consrv.dll and jraid.dll have been found infected by tr/atraps.Gen & Google keeps redirecting

Hi guys,

Few days ago, my AV popped up and said my computer have been infected by Tr/atraps.Gen2 and I've runned a system scan and detected consrv.dll and Jraid.dll as trogens and removed them. After that I rebooted the machine and the machine boot loops. If I run a system repair, it brings the machine back to System restore point. I've tried several other AVs, such as AVG and avira, but the results are the same. And when i follow the instruction in http://www.bleepingcomputer.com/forums/topic34773.html , i just found out that im not able to enable my firewall.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by peterchen at 21:34:02 on 2012-05-09
Microsoft Windows 7 Ultimate 6.1.7601.1.936.86.1033.18.1783.244 [GMT 8:00]
.
AV: 360杀毒 *Disabled/Updated* {A0FD413B-F662-C08C-7B21-F57CED225A55}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\SysWOW64\svchost -k XLServicePlatform
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe
C:\Program Files (x86)\360\360Safe\safemon\360tray.exe
C:\Users\peterchen\AppData\Local\360Chrome\Chrome\Application\360chrome.exe
C:\Users\peterchen\AppData\Local\360Chrome\Chrome\Application\360chrome.exe
C:\Users\peterchen\AppData\Local\360Chrome\Chrome\Application\360chrome.exe
C:\Users\peterchen\AppData\Local\360Chrome\Chrome\Application\360chrome.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
E:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.116_1111\thunderplatform.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0c09&m=eme732&r=27361210g216l04e3z1l5r4711t398
uWindow Title = Windows Internet Explorer
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0c09&m=eme732&r=27361210g216l04e3z1l5r4711t398
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: 迅雷FLV视频嗅探及下载支持: {0ea37b17-6b8b-4085-8257-f3a4aa69c27a} - e:\Program Files (x86)\Thunder Network\Thunder\BHO\XlBrowserAddin1.0.6.69.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: 迅雷下载支持: {889d2feb-5411-4565-8998-1dd2c5261283} - e:\Program Files (x86)\Thunder Network\Thunder\BHO\XunleiBHO7.2.5.3364.dll
BHO: SafeMon Class: {b69f34dd-f0f9-42dc-9edd-957187da688d} - C:\Program Files (x86)\360\360Safe\safemon\safemon.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [360Safetray] "C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe" /start
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: OldEnableShellExecuteHooks = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableUIPI = 1 (0x1)
IE: &使用&迅雷下载 - e:\Program Files (x86)\Thunder Network\Thunder\BHO\geturl.htm
IE: &使用&迅雷下载全部链接 - e:\Program Files (x86)\Thunder Network\Thunder\BHO\GetAllUrl.htm
IE: &使用&迅雷离线下载 - e:\Program Files (x86)\Thunder Network\Thunder\BHO\OfflineDownload.htm
IE: 导出到 Microsoft Excel(&X) - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {0A155D3C-68E2-4215-A47A-E800A446447A}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: taobao.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {9FAFB576-6933-4CCC-AB3D-B988EC43D04E} - hxxp://rsdownload.rising.com.cn/rs2010/online/ravolctl.cab
DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} - hxxps://online.westpac.com.au/wtpbs/wtBalanceSheet/portfoliomanagerwt.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{FAE6364B-2EEE-48CD-9479-3E2AE8299399} : DhcpNameServer = 10.0.0.138
TCP: Interfaces\{FFE84B19-21BA-4129-B491-80CA1A275FB7} : DhcpNameServer = 10.1.1.1
TCP: Interfaces\{FFE84B19-21BA-4129-B491-80CA1A275FB7}\24967605F6E646131453935413 : DhcpNameServer = 10.0.0.138
TCP: Interfaces\{FFE84B19-21BA-4129-B491-80CA1A275FB7}\24967605F6E646939333549313 : DhcpNameServer = 10.0.0.138
TCP: Interfaces\{FFE84B19-21BA-4129-B491-80CA1A275FB7}\960586F6E656 : DhcpNameServer = 10.143.147.147 10.143.147.148
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - e:\PROGRA~1\KuGou7\KUGOO3~1.OCX
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - e:\PROGRA~1\KuGou7\KUGOO3~1.OCX
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: 迅雷FLV视频嗅探及下载支持: {0EA37B17-6B8B-4085-8257-F3A4AA69C27A} - e:\Program Files (x86)\Thunder Network\Thunder\BHO\XlBrowserAddin1.0.6.69.dll
BHO-X64: XlBrowserAddinBho.XlBrowserAddinBhoObject - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: 迅雷下载支持: {889D2FEB-5411-4565-8998-1DD2C5261283} - e:\Program Files (x86)\Thunder Network\Thunder\BHO\XunleiBHO7.2.5.3364.dll
BHO-X64: XunleiBHO - No File
BHO-X64: SafeMon Class: {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program Files (x86)\360\360Safe\safemon\safemon.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [360Safetray] "C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe" /start
IE-X64: {0A155D3C-68E2-4215-A47A-E800A446447A}
.
============= SERVICES / DRIVERS ===============
.
R1 360AntiHacker;360Safe Anti Hacker Service;C:\Windows\system32\Drivers\360AntiHacker64.sys --> C:\Windows\system32\Drivers\360AntiHacker64.sys [?]
R1 360Box64;360Box mini-filter driver;C:\Windows\system32\DRIVERS\360Box64.sys --> C:\Windows\system32\DRIVERS\360Box64.sys [?]
R1 360FsFlt;360FsFlt mini-filter driver;C:\Windows\system32\DRIVERS\360FsFlt.sys --> C:\Windows\system32\DRIVERS\360FsFlt.sys [?]
R1 360netmon;360netmon;C:\Windows\system32\DRIVERS\360netmon.sys --> C:\Windows\system32\DRIVERS\360netmon.sys [?]
R1 BAPIDRV;BAPIDRV;C:\Windows\system32\Drivers\BAPIDRV64.SYS --> C:\Windows\system32\Drivers\BAPIDRV64.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-7-26 321104]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [2010-9-19 868896]
R2 GREGService;GREGService;C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [2010-1-8 23584]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-7-26 13336]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-9-19 2320920]
R2 XLServicePlatform;XLServicePlatform;C:\Windows\system32\svchost -k XLServicePlatform --> C:\Windows\system32\svchost -k XLServicePlatform [?]
R2 ZhuDongFangYu;主动防御;C:\Program Files (x86)\360\360Safe\deepscan\ZhuDongFangYu.exe [2012-4-19 276312]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-29 257696]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\system32\drivers\AmUStor.SYS --> C:\Windows\system32\drivers\AmUStor.SYS [?]
S3 androidusb;ADB Interface Driver;C:\Windows\system32\Drivers\androidusb.sys --> C:\Windows\system32\Drivers\androidusb.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TesSafe;TesSafe;\??\C:\Windows\system32\TesSafe.sys --> C:\Windows\system32\TesSafe.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2010-7-26 243232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 zghsmdm;ZTE General Handset USB Modem Proprietary;C:\Windows\system32\DRIVERS\zghsmdm.sys --> C:\Windows\system32\DRIVERS\zghsmdm.sys [?]
.
=============== File Associations ===============
.
chm.file="hh.exe" %1
inifile=C:\Windows\SysWow64\NOTEPAD.EXE %1
txtfile=C:\Windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2012-05-09 12:48:10 -------- d-----w- C:\Users\peterchen\AppData\Local\360Chrome
2012-05-09 12:41:15 -------- d-----w- C:\Users\peterchen\AppData\Roaming\360Desktop
2012-05-09 12:22:21 49512 ----a-w- C:\Windows\System32\drivers\360AntiHacker64.sys
2012-05-09 12:22:21 355928 ----a-w- C:\Windows\System32\drivers\360FsFlt.sys
2012-05-09 12:22:20 -------- d-sh--r- C:\360SANDBOX
2012-05-09 12:22:19 285024 ----a-w- C:\Windows\System32\drivers\360Box64.sys
2012-05-09 12:22:17 146776 ----a-w- C:\Windows\SysWow64\360SoftMgr.cpl
2012-05-09 12:22:16 59992 ----a-w- C:\Windows\System32\drivers\360netmon.sys
2012-05-09 12:22:13 -------- d-----w- C:\Users\peterchen\AppData\Roaming\360safe
2012-05-09 12:19:02 -------- d-----w- C:\Users\peterchen\AppData\Roaming\360inst
2012-05-09 10:51:32 -------- d-----w- C:\Users\peterchen\AppData\Local\AVG Secure Search
2012-05-09 10:51:02 -------- d-----w- C:\ProgramData\AVG Secure Search
2012-05-09 10:50:54 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search
2012-05-09 10:50:53 -------- d-----w- C:\Program Files (x86)\AVG Secure Search
2012-05-09 10:50:40 -------- d--h--w- C:\ProgramData\Common Files
2012-05-09 10:50:31 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2012-05-09 10:45:40 -------- d--h--w- C:\$AVG
2012-05-09 10:45:38 -------- d-----w- C:\ProgramData\AVG2012
2012-05-09 10:41:33 -------- d-----w- C:\Program Files (x86)\AVG
2012-05-09 10:32:46 -------- d-----w- C:\ProgramData\MFAData
2012-05-09 07:40:49 -------- d-sh--w- C:\KRECYCLE
2012-05-09 07:34:42 -------- d-----w- C:\Program Files (x86)\Rising
2012-05-09 07:32:07 -------- d-----w- C:\Program Files (x86)\kingsoft
2012-05-09 07:28:32 608448 ----a-w- C:\Windows\SysWow64\COMCTL32.OCX
2012-05-09 07:28:31 260096 ----a-w- C:\Windows\SysWow64\RICHTX32.OCX
2012-05-09 07:28:31 211968 ----a-w- C:\Windows\SysWow64\TABCTL32.OCX
2012-05-09 07:28:31 117248 ----a-w- C:\Windows\SysWow64\MSINET.OCX
2012-05-09 07:28:31 110592 ----a-w- C:\Windows\SysWow64\MSWINSCK.OCX
2012-05-07 09:58:22 -------- d-sh--w- C:\found.001
2012-05-07 05:15:23 -------- d-----w- C:\Program Files (x86)\Avira
2012-05-07 05:03:33 171360 ----a-w- C:\Windows\System32\drivers\BAPIDRV64.SYS
2012-05-06 17:35:51 -------- d-----w- C:\Users\peterchen\AppData\Roaming\360SuperKiller
2012-05-06 08:30:36 -------- d-----w- C:\Users\peterchen\AppData\Roaming\Ylic
2012-05-06 08:30:34 -------- d-----w- C:\Users\peterchen\AppData\Roaming\Ukusa
2012-05-06 08:30:22 -------- d-----w- C:\Users\peterchen\AppData\Roaming\Ralonal
2012-05-06 08:30:22 -------- d-----w- C:\Users\peterchen\AppData\Roaming\Ataslup
2012-05-06 08:20:14 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-05-06 08:19:04 -------- d-----we C:\Windows\system64
2012-05-06 04:28:04 -------- d-----w- C:\Users\peterchen\AppData\Roaming\GarenaPlus
2012-05-06 04:18:32 -------- d-----w- C:\ProgramData\GarenaMessenger
2012-04-28 18:13:19 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2012-04-21 19:29:32 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{582CF93F-42F8-4097-AF13-E8BB86DC54AC}\offreg.dll
2012-04-21 12:58:31 -------- d-----w- C:\Program Files (x86)\Enigma Software Group
2012-04-21 12:58:09 -------- d-----w- C:\Windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-04-21 12:56:30 -------- d-----w- C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2012-04-21 10:54:50 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{582CF93F-42F8-4097-AF13-E8BB86DC54AC}\mpengine.dll
2012-04-21 10:04:32 -------- d-----w- C:\ProgramData\PC Tools
2012-04-21 09:33:11 -------- d-----w- C:\sh4ldr
2012-04-21 09:33:11 -------- d-----w- C:\Program Files\Enigma Software Group
2012-04-21 09:32:57 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2012-04-21 08:16:09 120600 ----a-w- C:\Windows\SysWow64\xunyount.dll
2012-04-17 19:29:34 -------- d-----w- C:\Program Files (x86)\Common Files\PPLiveNetwork
2012-04-11 01:58:41 -------- d-----w- C:\ProgramData\Windows
2012-04-11 01:28:22 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-11 01:28:22 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-11 01:28:21 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-11 01:11:44 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-11 01:11:42 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-11 01:11:41 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-11 01:11:34 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-11 01:11:34 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-11 01:11:33 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-11 01:11:33 5120 ----a-w- C:\Windows\System32\wmi.dll
.
==================== Find3M ====================
.
2012-05-06 07:01:01 163920 ----a-w- C:\Windows\System32\TesSafe.sys
2012-05-06 03:50:57 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-06 03:50:57 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-23 02:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-17 06:38:27 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
.
============= FINISH: 21:36:01.20 ===============

