cannot reboot windows 7 after running combofix (tried frst64 and got output)


  • This topic is locked
4 replies to this topic

#1 wtb

Posted 23 March 2012 - 02:46 AM

Hello. I basically got exactly the same problem as in this thread: http://www.bleepingcomputer.com/forums/topic447021.html/page__p__2639367__hl__boot__fromsearch__1#entry2639367
I followed the instructions and got the output from FRST64.exe as follows.
Since gringo_pr indicated that the "solution script was written specifically for that user, for use on that particular machine. Running this on another machine may cause damage to your operating system", I am wondering if anyone would be kind enough to generate such a script for my case. Thanks so much.
BTW, combofix.txt and frst.txt can be found in the attachment.



Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 23-03-2012 02:11:19
Running from I:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet004

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SunJavaUpdateSched] ; "C:\Program Files\Java\jre6\bin\jusched.exe" [x]
HKLM\...\Run: [NvCplDaemon] ; RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16334368 2009-07-23] (NVIDIA Corporation)
HKLM\...\Run: [Microsoft Pinyin IME Migration] ; C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL [60208 2006-10-26] (Microsoft Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [318464 2009-05-14] (Alps Electric Co., Ltd.)
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [320056 2009-06-24] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HPCam_Menu] "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam" [218408 2009-02-25] (CyberLink Corp.)
HKLM-x32\...\Run: [DpAgent] C:\Program Files (x86)\DigitalPersona\Bin\dpagent.exe [842816 2009-07-01] (DigitalPersona, Inc.)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized [523216 2011-09-09] (Cisco Systems, Inc.)
HKU\Administrator\...\Run: [PPS Accelerator] D:\PPS.tv\PPStream\ppsap.exe [x]
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Default\...\Policies\system: [WallpaperStyle] 2
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Default User\...\Policies\system: [WallpaperStyle] 2
HKU\senpeng\...\Run: [LightScribe Control Panel] ; C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-06-17] (Hewlett-Packard Company)
HKU\senpeng\...\Run: [Google Update] ; "C:\Users\senpeng\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-08-29] (Google Inc.)
HKU\senpeng\...\Policies\system: [WallpaperStyle] 2
HKU\senpeng\...\Policies\system: [DisableRegistryTools] 0
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 68.105.28.12
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 AcronisOSSReinstallSvc; "C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2217416 2007-02-22] ()
2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
2 DokanMounter; C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe [14848 2011-01-10] ()
2 DpHost; C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe [322624 2009-07-01] (DigitalPersona, Inc.)
2 hpsrv; C:\Windows\System32\Hpservice.exe [30520 2009-07-08] (Hewlett-Packard)
2 MSSQL$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [57617752 2009-03-30] (Microsoft Corporation)
4 MSSQLServerADHelper100; "C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [61976 2009-07-22] (Microsoft Corporation)
2 navap; C:\Windows\System32\mqdmmdfl.dll [6656 2009-07-13] (Oak Technology Inc.)
3 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-01-21] ()
4 sina_live_deamon; C:\Program Files (x86)\sina\Sina_live\2010\live_deamon.dll [210248 2011-02-15] (?????(??)????)
4 SOSOUpSvc; C:\Program Files\TENCENT\SOSOUpdate.exe /Service [120720 2012-01-13] (Tencent)
4 SQLAgent$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [427880 2009-03-30] (Microsoft Corporation)
4 SQLBrowser; "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [254808 2009-03-30] (Microsoft Corporation)
2 SQLWriter; "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [157720 2008-07-10] (Microsoft Corporation)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe [240128 2009-07-21] (IDT, Inc.)
4 UUSee Live Update Service; C:\Program Files (x86)\Common Files\uusee\UUSeeLUS.exe [157048 2011-09-18] ( )
2 vfsFPService; C:\Windows\system32\vfsFPService.exe [721712 2009-06-03] (Validity Sensors, Inc.)
2 vfsFPService; C:\Windows\SysWow64\vfsFPService.exe [599344 2009-06-03] (Validity Sensors, Inc.)
2 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [87728 2011-10-13] (ShenZhen Xunlei Networking Technologies,LTD)

========================== Drivers (Whitelisted) =============

3 Accelerometer; C:\Windows\System32\Drivers\Accelerometer.sys [41272 2009-07-08] (Hewlett-Packard)
3 acsock; C:\Windows\System32\DRIVERS\acsock64.sys [106408 2011-09-09] (Cisco Systems, Inc.)
3 Alidevice; C:\Windows\SysWow64\Drivers\Alidevice.sys [6656 2010-07-01] (alipay.com)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
2 Dokan; C:\Windows\System32\Drivers\Dokan.sys [120408 2011-01-10] (Windows ® Win 7 DDK provider)
3 enecir; C:\Windows\System32\Drivers\enecir.sys [70656 2009-05-20] (ENE TECHNOLOGY INC.)
0 hpdskflt; C:\Windows\System32\Drivers\hpdskflt.sys [30008 2009-07-08] (Hewlett-Packard)
3 NETw1v64; C:\Windows\System32\Drivers\NETw1v64.sys [7058432 2009-07-20] (Intel Corporation)
4 RsFx0103; C:\Windows\System32\Drivers\RsFx0103.sys [311656 2009-03-30] (Microsoft Corporation)
0 snapman; C:\Windows\System32\Drivers\snapman.sys [198944 2009-11-23] (Acronis)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2009-11-23] (Duplex Secure Ltd.)
1 StarOpen; C:\Windows\SysWow64\Drivers\StarOpen.sys [5632 2009-11-30] ()
3 tcphoc; \??\C:\Program Files (x86)\Thunder Network\Thunder\XLDoctor\7.1.4.2104_1\Program\tcphoc.sys [8488 2010-12-21] ()
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 TesDrvPt; \??\C:\Windows\system32\TesDrvPt.sys [x]
1 yqmrhlim; \??\C:\Windows\system32\drivers\yqmrhlim.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: W700bus
NETSVC: navap

