I keep getting redirected to Nginx, please help!

[Toaru]

Hi, this started only today. I try to go on a site and a malware warning pops up and then i get redirected to a page saying nginx web server was installed.

 

i attached a screenshot of it. how do i get rid of this???

[MrCharlie]

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

[Toaru]

DDS.TXT

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7600.16700  BrowserJavaVersion: 10.45.2
Run by Wei at 20:56:13 on 2013-11-26
Microsoft Windows 7 Enterprise   6.1.7600.0.1252.1.1033.18.2046.917 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Tablet\Pen\WacomHost.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\FixCamera.exe
C:\Windows\tsnp2std.exe
C:\Windows\vsnp2std.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\3.0.285\SSScheduler.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.

BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: WebGuard: {45B9637E-351B-7FAB-4362-0E1519ABA160} -
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [AdobeBridge] <no file>
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [kxesc] "c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" -autorun
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [20131121] c:\program files\avast software\avast\setup\emupdate\faae6410-b8be-4742-ac2c-28a42afc7e7d.exe /check
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.285\SSScheduler.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{662D631C-F11A-4F81-ABF8-CE39041A1AC6} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\wei\appdata\roaming\mozilla\firefox\profiles\si0nzlfc.default\
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\qqmailplugin\npQQMailWebKit.dll
FF - plugin: c:\program files\qqmailplugin\nptxftnWebKit.dll
FF - plugin: c:\program files\tabletplugins\npWacomTabletPlugin.dll
FF - plugin: c:\users\wei\appdata\local\google\update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_152.dll
FF - ExtSQL: !HIDDEN! 2012-04-03 18:19; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-6-25 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-6-25 175176]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2013-1-26 20624]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-6-25 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-6-25 369584]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2013-5-15 22312]
R1 QQProtect;QQProtect;c:\windows\system32\drivers\QQProtect.sys [2013-9-4 173152]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-6-25 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-6-25 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-6-25 46808]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-10-8 369256]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-1-27 3027840]
R2 WTabletServiceCon;Wacom Consumer Service;c:\program files\tablet\pen\WTabletServiceCon.exe [2013-9-15 528256]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 WebGuardUpdate;Tencent WebGuard Update Service;c:\program files\tencent\webguard\webguardupdate.exe /service --> c:\program files\tencent\webguard\WebGuardUpdate.exe  [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 hidkmdf;KMDF Driver;c:\windows\system32\drivers\hidkmdf.sys [2013-9-15 11680]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.285\McCHSvc.exe [2012-9-5 234776]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WacHidRouter;Wacom Hid Router;c:\windows\system32\drivers\wachidrouter.sys [2013-9-15 70048]
S3 wacomrouterfilter;Wacom Router Filter Driver;c:\windows\system32\drivers\wacomrouterfilter.sys [2013-9-15 13728]
S3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [2012-9-29 666720]
.
=============== Created Last 30 ================
.
2013-11-27 01:17:01    --------    d-----w-    C:\AdwCleaner
2013-11-27 00:55:54    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-11-27 00:55:53    105176    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-27 00:55:30    75992    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-11-26 23:13:12    --------    d-----w-    c:\users\wei\appdata\roaming\Anvisoft
2013-11-26 23:12:59    --------    d-----w-    c:\programdata\Anvisoft
2013-11-26 23:12:57    --------    d-----w-    c:\program files\Anvisoft
2013-11-26 22:38:47    --------    d-----w-    c:\program files\Enigma Software Group
2013-11-26 22:38:05    --------    d-----w-    c:\windows\220FB0354744483A9A0B41DF77061583.TMP
2013-11-26 22:38:04    --------    d-----w-    c:\program files\common files\Wise Installation Wizard
2013-11-22 03:03:22    --------    d-----w-    c:\programdata\McAfee Security Scan
2013-11-22 03:03:19    --------    d-----w-    c:\program files\McAfee Security Scan
2013-10-31 19:21:49    --------    d-----w-    c:\program files\Canon
2013-10-31 19:19:37    --------    d-----w-    c:\program files\common files\Canon
2013-10-28 23:24:32    --------    d-----w-    c:\users\wei\.Creative-Scape.net
.
==================== Find3M  ====================
.
2013-11-22 03:03:17    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-22 03:03:17    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-08 11:50:41    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
.
============= FINISH: 20:56:36.53 ===============
 

 

ATTACH.TXT

 

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 1/27/2012 12:12:16 PM
System Uptime: 11/26/2013 8:26:44 PM (0 hours ago)
.
Motherboard: Foxconn |  | G31MXP/G31MXP-K
Processor: Intel® Core2 Quad CPU    Q8300  @ 2.50GHz | Socket 775 | 2498/333mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 89.426 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet 4500 G510n-z
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet 4500 G510n-z
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID:
Description:
Device ID: ACPI\PNP0510\4&1301ABF&0
Manufacturer:
Name:
PNP Device ID: ACPI\PNP0510\4&1301ABF&0
Service:
.
Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: Unknown Device
Device ID: USB\VID_0000&PID_0000\5&38C522B7&0&1
Manufacturer: (Standard USB Host Controller)
Name: Unknown Device
PNP Device ID: USB\VID_0000&PID_0000\5&38C522B7&0&1
Service:
.
==== System Restore Points ===================
.
RP191: 11/23/2013 2:58:52 AM - Scheduled Checkpoint
RP192: 11/26/2013 5:38:11 PM - Installed SpyHunter
RP193: 11/26/2013 6:06:48 PM - Removed SpyHunter
RP194: 11/26/2013 6:07:44 PM - Removed SpyHunter
RP195: 11/26/2013 7:46:31 PM - Removed SpyHunter
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
4500_G510nz_Help
4500G510nz
4500G510nz_Software_Min
Adobe AIR
Adobe Content Viewer
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Help Manager
Adobe Photoshop CS5.1
Adobe Reader XI (11.0.03)
Adobe Shockwave Player 11.6
AIM 7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.3.14 (Unicode)
avast! Free Antivirus
Bonjour
BufferChm
Canon Utilities Digital Photo Professional 3.10
Canon Utilities EOS Utility
Canon Utilities Movie Uploader for YouTube
Canon Utilities PhotoStitch
Defraggler
Destinations
DeviceDiscovery
DocMgr
DocProc
Fax
Google Chrome
GPBaseService2
HP Customer Participation Program 13.0
HP Document Manager 2.0
HP Imaging Device Functions 13.0
HP Officejet 4500 G510n-z
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HPProductAssistant
Intel® Graphics Media Accelerator Driver
Intel® TV Wizard
iTunes
Java 7 Update 45
Java Auto Updater
LAME v3.99.3 (for Windows)
MarketResearch
McAfee Security Scan Plus
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox 25.0.1 (x86 en-US)
Mozilla Maintenance Service
Network
NVIDIA 3D Vision Driver 260.89
NVIDIA Control Panel 260.89
NVIDIA Graphics Driver 260.89
NVIDIA HD Audio Driver 1.1.9.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.10.0514
NVIDIA Stereoscopic 3D Driver
OCR Software by I.R.I.S. 13.0
Origin
PDF Settings CS5
PunkBuster Services
QuickTime
Scan
Skype™ 5.5
SmartWebPrinting
SolutionCenter
Status
TeamViewer 7
Toolbox
TrayApp
USB2.0 PC Camera (SN9C201&202)
VLC media player 1.1.11
Wacom
WebGuard
WebReg
WebTablet FB Plugin 32 bit
WinRAR 4.10 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
11/26/2013 8:27:05 PM, Error: Service Control Manager [7000]  - The Tencent WebGuard Update Service service failed to start due to the following error:  The system cannot find the file specified.
11/26/2013 8:21:20 PM, Error: Service Control Manager [7034]  - The Bonjour Service service terminated unexpectedly.  It has done this 1 time(s).
11/26/2013 8:15:15 PM, Error: mbamchameleon [61440]  -
11/22/2013 2:00:28 PM, Error: Microsoft-Windows-Application-Experience [205]  - The Program Compatibility Assistant service failed to perform the phase two initialization.
11/21/2013 6:26:08 PM, Error: Service Control Manager [7034]  - The iPod Service service terminated unexpectedly.  It has done this 1 time(s).
.
==== End Of File ===========================
 