Hi strikerchen,

Welcome to the forum. We will remove this infection.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]

Hi,

I've done what u said and I do get this log.

Here is the log:

Scan result of Farbar Recovery Scan Tool Version: 09-05-2012
Ran by SYSTEM at 10-05-2012 12:39:05
Running from H:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2097960 2010-04-22] (Synaptics Incorporated)
HKLM\...\Run: [Acer ePower Management] C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe [861216 2010-06-11] (Acer Incorporated)
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324608 2010-06-09] (Alcor Micro Corp.)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11046504 2010-07-13] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [168216 2011-05-08] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [392472 2011-05-08] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [416024 2011-05-08] (Intel Corporation)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [968272 2010-06-21] (Dritek System Inc.)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [360Safetray] "C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe" /start [864856 2012-03-30] (360.cn)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.1.1.1
SubSystems: [Windows] ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ======

2 DsiWMIService; C:\Program Files (x86)\Launch Manager\dsiwmis.exe [321104 2010-06-21] (Dritek System Inc.)
2 ePowerSvc; C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [868896 2010-06-11] (Acer Incorporated)
2 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
2 IAStorDataMgrSvc; "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe" [13336 2010-03-03] (Intel Corporation)
2 issuser; C:\Windows\System32\JRAID.dll [6656 2009-07-13] (Oak Technology Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-02-02] (Intel Corporation)
3 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [243232 2010-01-28] (Acer Group)
2 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [87728 2012-01-04] (ShenZhen Xunlei Networking Technologies,LTD)
2 ZhuDongFangYu; "C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe" [276312 2012-04-19] (360.cn)

========================== Drivers (Whitelisted) =============

1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [49512 2012-04-09] (360.cn)
1 360Box64; C:\Windows\System32\Drivers\360Box64.sys [285024 2012-03-16] (360????)
1 360FsFlt; C:\Windows\System32\Drivers\360FsFlt.sys [355928 2012-03-08] (360.cn)
1 360netmon; C:\Windows\System32\Drivers\360netmon.sys [59992 2012-01-31] (360.cn)
3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [38424 2010-10-17] (Google Inc)
1 BAPIDRV; C:\Windows\System32\Drivers\BAPIDRV64.SYS [171360 2011-12-05] (360.cn)
0 BC; C:\Windows\SysWow64\Drivers\BC.sys [24984 2010-11-10] (Kingsoft Corporation)
3 ComputerZ_x64; C:\Windows\SysWow64\Drivers\ComputerZ_x64.sys [23912 2011-11-30] (360.cn)
3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [12228128 2011-04-14] (Intel Corporation)
3 NTIDrvr; C:\Windows\System32\Drivers\NTIDrvr.sys [18432 2010-04-19] (NTI Corporation)
3 tap0901; C:\Windows\System32\Drivers\tap0901.sys [31232 2011-03-20] (The OpenVPN Project)
3 TesSafe; \??\C:\Windows\system32\TesSafe.sys [163920 2012-05-09] (TENCENT)
3 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [17408 2010-07-08] (NTI Corporation)
3 UsbserFilt; C:\Windows\System32\DRIVERS\usbser_lowerfltjx64.sys [9216 2010-07-29] (Nokia)
3 zghsmdm; C:\Windows\System32\Drivers\zghsmdm.sys [122624 2011-01-12] (ZTE Incorporated)
3 ApolloProtect; \??\e:\Program Files (x86)\T2CN\????\Apollo\Apollo.sys [x]
3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
3 esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [x]
3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [x]
3 ksfmonsys; \??\e:\Program Files (x86)\KSafe\ksfmonsys64.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 TcHardWare; \??\e:\Program Files (x86)\Tencent\QQPCMgr\QQPCHW.sys [x]
3 tcphoc; \??\E:\Program Files (x86)\Thunder Network\Thunder\XLDoctor\7.1.3.2044_1\Program\tcphoc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]
3 X6va005; \??\C:\Users\PETERC~1\AppData\Local\Temp\0053ADF.tmp [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: issuser