============ One Month Created Files and Folders ==============

2012-03-22 12:08 - 2012-03-22 12:08 - 0000000 ____D C:\Windows\LastGood.Tmp
2012-03-22 12:08 - 2011-09-09 08:00 - 0026536 ____A (Cisco Systems, Inc.) C:\Windows\System32\Drivers\vpnva64.sys
2012-03-22 12:07 - 2012-03-22 12:07 - 2208256 ____A C:\Users\Administrator\Downloads\anyconnect-win-2.4.0202-pre-deploy-k9.msi
2012-03-20 08:59 - 2012-03-20 08:59 - 0058995 ____A C:\ComboFix.txt
2012-03-20 08:53 - 2012-03-20 08:53 - 0000000 __SHD C:\$RECYCLE.BIN
2012-03-20 08:51 - 2012-03-20 08:52 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-03-20 08:35 - 2012-03-20 09:00 - 0000000 ____D C:\ComboFix
2012-03-20 08:35 - 2012-03-20 08:59 - 0000000 ____D C:\Qoobox
2012-03-20 08:35 - 2012-03-20 08:57 - 0000000 ____D C:\Windows\ERDNT
2012-03-20 08:35 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-03-20 08:35 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-03-20 08:35 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-03-20 08:35 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-03-20 08:35 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-03-20 08:35 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-03-20 08:35 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-03-20 08:35 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-03-19 09:47 - 2012-03-19 09:47 - 0000000 ____D C:\Program Files (x86)\mfiles
2012-03-16 14:33 - 2012-03-16 14:33 - 0001315 ____A C:\Users\Administrator\Desktop\WinRDBI 4.3.160_06 (2).lnk
2012-03-15 21:02 - 2012-03-15 21:02 - 0000036 ____A C:\Users\Administrator\AppData\Roaming\CoreAVC.ini
2012-03-15 16:12 - 2012-03-20 08:52 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-03-10 14:30 - 2012-03-20 08:00 - 0000000 ____D C:\Users\Administrator\Tracing
2012-03-09 21:13 - 2012-03-09 21:13 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Baidu
2012-03-08 16:53 - 2012-03-08 16:53 - 0000000 ____D C:\Users\Administrator\Documents\Storm
2012-03-07 10:35 - 2012-03-07 10:35 - 0000040 ____A C:\Users\senpeng\Documents\.RData
2012-03-07 08:31 - 2012-03-07 08:31 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Macrovision
2012-03-06 14:33 - 2012-03-20 10:05 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\BitTorrent
2012-03-05 11:54 - 2012-03-20 08:53 - 0000000 ___RD C:\Users\Administrator\Dropbox
2012-03-05 11:54 - 2012-03-05 11:54 - 0001385 ____A C:\Users\Administrator\Desktop\Dropbox.lnk
2012-03-05 11:53 - 2012-03-21 14:23 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Dropbox
2012-03-05 11:53 - 2012-03-05 11:53 - 0001409 ____N C:\Users\Administrator\Start Menu\Programs\Startup\Dropbox.lnk
2012-03-05 11:53 - 2012-03-05 11:53 - 0001409 ____N C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2012-03-04 16:37 - 2012-03-04 16:37 - 0000672 ____A C:\Users\senpeng\Desktop\ORPG???.lnk
2012-03-03 21:51 - 2012-03-03 21:51 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Real
2012-03-02 14:37 - 2012-03-02 14:37 - 0096170 ____A C:\Users\Administrator\logistic regression.xls
2012-03-01 10:41 - 2012-03-14 16:42 - 0002018 ___AH C:\Users\Administrator\Documents\Default.rdp
2012-03-01 10:40 - 2012-03-22 12:10 - 0000000 ____D C:\Users\Administrator\AppData\Local\Cisco
2012-02-29 17:30 - 2012-03-22 10:06 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\ppstream
2012-02-29 16:03 - 2012-02-17 12:24 - 0002417 ____A C:\Users\Administrator\Desktop\Google Chrome (2).lnk
2012-02-29 16:02 - 2012-03-22 13:43 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\MxBoost
2012-02-29 16:02 - 2010-03-26 21:31 - 0001671 ____A C:\Users\Administrator\Desktop\Maxthon.exe - Shortcut.lnk
2012-02-29 15:52 - 2012-02-05 18:52 - 0879880 ____A (Sysinternals - www.sysinternals.com) C:\Users\Administrator\Desktop\procexp64.exe
2012-02-29 13:27 - 2011-04-06 23:13 - 0002221 ____A C:\Users\Administrator\Desktop\??QQ.lnk
2012-02-29 13:24 - 2012-02-29 13:24 - 0000000 ____D C:\Users\Administrator\AppData\Local\Tencent
2012-02-29 13:23 - 2012-03-20 11:12 - 0000000 ____D C:\Users\Administrator\Documents\Tencent Files
2012-02-29 13:23 - 2012-03-05 17:45 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Tencent
2012-02-29 12:41 - 2012-02-29 12:41 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\kingsoft
2012-02-29 12:29 - 2012-02-29 12:44 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Notepad++
2012-02-29 11:40 - 2012-03-07 19:54 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\SSH
2012-02-29 11:40 - 2012-03-01 09:01 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\SAS
2012-02-29 11:40 - 2012-02-29 11:40 - 0000000 ____D C:\Users\Administrator\Documents\My SAS Files
2012-02-29 11:32 - 2012-03-20 13:37 - 0000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-994924427-635643427-1097806155-500UA.job
2012-02-29 11:32 - 2012-03-20 11:37 - 0000888 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-994924427-635643427-1097806155-500Core.job
2012-02-29 11:32 - 2012-03-12 18:37 - 0002443 ____A C:\Users\Administrator\Desktop\Google Chrome.lnk
2012-02-29 11:32 - 2012-03-03 22:26 - 0000000 ____D C:\Users\Administrator\AppData\Local\Google
2012-02-29 10:18 - 2012-02-29 10:18 - 0000017 ____A C:\Users\Administrator\AppData\Local\resmon.resmoncfg
2012-02-29 09:56 - 2012-02-29 09:56 - 0000000 ____D C:\Users\All Users\360safe
2012-02-29 09:56 - 2012-02-29 09:56 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\360safe
2012-02-29 09:56 - 2012-02-29 09:56 - 0000000 ____D C:\ProgramData\360safe
2012-02-29 09:51 - 2012-02-29 09:51 - 0000000 ____A C:\Windows\SysWOW64\nst601D.tmp
2012-02-29 09:51 - 2012-02-29 09:51 - 0000000 ____A C:\Windows\SysWOW64\nsj49A0.tmp
2012-02-29 09:51 - 2012-02-29 09:51 - 0000000 ____A C:\Windows\System32\nsy6127.tmp
2012-02-29 09:14 - 2012-02-29 09:14 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\AdobeUM
2012-02-29 09:14 - 2012-02-29 09:14 - 0000000 ____D C:\Users\Administrator\AppData\Local\Adobe
2012-02-29 08:41 - 2012-02-29 08:41 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\EndNote
2012-02-29 00:06 - 2012-02-29 00:06 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\DigitalPersona
2012-02-29 00:06 - 2012-02-29 00:06 - 0000000 ____D C:\Users\Administrator\AppData\Local\DigitalPersona
2012-02-29 00:06 - 2012-02-29 00:06 - 0000000 ____A C:\Users\Administrator\AppData\Local\QSwitch.txt
2012-02-29 00:06 - 2012-02-29 00:06 - 0000000 ____A C:\Users\Administrator\AppData\Local\DSwitch.txt
2012-02-29 00:06 - 2012-02-29 00:06 - 0000000 ____A C:\Users\Administrator\AppData\Local\AtStart.txt
2012-02-28 23:34 - 2012-02-28 22:40 - 0001013 ____A C:\Users\senpeng\Start Menu\Programs\Startup\Dropbox.lnk
2012-02-28 23:34 - 2012-02-28 22:40 - 0001013 ____A C:\Users\senpeng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2012-02-28 23:34 - 2009-11-12 22:17 - 0000892 ____N C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
2012-02-28 23:19 - 2012-02-28 23:34 - 0000000 ____D C:\Windows\pss
2012-02-28 23:02 - 2012-02-28 23:02 - 0000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-02-28 22:26 - 2012-03-22 14:04 - 1726886 ____A C:\Windows\ntbtlog.txt
2012-02-28 22:14 - 2012-02-28 22:14 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2012-02-28 22:14 - 2012-02-28 22:14 - 0000000 ____D C:\Users\Administrator\AppData\Local\Mozilla
2012-02-28 21:45 - 2012-02-28 21:45 - 0129752 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2012-02-28 21:44 - 2012-02-29 09:42 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Super Rabbit
2012-02-28 21:28 - 2012-02-28 21:28 - 3932214 ____A C:\Windows\Super Rabbit WallPage.BMP
2012-02-22 10:22 - 2012-03-08 22:09 - 0000000 ____D C:\R


