
Combofix report


  • This topic is locked
2 replies to this topic

#1 p1020

  • Members
  • 7 posts

Posted 12 June 2013 - 07:25 AM

ComboFix 13-06-08.02 - Administrator 3/06/12 Wed  18:10:29.1.8 - x64
Microsoft Windows 7 Home Basic   6.1.7601.1.936.86.2052.18.8140.6677 [GMT 8:00]
Running from: f:\download\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Files Deleted   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Administrator\AppData\Roaming\004D5649544E41696E66
c:\users\manwei\AppData\Roaming\004D5649544E41696E66
c:\users\manwei\AppData\Roaming\08E0B9A5ACAA3D
.
.
(((((((((((((((((((((((((  Files Created from 2013-05-12 to 2013-06-12  )))))))))))))))))))))))))))))))
.
.
2020-07-26 10:33 . 2020-07-26 10:33 -------- d-----w- c:\programdata\Licenses
2013-06-12 10:14 . 2013-06-12 10:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-12 10:07 . 2013-06-12 10:07 -------- d-----w- c:\program files (x86)\Tweaking.com
2013-06-11 15:58 . 2013-06-11 15:58 -------- d-----w- c:\program files (x86)\Huorong
2013-06-11 15:44 . 2013-06-11 15:43 170440 ----a-w- c:\windows\system32\mfevtps.exe.b03a.deleteme
2013-06-11 15:42 . 2013-06-12 10:04 -------- d-----w- c:\program files (x86)\McAfee
2013-06-11 15:42 . 2013-06-12 10:03 -------- d-----w- c:\program files (x86)\Common Files\McAfee
2013-06-11 14:52 . 2009-12-30 03:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2013-06-11 14:52 . 2013-06-11 14:52 -------- d-----w- c:\program files\VS Revo Group
2013-06-11 10:55 . 2013-06-11 10:53 2 ---ha-r- c:\windows\system32\npptools.dll
2013-06-11 09:24 . 2013-06-11 09:24 -------- d-----w- c:\program files (x86)\Real Codec
2013-06-10 17:52 . 2013-05-13 17:48 9460464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BE446B7B-0224-4BCA-B7AA-8B23D958A76A}\mpengine.dll
2013-06-10 15:33 . 2013-06-10 15:36 -------- d-----w- c:\program files (x86)\Jetico
2013-06-06 04:50 . 2013-06-06 04:50 -------- d-----w- C:\found.001
2013-06-02 16:12 . 2013-06-02 16:12 -------- d-----w- c:\programdata\VS Revo Group
2013-06-02 16:03 . 2013-06-02 16:03 -------- d-----w- c:\program files\Unlocker
2013-06-02 15:11 . 2013-06-02 16:12 -------- d-----w- c:\program files (x86)\完美卸载
2013-06-02 13:42 . 2013-06-02 14:25 -------- d-----w- c:\program files\Microsoft Security Client
2013-06-02 08:23 . 2013-06-02 08:23 -------- d-----w- c:\programdata\TSLOG
2013-06-02 02:24 . 2013-06-02 02:24 -------- d-----w- C:\found.000
2013-06-01 10:02 . 2013-06-01 10:02 -------- d-----w- c:\programdata\CPA_VA
2013-06-01 09:40 . 2013-06-02 14:25 -------- d-----w- c:\programdata\Comodo
2013-05-31 12:20 . 2013-06-12 05:08 -------- d-----w- C:\QUARANTINE
2013-05-28 12:47 . 2013-06-01 10:02 -------- d-----w- c:\program files\COMODO
2013-05-28 12:43 . 2013-06-11 15:43 99352 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2013-05-28 12:43 . 2013-06-11 15:43 75656 ----a-w- c:\windows\SysWow64\MfeOtlkAddin.dll
2013-05-28 12:43 . 2013-06-11 15:43 23112 ----a-w- c:\windows\SysWow64\MFEOtlk.dll
2013-05-28 12:42 . 2013-06-11 15:44 -------- d-----w- c:\program files\Common Files\McAfee
2013-05-27 14:13 . 2008-01-21 07:16 1802240 ------w- c:\windows\SysWow64\Chart10W.dll
2013-05-27 14:13 . 2007-03-21 01:42 360448 ------w- c:\windows\SysWow64\YRWXls.ocx
2013-05-27 14:13 . 2005-09-02 03:43 475136 ------w- c:\windows\SysWow64\ChartChs.dll
2013-05-27 14:13 . 2005-07-12 02:17 176128 ------w- c:\windows\SysWow64\HAdo.dll
2013-05-27 14:13 . 2008-10-09 03:08 19227942 ------w- c:\windows\SysWow64\cell 5.3.8.0122.exe
2013-05-27 14:13 . 2008-01-21 07:10 1447936 ------w- c:\windows\SysWow64\CellWeb5.ocx
2013-05-27 14:13 . 2007-08-09 06:02 315392 ------w- c:\windows\SysWow64\CellWChs.dll
2013-05-27 14:04 . 2013-06-02 14:44 -------- d-----w- c:\program files (x86)\Microsoft SQL Server
2013-05-27 12:38 . 2013-05-27 12:38 -------- d-----w- C:\VritualRoot
2013-05-27 04:52 . 2013-05-27 04:52 -------- d-----w- c:\programdata\Comodo Downloader