[Toaru]

roguekiller report

 

 

 

RogueKiller V8.7.9 [Nov 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Wei [Admin rights]
Mode : Scan -- Date : 11/26/2013 21:03:26
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[66] : NtCreateFile @ 0x8325AF0E -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAF1FD0)
[Address] SSDT[87] : NtCreateThread @ 0x832EAC6A -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAED73A)
[Address] SSDT[88] : NtCreateThreadEx @ 0x83248DD1 -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAEDB9A)
[Address] SSDT[102] : NtDeleteFile @ 0x831CAA0E -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAF1E66)
[Address] SSDT[179] : NtOpenFile @ 0x8328A654 -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAF2172)
[Address] SSDT[190] : NtOpenProcess @ 0x832915C1 -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAF715A)
[Address] SSDT[217] : NtQueryAttributesFile @ 0x83272BD8 -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAF7B6A)
[Address] SSDT[269] : NtQueueApcThread @ 0x831FCB48 -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAF8090)
[Address] SSDT[277] : NtReadVirtualMemory @ 0x83293C09 -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAE7B02)
[Address] SSDT[316] : NtSetContextThread @ 0x832EBD6F -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAF75DC)
[Address] SSDT[329] : NtSetInformationFile @ 0x8325FF3F -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAF1DAA)
[Address] Shadow SSDT[396] : NtUserFindWindowEx -> HOOKED (C:\Windows\System32\drivers\QQProtect.sys @ 0x8DAE948A)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1    localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD1600HLHX-60JJPV0 ATA Device +++++
--- User ---
[MBR] 2299356359541f1b48428cdf444a8c8b
[bSP] 296e94dfad9a6f0cdf523b03adf4d84f : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_11262013_210326.txt >>


 

[MrCharlie]

What browser(s) does this happen in????

Please do this:

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look like this, not "sponsored ad links":

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

[Toaru]

hi, this is happening in both firefox and google chrome.

 

FRST.TXT

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-11-2013 01
Ran by Wei (administrator) on WEI-PC on 26-11-2013 21:12:29
Running from C:\Users\Wei\Desktop
Microsoft Windows 7 Enterprise  (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Wacom Technology) C:\Program Files\Tablet\Pen\WacomHost.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
() C:\Windows\System32\PnkBstrA.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
() C:\Windows\FixCamera.exe
(SONIX) C:\Windows\tsnp2std.exe
(Sonix) C:\Windows\vsnp2std.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.0.285\SSScheduler.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [bCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\hpwuschd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Run: [switchBoard] - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] - C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [4858968 2013-05-09] (AVAST Software)
HKLM\...\Run: [FixCamera] - C:\Windows\FixCamera.exe [20480 2007-02-12] ()
HKLM\...\Run: [tsnp2std] - C:\Windows\tsnp2std.exe [262144 2007-02-13] (SONIX)
HKLM\...\Run: [snp2std] - C:\Windows\vsnp2std.exe [344064 2006-12-05] (Sonix)
HKLM\...\Run: [kxesc] - "c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" -autorun
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKLM\...\Run: [20131121] - C:\Program Files\AVAST Software\Avast\Setup\emupdate\faae6410-b8be-4742-ac2c-28a42afc7e7d.exe [180184 2013-11-23] (AVAST Software)
HKCU\...\Run: [Aim] - C:\Program Files\AIM\aim.exe [4321112 2011-05-03] (AOL Inc.)
HKCU\...\Run: [AdobeBridge] - [x]
HKCU\...\Run: [Akamai NetSession Interface] - "C:\Users\Wei\AppData\Local\Akamai\netsession_win.exe"
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {0233541d-6318-11e1-8913-90fba6edbae1} - E:\LaunchU3.exe -a

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x9215BC5017DDCC01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
SearchScopes: HKLM - DefaultScope value is missing.
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: WebGuard - {45B9637E-351B-7FAB-4362-0E1519ABA160} - C:\Program Files\TENCENT\WebGuard\webguard.dll No File
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: 127.0.0.1    localhost
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Wei\AppData\Roaming\Mozilla\Firefox\Profiles\si0nzlfc.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_152.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @kingsfot.com/npkws - c:\program files\kingsoft\kingsoft antivirus\npkws.dll No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll No File
FF Plugin: @nvidia.com/3DVision - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin: @pandonetworks.com/PandoWebPlugin - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin: @qq.com/npqscall - C:\Program Files\Common Files\Tencent\Npchrome\npactivex.dll No File
FF Plugin: @qq.com/QQPhotoDrawEx - C:\Program Files\Tencent\Qzone\Ver_247.312\npQQPhotoDrawEx.dll No File
FF Plugin: @qq.com/QzoneMusic - C:\Program Files\Tencent\QZoneMusic\2013.9.4.23.3.16\npQzoneMusic.dll No File
FF Plugin: @qq.com/TXSSO - C:\Program Files\Common Files\Tencent\TXSSO\1.2.2.22\Bin\npSSOAxCtrlForPTLogin.dll No File
FF Plugin: @tencent.com/npQQMailWebKit,version=1.0.0.1 - C:\Program Files\QQMailPlugin\npQQMailWebKit.dll (Tencent)
FF Plugin: @tencent.com/nptxftnWebKit,version=1.0.0.1 - C:\Program Files\QQMailPlugin\nptxftnWebKit.dll (Tencent Technology (Shenzhen) Company Limited)
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.2 - C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Wei\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Wei\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: wacom.com/WacomTabletPlugin - C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Extension: tabmix - C:\Users\Wei\AppData\Roaming\Mozilla\Firefox\Profiles\si0nzlfc.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======
CHR DefaultSearchURL: (Search the web (Babylon)) - http://www.google.com
CHR DefaultSuggestURL: (Search the web (Babylon)) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR Plugin: (Shockwave Flash) - C:\Users\Wei\AppData\Local\Google\Chrome\Application\31.0.1650.57\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Wei\AppData\Local\Google\Chrome\Application\31.0.1650.57\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Wei\AppData\Local\Google\Chrome\Application\31.0.1650.57\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Java Platform SE 7 U17) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (Pando Web Plugin) - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Google Update) - C:\Users\Wei\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.170.2) - C:\Windows\system32\npDeployJava1.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
CHR Extension: (Google Wallet) - C:\Users\Wei\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR StartMenuInternet: Google Chrome - C:\Users\Wei\AppData\Local\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-05-09] (AVAST Software)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe [234776 2012-09-05] (McAfee, Inc.)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2012-10-07] ()
R2 WTabletServiceCon; C:\Program Files\Tablet\Pen\WTabletServiceCon.exe [528256 2012-12-11] (Wacom Technology, Corp.)
S3 xsherlock; C:\Windows\system32\xsherlock.xem [666720 2012-09-29] (Wellbia.com Co., Ltd.)
S2 WebGuardUpdate; C:\Program Files\Tencent\WebGuard\WebGuardUpdate.exe /Service [x]