============ 3 Months Modified Files and Folders =============

2012-03-23 02:11 - 2012-03-23 02:11 - 0000000 ____D C:\FRST
2012-03-23 01:04 - 2009-11-12 22:03 - 3195236352 __ASH C:\hiberfil.sys
2012-03-22 21:38 - 2009-12-06 20:46 - 0000000 ____D C:\psfile
2012-03-22 14:04 - 2012-02-28 22:26 - 1726886 ____A C:\Windows\ntbtlog.txt
2012-03-22 13:43 - 2012-02-29 16:02 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\MxBoost
2012-03-22 13:30 - 2011-12-29 19:51 - 0000000 ____D C:\Users\All Users\QvodPlayer
2012-03-22 13:30 - 2011-12-29 19:51 - 0000000 ____D C:\ProgramData\QvodPlayer
2012-03-22 12:10 - 2012-03-01 10:40 - 0000000 ____D C:\Users\Administrator\AppData\Local\Cisco
2012-03-22 12:08 - 2012-03-22 12:08 - 0000000 ____D C:\Windows\LastGood.Tmp
2012-03-22 12:07 - 2012-03-22 12:07 - 2208256 ____A C:\Users\Administrator\Downloads\anyconnect-win-2.4.0202-pre-deploy-k9.msi
2012-03-22 10:06 - 2012-02-29 17:30 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\ppstream
2012-03-22 10:05 - 2009-07-13 21:13 - 0872684 ____A C:\Windows\System32\PerfStringBackup.INI
2012-03-21 21:41 - 2009-11-24 10:48 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-03-21 14:23 - 2012-03-05 11:53 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Dropbox
2012-03-20 21:39 - 2009-07-13 20:45 - 0023024 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-03-20 21:39 - 2009-07-13 20:45 - 0023024 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-03-20 14:14 - 2009-07-13 21:08 - 0032612 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-03-20 13:39 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-03-20 13:37 - 2012-02-29 11:32 - 0000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-994924427-635643427-1097806155-500UA.job
2012-03-20 13:24 - 2010-08-29 14:25 - 0000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-994924427-635643427-1097806155-1000UA.job
2012-03-20 12:40 - 2010-06-08 12:02 - 0000342 ____A C:\Windows\Tasks\HPCeeScheduleForsenpeng.job
2012-03-20 12:22 - 2009-11-12 22:12 - 1360442 ____A C:\Windows\WindowsUpdate.log
2012-03-20 11:37 - 2012-02-29 11:32 - 0000888 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-994924427-635643427-1097806155-500Core.job
2012-03-20 11:12 - 2012-02-29 13:23 - 0000000 ____D C:\Users\Administrator\Documents\Tencent Files
2012-03-20 10:05 - 2012-03-06 14:33 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\BitTorrent
2012-03-20 09:45 - 2009-07-13 20:51 - 0204372 ____A C:\Windows\setupact.log
2012-03-20 09:00 - 2012-03-20 08:35 - 0000000 ____D C:\ComboFix
2012-03-20 08:59 - 2012-03-20 08:59 - 0058995 ____A C:\ComboFix.txt
2012-03-20 08:59 - 2012-03-20 08:35 - 0000000 ____D C:\Qoobox
2012-03-20 08:59 - 2009-07-13 19:20 - 0000000 __RHD C:\users\Default
2012-03-20 08:59 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-03-20 08:57 - 2012-03-20 08:35 - 0000000 ____D C:\Windows\ERDNT
2012-03-20 08:53 - 2012-03-20 08:53 - 0000000 __SHD C:\$RECYCLE.BIN
2012-03-20 08:53 - 2012-03-05 11:54 - 0000000 ___RD C:\Users\Administrator\Dropbox
2012-03-20 08:53 - 2009-07-13 18:34 - 0000215 ____A C:\Windows\system.ini
2012-03-20 08:52 - 2012-03-20 08:51 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-03-20 08:52 - 2012-03-15 16:12 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-03-20 08:51 - 2012-03-20 08:51 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-03-20 08:51 - 2009-07-13 18:34 - 81264640 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-03-20 08:51 - 2009-07-13 18:34 - 4194304 ____A C:\Windows\System32\config\DEFAULT.bak
2012-03-20 08:51 - 2009-07-13 18:34 - 37486592 ____A C:\Windows\System32\config\SYSTEM.bak
2012-03-20 08:51 - 2009-07-13 18:34 - 0262144 ____A C:\Windows\System32\config\SECURITY.bak
2012-03-20 08:51 - 2009-07-13 18:34 - 0262144 ____A C:\Windows\System32\config\SAM.bak
2012-03-20 08:49 - 2009-12-06 16:08 - 0000000 ____D C:\Vagaa
2012-03-20 08:49 - 2009-11-25 09:39 - 0000000 ____D C:\Program Files (x86)\NamiRobot
2012-03-20 08:49 - 2009-11-23 10:48 - 0000000 ____D C:\users\senpeng
