Codec-c


10 replies to this topic

#1 laughingcloud

laughingcloud


Posted 06 April 2012 - 03:19 PM

Hi, I've recently discovered the malware called codec-c on my computer after I started seeing ads all over the place on facebook timelines and newsfeed. I've removed the plugin from my browser and attempted to uninstall it from my control panel. After which my start menu options started disappearing. Can someone please help me remove this?


#2 laughingcloud

laughingcloud

Posted 06 April 2012 - 03:23 PM

I've read the other posts on a similar problem, so I went ahead and ran Defogger and DDS; here are the logs:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Xiaoyun at 16:09:18 on 2012-04-06
Microsoft Windows 7 Home Premium 6.1.7601.1.936.86.1033.18.3964.2124 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesApp64.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Users\Xiaoyun\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\notepad.exe
C:\Users\Xiaoyun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Xiaoyun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Xiaoyun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Xiaoyun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Xiaoyun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Xiaoyun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Xiaoyun\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Xiaoyun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Users\Xiaoyun\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uURLSearchHooks: Tencent SearchHook: {db8b2393-7a6c-4c76-88ce-6b1f6ff6ffe9} - C:\Program Files (x86)\TENCENT\SOSOAddr\ieaddr.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\scriptsn.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Codec-C Class: {daa4fc9e-7600-4f89-85e5-527606dc20ec} - C:\ProgramData\Codec-C\bhoclass.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [NACAgentUI] C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
mRun: [<NO NAME>]
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: C:\Users\Xiaoyun\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Xiaoyun\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: myitlab.com
Trusted Zone: pearsoncmg.com
Trusted Zone: pearsoned.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 131.104.136.36 131.104.20.10
TCP: Interfaces\{5A75A111-85B8-4858-A00B-BBE7C64D0BB7} : DhcpNameServer = 131.104.136.36 131.104.20.10
TCP: Interfaces\{C0FBC0F0-0A80-410F-ACE2-73BDE7E708E0} : DhcpNameServer = 131.104.136.36 131.104.20.10
TCP: Interfaces\{C0FBC0F0-0A80-410F-ACE2-73BDE7E708E0}\2454C4C4230363 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C0FBC0F0-0A80-410F-ACE2-73BDE7E708E0}\75C414E4 : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~2\KuGou7\KUGOO3~1.OCX
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~2\KuGou7\KUGOO3~1.OCX
IFEO: changeoutput.exe - "C:\Program Files (x86)\TuneUp Utilities 2011\TUAutoReactivator64.exe"
IFEO: hdmictrlcfg.exe - "C:\Program Files (x86)\TuneUp Utilities 2011\TUAutoReactivator64.exe"
IFEO: pccompanion.exe - "C:\Program Files (x86)\TuneUp Utilities 2011\TUAutoReactivator64.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\scriptsn.dll
BHO-X64: scriptproxy - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Codec-C Class: {DAA4FC9E-7600-4F89-85E5-527606DC20EC} - C:\ProgramData\Codec-C\bhoclass.dll
BHO-X64: Codec-C - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun-x64: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun-x64: [NACAgentUI] C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
mRun-x64: [(Default)]
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun-x64: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
IE-X64: {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
IFEO-X64: changeoutput.exe - "C:\Program Files (x86)\TuneUp Utilities 2011\TUAutoReactivator64.exe"
IFEO-X64: hdmictrlcfg.exe - "C:\Program Files (x86)\TuneUp Utilities 2011\TUAutoReactivator64.exe"
IFEO-X64: pccompanion.exe - "C:\Program Files (x86)\TuneUp Utilities 2011\TUAutoReactivator64.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-3-18 44768]
R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2010-3-25 20792]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2009-8-25 103744]
R2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe [2010-3-25 180968]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [2010-3-25 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\system32\mfevtps.exe --> C:\Windows\system32\mfevtps.exe [?]
R2 NACAgent;Cisco NAC Agent;C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe [2011-7-25 1105848]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe [2011-12-8 2028864]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys --> C:\Windows\system32\DRIVERS\FwLnk.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 PGEffect;Pangu effect driver;C:\Windows\system32\DRIVERS\pgeffect.sys --> C:\Windows\system32\DRIVERS\pgeffect.sys [?]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;C:\Program Files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesDriver64.sys [2011-6-6 11856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\system32\DRIVERS\ggflt.sys --> C:\Windows\system32\DRIVERS\ggflt.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S4 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2011-8-30 155344]
.
=============== File Associations ===============
.
chm.file="hh.exe" %1
inifile=C:\Windows\SysWow64\NOTEPAD.EXE %1
txtfile=C:\Windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2012-04-05 15:04:44 -------- d-----w- C:\Users\Xiaoyun\AppData\Roaming\Dropbox
2012-04-02 01:44:41 -------- d-----w- C:\QUARANTINE
2012-03-31 01:06:48 -------- d-----w- C:\wo99Cache
2012-03-24 01:39:50 78896 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2012-03-24 01:39:49 97576 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2012-03-24 01:39:49 84424 ----a-w- C:\Windows\System32\drivers\mfetdik.sys
2012-03-24 01:39:49 79504 ----a-w- C:\Windows\System32\mfevtps.exe
2012-03-24 01:39:49 469400 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2012-03-24 01:39:49 120096 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2012-03-24 01:38:16 -------- d-----w- C:\Program Files (x86)\Common Files\Cisco Systems
2012-03-24 01:38:01 -------- d-----w- C:\Program Files (x86)\McAfee
2012-03-24 01:38:01 -------- d-----w- C:\Program Files (x86)\Common Files\McAfee
2012-03-24 01:17:59 -------- d-----w- C:\Program%20Files
2012-03-24 01:17:00 -------- d-----w- C:\Temp
2012-03-23 21:50:12 -------- d-----w- C:\ProgramData\Premium
2012-03-23 21:49:57 -------- d-----w- C:\ProgramData\Codec-C
2012-03-23 21:49:38 -------- d-----w- C:\ProgramData\InstallMate
2012-03-19 01:31:43 53080 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-03-14 20:09:56 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-14 20:09:55 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-14 20:09:54 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-14 13:57:06 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-14 13:57:02 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-14 13:57:01 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-14 13:56:32 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-14 13:56:32 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-14 13:56:31 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-14 13:56:29 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-14 13:56:28 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-14 13:56:28 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-14 13:56:28 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-13 02:08:51 -------- d-----w- C:\Users\Xiaoyun\AppData\Local\Ilivid Player
2012-03-13 02:08:44 -------- d--h--w- C:\ProgramData\{A37818CF-E0CC-4A13-B685-605AE2F01FD2}
2012-03-13 02:08:16 -------- d-----w- C:\Users\Xiaoyun\AppData\Local\PackageAware
2012-03-13 02:01:41 -------- d-----w- C:\Program Files\DivX
2012-03-13 02:00:02 -------- d-----w- C:\ProgramData\DivX
.
==================== Find3M ====================
.
2012-03-12 14:07:31 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-06 23:15:19 41184 ----a-w- C:\Windows\avastSS.scr
2012-03-06 23:04:06 819032 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-03-06 23:01:52 69976 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-01-13 19:17:52 770384 ----a-w- C:\Windows\SysWow64\msvcr100.dll
2012-01-13 19:17:52 421200 ----a-w- C:\Windows\SysWow64\msvcp100.dll
2012-01-13 15:53:15 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
.
============= FINISH: 16:11:18.99 ===============