============ One Month Created Files and Folders ==============

2012-05-10 12:38 - 2012-05-10 12:39 - 0000000 ____D C:\FRST
2012-05-09 05:37 - 2012-05-09 05:37 - 0019600 ____A C:\Users\peterchen\Desktop\DDS.txt
2012-05-09 05:37 - 2012-05-09 05:37 - 0014130 ____A C:\Users\peterchen\Desktop\Attach.txt
2012-05-09 05:33 - 2012-05-09 05:31 - 0607260 ____R (Swearware) C:\Users\peterchen\Desktop\dds.scr
2012-05-09 05:30 - 2012-05-09 05:31 - 0607260 ____R (Swearware) C:\Users\peterchen\Downloads\dds.scr
2012-05-09 05:29 - 2012-05-09 05:29 - 0000480 ____A C:\Users\peterchen\Desktop\defogger_disable.log
2012-05-09 05:29 - 2012-05-09 05:29 - 0000000 ____A C:\Users\peterchen\defogger_reenable
2012-05-09 05:26 - 2012-05-09 05:26 - 0050477 ____A C:\Users\peterchen\Desktop\Defogger.exe
2012-05-09 04:48 - 2012-05-09 04:48 - 0002400 ____A C:\Users\peterchen\Desktop\360Chrome.lnk
2012-05-09 04:48 - 2012-05-09 04:48 - 0000000 ____D C:\Users\peterchen\AppData\Local\360Chrome
2012-05-09 04:41 - 2012-05-09 04:49 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360Desktop
2012-05-09 04:33 - 2012-05-09 04:33 - 0000000 ____D C:\Windows\Tasks\360Disabled
2012-05-09 04:22 - 2012-05-09 20:28 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360safe
2012-05-09 04:22 - 2012-05-09 04:22 - 0000000 _RSHD C:\360SANDBOX
2012-05-09 04:22 - 2012-04-09 03:32 - 0049512 ____A (360.cn) C:\Windows\System32\Drivers\360AntiHacker64.sys
2012-05-09 04:22 - 2012-03-16 03:38 - 0285024 ____A (360????) C:\Windows\System32\Drivers\360Box64.sys
2012-05-09 04:22 - 2012-03-08 00:01 - 0355928 ____A (360.cn) C:\Windows\System32\Drivers\360FsFlt.sys
2012-05-09 04:22 - 2012-01-31 01:48 - 0059992 ____A (360.cn) C:\Windows\System32\Drivers\360netmon.sys
2012-05-09 04:22 - 2011-11-11 03:31 - 0146776 ____A (360.cn) C:\Windows\SysWOW64\360SoftMgr.cpl
2012-05-09 04:21 - 2012-05-09 04:49 - 0002138 ____A C:\Users\peterchen\Desktop\360????.lnk
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\Users\peterchen\AppData\Local\AVG Secure Search
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\Users\All Users\AVG Secure Search
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\ProgramData\AVG Secure Search
2012-05-09 02:50 - 2012-05-09 20:03 - 0000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-05-09 02:50 - 2012-05-09 20:02 - 0000000 ____D C:\Windows\SysWOW64\Drivers\AVG
2012-05-09 02:45 - 2012-05-09 20:02 - 0000000 ____D C:\Users\All Users\AVG2012
2012-05-09 02:45 - 2012-05-09 20:02 - 0000000 ____D C:\ProgramData\AVG2012
2012-05-09 02:45 - 2012-05-09 02:45 - 0000000 ___HD C:\$AVG
2012-05-09 02:41 - 2012-05-09 19:59 - 0000000 ____D C:\Program Files (x86)\AVG
2012-05-09 02:32 - 2012-05-09 20:00 - 0000000 ____D C:\Users\All Users\MFAData
2012-05-09 02:32 - 2012-05-09 20:00 - 0000000 ____D C:\ProgramData\MFAData
2012-05-09 02:26 - 2012-05-09 02:26 - 3877872 ____A (AVG Technologies) C:\Users\peterchen\Desktop\avg_free_stb_all_2012_2171_cnet.exe
2012-05-08 23:40 - 2012-05-08 23:40 - 0000000 __SHD C:\KRECYCLE
2012-05-08 23:34 - 2012-05-08 23:34 - 0000000 ____D C:\Program Files (x86)\Rising
2012-05-08 23:32 - 2012-05-08 23:32 - 0000000 ____D C:\Program Files (x86)\kingsoft
2012-05-08 23:28 - 2001-01-16 15:01 - 0260096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RICHTX32.OCX
2012-05-08 23:28 - 2000-12-05 08:00 - 0211968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\TABCTL32.OCX
2012-05-08 23:28 - 2000-12-05 08:00 - 0110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSWINSCK.OCX
2012-05-08 23:28 - 2000-05-22 00:58 - 0608448 ____A (Microsoft Corporation) C:\Windows\SysWOW64\COMCTL32.OCX
2012-05-08 23:28 - 2000-05-21 08:00 - 0117248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSINET.OCX
2012-05-08 23:20 - 2012-05-08 23:20 - 0000000 ____A C:\Users\All Users\rebootpending.txt
2012-05-08 23:20 - 2012-05-08 23:20 - 0000000 ____A C:\ProgramData\rebootpending.txt
2012-05-07 01:58 - 2012-05-07 01:58 - 0000000 __SHD C:\found.001
2012-05-06 21:15 - 2012-05-09 19:59 - 0000000 ____D C:\Program Files (x86)\Avira
2012-05-06 21:03 - 2011-12-05 00:07 - 0171360 ____A (360.cn) C:\Windows\System32\Drivers\BAPIDRV64.SYS
2012-05-06 09:35 - 2012-05-06 09:35 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360SuperKiller
2012-05-06 03:46 - 2012-05-06 03:46 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_User_wpdcomp_01_09_00.Wdf
2012-05-06 00:31 - 2012-05-09 07:00 - 0000342 ____A C:\Windows\Tasks\At48.job
2012-05-06 00:31 - 2012-05-09 06:00 - 0000342 ____A C:\Windows\Tasks\At47.job
2012-05-06 00:31 - 2012-05-09 05:00 - 0000342 ____A C:\Windows\Tasks\At46.job
2012-05-06 00:31 - 2012-05-09 02:00 - 0000342 ____A C:\Windows\Tasks\At43.job
2012-05-06 00:31 - 2012-05-09 01:00 - 0000342 ____A C:\Windows\Tasks\At42.job
2012-05-06 00:31 - 2012-05-09 00:00 - 0000342 ____A C:\Windows\Tasks\At41.job
2012-05-06 00:31 - 2012-05-08 11:00 - 0000342 ____A C:\Windows\Tasks\At28.job
2012-05-06 00:31 - 2012-05-06 21:00 - 0000342 ____A C:\Windows\Tasks\At38.job
2012-05-06 00:31 - 2012-05-06 04:00 - 0000342 ____A C:\Windows\Tasks\At45.job
2012-05-06 00:31 - 2012-05-06 03:00 - 0000342 ____A C:\Windows\Tasks\At44.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At40.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At39.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At37.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At36.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At35.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At34.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At33.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At32.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At31.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At30.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At29.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At27.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At26.job
2012-05-06 00:30 - 2012-05-09 07:00 - 0000340 ____A C:\Windows\Tasks\At24.job
2012-05-06 00:30 - 2012-05-09 06:03 - 0000340 ____A C:\Windows\Tasks\At23.job
2012-05-06 00:30 - 2012-05-09 05:00 - 0000340 ____A C:\Windows\Tasks\At22.job
2012-05-06 00:30 - 2012-05-09 02:00 - 0000340 ____A C:\Windows\Tasks\At19.job
2012-05-06 00:30 - 2012-05-09 01:00 - 0000340 ____A C:\Windows\Tasks\At18.job
2012-05-06 00:30 - 2012-05-09 00:00 - 0000340 ____A C:\Windows\Tasks\At17.job
2012-05-06 00:30 - 2012-05-08 11:00 - 0000340 ____A C:\Windows\Tasks\At4.job
2012-05-06 00:30 - 2012-05-06 21:00 - 0000340 ____A C:\Windows\Tasks\At14.job
2012-05-06 00:30 - 2012-05-06 12:10 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ylic
2012-05-06 00:30 - 2012-05-06 11:02 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ukusa
2012-05-06 00:30 - 2012-05-06 11:02 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ataslup
2012-05-06 00:30 - 2012-05-06 04:00 - 0000340 ____A C:\Windows\Tasks\At21.job
2012-05-06 00:30 - 2012-05-06 03:00 - 0000340 ____A C:\Windows\Tasks\At20.job
2012-05-06 00:30 - 2012-05-06 02:33 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ralonal
2012-05-06 00:30 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At25.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At9.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At8.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At7.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At6.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At5.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At3.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At2.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At16.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At15.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At13.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At12.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At11.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At10.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At1.job
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default User\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:20 - 2012-05-09 20:21 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-06 00:19 - 2012-05-06 00:19 - 0000000 ____D C:\Windows\system64
2012-05-05 20:28 - 2012-05-07 12:21 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\GarenaPlus
2012-05-05 20:18 - 2012-05-07 12:21 - 0000000 ____D C:\Users\All Users\GarenaMessenger
2012-05-05 20:18 - 2012-05-07 12:21 - 0000000 ____D C:\ProgramData\GarenaMessenger
2012-04-29 07:12 - 2012-04-29 07:12 - 0000000 ____D C:\Users\peterchen\Desktop\LOLBox
2012-04-28 10:13 - 2012-04-28 10:12 - 0525544 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-04-28 10:13 - 2012-04-28 10:12 - 0191264 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-04-28 10:13 - 2012-04-28 10:12 - 0172320 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-04-28 10:13 - 2012-04-28 10:12 - 0172320 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-04-28 10:12 - 2012-04-28 10:12 - 0000000 ____D C:\Program Files\Java
2012-04-27 04:51 - 2012-04-27 04:51 - 0000795 ____A C:\Users\Public\Desktop\QQ??.lnk
2012-04-23 19:12 - 2012-05-06 11:36 - 0000262 ____A C:\spyhunter.log
2012-04-23 11:13 - 2012-05-06 03:38 - 0010569 ____A C:\sh4_service.log
2012-04-21 04:58 - 2012-05-09 02:09 - 0000000 ____D C:\Program Files (x86)\Enigma Software Group
2012-04-21 04:58 - 2012-04-21 04:58 - 0000000 ____D C:\Windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-04-21 04:58 - 2012-04-21 04:58 - 0000000 ____A C:\autoexec.bat
2012-04-21 04:56 - 2012-05-09 04:13 - 0000000 ____D C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2012-04-21 02:32 - 2012-04-21 02:32 - 0000412 ____A C:\rkill.log
2012-04-21 02:04 - 2012-04-21 05:31 - 0000000 ____D C:\Users\All Users\PC Tools
2012-04-21 02:04 - 2012-04-21 05:31 - 0000000 ____D C:\ProgramData\PC Tools
2012-04-21 01:33 - 2012-05-06 21:18 - 0000000 ____D C:\sh4ldr
2012-04-21 01:33 - 2012-04-21 01:33 - 0000000 ____D C:\Program Files\Enigma Software Group
2012-04-21 01:29 - 2012-04-21 02:28 - 0073556 ____A C:\Windows\ntbtlog.txt
2012-04-21 00:16 - 2012-04-07 01:46 - 0120600 ____A (????????????) C:\Windows\SysWOW64\xunyount.dll
2012-04-15 21:04 - 2012-05-06 03:06 - 0015041 ____A C:\Users\peterchen\Desktop\???.docx
2012-04-12 05:50 - 2012-04-12 05:51 - 0000000 ____D C:\Users\peterchen\Desktop\uni doc
2012-04-10 17:28 - 2012-03-05 22:53 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-10 17:28 - 2012-03-05 21:59 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-04-10 17:28 - 2012-03-05 21:59 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-10 17:21 - 2012-02-27 23:34 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-04-10 17:21 - 2012-02-27 23:02 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-04-10 17:21 - 2012-02-27 22:56 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-04-10 17:21 - 2012-02-27 22:50 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-04-10 17:21 - 2012-02-27 22:49 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-04-10 17:21 - 2012-02-27 22:48 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-04-10 17:21 - 2012-02-27 22:48 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-04-10 17:21 - 2012-02-27 22:47 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-04-10 17:21 - 2012-02-27 22:45 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-04-10 17:21 - 2012-02-27 22:43 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-04-10 17:21 - 2012-02-27 22:43 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-04-10 17:21 - 2012-02-27 22:42 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-04-10 17:21 - 2012-02-27 22:39 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-04-10 17:21 - 2012-02-27 17:52 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-04-10 17:21 - 2012-02-27 17:27 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-04-10 17:21 - 2012-02-27 17:18 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-04-10 17:21 - 2012-02-27 17:12 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-04-10 17:21 - 2012-02-27 17:11 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-04-10 17:21 - 2012-02-27 17:11 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-04-10 17:21 - 2012-02-27 17:09 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-04-10 17:21 - 2012-02-27 17:08 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-04-10 17:21 - 2012-02-27 17:06 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-04-10 17:21 - 2012-02-27 17:04 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-04-10 17:21 - 2012-02-27 17:03 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-04-10 17:21 - 2012-02-27 17:03 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-04-10 17:21 - 2012-02-27 16:59 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-04-10 17:11 - 2012-02-29 22:46 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-04-10 17:11 - 2012-02-29 22:38 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-04-10 17:11 - 2012-02-29 22:33 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-04-10 17:11 - 2012-02-29 22:28 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-04-10 17:11 - 2012-02-29 21:37 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-04-10 17:11 - 2012-02-29 21:33 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-04-10 17:11 - 2012-02-29 21:29 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll

============ 3 Months Modified Files and Folders =============

2012-05-10 12:39 - 2012-05-10 12:38 - 0000000 ____D C:\FRST
2012-05-09 20:32 - 2011-04-19 15:52 - 1391294 ____A C:\Windows\WindowsUpdate.log
2012-05-09 20:29 - 2011-06-18 01:37 - 0355328 ____A C:\Windows\System32\prfh0804.dat
2012-05-09 20:29 - 2011-06-18 01:37 - 0101428 ____A C:\Windows\System32\prfc0804.dat
2012-05-09 20:29 - 2009-07-13 21:13 - 1169296 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-09 20:29 - 2009-07-13 20:45 - 0028928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-09 20:29 - 2009-07-13 20:45 - 0028928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-09 20:28 - 2012-05-09 04:22 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360safe
2012-05-09 20:27 - 2012-04-08 17:32 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360mobilemgr
2012-05-09 20:27 - 2010-12-03 02:41 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\PPStream
2012-05-09 20:21 - 2012-05-06 00:20 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-09 20:20 - 2011-08-11 23:37 - 0062042 ____A C:\Windows\setupact.log
2012-05-09 20:20 - 2010-09-18 20:32 - 1402060800 __ASH C:\hiberfil.sys
2012-05-09 20:20 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-09 20:03 - 2012-05-09 02:50 - 0000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-05-09 20:03 - 2011-12-28 20:08 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360Login
2012-05-09 20:03 - 2010-12-03 03:20 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360se
2012-05-09 20:02 - 2012-05-09 02:50 - 0000000 ____D C:\Windows\SysWOW64\Drivers\AVG
2012-05-09 20:02 - 2012-05-09 02:45 - 0000000 ____D C:\Users\All Users\AVG2012
2012-05-09 20:02 - 2012-05-09 02:45 - 0000000 ____D C:\ProgramData\AVG2012
2012-05-09 20:01 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-05-09 20:00 - 2012-05-09 02:32 - 0000000 ____D C:\Users\All Users\MFAData
2012-05-09 20:00 - 2012-05-09 02:32 - 0000000 ____D C:\ProgramData\MFAData
2012-05-09 20:00 - 2011-10-10 20:27 - 0000000 ____D C:\Windows\System32\SPReview
2012-05-09 20:00 - 2011-10-10 20:27 - 0000000 ____D C:\Windows\System32\EventProviders
2012-05-09 20:00 - 2011-06-18 01:34 - 0000000 ____D C:\Windows\SysWOW64\XPSViewer
2012-05-09 20:00 - 2011-03-19 17:18 - 0000000 ____D C:\Windows\System32\Macromed
2012-05-09 20:00 - 2010-09-18 21:29 - 0000000 ____D C:\Windows\NAPP_Dism_Log
2012-05-09 20:00 - 2010-07-25 18:20 - 0000000 ____D C:\Windows\SysWOW64\Macromed
2012-05-09 20:00 - 2010-07-25 18:13 - 0000000 ____D C:\Windows\oem
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\winrm
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\WCN
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\slmgr
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\winrm
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\WCN
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\slmgr
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\Printing_Admin_Scripts
2012-05-09 20:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\SysWOW64\WindowsPowerShell
2012-05-09 20:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\WindowsPowerShell
2012-05-09 20:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\WinBioPlugIns
2012-05-09 20:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Performance
2012-05-09 20:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-05-09 20:00 - 2009-07-13 20:45 - 0000000 ____D C:\Windows\Setup
2012-05-09 20:00 - 2009-07-13 20:45 - 0000000 ____D C:\Windows\ServiceProfiles
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 __RSD C:\Windows\Media
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Web
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Vss
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\zh-CN
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\spp
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Speech
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\NetworkList
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\MUI
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Msdtc
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\migwiz
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\InstallShield
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\IME
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Dism
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\com
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\zh-CN
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\sysprep
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\spp
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\spool
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Speech
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\SMI
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\oobe
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NetworkList
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\MUI
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Msdtc
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\migwiz
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\IME
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Dism
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\com
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Speech
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\servicing
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\security
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\schemas
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Resources
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PolicyDefinitions
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PLA
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\IME
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Help
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Globalization
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Branding
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-05-09 19:59 - 2012-05-09 02:41 - 0000000 ____D C:\Program Files (x86)\AVG
2012-05-09 19:59 - 2012-05-06 21:15 - 0000000 ____D C:\Program Files (x86)\Avira
2012-05-09 19:59 - 2011-12-20 02:56 - 0000000 ____D C:\Program Files (x86)\AliWangWang
2012-05-09 19:59 - 2010-07-25 18:19 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-05-09 08:10 - 2011-06-16 04:56 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\KuGou7
2012-05-09 08:09 - 2012-03-27 09:10 - 0000000 ____D C:\Kugou
2012-05-09 08:04 - 2012-02-18 04:32 - 0000000 ___HD C:\KuGouCache
2012-05-09 07:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At48.job
2012-05-09 07:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At24.job
2012-05-09 06:47 - 2011-01-17 19:56 - 0163920 ____A (TENCENT) C:\Windows\System32\TesSafe.sys
2012-05-09 06:09 - 2010-12-03 01:27 - 0000000 ____D C:\Users\peterchen\AppData\Local\CrashDumps
2012-05-09 06:03 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At23.job
2012-05-09 06:02 - 2011-08-11 23:37 - 0733370 ____A C:\Windows\PFRO.log
2012-05-09 06:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At47.job
2012-05-09 05:37 - 2012-05-09 05:37 - 0019600 ____A C:\Users\peterchen\Desktop\DDS.txt
2012-05-09 05:37 - 2012-05-09 05:37 - 0014130 ____A C:\Users\peterchen\Desktop\Attach.txt
2012-05-09 05:31 - 2012-05-09 05:33 - 0607260 ____R (Swearware) C:\Users\peterchen\Desktop\dds.scr
2012-05-09 05:31 - 2012-05-09 05:30 - 0607260 ____R (Swearware) C:\Users\peterchen\Downloads\dds.scr
2012-05-09 05:29 - 2012-05-09 05:29 - 0000480 ____A C:\Users\peterchen\Desktop\defogger_disable.log
2012-05-09 05:29 - 2012-05-09 05:29 - 0000000 ____A C:\Users\peterchen\defogger_reenable
2012-05-09 05:29 - 2010-12-03 00:56 - 0000000 ____D C:\users\peterchen
2012-05-09 05:26 - 2012-05-09 05:26 - 0050477 ____A C:\Users\peterchen\Desktop\Defogger.exe
2012-05-09 05:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At46.job
2012-05-09 05:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At22.job
2012-05-09 04:49 - 2012-05-09 04:41 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360Desktop