2012-03-20 08:48 - 2011-04-09 11:18 - 0002151 ____A C:\Users\Public\Desktop\??7.lnk
2012-03-20 08:00 - 2012-03-10 14:30 - 0000000 ____D C:\Users\Administrator\Tracing
2012-03-20 08:00 - 2009-11-23 10:56 - 0000187 ____A C:\Users\All Users\HPWALog.txt
2012-03-20 08:00 - 2009-11-23 10:56 - 0000187 ____A C:\ProgramData\HPWALog.txt
2012-03-19 09:47 - 2012-03-19 09:47 - 0000000 ____D C:\Program Files (x86)\mfiles
2012-03-19 09:47 - 2011-10-02 19:19 - 0000000 ____D C:\Users\Administrator\AppData\LocalLow
2012-03-19 09:47 - 2009-11-23 16:56 - 0000000 ____D C:\Program Files (x86)\Baidu
2012-03-19 01:17 - 2009-11-23 18:45 - 0000000 ____D C:\Users\All Users\Storm
2012-03-19 01:17 - 2009-11-23 18:45 - 0000000 ____D C:\ProgramData\Storm
2012-03-19 00:24 - 2010-08-29 14:25 - 0000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-994924427-635643427-1097806155-1000Core.job
2012-03-18 22:42 - 2011-12-29 20:52 - 0003821 ____A C:\Windows\SysWOW64\bdsecushr.dat
2012-03-18 21:35 - 2011-12-29 19:32 - 0000138 ____A C:\Windows\vsfilter.INI
2012-03-16 16:04 - 2011-10-02 19:20 - 0000000 ____D C:\Users\Administrator\Documents\PDF files
2012-03-16 14:33 - 2012-03-16 14:33 - 0001315 ____A C:\Users\Administrator\Desktop\WinRDBI 4.3.160_06 (2).lnk
2012-03-15 21:02 - 2012-03-15 21:02 - 0000036 ____A C:\Users\Administrator\AppData\Roaming\CoreAVC.ini
2012-03-14 16:42 - 2012-03-01 10:41 - 0002018 ___AH C:\Users\Administrator\Documents\Default.rdp
2012-03-12 18:37 - 2012-02-29 11:32 - 0002443 ____A C:\Users\Administrator\Desktop\Google Chrome.lnk
2012-03-10 14:30 - 2011-10-02 19:19 - 0000000 ____D C:\users\Administrator
2012-03-09 21:13 - 2012-03-09 21:13 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Baidu
2012-03-09 21:08 - 2012-02-05 09:41 - 0000000 ____D C:\Users\All Users\Vpn123
2012-03-09 21:08 - 2012-02-05 09:41 - 0000000 ____D C:\ProgramData\Vpn123
2012-03-08 23:37 - 2011-10-23 17:27 - 0000000 ___RD C:\Users\senpeng\Dropbox
2012-03-08 23:37 - 2011-10-23 17:24 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\Dropbox
2012-03-08 22:09 - 2012-02-22 10:22 - 0000000 ____D C:\R
2012-03-08 22:09 - 2009-11-23 11:43 - 0000000 ____D C:\??
2012-03-08 16:53 - 2012-03-08 16:53 - 0000000 ____D C:\Users\Administrator\Documents\Storm
2012-03-07 19:54 - 2012-02-29 11:40 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\SSH
2012-03-07 10:35 - 2012-03-07 10:35 - 0000040 ____A C:\Users\senpeng\Documents\.RData
2012-03-07 08:31 - 2012-03-07 08:31 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Macrovision
2012-03-05 17:45 - 2012-02-29 13:23 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Tencent
2012-03-05 16:26 - 2010-08-27 20:38 - 0000000 ____D C:\Download
2012-03-05 16:25 - 2010-08-27 20:38 - 0000000 ____D C:\Program Files (x86)\RaySource
2012-03-05 11:54 - 2012-03-05 11:54 - 0001385 ____A C:\Users\Administrator\Desktop\Dropbox.lnk
2012-03-05 11:53 - 2012-03-05 11:53 - 0001409 ____N C:\Users\Administrator\Start Menu\Programs\Startup\Dropbox.lnk
2012-03-05 11:53 - 2012-03-05 11:53 - 0001409 ____N C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2012-03-05 08:17 - 2009-11-23 16:21 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\Maxthon2
2012-03-04 16:37 - 2012-03-04 16:37 - 0000672 ____A C:\Users\senpeng\Desktop\ORPG???.lnk
2012-03-03 22:26 - 2012-02-29 11:32 - 0000000 ____D C:\Users\Administrator\AppData\Local\Google
2012-03-03 22:05 - 2011-04-06 01:33 - 0000036 ____A C:\Windows\SysWOW64\mylk.dat
2012-03-03 21:51 - 2012-03-03 21:51 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Real
2012-03-02 14:37 - 2012-03-02 14:37 - 0096170 ____A C:\Users\Administrator\logistic regression.xls
2012-03-01 09:01 - 2012-02-29 11:40 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\SAS
2012-02-29 16:05 - 2011-12-25 13:49 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe
2012-02-29 13:36 - 2010-07-01 00:01 - 0000000 ____D C:\Program Files (x86)\AliWangWang
2012-02-29 13:24 - 2012-02-29 13:24 - 0000000 ____D C:\Users\Administrator\AppData\Local\Tencent