.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 28/06/2011 6:52:22 PM
System Uptime: 06/04/2012 3:05:38 PM (1 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel® Core™2 Duo CPU T5800 @ 2.00GHz | CPU | 2000/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 282 GiB total, 96.059 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 7.493 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP109: 22/03/2012 8:43:39 AM - Scheduled Checkpoint
RP110: 23/03/2012 9:38:40 PM - Installed McAfee VirusScan Enterprise
RP111: 30/03/2012 9:00:37 PM - 已安装 wo99伴奏盒
RP112: 30/03/2012 9:10:56 PM - 已除去 wo99伴奏盒
RP113: 03/04/2012 8:10:00 PM - Windows Update
RP114: 05/04/2012 12:55:49 AM - Removed MAGIX Speed burnR (MSI)
RP115: 05/04/2012 12:58:11 AM - Removed MAGIX Screenshare
RP116: 05/04/2012 1:36:33 AM - Removed Firebird SQL Server - MAGIX Edition
RP117: 06/04/2012 3:25:22 PM - Removed Text-To-Speech-Runtime
.
==== Installed Programs ======================
.
.
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe AIR
Adobe Audition CS5.5
Adobe Community Help
Adobe Reader X (10.1.2)
Apple Application Support
Apple Software Update
avast! Free Antivirus
Cisco NAC Agent
Codec-C
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dropbox
Epson Easy Photo Print 2
Epson Event Manager
EPSON Scan
Google Chrome
Google Talk Plugin
HDMI Control Manager
iLivid
Inspiration 9
Java Auto Updater
Java™ 6 Update 31
Junk Mail filter update
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PPTV V3.1.1.0011
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
RealUpgrade 1.1
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Skype™ 5.5
Sony Ericsson PC Companion 2.01.217
TOSHIBA Hardware Setup
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
TuneUp Utilities 2011
TuneUp Utilities Language Pack (en-US)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553092)
VC80CRTRedist - 8.0.50727.6195
VLC media player 1.1.10
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
μTorrent
搜狗拼音输入法 6.1正式版
腾讯QQ2011
酷狗7 版本 7.1.37.13918
.
==== Event Viewer Messages From Past Week ========
.
31/03/2012 1:21:19 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer KAITIE-HP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{5A75A111-85B8-4858-A00B-BBE7C64D0BB7}. The master browser is stopping or an election is being forced.
30/03/2012 9:12:02 PM, Error: Service Control Manager [7031] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
30/03/2012 3:32:40 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 9 time(s).
30/03/2012 2:18:51 AM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
06/04/2012 8:46:57 AM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 3 time(s).
06/04/2012 4:04:34 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
06/04/2012 3:08:49 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
05/04/2012 8:02:12 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
05/04/2012 11:57:34 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer OWNER-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{5A75A111-85B8-4858-A00B-BBE7C64D0BB7}. The master browser is stopping or an election is being forced.
05/04/2012 10:10:49 AM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 2 time(s).
05/04/2012 10:10:44 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
04/04/2012 12:49:06 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
03/04/2012 6:16:10 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TuneUp.UtilitiesSvc service.
03/04/2012 4:30:38 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 12 time(s).
03/04/2012 10:19:33 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
02/04/2012 4:23:51 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 11 time(s).
01/04/2012 3:17:48 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 10 time(s).
.
==== End Of File ===========================