2012-05-09 04:49 - 2012-05-09 04:21 - 0002138 ____A C:\Users\peterchen\Desktop\360????.lnk
2012-05-09 04:48 - 2012-05-09 04:48 - 0002400 ____A C:\Users\peterchen\Desktop\360Chrome.lnk
2012-05-09 04:48 - 2012-05-09 04:48 - 0000000 ____D C:\Users\peterchen\AppData\Local\360Chrome
2012-05-09 04:33 - 2012-05-09 04:33 - 0000000 ____D C:\Windows\Tasks\360Disabled
2012-05-09 04:33 - 2010-12-03 05:53 - 0000000 ____D C:\Users\All Users\360safe
2012-05-09 04:33 - 2010-12-03 05:53 - 0000000 ____D C:\ProgramData\360safe
2012-05-09 04:22 - 2012-05-09 04:22 - 0000000 _RSHD C:\360SANDBOX
2012-05-09 04:21 - 2011-11-20 20:54 - 0000000 ____D C:\Program Files (x86)\360
2012-05-09 04:13 - 2012-04-21 04:56 - 0000000 ____D C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2012-05-09 04:09 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\Users\peterchen\AppData\Local\AVG Secure Search
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\Users\All Users\AVG Secure Search
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\ProgramData\AVG Secure Search
2012-05-09 02:45 - 2012-05-09 02:45 - 0000000 ___HD C:\$AVG
2012-05-09 02:26 - 2012-05-09 02:26 - 3877872 ____A (AVG Technologies) C:\Users\peterchen\Desktop\avg_free_stb_all_2012_2171_cnet.exe
2012-05-09 02:12 - 2011-10-02 04:51 - 0000000 ____D C:\Users\All Users\QvodPlayer
2012-05-09 02:12 - 2011-10-02 04:51 - 0000000 ____D C:\ProgramData\QvodPlayer
2012-05-09 02:12 - 2010-12-03 01:20 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Tencent
2012-05-09 02:09 - 2012-04-21 04:58 - 0000000 ____D C:\Program Files (x86)\Enigma Software Group
2012-05-09 02:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At43.job
2012-05-09 02:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At19.job
2012-05-09 01:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At42.job
2012-05-09 01:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At18.job
2012-05-09 00:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At41.job
2012-05-09 00:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At17.job
2012-05-08 23:40 - 2012-05-08 23:40 - 0000000 __SHD C:\KRECYCLE
2012-05-08 23:40 - 2011-10-05 01:07 - 0000000 ____D C:\Users\All Users\KRSHistory
2012-05-08 23:40 - 2011-10-05 01:07 - 0000000 ____D C:\ProgramData\KRSHistory
2012-05-08 23:34 - 2012-05-08 23:34 - 0000000 ____D C:\Program Files (x86)\Rising
2012-05-08 23:32 - 2012-05-08 23:32 - 0000000 ____D C:\Program Files (x86)\kingsoft
2012-05-08 23:22 - 2010-12-03 01:21 - 0000000 ____D C:\Users\peterchen\Documents\Tencent Files
2012-05-08 23:20 - 2012-05-08 23:20 - 0000000 ____A C:\Users\All Users\rebootpending.txt
2012-05-08 23:20 - 2012-05-08 23:20 - 0000000 ____A C:\ProgramData\rebootpending.txt
2012-05-08 11:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At28.job
2012-05-08 11:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At4.job
2012-05-07 12:21 - 2012-05-05 20:28 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\GarenaPlus
2012-05-07 12:21 - 2012-05-05 20:18 - 0000000 ____D C:\Users\All Users\GarenaMessenger
2012-05-07 12:21 - 2012-05-05 20:18 - 0000000 ____D C:\ProgramData\GarenaMessenger
2012-05-07 12:21 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\GroupPolicy
2012-05-07 12:16 - 2010-07-25 17:59 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-05-07 01:58 - 2012-05-07 01:58 - 0000000 __SHD C:\found.001
2012-05-06 21:18 - 2012-04-21 01:33 - 0000000 ____D C:\sh4ldr
2012-05-06 21:02 - 2010-12-03 00:56 - 0000000 ____D C:\Users\peterchen\AppData\LocalLow
2012-05-06 21:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At38.job
2012-05-06 21:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At14.job
2012-05-06 12:10 - 2012-05-06 00:30 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ylic
2012-05-06 11:36 - 2012-04-23 19:12 - 0000262 ____A C:\spyhunter.log
2012-05-06 11:02 - 2012-05-06 00:30 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ukusa
2012-05-06 11:02 - 2012-05-06 00:30 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ataslup
2012-05-06 09:35 - 2012-05-06 09:35 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360SuperKiller
2012-05-06 08:15 - 2011-01-30 19:03 - 0000000 ____D C:\360Rec
2012-05-06 04:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At45.job
2012-05-06 04:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At21.job
2012-05-06 03:46 - 2012-05-06 03:46 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_User_wpdcomp_01_09_00.Wdf
2012-05-06 03:38 - 2012-04-23 11:13 - 0010569 ____A C:\sh4_service.log
2012-05-06 03:06 - 2012-04-15 21:04 - 0015041 ____A C:\Users\peterchen\Desktop\???.docx
2012-05-06 03:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At44.job
2012-05-06 03:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At20.job
2012-05-06 02:50 - 2010-12-03 01:20 - 0000030 ____A C:\Windows\QQPlayer.INI
2012-05-06 02:33 - 2012-05-06 00:30 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ralonal
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At40.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At39.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At37.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At36.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At35.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At34.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At33.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At32.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At31.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At30.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At29.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At27.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At26.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000342 ____A C:\Windows\Tasks\At25.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At9.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At8.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At7.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At6.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At5.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At3.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At2.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At16.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At15.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At13.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At12.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At11.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At10.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At1.job
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default User\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:19 - 2012-05-06 00:19 - 0000000 ____D C:\Windows\system64
2012-05-05 19:50 - 2012-03-29 05:33 - 0419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-05-05 19:50 - 2011-05-16 16:18 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-05 12:44 - 2011-11-20 16:29 - 0000000 ____D C:\Users\peterchen\AppData\Local\PMB Files
2012-05-05 07:24 - 2011-04-22 08:02 - 0000000 ____D C:\Windows\Minidump
2012-04-29 07:12 - 2012-04-29 07:12 - 0000000 ____D C:\Users\peterchen\Desktop\LOLBox
2012-04-28 11:22 - 2012-01-06 22:55 - 0000000 ____D C:\Program Files (x86)\????????
2012-04-28 10:12 - 2012-04-28 10:13 - 0525544 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-04-28 10:12 - 2012-04-28 10:13 - 0191264 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-04-28 10:12 - 2012-04-28 10:13 - 0172320 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-04-28 10:12 - 2012-04-28 10:13 - 0172320 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-04-28 10:12 - 2012-04-28 10:12 - 0000000 ____D C:\Program Files\Java
2012-04-27 06:26 - 2011-10-24 22:44 - 0000000 ____D C:\Users\peterchen\riotsGamesLogs
2012-04-27 04:51 - 2012-04-27 04:51 - 0000795 ____A C:\Users\Public\Desktop\QQ??.lnk
2012-04-22 00:33 - 2012-02-13 02:30 - 0000000 ____D C:\Users\peterchen\Desktop\??
2012-04-21 05:31 - 2012-04-21 02:04 - 0000000 ____D C:\Users\All Users\PC Tools
