PDA

View Full Version : Live player 3.2 Ads pops out every time I use google chrome



wanglanxiu
2013-06-05, 22:51
Hi, I tried to watch online sports and got this plug-in. Every time I use google chrome it pops out. I have't tried spybot, SparkTrust, Adwclean, and 360superkiller, but the problem is still on. Please help to remove this. Thanks.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16483 BrowserJavaVersion: 10.17.2
Run by wanglong at 15:16:57 on 2013-06-05
Microsoft Windows 7 Home Premium 6.1.7600.0.936.86.1033.18.2996.1183 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Program Files\Rising\RSD\RsMgrSvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files\alipay\alieditplus\AlipaySecSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\DatacardService\DCService.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Windows\system32\HPSIsvc.exe
C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN32\IcbcDaemon.exe
C:\Program Files\BOCOM\07USBKey\C:\Program Files\LENOVO\HOTKEY\CAMMUTE.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Windows\system32\lkads.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\lxdncoms.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\Explorer.EXE
C:\Program Files\BOCOM\07USBKey\C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\ngsrv\ngslotd.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\Program Files\alipay\SafeTransaction\AlipaySafeTran.exe
C:\Program Files\National Instruments\Shared\NI WebServer\SystemWebServer.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\Program Files\Common Files\Motive\pcCMService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Lenovo\Access Connections\AcSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\lkcitdl.exe
C:\Windows\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe
C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe
C:\Windows\system32\nipxism.exe
C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe
C:\Program Files\National Instruments\Shared\NI Network Discovery\niDiscSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe
C:\Program Files\alipay\SafeTransaction\Alipaybsm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Rising\RSD\popwndexe.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\National Instruments\Shared\NI Error Reporting\nierserver.exe
C:\Users\wanglong\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\DllHost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files\Tencent\QQ\Bin\QQProtect\Bin\QQProtect.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k HsfXAudioService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.hao123.com/?tn=29065018_55_hao_pg
uDefault_Page_URL = hxxp://lenovo.msn.com
uProxyServer = localhost:21320
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark 工具条: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: WebProtect: {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - c:\program files\cmbchina\webprotect\WebProtect.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: FlashCatchBHO Class: {88618A96-6D8A-42E7-B932-9073D5B2080F} - c:\program files\flashcatch\flashcatch.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: ICBC Anti-Phishing class: {BB4491A2-D11A-4c6b-91C0-B53246A3122B} - c:\program files\icbcebanktools\icbcantiphishing\icbc_win32\Icbc_AntiPhishing.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Lexmark 工具条: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: FlashCatch: {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - c:\program files\flashcatch\flashcatch.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Lexmark 工具条: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
TB: FlashCatch: {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - c:\program files\flashcatch\flashcatch.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RSDTRAY] "c:\program files\rising\rsd\popwndexe.exe"
mRun: [NI Update Service] "c:\program files\national instruments\shared\update service\NIUpdateService.exe" -startupTask
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
StartupFolder: c:\users\wanglong\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\wanglong\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\wanglong\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nierro~1.lnk - c:\program files\national instruments\shared\ni error reporting\nierserver.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:221
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
IE: 转换为 Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: 转换为现有 PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: 转换选定的链接为 Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: 转换选定的链接为现有 PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: 转换选项为 Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: 转换选项为现有 PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: 转换链接目标为 Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: 转换链接目标为现有 PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: 95559.com.cn
Trusted Zone: alipay.com
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: alisoft.com
Trusted Zone: bankcomm.com
Trusted Zone: bankofchina.com
Trusted Zone: boc.cn
Trusted Zone: boc.cn
Trusted Zone: icbc.com.cn
Trusted Zone: taobao.com
Trusted Zone: taobao.com
Trusted Zone: alipay.com
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: alisoft.com
Trusted Zone: taobao.com
Trusted Zone: taobao.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{AB14D844-17A3-4739-92EC-368A40F265C9} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{AB14D844-17A3-4739-92EC-368A40F265C9}\26C61636B697 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AB14D844-17A3-4739-92EC-368A40F265C9}\554477962756C6563737 : DHCPNameServer = 131.238.74.7 131.238.74.8
TCP: Interfaces\{AB14D844-17A3-4739-92EC-368A40F265C9}\75847237 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AB14D844-17A3-4739-92EC-368A40F265C9}\8423440373 : DHCPNameServer = 202.96.134.133 202.96.128.166
TCP: Interfaces\{AB14D844-17A3-4739-92EC-368A40F265C9}\C67716E676368656E6 : DHCPNameServer = 207.69.188.186 207.69.188.187
TCP: Interfaces\{AB14D844-17A3-4739-92EC-368A40F265C9}\E4544574541425833333 : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
LSA: Notification Packages = scecli ACGina
mASetup: aetsprov - c:\windows\system32\regsvr32.exe /s c:\windows\system32\aetsprov.dll
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-4-21 24304]
R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2012-12-18 15448]
R0 nipxibaf;National Instruments PXI Bridge Access Driver;c:\windows\system32\drivers\nipxibaf.sys [2013-1-14 62712]
R0 nipxibrc;National Instruments PXI Bridge Configuration Driver;c:\windows\system32\drivers\nipxibrc.sys [2013-1-14 46344]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-10-9 20520]
R1 CgbKeyFlt;CgbKeyFlt;c:\windows\CgbKeyFlt.sys [2011-12-31 33616]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2009-12-9 13480]
R1 QQProtect;QQProtect;c:\windows\system32\drivers\QQProtect.sys [2012-3-14 117920]
R2 AlipaySecSvc;Alipay security service;c:\program files\alipay\alieditplus\AlipaySecSvc.exe [2013-5-20 431456]
R2 CMB8100;CMB8100;c:\windows\system32\drivers\CertClient.dat [2010-6-4 11808]
R2 CMBProtector;CMBProtector;c:\windows\system32\drivers\CMBProtector.dat [2010-6-4 10272]
R2 DCService.exe;DCService.exe;c:\programdata\datacardservice\DCService.exe [2009-11-20 212992]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-4-21 132456]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2013-1-17 12408]
R2 nistreamk;nistreamk;c:\windows\system32\drivers\nistreamkl.sys [2012-6-6 19648]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2013-1-29 12424]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-4-21 48640]