#3 laughingcloud

laughingcloud

Posted 06 April 2012 - 04:15 PM

Just to save some time, I followed the instructions on the other posts and ran ComboFix, but this NIRKMD window keeps popping up that says:

Windows cannot find 'NIRKMD'. Make sure you typed the name correctly, then try again.

#4 laughingcloud

laughingcloud

Posted 06 April 2012 - 04:33 PM

I did receive the error message "Illegal operation attempted on a registry key that has been marked for deletion." a few times as a result of trying to open other files or programs, but after restarting my computer everything seemed normal. Here's the log from ComboFix:


ComboFix 12-04-06.03 - Xiaoyun 06/04/2012 16:34:01.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.936.86.1033.18.3964.2326 [GMT -4:00]
执行位置: c:\users\Xiaoyun\Desktop\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
Error: Cfiles.dat
.
((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\favoritevideo\InvisibleFolder\20120309183817_biekejunwei0309zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120309190320_maikaolin120310zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120311174858_jianeng120312zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120311180042_jianeng120212zanting.swf
c:\favoritevideo\InvisibleFolder\20120312140934_sanguo120313zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120312141127_sanguo120313zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120312141331_sanguo120313zhufuceng.swf
c:\favoritevideo\InvisibleFolder\20120312141940_tongyisucai120313zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120312172058_baidu120313zanting.swf
c:\favoritevideo\InvisibleFolder\20120313152123_TGC120313zanting.swf
c:\favoritevideo\InvisibleFolder\20120313172857_baiduyouxi120314zanting.swf
c:\favoritevideo\InvisibleFolder\20120314110951_sunnofangchan120314zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120314133215_sunnofangchan120314zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120314150755_moyu120319zanting.swf
c:\favoritevideo\InvisibleFolder\20120314175750_baiduyouxi120315zanting.swf
c:\favoritevideo\InvisibleFolder\20120314202659_dongfengrichan120315zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120314202804_dongfengrichan120315zhufuceng.swf
c:\favoritevideo\InvisibleFolder\20120314203732_kongzhongwang120315zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120314203852_kongzhongwang120315zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120314204142_shenzhoujuzi120215zanting.swf
c:\favoritevideo\InvisibleFolder\20120314210951_37wan120315zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120314211110_37wan120315zhuhuanchongb15s.swf
c:\favoritevideo\InvisibleFolder\20120315100031_sanguo120316zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120315100736_sanguo120316zanting.swf
c:\favoritevideo\InvisibleFolder\20120315100925_sanguo120316chabo.swf
c:\favoritevideo\InvisibleFolder\20120315145418_anhei120322zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120315145543_anhei120322zanting.swf
c:\favoritevideo\InvisibleFolder\20120315203318_zhengtu120316zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120315204111_zhengtu120316zanting.swf
c:\favoritevideo\InvisibleFolder\20120316161128_shenxiandao120319zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120316161512_shenxiandao120319zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120316161736_shenxiandao120319zhufuceng.swf
c:\favoritevideo\InvisibleFolder\20120316164437_suitangyanyi120320zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120316181833_zhengtu120316zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120316182021_zhengtu120317zanting15s.swf
c:\favoritevideo\InvisibleFolder\20120316182224_zhengtu120316zanting15s.swf
c:\favoritevideo\InvisibleFolder\20120316183831_400-300.swf
c:\favoritevideo\InvisibleFolder\20120316184718_37wan120317zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120316185155_37wan120319zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120316185318_37wan120319zhuhuanchong15sb.swf
c:\favoritevideo\InvisibleFolder\20120316185412_37wan120319zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120316190819_juzi120316zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120316211830_lianxiang120319zanting.swf
c:\favoritevideo\InvisibleFolder\20120319145002_chuanyang120319zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120319145514_lianxiang120319zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120319210351_moyu120320zanting.swf
c:\favoritevideo\InvisibleFolder\20120320100008_chuanqichuangshi120320zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120320115113_alibaba120320zhufuceng.swf
c:\favoritevideo\InvisibleFolder\20120320145216_mozhijingling120321zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120320145652_mozhijingling120321zanting.swf
c:\favoritevideo\InvisibleFolder\20120320154633_tengxundnf120321zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120320154857_tenxun120321zanting.swf
c:\favoritevideo\InvisibleFolder\20120320162317_37wan120321zanting.swf
c:\favoritevideo\InvisibleFolder\20120320165031_suitangyanyi120321zanting.swf
c:\favoritevideo\InvisibleFolder\20120320172623_longjiang120320zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120320172716_longjiang120320zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120320175639_baidurencai120321cha15s.swf