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [29816 2013-05-09] (AVAST Software)
R1 aswKbd; C:\Windows\System32\Drivers\aswKbd.sys [20624 2012-10-30] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [66336 2013-05-09] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [61680 2013-05-09] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49376 2013-05-09] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [770344 2013-06-27] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [369584 2013-06-27] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [56080 2013-05-09] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [175176 2013-06-27] ()
R1 ElRawDisk; C:\Windows\system32\drivers\rsdrv.sys [22312 2009-02-12] (EldoS Corporation)
S3 hidkmdf; C:\Windows\System32\DRIVERS\hidkmdf.sys [11680 2012-12-03] (Windows ® Win 7 DDK provider)
R1 QQProtect; C:\Windows\system32\drivers\QQProtect.sys [173152 2013-08-05] (Tencent)
R3 SNP2STD; C:\Windows\System32\DRIVERS\snp2sxp.sys [12007296 2007-03-10] ()
S3 WacHidRouter; C:\Windows\System32\DRIVERS\wachidrouter.sys [70048 2012-12-03] (Wacom Technology)
S3 wacomrouterfilter; C:\Windows\System32\DRIVERS\wacomrouterfilter.sys [13728 2012-11-15] (Wacom Technology)
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [x]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S3 FXDrv32; \??\D:\FXDrv32.sys [x]
S3 vtany; \??\C:\Windows\vtany.sys [x]
S3 XDva390; \??\C:\Windows\system32\XDva390.sys [x]
S3 XDva394; \??\C:\Windows\system32\XDva394.sys [x]
S3 XDva397; \??\C:\Windows\system32\XDva397.sys [x]
S3 XDva400; \??\C:\Windows\system32\XDva400.sys [x]
S3 XDva404; \??\C:\Windows\system32\XDva404.sys [x]
S3 XDva405; \??\C:\Windows\system32\XDva405.sys [x]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [x]
S3 xspirit; \??\C:\Windows\xspirit.sys [x]
U3 mbr; \??\C:\Users\Wei\AppData\Local\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-26 21:12 - 2013-11-26 21:13 - 00016691 _____ C:\Users\Wei\Desktop\FRST.txt
2013-11-26 21:12 - 2013-11-26 21:12 - 01091605 _____ (Farbar) C:\Users\Wei\Desktop\FRST.exe
2013-11-26 21:12 - 2013-11-26 21:12 - 00000000 ____D C:\FRST
2013-11-26 21:03 - 2013-11-26 21:03 - 00003141 _____ C:\Users\Wei\Desktop\RKreport[0]_S_11262013_210326.txt
2013-11-26 20:56 - 2013-11-26 20:56 - 00013316 _____ C:\Users\Wei\Desktop\dds.txt
2013-11-26 20:56 - 2013-11-26 20:56 - 00005524 _____ C:\Users\Wei\Desktop\attach.txt
2013-11-26 20:55 - 2013-11-26 20:56 - 00688992 ____R (Swearware) C:\Users\Wei\Desktop\dds.scr
2013-11-26 20:17 - 2013-11-26 20:26 - 00000000 ____D C:\AdwCleaner
2013-11-26 20:16 - 2013-11-26 20:16 - 01091882 _____ C:\Users\Wei\Desktop\adwcleaner.exe
2013-11-26 19:55 - 2013-11-26 20:15 - 00000000 ____D C:\Users\Wei\Desktop\mbar
2013-11-26 19:55 - 2013-11-26 20:15 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-11-26 19:55 - 2013-11-26 19:55 - 00105176 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2013-11-26 19:55 - 2013-11-26 19:55 - 00075992 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2013-11-26 19:54 - 2013-11-26 19:54 - 12576792 _____ (Malwarebytes Corp.) C:\Users\Wei\Desktop\mbar-1.07.0.1007.exe
2013-11-26 19:50 - 2013-11-26 19:54 - 00000000 ____D C:\Users\Wei\Desktop\RK_Quarantine
2013-11-26 19:46 - 2013-11-26 19:46 - 03687936 _____ C:\Users\Wei\Desktop\RogueKiller.exe
2013-11-26 18:13 - 2013-11-26 19:46 - 00000000 ____D C:\Users\Wei\AppData\Roaming\Anvisoft
2013-11-26 18:12 - 2013-11-26 19:46 - 00000000 ____D C:\Program Files\Anvisoft
2013-11-26 18:12 - 2013-11-26 18:12 - 00000000 ____D C:\ProgramData\Anvisoft
2013-11-26 17:38 - 2013-11-26 19:47 - 00000000 ____D C:\Windows\220FB0354744483A9A0B41DF77061583.TMP
2013-11-26 17:38 - 2013-11-26 17:38 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-11-26 17:38 - 2013-11-26 17:38 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2013-11-24 08:06 - 2013-11-24 08:06 - 00000000 ____D C:\Users\Wei\Downloads\Johnny English (2003)
2013-11-23 10:06 - 2013-11-23 10:18 - 00000000 ____D C:\Users\Wei\Downloads\The.Grandmaster.2013.BDRip.XviD-ESPiSE
2013-11-21 22:03 - 2013-11-21 22:03 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2013-11-21 22:03 - 2013-11-21 22:03 - 00000000 ____D C:\Program Files\McAfee Security Scan
2013-11-15 22:08 - 2013-11-15 22:08 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-14 07:51 - 2013-11-14 07:51 - 00000000 ____D C:\Users\Wei\Downloads\Stuck.In.Love.2012.BRRip XViD juggs
2013-10-31 15:57 - 2013-11-21 19:14 - 00000000 ____D C:\Users\Wei\Desktop\canon
2013-10-31 14:22 - 2013-10-31 14:22 - 00001102 _____ C:\Users\Public\Desktop\Digital Photo Professional.lnk
2013-10-31 14:22 - 2013-10-31 14:22 - 00001037 _____ C:\Users\Public\Desktop\EOS Utility.lnk
2013-10-31 14:21 - 2013-10-31 14:22 - 00000000 ____D C:\Program Files\Canon
2013-10-31 14:19 - 2013-10-31 14:19 - 00000000 ____D C:\Program Files\Common Files\Canon
2013-10-29 15:25 - 2013-10-29 15:31 - 00000000 ____D C:\Users\Wei\Downloads\The Shining (1980)
2013-10-28 18:24 - 2013-10-28 18:26 - 00000000 ____D C:\Users\Wei\.Creative-Scape.net
2013-10-28 17:32 - 2013-10-28 17:32 - 00000000 ____D C:\Users\Wei\Documents\AeriaGames
2013-10-27 19:43 - 2013-10-27 19:43 - 00000000 ____D C:\Users\Wei\AppData\Local\EMU