2012-02-29 12:44 - 2012-02-29 12:29 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Notepad++
2012-02-29 12:41 - 2012-02-29 12:41 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\kingsoft
2012-02-29 11:40 - 2012-02-29 11:40 - 0000000 ____D C:\Users\Administrator\Documents\My SAS Files
2012-02-29 10:18 - 2012-02-29 10:18 - 0000017 ____A C:\Users\Administrator\AppData\Local\resmon.resmoncfg
2012-02-29 10:05 - 2009-11-23 21:31 - 0000000 ____D C:\Program Files (x86)\SogouInput
2012-02-29 10:01 - 2009-08-24 10:31 - 0000000 ____D C:\Program Files (x86)\HP
2012-02-29 09:56 - 2012-02-29 09:56 - 0000000 ____D C:\Users\All Users\360safe
2012-02-29 09:56 - 2012-02-29 09:56 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\360safe
2012-02-29 09:56 - 2012-02-29 09:56 - 0000000 ____D C:\ProgramData\360safe
2012-02-29 09:55 - 2011-10-02 19:20 - 0002572 ____A C:\Windows\SysWOW64\DllHost.log
2012-02-29 09:55 - 2011-10-02 19:20 - 0000398 ____A C:\Windows\SysWOW64\performance.log
2012-02-29 09:51 - 2012-02-29 09:51 - 0000000 ____A C:\Windows\SysWOW64\nst601D.tmp
2012-02-29 09:51 - 2012-02-29 09:51 - 0000000 ____A C:\Windows\SysWOW64\nsj49A0.tmp
2012-02-29 09:51 - 2012-02-29 09:51 - 0000000 ____A C:\Windows\System32\nsy6127.tmp
2012-02-29 09:51 - 2010-12-20 20:21 - 0000000 ____D C:\Program Files (x86)\SogouExtension
2012-02-29 09:42 - 2012-02-28 21:44 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Super Rabbit
2012-02-29 09:24 - 2012-01-17 13:28 - 1145344 __ASH C:\Users\senpeng\Thumbs.db
2012-02-29 09:14 - 2012-02-29 09:14 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\AdobeUM
2012-02-29 09:14 - 2012-02-29 09:14 - 0000000 ____D C:\Users\Administrator\AppData\Local\Adobe
2012-02-29 09:01 - 2011-12-29 19:51 - 0001490 ____A C:\Users\Public\Desktop\??.lnk
2012-02-29 09:01 - 2010-04-18 00:55 - 0000000 ____D C:\Program Files\Tencent
2012-02-29 09:01 - 2009-12-31 16:54 - 0000000 ____D C:\QvodPlayer
2012-02-29 08:41 - 2012-02-29 08:41 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\EndNote
2012-02-29 00:06 - 2012-02-29 00:06 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\DigitalPersona
2012-02-29 00:06 - 2012-02-29 00:06 - 0000000 ____D C:\Users\Administrator\AppData\Local\DigitalPersona
2012-02-29 00:06 - 2012-02-29 00:06 - 0000000 ____A C:\Users\Administrator\AppData\Local\QSwitch.txt
2012-02-29 00:06 - 2012-02-29 00:06 - 0000000 ____A C:\Users\Administrator\AppData\Local\DSwitch.txt
2012-02-29 00:06 - 2012-02-29 00:06 - 0000000 ____A C:\Users\Administrator\AppData\Local\AtStart.txt
2012-02-28 23:34 - 2012-02-28 23:19 - 0000000 ____D C:\Windows\pss
2012-02-28 23:02 - 2012-02-28 23:02 - 0000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-02-28 22:53 - 2011-10-20 13:29 - 0002021 ____A C:\Users\senpeng\Desktop\IGV 2.0.lnk
2012-02-28 22:40 - 2012-02-28 23:34 - 0001013 ____A C:\Users\senpeng\Start Menu\Programs\Startup\Dropbox.lnk
2012-02-28 22:40 - 2012-02-28 23:34 - 0001013 ____A C:\Users\senpeng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2012-02-28 22:40 - 2011-10-23 17:27 - 0001033 ____A C:\Users\senpeng\Desktop\Dropbox.lnk
2012-02-28 22:14 - 2012-02-28 22:14 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2012-02-28 22:14 - 2012-02-28 22:14 - 0000000 ____D C:\Users\Administrator\AppData\Local\Mozilla
2012-02-28 22:08 - 2009-11-23 17:19 - 0000000 ____D C:\Users\senpeng\Documents\Tencent Files
2012-02-28 21:47 - 2009-12-12 18:37 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\Skype
2012-02-28 21:45 - 2012-02-28 21:45 - 0129752 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2012-02-28 21:28 - 2012-02-28 21:28 - 3932214 ____A C:\Windows\Super Rabbit WallPage.BMP
2012-02-28 20:47 - 2009-11-23 16:21 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\MxBoost
2012-02-26 22:44 - 2011-10-02 11:09 - 0000000 ____D C:\Users\senpeng\AppData\Local\Eclipse
2012-02-26 22:33 - 2010-04-18 18:16 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\PPStream