c:\favoritevideo\InvisibleFolder\20120320180044_baidurencai120321zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120320183211_baiduyouxi120321azanting.swf
c:\favoritevideo\InvisibleFolder\20120321112225_tongyisucaiL120322zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120321112242_tongyisucaiL120322zanting.swf
c:\favoritevideo\InvisibleFolder\20120321112852_sunnofangchan120321zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120321131817_cangqiaong120322zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120321133014_cangqiaong120322zanting.swf
c:\favoritevideo\InvisibleFolder\20120321133043_cangqiaong120322chabo.swf
c:\favoritevideo\InvisibleFolder\20120321133516_baidu120322zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120321133635_baidu120322zanting.swf
c:\favoritevideo\InvisibleFolder\20120321144217_woyu120322zantingnew.swf
c:\favoritevideo\InvisibleFolder\20120321163826_suitangyanyi120322zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120321170117_mozhijingling120321zhu15snew.swf
c:\favoritevideo\InvisibleFolder\20120321170415_mozhijingling120321zantingnew.swf
c:\favoritevideo\InvisibleFolder\20120321174105_biekexinjunwei120321zanting.swf
c:\favoritevideo\InvisibleFolder\20120321195305_maikaolin120321zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120322121052_tengxinfengbao120322zanting.swf
c:\favoritevideo\InvisibleFolder\20120322165656_tianyoulanqiu120323zanting.swf
c:\favoritevideo\InvisibleFolder\20120322170640_baiyang120323cha15s.swf
c:\favoritevideo\InvisibleFolder\20120322182100_biekejunwei120326zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120322183214_biekejunwei120326zanting.swf
c:\favoritevideo\InvisibleFolder\20120323143742_anhei120323zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120323144108_anhei120323zanting.swf
c:\favoritevideo\InvisibleFolder\20120323144218_fanrenxiuzhen120325zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120323144850_fanrenxiuzhen120325zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120323145046_fanrenxiuzhen120325fuceng.swf
c:\favoritevideo\InvisibleFolder\20120323150342_jinengixus120326zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120323150620_jianengixus120326zanting.swf
c:\favoritevideo\InvisibleFolder\20120323160748_tianyoulanqiu120323zanting.swf
c:\favoritevideo\InvisibleFolder\20120323162225_jianengpowershot120326zanting.swf
c:\favoritevideo\InvisibleFolder\20120323163831_aoyou120323zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120323173256_sanxingnote120323zanting.swf
c:\favoritevideo\InvisibleFolder\20120323173737_shuihu120324zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120323173916_shuihu120324zanting.swf
c:\favoritevideo\InvisibleFolder\20120323183442_37wan120326zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120326103129_shuihu120326zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120326143821_sanxing120326cha15s.swf
c:\favoritevideo\InvisibleFolder\20120326151523_baidu120327zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120326151637_baidu120327zanting.swf
c:\favoritevideo\InvisibleFolder\20120326151821_1fanliwang120326zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120326161306_yulongzaitian120328zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120326161638_yulongzaitian120328zanting.swf
c:\favoritevideo\InvisibleFolder\20120326173952_tongyisucaiM120328zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120326174035_tongyisucaiM120328zanting.swf
c:\favoritevideo\InvisibleFolder\20120326174827_feixian120328zhu15ws.swf
c:\favoritevideo\InvisibleFolder\20120326175018_feixian120328zanting.swf
c:\favoritevideo\InvisibleFolder\20120326175305_feixian120328chabo.swf
c:\favoritevideo\InvisibleFolder\20120327095708_chuanqi120327zanting.swf
c:\favoritevideo\InvisibleFolder\20120327103415_shuihu120327zanting.swf
c:\favoritevideo\InvisibleFolder\20120327161656_baidu120328zanting.swf
c:\favoritevideo\InvisibleFolder\20120327173850_maikaolin120327zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120328141614_zhengtu120331zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120328163838_37wan120329zanting.swf
c:\favoritevideo\InvisibleFolder\20120329101854_chuangshi120329zanting.swf
c:\favoritevideo\InvisibleFolder\20120329162451_baidu120330zanting.swf
c:\favoritevideo\InvisibleFolder\20120329180439_120120.jpg
c:\favoritevideo\InvisibleFolder\20120330142116_37wan120330zhu15sanew.swf
c:\favoritevideo\InvisibleFolder\20120330143116_doupocangqiong120331zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120330143753_doupocangqiong120331zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120330144017_doupocangqiong120331cha15s.swf
c:\favoritevideo\InvisibleFolder\20120331130512_qunaer120331zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120331131607_yulongzaitian120401zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120331140730_yulongzaitian120401zanting.swf
c:\favoritevideo\InvisibleFolder\20120331152307_youju37wan120405zanting.swf
c:\favoritevideo\InvisibleFolder\20120331152800_37wan120403zanting.swf
c:\favoritevideo\InvisibleFolder\20120331174113_kunlun120401zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120331174230_kunlun120401zanting.swf
c:\favoritevideo\InvisibleFolder\20120331184428_tengxinfengbao120331zanting.swf