2013-05-26 14:20 . 2013-05-26 14:20 -------- d-----w- c:\program files (x86)\AviSynth 2.5
2013-05-26 14:20 . 2013-05-26 14:20 -------- d-----w- c:\program files (x86)\WMZHE
2013-05-26 10:41 . 2013-05-26 10:41 -------- d-----w- c:\programdata\Logs
2013-05-26 10:24 . 2013-05-26 10:58 -------- d-----w- c:\program files (x86)\HaoZip
2013-05-26 10:06 . 2013-05-26 10:06 -------- d-----w- c:\users\Public\Real
2013-05-25 14:46 . 2013-05-25 14:46 -------- d-----w- c:\programdata\Privacyware
2013-05-25 14:38 . 2013-05-03 08:15 75016696 ----a-w- c:\windows\system32\MRT.exe
2013-05-25 08:08 . 2013-05-05 21:36 17818624 ----a-w- c:\windows\system32\mshtml.dll
2013-05-25 08:08 . 2013-05-05 21:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-25 08:08 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2013-05-24 19:26 . 2013-06-12 10:04 -------- d-----w- c:\programdata\McAfee
2013-05-24 19:20 . 2013-05-24 19:20 -------- d-----w- c:\program files (x86)\HopeSafe
2013-05-24 19:06 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll
2013-05-24 19:06 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll
2013-05-24 19:06 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2013-05-24 19:06 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2013-05-24 19:06 . 2010-09-30 10:41 100864 ----a-w- c:\windows\system32\fontsub.dll
2013-05-24 19:06 . 2010-09-30 06:47 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2013-05-24 19:04 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-05-24 19:04 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2013-05-24 19:04 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2013-05-24 19:04 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-05-24 19:04 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2013-05-24 14:27 . 2013-03-15 11:14 237840 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2013-05-24 14:26 . 2013-03-15 11:13 120080 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2013-05-24 14:26 . 2013-05-24 14:27 -------- dc----w- c:\windows\system32\DRVSTORE
2013-05-24 14:26 . 2013-05-24 14:26 -------- d-----w- c:\program files\Oracle
2013-05-24 13:33 . 2013-05-24 13:33 -------- d-----w- c:\program files (x86)\WinPcap
2013-05-24 06:56 . 2013-05-24 06:56 49240 ----a-w- c:\windows\system32\drivers\AntiLog64.sys
2013-05-24 06:56 . 2013-06-01 08:20 -------- d--h--w- c:\programdata\{F77494A7-3CA0-4C6C-A264-8A451A7D4299}
2013-05-24 06:42 . 2013-05-24 06:42 -------- d-----w- c:\program files (x86)\QuickTime
2013-05-24 06:42 . 2013-05-24 06:42 -------- d-----w- c:\program files (x86)\Common Files\TechSmith Shared
2013-05-24 06:42 . 2013-05-24 06:42 -------- d-----w- c:\programdata\TechSmith
2013-05-24 06:42 . 2013-05-24 06:42 -------- d-----w- c:\program files (x86)\TechSmith
2013-05-24 06:33 . 2013-06-02 14:44 -------- d-----w- c:\program files (x86)\Microsoft.NET
2013-05-24 05:42 . 2013-05-24 05:43 -------- d-----w- c:\programdata\360zip
2013-05-24 02:12 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll
2013-05-24 02:11 . 2012-06-02 05:50 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2013-05-24 02:09 . 2011-04-29 03:06 467456 ----a-w- c:\windows\system32\drivers\srv.sys
2013-05-24 02:09 . 2011-04-29 03:05 410112 ----a-w- c:\windows\system32\drivers\srv2.sys
2013-05-24 02:09 . 2011-04-29 03:05 168448 ----a-w- c:\windows\system32\drivers\srvnet.sys
2013-05-24 02:09 . 2013-01-03 06:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-05-24 02:09 . 2013-01-03 06:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-05-24 02:09 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2013-05-24 02:09 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll
2013-05-24 02:09 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax
2013-05-24 02:09 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll
2013-05-24 02:09 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
