computer sent spam emails


23 replies to this topic

#1 dislab (Members, 45 posts)

Posted 15 February 2013 - 10:29 PM

Yesterday my Gmail sent out about 40 emails by itself. The email subject is "Fwd:", and the content is just one link "http://www.teicosgroup.com/gcr4rv.php?s=lf". I can see those emails in the "sent mail" in my Gmail.

I suspect these emails were sent by my desktop, as it is the only place where my Gmail is set up in Outlook (the other place is my Android phone). I didn't see any sent emails in Outlook's sent folder. I have changed my Gmail password.

I have used Malwarebytes and Norton; no virus was detected. Your help is highly appreciated.
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.7.2
Run by jli at 22:23:30 on 2013-02-15
Microsoft Windows XP Professional  5.1.2600.3.936.86.1033.18.2303.1429 [GMT -5:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* 
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\jli\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\jli\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\jli\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\jli\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\jli\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\jli\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\jli\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k PPTVServiceGroup
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: VideoUrlSniffer Class: {00000ADA-7E0D-47C1-986C-F017D09C4304} - c:\program files\common files\thunder network\kankan\VideoUrlSniffer.2.0.1.99.(56).dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: [Thunder FLV add-in; name mis-encoded in the log]: {0EA37B17-6B8B-4085-8257-F3A4AA69C27A} - c:\program files\thunder network\thunder\bho\XlBrowserAddin1.0.8.71.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\20.2.0.19\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\20.2.0.19\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: [Thunder add-in; name mis-encoded in the log]: {889D2FEB-5411-4565-8998-1DD2C5261283} - c:\program files\thunder network\thunder\bho\XunleiBHO7.2.9.3634.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\20.2.0.19\coieplg.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\20.2.0.19\coieplg.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\jli\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Download with Thunder (迅雷) - c:\program files\thunder network\thunder\bho\geturl.htm
IE: Download all links with Thunder (迅雷) - c:\program files\thunder network\thunder\bho\GetAllUrl.htm
IE: Thunder (迅雷) offline download - c:\program files\thunder network\thunder\bho\OfflineDownload.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Edit and retouch with nEO iMAGING (光影) - c:\program files\neo imaging\NeoOpenNeo.htm
IE: Play with Thunder Kankan player (迅雷看看) - c:\documents and settings\all users\application data\thunder network\xmp4\core\program\XmpIEMenu.htm
IE: Add current page to Thunder Kankan player tab - c:\documents and settings\all users\application data\thunder network\xmp4\core\program\XmpIEMenuAddStoreTab.htm
IE: {14c1d00e-0b92-4379-880b-444fa2d740dd} - c:\documents and settings\all users\application data\thunder network\xmp4\core\program\XmpIEToolMenu.htm
IE: {24c1d00e-0b92-4379-880b-444fa2d740dd} - c:\documents and settings\all users\application data\thunder network\xmp4\core\program\XmpIEToolBar.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} - hxxps://insourcers.riahome.com/CABFiles/RSLoginModule.cab
DPF: {455182EE-8F93-11D2-BA3C-00C04F7F6533} - hxxps://insourcers.riahome.com/CABFiles/RSTabbedList.cab
DPF: {6C8E9E45-538C-473A-B83B-DA9AE1ED7604} - hxxps://insourcers.riahome.com/CABFiles/vspdf.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343528509624
DPF: {82BFFC8C-B4BD-11D4-9908-000102053AFB} - hxxps://insourcers.riahome.com/CABFiles/webnotifier.cab
DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} - hxxps://insourcers.riahome.com/CABFiles/vsprint7.cab
DPF: {C0A63B86-4B21-11D3-BD95-D426EF2C7949} - hxxps://insourcers.riahome.com/CABFiles/vsflex7L.cab
DPF: {D76D712E-4A96-11D3-BD95-D296DC2DD072} - hxxps://insourcers.riahome.com/CABFiles/vsflex7.cab
DPF: {EBB0431C-10EB-432D-8C53-64BDBEDBD86B} - hxxps://insourcers.riahome.com/CABFiles/xmlgridRS.cab
DPF: {F4721362-90E1-11D4-B547-00105A80AE07} - hxxps://insourcers.riahome.com/CABFiles/RIAInRSImport.cab
DPF: {FE83D8C0-07C7-4915-A6B4-4A6B895E677F} - hxxps://insourcers.riahome.com/CABFiles/vsFlexXMLDSO.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{E78125AE-141A-4E8E-A542-044C6B497848} : DHCPNameServer = 192.168.0.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jli\application data\mozilla\firefox\profiles\xy180osi.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\jli\local settings\application data\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\common files\tencent\npqscall\npqscall.dll
FF - plugin: c:\program files\common files\tencent\txsso\1.2.1.89\bin\npSSOAxCtrlForPTLogin.dll
FF - plugin: c:\program files\common files\thunder network\kankan\npDapCtrl.3.1.0.6.(204).dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\internet explorer\pplite\plugin\1.0.1.2906\npplugin2.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\tencent\qqmusic\qzonemusic\npQzoneMusic.dll
FF - plugin: c:\program files\tencent\qzone\npQQPhotoDrawEx.dll
FF - plugin: c:\program files\thunder network\thunder\data\npxunlei1.0.0.1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_149.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1402000.013\symds.sys [2012-12-4 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1402000.013\symefa.sys [2012-12-4 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\bashdefs\20130208.001\BHDrvx86.sys [2013-2-12 997464]
R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\n360\1402000.013\ccsetx86.sys [2012-12-4 134304]
R1 Ext2Fsd;Linux ext2 file system driver;c:\windows\system32\drivers\ext2fsd.sys [2012-9-23 686360]
R1 QQProtect;QQProtect;c:\windows\system32\drivers\QQProtect.sys [2013-1-1 137632]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1402000.013\ironx86.sys [2012-12-4 175264]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\20.2.0.19\ccsvchst.exe [2012-12-4 143928]
R2 PPTVService;PPTVService;c:\windows\system32\svchost.exe -k PPTVServiceGroup [2004-8-3 14336]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2012-8-28 92632]
R2 XLServicePlatform;XLServicePlatform;c:\windows\system32\svchost -k xlserviceplatform --> c:\windows\system32\svchost -k XLServicePlatform [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-12-5 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\ipsdefs\20130215.001\IDSXpx86.sys [2013-2-15 373728]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\virusdefs\20130214.016\NAVENG.SYS [2013-2-15 93296]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_20.1.0.24\definitions\virusdefs\20130214.016\NAVEX15.SYS [2013-2-15 1603824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [2012-6-15 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [2012-6-15 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [2012-6-15 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [2012-6-15 25088]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-8-12 77624]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-8-12 181432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-02-09 18:54:22    57344    ----a-r-    c:\documents and settings\jli\application data\microsoft\installer\{87441a59-5e64-4096-a170-14efe67200c3}\ARPPRODUCTICON.exe
2013-02-09 18:51:11    --------    d-----w-    c:\program files\common files\Nikon
2013-02-09 18:51:04    --------    d-----w-    c:\program files\Nikon
2013-02-09 18:48:46    --------    d-----w-    c:\program files\MSXML 6.0
2013-02-05 03:49:43    465280    ----a-r-    c:\windows\system32\cpnprt2win32.cid
2013-02-05 03:49:34    --------    d-----w-    c:\program files\Coupons
2013-01-21 16:25:44    --------    d--h--w-    c:\windows\PIF
.
==================== Find3M  ====================
.
2013-02-08 15:33:21    74096    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-08 15:33:21    697712    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-01-26 03:55:44    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-07 01:19:45    2148864    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01    2027520    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-01-02 06:49:10    148992    ----a-w-    c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10    1292288    ----a-w-    c:\windows\system32\quartz.dll
2012-12-26 20:16:29    916480    ----a-w-    c:\windows\system32\wininet.dll
2012-12-26 20:16:28    43520    ------w-    c:\windows\system32\licmgr10.dll
2012-12-26 20:16:28    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2012-12-24 06:40:59    385024    ------w-    c:\windows\system32\html.iec
2012-12-24 03:05:15    137632    ----a-w-    c:\windows\system32\drivers\QQProtect.sys
2012-12-16 12:23:59    290560    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-14 21:49:28    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-12 03:13:02    505312    ----a-w-    c:\windows\system32\PPTVSvc.dll
2012-12-12 03:13:02    399968    ----a-w-    c:\windows\system32\PPTVLauncher.exe
2012-12-12 03:12:50    2299360    ----a-w-    c:\windows\system32\kindling.dll
2012-12-05 02:12:30    142496    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
.
============= FINISH: 22:24:06.80 ===============
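The helpers on this board triage a DDS or ComboFix log by eye: add-ons and autoruns loading from user-writable directories, orphaned CLSIDs, ActiveX CAB downloads from unknown hosts, services whose binary cannot be resolved or that hide inside svchost.exe, and firewall exceptions and open ports. The script below is an added example that is not part of this thread and not a BleepingComputer, DDS or ComboFix tool; it recognises the line formats used in the DDS log above and in the ComboFix log posted later in the thread (the service lines and the firewall-policy dump) and prints the entries worth a second look. The trusted-root and trusted-host lists are assumptions a reviewer would tune, and the sample log embedded in it is a constructed subset of lines copied from the logs in this thread. A hit means "check this", not "this is malware": the Google Update and RealPlayer entries it flags are legitimate software that simply lives where malware also likes to live.

```python
"""Triage helper for DDS / ComboFix text logs.

Added example for this thread; not a BleepingComputer tool and not part of
DDS or ComboFix. It parses BHO/TB/EB add-on lines, uRun/mRun autoruns, DPF
ActiveX downloads, R*/S* service lines and the ComboFix firewall-policy dump,
and flags what a helper would look at first. A hit means "check this".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: installed software lives under these roots; anything loaded from
# a user profile or All Users\Application Data gets flagged for review.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\network diagnostic",
    r"c:\program files",
    r"c:\progra~1",
)
# Assumption: ActiveX CAB downloads (DPF entries) from these hosts need no review.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "www.update.microsoft.com", "java.sun.com"}

ADDON_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>hxxps?://\S+)$")
SVC_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.*)$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')


@dataclass
class Finding:
    line: str
    reason: str


def normalise(path: str) -> str:
    """Lower-case a logged path, collapse the doubled backslashes ComboFix prints
    in registry dumps, and expand %windir% so prefix checks work."""
    p = path.strip().strip('"').lower().replace("\\\\", "\\")
    return p.replace("%windir%", r"c:\windows")


def under_trusted_root(path: str) -> bool:
    return normalise(path).startswith(TRUSTED_ROOTS)


def first_exe(cmd: str) -> str:
    """Extract the executable from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := ADDON_RE.match(line):
            path = m["path"].strip()
            if path == "<orphaned>":
                findings.append(Finding(line, "orphaned browser add-on: CLSID registered but DLL missing"))
            elif not under_trusted_root(path):
                findings.append(Finding(line, "browser add-on loaded from outside Program Files/System32"))
        elif m := RUN_RE.match(line):
            if not under_trusted_root(first_exe(m["cmd"])):
                findings.append(Finding(line, "autorun pointing into a user-writable location"))
        elif m := DPF_RE.match(line):
            host = m["url"].split("://", 1)[1].split("/", 1)[0].lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(line, f"ActiveX control downloaded from third-party host {host}"))
        elif m := SVC_RE.match(line):
            path = m["path"]
            if "[?]" in path:  # DDS/ComboFix print [?] when the image path did not resolve
                findings.append(Finding(line, "service whose binary path could not be resolved"))
            elif "svchost" in path.lower():
                findings.append(Finding(line, "service hosted inside svchost.exe; identify the DLL behind the -k group"))
            elif not under_trusted_root(path.split(" [", 1)[0]):
                findings.append(Finding(line, "service binary outside Program Files/System32"))
        elif m := PORT_RE.match(line):
            findings.append(Finding(line, f"firewall opens inbound {m['proto']} port {m['port']}"))
        elif m := FW_APP_RE.match(line):
            if not under_trusted_root(m["path"]):
                findings.append(Finding(line, "firewall exception for a binary in a user-writable location"))
    return findings


# Constructed sample: a subset of lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
BHO: VideoUrlSniffer Class: {00000ADA-7E0D-47C1-986C-F017D09C4304} - c:\program files\common files\thunder network\kankan\VideoUrlSniffer.2.0.1.99.(56).dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\jli\local settings\application data\google\update\GoogleUpdate.exe" /c
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343528509624
DPF: {C0A63B86-4B21-11D3-BD95-D426EF2C7949} - hxxps://insourcers.riahome.com/CABFiles/vsflex7L.cab
R2 PPTVService;PPTVService;c:\windows\system32\svchost.exe -k PPTVServiceGroup [2004-8-3 14336]
R2 XLServicePlatform;XLServicePlatform;c:\windows\system32\svchost -k xlserviceplatform --> c:\windows\system32\svchost -k XLServicePlatform [?]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2012-8-28 92632]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\jli\\Application Data\\PPLive\\PPLive\\PPLive.exe"=
"33674:UDP"= 33674:UDP:ThunderLAN(UDP)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.line}")
```

Run it against a saved DDS.txt or ComboFix.txt by passing the file contents to `triage()`; the sample produces eight hits and deliberately skips the Program Files add-on, the Microsoft Update CAB and the `%windir%` firewall entry.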
 

#2 The Dark Knight (Security Colleague, 661 posts)

Posted 16 February 2013 - 06:00 PM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear.

 

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.


#3 dislab (Topic Starter, 45 posts)

Posted 16 February 2013 - 08:30 PM

Thanks for the quick response and detailed instructions! I have disabled my Norton and run ComboFix. Below is the log. Sorry that some characters in the log are in Chinese. If you need any translation, please let me know. 
ComboFix 13-02-15.01 - jli 6/2013 Sat  20:02:03.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.936.86.1033.18.2303.1380 [GMT -5:00]
Run from: c:\documents and settings\jli\My Documents\Downloads\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Files deleted   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Application Data
c:\documents and settings\All Users\Application Data\Application Data\PPLive\PPTV\cache\pluginad\AdConfig.ini
c:\documents and settings\All Users\Application Data\Overdrive
c:\windows\system32\kindling.dll.(old)
c:\windows\system32\SET136.tmp
c:\windows\system32\SET138.tmp
c:\windows\system32\SET13C.tmp
c:\windows\system32\SET13D.tmp
c:\windows\system32\SET144.tmp
.
.
(((((((((((((((((((((((((  Files / folders created from 2013-01-17 to 2013-02-17  )))))))))))))))))))))))))))))))
.
.
2013-02-11 02:36 . 2013-02-11 02:36    --------    d-----w-    c:\documents and settings\All Users\Application Data\Nikon
2013-02-09 18:54 . 2013-02-09 18:54    57344    ----a-r-    c:\documents and settings\jli\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2013-02-09 18:51 . 2013-02-09 18:54    --------    d-----w-    c:\program files\Common Files\Nikon
2013-02-09 18:51 . 2013-02-09 18:55    --------    d-----w-    c:\program files\Nikon
2013-02-09 18:49 . 2013-02-09 18:52    --------    d-----w-    c:\documents and settings\All Users\Application Data\Ultima_T15
2013-02-09 18:49 . 2013-02-09 18:52    --------    d-----w-    c:\documents and settings\All Users\Application Data\EnterNHelp
2013-02-09 18:48 . 2013-02-09 18:48    --------    d-----w-    c:\program files\MSXML 6.0
2013-02-05 03:49 . 2013-02-14 01:23    465280    ----a-r-    c:\windows\system32\cpnprt2win32.cid
2013-02-05 03:49 . 2013-02-05 03:49    --------    d-----w-    c:\program files\Coupons
2013-01-21 16:25 . 2013-01-21 16:25    --------    d--h--w-    c:\windows\PIF
.
.
.
((((((((((((((((((((((((((((((((((((((((   Files modified within the last three months   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-08 15:33 . 2012-06-13 00:03    74096    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-08 15:33 . 2012-06-13 00:03    697712    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-01-26 03:55 . 2004-08-04 04:56    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-07 01:19 . 2004-08-04 03:18    2148864    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2004-08-03 22:59    2027520    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2004-08-04 03:17    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2004-08-04 04:56    148992    ----a-w-    c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2004-08-04 04:56    1292288    ----a-w-    c:\windows\system32\quartz.dll
2012-12-26 20:16 . 2004-08-04 04:56    916480    ----a-w-    c:\windows\system32\wininet.dll
2012-12-26 20:16 . 2004-08-04 04:56    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2012-12-26 20:16 . 2004-08-04 04:56    43520    ------w-    c:\windows\system32\licmgr10.dll
2012-12-24 06:40 . 2004-08-04 02:59    385024    ------w-    c:\windows\system32\html.iec
2012-12-24 03:05 . 2013-01-01 13:32    137632    ----a-w-    c:\windows\system32\drivers\QQProtect.sys
2012-12-16 12:23 . 2004-08-04 04:56    290560    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-14 21:49 . 2012-07-28 19:18    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-12 03:13 . 2012-12-12 03:13    505312    ----a-w-    c:\windows\system32\PPTVSvc.dll
2012-12-12 03:13 . 2012-12-12 03:13    399968    ----a-w-    c:\windows\system32\PPTVLauncher.exe
2012-12-12 03:12 . 2012-06-18 03:38    2299360    ----a-w-    c:\windows\system32\kindling.dll
2012-12-11 01:09 . 2012-12-11 01:09    58816    ----a-r-    c:\documents and settings\jli\Application Data\Microsoft\Installer\{157D158A-2D7F-4AC6-A896-02C78CCFAD6C}\ARPPRODUCTICON.exe
2012-12-05 02:12 . 2012-12-05 02:12    142496    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-02-08 01:23 . 2013-02-08 01:23    262552    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Registry loading points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{00000ADA-7E0D-47C1-986C-F017D09C4304}]
2012-08-28 02:33    530384    ----a-w-    c:\program files\Common Files\Thunder Network\Kankan\VideoUrlSniffer.2.0.1.99.(56).dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AAADesktopTips]
@="{4562B511-62E9-4533-B7B2-56A8BB10B482}"
[HKEY_CLASSES_ROOT\CLSID\{4562B511-62E9-4533-B7B2-56A8BB10B482}]
2012-12-03 12:03    255952    ----a-w-    c:\documents and settings\All Users\Application Data\Thunder Network\KanKan\reghelper\xappex.1.1.1.63.(998).dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2011-10-30 571392]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 03:24    620152    ----a-w-    c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28    59240    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B2C_AGENT]
2012-03-28 06:53    404568    ----a-w-    c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2012-07-30 14:21    822456    ----a-w-    c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3800 Series]
2005-02-08 08:00    98304    ----a-w-    c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ext2 Volume Manager]
2011-02-05 13:12    1211536    ----a-w-    c:\program files\Ext2Fsd\Ext2Mgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-04-30 02:25    116648    ----atw-    c:\documents and settings\jli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 02:32    208952    ----a-w-    c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12    3872080    ----a-w-    c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 02:31    59392    ----a-w-    c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 02:32    455168    ----a-w-    c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 02:32    455168    ----a-w-    c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]
2012-12-12 03:12    251896    ----a-w-    c:\program files\Common Files\PPLiveNetwork\PPAP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlinfoclient]
2012-05-17 11:45    36864    ----a-w-    c:\infoclient\InfoClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04    252848    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-08-11 14:35    296096    ----a-w-    c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2012-08-28 11:41    247768    ----a-w-    c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\jli\\Application Data\\PPLive\\PPLive\\PPLive.exe"=
"c:\\WINDOWS\\system32\\PPTVLauncher.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\NetMon\\net_monitor_i.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\NetMon\\lsp_check.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\LanSpeedViewer\\speed_viewer_i.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\LanSpeedViewer\\lsp_check.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderBhoStat.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\XBrowser.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\FCMiniDownloader\\MiniDownloader.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=
"c:\\Program Files\\Thunder Network\\Xmp\\Program\\XMP.exe"=
"c:\\Program Files\\Thunder Network\\Xmp\\Program\\ThunderLiveUD.exe"=
"c:\\Program Files\\Thunder Network\\Xmp\\Program\\XLBugReport.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\Kankan\\ThunderServiceLite.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\Kankan\\Xmp.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.131_1111\\ThunderPlatform.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.131_1111\\ThunderLiveUD.exe"=
"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.131_1111\\XLBugReport.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderExternal\\ThunderPlatform.exe"=
"c:\\Program Files\\Baofeng\\StormPlayer\\StormPlayer.exe"=
"c:\\Program Files\\Baofeng\\StormPlayer\\BaofengPlatform.exe"=
"c:\\Program Files\\Baofeng\\StormPlayer\\BaofengUpdate.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\nEO iMAGING\\LiveUpdate\\ThunderLiveUD.exe"=
"c:\\Program Files\\nEO iMAGING\\nEOiMAGING.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\PPLive\\PPLite\\PPLite.exe"=
"c:\\Program Files\\Common Files\\PPLiveNetwork\\PPAP.exe"=
"c:\\Documents and Settings\\jli\\Application Data\\Tencent\\QQ\\STemp\\SetupEx~0\\QQSetupEx.exe"=
"c:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe"=
"c:\\Program Files\\Tencent\\QQ\\Bin\\auclt.exe"=
"c:\\Program Files\\Common Files\\Tencent\\QQDownload\\119\\Tencentdl.exe"=
"c:\\Documents and Settings\\jli\\Application Data\\Tencent\\QQ\\STemp\\QQPCDetector~0\\QQPCDetector.exe"=
"c:\\Program Files\\Tencent\\QQMusic\\QzoneMusic\\QzoneMusic.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"33674:UDP"= 33674:UDP:ThunderLAN(UDP)
"33673:TCP"= 33673:TCP:ThunderLAN(TCP)
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1402000.013\symds.sys [12/4/2012 11:47 PM 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1402000.013\symefa.sys [12/4/2012 11:47 PM 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130208.001\BHDrvx86.sys [2/12/2013 3:56 PM 997464]
R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360\1402000.013\ccsetx86.sys [12/4/2012 11:47 PM 134304]
R1 Ext2Fsd;Linux ext2 file system driver;c:\windows\system32\drivers\ext2fsd.sys [9/23/2012 10:31 AM 686360]
R1 QQProtect;QQProtect;c:\windows\system32\drivers\QQProtect.sys [1/1/2013 8:32 AM 137632]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1402000.013\ironx86.sys [12/4/2012 11:47 PM 175264]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 4:53 PM 13672]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\20.2.0.19\ccsvchst.exe [12/4/2012 11:47 PM 143928]
R2 PPTVService;PPTVService;c:\windows\System32\svchost.exe -k PPTVServiceGroup [8/3/2004 11:56 PM 14336]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/28/2012 6:41 AM 92632]
R2 XLServicePlatform;XLServicePlatform;c:\windows\system32\svchost -k XLServicePlatform --> c:\windows\system32\svchost -k XLServicePlatform [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/5/2012 11:17 AM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130215.001\IDSXpx86.sys [2/15/2013 10:17 PM 373728]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [6/15/2012 9:12 PM 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [6/15/2012 9:12 PM 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [6/15/2012 9:12 PM 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [6/15/2012 9:12 PM 25088]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [8/12/2012 9:52 AM 77624]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [8/12/2012 9:52 AM 181432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
PPTVServiceGroup    REG_MULTI_SZ       PPTVService
XLServicePlatform    REG_MULTI_SZ       XLServicePlatform
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-13 15:33]
.
2013-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-26 02:05]
.
2013-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-26 02:05]
.
2013-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1647877149-682003330-1003Core.job
- c:\documents and settings\jli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-30 02:25]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1647877149-682003330-1003UA.job
- c:\documents and settings\jli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-30 02:25]
.
2013-02-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-1647877149-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2013-02-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-1647877149-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download with &Thunder - c:\program files\Thunder Network\Thunder\BHO\geturl.htm
IE: &Download all links with &Thunder - c:\program files\Thunder Network\Thunder\BHO\GetAllUrl.htm
IE: &Download with &Thunder Offline - c:\program files\Thunder Network\Thunder\BHO\OfflineDownload.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Edit and enhance with nEO iMAGING - c:\program files\nEO iMAGING\NeoOpenNeo.htm
IE: Play with Xunlei Kankan (Thunder) player - c:\documents and settings\All Users\Application Data\Thunder Network\XMP4\Core\Program\XmpIEMenu.htm
IE: Add current page to Xunlei Kankan (Thunder) player tab - c:\documents and settings\All Users\Application Data\Thunder Network\XMP4\Core\Program\XmpIEMenuAddStoreTab.htm
IE: {{14c1d00e-0b92-4379-880b-444fa2d740dd} - c:\documents and settings\All Users\Application Data\Thunder Network\XMP4\Core\Program\XmpIEToolMenu.htm
IE: {{24c1d00e-0b92-4379-880b-444fa2d740dd} - c:\documents and settings\All Users\Application Data\Thunder Network\XMP4\Core\Program\XmpIEToolBar.htm
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.0.1
DPF: {6C8E9E45-538C-473A-B83B-DA9AE1ED7604} - hxxps://insourcers.riahome.com/CABFiles/vspdf.cab
DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} - hxxps://insourcers.riahome.com/CABFiles/vsprint7.cab
DPF: {EBB0431C-10EB-432D-8C53-64BDBEDBD86B} - hxxps://insourcers.riahome.com/CABFiles/xmlgridRS.cab
DPF: {F4721362-90E1-11D4-B547-00105A80AE07} - hxxps://insourcers.riahome.com/CABFiles/RIAInRSImport.cab
DPF: {FE83D8C0-07C7-4915-A6B4-4A6B895E677F} - hxxps://insourcers.riahome.com/CABFiles/vsFlexXMLDSO.cab
FF - ProfilePath - c:\documents and settings\jli\Application Data\Mozilla\Firefox\Profiles\xy180osi.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-12_Symbian_USB_Download_Driver - c:\program files\SAMSUNG\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\SAMSUNG\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\SAMSUNG\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\SAMSUNG\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\SAMSUNG\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\SAMSUNG\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-16 20:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-1647877149-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\&使用&迅雷下载]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Thunder Network\\Thunder\\BHO\\geturl.htm"
"Name"="xl_geturl"
"Contexts"=dword:00000022
.
[HKEY_USERS\S-1-5-21-1659004503-1647877149-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\&使用&迅雷下载全部链接]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Thunder Network\\Thunder\\BHO\\GetAllUrl.htm"
"Name"="xl_getallurl"
"Contexts"=dword:000000f3
.
[HKEY_USERS\S-1-5-21-1659004503-1647877149-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\&使用&迅雷离线下载]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Thunder Network\\Thunder\\BHO\\OfflineDownload.htm"
"Name"="xl_offlinedownload"
"Contexts"=dword:00000022
.
[HKEY_USERS\S-1-5-21-1659004503-1647877149-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\磃螛q_髼5*]
"Order"=hex:08,00,00,00,02,00,00,00,7a,01,00,00,01,00,00,00,03,00,00,00,7e,00,
   00,00,00,00,00,00,70,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5e,00,36,\
.
[HKEY_USERS\S-1-5-21-1659004503-1647877149-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\駛臇鄀Le2*€{SO-N噀Hr]
"Order"=hex:08,00,00,00,02,00,00,00,12,02,00,00,01,00,00,00,04,00,00,00,80,00,
   00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\
.
Completion time: 2013-02-16  20:24:02
ComboFix-quarantined-files.txt  2013-02-17 01:23
.
Pre-Run: 3,686,760,448 bytes free
Post-Run: 3,927,511,040 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E9AB50CDD69FAD58EF73A7A87D11D584
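Two of the firewall AuthorizedApplications entries in the listing above point into the user's own profile (Application Data\Tencent\QQ\STemp\...~0\), that is, into folders that any process running as that user can write to, and two ports (33673/TCP, 33674/UDP) are globally open for ThunderLAN. The script below, added here as an example and not part of the original post or of ComboFix, parses that registry-export style output and flags exactly those cases. The AuthorizedApplications section header it expects is assumed to follow ComboFix's usual form, since the header itself falls above this excerpt.

```python
"""Audit the Windows XP firewall exceptions listed by ComboFix.

Added example for this thread, not part of the original post and not ComboFix's own
code. It parses the registry-export style lines ComboFix prints under the firewall
policy keys (backslashes doubled, values cut off after '=') and flags any
AuthorizedApplications entry that points into a user-writable location, such as the
QQ entries under "Application Data\\Tencent\\QQ\\STemp\\...~0" in the listing above.
The AuthorizedApplications section header is assumed to follow ComboFix's usual
"[HKLM\\~\\services\\sharedaccess\\...\\AuthorizedApplications\\List]" form.
"""
import re

# Constructed sample: four application entries and the two port entries copied from the
# listing above, under their (assumed) ComboFix section headers.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe"=
"c:\\Documents and Settings\\jli\\Application Data\\Tencent\\QQ\\STemp\\SetupEx~0\\QQSetupEx.exe"=
"c:\\Documents and Settings\\jli\\Application Data\\Tencent\\QQ\\STemp\\QQPCDetector~0\\QQPCDetector.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"33674:UDP"= 33674:UDP:ThunderLAN(UDP)
"33673:TCP"= 33673:TCP:ThunderLAN(TCP)
'''

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# Path fragments that an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = (
    "\\documents and settings\\",   # XP profiles: Application Data, Local Settings, Temp
    "\\users\\",                    # Vista and later profiles
    "\\programdata\\",
    "\\temp\\",
    "\\tmp\\",
)


def unescape(name):
    """ComboFix prints registry strings with doubled backslashes; collapse them."""
    return name.replace("\\\\", "\\")


def suspicious_reasons(path):
    """Reasons an authorized-application path deserves a second look (empty if none)."""
    p = path.lower()
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("user-writable location")
    if re.search(r"~\d+\\", p):
        reasons.append("temporary extraction folder (~N)")
    if not (p.startswith("c:\\program files\\") or p.startswith("c:\\windows\\")):
        reasons.append("outside Program Files / Windows")
    return reasons


def audit_firewall_exceptions(log_text):
    """Return (flagged_apps, open_ports) from a ComboFix firewall listing.

    flagged_apps: [(path, [reason, ...]), ...] for AuthorizedApplications entries
    open_ports:   [(port_spec, description), ...] for every GloballyOpenPorts entry,
                  since each one is an inbound hole worth reviewing.
    """
    section = None
    flagged, ports = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()
            if key.endswith("authorizedapplications\\list"):
                section = "apps"
            elif key.endswith("globallyopenports\\list"):
                section = "ports"
            else:
                section = None
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        name, value = unescape(m.group("name")), m.group("value").strip()
        if section == "apps":
            reasons = suspicious_reasons(name)
            if reasons:
                flagged.append((name, reasons))
        else:
            ports.append((name, value))
    return flagged, ports


if __name__ == "__main__":
    apps, open_ports = audit_firewall_exceptions(SAMPLE_LOG)
    for path, reasons in apps:
        print("REVIEW", path, "->", "; ".join(reasons))
    for spec, desc in open_ports:
        print("OPEN PORT", spec, desc)
```

Run against the full ComboFix output, the two QQ updater entries come back with all three reasons, the Program Files entries come back clean, and both ThunderLAN ports are listed for review. A flagged entry is not proof of infection (QQ's updater really does unpack into STemp), but a firewall exception for a transient executable in a user-writable folder is the kind of thing to remove once the software that created it has been uninstalled.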


#4 The Dark Knight
  • Security Colleague
  • 661 posts

Posted 17 February 2013 - 04:31 AM

Good evening dislab,

Please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.


Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#5 dislab (Topic Starter)
  • Members
  • 45 posts

Posted 17 February 2013 - 09:28 AM

Good morning, The Dark Knight!

I have run Malwarebytes Anti-Rootkit and nothing was found. Here are the two logs. Please advise. Thanks!

1. system-log.txt:

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1020
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 8.0.6001.18702
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.393000 GHz
Memory total: 2414866432, free: 1577304064
 
------------ Kernel report ------------
     02/17/2013 09:14:34
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
PCIIde.sys
\WINDOWS\System32\Drivers\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
SYMDS.SYS
sr.sys
SYMEFA.SYS
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
Mup.sys
agp440.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\atimpae.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\e1000325.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\aeaudio.sys
\SystemRoot\system32\DRIVERS\fsvga.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\system32\drivers\N360\1402000.013\ccSetx86.sys
\SystemRoot\system32\drivers\N360\1402000.013\Ironx86.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\??\C:\WINDOWS\system32\drivers\QQProtect.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Ext2Fsd.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SYMTDI.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130215.001\IDSxpx86.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\drivers\N360\1402000.013\SRTSPX.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130208.001\BHDrvx86.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\atidrae.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\System32\Drivers\N360\1402000.013\SRTSP.SYS
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130216.009\NAVEX15.SYS
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130216.009\NAVENG.SYS
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
\WINDOWS\system32\ntoskrnl.exe
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff89d3eab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T1L0-c\
Lower Device Object: 0xffffffff89d28b00
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff89d77ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-4\
Lower Device Object: 0xffffffff89d45b00
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Downloaded database version: v2013.02.17.03
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff89d77ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89d42930, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89d77ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89d45b00, DeviceName: \Device\Ide\IdeDeviceP0T0L0-4\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe57a0388, 0xffffffff89d77ab8, 0xffffffff889559a0
Lower DeviceData: 0xffffffffe5a78460, 0xffffffff89d45b00, 0xffffffff88a09040
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 35493549
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 61432497
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 61432560  Numsec = 173003985
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 120034123776 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-62-234421648-234441648)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff89d3eab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89d23b70, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89d3eab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89d28b00, DeviceName: \Device\Ide\IdeDeviceP0T1L0-c\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffffe5a3e6e0, 0xffffffff89d3eab8, 0xffffffff88972040
Lower DeviceData: 0xffffffffe27fb808, 0xffffffff89d28b00, 0xffffffff88989040
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1639018D
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 312576642
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 160041885696 bytes
Sector size: 512 bytes
 
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================
 
 
 
 
 
2. mbar-log-2013-02-17 (09-26-11).txt
 
Malwarebytes Anti-Rootkit BETA 1.01.0.1020
www.malwarebytes.org
 
Database version: v2013.02.17.03
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
jli :: DISLAB [administrator]
 
2/17/2013 9:26:11 AM
mbar-log-2013-02-17 (09-26-11).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 25317
Time elapsed: 10 minute(s), 52 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
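MBAR scans the "physical sectors of unpartitioned space" because that is where an MBR bootkit keeps its loader and its backup of the original boot code. The script below, an added example that is neither part of the original post nor Malwarebytes' code, rebuilds the gap list from the drive 0 partition dump above: sectors 1-62 before the first partition (the same leading range MBAR reports scanning) and the tail after the extended partition. It also checks the table for overlapping entries and for exactly one active partition, two things a tampered MBR can get wrong. The tail range it computes starts where the extended partition ends (sector 234436545), whereas MBAR's own log shows a window starting at 234421648; the example does not try to reproduce MBAR's choice of window.

```python
"""Recompute the unpartitioned sector ranges from an MBAR partition-table dump.

Added example for this thread, not part of the original post and not Malwarebytes'
own code. It parses the "Inspecting partition table" text MBAR prints for one drive,
computes the inclusive sector ranges that no partition covers (sector 0, the MBR
itself, is left out), and checks the table for overlaps and for a single active entry.
"""
import re

# Constructed sample: the drive 0 block from the system-log above, with one of the
# two empty slots dropped for brevity.
SAMPLE_MBAR = """
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 35493549

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 61432497
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 61432560  Numsec = 173003985

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 120034123776 bytes
Sector size: 512 bytes
"""

PART_RE = re.compile(r"Partition (?P<index>\d) type is (?P<name>.+?) \(0x(?P<code>[0-9a-fA-F]+)\)")
LBA_RE = re.compile(r"Partition starts at LBA: (?P<start>\d+)\s+Numsec = (?P<count>\d+)")
SIZE_RE = re.compile(r"Disk Size: (?P<bytes>\d+) bytes")
SECTOR_RE = re.compile(r"Sector size: (?P<size>\d+) bytes")


def parse_partition_table(text):
    """Return (used_partitions, total_sectors) for one drive's MBAR dump."""
    partitions, current = [], None
    disk_bytes = sector_size = None
    for line in text.splitlines():
        m = PART_RE.search(line)
        if m:
            current = {"index": int(m.group("index")), "type": int(m.group("code"), 16),
                       "active": False, "start": 0, "count": 0}
            partitions.append(current)
            continue
        if current is not None and "Partition is ACTIVE." in line:
            current["active"] = True
            continue
        m = LBA_RE.search(line)
        if m and current is not None:
            current["start"], current["count"] = int(m.group("start")), int(m.group("count"))
            continue
        m = SIZE_RE.search(line)
        if m:
            disk_bytes = int(m.group("bytes"))
            continue
        m = SECTOR_RE.search(line)
        if m:
            sector_size = int(m.group("size"))
    if disk_bytes is None or sector_size is None:
        raise ValueError("Disk Size / Sector size lines not found")
    # Empty slots (type 0x0, zero length) occupy no sectors and are dropped.
    used = [p for p in partitions if p["type"] != 0 and p["count"] > 0]
    return used, disk_bytes // sector_size


def _extents(partitions):
    """Sorted inclusive (first_sector, last_sector) pairs for the used partitions."""
    return sorted((p["start"], p["start"] + p["count"] - 1) for p in partitions)


def unpartitioned_ranges(partitions, total_sectors):
    """Inclusive sector ranges covered by no partition; sector 0 (the MBR) is left out."""
    gaps, cursor = [], 1
    for start, end in _extents(partitions):
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= total_sectors - 1:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def overlapping(partitions):
    """Pairs of extents that overlap; a non-empty result means a corrupt or tampered table."""
    ext = _extents(partitions)
    return [(a, b) for a, b in zip(ext, ext[1:]) if b[0] <= a[1]]


if __name__ == "__main__":
    parts, total = parse_partition_table(SAMPLE_MBAR)
    print("sectors on disk:", total)
    print("unpartitioned ranges:", unpartitioned_ranges(parts, total))
    print("overlaps:", overlapping(parts), "active partitions:", sum(p["active"] for p in parts))
```

The gap list is what to hand to a raw-sector read (or to compare against a known-good image of the same disk) when a rootkit scanner reports clean but the symptoms persist; anything non-zero in sectors 1-62 of a Windows XP disk other than the usual boot code deserves a look.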
 


#6 The Dark Knight
  • Security Colleague
  • 661 posts

Posted 17 February 2013 - 03:28 PM

Hello dislab,

Things look good.

Please download the Kaspersky Virus Removal Tool from here to your Desktop.

Double-click the Removal Tool.
Click the cog in the upper right corner:

Select down to and including your main drive.
Once done please select the Automatic Scan tab and press Start Scan.

Allow AVP to delete all infections found.
Once it has finished select the Report tab.
Select the Detected threats report from the left and press the Save button.
Save it to your Desktop and post the contents in your next reply.




#7 dislab (Topic Starter)
  • Members
  • 45 posts

Posted 18 February 2013 - 09:40 AM
Posted 18 February 2013 - 09:40 AM

Hi, I have run Kaspersky and here is the report. It detects several things in the email, and all the others are on the E: drive, which is never touched, as it is a backup of old files that I know contain some viruses. Thanks!

Kaspersky report:

Status: Disinfected   (events: 57)    
2/17/2013 9:02:12 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Order before prices increase | Flowers for Mother's Day on May 13][Time:2012/05/02 07:52:31]/PlainBody    High    
2/17/2013 9:03:28 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Member Pricing on Last Minute Mother's Day Gifts][Time:2012/05/09 09:38:19]/PlainBody    High    
2/17/2013 9:13:59 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Vacation Planning Reminder][Time:2012/05/16 08:06:38]/PlainBody    High    
2/17/2013 9:20:29 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Corporate Pricing: 30% Off Brooks Brothers (Today Only)][Time:2012/05/23 09:23:24]/PlainBody    High    
2/17/2013 9:24:28 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Restaurant Certificates: $4 for members][Time:2012/05/31 08:20:25]/PlainBody    High    
2/17/2013 9:36:14 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:TODAY ONLY: $10 off $20 at Best Buy][Time:2012/06/14 07:18:43]/PlainBody    High    
2/17/2013 9:36:57 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Member computer purchase programs | Save $800][Time:2012/06/20 08:18:33]/PlainBody    High    
2/17/2013 9:41:26 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Restaurant Certificates: $4 for members][Time:2012/06/27 08:14:19]/PlainBody    High    
2/17/2013 9:49:47 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Member pricing on tickets][Time:2012/07/03 08:53:12]/PlainBody    High    
2/17/2013 9:51:34 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:UPDATE: new HDTV member pricing | save $320][Time:2012/07/11 07:50:17]/PlainBody    High    
2/17/2013 9:53:57 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Restaurant Certificates: $4 for members][Time:2012/07/19 07:51:47]/PlainBody    High    
2/17/2013 9:54:48 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Wear-To-Work | Corporate discounts on apparel][Time:2012/07/25 07:57:08]/PlainBody    High    
2/17/2013 9:55:36 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:TODAY ONLY: $25 Off Priceline][Time:2012/08/02 03:57:54]/PlainBody    High    
2/17/2013 9:56:54 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Apple, Sony and more | Back to School offers][Time:2012/08/08 08:15:28]/PlainBody    High    
2/17/2013 10:00:52 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Back to School offers | Walmart & more][Time:2012/08/15 07:42:24]/PlainBody    High    
2/17/2013 10:03:30 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Restaurant Certificates: $5 for members][Time:2012/08/20 10:11:14]/PlainBody    High    
2/17/2013 10:06:58 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Program Announcement: GE Appliance Store added][Time:2012/08/29 08:00:41]/PlainBody    High    
2/17/2013 10:11:41 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Corporate rates on cell phones][Time:2012/09/06 08:21:56]/PlainBody    High    
2/17/2013 10:15:43 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Member early-bird holiday travel savings][Time:2012/09/19 07:34:52]/PlainBody    High    
2/17/2013 10:16:51 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Expires Today: Restaurant Certificates, $5 for members][Time:2012/09/26 07:25:05]/PlainBody    High    
2/17/2013 10:18:06 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Travel savings for members][Time:2012/10/03 08:01:00]/PlainBody    High    
2/17/2013 10:19:24 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Best prices 6 weeks before][Time:2012/10/10 07:48:59]/PlainBody    High    
2/17/2013 10:21:10 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Corporate event: 30% Off Apparel (Today Only)][Time:2012/10/18 07:42:43]/PlainBody    High    
2/17/2013 10:23:54 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Restaurant Certificates: $4 for members][Time:2012/10/31 08:08:22]/PlainBody    High    
2/17/2013 10:30:06 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Preview member holiday fair][Time:2012/11/21 08:38:49]/PlainBody    High    
2/17/2013 10:37:34 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Holiday Fair Savings Reminder][Time:2012/11/30 10:18:36]/PlainBody    High    
2/17/2013 10:40:19 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Restaurant Certificates: $4 for members][Time:2012/12/05 08:33:32]/PlainBody    High    
2/17/2013 10:46:26 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Members, don't pay retail][Time:2012/12/11 08:30:34]/PlainBody    High    
2/17/2013 10:50:12 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Free Shipping Monday for members][Time:2012/12/17 08:12:12]/PlainBody    High    
2/17/2013 10:51:52 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Instant delivery: $5 restaurant certificates (member pricing)][Time:2012/12/20 08:20:47]/PlainBody    High    
2/17/2013 10:59:10 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Program Announcement: Your Member Perks Program][Time:2013/01/09 10:34:34]/PlainBody    High    
2/17/2013 11:01:47 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Reminder: Your 2013 travel advantages][Time:2013/01/16 08:46:07]/PlainBody    High    
2/17/2013 11:09:31 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Member computer purchase program][Time:2013/01/23 08:52:01]/PlainBody    High    
2/17/2013 11:12:21 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Restaurant Certificates: $4 for members][Time:2013/01/29 08:22:25]/PlainBody    High    
2/17/2013 11:13:43 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:For members: Valentine's Day Fair][Time:2013/02/05 08:12:42]/PlainBody    High    
2/17/2013 11:14:52 PM    Disinfected    Trojan program Trojan-Spy.HTML.Bankfraud.oy    Outlook\Personal Folders\Top of Personal Folders\user3@gmail\[From:Corporate Discount Program][Subject:Restaurant Certificates: $4 for members][Time:2013/02/12 08:34:37]/PlainBody    High    
2/17/2013 11:32:10 PM    Disinfected    virus Email-Worm.Win32.Bagle.ef    Outlook\Personal Folders\Top of Personal Folders\user1@school\2005\[From:postmaster@msk-spam-relay2.aeroflot.ru][Subject:Delivery Status Notification (Failure)][Time:2005/11/01 14:34:48]/ATT16243.eml (5.41 KB)/Business_dealing.zip/t_535475.exe    High    
2/17/2013 11:32:10 PM    Disinfected    virus Email-Worm.Win32.Bagle.ef    Outlook\Personal Folders\Top of Personal Folders\user1@school\2005\[From:postmaster@msk-spam-relay2.aeroflot.ru][Subject:Delivery Status Notification (Failure)][Time:2005/11/01 14:34:48]/ATT16243.eml (5.41 KB)/Business_dealing.zip    High    
2/17/2013 11:32:10 PM    Disinfected    virus Email-Worm.Win32.Bagle.ef    Outlook\Personal Folders\Top of Personal Folders\user1@school\2005\[From:postmaster@msk-spam-relay2.aeroflot.ru][Subject:Delivery Status Notification (Failure)][Time:2005/11/01 14:34:48]/ATT16243.eml (5.41 KB)    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.jefw    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHADO/FDCT.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.jdxy    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHADO/FFT.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.jdxo    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHADO/MciAll.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.jdxi    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHADO/dllfile/CDAudio.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.jdxd    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHADO/dllfile/DSOut.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.jdug    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHADO/dllfile/MIDIAudio.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.jdxf    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHADO/dllfile/MPAudio.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.iijh    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHADO/dllfile/WaveAudio.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.ijuv    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHADO/dllfile/WavOut.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.jdsf    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHADO/dllfile/WordAudio.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.lquk    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHCVD/HttpFile.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.Menti.pegi    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHCVD/SysExplr.exe    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.ijbq    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHMPC/HttpFile.dll    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.Menti.pecm    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHTOOL/MPCMaker.exe    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program Trojan.Win32.FakeAV.nllh    E:\user1\D\Downloads\driver\D-contain-virus.zip/Downloads/Herosoft/STHTOOL/UniteMPEG.exe    High    
2/18/2013 8:03:19 AM    Disinfected    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\user1\D\Downloads\driver\D-contain-virus.zip    High    
2/18/2013 8:11:00 AM    Disinfected    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\Laptop\My Documents 1\My Documents\New Folder\H-backup.zip    High    
2/18/2013 8:11:00 AM    Disinfected    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\Laptop\My Documents\My Documents\New Folder\H-backup.zip    High    
Status: Deleted   (events: 38)    
2/18/2013 7:18:26 AM    Deleted    Trojan program Trojan-FakeAV.Win32.IPormor.af    E:\user1\D\Downloads\Iparmor-v5.46(1).rar//Iparmor_5.46.0805_LEOZEM.exe//data0001    High    
2/18/2013 7:18:26 AM    Deleted    Trojan program Trojan-FakeAV.Win32.IPormor.af    E:\user1\D\Downloads\Iparmor-v5.46(1).rar//Iparmor_5.46.0805_LEOZEM.exe    High    
2/18/2013 7:18:26 AM    Deleted    Trojan program Trojan-FakeAV.Win32.IPormor.af    E:\user1\D\Downloads\Iparmor-v5.46(1).rar    High    
2/18/2013 7:22:25 AM    Deleted    adware not-a-virus:AdWare.Win32.Cydoor    E:\user1\D\Downloads\driver\flashGet-v1.6.rar//fg160.exe//WISE0015.BIN/cd_clint.dll//PECompact    Medium    
2/18/2013 7:22:25 AM    Deleted    adware not-a-virus:AdWare.Win32.Cydoor    E:\user1\D\Downloads\driver\flashGet-v1.6.rar//fg160.exe//WISE0015.BIN/cd_clint.dll    Medium    
2/18/2013 7:22:25 AM    Deleted    adware not-a-virus:AdWare.Win32.Cydoor    E:\user1\D\Downloads\driver\flashGet-v1.6.rar//fg160.exe//WISE0015.BIN    Medium    
2/18/2013 7:22:25 AM    Deleted    adware not-a-virus:AdWare.Win32.Cydoor    E:\user1\D\Downloads\driver\flashGet-v1.6.rar//fg160.exe    Medium    
2/18/2013 7:22:25 AM    Deleted    adware not-a-virus:AdWare.Win32.Cydoor    E:\user1\D\Downloads\driver\flashGet-v1.6.rar    Medium    
2/18/2013 8:00:05 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jefw    E:\Laptop\user2\D\Downloads\Herosoft\STHADO\FDCT.dll    High    
2/18/2013 8:00:19 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdxo    E:\Laptop\user2\D\Downloads\Herosoft\STHADO\MciAll.dll    High    
2/18/2013 8:00:27 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdxy    E:\Laptop\user2\D\Downloads\Herosoft\STHADO\FFT.dll    High    
2/18/2013 8:00:33 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdxi    E:\Laptop\user2\D\Downloads\Herosoft\STHADO\dllfile\CDAudio.dll    High    
2/18/2013 8:00:41 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdxd    E:\Laptop\user2\D\Downloads\Herosoft\STHADO\dllfile\DSOut.dll    High    
2/18/2013 8:00:53 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdug    E:\Laptop\user2\D\Downloads\Herosoft\STHADO\dllfile\MIDIAudio.dll    High    
2/18/2013 8:01:07 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdxf    E:\Laptop\user2\D\Downloads\Herosoft\STHADO\dllfile\MPAudio.dll    High    
2/18/2013 8:01:51 AM    Deleted    Trojan program Trojan.Win32.FakeAV.iijh    E:\Laptop\user2\D\Downloads\Herosoft\STHADO\dllfile\WaveAudio.dll    High    
2/18/2013 8:02:07 AM    Deleted    Trojan program Trojan.Win32.FakeAV.ijuv    E:\Laptop\user2\D\Downloads\Herosoft\STHADO\dllfile\WavOut.dll    High    
2/18/2013 8:01:59 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdsf    E:\Laptop\user2\D\Downloads\Herosoft\STHADO\dllfile\WordAudio.dll    High    
2/18/2013 8:02:15 AM    Deleted    Trojan program Trojan.Win32.FakeAV.lquk    E:\Laptop\user2\D\Downloads\Herosoft\STHCVD\HttpFile.dll    High    
2/18/2013 8:02:29 AM    Deleted    Trojan program Trojan.Win32.Menti.pegi    E:\Laptop\user2\D\Downloads\Herosoft\STHCVD\SysExplr.exe    High    
2/18/2013 8:02:45 AM    Deleted    Trojan program Trojan.Win32.FakeAV.ijbq    E:\Laptop\user2\D\Downloads\Herosoft\STHMPC\HttpFile.dll    High    
2/18/2013 8:03:55 AM    Deleted    Trojan program Trojan.Win32.Menti.pecm    E:\Laptop\user2\D\Downloads\Herosoft\STHTOOL\MPCMaker.exe    High    
2/18/2013 8:03:59 AM    Deleted    Trojan program Trojan.Win32.FakeAV.nllh    E:\Laptop\user2\D\Downloads\Herosoft\STHTOOL\UniteMPEG.exe    High    
2/18/2013 8:20:09 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jefw    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032394.dll    High    
2/18/2013 8:20:19 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdxo    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032395.dll    High    
2/18/2013 8:20:14 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdxy    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032396.dll    High    
2/18/2013 8:20:23 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdxi    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032397.dll    High    
2/18/2013 8:20:28 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdxd    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032398.dll    High    
2/18/2013 8:20:33 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdug    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032399.dll    High    
2/18/2013 8:20:38 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdxf    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032400.dll    High    
2/18/2013 8:20:41 AM    Deleted    Trojan program Trojan.Win32.FakeAV.iijh    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032401.dll    High    
2/18/2013 8:20:48 AM    Deleted    Trojan program Trojan.Win32.FakeAV.jdsf    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032402.dll    High    
2/18/2013 8:20:51 AM    Deleted    Trojan program Trojan.Win32.FakeAV.ijuv    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032403.dll    High    
2/18/2013 8:20:56 AM    Deleted    Trojan program Trojan.Win32.FakeAV.lquk    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032404.dll    High    
2/18/2013 8:21:00 AM    Deleted    Trojan program Trojan.Win32.Menti.pegi    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032405.exe    High    
2/18/2013 8:21:04 AM    Deleted    Trojan program Trojan.Win32.FakeAV.ijbq    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032406.dll    High    
2/18/2013 8:21:10 AM    Deleted    Trojan program Trojan.Win32.Menti.pecm    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032407.exe    High    
2/18/2013 8:21:14 AM    Deleted    Trojan program Trojan.Win32.FakeAV.nllh    E:\System Volume Information\_restore{0FE8F77A-93A9-4605-B8F1-F5850C83C91B}\RP310\A0032408.exe    High    
Status: Quarantined   (events: 10)    
2/18/2013 7:27:29 AM    Quarantined    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\user1\D\Downloads\driver\D-contain-virus.zip/Outlook Express/Hotmail - Sent Items.dbx    High    
2/18/2013 7:29:03 AM    Quarantined    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\user1\D\Downloads\driver\D-contain-virus.zip/Outlook Express/tx-bcs.forsale.dbx    High    
2/18/2013 7:30:09 AM    Quarantined    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\user1\D\Downloads\driver\D-contain-virus.zip/Outlook Express/soc.culture.japan.dbx    High    
2/18/2013 7:30:40 AM    Quarantined    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\user1\D\Downloads\driver\D-contain-virus.zip/Outlook Express/soc.culture.japan.moderated.dbx    High    
2/18/2013 7:31:14 AM    Quarantined    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\user1\D\Downloads\driver\D-contain-virus.zip/Outlook Express/alt.japanese.text.dbx    High    
2/18/2013 7:31:21 AM    Quarantined    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\user1\D\Downloads\driver\D-contain-virus.zip/Outlook Express/alt.sex.fetish.fashion.dbx    High    
2/18/2013 8:08:58 AM    Quarantined    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\Laptop\My Documents\My Documents\New Folder\Cultural Paradoxes Reflect.txt    High    
2/18/2013 8:09:33 AM    Quarantined    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\Laptop\My Documents 1\My Documents\New Folder\Cultural Paradoxes Reflect.txt    High    
2/18/2013 8:10:44 AM    Quarantined    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\Laptop\My Documents\My Documents\New Folder\H-backup.zip/Cultural Paradoxes Reflect.txt    High    
2/18/2013 8:10:44 AM    Quarantined    Trojan program HEUR:Trojan-Dropper.Script.Generic    E:\Laptop\My Documents 1\My Documents\New Folder\H-backup.zip/Cultural Paradoxes Reflect.txt    High    


#8 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:03:45 PM

Posted 18 February 2013 - 03:25 PM

Hey dislab,

 

Kaspersky found and removed some trojans and a worm, all or any of which could have been your initial issue.

 

Please run a free online scan with the ESET Online Scanner.
Note: You can use Internet Explorer or Mozilla Firefox for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

 

How is your computer running?


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#9 dislab

dislab
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 19 February 2013 - 07:50 AM

The desktop has been fine even on the day when the spam emails were sent. I have deleted my email accounts in Outlook. But I have no idea whether the virus is still there. It is just embarrassing if this happens again, as it sends emails to many people, including my boss.

 

 

I feel those detected by Kaspersky may not be the one that caused the spam emails, as those emails from "Corporate Discount Program" are actually legitimate emails from a website related to my employer.
 
Here is the log from the ESET online scanner; two were detected on the E: drive. Thanks!

 

C:\Program Files\EsetOnlineScanner\log.txt

 

 

# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=c30caa4bf2c28047a0947958b3bda39c
# engine=13187
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-02-19 05:58:34
# local_time=2013-02-19 12:58:34 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=6657 16777214 0 14 16377195 16377195 0 0
# scanned=283142
# found=2
# cleaned=0
# scan_time=12037
sh=DF0BF1431A6065297CC884CEAA8D47D4F29A7AB9 ft=1 fh=d2c32a46837e9aba vn="probably a variant of Win32/Agent.LNARLWR trojan" ac=I fn="E:\jli\D\Downloads\Iparmor-v5.46\tu.exe"
sh=DF0BF1431A6065297CC884CEAA8D47D4F29A7AB9 ft=1 fh=d2c32a46837e9aba vn="probably a variant of Win32/Agent.LNARLWR trojan" ac=I fn="E:\WD80G\Retrospect Backup\Backup of Data (D)\Downloads\Iparmor-v5.46\tu.exe"
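As an added illustration, not code from the thread or from ESET: a small Python parser for the log.txt format posted above. It reads the `# key=value` header and the `sh=... vn="..." fn="..."` detection lines, groups hits by the `sh` (file SHA-1) field, and cross-checks the header's `found`/`cleaned` counters against the detection lines. The sample text reproduces lines from the log above; the backup-path markers used for triage are an assumption.

```python
"""Parse ESET Online Scanner log.txt output and summarise the detections."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample log in the format posted in the thread (header and detection lines
# reproduced from that log; some header keys omitted for brevity).
SAMPLE_LOG = r"""# version=8
# end=finished
# remove_checked=false
# scanned=283142
# found=2
# cleaned=0
sh=DF0BF1431A6065297CC884CEAA8D47D4F29A7AB9 ft=1 fh=d2c32a46837e9aba vn="probably a variant of Win32/Agent.LNARLWR trojan" ac=I fn="E:\jli\D\Downloads\Iparmor-v5.46\tu.exe"
sh=DF0BF1431A6065297CC884CEAA8D47D4F29A7AB9 ft=1 fh=d2c32a46837e9aba vn="probably a variant of Win32/Agent.LNARLWR trojan" ac=I fn="E:\WD80G\Retrospect Backup\Backup of Data (D)\Downloads\Iparmor-v5.46\tu.exe"
"""

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed markers for paths that are backup or restore-point copies rather
# than the live file (not defined by ESET; chosen for this triage helper).
BACKUP_MARKERS = ("backup", "system volume information", "_restore")


@dataclass(frozen=True)
class Detection:
    sha1: str       # sh= field: SHA-1 of the scanned object
    file_hash: str  # fh= field: ESET's short file hash
    name: str       # vn= field: detection name
    action: str     # ac= field: action code as written in the log
    path: str       # fn= field: full path of the object


def parse_eset_log(text):
    """Return (header_dict, [Detection, ...]) for one log.txt body."""
    header = {}
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        # findall yields (key, quoted_value, bare_value); one of the two is ''.
        fields = {k: (q or b) for k, q, b in TOKEN_RE.findall(line)}
        if "sh" not in fields:
            continue  # not a detection line
        detections.append(Detection(
            sha1=fields.get("sh", ""),
            file_hash=fields.get("fh", ""),
            name=fields.get("vn", ""),
            action=fields.get("ac", ""),
            path=fields.get("fn", ""),
        ))
    return header, detections


def group_by_sha1(detections):
    """Map each SHA-1 to the list of paths where that same object was found."""
    groups = defaultdict(list)
    for d in detections:
        groups[d.sha1].append(d.path)
    return dict(groups)


def triage(text):
    """Summarise a log: did the scan finish, do the counters agree with the
    detection lines, how many distinct files are involved, and which hits
    sit in backup or restore-point locations."""
    header, detections = parse_eset_log(text)
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    groups = group_by_sha1(detections)
    in_backups = [d.path for d in detections
                  if any(m in d.path.lower() for m in BACKUP_MARKERS)]
    return {
        "complete": header.get("end") == "finished",
        "remove_checked": header.get("remove_checked") == "true",
        "found": found,
        "cleaned": cleaned,
        "count_matches": found == len(detections),
        "unique_files": len(groups),
        "groups": groups,
        "in_backups": in_backups,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"scan complete: {summary['complete']}, found={summary['found']}, "
          f"cleaned={summary['cleaned']}, distinct files={summary['unique_files']}")
    for sha1, paths in summary["groups"].items():
        print(sha1)
        for p in paths:
            print("   ", p)
```

On the posted log this reports two hits that share one SHA-1, so there is a single file plus its backup copy rather than two separate infections.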


#10 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:03:45 PM

Posted 19 February 2013 - 03:02 PM

Hello dislab,

Please download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.



#11 dislab

dislab
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 19 February 2013 - 09:51 PM

Thanks! Here are the two log files from OTL:

 

1. OTL.txt

 

 

OTL logfile created on: 2/19/2013 9:38:05 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\user1\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.25 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 46.05% Memory free
4.09 Gb Paging File | 2.74 Gb Available in Paging File | 66.86% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 4.66 Gb Free Space | 15.91% Space Free | Partition Type: NTFS
Drive D: | 29.28 Gb Total Space | 6.72 Gb Free Space | 22.97% Space Free | Partition Type: FAT32
Drive E: | 149.05 Gb Total Space | 39.81 Gb Free Space | 26.71% Space Free | Partition Type: NTFS
 
Computer Name: HOSTNAME1 | User Name: user1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/02/19 21:36:54 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user1\My Documents\Downloads\OTL.exe
PRC - [2013/01/25 21:35:08 | 001,248,208 | ---- | M] (Google Inc.) -- C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2012/10/10 21:29:14 | 000,143,928 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\20.2.0.19\ccsvchst.exe
PRC - [2012/09/28 23:21:19 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/08/28 06:41:08 | 000,092,632 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2012/07/25 07:05:38 | 000,198,608 | ---- | M] (深圳市迅雷网络技术有限公司) -- C:\Documents and Settings\All Users\Application Data\Thunder Network\XMP4\Core\Program\xmp.exe
PRC - [2012/05/17 06:45:56 | 000,036,864 | ---- | M] () -- c:\InfoClient\InfoClient.exe
PRC - [2011/08/25 16:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013/02/13 15:29:48 | 012,638,576 | ---- | M] () -- C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.6.602.167\pepflashplayer.dll
MOD - [2013/02/12 23:10:43 | 000,221,696 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.ServiceProce#\e4f82846ccd62422ce76269e71434b9a\System.ServiceProcess.ni.dll
MOD - [2013/02/12 23:03:46 | 013,198,336 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\256e88c5453292fbbd6013d4d701bcd6\System.Windows.Forms.ni.dll
MOD - [2013/01/25 21:35:06 | 000,460,240 | ---- | M] () -- C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.57\ppgooglenaclpluginchrome.dll
MOD - [2013/01/25 21:35:04 | 004,012,496 | ---- | M] () -- C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.57\pdf.dll
MOD - [2013/01/25 21:34:16 | 001,552,848 | ---- | M] () -- C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.57\ffmpegsumo.dll
MOD - [2013/01/09 03:31:18 | 000,762,880 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\9e3739b4771f4a8242c63b1284f9f874\System.Runtime.Remoting.ni.dll
MOD - [2013/01/09 03:31:14 | 000,786,944 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\73dfd6d7522b243d1667d76ada75eedb\System.EnterpriseServices.ni.dll
MOD - [2013/01/09 03:31:12 | 000,646,656 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Transactions\9c09894406177133007709e7d365a240\System.Transactions.ni.dll
MOD - [2013/01/09 03:10:42 | 006,798,336 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Data\284b79d0ae2cdd7c7b8ce2171101dca1\System.Data.ni.dll
MOD - [2013/01/09 03:10:18 | 005,618,176 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xml\21db024ca58220c55bb81027eff223ac\System.Xml.ni.dll
MOD - [2013/01/09 03:10:17 | 001,667,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\76a04d2cedfe12188c5fc8ceeae8eeae\System.Drawing.ni.dll
MOD - [2013/01/09 03:10:05 | 000,980,480 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Configuration\c76a75cdbbd5cdbcba06e163235e4eac\System.Configuration.ni.dll
MOD - [2013/01/09 03:09:42 | 007,053,824 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Core\858d355eeaaf1def8ac3505fd9eb67ca\System.Core.ni.dll
MOD - [2013/01/09 03:09:13 | 009,093,120 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\a76e1d1e8c33f20b53f99d4c1d37ca15\System.ni.dll
MOD - [2013/01/09 03:08:57 | 014,413,312 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\75dbd3e66b6c699711e2c193fd9aef07\mscorlib.ni.dll
MOD - [2012/07/30 05:06:40 | 000,063,504 | ---- | M] () -- C:\Program Files\Thunder Network\Xmp\Program\XLBugHandler.dll
MOD - [2012/07/30 05:06:40 | 000,063,504 | ---- | M] () -- c:\Program Files\Common Files\Thunder Network\ServicePlatform\XLBugHandler.dll
MOD - [2012/05/30 09:51:08 | 000,699,280 | R--- | M] () -- C:\Program Files\Norton Security Suite\Engine\20.2.0.19\wincfi39.dll
MOD - [2012/05/17 06:45:56 | 000,999,424 | ---- | M] () -- c:\InfoClient\clibhlpr.dll
MOD - [2012/05/17 06:45:56 | 000,081,920 | ---- | M] () -- c:\InfoClient\WTCommlib.dll
MOD - [2012/05/17 06:45:56 | 000,036,864 | ---- | M] () -- c:\InfoClient\InfoClient.exe
MOD - [2008/04/13 19:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 19:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013/02/08 10:33:25 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/02/07 20:23:26 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/12/11 22:13:02 | 000,505,312 | ---- | M] (PPTV) [Auto | Running] -- C:\WINDOWS\system32\PPTVSvc.dll -- (PPTVService)
SRV - [2012/10/10 21:29:14 | 000,143,928 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe -- (N360)
SRV - [2012/09/28 23:21:19 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/08/28 06:41:08 | 000,092,632 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2012/07/30 05:08:08 | 000,088,080 | ---- | M] (ShenZhen Xunlei Networking Technologies,LTD) [Auto | Running] -- C:\Program Files\Common Files\Thunder Network\ServicePlatform\XLSP.dll -- (XLServicePlatform)
SRV - [2012/04/29 21:26:19 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/08/25 16:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\user1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2013/01/16 20:43:59 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130219.017\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/01/16 20:43:59 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20130219.017\NAVENG.SYS -- (NAVENG)
DRV - [2013/01/15 21:51:12 | 000,997,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130208.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/12/23 22:05:15 | 000,137,632 | ---- | M] (Tencent) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\QQProtect.sys -- (QQProtect)
DRV - [2012/12/04 21:41:50 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/12/04 21:41:50 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/12/04 21:12:30 | 000,142,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2012/12/02 17:32:04 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130216.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2012/10/08 20:00:02 | 000,586,400 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\N360\1402000.013\srtsp.sys -- (SRTSP)
DRV - [2012/10/03 20:40:36 | 000,927,904 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\1402000.013\symefa.sys -- (SymEFA)
DRV - [2012/10/03 20:40:20 | 000,368,288 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\1402000.013\symds.sys -- (SymDS)
DRV - [2012/10/03 20:19:14 | 000,134,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\1402000.013\ccsetx86.sys -- (ccSet_N360)
DRV - [2012/07/27 22:05:22 | 000,175,264 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\1402000.013\ironx86.sys -- (SymIRON)
DRV - [2012/07/22 20:34:24 | 000,394,656 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\1402000.013\symtdi.sys -- (SYMTDI)
DRV - [2012/05/25 00:36:56 | 000,032,888 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\1402000.013\srtspx.sys -- (SRTSPX)
DRV - [2011/10/04 05:22:16 | 000,181,432 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudmdm.sys -- (ssudmdm)
DRV - [2011/10/04 05:22:16 | 000,077,624 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudbus.sys -- (dg_ssudbus)
DRV - [2011/07/09 00:32:52 | 000,686,360 | ---- | M] (www.ext2fsd.com) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ext2fsd.sys -- (Ext2Fsd)
DRV - [2010/12/07 13:23:00 | 000,025,088 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandmodem.sys -- (ANDModem)
DRV - [2010/12/07 13:23:00 | 000,020,736 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lganddiag.sys -- (AndDiag)
DRV - [2010/12/07 13:23:00 | 000,020,096 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandgps.sys -- (AndGps)
DRV - [2010/12/07 13:22:58 | 000,014,336 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandbus.sys -- (Andbus)
DRV - [2001/08/23 07:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)
DRV - [2001/08/17 07:49:00 | 000,075,136 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atimpae.sys -- (atirage3)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.2
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_149.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pptv.com/plugin: C:\Program Files\Internet Explorer\PPLite\plugin\1.0.1.2906\npplugin2.dll (PPLive Corporation)
FF - HKLM\Software\MozillaPlugins\@qq.com/npqscall: C:\Program Files\Common Files\Tencent\NPQSCALL\npqscall.dll (Tencent)
FF - HKLM\Software\MozillaPlugins\@qq.com/QQPhotoDrawEx: C:\Program Files\Tencent\Qzone\npQQPhotoDrawEx.dll ()
FF - HKLM\Software\MozillaPlugins\@qq.com/QzoneMusic: C:\Program Files\Tencent\QQMusic\QzoneMusic\npQzoneMusic.dll (Tencent)
FF - HKLM\Software\MozillaPlugins\@qq.com/TXSSO: C:\Program Files\Common Files\Tencent\TXSSO\1.2.1.89\Bin\npSSOAxCtrlForPTLogin.dll (Tencent)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@xunlei.com/DapCtrl: C:\Program Files\Common Files\Thunder Network\KanKan\npDapCtrl.3.1.0.6.(204).dll (ShenZhen Thunder Networking Technologies Ltd.)
FF - HKLM\Software\MozillaPlugins\@xunlei.com/npxunlei;version=1.0.0.1: C:\Program Files\Thunder Network\Thunder\data\npxunlei1.0.0.1.dll ( )
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\user1\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\user1\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@xunlei.com/npxunlei;version=1.0.0.1: C:\Program Files\Thunder Network\Thunder\data\npxunlei1.0.0.1.dll ( )
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/08/11 09:37:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn\ [2012/12/04 21:15:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\ [2013/02/19 08:02:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/02/07 20:23:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/02/07 20:23:18 | 000,000,000 | ---D | M]
 
[2012/06/24 14:09:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user1\Application Data\Mozilla\Extensions
[2012/06/24 14:09:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user1\Application Data\Mozilla\Extensions\home2@tomtom.com
[2012/10/22 19:29:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\xy180osi.default\extensions
[2013/02/07 20:23:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/02/07 20:23:26 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/10/19 18:18:49 | 000,248,192 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2012/10/19 18:18:57 | 000,248,192 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2012/09/13 05:21:32 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/11/14 14:00:20 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.57\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.57\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - Extension: YouTube = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google Search = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: Website Blocker (Beta) = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hclgegipaehbigmbhdpfapmjadbaldib\0.1.9_0\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
CHR - Extension: Norton Identity Protection = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2013.2.0.18_0\
CHR - Extension: Gmail = C:\Documents and Settings\user1\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\
 
O1 HOSTS File: ([2013/02/16 20:20:28 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (VideoUrlSniffer Class) - {00000ADA-7E0D-47C1-986C-F017D09C4304} - C:\Program Files\Common Files\Thunder Network\Kankan\VideoUrlSniffer.2.0.1.99.(56).dll (深圳市迅雷网络技术有限公司)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\20.2.0.19\coieplg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\20.2.0.19\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (迅雷下载支持) - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\BHO\XunleiBHO7.2.9.3634.dll (深圳市迅雷网络技术有限公司)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.2.0.19\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\20.2.0.19\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Nikon Message Center 2] C:\Program Files\Nikon\Nikon Message Center 2\NkMC2.exe (Nikon Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &使用&迅雷下载 - C:\Program Files\Thunder Network\Thunder\BHO\geturl.htm ()
O8 - Extra context menu item: &使用&迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\BHO\getAllurl.htm ()
O8 - Extra context menu item: &使用&迅雷离线下载 - C:\Program Files\Thunder Network\Thunder\BHO\OfflineDownload.htm ()
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: 使用光影编辑和美化 - C:\Program Files\nEO iMAGING\NeoOpenNeo.htm ()
O8 - Extra context menu item: 使用迅雷看看播放器播放 - C:\Documents and Settings\All Users\Application Data\Thunder Network\XMP4\Core\Program\XmpIEMenu.htm ()
O8 - Extra context menu item: 添加当前页到迅雷看看播放器标签 - C:\Documents and Settings\All Users\Application Data\Thunder Network\XMP4\Core\Program\XmpIEMenuAddStoreTab.htm ()
O9 - Extra 'Tools' menuitem : 启动迅雷看看播放器 - {14c1d00e-0b92-4379-880b-444fa2d740dd} - C:\Documents and Settings\All Users\Application Data\Thunder Network\XMP4\Core\Program\XmpIEToolMenu.htm ()
O9 - Extra Button: 启动迅雷看看播放器 - {24c1d00e-0b92-4379-880b-444fa2d740dd} - C:\Documents and Settings\All Users\Application Data\Thunder Network\XMP4\Core\Program\XmpIEToolBar.htm ()
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} https://insourcers.riahome.com/CABFiles/RSLoginModule.cab (CLRMachineInfoCtl Class)
O16 - DPF: {455182EE-8F93-11D2-BA3C-00C04F7F6533} https://insourcers.riahome.com/CABFiles/RSTabbedList.cab (CLRTabbedList Class)
O16 - DPF: {6C8E9E45-538C-473A-B83B-DA9AE1ED7604} https://insourcers.riahome.com/CABFiles/vspdf.cab (:-) VideoSoft VSPDF 7.0)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343528509624 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {82BFFC8C-B4BD-11D4-9908-000102053AFB} https://insourcers.riahome.com/CABFiles/webnotifier.cab (GRSNotifierCtrl Class)
O16 - DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} https://insourcers.riahome.com/CABFiles/vsprint7.cab (:-) VideoSoft VSPrinter 7.0)
O16 - DPF: {C0A63B86-4B21-11D3-BD95-D426EF2C7949} https://insourcers.riahome.com/CABFiles/vsflex7L.cab (:-) VideoSoft FlexGrid 7.0 (Light))
O16 - DPF: {D76D712E-4A96-11D3-BD95-D296DC2DD072} https://insourcers.riahome.com/CABFiles/vsflex7.cab (:-) VideoSoft FlexGrid 7.0 (OLEDB))
O16 - DPF: {EBB0431C-10EB-432D-8C53-64BDBEDBD86B} https://insourcers.riahome.com/CABFiles/xmlgridRS.cab (XmlGridRS Class)
O16 - DPF: {F4721362-90E1-11D4-B547-00105A80AE07} https://insourcers.riahome.com/CABFiles/RIAInRSImport.cab (xmlWrapper Class)
O16 - DPF: {FE83D8C0-07C7-4915-A6B4-4A6B895E677F} https://insourcers.riahome.com/CABFiles/vsFlexXMLDSO.cab (VSFlexDSO Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E78125AE-141A-4E8E-A542-044C6B497848}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\user1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/04/29 17:48:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
NetSvcs: 6to4 -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
 
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/02/18 21:33:16 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/02/17 09:13:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user1\Desktop\mbar
[2013/02/16 19:59:46 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/02/16 19:56:25 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/02/16 19:56:25 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/02/16 19:56:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/02/16 19:56:25 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/02/16 19:55:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/02/16 19:54:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/02/15 20:43:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2013/02/10 21:36:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nikon
[2013/02/09 13:55:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Nikon Message Center 2
[2013/02/09 13:51:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ViewNX 2
[2013/02/09 13:51:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nikon
[2013/02/09 13:51:04 | 000,000,000 | ---D | C] -- C:\Program Files\Nikon
[2013/02/09 13:49:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2013/02/09 13:49:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2013/02/09 13:48:46 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2013/02/09 13:48:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Link to Nikon
[2013/02/07 20:23:14 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/02/04 22:49:43 | 000,465,280 | R--- | C] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2win32.cid
[2013/02/04 22:49:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Coupons
[2013/02/04 22:49:34 | 000,000,000 | ---D | C] -- C:\Program Files\Coupons
[2013/01/21 11:25:44 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\user1\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\user1\Local Settings\Application Data\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/02/19 21:33:06 | 000,000,536 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/02/19 21:26:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/19 20:49:01 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1647877149-682003330-1003UA.job
[2013/02/19 19:26:01 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/19 08:02:49 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-1647877149-682003330-1003.job
[2013/02/19 08:02:46 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-1647877149-682003330-1003.job
[2013/02/19 08:02:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/02/19 08:02:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/02/19 08:01:53 | 2414,940,160 | -HS- | M] () -- C:\hiberfil.sys
[2013/02/19 04:49:01 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1647877149-682003330-1003Core.job
[2013/02/16 20:20:28 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/02/16 19:59:56 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2013/02/15 21:23:18 | 000,002,296 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/02/15 20:46:47 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/14 23:00:40 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\user1\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2013/02/13 20:23:30 | 000,465,280 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2win32.cid
[2013/02/13 07:11:17 | 000,243,128 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/12 23:08:09 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/02/12 23:02:53 | 000,475,764 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/12 23:02:53 | 000,076,798 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/02/09 13:52:39 | 000,000,268 | RH-- | M] () -- C:\Documents and Settings\user1\Application Data\NetServices
[2013/02/09 13:52:39 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLes.DAT
[2013/02/09 13:52:39 | 000,000,012 | RH-- | M] () -- C:\Documents and Settings\All Users\Application Data\Pipe Organ
[2013/02/09 13:51:18 | 000,001,794 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ViewNX 2.lnk
[2013/02/09 13:50:36 | 000,000,268 | RH-- | M] () -- C:\Documents and Settings\All Users\Application Data\PDEs
[2013/02/09 13:50:36 | 000,000,268 | RH-- | M] () -- C:\Documents and Settings\All Users\Application Data\Organs
[2013/02/09 13:50:36 | 000,000,268 | RH-- | M] () -- C:\Documents and Settings\user1\Application Data\Noise Gate
[2013/02/09 13:50:36 | 000,000,268 | RH-- | M] () -- C:\Documents and Settings\user1\Application Data\Nature Sounds
[2013/02/09 13:50:36 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLev.DAT
[2013/02/09 13:50:36 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLet.DAT
[2013/02/09 13:50:36 | 000,000,012 | RH-- | M] () -- C:\Documents and Settings\All Users\Application Data\Plants
[2013/02/09 13:50:36 | 000,000,012 | RH-- | M] () -- C:\Documents and Settings\All Users\Application Data\Pianos and Keyboards
[2013/02/09 13:49:57 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLeo.DAT
[2013/02/09 13:49:47 | 000,000,268 | RH-- | M] () -- C:\Documents and Settings\user1\Application Data\Phaser
[2013/02/09 13:49:47 | 000,000,012 | RH-- | M] () -- C:\Documents and Settings\All Users\Application Data\Rock Kit
[2013/02/08 12:10:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/02/08 10:33:21 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/02/08 10:33:21 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/02/03 08:39:19 | 000,054,352 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2013/01/31 22:53:33 | 000,002,286 | ---- | M] () -- C:\Documents and Settings\user1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/01/31 22:53:33 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\user1\Desktop\Google Chrome.lnk
[2013/01/26 11:12:32 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\user1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/01/25 22:55:44 | 000,552,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleaut32.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\user1\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\user1\Local Settings\Application Data\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/02/16 19:59:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2013/02/16 19:59:51 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/02/16 19:56:25 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/02/16 19:56:25 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/02/16 19:56:25 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/02/16 19:56:25 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/02/16 19:56:25 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/02/15 22:05:18 | 2414,940,160 | -HS- | C] () -- C:\hiberfil.sys
[2013/02/09 13:52:39 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\user1\Application Data\NetServices
[2013/02/09 13:52:39 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLes.DAT
[2013/02/09 13:52:39 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Pipe Organ
[2013/02/09 13:51:18 | 000,001,794 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ViewNX 2.lnk
[2013/02/09 13:50:36 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\PDEs
[2013/02/09 13:50:36 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Organs
[2013/02/09 13:50:36 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\user1\Application Data\Noise Gate
[2013/02/09 13:50:36 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\user1\Application Data\Nature Sounds
[2013/02/09 13:50:36 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLev.DAT
[2013/02/09 13:50:36 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Plants
[2013/02/09 13:50:35 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLet.DAT
[2013/02/09 13:49:47 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\user1\Application Data\Phaser
[2013/02/09 13:49:47 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Rock Kit
[2013/02/09 13:49:47 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Pianos and Keyboards
[2013/02/09 13:49:46 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLeo.DAT
[2013/02/03 08:39:19 | 000,054,352 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2012/08/02 22:52:39 | 000,000,915 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\coreavc.ini
[2012/08/02 22:22:19 | 000,000,020 | ---- | C] () -- C:\WINDOWS\System32\pub_store.dat
[2012/06/17 22:38:30 | 002,299,360 | ---- | C] () -- C:\WINDOWS\System32\kindling.dll
[2012/06/15 21:14:12 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\CommonDL.dll
[2012/06/15 21:14:12 | 000,002,413 | ---- | C] () -- C:\WINDOWS\System32\lgAxconfig.ini
[2012/05/31 06:48:30 | 000,002,296 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/28 22:37:20 | 000,968,696 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1659004503-1647877149-682003330-1003-0.dat
[2012/05/28 22:37:18 | 000,242,762 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/05/05 16:39:25 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2012/05/05 15:08:35 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\user1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/29 22:06:05 | 000,012,973 | ---- | C] () -- C:\Documents and Settings\user1\Application Data\Comma Separated Values (Windows).CAL
[2012/04/29 21:53:35 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2012/04/29 21:53:35 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2012/04/29 21:53:35 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2012/04/29 21:53:35 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2012/04/29 21:53:35 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2012/04/29 21:53:35 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2012/04/29 21:53:35 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2012/04/29 21:53:35 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2012/04/29 21:53:35 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2012/04/29 21:53:35 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2012/04/29 21:53:35 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2012/04/29 21:53:34 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2012/04/29 21:53:34 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2012/04/29 21:53:34 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2012/04/29 21:53:34 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2012/04/29 21:53:34 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2012/04/29 21:10:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/04/29 19:53:06 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/04/29 18:22:56 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2012/04/29 17:50:47 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/04/29 17:45:23 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/04/29 13:29:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/04/29 13:28:29 | 000,243,128 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
 
========== ZeroAccess Check ==========
 
[2012/10/07 14:11:10 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2012/02/28 13:50:30 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Custom Scans ==========
 
< %SYSTEMDRIVE%\*.* >
[2012/04/29 17:48:26 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2012/10/30 12:46:37 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2013/02/16 19:59:56 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/07/04 18:54:43 | 000,751,747 | ---- | M] () -- C:\brothers.JPG
[2004/08/03 23:00:02 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2013/02/16 20:24:03 | 000,024,285 | ---- | M] () -- C:\ComboFix.txt
[2012/04/29 17:48:26 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2013/02/19 08:01:53 | 2414,940,160 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/29 17:48:26 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2012/04/29 17:48:26 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/03 21:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2012/04/29 19:03:14 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2013/02/19 08:01:52 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2012/05/12 07:12:22 | 000,180,041 | ---- | M] () -- C:\plane.JPG
[2012/05/16 22:34:30 | 000,000,352 | ---- | M] () -- C:\sprint-bill.txt
[2012/05/06 21:09:07 | 000,012,974 | ---- | M] () -- C:\VolumeC.txt
[2012/05/06 21:19:12 | 000,007,134 | ---- | M] () -- C:\VolumeD.txt
[2012/05/06 22:25:55 | 000,009,466 | ---- | M] () -- C:\VolumeE.txt
 
< %systemroot%\*. /mp /s >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2013-02-13 04:12:21
 
< End of report >
 
 
2. Extras.txt
 

OTL Extras logfile created on: 2/19/2013 9:38:05 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\user1\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.25 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 46.05% Memory free
4.09 Gb Paging File | 2.74 Gb Available in Paging File | 66.86% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 4.66 Gb Free Space | 15.91% Space Free | Partition Type: NTFS
Drive D: | 29.28 Gb Total Space | 6.72 Gb Free Space | 22.97% Space Free | Partition Type: FAT32
Drive E: | 149.05 Gb Total Space | 39.81 Gb Free Space | 26.71% Space Free | Partition Type: NTFS
 
Computer Name: HOSTNAME1  | User Name: user1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"33674:UDP" = 33674:UDP:*:Enabled:ThunderLAN(UDP)
"33673:TCP" = 33673:TCP:*:Enabled:ThunderLAN(TCP)
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server -- (Intuit Inc.)
"C:\Documents and Settings\user1\Application Data\PPLive\PPLive\PPLive.exe" = C:\Documents and Settings\user1\Application Data\PPLive\PPLive\PPLive.exe:*:Enabled:PPLive -- (PPLive Corporation)
"C:\WINDOWS\system32\PPTVLauncher.exe" = C:\WINDOWS\system32\PPTVLauncher.exe:*:Enabled:PPTVLauncher -- (PPLive Corporation)
"C:\Program Files\Thunder Network\Thunder\NetMon\net_monitor_i.exe" = C:\Program Files\Thunder Network\Thunder\NetMon\net_monitor_i.exe:*:Enabled:NetMonI7.2.9.3634 -- (Thunder Networking Technologies,LTD)
"C:\Program Files\Thunder Network\Thunder\NetMon\lsp_check.exe" = C:\Program Files\Thunder Network\Thunder\NetMon\lsp_check.exe:*:Enabled:LspCheck7.2.9.3634 -- (Thunder Networking Technologies,LTD)
"C:\Program Files\Thunder Network\Thunder\LanSpeedViewer\speed_viewer_i.exe" = C:\Program Files\Thunder Network\Thunder\LanSpeedViewer\speed_viewer_i.exe:*:Enabled:LanSpeed7.2.9.3634 -- (Thunder Networking Technologies,LTD)
"C:\Program Files\Thunder Network\Thunder\LanSpeedViewer\lsp_check.exe" = C:\Program Files\Thunder Network\Thunder\LanSpeedViewer\lsp_check.exe:*:Enabled:LanSpeedCheck7.2.9.3634 -- (Thunder Networking Technologies,LTD)
"C:\Program Files\Thunder Network\Thunder\Program\ThunderBhoStat.exe" = C:\Program Files\Thunder Network\Thunder\Program\ThunderBhoStat.exe:*:Enabled:ThunderBhoStat7.2.9.3634 -- (ShenZhen Xunlei Networking Technologies,LTD)
"C:\Program Files\Thunder Network\Thunder\Program\XBrowser.exe" = C:\Program Files\Thunder Network\Thunder\Program\XBrowser.exe:*:Enabled:Thunder7.2.9.3634 -- (ShenZhen Xunlei Networking Technologies,LTD)
"C:\Program Files\Thunder Network\Thunder\Program\ThunderLiveUD.exe" = C:\Program Files\Thunder Network\Thunder\Program\ThunderLiveUD.exe:*:Enabled:Thunder LiveUpdate7.2.9.3634 -- ()
"C:\Program Files\Thunder Network\Thunder\FCMiniDownloader\MiniDownloader.exe" = C:\Program Files\Thunder Network\Thunder\FCMiniDownloader\MiniDownloader.exe:*:Enabled:FCMiniDownloader7.2.9.3634 -- (深圳市迅雷网络技术有限公司)
"C:\Program Files\Thunder Network\Thunder\Program\Thunder.exe" = C:\Program Files\Thunder Network\Thunder\Program\Thunder.exe:*:Enabled:Thunder7.2.9.3634 -- (深圳市迅雷网络技术有限公司)
"C:\Program Files\Thunder Network\Xmp\Program\XMP.exe" = C:\Program Files\Thunder Network\Xmp\Program\XMP.exe:*:Enabled:??à×?′?′2¥·??÷ -- (深圳市迅雷网络技术有限公司)
"C:\Program Files\Thunder Network\Xmp\Program\ThunderLiveUD.exe" = C:\Program Files\Thunder Network\Xmp\Program\ThunderLiveUD.exe:*:Enabled:ThunderLiveUD -- ()
"C:\Program Files\Thunder Network\Xmp\Program\XLBugReport.exe" = C:\Program Files\Thunder Network\Xmp\Program\XLBugReport.exe:*:Enabled:XLBugReport -- ()
"C:\Program Files\Common Files\Thunder Network\Kankan\ThunderServiceLite.exe" = C:\Program Files\Common Files\Thunder Network\Kankan\ThunderServiceLite.exe:*:Enabled:?′?′????·t?? -- (ShenZhen Thunder Networking Technologies,Ltd.)
"C:\Program Files\Common Files\Thunder Network\Kankan\Xmp.exe" = C:\Program Files\Common Files\Thunder Network\Kankan\Xmp.exe:*:Enabled:??à×?′?′2¥·??÷ -- (深圳市迅雷网络技术有限公司)
"C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.131_1111\ThunderPlatform.exe" = C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.131_1111\ThunderPlatform.exe:*:Enabled:ThunderPlatform1.1.2.131 -- (ShenZhen Xunlei Networking Technologies,LTD)
"C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.131_1111\ThunderLiveUD.exe" = C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.131_1111\ThunderLiveUD.exe:*:Enabled:ThunderLiveUD1.1.2.131 -- ()
"C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.131_1111\XLBugReport.exe" = C:\Program Files\Common Files\Thunder Network\TP\Ver1\1.1.2.131_1111\XLBugReport.exe:*:Enabled:XLBugReport1.1.2.131 -- ()
"C:\Program Files\Thunder Network\Thunder\Program\ThunderExternal\ThunderPlatform.exe" = C:\Program Files\Thunder Network\Thunder\Program\ThunderExternal\ThunderPlatform.exe:*:Enabled:ThunderPlatform7.2.9.3634 -- (ShenZhen Xunlei Networking Technologies,LTD)
"C:\Program Files\Baofeng\StormPlayer\StormPlayer.exe" = C:\Program Files\Baofeng\StormPlayer\StormPlayer.exe:*:Enabled:±?·?ó°ò? -- (北京暴风科技股份有限公司)
"C:\Program Files\Baofeng\StormPlayer\BaofengPlatform.exe" = C:\Program Files\Baofeng\StormPlayer\BaofengPlatform.exe:*:Enabled:±?·?ó°ò???ì¨?DD? -- (北京暴风科技股份有限公司)
"C:\Program Files\Baofeng\StormPlayer\BaofengUpdate.exe" = C:\Program Files\Baofeng\StormPlayer\BaofengUpdate.exe:*:Enabled:±?·?ó°ò?éy????ì¨ -- (北京暴风科技股份有限公司)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\nEO iMAGING\LiveUpdate\ThunderLiveUD.exe" = C:\Program Files\nEO iMAGING\LiveUpdate\ThunderLiveUD.exe:*:Enabled:NeoLiveUpdate -- (Thunder Networking Technologies,LTD)
"C:\Program Files\nEO iMAGING\nEOiMAGING.exe" = C:\Program Files\nEO iMAGING\nEOiMAGING.exe:*:Enabled:Neoimaging -- (nEO Software)
"C:\Program Files\TeamViewer\Version7\TeamViewer.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe:*:Enabled:Teamviewer Remote Control Service -- (TeamViewer GmbH)
"C:\Program Files\PPLive\PPLite\PPLite.exe" = C:\Program Files\PPLive\PPLite\PPLite.exe:*:Enabled:PPLive -- (Microsoft)
"C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe" = C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe:*:Enabled:PPLive -- (PPLive Corporation)
"C:\Documents and Settings\user1\Application Data\Tencent\QQ\STemp\SetupEx~0\QQSetupEx.exe" = C:\Documents and Settings\user1\Application Data\Tencent\QQ\STemp\SetupEx~0\QQSetupEx.exe:*:Enabled:QQSetupEX -- (Tencent)
"C:\Program Files\Tencent\QQ\Bin\QQ.exe" = C:\Program Files\Tencent\QQ\Bin\QQ.exe:*:Enabled:ìú??QQ2012 -- (Tencent)
"C:\Program Files\Tencent\QQ\Bin\auclt.exe" = C:\Program Files\Tencent\QQ\Bin\auclt.exe:*:Enabled:QQUpdate -- (Tencent)
"C:\Program Files\Common Files\Tencent\QQDownload\119\Tencentdl.exe" = C:\Program Files\Common Files\Tencent\QQDownload\119\Tencentdl.exe:*:Enabled:¨?¨2??2¨2??¤?????á¨|?t -- (Tencent)
"C:\Documents and Settings\user1\Application Data\Tencent\QQ\STemp\QQPCDetector~0\QQPCDetector.exe" = C:\Documents and Settings\user1\Application Data\Tencent\QQ\STemp\QQPCDetector~0\QQPCDetector.exe:*:Enabled:Tencent Download Components -- (Tencent)
"C:\Program Files\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe" = C:\Program Files\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe:*:Enabled:QzoneMusic -- (Tencent)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}" = 腾讯QQ2012
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{157D158A-2D7F-4AC6-A896-02C78CCFAD6C}" = ONESOURCE 2011 Client
"{1D0C8FEA-F9E6-4272-8465-58903F1946D0}" = TurboTax 2011 wnyiper
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2A3A4BD6-6CE0-4E2A-80D2-1D0FF6ACBFBA}" = LG United Mobile Driver
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{33286280-8617-11E1-8FF6-B8AC6F97B88E}" = Google Earth Plug-in
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5CAD3393-EEC0-44CE-9F93-BCAA365B77FB}" = Nikon Movie Editor
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9017CEAF-BE5A-4F73-8A0E-C87E26971E55}" = TomTom HOME
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{B014EE44-9197-4513-9613-71E6EB1B514E}" = Nikon Message Center 2
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CAF5B770-082F-40C4-853D-3973BB81BDAA}" = TurboTax 2011 WinPerTaxSupport
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{DCED0AD4-784D-4667-B4A0-6FE953FAC4BB}" = TurboTax 2011 wnjiper
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E463E171-4082-4744-A466-F7CBE8502789}" = TurboTax 2011 WinPerReleaseEngine
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E64C137C-D0B7-467A-B47F-460AAB30F0A3}" = ViewNX 2
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EE556A3E-EB37-4392-9637-BAA8EC2F47FA}" = TurboTax 2011 wrapper
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{FAD3D68B-2F9C-459B-AA79-C04B9090FD72}" = TurboTax 2011 WinPerFedFormset
"7-Zip" = 7-Zip 9.20
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Coupon Printer for Windows5.0.0.2" = Coupon Printer for Windows
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.61.3
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"ESET Online Scanner" = ESET Online Scanner v3
"Ext2Fsd_is1" = Ext2Fsd 0.51
"Heroes of Might and Magic II" = Heroes of Might and Magic II
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 18.0.2 (x86 en-US)" = Mozilla Firefox 18.0.2 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"N360" = Norton Security Suite
"PPLite" = PPLite 1.0.0.105
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 15.0" = RealPlayer
"StormPlayer" = 暴风影音5
"TeamViewer 7" = TeamViewer 7
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"thunder_is1" = 迅雷7
"TurboTax 2011" = TurboTax 2011
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"光影魔术手_is1" = 光影魔术手 3.1.2.104
"英雄无敌2简体中文版" = 英雄无敌2简体中文版
"迅雷看看播放器" = 迅雷看看播放器
"迅雷看看高清播放组件" = 迅雷看看高清播放组件
"齐鲁证券消息服务MS" = 齐鲁证券消息服务MS
"齐鲁证券通达信" = 齐鲁证券通达信
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 10/28/2012 9:21:23 AM | Computer Name = HOSTNAME1  | Source = Application Error | ID = 1000
Description = Faulting application acrobat.exe, version 8.0.0.456, faulting module
 acrobat.dll, version 8.0.0.456, fault address 0x009fb328.
 
Error - 10/28/2012 9:23:43 AM | Computer Name = HOSTNAME1  | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
 dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
 
Error - 10/28/2012 9:27:39 AM | Computer Name = HOSTNAME1  | Source = Application Hang | ID = 1002
Description = Hanging application Acrobat.exe, version 8.0.0.456, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 10/28/2012 9:29:01 AM | Computer Name = HOSTNAME1  | Source = Application Hang | ID = 1002
Description = Hanging application Acrobat.exe, version 8.0.0.456, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 10/28/2012 9:29:32 AM | Computer Name = HOSTNAME1  | Source = Application Hang | ID = 1002
Description = Hanging application Acrobat.exe, version 8.0.0.456, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 10/28/2012 9:29:55 AM | Computer Name = HOSTNAME1  | Source = Application Hang | ID = 1002
Description = Hanging application Acrobat.exe, version 8.0.0.456, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 10/30/2012 3:35:21 PM | Computer Name = HOSTNAME1  | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.62.0.87, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 10/30/2012 3:35:46 PM | Computer Name = HOSTNAME1  | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.62.0.87, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 11/10/2012 8:58:42 PM | Computer Name = HOSTNAME1  | Source = Application Error | ID = 1000
Description = Faulting application acrobat.exe, version 8.0.0.456, faulting module
 acrobat.dll, version 8.0.0.456, fault address 0x00731bdf.
 
Error - 11/15/2012 6:50:21 PM | Computer Name = HOSTNAME1  | Source = LoadPerf | ID = 3006
Description = Unable to read the performance counter strings of the 004 language
 ID.  The Win32 status returned by the call is the first DWORD in Data section.
 
[ System Events ]
Error - 2/15/2013 11:00:12 PM | Computer Name = HOSTNAME1  | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 2/15/2013 11:04:50 PM | Computer Name = HOSTNAME1  | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error - 2/15/2013 11:05:52 PM | Computer Name = HOSTNAME1  | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   i8042prt
 
Error - 2/16/2013 8:47:54 PM | Computer Name = HOSTNAME1  | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   i8042prt
 
Error - 2/17/2013 9:10:21 AM | Computer Name = HOSTNAME1  | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   i8042prt
 
Error - 2/17/2013 10:11:07 AM | Computer Name = HOSTNAME1  | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   i8042prt
 
Error - 2/17/2013 5:41:53 PM | Computer Name = HOSTNAME1  | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   i8042prt
 
Error - 2/19/2013 9:02:34 AM | Computer Name = HOSTNAME1  | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
 while processing the file '' on the volume 'HarddiskVolume1'.  It has stopped monitoring
 the volume.
 
Error - 2/19/2013 9:02:34 AM | Computer Name = HOSTNAME1  | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
 while processing the file '' on the volume 'HarddiskVolume6'.  It has stopped monitoring
 the volume.
 
Error - 2/19/2013 9:02:42 AM | Computer Name = HOSTNAME1  | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   i8042prt  PCIIde
 
 
< End of report >
 


#12 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • Gender:Male
  • Location:Krypton
  • Local time:03:45 PM

Posted 20 February 2013 - 01:56 AM

Good afternoon dislab,

 

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTL

    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)

    :Commands
    [EmptyTemp]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

=====

 

Then, please run a free online scan with the ESET Online Scanner.
Note: You can use Internet Explorer or Mozilla Firefox for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

 

=====

 

In your reply please post the contents of both logs.
 


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.


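The three lines in the :OTL block above each name one registry artifact: the O6 entry is an HKLM Internet Explorer policy Restrictions key, the O7 entry is an HKCU Internet Explorer Control Panel policy key (both are keys that normally do not exist on a standalone home machine and are commonly planted by malware to lock the user out of IE settings), and the O15 entry is a ZoneMap domain placed in the Trusted sites zone. The following PowerShell script is an added practitioner's check, not part of this thread and not OTL's own code: it enumerates those same three locations so the state can be confirmed before the fix and again after the reboot. It assumes PowerShell 2.0 is installed on the XP SP3 machine (the page does not say it is; XP SP3 supports PowerShell 2.0 via Windows Management Framework) and that it is run from an elevated prompt by the same user account whose HKCU hive is being inspected.

```powershell
# Added example (not from the thread or from OTL): list the IE policy keys and
# ZoneMap entries that the OTL fix above targets.
# Assumption: PowerShell 2.0 or later, run elevated as the affected user.

# O6 / O7 targets: IE policy keys that should not exist on a standalone home PC.
$policyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
)

foreach ($key in $policyKeys) {
    if (Test-Path -Path $key) {
        Write-Output "PRESENT: $key"
        # Dump every value under the key; lock-out values such as NoBrowserOptions
        # or NoControlPanel set to 1 are the usual sign of tampering.
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List | Out-String | Write-Output
    } else {
        Write-Output "absent:  $key"
    }
}

# O15 target: IE security zone assignments. Each domain key may carry per-host
# subkeys (e.g. intuit.com\ttlc) and one DWORD value per scheme (http, https, *).
# Zone 2 is Trusted sites, zone 4 is Restricted sites.
$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 0 = 'Local'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

if (Test-Path -Path $zoneMap) {
    Get-ChildItem -Path $zoneMap -Recurse | ForEach-Object {
        # Strip the provider prefix so only "domain\host" remains.
        $hostName = $_.PSPath -replace '.*\\Domains\\', ''
        foreach ($valueName in $_.GetValueNames()) {
            $zone  = [int]$_.GetValue($valueName)
            $label = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "zone $zone" }
            Write-Output ("ZONEMAP: {0,-40} {1,-6} -> {2}" -f $hostName, $valueName, $label)
        }
    }
} else {
    Write-Output "absent:  $zoneMap"
}
```

Before the fix this should print PRESENT for the two policy keys and a ZONEMAP line for intuit.com\ttlc with https mapped to Trusted; after the OTL fix and the reboot it should print absent for both policy keys and no longer list that domain. The intuit.com entry itself is consistent with the TurboTax 2011 installation shown in the uninstall list and is not by itself evidence of compromise; the policy keys are the entries worth attention, since on a machine that is not joined to a domain nothing legitimate should normally have created them.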


#13 dislab

dislab
  • Topic Starter

  • Members
  • 45 posts
  • Local time:12:45 AM

Posted 20 February 2013 - 10:46 PM

OTL required a reboot to complete the cleaning. I stopped ESET after it finished C: and nothing was found. Here are the two logs. Thanks!
 
 
1. OTL log
 
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: user1
->Temp folder emptied: 1955876 bytes
->Temporary Internet Files folder emptied: 13455781 bytes
->FireFox cache emptied: 301824494 bytes
->Google Chrome cache emptied: 303728359 bytes
->Flash cache emptied: 117022 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 594.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 02202013_210419
 
Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_1ac.dat not found!
 
PendingFileRenameOperations files...
 
Registry entries deleted on Reboot...
 
 
2. ESET scanner
 
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=c30caa4bf2c28047a0947958b3bda39c
# engine=13187
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-02-19 05:58:34
# local_time=2013-02-19 12:58:34 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=6657 16777214 0 14 16377195 16377195 0 0
# scanned=283142
# found=2
# cleaned=0
# scan_time=12037
sh=DF0BF1431A6065297CC884CEAA8D47D4F29A7AB9 ft=1 fh=d2c32a46837e9aba vn="probably a variant of Win32/Agent.LNARLWR trojan" ac=I fn="E:\jli\D\Downloads\Iparmor-v5.46\tu.exe"
sh=DF0BF1431A6065297CC884CEAA8D47D4F29A7AB9 ft=1 fh=d2c32a46837e9aba vn="probably a variant of Win32/Agent.LNARLWR trojan" ac=I fn="E:\WD80G\Retrospect Backup\Backup of Data (D)\Downloads\Iparmor-v5.46\tu.exe"
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=c30caa4bf2c28047a0947958b3bda39c
# engine=13203
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-02-21 03:42:51
# local_time=2013-02-20 10:42:51 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=6657 16777214 0 14 16541852 16541852 0 0
# scanned=83954
# found=0
# cleaned=0
# scan_time=5111
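As an added example (not from the thread, and not ESET's own code), a small Python parser for the ESET Online Scanner log format quoted above: it splits the log into runs at each `# version=` line, keeps the `# key=value` header of each run, and reads the `sh=… fn=…` detection lines so a helper can see how many hits were left in place (the scan was run with remove_checked=false) and where copies of one file sit, such as the backup copy in the posted log. The sample log, hashes and paths below are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the thread's log layout; hashes/paths are placeholders.
SAMPLE_LOG = """\
OnlineScanner.ocx - registred OK
# version=8
# end=finished
# remove_checked=false
# found=2
# cleaned=0
sh=0000000000000000000000000000000000000001 ft=1 fh=0123456789abcdef vn="probably a variant of Win32/Example trojan" ac=I fn="E:\\Downloads\\tool\\tu.exe"
sh=0000000000000000000000000000000000000001 ft=1 fh=0123456789abcdef vn="probably a variant of Win32/Example trojan" ac=I fn="E:\\Backup\\Downloads\\tool\\tu.exe"
# version=8
# end=stopped
# found=0
# cleaned=0
"""

HEADER_RE = re.compile(r"^# (\w+)=(.*)$")
DETECT_RE = re.compile(r'^sh=(\w+) ft=(\d+) fh=(\w+) vn="([^"]*)" ac=(\S+) fn="([^"]*)"$')

@dataclass
class ScanRun:
    header: dict = field(default_factory=dict)      # "# key=value" lines of one run
    detections: list = field(default_factory=list)  # (sha1, detection name, path)
    def unremoved(self) -> int:
        # Threats reported but left in place (the thread ran with remove_checked=false)
        return int(self.header.get("found", 0)) - int(self.header.get("cleaned", 0))
    def paths_by_hash(self) -> dict:
        # One SHA-1 under several paths = copies of the same file (e.g. in a backup set)
        out = {}
        for sha1, _name, path in self.detections:
            out.setdefault(sha1, []).append(path)
        return out

def parse_eset_log(text: str) -> list:
    runs = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if m.group(1) == "version":   # each "# version=" line opens a new run
                runs.append(ScanRun())
            if runs:
                runs[-1].header[m.group(1)] = m.group(2)
            continue
        d = DETECT_RE.match(line)
        if d and runs:                    # e.g. the two copies of tu.exe in the thread
            runs[-1].detections.append((d.group(1), d.group(4), d.group(6)))
    return runs
```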


#14 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  • Gender:Male
  • Location:Krypton
  • Local time:03:45 PM

Posted 21 February 2013 - 02:37 AM

Good afternoon dislab,

Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#15 dislab

dislab
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:12:45 AM

Posted 21 February 2013 - 08:39 PM

SecurityCheck results are here. Thanks!

 

 

 Results of screen317's Security Check version 0.99.59  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Please wait while WMIC compiles updated MOF files.d 
ECHO is off.
ECHO is off.
ECHO is off.
ECHO is off.
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.70.0.1100  
 JavaFX 2.1.1    
 Java 7 Update 7  
 Java version out of Date! 
 Adobe Flash Player     11.5.502.149  
 Mozilla Firefox 18.0.2 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 