c:\favoritevideo\InvisibleFolder\20120401114814_dongfeng308120401zanting.swf
c:\favoritevideo\InvisibleFolder\20120401133418_suitangyanyi120402zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120401161738_lining120405qipao.swf
c:\favoritevideo\InvisibleFolder\20120401162847_sanguo120403zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120401163328_sanguo120403zanting.swf
c:\favoritevideo\InvisibleFolder\20120401164122_sanguo120403chabo.swf
c:\favoritevideo\InvisibleFolder\20120401172107_maikaolin120401zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120401191211_kelaisile120401zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120401191415_kelaisile120401zanting.swf
c:\favoritevideo\InvisibleFolder\20120405104727_feixian120406zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120405131243_feixian120406zanting.swf
c:\favoritevideo\InvisibleFolder\20120405131446_feixian120406chabo.swf
c:\favoritevideo\InvisibleFolder\20120405140324_suunmofangchan120405zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120405172747_91wan120406zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120405181936_wendao120406zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120406103657_beiqi120406zanting.swf
c:\favoritevideo\InvisibleFolder\20120406145422_lining120406zanting.swf
c:\favoritevideo\InvisibleFolder\20120406164513_kongzhongwang120406zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120406185924_vip120406zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120406193018_jiamei120407fengxiongzanting.swf
c:\favoritevideo\InvisibleFolder\20120406193028_jiamei120407fengxiongqipao.swf
c:\favoritevideo\InvisibleFolder\20120406194759_yunying120406zhu15s.swf
c:\favoritevideo\InvisibleFolder\logclient.dll
c:\favoritevideo\InvisibleFolder\peer(0).dll
c:\favoritevideo\InvisibleFolder\peer(1).dll
c:\favoritevideo\InvisibleFolder\tipsbubble(0).dll
c:\favoritevideo\InvisibleFolder\tipsbubble.dll
c:\favoritevideo\InvisibleFolder\tipsdone.dll
c:\program files (x86)\Common Files\Tencent\Paycenter
c:\program files (x86)\Common Files\Tencent\Paycenter\qqcert.dll
c:\program files (x86)\Common Files\Tencent\Paycenter\qqedit.dll
c:\program files (x86)\SogouExplorer
c:\programdata\Codec-C
c:\programdata\Codec-C\background.html
c:\programdata\Codec-C\bhoclass.dll
c:\programdata\Codec-C\content.js
c:\programdata\Codec-C\data\content.js
c:\programdata\Codec-C\data\jsondb.js
c:\programdata\Codec-C\opnkkfjdnhgkjefnnohgfackfninikjo.crx
c:\programdata\Codec-C\settings.ini
c:\programdata\Codec-C\uninstall.exe
c:\users\Default\AppData\Roaming\SogouExplorer
c:\users\Default\AppData\Roaming\SogouExplorer\Bin\flash_wk.dll
c:\users\Default\AppData\Roaming\SogouExplorer\Bin\malurl.dat
c:\users\Default\AppData\Roaming\SogouExplorer\datapack1
c:\users\Default\AppData\Roaming\SogouExplorer\datapack2
c:\users\Default\AppData\Roaming\SogouExplorer\datapack3
c:\users\Default\AppData\Roaming\SogouExplorer\MetaSearch\metasearchupdate1
c:\users\Default\AppData\Roaming\SogouExplorer\MetaSearch\metasearchupdate2
c:\users\Default\AppData\Roaming\SogouExplorer\script.dat
c:\users\Default\AppData\Roaming\SogouExplorer\urlblack.dat
c:\users\Xiaoyun\AppData\Roaming\SogouExplorer
c:\users\Xiaoyun\AppData\Roaming\SogouExplorer\confdll.dll
.
.
((((((((((((((((((((((((( New Files from 2012-03-06 to 2012-04-06 )))))))))))))))))))))))))))))))
.
.
2012-04-06 20:48 . 2012-04-06 20:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-05 15:04 . 2012-04-06 20:44 -------- d-----w- c:\users\Xiaoyun\AppData\Roaming\Dropbox
2012-04-02 01:44 . 2012-04-06 20:30 -------- d-----w- C:\QUARANTINE
2012-03-31 01:06 . 2012-03-31 01:07 -------- d-----w- C:\wo99Cache
2012-03-24 01:39 . 2010-03-26 00:07 78896 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-03-24 01:39 . 2010-03-26 00:07 97576 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-03-24 01:39 . 2010-03-26 00:07 84424 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2012-03-24 01:39 . 2010-03-26 00:07 79504 ----a-w- c:\windows\system32\mfevtps.exe
2012-03-24 01:39 . 2010-03-26 00:07 469400 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-03-24 01:39 . 2010-03-26 00:07 120096 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-03-24 01:38 . 2012-03-24 01:38 -------- d-----w- c:\program files (x86)\Common Files\Cisco Systems
2012-03-24 01:38 . 2012-03-24 01:39 -------- d-----w- c:\programdata\McAfee
2012-03-24 01:38 . 2012-03-24 01:38 -------- d-----w- c:\program files (x86)\McAfee
2012-03-24 01:38 . 2012-03-24 01:38 -------- d-----w- c:\program files (x86)\Common Files\McAfee
2012-03-24 01:17 . 2012-03-24 01:17 -------- d-----w- C:\Program%20Files
2012-03-24 01:17 . 2012-03-24 01:35 -------- d-----w- C:\Temp
2012-03-23 21:50 . 2012-03-23 21:50 -------- d-----w- c:\programdata\Premium
2012-03-23 21:49 . 2012-03-23 21:50 -------- d-----w- c:\programdata\InstallMate