2012-04-21 05:31 - 2012-04-21 02:04 - 0000000 ____D C:\ProgramData\PC Tools
2012-04-21 04:58 - 2012-04-21 04:58 - 0000000 ____D C:\Windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-04-21 04:58 - 2012-04-21 04:58 - 0000000 ____A C:\autoexec.bat
2012-04-21 02:32 - 2012-04-21 02:32 - 0000412 ____A C:\rkill.log
2012-04-21 02:28 - 2012-04-21 01:29 - 0073556 ____A C:\Windows\ntbtlog.txt
2012-04-21 02:04 - 2011-03-24 00:27 - 0000000 ____D C:\Users\peterchen\AppData\Local\ElevatedDiagnostics
2012-04-21 01:33 - 2012-04-21 01:33 - 0000000 ____D C:\Program Files\Enigma Software Group
2012-04-21 00:15 - 2010-12-03 01:44 - 0000000 ____D C:\Windows\SysWOW64\dialconfig
2012-04-19 03:18 - 2011-03-04 19:07 - 0000000 ____D C:\Users\peterchen\AppData\Local\NokiaAccount
2012-04-19 03:17 - 2011-12-20 02:55 - 0000000 ____D C:\Program Files (x86)\Tudou
2012-04-19 03:11 - 2010-09-18 20:48 - 0000000 ____D C:\Program Files (x86)\Windows Live
2012-04-19 03:08 - 2012-01-02 02:22 - 0000000 ____D C:\Users\All Users\Baidu
2012-04-19 03:08 - 2012-01-02 02:22 - 0000000 ____D C:\ProgramData\Baidu
2012-04-19 03:01 - 2010-12-08 15:56 - 0000000 ____D C:\Users\All Users\PPLive
2012-04-19 03:01 - 2010-12-08 15:56 - 0000000 ____D C:\ProgramData\PPLive
2012-04-17 05:38 - 2011-04-12 00:51 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-04-17 05:38 - 2011-04-12 00:51 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-04-16 10:28 - 2012-01-02 02:22 - 0002356 ____A C:\Windows\SysWOW64\bdsecushr.dat
2012-04-12 05:51 - 2012-04-12 05:50 - 0000000 ____D C:\Users\peterchen\Desktop\uni doc
2012-04-09 03:32 - 2012-05-09 04:22 - 0049512 ____A (360.cn) C:\Windows\System32\Drivers\360AntiHacker64.sys
2012-04-07 18:32 - 2012-04-07 18:32 - 0000000 __SHD C:\found.000
2012-04-07 01:46 - 2012-04-21 00:16 - 0120600 ____A (????????????) C:\Windows\SysWOW64\xunyount.dll
2012-04-06 03:08 - 2012-01-02 02:23 - 0000138 ____A C:\Windows\vsfilter.INI
2012-04-05 18:56 - 2011-01-01 20:34 - 0000000 ____D C:\Users\peterchen\AppData\Local\Microsoft Games
2012-04-04 08:43 - 2011-12-20 02:43 - 0000000 ____D C:\Program Files (x86)\PPStream
2012-04-04 06:59 - 2012-03-27 17:55 - 0000000 ____D C:\Program Files (x86)\TENCENT
2012-04-04 06:59 - 2012-03-04 04:28 - 0000000 ____D C:\Program Files\TENCENT
2012-03-29 00:02 - 2012-03-29 00:02 - 0000000 ____D C:\Program Files\china-drm
2012-03-29 00:02 - 2012-03-29 00:02 - 0000000 ____D C:\china-drm
2012-03-28 11:00 - 2011-06-18 01:18 - 57249312 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-03-28 08:13 - 2009-07-13 20:45 - 0383896 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-25 10:12 - 2012-03-25 10:12 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\alipay
2012-03-20 00:05 - 2009-07-13 21:08 - 0032576 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-03-16 03:38 - 2012-05-09 04:22 - 0285024 ____A (360????) C:\Windows\System32\Drivers\360Box64.sys
2012-03-14 09:16 - 2011-11-20 16:29 - 0000000 ____D C:\Users\All Users\PMB Files
2012-03-14 09:16 - 2011-11-20 16:29 - 0000000 ____D C:\ProgramData\PMB Files
2012-03-10 21:40 - 2011-11-21 02:00 - 0000000 ____D C:\Users\peterchen\Documents\????
2012-03-08 00:01 - 2012-05-09 04:22 - 0355928 ____A (360.cn) C:\Windows\System32\Drivers\360FsFlt.sys
2012-03-05 23:51 - 2012-03-05 23:51 - 0000000 ____D C:\Users\All Users\Blizzard Entertainment
2012-03-05 23:51 - 2012-03-05 23:51 - 0000000 ____D C:\ProgramData\Blizzard Entertainment
2012-03-05 22:53 - 2012-04-10 17:28 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-05 21:59 - 2012-04-10 17:28 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-05 21:59 - 2012-04-10 17:28 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-05 21:50 - 2011-04-17 14:29 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360chrome
2012-03-04 03:59 - 2012-03-04 03:58 - 0000102 ____H C:\Windows\SysWOW64\update.jpg
2012-02-29 22:46 - 2012-04-10 17:11 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-29 22:38 - 2012-04-10 17:11 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 22:33 - 2012-04-10 17:11 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 22:28 - 2012-04-10 17:11 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 21:37 - 2012-04-10 17:11 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-02-29 21:33 - 2012-04-10 17:11 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-02-29 21:29 - 2012-04-10 17:11 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-02-27 23:34 - 2012-04-10 17:21 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 23:02 - 2012-04-10 17:21 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 22:56 - 2012-04-10 17:21 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 22:50 - 2012-04-10 17:21 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 22:49 - 2012-04-10 17:21 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 22:48 - 2012-04-10 17:21 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 22:48 - 2012-04-10 17:21 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 22:47 - 2012-04-10 17:21 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 22:45 - 2012-04-10 17:21 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 22:43 - 2012-04-10 17:21 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 22:43 - 2012-04-10 17:21 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 22:42 - 2012-04-10 17:21 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 22:39 - 2012-04-10 17:21 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-27 17:52 - 2012-04-10 17:21 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-27 17:27 - 2012-04-10 17:21 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-27 17:18 - 2012-04-10 17:21 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-27 17:12 - 2012-04-10 17:21 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-27 17:11 - 2012-04-10 17:21 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-27 17:11 - 2012-04-10 17:21 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-27 17:09 - 2012-04-10 17:21 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-27 17:08 - 2012-04-10 17:21 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-27 17:06 - 2012-04-10 17:21 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-27 17:04 - 2012-04-10 17:21 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-27 17:03 - 2012-04-10 17:21 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-27 17:03 - 2012-04-10 17:21 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-27 16:59 - 2012-04-10 17:21 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-02-22 18:18 - 2011-01-13 03:11 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-22 03:47 - 2012-02-22 03:47 - 0375296 ____A C:\Users\peterchen\Desktop\??10000.doc
2012-02-22 03:47 - 2012-02-22 03:46 - 0338432 ____A C:\Users\peterchen\Desktop\??10000??.doc
2012-02-17 09:14 - 2012-02-17 08:13 - 0000089 ____A C:\Windows\lexicon_20120217.patch
2012-02-17 07:13 - 2012-02-16 08:03 - 0000089 ____A C:\Windows\lexicon_20120216.patch
2012-02-16 22:38 - 2012-03-28 07:41 - 1112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-02-16 22:38 - 2012-03-28 07:41 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-28 07:41 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-28 07:41 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-28 07:41 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-16 07:03 - 2012-02-15 08:11 - 0000089 ____A C:\Windows\lexicon_20120215.patch
2012-02-16 01:03 - 2011-11-20 00:42 - 0000025 ____A C:\Users\peterchen\AppData\Roaming\CoreAVC.ini
2012-02-15 07:11 - 2012-02-14 17:17 - 0000089 ____A C:\Windows\lexicon_20120214.patch
2012-02-14 07:49 - 2012-02-13 09:34 - 0000089 ____A C:\Windows\lexicon_20120213.patch
2012-02-13 06:31 - 2012-02-12 08:27 - 0000089 ____A C:\Windows\lexicon_20120212.patch
2012-02-13 02:55 - 2012-02-13 02:55 - 0001119 ____A C:\Users\peterchen\Desktop\LOL??.lnk
2012-02-13 02:44 - 2011-12-31 01:55 - 0000000 ____D C:\Users\peterchen\Desktop\????? ????
2012-02-12 07:27 - 2012-02-11 08:04 - 0000089 ____A C:\Windows\lexicon_20120211.patch