==================== One Month Modified Files and Folders =======

2013-11-26 21:13 - 2013-11-26 21:12 - 00016691 _____ C:\Users\Wei\Desktop\FRST.txt
2013-11-26 21:12 - 2013-11-26 21:12 - 01091605 _____ (Farbar) C:\Users\Wei\Desktop\FRST.exe
2013-11-26 21:12 - 2013-11-26 21:12 - 00000000 ____D C:\FRST
2013-11-26 21:03 - 2013-11-26 21:03 - 00003141 _____ C:\Users\Wei\Desktop\RKreport[0]_S_11262013_210326.txt
2013-11-26 20:58 - 2012-01-27 12:24 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1509593049-3746581815-257761438-1001UA.job
2013-11-26 20:56 - 2013-11-26 20:56 - 00013316 _____ C:\Users\Wei\Desktop\dds.txt
2013-11-26 20:56 - 2013-11-26 20:56 - 00005524 _____ C:\Users\Wei\Desktop\attach.txt
2013-11-26 20:56 - 2013-11-26 20:55 - 00688992 ____R (Swearware) C:\Users\Wei\Desktop\dds.scr
2013-11-26 20:34 - 2009-07-13 23:34 - 00014544 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-26 20:34 - 2009-07-13 23:34 - 00014544 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-26 20:31 - 2010-12-13 14:29 - 00778150 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-26 20:30 - 2012-01-27 12:12 - 01403237 _____ C:\Windows\WindowsUpdate.log
2013-11-26 20:27 - 2012-10-07 10:51 - 00000000 ____D C:\ProgramData\NVIDIA
2013-11-26 20:26 - 2013-11-26 20:17 - 00000000 ____D C:\AdwCleaner
2013-11-26 20:26 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-26 20:26 - 2009-07-13 23:39 - 00106240 _____ C:\Windows\setupact.log
2013-11-26 20:23 - 2012-09-29 17:59 - 00000000 ____D C:\ProgramData\NexonUS
2013-11-26 20:20 - 2012-01-28 09:33 - 00057808 _____ C:\Windows\PFRO.log
2013-11-26 20:16 - 2013-11-26 20:16 - 01091882 _____ C:\Users\Wei\Desktop\adwcleaner.exe
2013-11-26 20:15 - 2013-11-26 19:55 - 00000000 ____D C:\Users\Wei\Desktop\mbar
2013-11-26 20:15 - 2013-11-26 19:55 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-11-26 19:55 - 2013-11-26 19:55 - 00105176 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2013-11-26 19:55 - 2013-11-26 19:55 - 00075992 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2013-11-26 19:54 - 2013-11-26 19:54 - 12576792 _____ (Malwarebytes Corp.) C:\Users\Wei\Desktop\mbar-1.07.0.1007.exe
2013-11-26 19:54 - 2013-11-26 19:50 - 00000000 ____D C:\Users\Wei\Desktop\RK_Quarantine
2013-11-26 19:48 - 2013-06-08 12:11 - 00000000 ____D C:\Users\Wei\AppData\Roaming\uTorrent
2013-11-26 19:47 - 2013-11-26 17:38 - 00000000 ____D C:\Windows\220FB0354744483A9A0B41DF77061583.TMP
2013-11-26 19:46 - 2013-11-26 19:46 - 03687936 _____ C:\Users\Wei\Desktop\RogueKiller.exe
2013-11-26 19:46 - 2013-11-26 18:13 - 00000000 ____D C:\Users\Wei\AppData\Roaming\Anvisoft
2013-11-26 19:46 - 2013-11-26 18:12 - 00000000 ____D C:\Program Files\Anvisoft
2013-11-26 19:27 - 2012-01-27 12:29 - 00000000 ____D C:\Program Files\AIM
2013-11-26 18:18 - 2012-10-05 20:51 - 00000000 ____D C:\Program Files\Adobe Download Assistant
2013-11-26 18:12 - 2013-11-26 18:12 - 00000000 ____D C:\ProgramData\Anvisoft
2013-11-26 17:58 - 2012-01-27 12:24 - 00000848 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1509593049-3746581815-257761438-1001Core.job
2013-11-26 17:38 - 2013-11-26 17:38 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-11-26 17:38 - 2013-11-26 17:38 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2013-11-24 08:06 - 2013-11-24 08:06 - 00000000 ____D C:\Users\Wei\Downloads\Johnny English (2003)
2013-11-23 10:18 - 2013-11-23 10:06 - 00000000 ____D C:\Users\Wei\Downloads\The.Grandmaster.2013.BDRip.XviD-ESPiSE
2013-11-22 00:21 - 2012-01-27 12:25 - 00000000 ____D C:\Users\Wei\AppData\Local\Adobe
2013-11-21 22:03 - 2013-11-21 22:03 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2013-11-21 22:03 - 2013-11-21 22:03 - 00000000 ____D C:\Program Files\McAfee Security Scan
2013-11-21 22:03 - 2012-09-20 16:04 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-11-21 22:03 - 2012-01-27 12:24 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-11-21 19:14 - 2013-10-31 15:57 - 00000000 ____D C:\Users\Wei\Desktop\canon
2013-11-19 17:05 - 2012-01-28 09:33 - 00000000 ____D C:\Users\Wei\AppData\Roaming\Skype
2013-11-17 12:56 - 2012-04-25 18:03 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-11-15 22:08 - 2013-11-15 22:08 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-14 22:46 - 2013-08-28 06:49 - 00000000 __SHD C:\AI_RecycleBin
2013-11-14 22:46 - 2013-06-11 21:36 - 00000000 __SHD C:\Windows\system32\AI_RecycleBin
2013-11-14 20:56 - 2013-06-11 21:35 - 00000000 ____D C:\Users\Wei\AppData\Roaming\Riot Games
2013-11-14 07:51 - 2013-11-14 07:51 - 00000000 ____D C:\Users\Wei\Downloads\Stuck.In.Love.2012.BRRip XViD juggs
2013-11-05 14:30 - 2013-09-04 22:02 - 00000000 ____D C:\Users\Wei\Documents\Tencent Files
2013-10-31 14:22 - 2013-10-31 14:22 - 00001102 _____ C:\Users\Public\Desktop\Digital Photo Professional.lnk
2013-10-31 14:22 - 2013-10-31 14:22 - 00001037 _____ C:\Users\Public\Desktop\EOS Utility.lnk
2013-10-31 14:22 - 2013-10-31 14:21 - 00000000 ____D C:\Program Files\Canon
2013-10-31 14:19 - 2013-10-31 14:19 - 00000000 ____D C:\Program Files\Common Files\Canon
2013-10-29 15:31 - 2013-10-29 15:25 - 00000000 ____D C:\Users\Wei\Downloads\The Shining (1980)
2013-10-28 18:26 - 2013-10-28 18:24 - 00000000 ____D C:\Users\Wei\.Creative-Scape.net
2013-10-28 18:24 - 2012-01-27 12:12 - 00000000 ____D C:\Users\Wei
2013-10-28 17:32 - 2013-10-28 17:32 - 00000000 ____D C:\Users\Wei\Documents\AeriaGames
2013-10-27 19:43 - 2013-10-27 19:43 - 00000000 ____D C:\Users\Wei\AppData\Local\EMU

Files to move or delete:
====================
C:\Users\Wei\jagex_cl_loginapplet_LIVE.dat
C:\Users\Wei\jagex_cl_oldschool_LIVE.dat
C:\Users\Wei\jagex_cl_runescape_LIVE.dat
C:\Users\Wei\random.dat