2012-03-19 01:31 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-03-14 20:09 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 20:09 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-14 20:09 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-14 13:57 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 13:57 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 13:57 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 13:56 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 13:56 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-14 13:56 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 13:56 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 13:56 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 13:56 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 13:56 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-13 02:08 . 2012-03-13 02:08 -------- d-----w- c:\users\Xiaoyun\AppData\Local\Ilivid Player
2012-03-13 02:08 . 2012-03-13 02:08 -------- d--h--w- c:\programdata\{A37818CF-E0CC-4A13-B685-605AE2F01FD2}
2012-03-13 02:08 . 2012-03-13 02:08 -------- d-----w- c:\users\Xiaoyun\AppData\Local\PackageAware
2012-03-13 02:01 . 2012-03-13 02:01 -------- d-----w- c:\program files\DivX
2012-03-13 02:00 . 2012-03-15 01:37 -------- d-----w- c:\programdata\DivX
.
.
.
(((((((((((((((((((((((((((((((((((((((( Files modified in past three months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-12 14:07 . 2011-07-06 02:37 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-06 23:15 . 2011-06-29 01:42 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2011-06-29 01:42 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-03-06 23:15 . 2011-06-29 01:19 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:04 . 2011-06-29 01:43 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:04 . 2011-06-29 01:43 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:01 . 2011-06-29 01:43 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2011-06-29 01:43 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-06 23:01 . 2011-06-29 01:43 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-01-13 19:17 . 2012-01-04 02:49 421200 ----a-w- c:\windows\SysWow64\msvcp100.dll
2012-01-13 19:17 . 2012-01-04 02:48 770384 ----a-w- c:\windows\SysWow64\msvcr100.dll
2012-01-13 15:53 . 2011-06-29 01:05 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Important Entry Point ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*NOTE* Blank legal default login will not be displayed
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"NACAgentUI"="c:\program files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2011-07-25 525752]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-03-26 124224]
.
c:\users\Xiaoyun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ SOGOUPY.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R4 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2011-06-29 155344]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2010-03-26 20792]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
S2 NACAgent;Cisco NAC Agent;c:\program files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe [2011-07-25 1105848]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe [2011-12-08 2028864]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesDriver64.sys [2011-06-06 11856]
.
.
Project Task Folder's Content
.
2012-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3508467117-2036912125-962069148-1000Core.job
- c:\users\Xiaoyun\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-21 15:57]
.
2012-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3508467117-2036912125-962069148-1000UA.job
- c:\users\Xiaoyun\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-21 15:57]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1573160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-29 7982112]
"HDMICtrlMan"="c:\program files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe" [2009-08-03 1032536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
------- Extra Scans -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ca/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: myitlab.com
Trusted Zone: pearsoncmg.com
Trusted Zone: pearsoned.com
TCP: DhcpNameServer = 131.104.136.36 131.104.20.10
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - c:\progra~2\KuGou7\KUGOO3~1.OCX
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - c:\progra~2\KuGou7\KUGOO3~1.OCX
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
.
.
------- File Type -------
.
inifile=c:\windows\SysWow64\NOTEPAD.EXE %1
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{DAA4FC9E-7600-4F89-85E5-527606DC20EC} - c:\programdata\Codec-C\bhoclass.dll
AddRemove-{2EF17083-57D4-4D64-AE4F-55F32A2C4571} - c:\programdata\Codec-C\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3508467117-2036912125-962069148-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-3508467117-2036912125-962069148-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.eml.14"
.
[HKEY_USERS\S-1-5-21-3508467117-2036912125-962069148-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-3508467117-2036912125-962069148-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.vcf.14"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\McAfee\Common Framework\FrameworkService.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files (x86)\McAfee\Common Framework\naPrdMgr.exe
.
**************************************************************************
.
Finished Time: 2012-04-06 17:15:52 - Computer has restarted
ComboFix-quarantined-files.txt 2012-04-06 21:15
.
Pre-Run: 120,041,738,240 bytes free
Post-Run: 119,685,152,768 bytes free
.
- - End Of File - - 0873B19BF1924A364C14C955E3B1135D