2012-02-23 08:14 - 2009-11-23 22:37 - 0002018 ___AH C:\Users\senpeng\Documents\Default.rdp
2012-02-22 18:58 - 2012-02-19 23:10 - 0000000 ____D C:\Program Files (x86)\????
2012-02-21 19:42 - 2011-05-08 17:04 - 0000204 ____A C:\Windows\struct~.ini
2012-02-21 18:20 - 2011-09-06 19:01 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\SSH
2012-02-21 15:50 - 2009-11-23 11:00 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\Adobe
2012-02-21 15:50 - 2009-08-24 09:51 - 0000000 ____D C:\Users\All Users\Adobe
2012-02-21 15:50 - 2009-08-24 09:51 - 0000000 ____D C:\ProgramData\Adobe
2012-02-21 15:47 - 2010-08-18 16:44 - 0000000 ____D C:\Users\senpeng\Desktop\useful documents
2012-02-20 21:02 - 2009-12-12 18:43 - 0000000 ____D C:\Users\senpeng\Documents\Webcam
2012-02-19 23:21 - 2012-02-19 23:21 - 0000944 ____A C:\Users\Public\Desktop\????.lnk
2012-02-19 23:21 - 2012-02-19 23:11 - 0000000 ____D C:\Windows\SysWOW64\dialconfig
2012-02-17 12:24 - 2012-02-29 16:03 - 0002417 ____A C:\Users\Administrator\Desktop\Google Chrome (2).lnk
2012-02-17 12:24 - 2011-12-25 14:15 - 0002417 ____A C:\Users\senpeng\Desktop\Google Chrome.lnk
2012-02-15 13:03 - 2011-09-09 10:36 - 0000000 ____D C:\Users\senpeng\Documents\Visual Studio 2010
2012-02-14 19:23 - 2012-02-14 19:23 - 0001985 ____A C:\Users\Public\Desktop\????.lnk
2012-02-14 19:23 - 2009-11-23 17:19 - 0000000 ____D C:\Program Files (x86)\Tencent
2012-02-14 19:23 - 2009-11-23 17:18 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\Tencent
2012-02-14 19:08 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-02-13 19:39 - 2009-11-29 01:43 - 0000000 ___RD C:\Users\Public\VCDownloads
2012-02-12 23:32 - 2010-11-04 18:54 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\BitTorrent
2012-02-12 13:04 - 2009-11-29 01:42 - 0000000 ____D C:\Program Files (x86)\easyMule2
2012-02-10 13:47 - 2009-11-23 19:38 - 0000000 ____D C:\Users\senpeng\AppData\Local\Microsoft Help
2012-02-08 19:57 - 2012-01-24 15:27 - 0001710 ____A C:\Users\senpeng\Desktop\Bitcasa.lnk
2012-02-06 20:43 - 2011-12-09 19:30 - 0000000 ____D C:\Users\All Users\Jlcm
2012-02-06 20:43 - 2011-12-09 19:30 - 0000000 ____D C:\ProgramData\Jlcm
2012-02-06 20:42 - 2012-02-06 20:42 - 0001984 ____H C:\Users\All Users\Start Menu\Programs\Startup\PPTV.lnk
2012-02-06 20:42 - 2012-02-06 20:42 - 0001056 ____A C:\Users\Public\Desktop\PPTV .lnk
2012-02-06 20:42 - 2011-12-09 17:02 - 0000000 ____D C:\Program Files (x86)\PPLive
2012-02-05 18:52 - 2012-02-29 15:52 - 0879880 ____A (Sysinternals - www.sysinternals.com) C:\Users\Administrator\Desktop\procexp64.exe
2012-02-05 18:52 - 2012-01-09 14:22 - 0879880 ____A (Sysinternals - www.sysinternals.com) C:\Users\senpeng\Desktop\procexp64.exe
2012-02-01 19:05 - 2012-02-01 19:03 - 0000000 ____D C:\Users\senpeng\AppData\Local\Cisco
2012-02-01 19:05 - 2012-02-01 19:01 - 0000000 ____D C:\Program Files (x86)\Cisco
2012-02-01 19:04 - 2012-02-01 19:01 - 0000000 ____D C:\Users\All Users\Cisco
2012-02-01 19:04 - 2012-02-01 19:01 - 0000000 ____D C:\ProgramData\Cisco
2012-02-01 08:49 - 2011-10-20 13:29 - 0000000 ____D C:\Users\senpeng\igv
2012-01-25 23:50 - 2012-01-25 23:42 - 0000000 ____D C:\Program Files (x86)\WinRDBI
2012-01-25 16:04 - 2012-01-24 15:30 - 0000000 ____D C:\Users\senpeng\Bitcasa
2012-01-24 15:28 - 2012-01-24 15:28 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\com.bitcasa.Bitcasa
2012-01-24 15:27 - 2012-01-24 15:27 - 0000000 ____D C:\Program Files (x86)\Dokan
2012-01-24 15:27 - 2012-01-24 15:26 - 0000000 ____D C:\Program Files\Bitcasa
2012-01-22 12:28 - 2009-11-24 10:48 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\Mozilla
2012-01-17 13:47 - 2012-01-17 13:45 - 0000000 ____D C:\SmartDraw 2010
2012-01-17 13:46 - 2012-01-17 13:25 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\SmartDraw
2012-01-17 13:45 - 2012-01-17 13:45 - 0000661 ____A C:\Users\senpeng\Desktop\SmartDraw 2010.lnk
2012-01-17 13:26 - 2012-01-17 13:26 - 0000000 ____D C:\Users\senpeng\Documents\SmartDraw
2012-01-17 13:25 - 2012-01-17 13:25 - 0000000 ____D C:\Users\senpeng\AppData\System