Some content of TEMP:
====================
C:\Users\Wei\AppData\Local\Temp\hcuninstaller_20131008_174105_2504.exe
C:\Users\Wei\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Wei\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Wei\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\Wei\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Wei\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe
C:\Users\Wei\AppData\Local\Temp\NGM.exe
C:\Users\Wei\AppData\Local\Temp\NGMDll.dll
C:\Users\Wei\AppData\Local\Temp\NGMResource.dll
C:\Users\Wei\AppData\Local\Temp\NGMSetup.exe
C:\Users\Wei\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Wei\AppData\Local\Temp\qqsafeud.exe
C:\Users\Wei\AppData\Local\Temp\Quarantine.exe
C:\Users\Wei\AppData\Local\Temp\QzoneMusic.exe
C:\Users\Wei\AppData\Local\Temp\SHSetup.exe
C:\Users\Wei\AppData\Local\Temp\StpA26E_TMP.EXE
C:\Users\Wei\AppData\Local\Temp\StpD1C7_TMP.EXE
C:\Users\Wei\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Wei\AppData\Local\Temp\swt-win32-3740.dll
C:\Users\Wei\AppData\Local\Temp\ubi5661.tmp.exe
C:\Users\Wei\AppData\Local\Temp\unicows.dll
C:\Users\Wei\AppData\Local\Temp\Uninstaller-5920.exe
C:\Users\Wei\AppData\Local\Temp\uttCC0B.tmp.exe
C:\Users\Wei\AppData\Local\Temp\vrayuninst.dll


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-11-20 00:29

==================== End Of Log ============================

 

 

 

ADDITION.txt

 

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 25-11-2013 01
Ran by Wei at 2013-11-26 21:14:43
Running from C:\Users\Wei\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: avast! Antivirus (Enabled - Up to date) {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AS: avast! Antivirus (Enabled - Up to date) {904CF271-6431-DA47-5FCE-A87D98DFB681}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

32 Bit HP CIO Components Installer (Version: 7.1.8)
4500_G510nz_Help (Version: 000.0.439.000)
4500G510nz (Version: 000.0.439.000)
4500G510nz_Software_Min (Version: 000.0.423.000)
Adobe AIR (Version: 3.3.0.3670)
Adobe Content Viewer (Version: 1.4.0)
Adobe Download Assistant (Version: 1.2.3)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Flash Player 11 Plugin (Version: 11.9.900.152)
Adobe Help Manager (Version: 4.0.244)
Adobe Photoshop CS5.1 (Version: 12.1)
Adobe Reader XI (11.0.03) (Version: 11.0.03)
Adobe Shockwave Player 11.6 (Version: 11.6.3.633)
AIM 7
Apple Application Support (Version: 2.3.6)
Apple Mobile Device Support (Version: 7.0.0.117)
Apple Software Update (Version: 2.1.3.127)
Audacity 1.3.14 (Unicode)
avast! Free Antivirus (Version: 8.0.1489.0)
Bonjour (Version: 3.0.0.10)
BufferChm (Version: 130.0.331.000)
Canon Utilities Digital Photo Professional 3.10 (Version: 3.10.2.0)
Canon Utilities EOS Utility (Version: 2.10.2.0)
Canon Utilities Movie Uploader for YouTube (Version: 1.2.0.7)
Canon Utilities PhotoStitch (Version: 3.1.22.46)
Defraggler (Version: 2.12)
Destinations (Version: 130.0.0.0)
DeviceDiscovery (Version: 130.0.372.000)
DocMgr (Version: 130.0.000.000)
DocProc (Version: 13.0.0.0)
Fax (Version: 130.0.418.000)
Google Chrome (HKCU Version: 31.0.1650.57)
GPBaseService2 (Version: 130.0.371.000)
HP Customer Participation Program 13.0 (Version: 13.0)
HP Document Manager 2.0 (Version: 2.0)
HP Imaging Device Functions 13.0 (Version: 13.0)
HP Officejet 4500 G510n-z (Version: 13.0)
HP Smart Web Printing 4.5 (Version: 4.5)
HP Solution Center 13.0 (Version: 13.0)
HP Update (Version: 5.003.001.001)
HPProductAssistant (Version: 130.0.371.000)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.1930)
Intel® TV Wizard
iTunes (Version: 11.1.0.126)
Java 7 Update 45 (Version: 7.0.450)
Java Auto Updater (Version: 2.1.9.8)
LAME v3.99.3 (for Windows)
MarketResearch (Version: 130.0.374.000)
McAfee Security Scan Plus (Version: 3.0.285.6)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.4763.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Silverlight (Version: 5.0.61118.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86 (Version: 1.00.0000)
Mozilla Firefox 25.0.1 (x86 en-US) (Version: 25.0.1)
Mozilla Maintenance Service (Version: 25.0.1)
Network (Version: 130.0.374.000)
NVIDIA 3D Vision Driver 260.89 (Version: 260.89)
NVIDIA Control Panel 260.89 (Version: 260.89)
NVIDIA Graphics Driver 260.89 (Version: 260.89)
NVIDIA HD Audio Driver 1.1.9.0 (Version: 1.1.9.0)
NVIDIA Install Application (Version: 2.0.14.0)
NVIDIA PhysX (Version: 9.10.0514)
NVIDIA PhysX System Software 9.10.0514 (Version: 9.10.0514)
NVIDIA Stereoscopic 3D Driver (Version: 7.17.12.6089)
OCR Software by I.R.I.S. 13.0 (Version: 13.0)
Origin (Version: 9.3.1.4482)
PDF Settings CS5 (Version: 10.0)
PunkBuster Services (Version: 0.992)
QuickTime (Version: 7.73.80.64)
Scan (Version: 13.0.0.0)
Skype™ 5.5 (Version: 5.5.124)
SmartWebPrinting (Version: 130.0.373.000)
SolutionCenter (Version: 130.0.373.000)
Status (Version: 130.0.373.000)
TeamViewer 7 (Version: 7.0.12541)
Toolbox (Version: 130.0.648.000)
TrayApp (Version: 130.0.376.000)
USB2.0 PC Camera (SN9C201&202) (Version: 5.7.19.106)
VLC media player 1.1.11 (Version: 1.1.11)
Wacom (Version: 5.3.2-1)
WebGuard (Version: 7.3.2.3)
WebReg (Version: 130.0.132.017)
WebTablet FB Plugin 32 bit (Version: 2.1.0.2)
WinRAR 4.10 (32-bit) (Version: 4.10.0)

==================== Restore Points  =========================

23-11-2013 07:58:52 Scheduled Checkpoint
26-11-2013 22:38:11 Installed SpyHunter
26-11-2013 23:06:48 Removed SpyHunter
26-11-2013 23:07:44 Removed SpyHunter
27-11-2013 00:46:31 Removed SpyHunter
27-11-2013 01:22:50 删除 腾讯QQ2013。