#5 nasdaq

  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 April 2012 - 08:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If, after running ComboFix, you get the error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.

Please post the logs for my review.

#6 laughingcloud

Posted 12 April 2012 - 01:03 PM

Hi, after I ran ComboFix, when it was preparing the logs, I received a window that says "Windows cannot find NIRKMD. Make sure you typed the name correctly, and then try again." To which I can only click OK in order to get rid of it. This happened five times but did not seem to stop ComboFix from generating the log:


ComboFix 12-04-12.03 - Xiaoyun 12/04/2012 13:14:00.5.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.936.86.1033.18.3964.2540 [GMT -4:00]
执行位置: c:\users\Xiaoyun\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
Error: Cfiles.dat
.
((((((((((((((((((((((((( 2012-03-12 至 2012-04-12 的新的档案 )))))))))))))))))))))))))))))))
.
.
2012-04-12 17:24 . 2012-04-12 17:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-11 01:06 . 2012-04-11 01:06 -------- d-----w- c:\program files\Common Files\Corel
2012-04-11 00:55 . 2012-04-11 01:07 -------- d-----w- c:\programdata\WordPerfect Office X5
2012-04-10 23:33 . 2012-04-11 00:18 88 --sh--r- c:\programdata\0D2D85329B.sys
2012-04-10 23:33 . 2012-04-11 01:08 3766 --sha-w- c:\programdata\KGyGaAvL.sys
2012-04-10 23:33 . 2012-04-11 01:29 -------- d-----w- c:\users\Xiaoyun\AppData\Roaming\Corel
2012-04-10 23:15 . 2012-04-11 01:28 -------- d-----w- c:\programdata\Corel
2012-04-10 23:11 . 2012-04-11 01:22 -------- d-----w- c:\programdata\Borland
2012-04-10 19:29 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-10 19:29 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-10 19:29 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-10 19:28 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-10 19:28 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-10 19:28 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-10 19:28 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-10 04:55 . 2012-04-10 04:56 -------- d-----w- c:\program files (x86)\Google
2012-04-10 04:19 . 2012-04-10 04:19 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-10 04:17 . 2012-04-10 04:17 -------- d-----w- c:\users\Xiaoyun\SyncFolder
2012-04-10 04:14 . 2012-04-12 00:52 -------- d-----w- c:\program files (x86)\JustCloud
2012-04-10 03:34 . 2012-04-10 03:34 -------- d-----w- c:\users\Xiaoyun\AppData\Roaming\WinPatrol
2012-04-10 03:34 . 2012-04-10 03:34 -------- d-----w- c:\program files (x86)\BillP Studios
2012-04-10 02:38 . 2012-04-10 02:38 -------- d-----w- c:\program files (x86)\Trend Micro
2012-04-10 02:27 . 2012-04-10 02:27 -------- d-----w- c:\users\Xiaoyun\AppData\Roaming\Malwarebytes
2012-04-10 02:27 . 2012-04-10 02:27 -------- d-----w- c:\programdata\Malwarebytes
2012-04-10 02:27 . 2012-04-10 02:27 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-10 02:27 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-10 02:18 . 2012-04-10 02:18 -------- d-----w- c:\program files\CCleaner
2012-04-10 01:35 . 2012-04-10 01:35 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-04-05 15:04 . 2012-04-12 00:56 -------- d-----w- c:\users\Xiaoyun\AppData\Roaming\Dropbox
2012-04-02 01:44 . 2012-04-10 03:18 -------- d-----w- C:\QUARANTINE
2012-03-31 01:06 . 2012-03-31 01:07 -------- d-----w- C:\wo99Cache
2012-03-24 01:39 . 2010-03-26 00:07 78896 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-03-24 01:39 . 2010-03-26 00:07 97576 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-03-24 01:39 . 2010-03-26 00:07 84424 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2012-03-24 01:39 . 2010-03-26 00:07 79504 ----a-w- c:\windows\system32\mfevtps.exe
2012-03-24 01:39 . 2010-03-26 00:07 469400 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-03-24 01:39 . 2010-03-26 00:07 120096 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-03-24 01:38 . 2012-03-24 01:38 -------- d-----w- c:\program files (x86)\Common Files\Cisco Systems
2012-03-24 01:38 . 2012-04-10 02:05 -------- d-----w- c:\programdata\McAfee
2012-03-24 01:38 . 2012-03-24 01:38 -------- d-----w- c:\program files (x86)\McAfee
2012-03-24 01:38 . 2012-03-24 01:38 -------- d-----w- c:\program files (x86)\Common Files\McAfee
2012-03-24 01:17 . 2012-03-24 01:17 -------- d-----w- C:\Program%20Files
2012-03-24 01:17 . 2012-03-24 01:35 -------- d-----w- C:\Temp
2012-03-23 21:50 . 2012-03-23 21:50 -------- d-----w- c:\programdata\Premium
2012-03-23 21:49 . 2012-04-10 03:34 -------- d-----w- c:\programdata\InstallMate
2012-03-19 01:31 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-03-14 13:57 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 13:57 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 13:57 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 13:56 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 13:56 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-14 13:56 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 13:56 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 13:56 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 13:56 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 13:56 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-10 04:19 . 2011-06-29 01:05 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-12 14:07 . 2011-07-06 02:37 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-06 23:15 . 2011-06-29 01:42 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2011-06-29 01:42 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-03-06 23:15 . 2011-06-29 01:19 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:04 . 2011-06-29 01:43 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:04 . 2011-06-29 01:43 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:01 . 2011-06-29 01:43 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2011-06-29 01:43 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-06 23:01 . 2011-06-29 01:43 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-01-13 19:17 . 2012-01-04 02:49 421200 ----a-w- c:\windows\SysWow64\msvcp100.dll
2012-01-13 19:17 . 2012-01-04 02:48 770384 ----a-w- c:\windows\SysWow64\msvcr100.dll
.
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"NACAgentUI"="c:\program files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2011-07-25 525752]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-03-26 124224]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2012-03-25 329312]
.
c:\users\Xiaoyun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ SOGOUPY.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-10 116648]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 253600]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-10 116648]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R4 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2011-06-29 155344]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2010-03-26 20792]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
S2 NACAgent;Cisco NAC Agent;c:\program files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe [2011-07-25 1105848]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe [2011-12-08 2028864]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesDriver64.sys [2011-06-06 11856]
.
.
计划任务 文件夹 里的内容
.
2012-04-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 04:19]
.
2012-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-10 04:55]
.
2012-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-10 04:55]
.
2012-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3508467117-2036912125-962069148-1000Core.job
- c:\users\Xiaoyun\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-21 15:57]
.
2012-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3508467117-2036912125-962069148-1000UA.job
- c:\users\Xiaoyun\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-21 15:57]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Xiaoyun\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1573160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-29 7982112]
"HDMICtrlMan"="c:\program files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe" [2009-08-03 1032536]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\WinPatrol.exe" [2012-03-25 329312]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
------- 而外的扫描 -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ca/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Copy to &Lightning Note - c:\program files (x86)\Corel\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files (x86)\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: myitlab.com
Trusted Zone: pearsoncmg.com
Trusted Zone: pearsoned.com
TCP: DhcpNameServer = 131.104.136.36 131.104.20.10
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
.
.
------- 文件类型 -------
.
inifile=c:\windows\SysWow64\NOTEPAD.EXE %1
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{04cd1f3e-81d5-4904-a3ab-e0f99a7d769d} - (no file)
ShellIconOverlayIdentifiers-{04cd1f3e-81d5-4904-a3ab-e0f99a7d769d} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3508467117-2036912125-962069148-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-3508467117-2036912125-962069148-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.eml.14"
.
[HKEY_USERS\S-1-5-21-3508467117-2036912125-962069148-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-3508467117-2036912125-962069148-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.vcf.14"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\McAfee\Common Framework\FrameworkService.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files (x86)\McAfee\Common Framework\naPrdMgr.exe
.
**************************************************************************
.
完成时间: 2012-04-12 13:49:48 - 电脑已重新启动
ComboFix-quarantined-files.txt 2012-04-12 17:49
ComboFix2.txt 2012-04-10 01:24
.
Pre-Run: 118,807,191,552 bytes free
Post-Run: 119,498,096,640 bytes free
.
- - End Of File - - A79C96F052E128C868C60D42BC3F0E82


