
Thread: Get-Answers-Fast redirect

  1. #1 Junior Member (Join Date: Dec 2011, Posts: 6)

    Get-Answers-Fast redirect

    Hello, I would appreciate any help to cure my hijacked browser!! :/
    Nothing I'm doing is fixing or detecting the problem..

    DDS LOG:
    __________________________________________________
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_29
    Run by Jiahe at 18:13:09 on 2011-12-15
    Microsoft Windows 7 Ultimate N 6.1.7600.0.936.86.1033.18.6143.4115 [GMT -8:00]
    .
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
    C:\Windows\system32\spool\DRIVERS\x64\3\lxdxserv.exe
    C:\Windows\system32\lxdxcoms.exe
    C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
    C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe
    C:\Users\Jiahe\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\PPS.tv\PPStream\PPSAP.exe
    C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
    C:\Program Files (x86)\Pandora\Pandora.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
    C:\WINPENJR\win32\Pphidpad.exe
    C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\wuauclt.exe
    C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Jiahe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\REGSVR32.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.xunlei.com
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=userinit.exe,
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {889D2FEB-5411-4565-8998-1DD2C5261283} - No File
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    uRun: [Google Update] "C:\Users\Jiahe\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [PPLiveVA] C:\Program Files (x86)\PPLiveVA\PPLiveVA.exe /LoadModule PPVA.DLL /M REAL /S 0 /T 0
    uRun: [PPAP] "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.EXE" -background
    uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
    uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    uRun: [RGSC] C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
    uRun: [PPS Accelerator] D:\PPS.tv\PPStream\ppsap.exe
    mRun: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    StartupFolder: C:\Users\Jiahe\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
    StartupFolder: C:\Users\Jiahe\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pandora.lnk - C:\Program Files (x86)\Pandora\Pandora.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    LSP: C:\Windows\system32\ikutm.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} - hxxp://game-web.qq.com/client/QQGame2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - hxxp://plato.ousd.k12.ca.us/pathways/pway_iis.dll/PWLN/02050119/fullcab/pwlninst.cab
    DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
    TCP: Interfaces\{2D58E29F-66A9-4CD1-8B42-887EAC930D96} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{2D58E29F-66A9-4CD1-8B42-887EAC930D96}\74F6C6F6 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{7A97DFAE-1868-4272-B75A-8DE1BCD5EF17} : DhcpNameServer = 192.168.1.254
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    BHO-X64: 0x1 - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: {889D2FEB-5411-4565-8998-1DD2C5261283} - No File
    BHO-X64: XunleiBHO - No File
    BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64: SkypeIEPluginBHO - No File
    BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    mRun-x64: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Jiahe\AppData\Roaming\Mozilla\Firefox\Profiles\o83ynecc.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: C:\Program Files (x86)\Common Files\Motive\npMotive.dll
    FF - plugin: C:\Program Files (x86)\Common Files\Thunder Network\KanKan\npDapCtrlFirefox.2.0.5901.12.(474).dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: C:\Program Files (x86)\Windows Media Player\np-mswmp.dll
    FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: C:\Users\Jiahe\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-5-4 128384]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-8-4 2329480]
    R2 lxdx_device;lxdx_device;C:\Windows\system32\lxdxcoms.exe -service --> C:\Windows\system32\lxdxcoms.exe -service [?]
    R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\lxdxserv.exe [2009-12-15 29184]
    R2 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2010-4-24 517632]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
    R3 lvpepf64;Volume Adapter;C:\Windows\system32\DRIVERS\lv302a64.sys --> C:\Windows\system32\DRIVERS\lv302a64.sys [?]
    R3 LVUSBS64;Logitech USB Monitor Filter;C:\Windows\system32\drivers\LVUSBS64.sys --> C:\Windows\system32\drivers\LVUSBS64.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 netr7364;USB Wireless 802.11 b/g Adaptor Driver for Vista;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-12-15 00:21:25 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2011-12-15 00:21:05 1197568 ----a-w- C:\Windows\System32\wininet.dll
    2011-12-15 00:21:03 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-12-15 00:21:00 860672 ----a-w- C:\Program Files (x86)\Internet Explorer\iedvtool.dll
    2011-12-15 00:21:00 696600 ----a-w- C:\Program Files\Internet Explorer\iexplore.exe
    2011-12-15 00:21:00 673048 ----a-w- C:\Program Files (x86)\Internet Explorer\iexplore.exe
    2011-12-13 00:27:09 357000 ----a-w- C:\ProgramData\i6qcOlkU2jbAqX.exe
    2011-12-13 00:13:18 357000 ----a-w- C:\ProgramData\fg.exe
    2011-12-07 05:00:45 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-12-02 01:41:45 -------- d-----w- C:\Users\Jiahe\AppData\Local\Skyrim
    2011-12-02 01:01:35 -------- d-----w- C:\Program Files (x86)\The Elder Scrolls V Skyrim
    2011-11-30 04:42:07 -------- d-----w- C:\Users\Jiahe\AppData\Local\APN
    2011-11-30 04:41:47 -------- d-----w- C:\Program Files (x86)\The KMPlayer
    .
    ==================== Find3M ====================
    .
    2011-11-24 05:00:47 3141632 ----a-w- C:\Windows\System32\win32k.sys
    2011-11-05 05:23:10 57856 ----a-w- C:\Windows\System32\licmgr10.dll
    2011-11-05 05:17:42 2048 ----a-w- C:\Windows\System32\tzres.dll
    2011-11-05 04:34:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2011-11-05 04:30:11 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-11-05 04:07:32 482816 ----a-w- C:\Windows\System32\html.iec
    2011-11-05 03:28:41 386048 ----a-w- C:\Windows\SysWow64\html.iec
    2011-11-05 03:25:44 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-11-05 02:55:38 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-10-15 06:25:12 723456 ----a-w- C:\Windows\System32\EncDec.dll
    2011-10-15 05:48:52 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
    2011-10-03 13:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-09-29 16:24:44 1897328 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    .
    ============= FINISH: 18:21:05.39 ===============
    Thank you for your time!! Hope to get help soon!
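The DDS log above is what the helper reads first, and a few line types in it are exactly the places a search/home-page redirect is configured: the Winsock LSP entry (an LSP DLL sits in the socket path of every program, browsers included), the Firefox `browser.search.defaulturl` versus the engine the user thinks is selected, orphaned BHO registrations, and freshly created executables sitting directly in `C:\ProgramData`. The script below is an added example, not part of the original post and not DDS code: it parses an excerpt copied from the log above and flags those entries for review. The heuristics, severity labels and the choice of checks are the author's own, and a flag means "verify this", not "this is malware".

```python
"""Triage a DDS 'Pseudo HJT Report' / 'Created Last 30' excerpt for redirect indicators.

Added example, not part of the original post or of DDS. SAMPLE_LOG is an excerpt
of the log in the thread; the heuristics below are the author's own and produce
items to verify, not malware verdicts.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Excerpt of the DDS log posted above (DDS writes hxxp:// so URLs are not clickable).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.xunlei.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {889D2FEB-5411-4565-8998-1DD2C5261283} - No File
LSP: C:\Windows\system32\ikutm.dll
BHO-X64: XunleiBHO - No File
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
2011-12-13 00:27:09 357000 ----a-w- C:\ProgramData\i6qcOlkU2jbAqX.exe
2011-12-13 00:13:18 357000 ----a-w- C:\ProgramData\fg.exe
2011-12-07 05:00:45 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
"""

CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) \S+ (.+)$")
PAGE_KEY_RE = re.compile(r"^[um](Start Page|Default_Page_URL|Search\w*)")   # HJT/DDS key names
PROGRAMDATA_EXE_RE = re.compile(r"(?i)^c:\\programdata\\[^\\]+\.exe$")
ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def host_of(defanged_url):
    """Undo DDS's hxxp defanging, then return the host part of the URL."""
    return urlparse(defanged_url.replace("hxxp", "http", 1)).hostname or ""


def triage(log_text):
    """Return (severity, reason, line) findings for the entries worth checking first."""
    findings = []
    search_url = selected_engine = None
    by_size = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("LSP:"):
            # An LSP DLL is loaded into every Winsock client, so it can rewrite DNS/HTTP for
            # all browsers at once; a third-party one is the classic redirect mechanism.
            findings.append(("high", "third-party Winsock LSP; verify file signature/publisher", line))
        elif line.startswith(("BHO:", "BHO-X64:")) and line.endswith("- No File"):
            findings.append(("low", "orphaned BHO registration (DLL missing); clean-up candidate", line))
        elif PAGE_KEY_RE.match(line) or "browser.startup.homepage" in line:
            findings.append(("info", "start/search page setting; confirm the user chose it", line))
        elif "ProxyServer" in line or "ProxyOverride" in line:
            findings.append(("info", "proxy setting; confirm no unexpected proxy is configured", line))
        elif "browser.search.defaulturl" in line:
            search_url = line.split(" - ")[-1]
        elif "browser.search.selectedEngine" in line:
            selected_engine = line.split(" - ")[-1]
        else:
            m = CREATED_RE.match(line)
            if m:
                size, path = int(m.group(1)), m.group(2)
                by_size[size].append(path)
                if PROGRAMDATA_EXE_RE.match(path):
                    findings.append(("high", "executable dropped directly in ProgramData root", line))
    if search_url and selected_engine and selected_engine.lower() not in host_of(search_url):
        findings.append(("high", f"search URL host '{host_of(search_url)}' does not match "
                                 f"selected engine '{selected_engine}'", search_url))
    for size, paths in by_size.items():
        if len(paths) > 1:   # two different names, identical size: often the same dropper
            findings.append(("medium", f"{len(paths)} new files share size {size} bytes", "; ".join(paths)))
    return findings


if __name__ == "__main__":
    for severity, reason, line in sorted(triage(SAMPLE_LOG), key=lambda f: ORDER[f[0]]):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it against a full DDS log by passing the file contents to `triage()`; the three "high" findings it produces on the excerpt (the LSP DLL, the two root-level ProgramData executables, and the Conduit search URL behind a "Bing" selection) are the ones to take to a signature check and a file-reputation lookup before anything is deleted.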

  2. #2 ken545, Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    uTorrent <-- I see this installed; this is most likely how you infected your system. You're downloading files from an unknown source, and malware writers take advantage of this: not all, but most of what you download is infected. I am going to ask you to uninstall it via Programs and Features in the Control Panel.

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3 Junior Member (Join Date: Dec 2011, Posts: 6)

    aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-24 14:07:57
    -----------------------------
    14:07:57.591 OS Version: Windows x64 6.1.7600
    14:07:57.591 Number of processors: 2 586 0x170A
    14:07:57.591 ComputerName: XIUJUAN-PC UserName: Jiahe
    14:07:59.307 Initialize success
    14:07:59.447 AVAST engine defs: 11122401
    14:08:01.756 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    14:08:01.756 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 8
    14:08:01.803 Disk 0 MBR read successfully
    14:08:01.803 Disk 0 MBR scan
    14:08:01.850 Disk 0 Windows 7 default MBR code
    14:08:01.850 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 597126 MB offset 63
    14:08:01.912 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13350 MB offset 1222915995
    14:08:01.912 Service scanning
    14:08:05.531 Disk 0 MBR has been saved successfully to "C:\Users\Jiahe\Desktop\MBR.dat"
    14:08:05.531 The log file has been saved successfully to "C:\Users\Jiahe\Desktop\aswMBR.txt"
    14:08:07.475 Modules scanning
    14:08:07.475 Disk 0 trace - called modules:
    14:08:07.537 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8006d12334]<<
    14:08:08.036 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006cfa060]
    14:08:08.036 3 CLASSPNP.SYS[fffff880013b843f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005c39050]
    14:08:08.036 \Driver\iaStorV[0xfffffa8005bc0a60] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8006d12334
    14:08:09.440 AVAST engine scan C:\Windows
    14:08:14.807 AVAST engine scan C:\Windows\system32
    14:10:58.560 AVAST engine scan C:\Windows\system32\drivers
    14:11:09.310 AVAST engine scan C:\Users\Jiahe
    14:22:55.276 AVAST engine scan C:\ProgramData
    14:27:03.769 Scan finished successfully
    14:36:38.303 Disk 0 MBR has been saved successfully to "C:\Users\Jiahe\Desktop\MBR.dat"
    14:36:38.303 The log file has been saved successfully to "C:\Users\Jiahe\Desktop\aswMBR.txt"

    Here's the log.
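What aswMBR does in the "MBR read / MBR scan" step is small enough to show in full: it reads sector 0, checks the 55 AA signature, walks the four 16-byte partition entries (which is where the "Partition 1 80 (A) 07 HPFS/NTFS ... offset 63" lines come from), and compares the 446 bytes of bootstrap code against what it expects, since a bootkit replaces that code. The parser below is an added example, not aswMBR's code. It constructs an MBR with the two partitions the log reports (the bootstrap bytes are filler, so the "known-good" hash passed to `check_mbr()` has to come from a machine you trust; the example uses the sample's own hash as that baseline), and it also reads the `MBR.dat` file aswMBR saves to the desktop when given a path.

```python
"""Parse a 512-byte MBR the way aswMBR's "MBR read / MBR scan" step does.

Added example, not aswMBR's code. build_sample_mbr() constructs an image with
the two partitions reported in the log above; the bootstrap bytes are filler,
so the known-good hash given to check_mbr() must come from a trusted machine.
"""
import hashlib
import struct
import sys

SECTOR = 512
MBR_SIGNATURE = 0xAA55                 # stored little-endian, so it reads 55 AA on disk
TABLE_OFFSET = 446                     # 446 bytes bootstrap, 4 x 16-byte entries, 2-byte signature
ENTRY = struct.Struct("<B3sB3sII")     # boot flag, CHS start, type, CHS end, LBA start, sector count
PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
                   0x05: "Extended", 0x0F: "Extended LBA"}


def parse_mbr(sector):
    """Return the bootstrap hash and the non-empty partition entries of one MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature = struct.unpack_from("<H", sector, 510)[0]
    if signature != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{signature:04X}")
    partitions = []
    for i in range(4):
        boot, _, ptype, _, lba_start, sectors = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                                   # empty slot
        partitions.append({
            "index": i + 1,
            "bootable": boot == 0x80,                  # the "80 (A)" in the aswMBR log
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "bootable_count": sum(p["bootable"] for p in partitions),
    }


def check_mbr(parsed, known_good_bootstrap_sha256=None):
    """Structural checks a rootkit scanner makes before any signature-based ones."""
    issues = []
    if parsed["bootable_count"] != 1:
        issues.append(f"{parsed['bootable_count']} partitions marked active (expected exactly 1)")
    ordered = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            issues.append(f"partition {a['index']} overlaps partition {b['index']}")
    if known_good_bootstrap_sha256 and parsed["bootstrap_sha256"] != known_good_bootstrap_sha256:
        # The bootstrap code is what a bootkit replaces; it is the first thing to diff.
        issues.append("bootstrap code differs from known-good baseline")
    return issues


def build_sample_mbr(bootstrap=b"\xEB\xFE" + b"\x90" * 444):
    """Constructed MBR with the layout aswMBR reported: NTFS active at LBA 63, NTFS at LBA 1222915995."""
    entries = [(0x80, 0x07, 63, 597126 * 2048),          # 597126 MB; 2048 sectors per MB
               (0x00, 0x07, 1222915995, 13350 * 2048)]   # 13350 MB
    chs = b"\xFE\xFF\xFF"                                # CHS 'max' marker used by LBA-only entries
    table = b"".join(ENTRY.pack(boot, chs, ptype, chs, start, count)
                     for boot, ptype, start, count in entries)
    table += b"\x00" * 32                                # two empty slots
    return bootstrap + table + struct.pack("<H", MBR_SIGNATURE)


if __name__ == "__main__":
    # Usage: python mbr_parse.py [MBR.dat]; without an argument the constructed sample is parsed.
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    for p in info["partitions"]:
        flag = "80 (A)" if p["bootable"] else "00"
        print(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']} {p['size_mb']} MB offset {p['lba_start']}")
    print("bootstrap sha256:", info["bootstrap_sha256"])
    print("issues:", check_mbr(info) or "none")
```

The bootstrap hash is the useful output: record it from a machine you trust and compare it against `MBR.dat` from the suspect one. "Windows 7 default MBR code" in the aswMBR log is the same comparison done against the scanner's own baseline; a mismatch is not proof of a bootkit (third-party boot managers also replace that code) but it is the first thing to explain.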

  4. #4 ken545, Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Hi, hope you're having a nice Xmas.


    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)

  5. #5 Junior Member (Join Date: Dec 2011, Posts: 6)

    Umm.. it won't let me open it.. =/
    Merry Christmas to you too!

  6. #6 Junior Member (Join Date: Dec 2011, Posts: 6)

    When I double-click it / run it as admin, nothing pops up.

  7. #7 ken545, Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Ok, while I am looking over your logs, run this program.

    Please run the MGA Diagnostic Tool and post back the report it creates:
    • Download MGADiag to your desktop.
    • Double-click on MGADiag.exe to launch the program
    • Click "Continue"
    • Ensure that the "Windows" tab is selected (it should be by default).
    • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
    • Paste the MGA Diagnostic Report back here in your next reply.

  8. #8 Junior Member (Join Date: Dec 2011, Posts: 6)

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE22
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-TVCR6-KDG67-97J8Q
    Windows Product Key Hash: AYpNlNvXX+S8zDWmY4X6Ucmxv1s=
    Windows Product ID: 00432-020-0000007-85477
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7600.2.00010100.0.0.028
    ID: {284F018D-696A-4AA5-975E-FE1E637515B1}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.9.1
    Signed By: Microsoft
    Product Name: Windows 7 Ultimate N
    Architecture: 0x00000009
    Build lab: 7600.win7_gdr.110622-1503
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 102
    Microsoft Office Visio Professional 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppcomapi.dll[Hr = 0x80070005]
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\en-US\user32.dll.mui[6.1.7600.16385], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{284F018D-696A-4AA5-975E-FE1E637515B1}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.028</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-97J8Q</PKey><PID>00432-020-0000007-85477</PID><PIDType>5</PIDType><SID>S-1-5-21-2695929252-3145278133-2343186154</SID><SYSTEM><Manufacturer>HP-Pavilion</Manufacturer><Model>FQ587AA-ABA a6767c</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>5.35 </Version><SMBIOSVersion major="2" minor="5"/><Date>20081216000000.000000+000</Date></BIOS><HWID>9DBB3607018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-MPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>102</Result><Products><Product GUID="{91120000-0051-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Visio Professional 2007</Name><Ver>12</Ver><Val>9F545EF262BB26C</Val><Hash>nVe+/WQViLp115BknMm0UEdhnf0=</Hash><Pid>84890-310-4573646-63604</Pid><PidType>10</PidType></Product></Products><Applications><App Id="53" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7600.16385

    Name: Windows(R) 7, UltimateN edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: fa3d0658-67f4-4a26-ba57-3fc6f39861f1
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00432-00170-020-000000-00-1033-7600.0000-3492009
    Installation ID: 008606536270951765146494501834681046142362959514359435
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 97J8Q
    License Status: Notification
    Notification Reason: 0xC004F009 (grace time expired).
    Remaining Windows rearm count: 3
    Trusted time: 12/27/2011 3:47:23 PM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE22
    HrOnline: N/A
    HealthStatus: 0x0000000000002800
    Event Time Stamp: 12:25:2011 21:21
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui


    HWID Data-->
    HWID Hash Current: MAAAAAEAAAABAAEAAQADAAAAAgABAAEAonZaY0hi+Pouv+JsmogIyq+nhIGgLkbK

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
    ACPI Table Name   OEMID Value   OEMTableID Value
    APIC              HPQOEM        SLIC-CPC
    FACP              HPQOEM        SLIC-CPC
    HPET              HPQOEM        SLIC-CPC
    MCFG              HPQOEM        SLIC-CPC
    OEMB              HPQOEM        SLIC-CPC
    GSCI              HPQOEM        SLIC-CPC
    SLIC              HPQOEM        SLIC-MPC
    SSDT              HPQOEM        SLIC-CPC
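The part of the MGADiag report that matters for a malware helper is "File Scan Data" and "Windows Activation Technologies": every `hr =` value is an HRESULT, and the two most telling ones here are `0x800b0100` (facility CERT, code 0x100, TRUST_E_NOSIGNATURE: the file carries no valid Authenticode signature) on `systemcpl.dll` and `user32.dll.mui`, plus the "Tampered File" lines on `sppcomapi.dll` and `slui.exe`, which are the licensing components. Modified licensing binaries look the same whether an activation crack or malware put them there, which is why the next question in the thread is about activation. The script below is an added example, not part of the original post or of Microsoft's tool: it decodes the HRESULT fields structurally, parses an excerpt of the report above, and produces the list of files whose signatures should be verified next. The name table holds only codes the author is certain of; `%systemroot%` is expanded to `C:\Windows` as an assumption about this machine.

```python
"""Decode the HRESULTs in an MGADiag report and list the files it says failed validation.

Added example, not part of the original post or of Microsoft's tool. SAMPLE_REPORT is
an excerpt of the report above; KNOWN holds only codes the author is sure of, anything
else is decoded structurally (severity bit, facility, code). SYSTEMROOT is an assumption.
"""
import re

SAMPLE_REPORT = r"""
Validation Code: 0x8004FE22
Cached Online Validation Code: N/A, hr = 0xc004f012
File Mismatch: C:\Windows\system32\sppcomapi.dll[Hr = 0x80070005]
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\en-US\user32.dll.mui[6.1.7600.16385], Hr = 0x800b0100
Notification Reason: 0xC004F009 (grace time expired).
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
"""

FACILITIES = {0: "NULL", 4: "ITF", 7: "WIN32", 11: "CERT"}   # ITF is where SL_E_* licensing codes live
KNOWN = {
    0x80070002: "ERROR_FILE_NOT_FOUND",
    0x80070005: "ERROR_ACCESS_DENIED",
    0x800B0100: "TRUST_E_NOSIGNATURE (no Authenticode signature present)",
    0x80040154: "REGDB_E_CLASSNOTREG",
    0xC004F009: "SL_E_GRACE_TIME_EXPIRED",
}
HEX_RE = re.compile(r"0x[0-9A-Fa-f]{8}")
SYSTEMROOT = "C:\\Windows"   # assumption; read %SystemRoot% on the real machine


def decode_hresult(value):
    """Split an HRESULT: bit 31 = failure, bits 16-26 = facility, bits 0-15 = code."""
    value &= 0xFFFFFFFF
    facility = (value >> 16) & 0x7FF
    return {
        "hex": f"0x{value:08X}",
        "failed": bool(value >> 31),
        "facility": facility,
        "facility_name": FACILITIES.get(facility, f"facility {facility}"),
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "(not in table)"),
    }


def summarize(report):
    """Collect 'File Mismatch' entries with their decoded HRESULT and 'Tampered File' entries."""
    mismatches, tampered = [], []
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("File Mismatch:"):
            path = line[len("File Mismatch:"):].split("[", 1)[0].strip()
            hr = HEX_RE.findall(line)
            mismatches.append((path, decode_hresult(int(hr[-1], 16)) if hr else None))
        elif line.startswith("Tampered File:"):
            # first field is the file; the rest are related resources (MUI, COM registration)
            fields = line[len("Tampered File:"):].strip().split("|")
            tampered.append((fields[0].replace("%systemroot%", SYSTEMROOT), fields[1:]))
    return {"file_mismatches": mismatches, "tampered": tampered}


def files_to_verify(report):
    """Unique paths whose Authenticode signature should be checked next."""
    s = summarize(report)
    paths = {p for p, _ in s["file_mismatches"]} | {p for p, _ in s["tampered"]}
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for path, hr in summary["file_mismatches"]:
        print(f"{path}: {hr['hex']} {hr['facility_name']} code 0x{hr['code']:04X} {hr['name']}")
    for path, related in summary["tampered"]:
        print(f"tampered: {path} (+ {', '.join(related)})")
    print("verify signatures on:", *files_to_verify(SAMPLE_REPORT), sep="\n  ")
```

Feed the resulting paths to a signature check on the machine itself (Sysinternals `sigcheck`, or `Get-AuthenticodeSignature` in PowerShell) and compare the hashes with a clean install of the same build; `0x80070002` on the XP/Vista WGA entries is just "not installed" and can be ignored on Windows 7, whereas an unsigned `user32.dll.mui` or `sppcomapi.dll` cannot.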

  9. #9 ken545, Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Have you activated your copy of windows ?


    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

  10. #10 Junior Member (Join Date: Dec 2011, Posts: 6)

    ComboFix 11-12-27.01 - Jiahe 7/2011 Tue 16:46:57.4.2 - x64
    Microsoft Windows 7 Ultimate N 6.1.7600.0.936.86.1033.18.6143.3901 [GMT -8:00]
    Running from: c:\users\Jiahe\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    Error: Cfiles.dat
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-28 01:38 . 2011-12-28 01:38 -------- d-----w- c:\users\Xiujuan\AppData\Local\temp
    2011-12-28 01:38 . 2011-12-28 01:38 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-27 23:47 . 2011-12-27 23:49 -------- d-----w- C:\MGADiagToolOutput
    2011-12-26 21:39 . 2011-12-26 21:39 -------- d-----w- c:\programdata\Office Genuine Advantage
    2011-12-26 05:25 . 2011-12-26 05:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-26 05:25 . 2011-12-26 05:25 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2011-12-23 01:28 . 2011-12-23 01:28 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi
    2011-12-21 02:14 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-12-21 02:14 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-12-21 02:14 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-12-21 02:14 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-12-21 02:14 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-12-21 02:14 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
    2011-12-21 02:14 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-12-21 02:14 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2011-12-21 02:14 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2011-12-21 02:13 . 2011-12-21 02:13 -------- d-----w- c:\programdata\AVAST Software
    2011-12-21 02:13 . 2011-12-21 02:13 -------- d-----w- c:\program files\AVAST Software
    2011-12-20 01:42 . 2011-12-20 01:42 -------- d-----w- c:\program files (x86)\ESET
    2011-12-19 18:46 . 2011-12-27 21:01 4480 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-12-15 00:21 . 2011-10-26 05:19 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 00:21 . 2011-11-05 05:26 1197568 ----a-w- c:\windows\system32\wininet.dll
    2011-12-15 00:21 . 2011-11-05 04:35 981504 ----a-w- c:\windows\SysWow64\wininet.dll
    2011-12-15 00:21 . 2011-11-05 05:28 696600 ----a-w- c:\program files\Internet Explorer\iexplore.exe
    2011-12-15 00:21 . 2011-11-05 04:38 673048 ----a-w- c:\program files (x86)\Internet Explorer\iexplore.exe
    2011-12-15 00:21 . 2011-11-05 04:33 860672 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
    2011-12-07 05:00 . 2011-12-07 05:00 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-12-07 04:59 . 2011-12-07 04:59 -------- d-----w- c:\windows\system32\Macromed
    2011-12-02 01:41 . 2011-12-02 01:41 -------- d-----w- c:\users\Jiahe\AppData\Local\Skyrim
    2011-12-02 01:01 . 2011-12-02 01:42 -------- d-----w- c:\program files (x86)\The Elder Scrolls V Skyrim
    2011-11-30 04:42 . 2011-11-30 04:42 -------- d-----w- c:\users\Jiahe\AppData\Local\APN
    2011-11-30 04:41 . 2011-11-30 04:46 -------- d-----w- c:\program files (x86)\The KMPlayer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-15 07:19 . 2009-12-16 05:36 54867776 ----a-w- c:\windows\system32\T.exe
    2011-10-03 13:06 . 2011-02-12 01:33 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-09-29 16:24 . 2011-11-09 23:53 1897328 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-19_23.15.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-14 04:59 . 2011-12-27 20:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:59 . 2011-12-14 02:00 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:59 . 2011-12-14 02:00 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:59 . 2011-12-27 20:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:59 . 2011-12-14 02:00 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:59 . 2011-12-27 20:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-15 22:35 . 2011-12-27 21:12 70770 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:09 . 2011-12-27 21:12 44302 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-12-20 23:04 . 2011-12-27 21:12 30076 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2695929252-3145278133-2343186154-1003_UserData.bin
    + 2009-12-15 22:29 . 2011-12-26 18:06 18654 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2695929252-3145278133-2343186154-1000_UserData.bin
    - 2011-04-03 20:20 . 2009-03-19 00:35 33856 c:\windows\system32\hamachi.sys
    + 2011-04-03 20:20 . 2009-03-19 01:35 33856 c:\windows\system32\hamachi.sys
    + 2009-12-16 06:30 . 2011-12-27 20:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-12-16 06:30 . 2011-12-19 18:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:51 . 2011-12-26 21:39 95552 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2009-12-16 06:30 . 2011-12-19 18:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-12-16 06:30 . 2011-12-27 20:54 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-16 06:30 . 2011-12-19 18:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-16 06:30 . 2011-12-27 20:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-12-16 06:30 . 2011-12-19 19:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-16 06:30 . 2011-12-28 01:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-12-16 06:30 . 2011-12-19 19:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-16 06:30 . 2011-12-28 01:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-12-19 18:40 . 2011-12-19 18:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-27 20:54 . 2011-12-27 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-27 20:54 . 2011-12-27 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-12-19 18:40 . 2011-12-19 18:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-09-27 05:40 . 2011-12-27 06:50 671576 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2009-07-14 05:01 . 2011-12-19 18:24 362644 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-12-27 06:49 362644 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-12-23 01:27 . 2011-12-23 01:27 3819520 c:\windows\Installer\11c85.msi
    - 2009-07-14 02:34 . 2011-12-19 21:29 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2009-07-14 02:34 . 2011-12-27 21:07 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2011-12-20 06:59 . 2011-12-07 20:26 54867776 c:\windows\system32\MRT.exe
    + 2011-04-14 05:38 . 2011-12-27 06:49 37892622 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2695929252-3145278133-2343186154-1003-8192.dat
    + 2011-04-15 05:38 . 2011-12-27 06:50 43465536 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2695929252-3145278133-2343186154-1000-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "PPHIDPAD"="c:\winpenjr\Win32\pphidpad.exe" [2001-10-02 45056]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 336384]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-10 421736]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    "LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-16 1955208]
    .
    c:\users\Jiahe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
    Pandora.lnk - c:\program files (x86)\Pandora\Pandora.exe [2010-4-14 95232]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R3 ApolloProtect;ApolloProtect;c:\program files (x86)\FSSB\Apollo\Apollo.sys [x]
    R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 netr7364;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
    R3 tcphoc;tcphoc;c:\program files (x86)\Thunder Network\Thunder\XLDoctor\7.1.4.2104_1\Program\tcphoc.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-08-16 2329480]
    S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2009-10-16 1039872]
    S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [2009-10-17 29184]
    S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2009-08-14 517632]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 lvpepf64;Volume Adapter;c:\windows\system32\DRIVERS\lv302a64.sys [x]
    S3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\drivers\LVUSBS64.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 18:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    ‘计划任务’ 文件夹 里的内容
    .
    2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2695929252-3145278133-2343186154-1000Core.job
    - c:\users\Xiujuan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-29 02:52]
    .
    2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2695929252-3145278133-2343186154-1000UA.job
    - c:\users\Xiujuan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-29 02:52]
    .
    2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2695929252-3145278133-2343186154-1003Core1cc062b7133d26b.job
    - c:\users\Jiahe\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-13 00:25]
    .
    2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2695929252-3145278133-2343186154-1003UA1cc20193d23e37b.job
    - c:\users\Jiahe\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-13 00:25]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lxdxmon.exe"="c:\program files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe" [2009-10-26 672424]
    "EzPrint"="c:\program files (x86)\Lexmark 3600-4600 Series\ezprint.exe" [2009-10-26 107176]
    .
    ------- 而外的扫描 -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.xunlei.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    LSP: c:\windows\system32\ikutm.dll
    DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} - hxxp://game-web.qq.com/client/QQGame2.cab
    DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
    FF - ProfilePath - c:\users\Jiahe\AppData\Roaming\Mozilla\Firefox\Profiles\o83ynecc.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2695929252-3145278133-2343186154-1003\Software\SecuROM\License information*]
    "datasecu"=hex:a9,e7,38,0e,41,44,c3,4e,c5,82,46,07,e2,f0,b1,20,f0,0e,de,c8,4a,
    b4,7e,dc,64,f6,d9,16,63,b8,af,3e,91,b4,29,0e,a6,5a,f8,27,f0,dc,8c,17,fa,3b,\
    "rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AudioCD\shell\O(uQ*Q*q_髼璬>e\command]
    @="\"c:\\Program Files (x86)\\Tencent\\QQPlayer\\QQPlayer.exe\" /disk \"%1\""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DVD\shell\O(uQ*Q*q_髼璬>e\command]
    @="\"c:\\Program Files (x86)\\Tencent\\QQPlayer\\QQPlayer.exe\" /disk \"%1\""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\3*D*Kb橯迯{媠]
    "DisplayName"="3D手写连笔王"
    "UninstallString"="c:\\WINPENJR\\UNWISE.EXE c:\\WINPENJR\\INSTALL.LOG"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Q*Q*8nb]
    "DisplayName"="QQ游戏"
    "UninstallString"="d:\\Program Files (x86)\\腾讯游戏\\QQGAME\\Uninstall.EXE"
    "Publisher"="腾讯公司"
    "DisplayIcon"="d:\\Program Files (x86)\\腾讯游戏\\QQGAME\\QQGame.EXE"
    "DisplayVersion"="2.5.102.31"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    完成时间: 2011-12-27 17:58:06
    ComboFix-quarantined-files.txt 2011-12-28 01:57
    ComboFix2.txt 2011-12-20 23:40
    ComboFix3.txt 2011-12-20 01:23
    ComboFix4.txt 2011-12-19 23:33
    .
    Pre-Run: 53,023,784,960 bytes free
    Post-Run: 52,952,182,784 bytes free
    .
    - - End Of File - - C104A0ADC403C01E14C22729F6DEABA5