==================== Hosts content: ==========================

2012-02-29 18:12 - 2013-11-26 19:54 - 00000741 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1    localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {09F4A528-9B0F-4F79-9AFB-967230E81751} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {2DDE3BF1-7C4F-4E4A-A319-9D6797670879} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2013-05-09] (AVAST Software)
Task: {2F76EED0-31B5-4CF6-8DE3-73DE5084C4B7} - System32\Tasks\AdobeAAMUpdater-1.0-Wei-PC-Wei => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-03-15] (Adobe Systems Incorporated)
Task: {3A7936A7-6FB0-4866-BEFD-0948A8D479E6} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1509593049-3746581815-257761438-1001Core => C:\Users\Wei\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-01] (Google Inc.)
Task: {5F0D6055-2A81-4137-84B1-7C9A74607C5A} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {9BA603D8-757E-4B6A-B44D-B56F0444016A} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1509593049-3746581815-257761438-1001UA => C:\Users\Wei\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-01] (Google Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1509593049-3746581815-257761438-1001Core.job => C:\Users\Wei\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1509593049-3746581815-257761438-1001UA.job => C:\Users\Wei\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2010-01-30 01:41 - 2010-01-30 01:41 - 04254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-03-24 20:17 - 2010-03-24 20:17 - 08794464 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2012-01-27 12:28 - 2012-01-09 19:44 - 00166912 _____ () C:\Program Files\WinRAR\rarext.dll
2011-11-01 23:26 - 2011-11-01 23:26 - 00087912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2011-11-01 23:26 - 2011-11-01 23:26 - 01242472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2013-09-15 16:22 - 2012-12-11 12:07 - 00963456 _____ () C:\Program Files\Tablet\Pen\libxml2.dll
2013-11-15 22:08 - 2013-11-15 22:08 - 03363952 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll
2013-11-21 22:03 - 2013-11-21 22:03 - 16237448 _____ () C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_152.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== Faulty Device Manager Devices =============

Name: Officejet 4500 G510n-z
Description: Officejet 4500 G510n-z
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Unknown Device
Description: Unknown Device
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service:
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.


==================== Event log errors: =========================

Application errors:
==================
Error: (11/26/2013 07:46:36 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary AnviSmartDefender Web Guard.

System Error:
The system cannot find the file specified.
.

Error: (11/26/2013 07:46:36 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary asdrm.

System Error:
The system cannot find the file specified.
.

Error: (11/16/2013 11:50:56 AM) (Source: Application Hang) (User: )
Description: The program firefox.exe version 25.0.1.5064 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: fe4

Start Time: 01cee2c2654c4bac

Termination Time: 114

Application Path: C:\Program Files\Mozilla Firefox\firefox.exe

Report Id: 3edeffd0-4edf-11e3-82e3-90fba6edbae1

Error: (11/15/2013 00:56:14 PM) (Source: Application Error) (User: )
Description: Faulting application name: plugin-container.exe, version: 25.0.0.5046, time stamp: 0x526b1daa
Faulting module name: mozalloc.dll, version: 25.0.0.5046, time stamp: 0x526af0bc
Exception code: 0x80000003
Fault offset: 0x0000119c
Faulting process id: 0x1098
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (11/14/2013 09:01:55 PM) (Source: Application Hang) (User: )
Description: The program firefox.exe version 25.0.0.5046 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 14e8

Start Time: 01cee17c2ff9df40

Termination Time: 179

Application Path: C:\Program Files\Mozilla Firefox\firefox.exe

Report Id: e478079a-4d99-11e3-808d-90fba6edbae1

Error: (11/14/2013 10:36:02 AM) (Source: Application Error) (User: )
Description: Faulting application name: firefox.exe, version: 25.0.0.5046, time stamp: 0x526b1e27
Faulting module name: xul.dll, version: 25.0.0.5046, time stamp: 0x526b1d27
Exception code: 0xc0000005
Fault offset: 0x001157e7
Faulting process id: 0x1310
Faulting application start time: 0xfirefox.exe0
Faulting application path: firefox.exe1
Faulting module path: firefox.exe2
Report Id: firefox.exe3

Error: (10/26/2013 03:47:59 PM) (Source: Application Hang) (User: )
Description: The program patcher_cf.exe version 1.0.0.6 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 14e4

Start Time: 01ced28bcd967dc5

Termination Time: 3

Application Path: C:\Program Files\Z8Games\CrossFire\patcher_cf.exe

Report Id: e4496330-3e7f-11e3-901b-90fba6edbae1

Error: (10/26/2013 03:41:45 PM) (Source: Application Hang) (User: )
Description: The program patcher_cf.exe version 1.0.0.6 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 92c

Start Time: 01ced28b7a5eb932

Termination Time: 3

Application Path: C:\Program Files\Z8Games\CrossFire\patcher_cf.exe

Report Id: 05a4b81f-3e7f-11e3-901b-90fba6edbae1

Error: (10/26/2013 03:39:05 PM) (Source: Application Hang) (User: )
Description: The program patcher_cf.exe version 1.0.0.6 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 770

Start Time: 01ced28b28df0bf1

Termination Time: 10

Application Path: C:\Program Files\Z8Games\CrossFire\patcher_cf.exe

Report Id: a51a61d5-3e7e-11e3-901b-90fba6edbae1

Error: (10/22/2013 02:27:39 PM) (Source: Application Hang) (User: )
Description: The program Conquer_v5788_P2P_20131008.exe version 1.0.2.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1db0

Start Time: 01cecf5a07a44cc5

Termination Time: 102

Application Path: C:\Users\Wei\Desktop\Conquer_v5788_P2P_20131008.exe

Report Id: 00da926b-3b50-11e3-8fd2-90fba6edbae1


System errors:
=============
Error: (11/26/2013 08:27:05 PM) (Source: Service Control Manager) (User: )
Description: The Tencent WebGuard Update Service service failed to start due to the following error:
%%2

Error: (11/26/2013 08:21:20 PM) (Source: Service Control Manager) (User: )
Description: The Bonjour Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/26/2013 08:21:12 PM) (Source: Service Control Manager) (User: )
Description: The Tencent WebGuard Update Service service failed to start due to the following error:
%%2

Error: (11/26/2013 08:15:15 PM) (Source: mbamchameleon) (User: )
Description: M FILES\MCAFEE SECURITY SCAN\3.0.285\SSSCHEDULER.EXE

Error: (11/26/2013 08:15:15 PM) (Source: mbamchameleon) (User: )
Description: lume2\PROGRAM FILES\AVAST SOFTWARE\AVAST\AVASTUI.EXE

Error: (11/26/2013 08:15:15 PM) (Source: mbamchameleon) (User: )
Description: ume2\PROGRAM FILES\AVAST SOFTWARE\AVAST\AVASTSVC.EXE

Error: (11/26/2013 07:55:33 PM) (Source: mbamchameleon) (User: )
Description: M FILES\MCAFEE SECURITY SCAN\3.0.285\SSSCHEDULER.EXE

Error: (11/26/2013 07:55:32 PM) (Source: mbamchameleon) (User: )
Description: lume2\PROGRAM FILES\AVAST SOFTWARE\AVAST\AVASTUI.EXE

Error: (11/26/2013 07:55:32 PM) (Source: mbamchameleon) (User: )
Description: ume2\PROGRAM FILES\AVAST SOFTWARE\AVAST\AVASTSVC.EXE

Error: (11/26/2013 07:55:32 PM) (Source: mbamchameleon) (User: )
Description: M FILES\MCAFEE SECURITY SCAN\3.0.285\SSSCHEDULER.EXE


Microsoft Office Sessions:
=========================
Error: (11/26/2013 07:46:36 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary AnviSmartDefender Web Guard.

System Error:
The system cannot find the file specified.

Error: (11/26/2013 07:46:36 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary asdrm.

System Error:
The system cannot find the file specified.