2012-01-16 09:20 - 2011-12-13 21:02 - 0000000 ____D C:\Program Files (x86)\????
2012-01-13 13:17 - 2010-03-18 08:15 - 0770384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr100.dll
2012-01-13 13:17 - 2010-03-18 08:15 - 0421200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp100.dll
2012-01-12 08:25 - 2012-01-10 20:58 - 0000000 ____D C:\Users\senpeng\AppData\Roaming\SAS
2012-01-11 16:05 - 2011-08-18 11:56 - 0000000 ____D C:\Users\senpeng\MY folder
2012-01-11 14:28 - 2012-01-11 14:28 - 0000000 ____D C:\Users\senpeng\AppData\Local\Microsoft_Corporation
2012-01-10 22:01 - 2009-11-23 10:48 - 0000000 ____D C:\Users\senpeng\AppData\LocalLow
2012-01-10 22:00 - 2009-08-24 08:28 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-01-10 21:59 - 2009-08-24 10:02 - 0000000 ____D C:\Program Files (x86)\CyberLink
2012-01-10 21:57 - 2009-08-24 08:27 - 0000000 ____D C:\Program Files (x86)\Hewlett-Packard
2012-01-10 21:54 - 2009-08-24 10:02 - 0000000 ____D C:\Users\All Users\CyberLink
2012-01-10 21:54 - 2009-08-24 10:02 - 0000000 ____D C:\ProgramData\CyberLink
2012-01-10 21:52 - 2009-08-24 09:10 - 0000000 ____D C:\Users\All Users\WildTangent
2012-01-10 21:52 - 2009-08-24 09:10 - 0000000 ____D C:\ProgramData\WildTangent
2012-01-10 21:52 - 2009-08-24 09:10 - 0000000 ____D C:\Program Files (x86)\HP Games
2012-01-10 21:32 - 2009-11-23 22:04 - 0002177 ____A C:\Users\senpeng\Desktop\360????.lnk
2012-01-10 21:22 - 2009-07-13 20:45 - 0555816 ____A C:\Windows\System32\FNTCACHE.DAT
2012-01-10 21:16 - 2012-01-10 20:40 - 0000000 ____D C:\Users\All Users\SAS
2012-01-10 21:16 - 2012-01-10 20:40 - 0000000 ____D C:\ProgramData\SAS
2012-01-10 21:16 - 2009-11-23 10:54 - 0129752 ____A C:\Users\senpeng\AppData\Local\GDIPFONTCACHEV1.DAT
2012-01-10 21:09 - 2012-01-10 20:52 - 0000000 ____D C:\Program Files\InstallShield Installation Information
2012-01-10 21:09 - 2012-01-10 20:44 - 0000000 ____D C:\Program Files\SAS
2012-01-10 21:08 - 2012-01-10 21:08 - 0001783 ____A C:\Users\senpeng\Documents\Enterprise Guide Sample.lnk
2012-01-10 20:59 - 2011-09-09 10:10 - 0878900 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-01-10 20:52 - 2012-01-10 20:52 - 0000000 ____D C:\Users\senpeng\Documents\My SAS Files
2012-01-10 20:51 - 2012-01-10 20:51 - 0009488 ____A C:\Windows\SysWOW64\jupdate-1.5.0_12-b04.log
2012-01-10 20:51 - 2009-08-24 10:54 - 0000000 ____D C:\Program Files (x86)\Java
2012-01-10 20:50 - 2012-01-10 20:50 - 0000000 ____D C:\Users\senpeng\AppData\Local\Sun
2012-01-10 20:48 - 2012-01-10 20:48 - 0000000 ____D C:\Program Files (x86)\SAS
2012-01-10 20:48 - 2012-01-10 20:48 - 0000000 ____D C:\Program Files (x86)\Microsoft WSE
2012-01-10 20:44 - 2012-01-10 20:40 - 0000000 ____D C:\Users\senpeng\AppData\Local\SAS
2012-01-10 19:17 - 2009-08-24 09:11 - 0000000 ____D C:\HP
2012-01-10 12:29 - 2009-11-23 19:38 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-01-10 12:29 - 2009-11-23 19:38 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-01-10 12:24 - 2011-04-09 11:19 - 0000000 ____D C:\Users\All Users\Xunlei
2012-01-10 12:24 - 2011-04-09 11:19 - 0000000 ____D C:\ProgramData\Xunlei
2012-01-08 19:09 - 2012-01-08 19:09 - 0000000 ____D C:\Windows\Sun
2012-01-01 11:36 - 2010-01-16 19:32 - 0000000 ____D C:\Users\senpeng\Desktop\jdwonloader
2011-12-25 14:14 - 2011-12-25 13:46 - 0000000 ____D C:\Users\senpeng\AppData\Local\Deployment
2011-12-25 14:13 - 2009-11-30 23:22 - 0000000 ____A C:\Users\All Users\LauncherAccess.dt
2011-12-25 14:13 - 2009-11-30 23:22 - 0000000 ____A C:\ProgramData\LauncherAccess.dt
2011-12-25 13:50 - 2009-11-24 10:48 - 0001142 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2011-12-25 13:49 - 2011-12-25 13:49 - 0000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia
2011-12-25 13:46 - 2011-12-25 13:46 - 0000000 ____D C:\Users\senpeng\AppData\Local\Apps\2.0
2011-12-25 13:20 - 2009-11-23 18:59 - 0000000 ____D C:\Users\All Users\Thunder Network
2011-12-25 13:20 - 2009-11-23 18:59 - 0000000 ____D C:\ProgramData\Thunder Network