========================= Known DLLs (Whitelisted) ============

[2011-10-10 20:18] - [2010-11-20 05:25] - 0014336 ____A (Microsoft Corporation) C:\Windows\System32\browseui.dll
[2011-10-10 20:18] - [2010-11-20 04:18] - 0010752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browseui.dll
[2009-07-13 16:18] - [2009-07-13 17:41] - 0083456 ____A (Microsoft Corporation) C:\Windows\System32\msacm32.dll
[2009-07-13 16:03] - [2009-07-13 17:15] - 0072192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msacm32.dll
[2009-07-13 15:21] - [2009-07-13 17:41] - 0006656 ____A (Microsoft Corporation) C:\Windows\System32\shimeng.dll
[2009-07-13 15:12] - [2009-07-13 17:16] - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shimeng.dll
[2009-07-13 15:55] - [2009-07-13 17:41] - 0332288 ____A (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
[2009-07-13 15:39] - [2009-07-13 17:11] - 0245760 ____A (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\System32\mfc40.dll IS MISSING <==== ATTENTION!
[2011-10-10 20:21] - [2010-11-20 04:19] - 0954752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc40.dll
[2011-10-10 20:20] - [2010-11-20 05:26] - 2067456 ____A (Microsoft Corporation) C:\Windows\System32\d3d9.dll
[2011-10-10 20:20] - [2010-11-20 04:18] - 1828352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d9.dll
[2009-07-13 15:59] - [2009-07-13 17:26] - 1297408 ____A (Microsoft Corporation) C:\Windows\System32\comres.dll
[2009-07-13 15:44] - [2009-07-13 17:04] - 1297408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\comres.dll
[2009-07-13 15:41] - [2009-07-13 17:40] - 0569344 ____A (Microsoft Corporation) C:\Windows\System32\ddraw.dll
[2009-07-13 15:27] - [2009-07-13 17:15] - 0531968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ddraw.dll
[2009-07-13 16:18] - [2009-07-13 17:40] - 0540672 ____A (Microsoft Corporation) C:\Windows\System32\dsound.dll
[2009-07-13 16:03] - [2009-07-13 17:15] - 0453632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dsound.dll