R2 rsdsys;rsd protect;c:\windows\system32\drivers\protreg.sys [2013-6-4 21208]
R2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\drivers\TurboB.sys [2009-11-2 14808]
R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2010-4-21 126080]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-4-21 214696]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-4-16 106656]
R3 GDBaseSmc;USB Chip Holder Service;c:\windows\system32\drivers\Chip_smc.sys [2010-1-17 20256]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-4-21 125696]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-4-21 209920]
R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [2010-4-21 88832]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\Ndisrd.sys [2012-3-6 22016]
R3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2010-10-18 7122944]
R3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2013-1-29 12424]
R3 R5BaseSmc;USB Token Holder Service;c:\windows\system32\drivers\smccard.sys [2010-1-20 20512]
R3 SmbDrvI;SmbDrvI;c:\windows\system32\drivers\Smb_driver_Intel.sys [2012-9-8 23608]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2009-10-8 38336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 EZUSB;AnchorChips General Purpose USB Driver (ezusb.sys);c:\windows\system32\drivers\ezusb.sys [2013-3-19 17424]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2010-10-5 87336]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2012-2-5 201168]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2013-1-30 39272]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2012-2-5 101120]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2011-5-15 17408]
S3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\Ndisrd.sys [2012-3-6 22016]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2013-1-14 26192]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2013-1-14 11960]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2013-1-14 23736]
S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2012-6-28 11976]
S3 niimaqdxk;niimaqdxk;c:\windows\system32\drivers\niimaqdxkl.sys [2013-2-15 11864]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2012-12-19 12600]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2012-12-19 12600]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2011-8-9 21144]
S3 PCDSRVC{3037D694-FD904ACA-06000000}_0;PCDSRVC{3037D694-FD904ACA-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2009-11-20 20848]
S3 PCDSRVC{C4B36920-79E24793-06000000}_0;PCDSRVC{C4B36920-79E24793-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\pcdsrvc.pkms [2009-11-20 20848]
S3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [2010-4-21 816792]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=c:\windows\system32\notepad.exe "%1"
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-06-05 18:53:07 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-06-05 18:52:27 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-06-05 18:52:16 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-06-05 18:51:32 -------- d-----w- c:\users\wanglong\appdata\local\Programs
2013-06-05 18:31:51 -------- d-----w- c:\programdata\Tencent
2013-06-05 18:30:18 -------- d-----w- c:\users\wanglong\appdata\local\Tencent
2013-06-05 16:06:09 -------- d-----w- c:\programdata\PXISA
2013-06-05 15:57:17 -------- d-----w- c:\program files\cameralink
2013-06-05 15:38:35 -------- d-----w- c:\programdata\IVI Foundation
2013-06-05 15:38:35 -------- d-----w- c:\program files\IVI Foundation
2013-06-05 14:46:07 -------- d-----w- C:\National Instruments Downloads
2013-06-05 04:24:51 97 ----a-w- c:\windows\DeleteOnReboot.bat
2013-06-05 03:39:34 -------- d-----r- C:\RavBin
2013-06-05 03:34:50 21208 ------w- c:\windows\system32\drivers\protreg.sys
2013-06-05 03:33:59 -------- d-----w- c:\program files\Rising
2013-06-05 03:33:58 -------- d-----w- c:\programdata\Rising
2013-06-04 23:35:12 -------- d-----w- c:\users\wanglong\appdata\roaming\DriverCure
2013-06-04 23:35:11 -------- d-----w- c:\users\wanglong\appdata\roaming\SparkTrust
2013-06-04 23:30:48 -------- d-----w- c:\programdata\SparkTrust
2013-06-04 19:57:50 -------- d-----w- c:\users\wanglong\appdata\roaming\360SuperKiller
2013-06-04 19:53:58 -------- d-----w- c:\users\wanglong\appdata\roaming\SosClient
2013-06-03 21:04:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2013-06-03 21:04:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2013-06-03 21:04:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2013-06-03 21:04:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2013-06-03 21:04:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2013-06-03 04:24:47 -------- d-----w- c:\programdata\360safe
2013-06-03 04:23:45 2594632 ----a-r- c:\program files\common files\microsoft shared\vba\vba6\VBE6.DLL
2013-06-03 04:21:43 -------- d-----w- c:\users\wanglong\appdata\roaming\360Login
2013-06-03 04:20:00 -------- d-----w- c:\program files\360
2013-05-31 01:06:21 1210728 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-05-26 02:16:26 -------- d-----w- C:\a
2013-05-13 16:05:54 -------- d-----w- C:\A9R2908.tmp
2013-05-13 16:05:24 -------- d-----w- C:\A9R2907.tmp
2013-05-13 16:05:24 -------- d-----w- C:\A9R2906.tmp
2013-05-13 16:05:22 -------- d-----w- C:\A9R2905.tmp
2013-05-07 16:21:42 -------- d-----w- c:\users\wanglong\appdata\local\{1438690B-C617-4B45-839D-655904D1B333}
.
==================== Find3M ====================
.
2013-06-05 03:31:01 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2013-05-15 03:31:36 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-15 03:31:36 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-01 07:59:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2013-05-01 07:59:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
2013-04-04 22:11:34 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-04-04 22:02:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-04 22:02:17 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-04-04 21:58:51 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-04-04 21:57:45 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-04-04 21:54:28 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-03-26 13:41:34 415792 ----a-w- C:\UCLiveCore.dll
2013-03-26 13:41:28 215088 ----a-w- C:\live_deamon.dll
2013-03-22 20:37:43 34013072 ----a-w- c:\windows\system32\PersonalBankMain.ocx
2013-03-21 20:28:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-03-19 05:06:09 3958120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:06:09 3902312 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:54:22 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:50:03 69632 ----a-w- c:\windows\system32\smss.exe
2013-03-14 16:44:22 0 ----a-w- c:\windows\system32\nsf7552.tmp
2013-03-14 15:39:41 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-14 15:39:41 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-14 15:39:41 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-11 07:27:42 2972272 ----a-w- c:\windows\system32\SogouPY.ime
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: WDC_WD25 rev.02.0 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x83A37000]<< >>UNKNOWN [0x8CBD1000]<< >>UNKNOWN [0x8CBC0000]<< >>UNKNOWN [0x8BF99000]<< >>UNKNOWN [0x83A00000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x83A72718] -> \Device\Harddisk0\DR0[0x88F16030]
\Driver\Disk[0x86578058] -> IRP_MJ_CREATE -> 0x8CBD539F
3 [0x8CBD559E] -> ntkrnlpa!IofCallDriver[0x83A72718] -> [0x872E6B98]
\Driver\ACPI[0x8658C030] -> IRP_MJ_CREATE -> 0x8BFA24AA
kernel: MBR read successfully
_asm { JMP 0x10; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:18:02.51 ===============