Error: (11/16/2013 11:50:56 AM) (Source: Application Hang)(User: )
Description: firefox.exe25.0.1.5064fe401cee2c2654c4bac114C:\Program Files\Mozilla Firefox\firefox.exe3edeffd0-4edf-11e3-82e3-90fba6edbae1

Error: (11/15/2013 00:56:14 PM) (Source: Application Error)(User: )
Description: plugin-container.exe25.0.0.5046526b1daamozalloc.dll25.0.0.5046526af0bc800000030000119c109801cee22878b2632dC:\Program Files\Mozilla Firefox\plugin-container.exeC:\Program Files\Mozilla Firefox\mozalloc.dll375de47d-4e1f-11e3-87d6-90fba6edbae1

Error: (11/14/2013 09:01:55 PM) (Source: Application Hang)(User: )
Description: firefox.exe25.0.0.504614e801cee17c2ff9df40179C:\Program Files\Mozilla Firefox\firefox.exee478079a-4d99-11e3-808d-90fba6edbae1

Error: (11/14/2013 10:36:02 AM) (Source: Application Error)(User: )
Description: firefox.exe25.0.0.5046526b1e27xul.dll25.0.0.5046526b1d27c0000005001157e7131001cee12427943ad7C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll7763d580-4d42-11e3-808d-90fba6edbae1

Error: (10/26/2013 03:47:59 PM) (Source: Application Hang)(User: )
Description: patcher_cf.exe1.0.0.614e401ced28bcd967dc53C:\Program Files\Z8Games\CrossFire\patcher_cf.exee4496330-3e7f-11e3-901b-90fba6edbae1

Error: (10/26/2013 03:41:45 PM) (Source: Application Hang)(User: )
Description: patcher_cf.exe1.0.0.692c01ced28b7a5eb9323C:\Program Files\Z8Games\CrossFire\patcher_cf.exe05a4b81f-3e7f-11e3-901b-90fba6edbae1

Error: (10/26/2013 03:39:05 PM) (Source: Application Hang)(User: )
Description: patcher_cf.exe1.0.0.677001ced28b28df0bf110C:\Program Files\Z8Games\CrossFire\patcher_cf.exea51a61d5-3e7e-11e3-901b-90fba6edbae1

Error: (10/22/2013 02:27:39 PM) (Source: Application Hang)(User: )
Description: Conquer_v5788_P2P_20131008.exe1.0.2.01db001cecf5a07a44cc5102C:\Users\Wei\Desktop\Conquer_v5788_P2P_20131008.exe00da926b-3b50-11e3-8fd2-90fba6edbae1


CodeIntegrity Errors:
===================================
  Date: 2013-06-08 08:11:59.540
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-08 08:09:25.515
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-08 07:06:45.020
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-07 21:58:31.750
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-07 17:53:20.894
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-07 16:53:38.282
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-07 16:27:43.564
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-07 08:38:04.048
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-07 07:01:46.393
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-06-07 06:54:46.280
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 61%
Total physical RAM: 2046.18 MB
Available physical RAM: 792.91 MB
Total Pagefile: 4092.36 MB
Available Pagefile: 2671.11 MB
Total Virtual: 2047.88 MB
Available Virtual: 1892.29 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:148.95 GB) (Free:89.34 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149 GB) (Disk ID: B70D4D30)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149 GB) - (Type=07 NTFS)

==================== End Of Log ============================

[MrCharlie]

It looks like you have a ZeroAccess infection, I see you ran MBAR which would have taken care of some of it....but it's still active.
I see you also ran AdwCleaner.

I have to give you this warning about the infection:

Please read the following information first.
 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------


Download the attached fixlist.txt to the same folder as FRST.
Run FRST.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Update and run MBAR again.

MrC

[Toaru]

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 25-11-2013 01
Ran by Wei at 2013-11-26 21:48:21 Run:1
Running from C:\Users\Wei\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
C:\Users\Wei\AppData\Local\Temp\hcuninstaller_20131008_174105_2504.exe
C:\Users\Wei\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Wei\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Wei\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\Wei\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Wei\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe
C:\Users\Wei\AppData\Local\Temp\NGM.exe
C:\Users\Wei\AppData\Local\Temp\NGMDll.dll
C:\Users\Wei\AppData\Local\Temp\NGMResource.dll
C:\Users\Wei\AppData\Local\Temp\NGMSetup.exe
C:\Users\Wei\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Wei\AppData\Local\Temp\qqsafeud.exe
C:\Users\Wei\AppData\Local\Temp\Quarantine.exe
C:\Users\Wei\AppData\Local\Temp\QzoneMusic.exe
C:\Users\Wei\AppData\Local\Temp\SHSetup.exe
C:\Users\Wei\AppData\Local\Temp\StpA26E_TMP.EXE
C:\Users\Wei\AppData\Local\Temp\StpD1C7_TMP.EXE
C:\Users\Wei\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Wei\AppData\Local\Temp\swt-win32-3740.dll
C:\Users\Wei\AppData\Local\Temp\ubi5661.tmp.exe
C:\Users\Wei\AppData\Local\Temp\unicows.dll
C:\Users\Wei\AppData\Local\Temp\Uninstaller-5920.exe
C:\Users\Wei\AppData\Local\Temp\uttCC0B.tmp.exe
C:\Users\Wei\AppData\Local\Temp\vrayuninst.dll
C:\Users\Wei\jagex_cl_loginapplet_LIVE.dat
C:\Users\Wei\jagex_cl_oldschool_LIVE.dat
C:\Users\Wei\jagex_cl_runescape_LIVE.dat
C:\Users\Wei\random.dat


*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
C:\Users\Wei\AppData\Local\Temp\hcuninstaller_20131008_174105_2504.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\NGM.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\NGMDll.dll => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\NGMResource.dll => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\NGMSetup.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\qqsafeud.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\QzoneMusic.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\SHSetup.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\StpA26E_TMP.EXE => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\StpD1C7_TMP.EXE => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\swt-win32-3349.dll => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\swt-win32-3740.dll => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\ubi5661.tmp.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\unicows.dll => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\Uninstaller-5920.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\uttCC0B.tmp.exe => Moved successfully.
C:\Users\Wei\AppData\Local\Temp\vrayuninst.dll => Moved successfully.
C:\Users\Wei\jagex_cl_loginapplet_LIVE.dat => Moved successfully.
C:\Users\Wei\jagex_cl_oldschool_LIVE.dat => Moved successfully.
C:\Users\Wei\jagex_cl_runescape_LIVE.dat => Moved successfully.
C:\Users\Wei\random.dat => Moved successfully.

==== End of Fixlog ====

[Toaru]

i updated and ran MBAR again, it says no malware found. but that happened last time too, even though there are viruses.