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe
[2009-11-12 23:02] - [2009-11-12 23:02] - 2868736 ____A (Microsoft Corporation) 6D4F9E4B640B413C6F73414327484C80

C:\Windows\SysWOW64\explorer.exe
[2009-11-12 23:02] - [2009-11-12 23:02] - 2613248 ____A (Microsoft Corporation) FC89FACA0473641CB625EDA9277D0885

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 4062.95 MB
Available physical RAM: 3415.59 MB
Total Pagefile: 4061.15 MB
Available Pagefile: 3408.16 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (BOOTCAMP) (Fixed) (Total:132.13 GB) (Free:24.67 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: () (Fixed) (Total:100.01 GB) (Free:55.52 GB) NTFS
3 Drive e: () (Fixed) (Total:217.59 GB) (Free:29.57 GB) NTFS
4 Drive g: (RECOVERY) (Fixed) (Total:15.83 GB) (Free:2.6 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive h: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
6 Drive i: () (Removable) (Total:3.92 GB) (Free:3.92 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 4020 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 132 GB 200 MB
Partition 3 Primary 15 GB 132 GB
Partition 0 Extended 317 GB 148 GB
Partition 4 Logical 100 GB 148 GB
Partition 5 Logical 217 GB 248 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C BOOTCAMP NTFS Partition 132 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G RECOVERY NTFS Partition 15 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 D NTFS Partition 100 GB Healthy

======================================================================================================

Disk: 0
Partition 5
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 E NTFS Partition 217 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 4019 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 I FAT32 Removable 4019 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-10 12:11

======================= End Of Log ==========================


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 March 2012 - 07:36 PM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
1 yqmrhlim; \??\C:\Windows\system32\drivers\yqmrhlim.sys [x]
cmd: bootrec /FixMbr
cmd: bootrec /fixboot

end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Restart your computer, let me know if you can boot normally now.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 wtb

wtb
  • Topic Starter

  • Members
  • 2 posts

Posted 23 March 2012 - 09:32 PM

Dear CatByte,

Thank you so much for your kind help. It worked!!!!!!!!!!! My PC can reboot normally now. Here I have attached the fixlog.txt.

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 15-03-2012
Ran by SYSTEM at 2012-03-23 22:21:53 R:1
Running from I:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet004\Control\Session Manager\SubSystems\\Windows Value was restored.
yqmrhlim service deleted successfully.

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


========= bootrec /fixboot =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog ====

Thanks again and wish you have a good weekend!


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 March 2012 - 09:46 PM

very good :thumbup2:

Please delete the copy of ComboFix that you have on the desktop and download a fresh copy from the link below, disable your security programs and run ComboFix, then post the fresh log.

Link 1



#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 29 March 2012 - 09:48 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