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-06-05 15:21:34
-----------------------------
15:21:34.228 OS Version: Windows 6.1.7600
15:21:34.228 Number of processors: 4 586 0x2502
15:21:34.228 ComputerName: WANGLONG-THINK UserName: wanglong
15:21:35.809 Initialize success
15:24:03.310 AVAST engine defs: 13060501
15:27:31.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:27:31.197 Disk 0 Vendor: WDC_WD25 02.0 Size: 238475MB BusType: 3
15:27:31.327 Disk 0 MBR read successfully
15:27:31.337 Disk 0 MBR scan
15:27:31.367 Disk 0 unknown MBR code
15:27:31.387 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
15:27:31.427 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 73653 MB offset 2459712
15:27:31.457 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10003 MB offset 153301680
15:27:31.467 Disk 0 Partition - 00 05 Extended 153614 MB offset 173789280
15:27:31.497 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 153614 MB offset 173789343
15:27:31.507 Disk 0 scanning sectors +488391120
15:27:31.627 Disk 0 scanning C:\Windows\system32\drivers
15:27:54.072 Service scanning
15:28:46.231 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
15:28:49.812 Service Teefer2 C:\Windows\system32\DRIVERS\teefer2.sys **LOCKED** 32
15:28:58.494 Service WPS C:\Windows\system32\drivers\wpsdrvnt.sys **LOCKED** 32
15:28:58.574 Service WpsHelper C:\Windows\system32\drivers\WpsHelper.sys **LOCKED** 32
15:29:00.135 Modules scanning
15:29:16.779 Disk 0 trace - called modules:
15:29:16.809 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys spps.sys >>UNKNOWN [0x864df938]<<
15:29:16.819 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88f16030]
15:29:16.829 3 CLASSPNP.SYS[8cbd559e] -> nt!IofCallDriver -> [0x872e6b98]
15:29:16.839 5 ACPI.sys[8bfa23b2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x87306028]
15:29:18.100 AVAST engine scan C:\Windows
15:29:22.190 AVAST engine scan C:\Windows\system32
15:36:24.111 AVAST engine scan C:\Windows\system32\drivers
15:36:53.327 AVAST engine scan C:\Users\wanglong
15:40:35.705 Disk 0 MBR has been saved successfully to "C:\Users\wanglong\Desktop\MBR.dat"
15:40:35.725 The log file has been saved successfully to "C:\Users\wanglong\Desktop\aswMBR.txt"