[MrCharlie]

OK...run ComboFix next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look like this, not "sponsored ad links":

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[Toaru]

ComboFix 13-11-27.01 - Wei 11/26/2013  22:29:42.1.4 - x86
Microsoft Windows 7 Enterprise   6.1.7600.0.1252.1.1033.18.2046.554 [GMT -5:00]
Running from: c:\users\Wei\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\cflog\CrashLog_20120403.txt
c:\cflog\CrashLog_20120406.txt
c:\cflog\CrashLog_20120930.txt
c:\windows\system32\FlashPlayerApp.exe
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-27 to 2013-11-27  )))))))))))))))))))))))))))))))
.
.
2013-11-27 03:36 . 2013-11-27 03:38    --------    d-----w-    c:\users\Wei\AppData\Local\temp
2013-11-27 03:36 . 2013-11-27 03:36    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-11-27 02:12 . 2013-11-27 02:12    --------    d-----w-    C:\FRST
2013-11-27 01:17 . 2013-11-27 01:26    --------    d-----w-    C:\AdwCleaner
2013-11-27 00:55 . 2013-11-27 03:12    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-11-27 00:55 . 2013-11-27 02:56    105176    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-27 00:55 . 2013-11-27 02:51    75992    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-11-26 23:13 . 2013-11-27 00:46    --------    d-----w-    c:\users\Wei\AppData\Roaming\Anvisoft
2013-11-26 23:12 . 2013-11-26 23:12    --------    d-----w-    c:\programdata\Anvisoft
2013-11-26 23:12 . 2013-11-27 00:46    --------    d-----w-    c:\program files\Anvisoft
2013-11-26 22:38 . 2013-11-26 22:38    --------    d-----w-    c:\program files\Enigma Software Group
2013-11-26 22:38 . 2013-11-27 00:47    --------    d-----w-    c:\windows\220FB0354744483A9A0B41DF77061583.TMP
2013-11-26 22:38 . 2013-11-26 22:38    --------    d-----w-    c:\program files\Common Files\Wise Installation Wizard
2013-11-22 03:03 . 2013-11-22 03:03    --------    d-----w-    c:\programdata\McAfee Security Scan
2013-11-22 03:03 . 2013-11-22 03:03    --------    d-----w-    c:\program files\McAfee Security Scan
2013-10-31 19:21 . 2013-10-31 19:22    --------    d-----w-    c:\program files\Canon
2013-10-31 19:19 . 2013-10-31 19:19    --------    d-----w-    c:\program files\Common Files\Canon
2013-10-28 23:24 . 2013-10-28 23:26    --------    d-----w-    c:\users\Wei\.Creative-Scape.net
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-22 03:03 . 2012-01-27 17:24    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-08 11:50 . 2013-10-20 02:38    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58    121968    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2011-05-03 4321112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-12 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-02-13 262144]
"snp2std"="c:\windows\vsnp2std.exe" [2006-12-05 344064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-09-18 152392]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.285\SSScheduler.exe [2012-9-5 271808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
R2 WebGuardUpdate;Tencent WebGuard Update Service;c:\program files\Tencent\WebGuard\WebGuardUpdate.exe [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 FXDrv32;FXDrv32;D:\FXDrv32.sys [x]
R3 hidkmdf;KMDF Driver;c:\windows\system32\DRIVERS\hidkmdf.sys [2012-12-03 11680]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.285\McCHSvc.exe [2012-09-05 234776]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 vtany;vtany;c:\windows\vtany.sys [x]
R3 WacHidRouter;Wacom Hid Router;c:\windows\system32\DRIVERS\wachidrouter.sys [2012-12-03 70048]
R3 wacomrouterfilter;Wacom Router Filter Driver;c:\windows\system32\DRIVERS\wacomrouterfilter.sys [2012-11-15 13728]
R3 XDva390;XDva390;c:\windows\system32\XDva390.sys [x]
R3 XDva394;XDva394;c:\windows\system32\XDva394.sys [x]
R3 XDva397;XDva397;c:\windows\system32\XDva397.sys [x]
R3 XDva400;XDva400;c:\windows\system32\XDva400.sys [x]
R3 XDva404;XDva404;c:\windows\system32\XDva404.sys [x]
R3 XDva405;XDva405;c:\windows\system32\XDva405.sys [x]
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys [x]
R3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [2012-09-29 666720]
R3 xspirit;xspirit;c:\windows\xspirit.sys [x]
S0 aswRvrt;aswRvrt; [x]
S0 aswVmm;aswVmm; [x]
S1 aswKbd;aswKbd; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 QQProtect;QQProtect;c:\windows\system32\drivers\QQProtect.sys [2013-08-06 173152]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-05-09 66336]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-08 369256]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-01-19 3027840]
S2 WTabletServiceCon;Wacom Consumer Service;c:\program files\Tablet\Pen\WTabletServiceCon.exe [2012-12-11 528256]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
HPService    REG_MULTI_SZ       HPSLPSVC
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1509593049-3746581815-257761438-1001Core.job
- c:\users\Wei\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-27 06:15]
.
2013-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1509593049-3746581815-257761438-1001UA.job
- c:\users\Wei\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-27 06:15]
.
.
------- Supplementary Scan -------
.

uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
Trusted Zone: soso.com\toolbar
Trusted Zone: toolbar.soso.com\*
Trusted Zone: qq.com\cache.tv
Trusted Zone: qq.com\qqlivecaption
Trusted Zone: qq.com\qqlivehabit
Trusted Zone: qq.com\qqlivesearch
Trusted Zone: qq.com\video_1
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Wei\AppData\Roaming\Mozilla\Firefox\Profiles\si0nzlfc.default\
FF - ExtSQL: !HIDDEN! 2012-04-03 18:19; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{45B9637E-351B-7FAB-4362-0E1519ABA160} - c:\program files\TENCENT\WebGuard\webguard.dll
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-Akamai NetSession Interface - c:\users\Wei\AppData\Local\Akamai\netsession_win.exe
HKLM-Run-kxesc - c:\program files\kingsoft\kingsoft antivirus\kxetray.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xsherlock]
"ImagePath"="c:\windows\system32\xsherlock.xem"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Tablet\Pen\Pen_TabletUser.exe
c:\program files\Tablet\Pen\WacomHost.exe
c:\program files\Tablet\Pen\Pen_Tablet.exe
c:\program files\Tablet\Pen\Pen_TouchUser.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2013-11-26  22:40:31 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-27 03:40
.
Pre-Run: 95,788,703,744 bytes free
Post-Run: 98,537,455,616 bytes free
.
- - End Of File - - 85C97222CFDF6DB83B31092F313F3C78
A36C5E4F47E84449FF07ED3517B43A31
 

[MrCharlie]

Is there any difference???

userinit.exe <---ComboFix found this file to be infected and replaced it.

-----------------------

If not improvement......

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look like this, not "sponsored ad links":

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

[Toaru]

it doesnt seem to be redirecting me anymore. thanks a lot! if it happens again i will be sure to come back and ask you. anything else i need to do?

[MrCharlie]

Good......

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• If you get Unsupported operating system. Aborting now, just reboot and try again.
• A Notepad document should open automatically called checkup.txt.
• Please Post the contents of that document.
• Do Not Attach It!!!

MrC

[Toaru]

 Results of screen317's Security Check version 0.99.77  
 Windows 7  x86 (UAC is enabled)  
 Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 45  
 Adobe Flash Player     11.9.900.152  
 Adobe Reader XI  
 Mozilla Firefox (25.0.1)
 Google Chrome 30.0.1599.101  
 Google Chrome 31.0.1650.57  
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 

[MrCharlie]

Out dated programs on the system are vulnerable to malware.
Please update or uninstall them:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Windows 7 x86 (UAC is enabled)
Out of date service pack!! <-------Visit Windows Update for this

The rest looks OK

----------------------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /



Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (also HERE)

Good Luck and Thanks for using the forum, MrC

[Toaru]

k i think ive deleted them all

[MrCharlie]

OK...Take Care MrC

[gringo_pr]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.