And here's the log from the Security Check:


Results of screen317's Security Check version 0.99.32
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
McAfee VirusScan Enterprise
McAfee AntiSpyware Enterprise Module
McAfee Agent
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

McAfee AntiSpyware Enterprise Module
TuneUp Utilities 2011
TuneUp Utilities Language Pack (en-US)
TuneUp Utilities 2011
Java™ 6 Update 31
Adobe Reader X (10.1.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

WinPatrol winpatrol.exe
McAfee VirusScan Enterprise x64 engineserver.exe
McAfee VirusScan Enterprise shstat.exe
McAfee VirusScan Enterprise vstskmgr.exe
McAfee VirusScan Enterprise x64 mcshield.exe
McAfee VirusScan Enterprise x64 mfeann.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
BillP Studios WinPatrol WinPatrol.exe
``````````End of Log````````````

#7 nasdaq


Posted 13 April 2012 - 08:38 AM

Your logs are clean.

Any remaining issues with this computer?

#8 laughingcloud


Posted 13 April 2012 - 11:14 AM

It seems fine, but the start menu programs are still gone.

#9 nasdaq


Posted 13 April 2012 - 12:49 PM

Download this file and run it.
On Windows 7 and Vista, right-click on the .exe file and run it as an Administrator.


Download this .exe file to your desktop and run it.
Windows 7 64-bit US English
http://download.bleepingcomputer.com/grinler/fakehdd/win7-x64-sm-reset.exe

This will restore the default items only.
===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#10 laughingcloud


Posted 13 April 2012 - 04:04 PM

Alright, thanks!

#11 nasdaq


Posted 19 April 2012 - 10:21 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