OCD
2013-06-25, 03:55
Hello wanglanxiu,

I apologize for the delay in replying to your inquiry. If you still need help please continue.

=========================

My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
Copy and Paste logs directly into the reply window. DO NOT attach the logs unless specifically instructed to do so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Please stay with this topic until I let you know that your system appears to be "All Clear"

Important: All tools MUST be run from the Desktop.

=========================

1. Security Check

Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
Save it to your Desktop.
Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"

Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.


=========================

2. aswMBR

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) and save it to your desktop.
Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"

When asked if you want to download Avast's virus definitions please select Yes.
Click Scan
Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.


=========================


3. OTL

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Make sure all other windows are closed and to let it run uninterrupted.
Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Under Custom Scan paste this in

%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s >
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
services.*
/md5stop
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
BASESERVICES
DRIVES
CREATERESTOREPOINT


Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
You may need two posts to fit them both in.


=========================

In your next post please provide the following:


checkup.txt
aswMBR.txt
attach MBR.zip
OTL.txt
Extras.txt

OCD
2013-06-29, 06:12
Hi wanglanxiu,

Just checking in to see if you still need help?

OCD
2013-07-01, 06:33
This thread has been closed due to inactivity. If it has been three days or more since your last post it will not be re-opened.

If you still require help, please start a new topic and include fresh DDS and aswMBR logs, along with a link to your previous thread.

Please do not add any logs that might have been requested previously, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start your own topic.