
consrv.dll and jraid.dll have been found infected by tr/atraps.Gen & Google keeps redirecting


  • This topic is locked
19 replies to this topic

#1 strikerchen

strikerchen

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:02 PM

Posted 09 May 2012 - 08:56 AM

Hi guys,

A few days ago, my AV popped up and said my computer has been infected by Tr/atraps.Gen2. I ran a system scan, which detected consrv.dll and Jraid.dll as trojans and removed them. After that I rebooted the machine and the machine boot loops. If I run a system repair, it brings the machine back to a System Restore point. I've tried several other AVs, such as AVG and Avira, but the results are the same. And when I follow the instructions in http://www.bleepingcomputer.com/forums/topic34773.html , I just found out that I'm not able to enable my firewall.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by peterchen at 21:34:02 on 2012-05-09
Microsoft Windows 7 Ultimate 6.1.7601.1.936.86.1033.18.1783.244 [GMT 8:00]
.
AV: 360杀毒 *Disabled/Updated* {A0FD413B-F662-C08C-7B21-F57CED225A55}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\SysWOW64\svchost -k XLServicePlatform
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe
C:\Program Files (x86)\360\360Safe\safemon\360tray.exe
C:\Users\peterchen\AppData\Local\360Chrome\Chrome\Application\360chrome.exe
C:\Users\peterchen\AppData\Local\360Chrome\Chrome\Application\360chrome.exe
C:\Users\peterchen\AppData\Local\360Chrome\Chrome\Application\360chrome.exe
C:\Users\peterchen\AppData\Local\360Chrome\Chrome\Application\360chrome.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
E:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
c:\program files (x86)\common files\thunder network\tp\ver1\1.1.2.116_1111\thunderplatform.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0c09&m=eme732&r=27361210g216l04e3z1l5r4711t398
uWindow Title = Windows Internet Explorer
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0c09&m=eme732&r=27361210g216l04e3z1l5r4711t398
mStart Page = about:blank
uInternet Settings,ProxyOverride = local
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: 迅雷FLV视频嗅探及下载支持: {0ea37b17-6b8b-4085-8257-f3a4aa69c27a} - e:\Program Files (x86)\Thunder Network\Thunder\BHO\XlBrowserAddin1.0.6.69.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: 迅雷下载支持: {889d2feb-5411-4565-8998-1dd2c5261283} - e:\Program Files (x86)\Thunder Network\Thunder\BHO\XunleiBHO7.2.5.3364.dll
BHO: SafeMon Class: {b69f34dd-f0f9-42dc-9edd-957187da688d} - C:\Program Files (x86)\360\360Safe\safemon\safemon.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [360Safetray] "C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe" /start
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: OldEnableShellExecuteHooks = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableUIPI = 1 (0x1)
IE: &使用&迅雷下载 - e:\Program Files (x86)\Thunder Network\Thunder\BHO\geturl.htm
IE: &使用&迅雷下载全部链接 - e:\Program Files (x86)\Thunder Network\Thunder\BHO\GetAllUrl.htm
IE: &使用&迅雷离线下载 - e:\Program Files (x86)\Thunder Network\Thunder\BHO\OfflineDownload.htm
IE: 导出到 Microsoft Excel(&X) - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {0A155D3C-68E2-4215-A47A-E800A446447A}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: taobao.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {9FAFB576-6933-4CCC-AB3D-B988EC43D04E} - hxxp://rsdownload.rising.com.cn/rs2010/online/ravolctl.cab
DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} - hxxps://online.westpac.com.au/wtpbs/wtBalanceSheet/portfoliomanagerwt.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{FAE6364B-2EEE-48CD-9479-3E2AE8299399} : DhcpNameServer = 10.0.0.138
TCP: Interfaces\{FFE84B19-21BA-4129-B491-80CA1A275FB7} : DhcpNameServer = 10.1.1.1
TCP: Interfaces\{FFE84B19-21BA-4129-B491-80CA1A275FB7}\24967605F6E646131453935413 : DhcpNameServer = 10.0.0.138
TCP: Interfaces\{FFE84B19-21BA-4129-B491-80CA1A275FB7}\24967605F6E646939333549313 : DhcpNameServer = 10.0.0.138
TCP: Interfaces\{FFE84B19-21BA-4129-B491-80CA1A275FB7}\960586F6E656 : DhcpNameServer = 10.143.147.147 10.143.147.148
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - e:\PROGRA~1\KuGou7\KUGOO3~1.OCX
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - e:\PROGRA~1\KuGou7\KUGOO3~1.OCX
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: 迅雷FLV视频嗅探及下载支持: {0EA37B17-6B8B-4085-8257-F3A4AA69C27A} - e:\Program Files (x86)\Thunder Network\Thunder\BHO\XlBrowserAddin1.0.6.69.dll
BHO-X64: XlBrowserAddinBho.XlBrowserAddinBhoObject - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: 迅雷下载支持: {889D2FEB-5411-4565-8998-1DD2C5261283} - e:\Program Files (x86)\Thunder Network\Thunder\BHO\XunleiBHO7.2.5.3364.dll
BHO-X64: XunleiBHO - No File
BHO-X64: SafeMon Class: {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program Files (x86)\360\360Safe\safemon\safemon.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [360Safetray] "C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe" /start
IE-X64: {0A155D3C-68E2-4215-A47A-E800A446447A}
.
============= SERVICES / DRIVERS ===============
.
R1 360AntiHacker;360Safe Anti Hacker Service;C:\Windows\system32\Drivers\360AntiHacker64.sys --> C:\Windows\system32\Drivers\360AntiHacker64.sys [?]
R1 360Box64;360Box mini-filter driver;C:\Windows\system32\DRIVERS\360Box64.sys --> C:\Windows\system32\DRIVERS\360Box64.sys [?]
R1 360FsFlt;360FsFlt mini-filter driver;C:\Windows\system32\DRIVERS\360FsFlt.sys --> C:\Windows\system32\DRIVERS\360FsFlt.sys [?]
R1 360netmon;360netmon;C:\Windows\system32\DRIVERS\360netmon.sys --> C:\Windows\system32\DRIVERS\360netmon.sys [?]
R1 BAPIDRV;BAPIDRV;C:\Windows\system32\Drivers\BAPIDRV64.SYS --> C:\Windows\system32\Drivers\BAPIDRV64.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-7-26 321104]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [2010-9-19 868896]
R2 GREGService;GREGService;C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [2010-1-8 23584]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-7-26 13336]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-9-19 2320920]
R2 XLServicePlatform;XLServicePlatform;C:\Windows\system32\svchost -k XLServicePlatform --> C:\Windows\system32\svchost -k XLServicePlatform [?]
R2 ZhuDongFangYu;主动防御;C:\Program Files (x86)\360\360Safe\deepscan\ZhuDongFangYu.exe [2012-4-19 276312]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-29 257696]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\system32\drivers\AmUStor.SYS --> C:\Windows\system32\drivers\AmUStor.SYS [?]
S3 androidusb;ADB Interface Driver;C:\Windows\system32\Drivers\androidusb.sys --> C:\Windows\system32\Drivers\androidusb.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TesSafe;TesSafe;\??\C:\Windows\system32\TesSafe.sys --> C:\Windows\system32\TesSafe.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2010-7-26 243232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 zghsmdm;ZTE General Handset USB Modem Proprietary;C:\Windows\system32\DRIVERS\zghsmdm.sys --> C:\Windows\system32\DRIVERS\zghsmdm.sys [?]
.
=============== File Associations ===============
.
chm.file="hh.exe" %1
inifile=C:\Windows\SysWow64\NOTEPAD.EXE %1
txtfile=C:\Windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2012-05-09 12:48:10 -------- d-----w- C:\Users\peterchen\AppData\Local\360Chrome
2012-05-09 12:41:15 -------- d-----w- C:\Users\peterchen\AppData\Roaming\360Desktop
2012-05-09 12:22:21 49512 ----a-w- C:\Windows\System32\drivers\360AntiHacker64.sys
2012-05-09 12:22:21 355928 ----a-w- C:\Windows\System32\drivers\360FsFlt.sys
2012-05-09 12:22:20 -------- d-sh--r- C:\360SANDBOX
2012-05-09 12:22:19 285024 ----a-w- C:\Windows\System32\drivers\360Box64.sys
2012-05-09 12:22:17 146776 ----a-w- C:\Windows\SysWow64\360SoftMgr.cpl
2012-05-09 12:22:16 59992 ----a-w- C:\Windows\System32\drivers\360netmon.sys
2012-05-09 12:22:13 -------- d-----w- C:\Users\peterchen\AppData\Roaming\360safe
2012-05-09 12:19:02 -------- d-----w- C:\Users\peterchen\AppData\Roaming\360inst
2012-05-09 10:51:32 -------- d-----w- C:\Users\peterchen\AppData\Local\AVG Secure Search
2012-05-09 10:51:02 -------- d-----w- C:\ProgramData\AVG Secure Search
2012-05-09 10:50:54 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search
2012-05-09 10:50:53 -------- d-----w- C:\Program Files (x86)\AVG Secure Search
2012-05-09 10:50:40 -------- d--h--w- C:\ProgramData\Common Files
2012-05-09 10:50:31 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2012-05-09 10:45:40 -------- d--h--w- C:\$AVG
2012-05-09 10:45:38 -------- d-----w- C:\ProgramData\AVG2012
2012-05-09 10:41:33 -------- d-----w- C:\Program Files (x86)\AVG
2012-05-09 10:32:46 -------- d-----w- C:\ProgramData\MFAData
2012-05-09 07:40:49 -------- d-sh--w- C:\KRECYCLE
2012-05-09 07:34:42 -------- d-----w- C:\Program Files (x86)\Rising
2012-05-09 07:32:07 -------- d-----w- C:\Program Files (x86)\kingsoft
2012-05-09 07:28:32 608448 ----a-w- C:\Windows\SysWow64\COMCTL32.OCX
2012-05-09 07:28:31 260096 ----a-w- C:\Windows\SysWow64\RICHTX32.OCX
2012-05-09 07:28:31 211968 ----a-w- C:\Windows\SysWow64\TABCTL32.OCX
2012-05-09 07:28:31 117248 ----a-w- C:\Windows\SysWow64\MSINET.OCX
2012-05-09 07:28:31 110592 ----a-w- C:\Windows\SysWow64\MSWINSCK.OCX
2012-05-07 09:58:22 -------- d-sh--w- C:\found.001
2012-05-07 05:15:23 -------- d-----w- C:\Program Files (x86)\Avira
2012-05-07 05:03:33 171360 ----a-w- C:\Windows\System32\drivers\BAPIDRV64.SYS
2012-05-06 17:35:51 -------- d-----w- C:\Users\peterchen\AppData\Roaming\360SuperKiller
2012-05-06 08:30:36 -------- d-----w- C:\Users\peterchen\AppData\Roaming\Ylic
2012-05-06 08:30:34 -------- d-----w- C:\Users\peterchen\AppData\Roaming\Ukusa
2012-05-06 08:30:22 -------- d-----w- C:\Users\peterchen\AppData\Roaming\Ralonal
2012-05-06 08:30:22 -------- d-----w- C:\Users\peterchen\AppData\Roaming\Ataslup
2012-05-06 08:20:14 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-05-06 08:19:04 -------- d-----we C:\Windows\system64
2012-05-06 04:28:04 -------- d-----w- C:\Users\peterchen\AppData\Roaming\GarenaPlus
2012-05-06 04:18:32 -------- d-----w- C:\ProgramData\GarenaMessenger
2012-04-28 18:13:19 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2012-04-21 19:29:32 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{582CF93F-42F8-4097-AF13-E8BB86DC54AC}\offreg.dll
2012-04-21 12:58:31 -------- d-----w- C:\Program Files (x86)\Enigma Software Group
2012-04-21 12:58:09 -------- d-----w- C:\Windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-04-21 12:56:30 -------- d-----w- C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2012-04-21 10:54:50 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{582CF93F-42F8-4097-AF13-E8BB86DC54AC}\mpengine.dll
2012-04-21 10:04:32 -------- d-----w- C:\ProgramData\PC Tools
2012-04-21 09:33:11 -------- d-----w- C:\sh4ldr
2012-04-21 09:33:11 -------- d-----w- C:\Program Files\Enigma Software Group
2012-04-21 09:32:57 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2012-04-21 08:16:09 120600 ----a-w- C:\Windows\SysWow64\xunyount.dll
2012-04-17 19:29:34 -------- d-----w- C:\Program Files (x86)\Common Files\PPLiveNetwork
2012-04-11 01:58:41 -------- d-----w- C:\ProgramData\Windows
2012-04-11 01:28:22 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-11 01:28:22 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-11 01:28:21 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-11 01:11:44 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-11 01:11:42 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-11 01:11:41 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-11 01:11:34 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-11 01:11:34 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-11 01:11:33 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-11 01:11:33 5120 ----a-w- C:\Windows\System32\wmi.dll
.
==================== Find3M ====================
.
2012-05-06 07:01:01 163920 ----a-w- C:\Windows\System32\TesSafe.sys
2012-05-06 03:50:57 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-06 03:50:57 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-23 02:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-17 06:38:27 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
.
============= FINISH: 21:36:01.20 ===============


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:02 AM

Posted 09 May 2012 - 03:17 PM

Hi strikerchen,

Welcome to the forum. We will remove this infection.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
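The DDS log in the first post already carries the indicator that makes the offline FRST scan the right next step: the `SubSystems: Windows = ...` line lists `consrv:ConServerDllInitialization` where a clean Windows 7 x64 install lists `winsrv:ConServerDllInitialization`, so csrss.exe is being told to load an extra server DLL (consrv.dll) at every boot, which is why deleting the file from a running system leaves the machine in a boot loop. As an added example, not code from the thread, from Farbar or from FRST, the Python script below parses that DDS line against a Windows 7 baseline and reports any ServerDll module or entry point that is not expected. The sample log lines are constructed from the DDS output above, and the baseline (`basesrv`, `winsrv` with its User and Con entry points, `sxssrv`) is stated here as an assumption that holds for Windows 7; other Windows versions use a different list.

```python
r"""Flag a hijacked Win32 subsystem ServerDll list in a DDS-style log.

On Windows 7 x64, csrss.exe loads the server DLLs named in the registry value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows:
basesrv, winsrv (User and Con entry points) and sxssrv.  Any other module in
that list (here: consrv) is an extra DLL loaded into csrss at boot.
"""
import re
from collections import namedtuple

# Baseline for Windows 7 (assumption: other Windows versions differ).
# None as an entry point means the module is listed without ":EntryPoint".
EXPECTED_SERVER_DLLS = {
    "basesrv": {None},
    "winsrv": {"UserServerDllInitialization", "ConServerDllInitialization"},
    "sxssrv": {None},
}

# Matches the DDS "Pseudo HJT Report" line, e.g.
# "SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 ..."
SUBSYSTEMS_RE = re.compile(r"^SubSystems:\s*Windows\s*=\s*(?P<value>\S.*)$")

ServerDll = namedtuple("ServerDll", "module entrypoint index")


def parse_server_dlls(value):
    """Split 'basesrv,1 winsrv:UserServerDllInitialization,3 ...' into ServerDll tuples."""
    entries = []
    for token in value.split():
        if "," in token:
            spec, index = token.rsplit(",", 1)
        else:
            spec, index = token, ""
        module, _, entrypoint = spec.partition(":")
        entries.append(ServerDll(module.lower(), entrypoint or None,
                                 int(index) if index.isdigit() else None))
    return entries


def find_unexpected_server_dlls(value):
    """Return (module, entrypoint) pairs that are not in the Windows 7 baseline."""
    unexpected = []
    for entry in parse_server_dlls(value):
        allowed = EXPECTED_SERVER_DLLS.get(entry.module)
        if allowed is None or entry.entrypoint not in allowed:
            unexpected.append((entry.module, entry.entrypoint))
    return unexpected


def scan_log(lines):
    """Scan DDS-style log lines; return human-readable findings (empty list = clean)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = SUBSYSTEMS_RE.match(line.strip())
        if not match:
            continue
        for module, entrypoint in find_unexpected_server_dlls(match.group("value")):
            name = module if entrypoint is None else f"{module}:{entrypoint}"
            findings.append(f"line {lineno}: unexpected csrss ServerDll '{name}' "
                            f"(check {module}.dll under system32)")
    return findings


# Constructed sample: the SubSystems line as it appears in the DDS log above,
# surrounded by two unrelated DDS lines.
INFECTED_LOG = [
    "mWinlogon: Userinit=userinit.exe",
    "SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 "
    "consrv:ConServerDllInitialization,2 sxssrv,4",
    "IE-X64: {0A155D3C-68E2-4215-A47A-E800A446447A}",
]

# Constructed sample of the same line on a clean Windows 7 x64 system.
CLEAN_LOG = [
    "SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 "
    "winsrv:ConServerDllInitialization,2 sxssrv,4",
]

if __name__ == "__main__":
    for label, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG)):
        print(label, scan_log(log) or "no findings")
```

The check is deliberately an allow-list rather than a search for the string `consrv`: any module that csrss is told to load beyond the baseline is worth a look, whatever it is called, and the same parser works on the DDS line regardless of the order or index numbers of the entries.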

#3 strikerchen

strikerchen
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:02 PM

Posted 09 May 2012 - 11:48 PM

Hi,

I've done what you said and I do get this log.

Here is the log:

Scan result of Farbar Recovery Scan Tool Version: 09-05-2012
Ran by SYSTEM at 10-05-2012 12:39:05
Running from H:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2097960 2010-04-22] (Synaptics Incorporated)
HKLM\...\Run: [Acer ePower Management] C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe [861216 2010-06-11] (Acer Incorporated)
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324608 2010-06-09] (Alcor Micro Corp.)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11046504 2010-07-13] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [168216 2011-05-08] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [392472 2011-05-08] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [416024 2011-05-08] (Intel Corporation)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [968272 2010-06-21] (Dritek System Inc.)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [360Safetray] "C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe" /start [864856 2012-03-30] (360.cn)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.1.1.1
SubSystems: [Windows] ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ======

2 DsiWMIService; C:\Program Files (x86)\Launch Manager\dsiwmis.exe [321104 2010-06-21] (Dritek System Inc.)
2 ePowerSvc; C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [868896 2010-06-11] (Acer Incorporated)
2 GREGService; C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
2 IAStorDataMgrSvc; "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe" [13336 2010-03-03] (Intel Corporation)
2 issuser; C:\Windows\System32\JRAID.dll [6656 2009-07-13] (Oak Technology Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-02-02] (Intel Corporation)
3 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [243232 2010-01-28] (Acer Group)
2 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [87728 2012-01-04] (ShenZhen Xunlei Networking Technologies,LTD)
2 ZhuDongFangYu; "C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe" [276312 2012-04-19] (360.cn)

========================== Drivers (Whitelisted) =============

1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [49512 2012-04-09] (360.cn)
1 360Box64; C:\Windows\System32\Drivers\360Box64.sys [285024 2012-03-16] (360????)
1 360FsFlt; C:\Windows\System32\Drivers\360FsFlt.sys [355928 2012-03-08] (360.cn)
1 360netmon; C:\Windows\System32\Drivers\360netmon.sys [59992 2012-01-31] (360.cn)
3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [38424 2010-10-17] (Google Inc)
1 BAPIDRV; C:\Windows\System32\Drivers\BAPIDRV64.SYS [171360 2011-12-05] (360.cn)
0 BC; C:\Windows\SysWow64\Drivers\BC.sys [24984 2010-11-10] (Kingsoft Corporation)
3 ComputerZ_x64; C:\Windows\SysWow64\Drivers\ComputerZ_x64.sys [23912 2011-11-30] (360.cn)
3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [12228128 2011-04-14] (Intel Corporation)
3 NTIDrvr; C:\Windows\System32\Drivers\NTIDrvr.sys [18432 2010-04-19] (NTI Corporation)
3 tap0901; C:\Windows\System32\Drivers\tap0901.sys [31232 2011-03-20] (The OpenVPN Project)
3 TesSafe; \??\C:\Windows\system32\TesSafe.sys [163920 2012-05-09] (TENCENT)
3 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [17408 2010-07-08] (NTI Corporation)
3 UsbserFilt; C:\Windows\System32\DRIVERS\usbser_lowerfltjx64.sys [9216 2010-07-29] (Nokia)
3 zghsmdm; C:\Windows\System32\Drivers\zghsmdm.sys [122624 2011-01-12] (ZTE Incorporated)
3 ApolloProtect; \??\e:\Program Files (x86)\T2CN\????\Apollo\Apollo.sys [x]
3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
3 esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [x]
3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [x]
3 ksfmonsys; \??\e:\Program Files (x86)\KSafe\ksfmonsys64.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 TcHardWare; \??\e:\Program Files (x86)\Tencent\QQPCMgr\QQPCHW.sys [x]
3 tcphoc; \??\E:\Program Files (x86)\Thunder Network\Thunder\XLDoctor\7.1.3.2044_1\Program\tcphoc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]
3 X6va005; \??\C:\Users\PETERC~1\AppData\Local\Temp\0053ADF.tmp [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: issuser

============ One Month Created Files and Folders ==============

2012-05-10 12:38 - 2012-05-10 12:39 - 0000000 ____D C:\FRST
2012-05-09 05:37 - 2012-05-09 05:37 - 0019600 ____A C:\Users\peterchen\Desktop\DDS.txt
2012-05-09 05:37 - 2012-05-09 05:37 - 0014130 ____A C:\Users\peterchen\Desktop\Attach.txt
2012-05-09 05:33 - 2012-05-09 05:31 - 0607260 ____R (Swearware) C:\Users\peterchen\Desktop\dds.scr
2012-05-09 05:30 - 2012-05-09 05:31 - 0607260 ____R (Swearware) C:\Users\peterchen\Downloads\dds.scr
2012-05-09 05:29 - 2012-05-09 05:29 - 0000480 ____A C:\Users\peterchen\Desktop\defogger_disable.log
2012-05-09 05:29 - 2012-05-09 05:29 - 0000000 ____A C:\Users\peterchen\defogger_reenable
2012-05-09 05:26 - 2012-05-09 05:26 - 0050477 ____A C:\Users\peterchen\Desktop\Defogger.exe
2012-05-09 04:48 - 2012-05-09 04:48 - 0002400 ____A C:\Users\peterchen\Desktop\360Chrome.lnk
2012-05-09 04:48 - 2012-05-09 04:48 - 0000000 ____D C:\Users\peterchen\AppData\Local\360Chrome
2012-05-09 04:41 - 2012-05-09 04:49 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360Desktop
2012-05-09 04:33 - 2012-05-09 04:33 - 0000000 ____D C:\Windows\Tasks\360Disabled
2012-05-09 04:22 - 2012-05-09 20:28 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360safe
2012-05-09 04:22 - 2012-05-09 04:22 - 0000000 _RSHD C:\360SANDBOX
2012-05-09 04:22 - 2012-04-09 03:32 - 0049512 ____A (360.cn) C:\Windows\System32\Drivers\360AntiHacker64.sys
2012-05-09 04:22 - 2012-03-16 03:38 - 0285024 ____A (360????) C:\Windows\System32\Drivers\360Box64.sys
2012-05-09 04:22 - 2012-03-08 00:01 - 0355928 ____A (360.cn) C:\Windows\System32\Drivers\360FsFlt.sys
2012-05-09 04:22 - 2012-01-31 01:48 - 0059992 ____A (360.cn) C:\Windows\System32\Drivers\360netmon.sys
2012-05-09 04:22 - 2011-11-11 03:31 - 0146776 ____A (360.cn) C:\Windows\SysWOW64\360SoftMgr.cpl
2012-05-09 04:21 - 2012-05-09 04:49 - 0002138 ____A C:\Users\peterchen\Desktop\360????.lnk
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\Users\peterchen\AppData\Local\AVG Secure Search
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\Users\All Users\AVG Secure Search
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\ProgramData\AVG Secure Search
2012-05-09 02:50 - 2012-05-09 20:03 - 0000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-05-09 02:50 - 2012-05-09 20:02 - 0000000 ____D C:\Windows\SysWOW64\Drivers\AVG
2012-05-09 02:45 - 2012-05-09 20:02 - 0000000 ____D C:\Users\All Users\AVG2012
2012-05-09 02:45 - 2012-05-09 20:02 - 0000000 ____D C:\ProgramData\AVG2012
2012-05-09 02:45 - 2012-05-09 02:45 - 0000000 ___HD C:\$AVG
2012-05-09 02:41 - 2012-05-09 19:59 - 0000000 ____D C:\Program Files (x86)\AVG
2012-05-09 02:32 - 2012-05-09 20:00 - 0000000 ____D C:\Users\All Users\MFAData
2012-05-09 02:32 - 2012-05-09 20:00 - 0000000 ____D C:\ProgramData\MFAData
2012-05-09 02:26 - 2012-05-09 02:26 - 3877872 ____A (AVG Technologies) C:\Users\peterchen\Desktop\avg_free_stb_all_2012_2171_cnet.exe
2012-05-08 23:40 - 2012-05-08 23:40 - 0000000 __SHD C:\KRECYCLE
2012-05-08 23:34 - 2012-05-08 23:34 - 0000000 ____D C:\Program Files (x86)\Rising
2012-05-08 23:32 - 2012-05-08 23:32 - 0000000 ____D C:\Program Files (x86)\kingsoft
2012-05-08 23:28 - 2001-01-16 15:01 - 0260096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RICHTX32.OCX
2012-05-08 23:28 - 2000-12-05 08:00 - 0211968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\TABCTL32.OCX
2012-05-08 23:28 - 2000-12-05 08:00 - 0110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSWINSCK.OCX
2012-05-08 23:28 - 2000-05-22 00:58 - 0608448 ____A (Microsoft Corporation) C:\Windows\SysWOW64\COMCTL32.OCX
2012-05-08 23:28 - 2000-05-21 08:00 - 0117248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSINET.OCX
2012-05-08 23:20 - 2012-05-08 23:20 - 0000000 ____A C:\Users\All Users\rebootpending.txt
2012-05-08 23:20 - 2012-05-08 23:20 - 0000000 ____A C:\ProgramData\rebootpending.txt
2012-05-07 01:58 - 2012-05-07 01:58 - 0000000 __SHD C:\found.001
2012-05-06 21:15 - 2012-05-09 19:59 - 0000000 ____D C:\Program Files (x86)\Avira
2012-05-06 21:03 - 2011-12-05 00:07 - 0171360 ____A (360.cn) C:\Windows\System32\Drivers\BAPIDRV64.SYS
2012-05-06 09:35 - 2012-05-06 09:35 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360SuperKiller
2012-05-06 03:46 - 2012-05-06 03:46 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_User_wpdcomp_01_09_00.Wdf
2012-05-06 00:31 - 2012-05-09 07:00 - 0000342 ____A C:\Windows\Tasks\At48.job
2012-05-06 00:31 - 2012-05-09 06:00 - 0000342 ____A C:\Windows\Tasks\At47.job
2012-05-06 00:31 - 2012-05-09 05:00 - 0000342 ____A C:\Windows\Tasks\At46.job
2012-05-06 00:31 - 2012-05-09 02:00 - 0000342 ____A C:\Windows\Tasks\At43.job
2012-05-06 00:31 - 2012-05-09 01:00 - 0000342 ____A C:\Windows\Tasks\At42.job
2012-05-06 00:31 - 2012-05-09 00:00 - 0000342 ____A C:\Windows\Tasks\At41.job
2012-05-06 00:31 - 2012-05-08 11:00 - 0000342 ____A C:\Windows\Tasks\At28.job
2012-05-06 00:31 - 2012-05-06 21:00 - 0000342 ____A C:\Windows\Tasks\At38.job
2012-05-06 00:31 - 2012-05-06 04:00 - 0000342 ____A C:\Windows\Tasks\At45.job
2012-05-06 00:31 - 2012-05-06 03:00 - 0000342 ____A C:\Windows\Tasks\At44.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At40.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At39.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At37.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At36.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At35.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At34.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At33.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At32.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At31.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At30.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At29.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At27.job
2012-05-06 00:31 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At26.job
2012-05-06 00:30 - 2012-05-09 07:00 - 0000340 ____A C:\Windows\Tasks\At24.job
2012-05-06 00:30 - 2012-05-09 06:03 - 0000340 ____A C:\Windows\Tasks\At23.job
2012-05-06 00:30 - 2012-05-09 05:00 - 0000340 ____A C:\Windows\Tasks\At22.job
2012-05-06 00:30 - 2012-05-09 02:00 - 0000340 ____A C:\Windows\Tasks\At19.job
2012-05-06 00:30 - 2012-05-09 01:00 - 0000340 ____A C:\Windows\Tasks\At18.job
2012-05-06 00:30 - 2012-05-09 00:00 - 0000340 ____A C:\Windows\Tasks\At17.job
2012-05-06 00:30 - 2012-05-08 11:00 - 0000340 ____A C:\Windows\Tasks\At4.job
2012-05-06 00:30 - 2012-05-06 21:00 - 0000340 ____A C:\Windows\Tasks\At14.job
2012-05-06 00:30 - 2012-05-06 12:10 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ylic
2012-05-06 00:30 - 2012-05-06 11:02 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ukusa
2012-05-06 00:30 - 2012-05-06 11:02 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ataslup
2012-05-06 00:30 - 2012-05-06 04:00 - 0000340 ____A C:\Windows\Tasks\At21.job
2012-05-06 00:30 - 2012-05-06 03:00 - 0000340 ____A C:\Windows\Tasks\At20.job
2012-05-06 00:30 - 2012-05-06 02:33 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ralonal
2012-05-06 00:30 - 2012-05-06 02:24 - 0000342 ____A C:\Windows\Tasks\At25.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At9.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At8.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At7.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At6.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At5.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At3.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At2.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At16.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At15.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At13.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At12.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At11.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At10.job
2012-05-06 00:30 - 2012-05-06 02:24 - 0000340 ____A C:\Windows\Tasks\At1.job
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default User\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:20 - 2012-05-09 20:21 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-06 00:19 - 2012-05-06 00:19 - 0000000 ____D C:\Windows\system64
2012-05-05 20:28 - 2012-05-07 12:21 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\GarenaPlus
2012-05-05 20:18 - 2012-05-07 12:21 - 0000000 ____D C:\Users\All Users\GarenaMessenger
2012-05-05 20:18 - 2012-05-07 12:21 - 0000000 ____D C:\ProgramData\GarenaMessenger
2012-04-29 07:12 - 2012-04-29 07:12 - 0000000 ____D C:\Users\peterchen\Desktop\LOLBox
2012-04-28 10:13 - 2012-04-28 10:12 - 0525544 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-04-28 10:13 - 2012-04-28 10:12 - 0191264 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-04-28 10:13 - 2012-04-28 10:12 - 0172320 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-04-28 10:13 - 2012-04-28 10:12 - 0172320 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-04-28 10:12 - 2012-04-28 10:12 - 0000000 ____D C:\Program Files\Java
2012-04-27 04:51 - 2012-04-27 04:51 - 0000795 ____A C:\Users\Public\Desktop\QQ??.lnk
2012-04-23 19:12 - 2012-05-06 11:36 - 0000262 ____A C:\spyhunter.log
2012-04-23 11:13 - 2012-05-06 03:38 - 0010569 ____A C:\sh4_service.log
2012-04-21 04:58 - 2012-05-09 02:09 - 0000000 ____D C:\Program Files (x86)\Enigma Software Group
2012-04-21 04:58 - 2012-04-21 04:58 - 0000000 ____D C:\Windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-04-21 04:58 - 2012-04-21 04:58 - 0000000 ____A C:\autoexec.bat
2012-04-21 04:56 - 2012-05-09 04:13 - 0000000 ____D C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2012-04-21 02:32 - 2012-04-21 02:32 - 0000412 ____A C:\rkill.log
2012-04-21 02:04 - 2012-04-21 05:31 - 0000000 ____D C:\Users\All Users\PC Tools
2012-04-21 02:04 - 2012-04-21 05:31 - 0000000 ____D C:\ProgramData\PC Tools
2012-04-21 01:33 - 2012-05-06 21:18 - 0000000 ____D C:\sh4ldr
2012-04-21 01:33 - 2012-04-21 01:33 - 0000000 ____D C:\Program Files\Enigma Software Group
2012-04-21 01:29 - 2012-04-21 02:28 - 0073556 ____A C:\Windows\ntbtlog.txt
2012-04-21 00:16 - 2012-04-07 01:46 - 0120600 ____A (????????????) C:\Windows\SysWOW64\xunyount.dll
2012-04-15 21:04 - 2012-05-06 03:06 - 0015041 ____A C:\Users\peterchen\Desktop\???.docx
2012-04-12 05:50 - 2012-04-12 05:51 - 0000000 ____D C:\Users\peterchen\Desktop\uni doc
2012-04-10 17:28 - 2012-03-05 22:53 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-10 17:28 - 2012-03-05 21:59 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-04-10 17:28 - 2012-03-05 21:59 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-10 17:21 - 2012-02-27 23:34 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-04-10 17:21 - 2012-02-27 23:02 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-04-10 17:21 - 2012-02-27 22:56 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-04-10 17:21 - 2012-02-27 22:50 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-04-10 17:21 - 2012-02-27 22:49 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-04-10 17:21 - 2012-02-27 22:48 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-04-10 17:21 - 2012-02-27 22:48 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-04-10 17:21 - 2012-02-27 22:47 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-04-10 17:21 - 2012-02-27 22:45 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-04-10 17:21 - 2012-02-27 22:43 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-04-10 17:21 - 2012-02-27 22:43 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-04-10 17:21 - 2012-02-27 22:42 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-04-10 17:21 - 2012-02-27 22:39 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-04-10 17:21 - 2012-02-27 17:52 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-04-10 17:21 - 2012-02-27 17:27 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-04-10 17:21 - 2012-02-27 17:18 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-04-10 17:21 - 2012-02-27 17:12 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-04-10 17:21 - 2012-02-27 17:11 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-04-10 17:21 - 2012-02-27 17:11 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-04-10 17:21 - 2012-02-27 17:09 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-04-10 17:21 - 2012-02-27 17:08 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-04-10 17:21 - 2012-02-27 17:06 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-04-10 17:21 - 2012-02-27 17:04 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-04-10 17:21 - 2012-02-27 17:03 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-04-10 17:21 - 2012-02-27 17:03 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-04-10 17:21 - 2012-02-27 16:59 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-04-10 17:11 - 2012-02-29 22:46 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-04-10 17:11 - 2012-02-29 22:38 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-04-10 17:11 - 2012-02-29 22:33 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-04-10 17:11 - 2012-02-29 22:28 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-04-10 17:11 - 2012-02-29 21:37 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-04-10 17:11 - 2012-02-29 21:33 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-04-10 17:11 - 2012-02-29 21:29 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll

============ 3 Months Modified Files and Folders =============

2012-05-10 12:39 - 2012-05-10 12:38 - 0000000 ____D C:\FRST
2012-05-09 20:32 - 2011-04-19 15:52 - 1391294 ____A C:\Windows\WindowsUpdate.log
2012-05-09 20:29 - 2011-06-18 01:37 - 0355328 ____A C:\Windows\System32\prfh0804.dat
2012-05-09 20:29 - 2011-06-18 01:37 - 0101428 ____A C:\Windows\System32\prfc0804.dat
2012-05-09 20:29 - 2009-07-13 21:13 - 1169296 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-09 20:29 - 2009-07-13 20:45 - 0028928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-09 20:29 - 2009-07-13 20:45 - 0028928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-09 20:28 - 2012-05-09 04:22 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360safe
2012-05-09 20:27 - 2012-04-08 17:32 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360mobilemgr
2012-05-09 20:27 - 2010-12-03 02:41 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\PPStream
2012-05-09 20:21 - 2012-05-06 00:20 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-09 20:20 - 2011-08-11 23:37 - 0062042 ____A C:\Windows\setupact.log
2012-05-09 20:20 - 2010-09-18 20:32 - 1402060800 __ASH C:\hiberfil.sys
2012-05-09 20:20 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-09 20:03 - 2012-05-09 02:50 - 0000000 ____D C:\Program Files (x86)\AVG Secure Search
2012-05-09 20:03 - 2011-12-28 20:08 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360Login
2012-05-09 20:03 - 2010-12-03 03:20 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360se
2012-05-09 20:02 - 2012-05-09 02:50 - 0000000 ____D C:\Windows\SysWOW64\Drivers\AVG
2012-05-09 20:02 - 2012-05-09 02:45 - 0000000 ____D C:\Users\All Users\AVG2012
2012-05-09 20:02 - 2012-05-09 02:45 - 0000000 ____D C:\ProgramData\AVG2012
2012-05-09 20:01 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-05-09 20:00 - 2012-05-09 02:32 - 0000000 ____D C:\Users\All Users\MFAData
2012-05-09 20:00 - 2012-05-09 02:32 - 0000000 ____D C:\ProgramData\MFAData
2012-05-09 20:00 - 2011-10-10 20:27 - 0000000 ____D C:\Windows\System32\SPReview
2012-05-09 20:00 - 2011-10-10 20:27 - 0000000 ____D C:\Windows\System32\EventProviders
2012-05-09 20:00 - 2011-06-18 01:34 - 0000000 ____D C:\Windows\SysWOW64\XPSViewer
2012-05-09 20:00 - 2011-03-19 17:18 - 0000000 ____D C:\Windows\System32\Macromed
2012-05-09 20:00 - 2010-09-18 21:29 - 0000000 ____D C:\Windows\NAPP_Dism_Log
2012-05-09 20:00 - 2010-07-25 18:20 - 0000000 ____D C:\Windows\SysWOW64\Macromed
2012-05-09 20:00 - 2010-07-25 18:13 - 0000000 ____D C:\Windows\oem
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\winrm
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\WCN
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\slmgr
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\winrm
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\WCN
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\slmgr
2012-05-09 20:00 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\Printing_Admin_Scripts
2012-05-09 20:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\SysWOW64\WindowsPowerShell
2012-05-09 20:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\WindowsPowerShell
2012-05-09 20:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\WinBioPlugIns
2012-05-09 20:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Performance
2012-05-09 20:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-05-09 20:00 - 2009-07-13 20:45 - 0000000 ____D C:\Windows\Setup
2012-05-09 20:00 - 2009-07-13 20:45 - 0000000 ____D C:\Windows\ServiceProfiles
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 __RSD C:\Windows\Media
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Web
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Vss
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\zh-CN
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\spp
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Speech
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\NetworkList
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\MUI
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Msdtc
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\migwiz
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\InstallShield
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\IME
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Dism
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\com
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\zh-CN
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\sysprep
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\spp
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\spool
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Speech
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\SMI
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\oobe
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NetworkList
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\MUI
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Msdtc
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\migwiz
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\IME
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Dism
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\com
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Speech
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\servicing
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\security
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\schemas
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Resources
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PolicyDefinitions
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PLA
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\IME
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Help
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Globalization
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Branding
2012-05-09 20:00 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-05-09 19:59 - 2012-05-09 02:41 - 0000000 ____D C:\Program Files (x86)\AVG
2012-05-09 19:59 - 2012-05-06 21:15 - 0000000 ____D C:\Program Files (x86)\Avira
2012-05-09 19:59 - 2011-12-20 02:56 - 0000000 ____D C:\Program Files (x86)\AliWangWang
2012-05-09 19:59 - 2010-07-25 18:19 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-05-09 08:10 - 2011-06-16 04:56 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\KuGou7
2012-05-09 08:09 - 2012-03-27 09:10 - 0000000 ____D C:\Kugou
2012-05-09 08:04 - 2012-02-18 04:32 - 0000000 ___HD C:\KuGouCache
2012-05-09 07:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At48.job
2012-05-09 07:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At24.job
2012-05-09 06:47 - 2011-01-17 19:56 - 0163920 ____A (TENCENT) C:\Windows\System32\TesSafe.sys
2012-05-09 06:09 - 2010-12-03 01:27 - 0000000 ____D C:\Users\peterchen\AppData\Local\CrashDumps
2012-05-09 06:03 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At23.job
2012-05-09 06:02 - 2011-08-11 23:37 - 0733370 ____A C:\Windows\PFRO.log
2012-05-09 06:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At47.job
2012-05-09 05:37 - 2012-05-09 05:37 - 0019600 ____A C:\Users\peterchen\Desktop\DDS.txt
2012-05-09 05:37 - 2012-05-09 05:37 - 0014130 ____A C:\Users\peterchen\Desktop\Attach.txt
2012-05-09 05:31 - 2012-05-09 05:33 - 0607260 ____R (Swearware) C:\Users\peterchen\Desktop\dds.scr
2012-05-09 05:31 - 2012-05-09 05:30 - 0607260 ____R (Swearware) C:\Users\peterchen\Downloads\dds.scr
2012-05-09 05:29 - 2012-05-09 05:29 - 0000480 ____A C:\Users\peterchen\Desktop\defogger_disable.log
2012-05-09 05:29 - 2012-05-09 05:29 - 0000000 ____A C:\Users\peterchen\defogger_reenable
2012-05-09 05:29 - 2010-12-03 00:56 - 0000000 ____D C:\users\peterchen
2012-05-09 05:26 - 2012-05-09 05:26 - 0050477 ____A C:\Users\peterchen\Desktop\Defogger.exe
2012-05-09 05:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At46.job
2012-05-09 05:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At22.job
2012-05-09 04:49 - 2012-05-09 04:41 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360Desktop
2012-05-09 04:49 - 2012-05-09 04:21 - 0002138 ____A C:\Users\peterchen\Desktop\360????.lnk
2012-05-09 04:48 - 2012-05-09 04:48 - 0002400 ____A C:\Users\peterchen\Desktop\360Chrome.lnk
2012-05-09 04:48 - 2012-05-09 04:48 - 0000000 ____D C:\Users\peterchen\AppData\Local\360Chrome
2012-05-09 04:33 - 2012-05-09 04:33 - 0000000 ____D C:\Windows\Tasks\360Disabled
2012-05-09 04:33 - 2010-12-03 05:53 - 0000000 ____D C:\Users\All Users\360safe
2012-05-09 04:33 - 2010-12-03 05:53 - 0000000 ____D C:\ProgramData\360safe
2012-05-09 04:22 - 2012-05-09 04:22 - 0000000 _RSHD C:\360SANDBOX
2012-05-09 04:21 - 2011-11-20 20:54 - 0000000 ____D C:\Program Files (x86)\360
2012-05-09 04:13 - 2012-04-21 04:56 - 0000000 ____D C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2012-05-09 04:09 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\Users\peterchen\AppData\Local\AVG Secure Search
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\Users\All Users\AVG Secure Search
2012-05-09 02:51 - 2012-05-09 02:51 - 0000000 ____D C:\ProgramData\AVG Secure Search
2012-05-09 02:45 - 2012-05-09 02:45 - 0000000 ___HD C:\$AVG
2012-05-09 02:26 - 2012-05-09 02:26 - 3877872 ____A (AVG Technologies) C:\Users\peterchen\Desktop\avg_free_stb_all_2012_2171_cnet.exe
2012-05-09 02:12 - 2011-10-02 04:51 - 0000000 ____D C:\Users\All Users\QvodPlayer
2012-05-09 02:12 - 2011-10-02 04:51 - 0000000 ____D C:\ProgramData\QvodPlayer
2012-05-09 02:12 - 2010-12-03 01:20 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Tencent
2012-05-09 02:09 - 2012-04-21 04:58 - 0000000 ____D C:\Program Files (x86)\Enigma Software Group
2012-05-09 02:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At43.job
2012-05-09 02:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At19.job
2012-05-09 01:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At42.job
2012-05-09 01:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At18.job
2012-05-09 00:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At41.job
2012-05-09 00:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At17.job
2012-05-08 23:40 - 2012-05-08 23:40 - 0000000 __SHD C:\KRECYCLE
2012-05-08 23:40 - 2011-10-05 01:07 - 0000000 ____D C:\Users\All Users\KRSHistory
2012-05-08 23:40 - 2011-10-05 01:07 - 0000000 ____D C:\ProgramData\KRSHistory
2012-05-08 23:34 - 2012-05-08 23:34 - 0000000 ____D C:\Program Files (x86)\Rising
2012-05-08 23:32 - 2012-05-08 23:32 - 0000000 ____D C:\Program Files (x86)\kingsoft
2012-05-08 23:22 - 2010-12-03 01:21 - 0000000 ____D C:\Users\peterchen\Documents\Tencent Files
2012-05-08 23:20 - 2012-05-08 23:20 - 0000000 ____A C:\Users\All Users\rebootpending.txt
2012-05-08 23:20 - 2012-05-08 23:20 - 0000000 ____A C:\ProgramData\rebootpending.txt
2012-05-08 11:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At28.job
2012-05-08 11:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At4.job
2012-05-07 12:21 - 2012-05-05 20:28 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\GarenaPlus
2012-05-07 12:21 - 2012-05-05 20:18 - 0000000 ____D C:\Users\All Users\GarenaMessenger
2012-05-07 12:21 - 2012-05-05 20:18 - 0000000 ____D C:\ProgramData\GarenaMessenger
2012-05-07 12:21 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\GroupPolicy
2012-05-07 12:16 - 2010-07-25 17:59 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-05-07 01:58 - 2012-05-07 01:58 - 0000000 __SHD C:\found.001
2012-05-06 21:18 - 2012-04-21 01:33 - 0000000 ____D C:\sh4ldr
2012-05-06 21:02 - 2010-12-03 00:56 - 0000000 ____D C:\Users\peterchen\AppData\LocalLow
2012-05-06 21:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At38.job
2012-05-06 21:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At14.job
2012-05-06 12:10 - 2012-05-06 00:30 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ylic
2012-05-06 11:36 - 2012-04-23 19:12 - 0000262 ____A C:\spyhunter.log
2012-05-06 11:02 - 2012-05-06 00:30 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ukusa
2012-05-06 11:02 - 2012-05-06 00:30 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ataslup
2012-05-06 09:35 - 2012-05-06 09:35 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360SuperKiller
2012-05-06 08:15 - 2011-01-30 19:03 - 0000000 ____D C:\360Rec
2012-05-06 04:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At45.job
2012-05-06 04:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At21.job
2012-05-06 03:46 - 2012-05-06 03:46 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_User_wpdcomp_01_09_00.Wdf
2012-05-06 03:38 - 2012-04-23 11:13 - 0010569 ____A C:\sh4_service.log
2012-05-06 03:06 - 2012-04-15 21:04 - 0015041 ____A C:\Users\peterchen\Desktop\???.docx
2012-05-06 03:00 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At44.job
2012-05-06 03:00 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At20.job
2012-05-06 02:50 - 2010-12-03 01:20 - 0000030 ____A C:\Windows\QQPlayer.INI
2012-05-06 02:33 - 2012-05-06 00:30 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\Ralonal
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At40.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At39.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At37.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At36.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At35.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At34.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At33.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At32.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At31.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At30.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At29.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At27.job
2012-05-06 02:24 - 2012-05-06 00:31 - 0000342 ____A C:\Windows\Tasks\At26.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000342 ____A C:\Windows\Tasks\At25.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At9.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At8.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At7.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At6.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At5.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At3.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At2.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At16.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At15.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At13.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At12.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At11.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At10.job
2012-05-06 02:24 - 2012-05-06 00:30 - 0000340 ____A C:\Windows\Tasks\At1.job
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default User\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:30 - 2012-05-06 00:30 - 0000174 ___SH C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-05-06 00:19 - 2012-05-06 00:19 - 0000000 ____D C:\Windows\system64
2012-05-05 19:50 - 2012-03-29 05:33 - 0419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-05-05 19:50 - 2011-05-16 16:18 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-05 12:44 - 2011-11-20 16:29 - 0000000 ____D C:\Users\peterchen\AppData\Local\PMB Files
2012-05-05 07:24 - 2011-04-22 08:02 - 0000000 ____D C:\Windows\Minidump
2012-04-29 07:12 - 2012-04-29 07:12 - 0000000 ____D C:\Users\peterchen\Desktop\LOLBox
2012-04-28 11:22 - 2012-01-06 22:55 - 0000000 ____D C:\Program Files (x86)\????????
2012-04-28 10:12 - 2012-04-28 10:13 - 0525544 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-04-28 10:12 - 2012-04-28 10:13 - 0191264 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-04-28 10:12 - 2012-04-28 10:13 - 0172320 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-04-28 10:12 - 2012-04-28 10:13 - 0172320 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-04-28 10:12 - 2012-04-28 10:12 - 0000000 ____D C:\Program Files\Java
2012-04-27 06:26 - 2011-10-24 22:44 - 0000000 ____D C:\Users\peterchen\riotsGamesLogs
2012-04-27 04:51 - 2012-04-27 04:51 - 0000795 ____A C:\Users\Public\Desktop\QQ??.lnk
2012-04-22 00:33 - 2012-02-13 02:30 - 0000000 ____D C:\Users\peterchen\Desktop\??
2012-04-21 05:31 - 2012-04-21 02:04 - 0000000 ____D C:\Users\All Users\PC Tools
2012-04-21 05:31 - 2012-04-21 02:04 - 0000000 ____D C:\ProgramData\PC Tools
2012-04-21 04:58 - 2012-04-21 04:58 - 0000000 ____D C:\Windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-04-21 04:58 - 2012-04-21 04:58 - 0000000 ____A C:\autoexec.bat
2012-04-21 02:32 - 2012-04-21 02:32 - 0000412 ____A C:\rkill.log
2012-04-21 02:28 - 2012-04-21 01:29 - 0073556 ____A C:\Windows\ntbtlog.txt
2012-04-21 02:04 - 2011-03-24 00:27 - 0000000 ____D C:\Users\peterchen\AppData\Local\ElevatedDiagnostics
2012-04-21 01:33 - 2012-04-21 01:33 - 0000000 ____D C:\Program Files\Enigma Software Group
2012-04-21 00:15 - 2010-12-03 01:44 - 0000000 ____D C:\Windows\SysWOW64\dialconfig
2012-04-19 03:18 - 2011-03-04 19:07 - 0000000 ____D C:\Users\peterchen\AppData\Local\NokiaAccount
2012-04-19 03:17 - 2011-12-20 02:55 - 0000000 ____D C:\Program Files (x86)\Tudou
2012-04-19 03:11 - 2010-09-18 20:48 - 0000000 ____D C:\Program Files (x86)\Windows Live
2012-04-19 03:08 - 2012-01-02 02:22 - 0000000 ____D C:\Users\All Users\Baidu
2012-04-19 03:08 - 2012-01-02 02:22 - 0000000 ____D C:\ProgramData\Baidu
2012-04-19 03:01 - 2010-12-08 15:56 - 0000000 ____D C:\Users\All Users\PPLive
2012-04-19 03:01 - 2010-12-08 15:56 - 0000000 ____D C:\ProgramData\PPLive
2012-04-17 05:38 - 2011-04-12 00:51 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-04-17 05:38 - 2011-04-12 00:51 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-04-16 10:28 - 2012-01-02 02:22 - 0002356 ____A C:\Windows\SysWOW64\bdsecushr.dat
2012-04-12 05:51 - 2012-04-12 05:50 - 0000000 ____D C:\Users\peterchen\Desktop\uni doc
2012-04-09 03:32 - 2012-05-09 04:22 - 0049512 ____A (360.cn) C:\Windows\System32\Drivers\360AntiHacker64.sys
2012-04-07 18:32 - 2012-04-07 18:32 - 0000000 __SHD C:\found.000
2012-04-07 01:46 - 2012-04-21 00:16 - 0120600 ____A (????????????) C:\Windows\SysWOW64\xunyount.dll
2012-04-06 03:08 - 2012-01-02 02:23 - 0000138 ____A C:\Windows\vsfilter.INI
2012-04-05 18:56 - 2011-01-01 20:34 - 0000000 ____D C:\Users\peterchen\AppData\Local\Microsoft Games
2012-04-04 08:43 - 2011-12-20 02:43 - 0000000 ____D C:\Program Files (x86)\PPStream
2012-04-04 06:59 - 2012-03-27 17:55 - 0000000 ____D C:\Program Files (x86)\TENCENT
2012-04-04 06:59 - 2012-03-04 04:28 - 0000000 ____D C:\Program Files\TENCENT
2012-03-29 00:02 - 2012-03-29 00:02 - 0000000 ____D C:\Program Files\china-drm
2012-03-29 00:02 - 2012-03-29 00:02 - 0000000 ____D C:\china-drm
2012-03-28 11:00 - 2011-06-18 01:18 - 57249312 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-03-28 08:13 - 2009-07-13 20:45 - 0383896 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-25 10:12 - 2012-03-25 10:12 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\alipay
2012-03-20 00:05 - 2009-07-13 21:08 - 0032576 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-03-16 03:38 - 2012-05-09 04:22 - 0285024 ____A (360????) C:\Windows\System32\Drivers\360Box64.sys
2012-03-14 09:16 - 2011-11-20 16:29 - 0000000 ____D C:\Users\All Users\PMB Files
2012-03-14 09:16 - 2011-11-20 16:29 - 0000000 ____D C:\ProgramData\PMB Files
2012-03-10 21:40 - 2011-11-21 02:00 - 0000000 ____D C:\Users\peterchen\Documents\????
2012-03-08 00:01 - 2012-05-09 04:22 - 0355928 ____A (360.cn) C:\Windows\System32\Drivers\360FsFlt.sys
2012-03-05 23:51 - 2012-03-05 23:51 - 0000000 ____D C:\Users\All Users\Blizzard Entertainment
2012-03-05 23:51 - 2012-03-05 23:51 - 0000000 ____D C:\ProgramData\Blizzard Entertainment
2012-03-05 22:53 - 2012-04-10 17:28 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-05 21:59 - 2012-04-10 17:28 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-05 21:59 - 2012-04-10 17:28 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-05 21:50 - 2011-04-17 14:29 - 0000000 ____D C:\Users\peterchen\AppData\Roaming\360chrome
2012-03-04 03:59 - 2012-03-04 03:58 - 0000102 ____H C:\Windows\SysWOW64\update.jpg
2012-02-29 22:46 - 2012-04-10 17:11 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-29 22:38 - 2012-04-10 17:11 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 22:33 - 2012-04-10 17:11 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 22:28 - 2012-04-10 17:11 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 21:37 - 2012-04-10 17:11 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-02-29 21:33 - 2012-04-10 17:11 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-02-29 21:29 - 2012-04-10 17:11 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-02-27 23:34 - 2012-04-10 17:21 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 23:02 - 2012-04-10 17:21 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 22:56 - 2012-04-10 17:21 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 22:50 - 2012-04-10 17:21 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 22:49 - 2012-04-10 17:21 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 22:48 - 2012-04-10 17:21 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 22:48 - 2012-04-10 17:21 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 22:47 - 2012-04-10 17:21 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 22:45 - 2012-04-10 17:21 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 22:43 - 2012-04-10 17:21 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 22:43 - 2012-04-10 17:21 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 22:42 - 2012-04-10 17:21 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 22:39 - 2012-04-10 17:21 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-27 17:52 - 2012-04-10 17:21 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-27 17:27 - 2012-04-10 17:21 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-27 17:18 - 2012-04-10 17:21 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-27 17:12 - 2012-04-10 17:21 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-27 17:11 - 2012-04-10 17:21 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-27 17:11 - 2012-04-10 17:21 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-27 17:09 - 2012-04-10 17:21 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-27 17:08 - 2012-04-10 17:21 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-27 17:06 - 2012-04-10 17:21 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-27 17:04 - 2012-04-10 17:21 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-27 17:03 - 2012-04-10 17:21 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-27 17:03 - 2012-04-10 17:21 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-27 16:59 - 2012-04-10 17:21 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-02-22 18:18 - 2011-01-13 03:11 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-22 03:47 - 2012-02-22 03:47 - 0375296 ____A C:\Users\peterchen\Desktop\??10000.doc
2012-02-22 03:47 - 2012-02-22 03:46 - 0338432 ____A C:\Users\peterchen\Desktop\??10000??.doc
2012-02-17 09:14 - 2012-02-17 08:13 - 0000089 ____A C:\Windows\lexicon_20120217.patch
2012-02-17 07:13 - 2012-02-16 08:03 - 0000089 ____A C:\Windows\lexicon_20120216.patch
2012-02-16 22:38 - 2012-03-28 07:41 - 1112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-02-16 22:38 - 2012-03-28 07:41 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-28 07:41 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-28 07:41 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-28 07:41 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-16 07:03 - 2012-02-15 08:11 - 0000089 ____A C:\Windows\lexicon_20120215.patch
2012-02-16 01:03 - 2011-11-20 00:42 - 0000025 ____A C:\Users\peterchen\AppData\Roaming\CoreAVC.ini
2012-02-15 07:11 - 2012-02-14 17:17 - 0000089 ____A C:\Windows\lexicon_20120214.patch
2012-02-14 07:49 - 2012-02-13 09:34 - 0000089 ____A C:\Windows\lexicon_20120213.patch
2012-02-13 06:31 - 2012-02-12 08:27 - 0000089 ____A C:\Windows\lexicon_20120212.patch
2012-02-13 02:55 - 2012-02-13 02:55 - 0001119 ____A C:\Users\peterchen\Desktop\LOL??.lnk
2012-02-13 02:44 - 2011-12-31 01:55 - 0000000 ____D C:\Users\peterchen\Desktop\????? ????
2012-02-12 07:27 - 2012-02-11 08:04 - 0000089 ____A C:\Windows\lexicon_20120211.patch

========================= Known DLLs (Whitelisted) ============

[2011-10-10 20:18] - [2010-11-20 05:25] - 0014336 ____A (Microsoft Corporation) C:\Windows\System32\browseui.dll
[2011-10-10 20:18] - [2010-11-20 04:18] - 0010752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browseui.dll
[2009-07-13 16:18] - [2009-07-13 17:41] - 0083456 ____A (Microsoft Corporation) C:\Windows\System32\msacm32.dll
[2009-07-13 16:03] - [2009-07-13 17:15] - 0072192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msacm32.dll
[2009-07-13 15:21] - [2009-07-13 17:41] - 0006656 ____A (Microsoft Corporation) C:\Windows\System32\shimeng.dll
[2009-07-13 15:12] - [2009-07-13 17:16] - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shimeng.dll
[2009-07-13 15:55] - [2009-07-13 17:41] - 0332288 ____A (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
[2009-07-13 15:39] - [2009-07-13 17:11] - 0245760 ____A (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\System32\mfc40.dll IS MISSING <==== ATTENTION!
[2011-10-10 20:21] - [2010-11-20 04:19] - 0954752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc40.dll
[2011-10-10 20:20] - [2010-11-20 05:26] - 2067456 ____A (Microsoft Corporation) C:\Windows\System32\d3d9.dll
[2011-10-10 20:20] - [2010-11-20 04:18] - 1828352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d9.dll
[2009-07-13 15:59] - [2009-07-13 17:26] - 1297408 ____A (Microsoft Corporation) C:\Windows\System32\comres.dll
[2009-07-13 15:44] - [2009-07-13 17:04] - 1297408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\comres.dll
[2009-07-13 15:41] - [2009-07-13 17:40] - 0569344 ____A (Microsoft Corporation) C:\Windows\System32\ddraw.dll
[2009-07-13 15:27] - [2009-07-13 17:15] - 0531968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ddraw.dll
[2009-07-13 16:18] - [2009-07-13 17:40] - 0540672 ____A (Microsoft Corporation) C:\Windows\System32\dsound.dll
[2009-07-13 16:03] - [2009-07-13 17:15] - 0453632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dsound.dll

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 34%
Total physical RAM: 1782.81 MB
Available physical RAM: 1173.96 MB
Total Pagefile: 1782.81 MB
Available Pagefile: 1165.95 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (eMachines) (Fixed) (Total:142.55 GB) (Free:99.81 GB) NTFS
2 Drive d: (New Volume) (Fixed) (Total:142.44 GB) (Free:29.56 GB) NTFS
3 Drive f: (PQSERVICE) (Fixed) (Total:13 GB) (Free:0.89 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive h: (HP v250w) (Removable) (Total:7.59 GB) (Free:2.42 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 2048 KB
Disk 1 Online 7788 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 13 GB 1024 KB
Partition 2 Primary 100 MB 13 GB
Partition 3 Primary 142 GB 13 GB
Partition 0 Extended 142 GB 155 GB
Partition 4 Logical 142 GB 155 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F PQSERVICE NTFS Partition 13 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C eMachines NTFS Partition 142 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D New Volume NTFS Partition 142 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7783 MB 5340 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H HP v250w FAT32 Removable 7783 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-28 22:52

======================= End Of Log ==========================

#4 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:02 AM

Posted 10 May 2012 - 09:10 AM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

start
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
C:\Windows\System32\consrv.dll
2 issuser; C:\Windows\System32\JRAID.dll [6656 2009-07-13] (Oak Technology Inc.)
C:\Windows\System32\JRAID.dll
NETSVC: issuse
3 X6va005; \??\C:\Users\PETERC~1\AppData\Local\Temp\0053ADF.tmp [x]
cmd: del /a/f/q C:\Windows\Tasks\At*.job
end

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

#5 strikerchen
  • Topic Starter

  • Members
  • 27 posts
  • Local time:02:02 PM

Posted 10 May 2012 - 09:36 AM

Hi, everything went successfully.

This is the log:

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 09-05-2012
Ran by SYSTEM at 2012-05-10 22:31:35 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
C:\Windows\System32\consrv.dll moved successfully.
issuser service deleted successfully.
C:\Windows\System32\JRAID.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs issuse Deleted successfully.
X6va005 service deleted successfully.

========= del /a/f/q C:\Windows\Tasks\At*.job =========


========= End of CMD: =========


==== End of Fixlog ====

#6 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:02 AM

Posted 10 May 2012 - 09:52 AM

Good. :thumbup2:

We have taken care of the main infection.

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

  • Please download MiniRegTool64.zip and unzip it.
    • Run the tool.
    • Copy and paste the following into the edit box:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5
    • Check Export keys radio button.
    • Press Go button and post the result.


#7 strikerchen
  • Topic Starter

  • Members
  • 27 posts
  • Local time:02:02 PM

Posted 10 May 2012 - 10:19 AM

Hi,

The log from MBAM:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.10.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
peterchen :: PETERCHEN-PC [administrator]

Protection: Enabled

2012/5/10 23:13:50
mbam-log-2012-05-10 (23-13-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 31409
Time elapsed: 58 second(s) [aborted]

Memory Processes Detected: 1
C:\Program Files (x86)\360\360Safe\360leakfixer.exe (Trojan.Agent) -> 3332 -> Delete on reboot.

Memory Modules Detected: 2
C:\Program Files (x86)\360\360Safe\safemon\BootLeakFixer.tpi (Trojan.Agent) -> Delete on reboot.
C:\Program Files (x86)\360\360Safe\leakrepair.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Program Files (x86)\360\360Safe\safemon\BootLeakFixer.tpi (Trojan.Agent) -> Delete on reboot.
C:\Program Files (x86)\360\360Safe\360leakfixer.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files (x86)\360\360Safe\leakrepair.dll (Trojan.Agent) -> Delete on reboot.

(end)

And the log from MiniRegTool:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000006
"Serial_Access_Num"=dword:0000003a
"Num_Catalog_Entries64"=dword:00000006

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"ProviderId"=hex:a2,cb,4a,96,bc,b2,eb,40,8c,6a,a6,db,40,16,1c,ae
"SupportedNameSpace"=dword:00000025
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1000"
"ProviderId"=hex:ce,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000027
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1001"
"ProviderId"=hex:cd,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000026
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"ProviderId"=hex:a2,cb,4a,96,bc,b2,eb,40,8c,6a,a6,db,40,16,1c,ae
"SupportedNameSpace"=dword:00000025
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1000"
"ProviderId"=hex:ce,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000027
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1001"
"ProviderId"=hex:cd,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000026
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

#8 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:02 AM

Posted 10 May 2012 - 10:57 AM

We are going to repair the winsock entries that are altered by this malware.

  • Please download the attached file Fix-WS.reg.
    Double-click it and confirm the prompt to allow it to merge.
  • Important: Restart.
  • Please download system64.bat
    Important: right-click and select "Run as administrator".
    A command window and then a log file (log00.txt) will open.
    Please post the content to your reply.
  • Important: Restart.
  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
  • List Winsock Entries
Click Go and post the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.

#9 strikerchen
  • Topic Starter

  • Members
  • 27 posts
  • Local time:02:02 PM

Posted 10 May 2012 - 11:17 AM

Hi,

The log from system64.bat:

Start

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

C:\Windows\system64 found.
C:\Windows\system64 deleted successfully.
End

And the log from MiniToolBox:

MiniToolBox by Farbar Version: 18-01-2012
Ran by peterchen (administrator) on 11-05-2012 at 00:16:33
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

**** End of log ****
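The check behind the winsock repair in this thread, as an added example and not one of Farbar's tools: a Python parser for the MiniRegTool export posted in #7 that flags every NameSpace_Catalog5 slot whose LibraryPath differs from the provider order MiniToolBox listed after the fix (post #9). The embedded sample export is abridged from this thread; the expected-provider table is taken from the post-fix listing and is assumed to apply only to Windows 7 SP1.

```python
"""Audit a regedit export of the Winsock NameSpace_Catalog5 key.

Added example for this thread, not one of Farbar's tools.  It parses the
.reg text MiniRegTool produced (post #7) and compares each catalog
slot's LibraryPath with the provider order MiniToolBox listed after the
fix (post #9).  In the thread's export slot 1 loads mswsock.dll although
its DisplayString names the NLA service; the fix restored NLAapi.dll.
"""
import re

# Constructed sample, abridged from the export posted in the thread
# (slots 1, 2 and 5 of the 32-bit catalog and slot 1 of the 64-bit one).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000006
"Num_Catalog_Entries64"=dword:00000006

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"Enabled"=dword:00000001
"""

# Provider expected in each NameSpace_Catalog5 slot, taken from the
# post-fix MiniToolBox listing in this thread (Windows 7 SP1).  Assumed
# to hold for that version only; other Windows releases differ.
EXPECTED_CATALOG5 = {
    1: "nlaapi.dll",
    2: "napinsp.dll",
    3: "pnrpnsp.dll",
    4: "pnrpnsp.dll",
    5: "mswsock.dll",
    6: "winrnr.dll",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_ENTRY_RE = re.compile(r"\\(Catalog_Entries(?:64)?)\\(\d{12})$")


def parse_reg_export(text):
    """Return {key_path: {name: value}} for the string values of a
    'Windows Registry Editor Version 5.00' export.  dword/hex values
    are skipped since only LibraryPath and DisplayString matter here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _STR_RE.match(line)
        if m and current is not None:
            # regedit escapes '"' as '\"' and '\' as '\\' inside strings
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = value
    return keys


def audit_namespace_catalog(text, expected=EXPECTED_CATALOG5):
    """List (catalog, slot, loaded_dll, note) for every slot whose
    LibraryPath is not the provider expected there.  Empty == clean."""
    findings = []
    for key, values in parse_reg_export(text).items():
        m = _ENTRY_RE.search(key)
        if not m:
            continue  # the parent keys carry no LibraryPath
        catalog, slot = m.group(1), int(m.group(2))
        dll = values.get("LibraryPath", "").rsplit("\\", 1)[-1].lower()
        want = expected.get(slot)
        if want is None:
            findings.append((catalog, slot, dll, "slot not in baseline"))
        elif dll != want:
            findings.append((catalog, slot, dll, f"expected {want}"))
    return sorted(findings)


if __name__ == "__main__":
    for catalog, slot, dll, note in audit_namespace_catalog(SAMPLE_EXPORT):
        print(f"{catalog} {slot:02d}: {dll} ({note})")
```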

#10 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:02 AM

Posted 10 May 2012 - 11:24 AM

That part looks good.

We need a full system checkup.

  • Make sure you update Java to the latest version.
  • To clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Settings > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
    • Make sure all the options are checked.
    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.
  • ESET Online Scanner:

    Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

    Vista and Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

    • Please go here, then click on: [image]

      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

    • Select the option YES, I accept the Terms of Use, then click on: [image]
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats and the option Scan archives are checked.
    • Now click on Advanced Settings and select the following:
    • Enable Anti-Stealth Technology
    • Now click on: [image]
    • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
    • Now click on: [image]
    • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.
    Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also, please tell me how the system is running.

#11 strikerchen
  • Topic Starter

  • Members
  • 27 posts
  • Local time:02:02 PM

Posted 10 May 2012 - 12:17 PM

OK, ESET has detected 2 trojans so far, Win64/Sirefef.W and Win64/Sirefef.G.

I will post the log as soon as I finish the scan.

#12 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:02 AM

Posted 10 May 2012 - 12:43 PM

Those two files could be the ones we moved to the quarantine folder of FRST. Please take your time and post the log when ready. :thumbup2:

Also tell me how the computer is running.

#13 strikerchen
  • Topic Starter

  • Members
  • 27 posts
  • Local time:02:02 PM

Posted 10 May 2012 - 02:29 PM

Oh god, I finally finished the scanning; it took me almost 3 hours.

Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-10 07:23:56
# local_time=2012-05-11 03:23:56 (+0800, W. Australia Standard Time)
# country="People's Republic of China"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1797 16774142 0 7 0 9590819 0 0
# compatibility_mode=5893 16776574 66 94 759331 88297953 0 0
# compatibility_mode=8192 67108863 100 0 476 476 0 0
# scanned=235494
# found=8
# cleaned=8
# scan_time=9751
C:\FRST\Quarantine\consrv.dll Win64/Sirefef.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\FRST\Quarantine\JRAID.dll Win64/Sirefef.W trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\peterchen\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\45c49568-38809c94 Java/Exploit.Agent.NBN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\peterchen\AppData\Roaming\QvodPlayer\QvodUpdate5.exe probably a variant of Win32/Adware.TencentAd application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\peterchen\Desktop\加速器合集 圣诞节版\加速器合集-By_d-iao\加速器合集-By_d-iao.exe a variant of Win32/Packed.VMProtect.AAN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\assembly\temp\U\80000000.@ Win64/Sirefef.W trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\assembly\temp\U\80000032.@ a variant of Win32/Sirefef.EU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\assembly\temp\U\80000064.@ Win64/Sirefef.AC trojan (cleaned by deleting - quarantined) 0000000000000000

Oh, btw, the system is running faster.
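As an added example (not part of this thread and not ESET's or FRST's own code), here is a small Python parser for the ESET Online Scanner log format posted above. It pulls the `# key=value` header counters and each detection line into structured fields, groups detections by malware family, separates files that were already sitting in FRST's quarantine folder (the point Farbar raised about the two Sirefef hits) from the ones found live on disk, checks that the `found=`/`cleaned=` counters agree with the number of records, and flags the cut-off last record. The record regex, the family heuristic and the quarantine-folder check are my assumptions about the layout, not documented ESET behaviour; the sample input is the posted log itself, with the truncated final line kept as posted.

```python
"""Parse an ESET Online Scanner log.txt into structured detection records.

Added example; not part of the original thread or of ESET's tooling. The
record layout is inferred from the log posted in the thread (an assumption)
and paths are assumed to be Windows paths, i.e. no forward slashes.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample input: header counters and detection lines from the posted log. The
# last record is kept exactly as posted (cut-off hash, no trailing flag) so
# the parser is exercised on a truncated line.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
# version=7
# scanned=235494
# found=8
# cleaned=8
C:\FRST\Quarantine\consrv.dll Win64/Sirefef.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\FRST\Quarantine\JRAID.dll Win64/Sirefef.W trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\peterchen\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\45c49568-38809c94 Java/Exploit.Agent.NBN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\peterchen\AppData\Roaming\QvodPlayer\QvodUpdate5.exe probably a variant of Win32/Adware.TencentAd application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\peterchen\Desktop\加速器合集 圣诞节版\加速器合集-By_d-iao\加速器合集-By_d-iao.exe a variant of Win32/Packed.VMProtect.AAN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\assembly\temp\U\80000000.@ Win64/Sirefef.W trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\assembly\temp\U\80000032.@ a variant of Win32/Sirefef.EU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\assembly\temp\U\80000064.@ Win64/Sirefef.AC trojan (cleaned by deleting - quarantined) 0000000000000000
"""

HEADER_RE = re.compile(r"^# (\w+)=(.*)$")
# path, optional "probably"/"a variant of" qualifier, Platform/Name, kind,
# (action), optional hash, optional trailing flag. The path is matched
# non-greedily so a path with embedded spaces (the Desktop entry) still parses.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<qualifier>(?:probably )?(?:a variant of )?)"
    r"(?P<name>\S+/\S+)\s+(?P<kind>\w+)\s+"
    r"\((?P<action>[^)]*)\)"
    r"(?:\s+(?P<hash>[0-9A-Fa-f]+))?"
    r"(?:\s+(?P<flag>\S+))?\s*$"
)
# FRST's quarantine folder, named in the thread: hits under it were already
# contained before ESET ran (assumption about how to read such hits).
QUARANTINE_DIRS = (r"c:\frst\quarantine",)
MD5_HEX_LEN = 32


@dataclass
class Detection:
    path: str
    qualifier: str  # "", "a variant of" or "probably a variant of"
    name: str       # e.g. "Win64/Sirefef.G"
    kind: str       # "trojan", "application", ...
    action: str
    hash: str
    flag: str

    @property
    def family(self) -> str:
        """Heuristic (assumption): drop the platform prefix and a trailing
        all-caps variant suffix, so Win64/Sirefef.G and Win32/Sirefef.EU
        both map to "Sirefef"."""
        _, _, tail = self.name.partition("/")
        head, dot, last = tail.rpartition(".")
        return head if dot and last.isupper() else tail

    @property
    def contained(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_DIRS)

    @property
    def truncated(self) -> bool:
        return len(self.hash) != MD5_HEX_LEN or not self.flag


def parse_eset_log(text: str) -> tuple[dict[str, str], list[Detection]]:
    """Return (header key/values, detection records); other lines are skipped."""
    header: dict[str, str] = {}
    detections: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            header[m.group(1)] = m.group(2)
            continue
        if m := DETECTION_RE.match(line):
            detections.append(Detection(
                path=m["path"], qualifier=m["qualifier"].strip(), name=m["name"],
                kind=m["kind"], action=m["action"],
                hash=m["hash"] or "", flag=m["flag"] or ""))
    return header, detections


def summarize(header: dict[str, str], detections: list[Detection]) -> dict:
    """Triage view: families, live vs already-quarantined paths, counter sanity."""
    return {
        "families": dict(Counter(d.family for d in detections)),
        "contained": [d.path for d in detections if d.contained],
        "live": [d.path for d in detections if not d.contained],
        "truncated": [d.path for d in detections if d.truncated],
        # found= should equal both the record count and the cleaned= counter
        "counters_consistent": header.get("found") == str(len(detections)) == header.get("cleaned"),
        "all_quarantined": all("quarantined" in d.action for d in detections),
    }


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    for key, value in summarize(hdr, dets).items():
        print(f"{key}: {value}")
```

On the posted log this reports five Sirefef records across three variants, two of which are the already-quarantined FRST copies, six live paths (three of them under `C:\Windows\assembly\temp\U`, the Sirefef drop location the `.@` names point at), consistent counters, and one truncated record that a reviewer should re-check against the original log file rather than the pasted copy.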

#14 Farbar

Posted 10 May 2012 - 02:58 PM

It looks good. :thumbup2:

  • Please delete the FRST tool as we don't need it any more. Also go to C:\FRST and delete the entire FRST folder.
  • You may delete any tool or log we used from your computer.
  • Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll-back" to a clean working state if needed:
  • Go to Start => Right-click "Computer" and select "Properties".
  • In the left pane select "System Protection".
  • Press "Configure".
  • Select "Delete". Then press "Continue", "Close" and "OK".
  • Select your drive (drive C) and press "Create".
    Fill in a name for the restore point and press "Create".
    After finished press "Close".

Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.


#15 strikerchen

Posted 10 May 2012 - 03:05 PM

OK

Thanks a lot, you guys are amazingggggggggggggg



