Get-Answers-Fast redirect



brisk
2011-12-19, 21:02
Hello, I would appreciate any help to cure my hijacked browser!! :/
Nothing I'm doing is fixing or detecting the problem..

DDS LOG:
__________________________________________________
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_29
Run by Jiahe at 18:13:09 on 2011-12-15
Microsoft Windows 7 Ultimate N 6.1.7600.0.936.86.1033.18.6143.4115 [GMT -8:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\system32\spool\DRIVERS\x64\3\lxdxserv.exe
C:\Windows\system32\lxdxcoms.exe
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe
C:\Users\Jiahe\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\PPS.tv\PPStream\PPSAP.exe
C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\Pandora\Pandora.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\WINPENJR\win32\Pphidpad.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.xunlei.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {889D2FEB-5411-4565-8998-1DD2C5261283} - No File
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
uRun: [Google Update] "C:\Users\Jiahe\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [PPLiveVA] C:\Program Files (x86)\PPLiveVA\PPLiveVA.exe /LoadModule PPVA.DLL /M REAL /S 0 /T 0
uRun: [PPAP] "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.EXE" -background
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [RGSC] C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
uRun: [PPS Accelerator] D:\PPS.tv\PPStream\ppsap.exe
mRun: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Jiahe\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\Users\Jiahe\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pandora.lnk - C:\Program Files (x86)\Pandora\Pandora.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: C:\Windows\system32\ikutm.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} - hxxp://game-web.qq.com/client/QQGame2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - hxxp://plato.ousd.k12.ca.us/pathways/pway_iis.dll/PWLN/02050119/fullcab/pwlninst.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
TCP: Interfaces\{2D58E29F-66A9-4CD1-8B42-887EAC930D96} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2D58E29F-66A9-4CD1-8B42-887EAC930D96}\74F6C6F6 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{7A97DFAE-1868-4272-B75A-8DE1BCD5EF17} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {889D2FEB-5411-4565-8998-1DD2C5261283} - No File
BHO-X64: XunleiBHO - No File
BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
mRun-x64: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Jiahe\AppData\Roaming\Mozilla\Firefox\Profiles\o83ynecc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: C:\Program Files (x86)\Common Files\Motive\npMotive.dll
FF - plugin: C:\Program Files (x86)\Common Files\Thunder Network\KanKan\npDapCtrlFirefox.2.0.5901.12.(474).dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Media Player\np-mswmp.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Users\Jiahe\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-5-4 128384]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-8-4 2329480]
R2 lxdx_device;lxdx_device;C:\Windows\system32\lxdxcoms.exe -service --> C:\Windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\lxdxserv.exe [2009-12-15 29184]
R2 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2010-4-24 517632]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 lvpepf64;Volume Adapter;C:\Windows\system32\DRIVERS\lv302a64.sys --> C:\Windows\system32\DRIVERS\lv302a64.sys [?]
R3 LVUSBS64;Logitech USB Monitor Filter;C:\Windows\system32\drivers\LVUSBS64.sys --> C:\Windows\system32\drivers\LVUSBS64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 netr7364;USB Wireless 802.11 b/g Adaptor Driver for Vista;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-15 00:21:25 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-15 00:21:05 1197568 ----a-w- C:\Windows\System32\wininet.dll
2011-12-15 00:21:03 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-12-15 00:21:00 860672 ----a-w- C:\Program Files (x86)\Internet Explorer\iedvtool.dll
2011-12-15 00:21:00 696600 ----a-w- C:\Program Files\Internet Explorer\iexplore.exe
2011-12-15 00:21:00 673048 ----a-w- C:\Program Files (x86)\Internet Explorer\iexplore.exe
2011-12-13 00:27:09 357000 ----a-w- C:\ProgramData\i6qcOlkU2jbAqX.exe
2011-12-13 00:13:18 357000 ----a-w- C:\ProgramData\fg.exe
2011-12-07 05:00:45 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-02 01:41:45 -------- d-----w- C:\Users\Jiahe\AppData\Local\Skyrim
2011-12-02 01:01:35 -------- d-----w- C:\Program Files (x86)\The Elder Scrolls V Skyrim
2011-11-30 04:42:07 -------- d-----w- C:\Users\Jiahe\AppData\Local\APN
2011-11-30 04:41:47 -------- d-----w- C:\Program Files (x86)\The KMPlayer
.
==================== Find3M ====================
.
2011-11-24 05:00:47 3141632 ----a-w- C:\Windows\System32\win32k.sys
2011-11-05 05:23:10 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-11-05 05:17:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-05 04:34:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-11-05 04:30:11 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-05 04:07:32 482816 ----a-w- C:\Windows\System32\html.iec
2011-11-05 03:28:41 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-11-05 03:25:44 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:55:38 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-15 06:25:12 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-10-15 05:48:52 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-10-03 13:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-09-29 16:24:44 1897328 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 18:21:05.39 ===============
Thank you for your time!! Hope to get help soon!
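The DDS log above is the kind of artefact an analyst triages by hand; as an added example (not part of this thread or of the DDS tool), the Python script below applies three review heuristics to lines copied from that log: Winsock LSP DLLs outside an assumed known-good list (an LSP sits in the Winsock chain and sees every socket call, which is why it is a classic place for browser-redirect components), home page or search URLs pointing away from assumed expected hosts, and newly created executables that sit loose at the root of ProgramData or carry random-looking names. The allow-lists, directories and thresholds are assumptions; a hit is a review prompt, not a verdict.

```python
import math
import re
from collections import Counter

# Assumption: Winsock LSP / namespace-provider DLLs expected on a stock
# Windows 7 install; anything else is a review item, not a verdict.
KNOWN_LSP_DLLS = {"mswsock.dll", "nlaapi.dll", "napinsp.dll",
                  "pnrpnsp.dll", "winrnr.dll", "wshbth.dll"}
# Assumption: hosts the user would expect as search engine or home page.
EXPECTED_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
# Assumption: directories where a loose, newly created executable is unusual
# (installers normally create their own subfolder under these).
LOOSE_EXE_DIRS = {"c:\\programdata", "c:\\users\\public"}
EXECUTABLE_EXTS = {"exe", "dll", "sys", "scr", "com"}

# DDS line shapes: "LSP: <path>", "<key> = hxxp://..." / "FF - prefs.js: <key> - hxxp://...",
# and "Created Last 30" entries "<date> <time> <size> <attrs> <path>".
LSP_RE = re.compile(r"^LSP:\s+(?P<path>\S.*?)\s*$")
URL_RE = re.compile(r"^(?P<key>[um]Start Page|[um]Default_Page_URL|"
                    r"FF - prefs\.js: browser\.[\w.]+)\s*[=-]\s*(?P<url>hxxps?://\S+)")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>\S.*?)\s*$")

# Constructed excerpt: lines copied from the DDS log posted in the thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.xunlei.com
uInternet Settings,ProxyOverride = *.local
LSP: C:\Windows\system32\ikutm.dll
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
2011-12-15 00:21:25 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-13 00:27:09 357000 ----a-w- C:\ProgramData\i6qcOlkU2jbAqX.exe
2011-12-13 00:13:18 357000 ----a-w- C:\ProgramData\fg.exe
2011-12-02 01:41:45 -------- d-----w- C:\Users\Jiahe\AppData\Local\Skyrim
"""


def name_entropy(stem: str) -> float:
    """Shannon entropy (bits per character) of a file-name stem."""
    if not stem:
        return 0.0
    counts = Counter(stem)
    n = len(stem)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem: str) -> bool:
    """Heuristic: a long name mixing upper case, lower case and digits, or one
    with high character entropy, is typical of generated drop-file names
    (length and entropy thresholds are assumptions)."""
    if len(stem) < 8:
        return False
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"\d") if re.search(pat, stem))
    return classes == 3 or name_entropy(stem) >= 3.5


def triage(log_text: str) -> list:
    """Return review findings as dicts with keys rule, line and detail."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LSP_RE.match(line)
        if m:
            dll = m.group("path").rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_LSP_DLLS:
                findings.append({"rule": "unknown-lsp", "line": line, "detail": dll})
            continue
        m = URL_RE.match(line)
        if m:
            host = m.group("url").split("://", 1)[1].split("/", 1)[0].lower()
            if host not in EXPECTED_HOSTS:
                findings.append({"rule": "search-or-homepage-override", "line": line, "detail": host})
            continue
        m = CREATED_RE.match(line)
        if m:
            parent, _, fname = m.group("path").rpartition("\\")
            stem, _, ext = fname.rpartition(".")
            if ext.lower() not in EXECUTABLE_EXTS:
                continue
            reasons = []
            if parent.lower() in LOOSE_EXE_DIRS:
                reasons.append("loose executable in " + parent)
            if looks_random(stem):
                reasons.append("random-looking file name")
            if reasons:
                findings.append({"rule": "suspicious-new-executable", "line": line,
                                 "detail": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}\n    {f['line']}")
```

Run against a full DDS log, the script prints the candidate lines in log order so they can be checked against the rest of the report (the matching service, driver and startup entries) before anything is touched.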

ken545
2011-12-23, 01:14

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


uTorrent <-- I see this installed. This is most likely how you infected your system: you're downloading files from an unknown source, and malware writers take advantage of this; not all, but most of what you download is infected. I am going to ask you to uninstall it via Programs and Features in the Control Panel.



Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click "save log", save it to your desktop and post it in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

brisk
2011-12-25, 00:38
aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-24 14:07:57
-----------------------------
14:07:57.591 OS Version: Windows x64 6.1.7600
14:07:57.591 Number of processors: 2 586 0x170A
14:07:57.591 ComputerName: XIUJUAN-PC UserName: Jiahe
14:07:59.307 Initialize success
14:07:59.447 AVAST engine defs: 11122401
14:08:01.756 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:08:01.756 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 8
14:08:01.803 Disk 0 MBR read successfully
14:08:01.803 Disk 0 MBR scan
14:08:01.850 Disk 0 Windows 7 default MBR code
14:08:01.850 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 597126 MB offset 63
14:08:01.912 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13350 MB offset 1222915995
14:08:01.912 Service scanning
14:08:05.531 Disk 0 MBR has been saved successfully to "C:\Users\Jiahe\Desktop\MBR.dat"
14:08:05.531 The log file has been saved successfully to "C:\Users\Jiahe\Desktop\aswMBR.txt"
14:08:07.475 Modules scanning
14:08:07.475 Disk 0 trace - called modules:
14:08:07.537 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8006d12334]<<
14:08:08.036 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006cfa060]
14:08:08.036 3 CLASSPNP.SYS[fffff880013b843f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005c39050]
14:08:08.036 \Driver\iaStorV[0xfffffa8005bc0a60] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8006d12334
14:08:09.440 AVAST engine scan C:\Windows
14:08:14.807 AVAST engine scan C:\Windows\system32
14:10:58.560 AVAST engine scan C:\Windows\system32\drivers
14:11:09.310 AVAST engine scan C:\Users\Jiahe
14:22:55.276 AVAST engine scan C:\ProgramData
14:27:03.769 Scan finished successfully
14:36:38.303 Disk 0 MBR has been saved successfully to "C:\Users\Jiahe\Desktop\MBR.dat"
14:36:38.303 The log file has been saved successfully to "C:\Users\Jiahe\Desktop\aswMBR.txt"

Here's the log.

ken545
2011-12-25, 01:59
Hi, hope you're having a nice Xmas.


Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

brisk
2011-12-25, 04:12
Umm.. it won't let me open it.. =/
Merry Christmas to you too!

brisk
2011-12-25, 04:13
When I double click it / run as admin, nothing pops up.

ken545
2011-12-25, 12:15
Ok, while I am looking over your logs, run this program.

Please run the MGA Diagnostic Tool and post back the report it creates:
Download MGADiag (http://go.microsoft.com/fwlink/?linkid=56062) to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.

brisk
2011-12-28, 01:50
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE22
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-TVCR6-KDG67-97J8Q
Windows Product Key Hash: AYpNlNvXX+S8zDWmY4X6Ucmxv1s=
Windows Product ID: 00432-020-0000007-85477
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7600.2.00010100.0.0.028
ID: {284F018D-696A-4AA5-975E-FE1E637515B1}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.9.1
Signed By: Microsoft
Product Name: Windows 7 Ultimate N
Architecture: 0x00000009
Build lab: 7600.win7_gdr.110622-1503
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 102
Microsoft Office Visio Professional 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppcomapi.dll[Hr = 0x80070005]
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\en-US\user32.dll.mui[6.1.7600.16385], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{284F018D-696A-4AA5-975E-FE1E637515B1}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.028</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-97J8Q</PKey><PID>00432-020-0000007-85477</PID><PIDType>5</PIDType><SID>S-1-5-21-2695929252-3145278133-2343186154</SID><SYSTEM><Manufacturer>HP-Pavilion</Manufacturer><Model>FQ587AA-ABA a6767c</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>5.35 </Version><SMBIOSVersion major="2" minor="5"/><Date>20081216000000.000000+000</Date></BIOS><HWID>9DBB3607018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-MPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>102</Result><Products><Product GUID="{91120000-0051-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Visio Professional 2007</Name><Ver>12</Ver><Val>9F545EF262BB26C</Val><Hash>nVe+/WQViLp115BknMm0UEdhnf0=</Hash><Pid>84890-310-4573646-63604</Pid><PidType>10</PidType></Product></Products><Applications><App Id="53" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7600.16385

Name: Windows(R) 7, UltimateN edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: fa3d0658-67f4-4a26-ba57-3fc6f39861f1
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00432-00170-020-000000-00-1033-7600.0000-3492009
Installation ID: 008606536270951765146494501834681046142362959514359435
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 97J8Q
License Status: Notification
Notification Reason: 0xC004F009 (grace time expired).
Remaining Windows rearm count: 3
Trusted time: 12/27/2011 3:47:23 PM

Windows Activation Technologies-->
HrOffline: 0x8004FE22
HrOnline: N/A
HealthStatus: 0x0000000000002800
Event Time Stamp: 12:25:2011 21:21
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui


HWID Data-->
HWID Hash Current: MAAAAAEAAAABAAEAAQADAAAAAgABAAEAonZaY0hi+Pouv+JsmogIyq+nhIGgLkbK

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC HPQOEM SLIC-CPC
FACP HPQOEM SLIC-CPC
HPET HPQOEM SLIC-CPC
MCFG HPQOEM SLIC-CPC
OEMB HPQOEM SLIC-CPC
GSCI HPQOEM SLIC-CPC
SLIC HPQOEM SLIC-MPC
SSDT HPQOEM SLIC-CPC

ken545
2011-12-28, 02:16
Have you activated your copy of Windows?


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

brisk
2011-12-28, 04:36
ComboFix 11-12-27.01 - Jiahe 7/2011 Tue 16:46:57.4.2 - x64
Microsoft Windows 7 Ultimate N 6.1.7600.0.936.86.1033.18.6143.3901 [GMT -8:00]
执行位置: c:\users\Jiahe\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* 成功创造新还原点
.
Error: Cfiles.dat
.
((((((((((((((((((((((((( 2011-11-28 至 2011-12-28 的新的档案 )))))))))))))))))))))))))))))))
.
.
2011-12-28 01:38 . 2011-12-28 01:38 -------- d-----w- c:\users\Xiujuan\AppData\Local\temp
2011-12-28 01:38 . 2011-12-28 01:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-27 23:47 . 2011-12-27 23:49 -------- d-----w- C:\MGADiagToolOutput
2011-12-26 21:39 . 2011-12-26 21:39 -------- d-----w- c:\programdata\Office Genuine Advantage
2011-12-26 05:25 . 2011-12-26 05:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-26 05:25 . 2011-12-26 05:25 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-12-23 01:28 . 2011-12-23 01:28 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi
2011-12-21 02:14 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-12-21 02:14 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-12-21 02:14 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-12-21 02:14 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-12-21 02:14 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-21 02:14 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
2011-12-21 02:14 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-12-21 02:14 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2011-12-21 02:14 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-12-21 02:13 . 2011-12-21 02:13 -------- d-----w- c:\programdata\AVAST Software
2011-12-21 02:13 . 2011-12-21 02:13 -------- d-----w- c:\program files\AVAST Software
2011-12-20 01:42 . 2011-12-20 01:42 -------- d-----w- c:\program files (x86)\ESET
2011-12-19 18:46 . 2011-12-27 21:01 4480 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-12-15 00:21 . 2011-10-26 05:19 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-15 00:21 . 2011-11-05 05:26 1197568 ----a-w- c:\windows\system32\wininet.dll
2011-12-15 00:21 . 2011-11-05 04:35 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2011-12-15 00:21 . 2011-11-05 05:28 696600 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2011-12-15 00:21 . 2011-11-05 04:38 673048 ----a-w- c:\program files (x86)\Internet Explorer\iexplore.exe
2011-12-15 00:21 . 2011-11-05 04:33 860672 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
2011-12-07 05:00 . 2011-12-07 05:00 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-07 04:59 . 2011-12-07 04:59 -------- d-----w- c:\windows\system32\Macromed
2011-12-02 01:41 . 2011-12-02 01:41 -------- d-----w- c:\users\Jiahe\AppData\Local\Skyrim
2011-12-02 01:01 . 2011-12-02 01:42 -------- d-----w- c:\program files (x86)\The Elder Scrolls V Skyrim
2011-11-30 04:42 . 2011-11-30 04:42 -------- d-----w- c:\users\Jiahe\AppData\Local\APN
2011-11-30 04:41 . 2011-11-30 04:46 -------- d-----w- c:\program files (x86)\The KMPlayer
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-15 07:19 . 2009-12-16 05:36 54867776 ----a-w- c:\windows\system32\T.exe
2011-10-03 13:06 . 2011-02-12 01:33 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-09-29 16:24 . 2011-11-09 23:53 1897328 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-19_23.15.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:59 . 2011-12-27 20:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:59 . 2011-12-14 02:00 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:59 . 2011-12-14 02:00 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:59 . 2011-12-27 20:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:59 . 2011-12-14 02:00 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:59 . 2011-12-27 20:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-15 22:35 . 2011-12-27 21:12 70770 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:09 . 2011-12-27 21:12 44302 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-12-20 23:04 . 2011-12-27 21:12 30076 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2695929252-3145278133-2343186154-1003_UserData.bin
+ 2009-12-15 22:29 . 2011-12-26 18:06 18654 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2695929252-3145278133-2343186154-1000_UserData.bin
- 2011-04-03 20:20 . 2009-03-19 00:35 33856 c:\windows\system32\hamachi.sys
+ 2011-04-03 20:20 . 2009-03-19 01:35 33856 c:\windows\system32\hamachi.sys
+ 2009-12-16 06:30 . 2011-12-27 20:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-16 06:30 . 2011-12-19 18:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:51 . 2011-12-26 21:39 95552 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-12-16 06:30 . 2011-12-19 18:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-16 06:30 . 2011-12-27 20:54 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-16 06:30 . 2011-12-19 18:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-16 06:30 . 2011-12-27 20:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-16 06:30 . 2011-12-19 19:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-16 06:30 . 2011-12-28 01:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-16 06:30 . 2011-12-19 19:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-16 06:30 . 2011-12-28 01:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-12-19 18:40 . 2011-12-19 18:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-27 20:54 . 2011-12-27 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-27 20:54 . 2011-12-27 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-19 18:40 . 2011-12-19 18:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-09-27 05:40 . 2011-12-27 06:50 671576 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 05:01 . 2011-12-19 18:24 362644 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-12-27 06:49 362644 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-12-23 01:27 . 2011-12-23 01:27 3819520 c:\windows\Installer\11c85.msi
- 2009-07-14 02:34 . 2011-12-19 21:29 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-12-27 21:07 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2011-12-20 06:59 . 2011-12-07 20:26 54867776 c:\windows\system32\MRT.exe
+ 2011-04-14 05:38 . 2011-12-27 06:49 37892622 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2695929252-3145278133-2343186154-1003-8192.dat
+ 2011-04-15 05:38 . 2011-12-27 06:50 43465536 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2695929252-3145278133-2343186154-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PPHIDPAD"="c:\winpenjr\Win32\pphidpad.exe" [2001-10-02 45056]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 336384]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-16 1955208]
.
c:\users\Jiahe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
Pandora.lnk - c:\program files (x86)\Pandora\Pandora.exe [2010-4-14 95232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R3 ApolloProtect;ApolloProtect;c:\program files (x86)\FSSB\Apollo\Apollo.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 netr7364;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 tcphoc;tcphoc;c:\program files (x86)\Thunder Network\Thunder\XLDoctor\7.1.4.2104_1\Program\tcphoc.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-08-16 2329480]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2009-10-16 1039872]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [2009-10-17 29184]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2009-08-14 517632]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 lvpepf64;Volume Adapter;c:\windows\system32\DRIVERS\lv302a64.sys [x]
S3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\drivers\LVUSBS64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
‘计划任务’ 文件夹 里的内容
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2695929252-3145278133-2343186154-1000Core.job
- c:\users\Xiujuan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-29 02:52]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2695929252-3145278133-2343186154-1000UA.job
- c:\users\Xiujuan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-29 02:52]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2695929252-3145278133-2343186154-1003Core1cc062b7133d26b.job
- c:\users\Jiahe\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-13 00:25]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2695929252-3145278133-2343186154-1003UA1cc20193d23e37b.job
- c:\users\Jiahe\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-13 00:25]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdxmon.exe"="c:\program files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe" [2009-10-26 672424]
"EzPrint"="c:\program files (x86)\Lexmark 3600-4600 Series\ezprint.exe" [2009-10-26 107176]
.
------- 而外的扫描 -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.xunlei.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\ikutm.dll
DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} - hxxp://game-web.qq.com/client/QQGame2.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\users\Jiahe\AppData\Roaming\Mozilla\Firefox\Profiles\o83ynecc.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2695929252-3145278133-2343186154-1003\Software\SecuROM\License information*]
"datasecu"=hex:a9,e7,38,0e,41,44,c3,4e,c5,82,46,07,e2,f0,b1,20,f0,0e,de,c8,4a,
b4,7e,dc,64,f6,d9,16,63,b8,af,3e,91,b4,29,0e,a6,5a,f8,27,f0,dc,8c,17,fa,3b,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AudioCD\shell\O(uQ*Q*q_髼璬>e\command]
@="\"c:\\Program Files (x86)\\Tencent\\QQPlayer\\QQPlayer.exe\" /disk \"%1\""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DVD\shell\O(uQ*Q*q_髼璬>e\command]
@="\"c:\\Program Files (x86)\\Tencent\\QQPlayer\\QQPlayer.exe\" /disk \"%1\""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\3*D*Kb橯迯{媠]
"DisplayName"="3D手写连笔王"
"UninstallString"="c:\\WINPENJR\\UNWISE.EXE c:\\WINPENJR\\INSTALL.LOG"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*8nb]
"DisplayName"="QQ游戏"
"UninstallString"="d:\\Program Files (x86)\\腾讯游戏\\QQGAME\\Uninstall.EXE"
"Publisher"="腾讯公司"
"DisplayIcon"="d:\\Program Files (x86)\\腾讯游戏\\QQGAME\\QQGame.EXE"
"DisplayVersion"="2.5.102.31"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
完成时间: 2011-12-27 17:58:06
ComboFix-quarantined-files.txt 2011-12-28 01:57
ComboFix2.txt 2011-12-20 23:40
ComboFix3.txt 2011-12-20 01:23
ComboFix4.txt 2011-12-19 23:33
.
Pre-Run: 53,023,784,960 bytes free
Post-Run: 52,952,182,784 bytes free
.
- - End Of File - - C104A0ADC403C01E14C22729F6DEABA5

ken545
2011-12-28, 10:58
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.

c:\windows\system32\T.exe

If the site is busy you can try this one
http://virusscan.jotti.org/en




ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.




Are the redirects still present ????

ken545
2011-12-29, 00:59
http://forums.malwarebytes.org/index.php?showtopic=102153&st=0

Since you're being helped here, this thread will be closed. We malware fighters are a small group of volunteers; we do this in our spare time. By posting on more than one forum for the same issue you're just taking us away from helping someone else. Thank you for wasting my time.