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 34%
Total physical RAM: 1782.81 MB
Available physical RAM: 1173.96 MB
Total Pagefile: 1782.81 MB
Available Pagefile: 1165.95 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (eMachines) (Fixed) (Total:142.55 GB) (Free:99.81 GB) NTFS
2 Drive d: (New Volume) (Fixed) (Total:142.44 GB) (Free:29.56 GB) NTFS
3 Drive f: (PQSERVICE) (Fixed) (Total:13 GB) (Free:0.89 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive h: (HP v250w) (Removable) (Total:7.59 GB) (Free:2.42 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 2048 KB
Disk 1 Online 7788 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 13 GB 1024 KB
Partition 2 Primary 100 MB 13 GB
Partition 3 Primary 142 GB 13 GB
Partition 0 Extended 142 GB 155 GB
Partition 4 Logical 142 GB 155 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F PQSERVICE NTFS Partition 13 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C eMachines NTFS Partition 142 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D New Volume NTFS Partition 142 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7783 MB 5340 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H HP v250w FAT32 Removable 7783 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-28 22:52

======================= End Of Log ==========================

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
C:\Windows\System32\consrv.dll
2 issuser; C:\Windows\System32\JRAID.dll [6656 2009-07-13] (Oak Technology Inc.)
C:\Windows\System32\JRAID.dll
NETSVC: issuse
3 X6va005; \??\C:\Users\PETERC~1\AppData\Local\Temp\0053ADF.tmp [x]
cmd: del /a/f/q C:\Windows\Tasks\At*.job
end

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Hi , everything went successfully

this is the log

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 09-05-2012
Ran by SYSTEM at 2012-05-10 22:31:35 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
C:\Windows\System32\consrv.dll moved successfully.
issuser service deleted successfully.
C:\Windows\System32\JRAID.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs issuse Deleted successfully.
X6va005 service deleted successfully.

========= del /a/f/q C:\Windows\Tasks\At*.job =========


========= End of CMD: =========


==== End of Fixlog ====

Good.

We taken care of the main infection.

• Please download Malwarebytes' Anti-Malware from one of these locations:
  malwarebytes.org
  majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
  Extra Note:
  If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
  
• Please download MiniRegTool64.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5
  • Check Export keys radio button.
  • Press Go button and post the result.

Hi

the log from MBAM

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.10.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
peterchen :: PETERCHEN-PC [administrator]

Protection: Enabled

2012/5/10 23:13:50
mbam-log-2012-05-10 (23-13-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 31409
Time elapsed: 58 second(s) [aborted]

Memory Processes Detected: 1
C:\Program Files (x86)\360\360Safe\360leakfixer.exe (Trojan.Agent) -> 3332 -> Delete on reboot.

Memory Modules Detected: 2
C:\Program Files (x86)\360\360Safe\safemon\BootLeakFixer.tpi (Trojan.Agent) -> Delete on reboot.
C:\Program Files (x86)\360\360Safe\leakrepair.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Program Files (x86)\360\360Safe\safemon\BootLeakFixer.tpi (Trojan.Agent) -> Delete on reboot.
C:\Program Files (x86)\360\360Safe\360leakfixer.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files (x86)\360\360Safe\leakrepair.dll (Trojan.Agent) -> Delete on reboot.

(end)

and the log from miniregtool

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000006
"Serial_Access_Num"=dword:0000003a
"Num_Catalog_Entries64"=dword:00000006

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"ProviderId"=hex:a2,cb,4a,96,bc,b2,eb,40,8c,6a,a6,db,40,16,1c,ae
"SupportedNameSpace"=dword:00000025
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1000"
"ProviderId"=hex:ce,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000027
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1001"
"ProviderId"=hex:cd,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000026
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"ProviderId"=hex:a2,cb,4a,96,bc,b2,eb,40,8c,6a,a6,db,40,16,1c,ae
"SupportedNameSpace"=dword:00000025
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1000"
"ProviderId"=hex:ce,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000027
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1001"
"ProviderId"=hex:cd,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000026
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

We are going to repair the winsock entries that are altered by this malware.

• Please download  Fix-WS.reg   764bytes   4 downloads
  Double-click it and confirm the prompt to allow to merge.
  
• Important: Restart.
  
• Please download system64.bat
  Important: right-click and select "Run as administrator".
  A command window and then a log file (log00.txt) will open.
  Please post the content to your reply.
  
• Important: Restart.
  
• Please download MiniToolBox and save it to your desktop and run it.
  
  Checkmark following checkboxes:
  
• List Winsock Entries

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

hi

the log from system64.bat

Start

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

C:\Windows\system64 found.
C:\Windows\system64 deleted successfully.
End

and the log from minitoolbox

MiniToolBox by Farbar Version: 18-01-2012
Ran by peterchen (administrator) on 11-05-2012 at 00:16:33
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

**** End of log ****

That part looks good.

We need a full system checkup.

• Make sure you update Java to the latest version.
  
• To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
  • Make sure all the options are checked.
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
  You can also view these instructions along with screenshots here.
  
• ESET Online Scanner:
  
  Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  
  Vista and Windows 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  
  
  • Please go here then click on:
    

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats and the option Scan archives are checked.
  • Now click on Advanced Settings and select the following:
  • Enable Anti-Stealth Technology
  • Now click on:
  • The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
  Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also please tell me how is the system running.

ok, the ESET has detected 2 trogens so far, win64/sirefef.W and win64/sirefef.G

I will post the log as soon as i finish the scan

Those two files could be the ones we moved to the quarantine folder of FRST. Please take your time and post the log when ready.

Also tell me how is the computer running.

oh god, i finally finish the scanning, it took me almost 3hours

here is the log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-10 07:23:56
# local_time=2012-05-11 03:23:56 (+0800, W. Australia Standard Time)
# country="People's Republic of China"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1797 16774142 0 7 0 9590819 0 0
# compatibility_mode=5893 16776574 66 94 759331 88297953 0 0
# compatibility_mode=8192 67108863 100 0 476 476 0 0
# scanned=235494
# found=8
# cleaned=8
# scan_time=9751
C:\FRST\Quarantine\consrv.dll Win64/Sirefef.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\FRST\Quarantine\JRAID.dll Win64/Sirefef.W trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\peterchen\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\45c49568-38809c94 Java/Exploit.Agent.NBN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\peterchen\AppData\Roaming\QvodPlayer\QvodUpdate5.exe probably a variant of Win32/Adware.TencentAd application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\peterchen\Desktop\加速器合集 圣诞节版\加速器合集-By_d-iao\加速器合集-By_d-iao.exe a variant of Win32/Packed.VMProtect.AAN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\assembly\temp\U\80000000.@ Win64/Sirefef.W trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\assembly\temp\U\80000032.@ a variant of Win32/Sirefef.EU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\assembly\temp\U\80000064.@ Win64/Sirefef.AC trojan (cleaned by deleting - quarantined) 0000000000000000

oh, btw the system is running faster

It looks good.

• Please delete FRST tool as we don't need it any more. Also go to C:\FRST and delete the entire FRST folder.
  
• You may delete any tool or log we used from your computer.
  
• Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll-back" to a clean working state if needed. :
• Go to Start => Right-click "Computer" and select "Properties".
• In the left pane select "System Protection".
• Press "Configure".
• Select "Delete". Then press "Continue" close and "OK".
• Select your drive (drive C) and press "Create".
  Fill in a name for the restore point and press "Create".
  After finished press "Close".

Recommendations:

• I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  
• I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
  SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
• Download and install it.
• Update it manually by clicking on Updates in the left pane and then Check for Updates.
• Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
• The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

OK

thanks a lot, u guys are amazingggggggggggggg