6FB-607E4C53087F}
2013-08-25 06:44 - 2013-08-25 06:44 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{F0A168D5-0954-4ADB-BBA2-B35D5B63B6C9}
2013-08-24 16:59 - 2013-08-24 16:59 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{E363BB00-646E-4C06-BE78-705823F77512}
2013-08-20 21:00 - 2013-08-20 21:00 - 17737608 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-08-20 18:31 - 2013-08-20 18:31 - 00735499 _____ C:\Users\lhygjw\Desktop\insurance waiver.jpeg.jpeg
2013-08-18 11:34 - 2013-08-18 11:34 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{0E40875A-0D86-4AAB-ABF5-F9A7970F1323}
2013-08-16 06:46 - 2013-08-16 07:54 - 00415099 _____ C:\Users\lhygjw\Desktop\results_summary_081013_2 (2) (2).xlsx
2013-08-15 18:15 - 2013-08-20 19:29 - 00073841 _____ C:\Users\lhygjw\Desktop\results_081513.xlsx
2013-08-15 13:32 - 2013-08-16 06:31 - 00389618 _____ C:\Users\lhygjw\Desktop\results_summary_081013_2 (2).xlsx
2013-08-15 06:48 - 2013-08-15 06:48 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{DDEAEFB4-2FBB-49E7-8DC4-272DB91A6CBB}
2013-08-14 23:10 - 2013-07-25 21:13 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-08-14 23:10 - 2013-07-25 21:13 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-08-14 23:10 - 2013-07-25 21:13 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-08-14 23:10 - 2013-07-25 21:12 - 19239424 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-08-14 23:10 - 2013-07-25 21:12 - 15405056 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-08-14 23:10 - 2013-07-25 21:12 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-08-14 23:10 - 2013-07-25 21:12 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-08-14 23:10 - 2013-07-25 21:12 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-08-14 23:10 - 2013-07-25 21:12 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-08-14 23:10 - 2013-07-25 21:12 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-08-14 23:10 - 2013-07-25 21:12 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-08-14 23:10 - 2013-07-25 21:12 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-08-14 23:10 - 2013-07-25 21:12 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-08-14 23:10 - 2013-07-25 21:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-08-14 23:10 - 2013-07-25 19:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-08-14 23:10 - 2013-07-25 19:13 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-08-14 23:10 - 2013-07-25 19:13 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-08-14 23:10 - 2013-07-25 19:12 - 14329344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-08-14 23:10 - 2013-07-25 19:12 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-08-14 23:10 - 2013-07-25 19:12 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-08-14 23:10 - 2013-07-25 19:12 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-08-14 23:10 - 2013-07-25 19:12 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-08-14 23:10 - 2013-07-25 19:12 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-08-14 23:10 - 2013-07-25 19:12 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-08-14 23:10 - 2013-07-25 19:12 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-08-14 23:10 - 2013-07-25 19:12 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-08-14 23:10 - 2013-07-25 19:11 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-08-14 23:10 - 2013-07-25 19:11 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-08-14 23:10 - 2013-07-25 18:49 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-08-14 23:10 - 2013-07-25 18:39 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-14 23:10 - 2013-07-25 17:59 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-08-14 23:04 - 2013-08-14 23:06 - 00000000 ____D C:\Windows\System32\MRT
2013-08-14 17:29 - 2013-08-15 13:43 - 00358706 _____ C:\Users\lhygjw\Desktop\results_summary_081013_2.xlsx
2013-08-14 13:15 - 2013-08-14 17:26 - 00255754 _____ C:\Users\lhygjw\Desktop\results_summary_081013.xlsx
2013-08-14 13:15 - 2013-08-14 13:15 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{A2D0653F-890E-4785-B86B-CFB66610BB4F}
2013-08-14 04:03 - 2013-07-08 21:52 - 00224256 _____ (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2013-08-14 04:03 - 2013-07-08 21:46 - 01472512 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-08-14 04:03 - 2013-07-08 21:46 - 00184320 _____ (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-08-14 04:03 - 2013-07-08 21:46 - 00139776 _____ (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-08-14 04:03 - 2013-07-08 20:52 - 00175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2013-08-14 04:03 - 2013-07-08 20:46 - 01166848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-08-14 04:03 - 2013-07-08 20:46 - 00140288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-08-14 04:03 - 2013-07-08 20:46 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-08-14 03:59 - 2013-07-25 01:25 - 01888768 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-08-14 03:59 - 2013-07-25 00:57 - 01620992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-08-14 03:59 - 2013-07-18 17:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll
2013-08-14 03:59 - 2013-07-18 17:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2013-08-14 03:59 - 2013-07-08 22:03 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-08-14 03:59 - 2013-07-08 21:54 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-08-14 03:59 - 2013-07-08 21:53 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-08-14 03:59 - 2013-07-08 21:51 - 01217024 _____ (Microsoft Corporation) C:\Windows\System32\rpcrt4.dll
2013-08-14 03:59 - 2013-07-08 21:03 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-08-14 03:59 - 2013-07-08 21:03 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-08-14 03:59 - 2013-07-08 20:53 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-08-14 03:59 - 2013-07-08 20:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2013-08-14 03:59 - 2013-07-08 20:52 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-08-14 03:59 - 2013-07-08 18:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-08-14 03:59 - 2013-07-08 18:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-08-14 03:59 - 2013-07-08 18:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-08-14 03:59 - 2013-07-08 18:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-08-14 03:58 - 2013-07-05 22:03 - 01910208 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-08-14 03:58 - 2013-06-14 20:35 - 01111552 _____ (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2013-08-14 03:58 - 2013-06-14 20:32 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tssecsrv.sys
2013-08-13 06:53 - 2013-08-13 06:53 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{C87C8B6D-711F-490E-9578-397D51472F84}
2013-08-12 04:28 - 2013-08-20 19:28 - 00000000 ____D C:\Users\lhygjw\Desktop\ads_070513
2013-08-11 07:22 - 2013-08-11 12:58 - 00000000 ____D C:\Users\lhygjw\Desktop\recover files
2013-08-11 06:00 - 2013-08-11 06:03 - 00000000 ____D C:\Program Files\Recuva
2013-08-11 04:19 - 2013-08-11 04:19 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{7CC4C42A-3DDE-45BE-9BD5-9820172E6AB1}
2013-08-06 03:21 - 2013-08-06 03:21 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{A5469912-92E2-4233-A84D-163AC3A2F9BA}
2013-08-01 06:19 - 2013-08-01 06:19 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{6FD1B030-5F0A-4F53-80CC-860723AEDDBE}

==================== One Month Modified Files and Folders =======

2013-08-30 18:50 - 2012-12-10 07:43 - 00393216 _____ C:\Windows\System32\Ikeext.etl
2013-08-30 18:49 - 2013-03-08 21:06 - 00000342 _____ C:\Windows\Tasks\dsmonitor.job
2013-08-30 18:49 - 2011-08-02 06:52 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-08-30 18:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing
2013-08-30 18:48 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-30 18:48 - 2009-07-13 20:51 - 00034943 _____ C:\Windows\setupact.log
2013-08-30 18:39 - 2013-08-30 18:39 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{48056469-E8DF-470A-BB75-8C0B16778067}
2013-08-30 14:44 - 2010-11-20 19:47 - 00413038 _____ C:\Windows\PFRO.log
2013-08-30 07:50 - 2009-07-13 21:13 - 00742028 _____ C:\Windows\System32\PerfStringBackup.INI
2013-08-30 07:45 - 2011-07-28 18:12 - 01453182 _____ C:\Windows\WindowsUpdate.log
2013-08-30 07:39 - 2009-07-13 20:45 - 00022112 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-30 07:39 - 2009-07-13 20:45 - 00022112 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-30 06:59 - 2012-04-09 04:49 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-30 06:28 - 2013-08-30 06:28 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{7937607D-3D26-4466-9859-2B1F836965C7}
2013-08-29 18:48 - 2013-08-29 02:37 - 00000000 ____D C:\ProgramData\dlhi
2013-08-29 18:15 - 2012-01-15 08:24 - 00002187 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-08-29 18:15 - 2011-08-02 06:52 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-08-29 03:19 - 2012-03-21 18:49 - 00000000 ____D C:\Users\lhygjw\Desktop\shopping receipt
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\ynwl.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\xplhgfe.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\xaktl.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\vcecnld.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\ujfuoy.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\tdsi.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\tbjbwx.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\qigt.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\omlqd.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\lpeh.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\iacham.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\fioly.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\emeqb.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\egjny.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\eaenn.exe
2013-08-29 02:52 - 2013-08-29 02:52 - 00201216 _____ C:\ProgramData\dugq.exe
2013-08-29 02:52 - 2013-08-29 02:36 - 00000000 ____D C:\ProgramData\xwmnu
2013-08-29 02:44 - 2013-08-28 15:39 - 00008838 _____ C:\Users\lhygjw\Desktop\estimation with real data_082813.xlsx
2013-08-29 02:36 - 2012-12-14 19:01 - 00000000 ____D C:\ProgramData\Sendori
2013-08-29 02:35 - 2013-08-29 02:35 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{AB6D49A1-5CBD-443E-B176-71694D1DA018}
2013-08-28 17:49 - 2011-08-16 07:37 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-08-28 02:52 - 2013-08-28 02:52 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{F84433F5-A0FF-4E39-A98C-77D9F6A721BC}
2013-08-27 07:43 - 2013-08-27 07:43 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{5CF85B06-1FA5-41D3-BE2C-7BAD5337C530}
2013-08-26 14:10 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-08-26 05:56 - 2013-08-26 05:55 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{38392558-BF2F-49E3-A6FB-607E4C53087F}
2013-08-25 06:44 - 2013-08-25 06:44 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{F0A168D5-0954-4ADB-BBA2-B35D5B63B6C9}
2013-08-24 16:59 - 2013-08-24 16:59 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{E363BB00-646E-4C06-BE78-705823F77512}
2013-08-22 14:33 - 2011-09-28 16:19 - 00000000 ____D C:\Users\lhygjw\Documents\Tencent Files
2013-08-20 21:00 - 2013-08-20 21:00 - 17737608 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-08-20 21:00 - 2012-04-09 04:49 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-20 21:00 - 2012-04-09 04:49 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-20 21:00 - 2011-09-23 12:11 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-20 19:29 - 2013-08-15 18:15 - 00073841 _____ C:\Users\lhygjw\Desktop\results_081513.xlsx
2013-08-20 19:28 - 2013-08-12 04:28 - 00000000 ____D C:\Users\lhygjw\Desktop\ads_070513
2013-08-20 18:31 - 2013-08-20 18:31 - 00735499 _____ C:\Users\lhygjw\Desktop\insurance waiver.jpeg.jpeg
2013-08-18 11:34 - 2013-08-18 11:34 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{0E40875A-0D86-4AAB-ABF5-F9A7970F1323}
2013-08-16 07:54 - 2013-08-16 06:46 - 00415099 _____ C:\Users\lhygjw\Desktop\results_summary_081013_2 (2) (2).xlsx
2013-08-16 06:31 - 2013-08-15 13:32 - 00389618 _____ C:\Users\lhygjw\Desktop\results_summary_081013_2 (2).xlsx
2013-08-15 13:43 - 2013-08-14 17:29 - 00358706 _____ C:\Users\lhygjw\Desktop\results_summary_081013_2.xlsx
2013-08-15 06:48 - 2013-08-15 06:48 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{DDEAEFB4-2FBB-49E7-8DC4-272DB91A6CBB}
2013-08-15 00:07 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-08-14 23:06 - 2013-08-14 23:04 - 00000000 ____D C:\Windows\System32\MRT
2013-08-14 23:04 - 2011-09-23 10:17 - 78161360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-08-14 17:26 - 2013-08-14 13:15 - 00255754 _____ C:\Users\lhygjw\Desktop\results_summary_081013.xlsx
2013-08-14 13:15 - 2013-08-14 13:15 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{A2D0653F-890E-4785-B86B-CFB66610BB4F}
2013-08-14 13:01 - 2013-07-15 12:22 - 00000000 ____D C:\Users\lhygjw\Desktop\签证延期
2013-08-13 17:28 - 2013-05-14 12:28 - 00000000 ____D C:\Users\lhygjw\Desktop\estimation results
2013-08-13 06:53 - 2013-08-13 06:53 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{C87C8B6D-711F-490E-9578-397D51472F84}
2013-08-11 17:57 - 2011-07-28 18:12 - 00000000 ____D C:\users\lhygjw
2013-08-11 12:58 - 2013-08-11 07:22 - 00000000 ____D C:\Users\lhygjw\Desktop\recover files
2013-08-11 06:03 - 2013-08-11 06:00 - 00000000 ____D C:\Program Files\Recuva
2013-08-11 04:19 - 2013-08-11 04:19 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{7CC4C42A-3DDE-45BE-9BD5-9820172E6AB1}
2013-08-06 03:21 - 2013-08-06 03:21 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{A5469912-92E2-4233-A84D-163AC3A2F9BA}
2013-08-01 06:19 - 2013-08-01 06:19 - 00000000 ____D C:\Users\lhygjw\AppData\Local\{6FD1B030-5F0A-4F53-80CC-860723AEDDBE}

Files to move or delete:
====================
C:\ProgramData\dugq.exe
C:\ProgramData\eaenn.exe
C:\ProgramData\egjny.exe
C:\ProgramData\emeqb.exe
C:\ProgramData\fioly.exe
C:\ProgramData\iacham.exe
C:\ProgramData\lpeh.exe
C:\ProgramData\omlqd.exe
C:\ProgramData\qigt.exe
C:\ProgramData\tbjbwx.exe
C:\ProgramData\tdsi.exe
C:\ProgramData\ujfuoy.exe
C:\ProgramData\vcecnld.exe
C:\ProgramData\xaktl.exe
C:\ProgramData\xplhgfe.exe
C:\ProgramData\ynwl.exe
C:\Users\lhygjw\AppData\Local\Temp\0pvx32mr.dll
C:\Users\lhygjw\AppData\Local\Temp\20120216090204847jniverify.dll
C:\Users\lhygjw\AppData\Local\Temp\Baidu-ASBar-Silent_For_YingYin.exe
C:\Users\lhygjw\AppData\Local\Temp\Baidu-Toolbar-Silent_For_YingYin.exe
C:\Users\lhygjw\AppData\Local\Temp\bdplayer_2_hao_pg_hao123inst.exe
C:\Users\lhygjw\AppData\Local\Temp\contentDATs.exe
C:\Users\lhygjw\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\lhygjw\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\lhygjw\AppData\Local\Temp\ose00000.exe
C:\Users\lhygjw\AppData\Local\Temp\qqsafeud.exe
C:\Users\lhygjw\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\lhygjw\AppData\Local\Temp\vqqsdl.dll
C:\Users\lhygjw\AppData\Local\Temp\WFBS-SVC_Agent.exe
C:\Users\lhygjw\AppData\Local\Temp\{FE269EB0-2FF0-441B-8780-F3BE5567D800}\ISBEW64.exe
C:\Users\lhygjw\AppData\Local\Temp\_ir_sf_temp_0\npCouponPrinter.dll
C:\Users\lhygjw\AppData\Local\Temp\_ir_sf_temp_0\npMozCouponPrinter.dll
C:\Users\lhygjw\AppData\Local\Temp\x64\LuCheck.exe
C:\Users\lhygjw\AppData\Local\Temp\x64\lusetup.exe
C:\Users\lhygjw\AppData\Local\Temp\x64\Setup.exe
C:\Users\lhygjw\AppData\Local\Temp\x64\smcinst.exe
C:\Users\lhygjw\AppData\Local\Temp\x64\vcredist_x64.exe
C:\Users\lhygjw\AppData\Local\Temp\VSD3F75.tmp\dotnetfx\dotnetchk.exe
C:\Users\lhygjw\AppData\Local\Temp\Temp1_knitro-8.0.0-z-WinMSVC10-64.zip\knitro-8.0.0-z-WinMSVC10-64\get_machine_ID.exe
C:\Users\lhygjw\AppData\Local\Temp\Setup000016c0\OSETUPUI.DLL
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\matlab_R2011a_win64_installer.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\utils\uninstall\bin\win64\deactivate_matlab.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\utils\uninstall\bin\win64\uninstall.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\awt.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\cmm.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\dcpr.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\deploy.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\deploytk.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\dt_shmem.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\dt_socket.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\eula.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\fontmanager.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\hpi.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\hprof.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\instrument.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\ioser12.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\j2pcsc.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jaas_nt.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\java-rmi.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\java.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\java_crw_demo.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jawt.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jbroker.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\JdbcOdbc.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jdwp.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jli.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jp2iexp.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jp2launcher.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jp2native.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jp2ssv.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jpeg.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jsound.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\jureg.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\management.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\mlib_image.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\msvcrt.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\net.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\nio.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\npdeploytk.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\npt.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\pack200.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\regutils.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\rmi.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\splashscreen.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\ssv.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\ssvagent.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\unpack.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\unpack200.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\verify.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\w2k_lsa_auth.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\wsdetect.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\zip.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\server\jvm.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\new_plugin\msvcrt.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\java\jre\win64\jre\bin\new_plugin\npjp2.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\etc\win64\lmgrd.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\etc\win64\lmtools.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\etc\win64\lmutil.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\etc\win64\MLM.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\bin\win64\dotnetinst.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\bin\win64\instutil.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\bin\win64\java_launcher.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\bin\win64\mwinstall.dll
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\bin\win64\setup.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\bin\win64\vcredist_x64.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\bin\win64\VCRT_check.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\bin\win64\vc90\vcredist_x64.exe
C:\Users\lhygjw\AppData\Local\Temp\mathworks_downloads\R2011a\bin\win64\vc90\VCRT_check.exe
C:\Users\lhygjw\AppData\Local\Temp\be29e7f1-71ae-4703-50cb-1d52be512f51\twapi-be29e7f1-71ae-4703-50cb-1d52be512f51.dll
C:\Users\lhygjw\AppData\Local\Temp\Baidu\BaiduSetupAx\BaiduPlayer\BaiduPlayer1.19.0.137_49076037.exe
C:\Users\lhygjw\AppData\Local\Temp\._msige61\GoogleEarth.exe
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\plugin\earthps.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\plugin\geplugin.exe
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\plugin\ge_expat.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\plugin\googleearth_free.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\plugin\msvcp100.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\plugin\msvcr100.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\plugin\npgeplugin.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\plugin\plugin_ax.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\client\earthflashsol.exe
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\client\earthps.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\client\ge_expat.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\client\googleearth.exe
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\client\googleearth_free.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\client\gpsbabel.exe
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\client\msvcp100.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\client\msvcr100.dll
C:\Users\lhygjw\AppData\Local\Temp\._msige61\program files\Google\Google Earth\client\Plugins\npgeinprocessplugin.dll

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-08-04 03:27:24
Restore point made on: 2013-08-11 08:54:58
Restore point made on: 2013-08-14 23:01:18
Restore point made on: 2013-08-22 06:07:08
Restore point made on: 2013-08-28 17:49:20

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8173.22 MB
Available physical RAM: 7312.98 MB
Total Pagefile: 8171.37 MB
Available Pagefile: 7320.36 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (WIN7) (Fixed) (Total:429.04 GB) (Free:342.66 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (New Volume) (Fixed) (Total:244.14 GB) (Free:171.86 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:244.14 GB) (Free:238.92 GB) NTFS
Drive f: (GRMCULXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
Drive h: () (Removable) (Total:0.95 GB) (Free:0.53 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 932 GB) (Disk ID: CB5BD2B2)
Partition 1: (Not Active) - (Size=14 GB) - (Type=1B)
Partition 2: (Active) - (Size=429 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=244 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=244 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 974 MB) (Disk ID: 21771D61)
Partition 1: (Not Active) - (Size=973 MB) - (Type=0B)

LastRegBack: 2013-08-22 05:59

==================== End Of Log ============================


OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now and if so..........run MBAR

If not...rescan with FRST and post the new log.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Thank you so much! Now the computer boots normally and I cleaned up all found threats. The system looks fine too.

 

Attachments are those log files you asked for. So what should I do next? Can I trust my computer as before and use it as before? Or should I just copy my important files and format my computer (which I really don't want to do!!! I have very important software installed)? If I copy files from the computer, is it safe to copy them to another clean computer? Too many questions :) But I really appreciate your help!!!

Fixlog.txt

mbar-log-2013-08-31 (11-24-21).txt

system-log.txt


Your computer should be safe after we're done. I would change all my passwords and keep a close eye on all your sensitive accounts.

 

Next.........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix....please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Here is the ComboFix.txt. Thanks!

 

ComboFix 13-08-31.01 - lhygjw 1/2013 Sat  17:49:03.2.8 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.936.86.1033.18.8173.6522 [GMT -4:00]
执行位置: c:\users\lhygjw\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
AV: Trend Micro Titanium Internet Security *Disabled/Outdated* {68F968AC-2AA0-091D-848C-803E83E35902}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Trend Micro Titanium Internet Security *Disabled/Outdated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((  2013-07-28 至 2013-08-31 的新的档案  )))))))))))))))))))))))))))))))
.
.
2013-08-31 21:56 . 2013-08-31 21:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-31 15:02 . 2013-08-31 15:02 -------- d-----w- c:\programdata\Malwarebytes
2013-08-31 07:23 . 2013-08-31 07:23 -------- d-----w- C:\FRST
2013-08-21 05:00 . 2013-08-21 05:00 17737608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2013-08-15 07:04 . 2013-08-15 07:06 -------- d-----w- c:\windows\system32\MRT
2013-08-14 12:03 . 2013-07-09 05:46 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 12:03 . 2013-07-09 05:52 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 12:03 . 2013-07-09 04:52 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-08-14 12:03 . 2013-07-09 04:46 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-08-14 12:03 . 2013-07-09 05:46 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-14 12:03 . 2013-07-09 05:46 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 12:03 . 2013-07-09 04:46 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-08-14 12:03 . 2013-07-09 04:46 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-08-14 11:58 . 2013-06-15 04:35 1111552 ----a-w- c:\windows\system32\rdpcorets.dll
2013-08-14 11:58 . 2013-06-15 04:32 39936 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-14 11:58 . 2013-07-06 06:03 1910208 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-11 14:00 . 2013-08-11 14:03 -------- d-----w- c:\program files\Recuva
.
.
.
((((((((((((((((((((((((((((((((((((((((   在三个月内被修改的档案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-21 05:00 . 2012-04-09 12:49 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-08-21 05:00 . 2011-09-23 20:11 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-15 07:04 . 2011-09-23 18:17 78161360 ----a-w- c:\windows\system32\MRT.exe
2013-07-15 19:03 . 2013-07-15 19:03 45056 ----a-r- c:\users\lhygjw\AppData\Roaming\Microsoft\Installer\{37331C16-3E97-4A20-80D8-BFB43AB0E2FB}\UNINST_Uninstall_C_EBD1846850A64C858760A659B987DCFF.exe
2013-07-15 19:03 . 2013-07-15 19:03 45056 ----a-r- c:\users\lhygjw\AppData\Roaming\Microsoft\Installer\{37331C16-3E97-4A20-80D8-BFB43AB0E2FB}\ARPPRODUCTICON.exe
2013-07-09 04:45 . 2013-08-14 11:59 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-07-01 19:28 . 2012-12-15 03:01 325920 ----a-w- c:\windows\SysWow64\Sendori.dll
2013-06-05 07:06 . 2013-06-05 07:06 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-06-05 07:06 . 2013-06-05 07:06 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2013-06-05 07:06 . 2013-06-05 07:06 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-06-05 07:06 . 2013-06-05 07:06 523264 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-06-05 07:06 . 2013-06-05 07:06 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-06-05 07:06 . 2013-06-05 07:06 38400 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-06-05 07:06 . 2013-06-05 07:06 361984 ----a-w- c:\windows\SysWow64\html.iec
2013-06-05 07:06 . 2013-06-05 07:06 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-06-05 07:06 . 2013-06-05 07:06 226304 ----a-w- c:\windows\system32\elshyph.dll
2013-06-05 07:06 . 2013-06-05 07:06 197120 ----a-w- c:\windows\system32\msrating.dll
2013-06-05 07:06 . 2013-06-05 07:06 185344 ----a-w- c:\windows\SysWow64\elshyph.dll
2013-06-05 07:06 . 2013-06-05 07:06 158720 ----a-w- c:\windows\SysWow64\msls31.dll
2013-06-05 07:06 . 2013-06-05 07:06 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-06-05 07:06 . 2013-06-05 07:06 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-06-05 07:06 . 2013-06-05 07:06 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2013-06-05 07:06 . 2013-06-05 07:06 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-06-05 07:06 . 2013-06-05 07:06 12800 ----a-w- c:\windows\SysWow64\mshta.exe
2013-06-05 07:06 . 2013-06-05 07:06 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-06-05 07:06 . 2013-06-05 07:06 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-06-05 07:06 . 2013-06-05 07:06 97280 ----a-w- c:\windows\system32\mshtmled.dll
2013-06-05 07:06 . 2013-06-05 07:06 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-06-05 07:06 . 2013-06-05 07:06 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-06-05 07:06 . 2013-06-05 07:06 81408 ----a-w- c:\windows\system32\icardie.dll
2013-06-05 07:06 . 2013-06-05 07:06 77312 ----a-w- c:\windows\system32\tdc.ocx
2013-06-05 07:06 . 2013-06-05 07:06 762368 ----a-w- c:\windows\system32\ieapfltr.dll
2013-06-05 07:06 . 2013-06-05 07:06 62976 ----a-w- c:\windows\system32\pngfilt.dll
2013-06-05 07:06 . 2013-06-05 07:06 599552 ----a-w- c:\windows\system32\vbscript.dll
2013-06-05 07:06 . 2013-06-05 07:06 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-06-05 07:06 . 2013-06-05 07:06 51200 ----a-w- c:\windows\system32\imgutil.dll
2013-06-05 07:06 . 2013-06-05 07:06 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-06-05 07:06 . 2013-06-05 07:06 452096 ----a-w- c:\windows\system32\dxtmsft.dll
2013-06-05 07:06 . 2013-06-05 07:06 441856 ----a-w- c:\windows\system32\html.iec
2013-06-05 07:06 . 2013-06-05 07:06 281600 ----a-w- c:\windows\system32\dxtrans.dll
2013-06-05 07:06 . 2013-06-05 07:06 27648 ----a-w- c:\windows\system32\licmgr10.dll
2013-06-05 07:06 . 2013-06-05 07:06 270848 ----a-w- c:\windows\system32\iedkcs32.dll
2013-06-05 07:06 . 2013-06-05 07:06 247296 ----a-w- c:\windows\system32\webcheck.dll
2013-06-05 07:06 . 2013-06-05 07:06 235008 ----a-w- c:\windows\system32\url.dll
2013-06-05 07:06 . 2013-06-05 07:06 216064 ----a-w- c:\windows\system32\msls31.dll
2013-06-05 07:06 . 2013-06-05 07:06 173568 ----a-w- c:\windows\system32\ieUnatt.exe
2013-06-05 07:06 . 2013-06-05 07:06 167424 ----a-w- c:\windows\system32\iexpress.exe
2013-06-05 07:06 . 2013-06-05 07:06 1509376 ----a-w- c:\windows\system32\inetcpl.cpl
2013-06-05 07:06 . 2013-06-05 07:06 149504 ----a-w- c:\windows\system32\occache.dll
2013-06-05 07:06 . 2013-06-05 07:06 144896 ----a-w- c:\windows\system32\wextract.exe
2013-06-05 07:06 . 2013-06-05 07:06 1400416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-06-05 07:06 . 2013-06-05 07:06 13824 ----a-w- c:\windows\system32\mshta.exe
2013-06-05 07:06 . 2013-06-05 07:06 136192 ----a-w- c:\windows\system32\iepeers.dll
2013-06-05 07:06 . 2013-06-05 07:06 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-06-05 07:06 . 2013-06-05 07:06 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2013-06-05 07:06 . 2013-06-05 07:06 102912 ----a-w- c:\windows\system32\inseng.dll
2013-06-05 03:34 . 2013-07-11 15:31 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-06-04 06:00 . 2013-07-11 15:32 624128 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 04:53 . 2013-07-11 15:32 509440 ----a-w- c:\windows\SysWow64\qedit.dll
.
.
(((((((((((((((((((((((((((((((((((((   重要登入点   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-11-06 3673728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RunAIShell"="c:\program files (x86)\ASUS\AI Manager\AsShellApplication.exe" [2009-12-23 232064]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"tvncontrol"="c:\program files (x86)\TightVNC\tvnserver.exe" [2010-07-08 815704]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2010-05-06 115560]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"Sendori Tray"="c:\program files (x86)\Sendori\SendoriTray.exe" [2013-07-01 83232]
"DivXMediaServer"="c:\program files (x86)\DivX\DivX Media Server\DivXMediaServer.exe" [2013-01-30 450560]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe /start [2011-4-12 548528]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
UVA ITC Network Setup Tool Cert Checker.lnk - c:\windows\Installer\{A4766C69-E64B-47D4-984C-BE9E91FDDBF3}\_93C62315C0D5B38E0A1810.exe [2012-2-16 3262]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe "c:\programdata\Best Buy pc app\Best Buy pc app.application" [2011-2-25 15776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
   Ime File REG_SZ          GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 sndappv2;sndappv2;c:\program files (x86)\Sendori\sndappv2.exe;c:\program files (x86)\Sendori\sndappv2.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\DOWNLO~1\DMService.exe;c:\windows\DOWNLO~1\DMService.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe;c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtTeam60.sys;c:\windows\SYSNATIVE\DRIVERS\RtTeam60.sys [x]
R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan60.sys;c:\windows\SYSNATIVE\DRIVERS\RtVlan60.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.2);c:\windows\system32\DRIVERS\RtTeam60.sys;c:\windows\SYSNATIVE\DRIVERS\RtTeam60.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys;SysWow64\drivers\AsUpIO.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 Application Sendori;Application Sendori;c:\program files (x86)\Sendori\SendoriSvc.exe;c:\program files (x86)\Sendori\SendoriSvc.exe [x]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [x]
S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.11\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.11\aaHMSvc.exe [x]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.10\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.10\AsSysCtrlService.exe [x]
S2 Device Handle Service;Device Handle Service;c:\windows\SysWOW64\AsHookDevice.exe;c:\windows\SysWOW64\AsHookDevice.exe [x]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys;c:\windows\SYSNATIVE\DRIVERS\RtNdPt60.sys [x]
S2 Service Sendori;Service Sendori;c:\program files (x86)\Sendori\Sendori.Service.exe;c:\program files (x86)\Sendori\Sendori.Service.exe [x]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys;c:\windows\SYSNATIVE\DRIVERS\tmevtmgr.sys [x]
S2 tvnserver;TightVNC Server;c:\program files (x86)\TightVNC\tvnserver.exe;c:\program files (x86)\TightVNC\tvnserver.exe [x]
S2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [x]
S2 WysePocketCloud;Wyse PocketCloud;c:\program files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe;c:\program files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-30 02:13 1177552 ----a-w- c:\program files (x86)\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe
.
 ¡®¼Æ»®ÈÎÎñ¡¯ Îļþ¼Ð ÀïµÄÄÚÈÝ
.
2013-08-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 05:00]
.
2013-08-31 c:\windows\Tasks\dsmonitor.job
- c:\program files (x86)\Uniblue\DriverScanner\dsmonitor.exe [2013-03-09 19:47]
.
2013-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-02 14:52]
.
2013-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-02 14:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-02 11545192]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"PocketCloud Location"="c:\program files (x86)\Wyse\PocketCloud Windows Companion\WyseBrowser.exe" [2011-08-18 807936]
.
------- ¶øÍâµÄɨÃè -------
.
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: ½«×ª»»Á´½ÓÄ¿±êΪ Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: ½«Á´½ÓÄ¿±êת»»µ½ÏÖÓÐµÄ PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: ת»»Îª Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: ×·¼Óµ½ÏÖÓÐµÄ PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
Trusted Zone: virginia.edu\uva-anywhere-1.itc
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76


FF - ProfilePath - c:\users\lhygjw\AppData\Roaming\Mozilla\Firefox\Profiles\su3boazw.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Íê³Éʱ¼ä: 2013-08-31  17:58:07
ComboFix-quarantined-files.txt  2013-08-31 21:58
ComboFix2.txt  2013-08-31 21:40
.
Pre-Run: 370,937,929,728 bytes free
Post-Run: 370,634,158,080 bytes free
.
- - End Of File - - C4DE9F82742FE60E9BB81112A7588D32
4976D4A7A40B83FC7F06EE4BDD84EB9B
 


I'm not sure why those symbols are in the log but a little research comes up with "it's not uncommon".

Let's clean out any adware while you're here:

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.
If you agree with everything listed to be removed in the folders section...........

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC


Hi

I got confused by the following step:

"Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal."

I only downloaded the free version of MBAR and have the zipped file on my desktop. My understanding of "open up Malwarebytes" is to click on mbar.exe, but I didn't find the "Settings tab". Did I misunderstand this step??

 

Here are those two log files:

 

AdwCleaner[R0]

 

# AdwCleaner v3.001 - Report created 31/08/2013 at 20:48:08
# Updated 24/08/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : lhygjw - LHYGJW-PC
# Running from : C:\Users\lhygjw\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Users\Public\Desktop\DriverScanner.lnk
Folder Found : C:\Users\lhygjw\AppData\Roaming\Mozilla\Firefox\Profiles\su3boazw.default\Extensions\wecarereminder@bryan
Folder Found C:\Program Files (x86)\baidu
Folder Found C:\Program Files (x86)\Common Files\Tencent
Folder Found C:\Program Files (x86)\Tencent
Folder Found C:\Program Files (x86)\Uniblue\DriverScanner
Folder Found C:\ProgramData\baidu
Folder Found C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\DriverScanner
Folder Found C:\ProgramData\Tencent
Folder Found C:\ProgramData\WeCareReminder
Folder Found C:\Users\lhygjw\AppData\Local\Tencent
Folder Found C:\Users\lhygjw\AppData\LocalLow\baidu
Folder Found C:\Users\lhygjw\AppData\Roaming\baidu
Folder Found C:\Users\lhygjw\AppData\Roaming\OpenCandy
Folder Found C:\Users\lhygjw\AppData\Roaming\Tencent
Folder Found C:\Users\lhygjw\AppData\Roaming\Uniblue\DriverScanner

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\TENCENT
Key Found : HKCU\Software\wecarereminder
Key Found : [x64] HKCU\Software\Softonic
Key Found : [x64] HKCU\Software\TENCENT
Key Found : [x64] HKCU\Software\wecarereminder
Key Found : HKLM\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}
Key Found : HKLM\SOFTWARE\Classes\AppID\{6517DD27-EA6F-4947-9DEA-F9C487BB1020}
Key Found : HKLM\SOFTWARE\Classes\AppID\IEHelperv2.5.0.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Found : HKLM\SOFTWARE\Classes\driverscanner
Key Found : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder
Key Found : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6517DD27-EA6F-4947-9DEA-F9C487BB1020}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_daemon-tools_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_daemon-tools_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2F8CA82-2BD9-4513-B2D1-08A47914C1DA}_is1
Key Found : HKLM\Software\TENCENT
Key Found : HKLM\Software\Uniblue\DriverScanner

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16660

-\\ Mozilla Firefox v21.0 (en-US)

[ File : C:\Users\lhygjw\AppData\Roaming\Mozilla\Firefox\Profiles\su3boazw.default\prefs.js ]

-\\ Google Chrome v29.0.1547.62

[ File : C:\Users\lhygjw\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [3652 octets] - [31/08/2013 20:48:08]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3712 octets] ##########

 

AdwCleaner[s0]

 

# AdwCleaner v3.001 - Report created 31/08/2013 at 20:54:32
# Updated 24/08/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : lhygjw - LHYGJW-PC
# Running from : C:\Users\lhygjw\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\baidu
Folder Deleted : C:\ProgramData\Tencent
Folder Deleted : C:\ProgramData\WeCareReminder
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\DriverScanner
Folder Deleted : C:\Program Files (x86)\baidu
Folder Deleted : C:\Program Files (x86)\Tencent
Folder Deleted : C:\Program Files (x86)\Uniblue\DriverScanner
Folder Deleted : C:\Program Files (x86)\Common Files\Tencent
Folder Deleted : C:\Users\lhygjw\AppData\Local\Tencent
Folder Deleted : C:\Users\lhygjw\AppData\LocalLow\baidu
Folder Deleted : C:\Users\lhygjw\AppData\Roaming\baidu
Folder Deleted : C:\Users\lhygjw\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\lhygjw\AppData\Roaming\Tencent
Folder Deleted : C:\Users\lhygjw\AppData\Roaming\Uniblue\DriverScanner
Folder Deleted : C:\Users\lhygjw\AppData\Roaming\Mozilla\Firefox\Profiles\su3boazw.default\Extensions\wecarereminder@bryan
File Deleted : C:\Users\Public\Desktop\DriverScanner.lnk

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\IEHelperv2.5.0.DLL
Key Deleted : HKLM\SOFTWARE\Classes\driverscanner
Key Deleted : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder
Key Deleted : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_daemon-tools_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_daemon-tools_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6517DD27-EA6F-4947-9DEA-F9C487BB1020}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6517DD27-EA6F-4947-9DEA-F9C487BB1020}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\TENCENT
Key Deleted : HKCU\Software\wecarereminder
Key Deleted : HKLM\Software\TENCENT
Key Deleted : HKLM\Software\Uniblue\DriverScanner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2F8CA82-2BD9-4513-B2D1-08A47914C1DA}_is1

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16660

-\\ Mozilla Firefox v21.0 (en-US)

[ File : C:\Users\lhygjw\AppData\Roaming\Mozilla\Firefox\Profiles\su3boazw.default\prefs.js ]

-\\ Google Chrome v29.0.1547.62

[ File : C:\Users\lhygjw\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [3804 octets] - [31/08/2013 20:48:08]
AdwCleaner[R1].txt - [3864 octets] - [31/08/2013 20:53:36]
AdwCleaner[s0].txt - [3762 octets] - [31/08/2013 20:54:32]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [3822 octets] ##########

 

 

 

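As an added example (not code from this thread or from AdwCleaner), here is a Python parser for the v3 report format in the two logs above that compares the scan run with the clean run and lists any "Found" item the clean run did not report as "Deleted", which is the check a helper makes before moving on. It tolerates the missing colon on the "Folder Found" lines and treats a "[x64]"-tagged HKCU key as the same key as its untagged twin, since HKCU\Software is not WOW64-redirected; the embedded reports are constructed excerpts, with one registry key deliberately left out of the clean run so a leftover shows up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpts in the AdwCleaner v3 report format posted in this thread:
# the scan run ("[R0]", "Option : Scan") and the clean run ("[S0]", "Option : Clean").
# Format quirks copied from the real log: "File Found : path" carries a colon,
# "Folder Found path" does not, and x64-view registry keys carry an "[x64]" tag.
SCAN_REPORT = r"""
# AdwCleaner v3.001 - Report created 31/08/2013 at 20:48:08
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Users\Public\Desktop\DriverScanner.lnk
Folder Found C:\Program Files (x86)\baidu
Folder Found C:\ProgramData\WeCareReminder

***** [ Registry ] *****

Key Found : HKCU\Software\Softonic
Key Found : [x64] HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKLM\Software\Uniblue\DriverScanner

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16660
"""

# Constructed: the Uniblue key is deliberately absent from this clean run.
CLEAN_REPORT = r"""
# AdwCleaner v3.001 - Report created 31/08/2013 at 20:54:32
# Option : Clean

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\WeCareReminder
Folder Deleted : C:\Program Files (x86)\baidu
File Deleted : C:\Users\Public\Desktop\DriverScanner.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Softonic
"""

OPTION_RE = re.compile(r"^# Option : (?P<option>\w+)$")
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
# "<kind> <Found|Deleted>" followed by an optional colon, an optional "[x64]" tag
# and the path or registry key; the colon is optional because "Folder Found" lacks it.
ENTRY_RE = re.compile(
    r"^(?P<kind>File|Folder|Key|Value|Service|Shortcut) (?P<action>Found|Deleted)"
    r"\s*:?\s*(?:(?P<arch>\[x64\])\s*)?(?P<target>\S.*?)\s*$"
)


@dataclass(frozen=True)
class Finding:
    section: str
    kind: str
    action: str
    target: str

    def identity(self) -> tuple:
        # Case-insensitive, as Windows paths and registry keys are. The [x64] tag is
        # not part of the identity: HKCU\Software is not WOW64-redirected, so the
        # tagged and untagged lines name one key and a single deletion covers both.
        return (self.kind, self.target.lower())


def parse_report(text: str) -> tuple[str, list[Finding]]:
    """Return (option, findings) from an AdwCleaner v3 report."""
    option, section, findings = "", "", []
    for line in text.splitlines():
        line = line.strip()
        if m := OPTION_RE.match(line):
            option = m["option"]
        elif m := SECTION_RE.match(line):
            section = m["name"]
        elif m := ENTRY_RE.match(line):
            findings.append(Finding(section, m["kind"], m["action"], m["target"]))
    return option, findings


def leftovers(scan_text: str, clean_text: str) -> list[Finding]:
    """Scan findings that the clean run did not report as deleted."""
    scan_opt, found = parse_report(scan_text)
    clean_opt, deleted = parse_report(clean_text)
    if scan_opt != "Scan" or clean_opt != "Clean":
        raise ValueError(f"expected Scan then Clean, got {scan_opt!r}/{clean_opt!r}")
    removed = {f.identity() for f in deleted if f.action == "Deleted"}
    return [f for f in found if f.action == "Found" and f.identity() not in removed]


if __name__ == "__main__":
    for f in leftovers(SCAN_REPORT, CLEAN_REPORT):
        print(f"still present after clean: [{f.section}] {f.kind} {f.target}")
```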

I'm sorry....I thought you had Malwarebytes Anti-Malware on the system. (MBAR is different)

You can download it here: (free version)

http://fileforum.betanews.com/detail/Malwarebytes-AntiMalware/1186760019/1

Here's a tutorial on how to use it:

http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial

Mrc


Thanks!

I installed Malwarebytes Anti-Malware and then followed your instruction. The quick scan found one infection. What should I do next? How do I know whether my computer is back to normal?

 

Here is the log:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.31.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
lhygjw :: LHYGJW-PC [administrator]

Protection: Disabled

8/31/2013 9:46:40 PM
mbam-log-2013-08-31 (21-46-40).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225814
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\4004f81.msi (PUP.Optional.WeCare.A) -> Quarantined and deleted successfully.

(end)


It should be back to normal now, how is it???

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

It looks normal..... Nothing strange shows up.

 

Here is the checkup text:

 

 Results of screen317's Security Check version 0.99.73 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 Windows Firewall Disabled! 
Trend Micro Titanium Internet Security  
Symantec Endpoint Protection            
 Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 6 Update 26 
 Java version out of Date!
 Adobe Flash Player 11.8.800.94 
 Adobe Reader 10.1.7 Adobe Reader out of Date! 
 Mozilla Firefox 21.0 Firefox out of Date! 
 Google Chrome 29.0.1547.57 
 Google Chrome 29.0.1547.62 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Malwarebytes Anti-Malware mbam.exe 
 Trend Micro AMSP coreServiceShell.exe 
 Trend Micro UniClient UiFrmWrk uiWatchDog.exe
 Trend Micro AMSP coreFrameworkHost.exe 
 Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


---------------------------------------

Java™ 6 Update 26 <---please uninstall from your add/remove programs

Java version out of Date! <-------Download and install the latest version (Java™ 7 Update 25) from Here. Uncheck the box to install the Ask toolbar!!! and any other free "stuff".


Adobe Reader 10.1.7 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

Mozilla Firefox 21.0 Firefox out of Date! <-----please check for an update if available

------------------------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used FRST:
Download the fixlist.txt to the same folder as FRST.
Run FRST and click Fix only once and wait
That will delete the quarantine folder created by FRST.

-----------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Thank you so much!

 

I have done all the updates and clean-ups. Everything went smoothly, with only one thing: when I updated Java 7, after finishing the install, there was an error reported: "BrowerLaunchError:3"

 

Does this mean anything abnormal? I am super cautious now :) 

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.