2013-05-24 02:09 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2013-05-24 02:09 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2013-05-24 02:03 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2013-05-24 02:03 . 2011-05-24 10:40 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2013-05-24 02:03 . 2011-05-24 10:40 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2013-05-24 02:03 . 2011-05-24 10:39 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2013-05-24 02:03 . 2011-05-24 10:37 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
2013-05-24 02:02 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2013-05-24 02:02 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2013-05-24 02:02 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2013-05-24 02:02 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2013-05-24 01:56 . 2012-06-02 05:41 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-24 01:56 . 2012-06-02 05:41 140288 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-24 01:56 . 2012-06-02 05:41 1464320 ----a-w- c:\windows\system32\crypt32.dll
2013-05-24 01:56 . 2012-06-02 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-05-24 01:56 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-05-24 01:56 . 2012-06-02 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-05-24 01:56 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2013-05-24 01:56 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2013-05-23 15:00 . 2013-06-02 14:26 -------- d-----w- c:\users\Administrator
2013-05-23 10:44 . 2013-05-23 10:44 -------- d-----w- c:\program files (x86)\Common Files\Screaming Bee
2013-05-23 10:44 . 2013-05-23 10:52 -------- d-----w- c:\program files (x86)\Screaming Bee
2013-05-23 10:44 . 2013-05-23 10:46 -------- d-----w- c:\programdata\Screaming Bee
2013-05-23 09:26 . 2012-12-06 06:30 211336 ----a-w- c:\windows\system32\drivers\360FsFlt.sys
2013-05-23 09:26 . 2011-08-31 10:18 19800 ----a-w- c:\windows\system32\drivers\efimon.sys
2013-05-23 09:26 . 2013-05-23 09:26 -------- d-----r- C:\360SANDBOX
2013-05-23 09:20 . 2012-11-01 06:01 188808 ----a-w- c:\windows\system32\drivers\BAPIDRV64.SYS
2013-05-23 04:55 . 2013-05-23 04:55 39216 ----a-w- c:\windows\system32\drivers\hrfwdrv.sys
2013-05-23 04:10 . 2013-05-23 04:10 -------- d-----w- c:\program files (x86)\Common Files\MAGIX Services
2013-05-23 03:53 . 2013-05-23 03:53 -------- d-----w- c:\program files\Common Files\MAGIX Services
2013-05-23 03:53 . 2013-05-23 04:13 -------- d-----w- c:\programdata\MAGIX
2013-05-23 03:53 . 2013-05-23 04:10 -------- d-----w- c:\program files (x86)\MAGIX
2013-05-23 03:22 . 2013-05-23 03:22 -------- d-----w- c:\programdata\Adobe Systems
2013-05-23 03:21 . 2013-05-23 03:21 -------- d-----w- c:\program files (x86)\Common Files\Adobe Systems Shared
2013-05-23 03:19 . 2013-05-23 03:20 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-05-23 02:00 . 2013-05-24 14:38 271136 ----a-w- c:\windows\system32\drivers\TweakCubeVD.sys
2013-05-22 15:54 . 2013-05-22 15:54 -------- d-----w- c:\program files (x86)\VstPlugins
2013-05-22 15:54 . 2013-03-12 10:47 1431552 ----a-w- c:\windows\SysWow64\rewire.dll
2013-05-22 15:54 . 2013-05-23 03:15 -------- d-----w- c:\program files\Image-Line
.
.
((((((((((((((((((((((((((((((((((((((((   Files Modified Within the Last Three Months   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-01 18:06 . 2010-11-21 03:27 278800 ----a-w- c:\windows\system32\MpSigStub.exe
2013-03-15 11:14 . 2013-03-15 11:14 131856 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2013-03-15 11:13 . 2013-03-15 11:13 146704 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2013-03-15 11:13 . 2013-03-15 11:13 106256 ----a-w- c:\windows\system32\drivers\VBoxUSB.sys
2013-03-15 11:13 . 2013-03-15 11:13 204048 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{0EA37B17-6B8B-4085-8257-F3A4AA69C27A}]
2013-01-21 02:51 88520 ----a-w- d:\program files (x86)\Thunder Network\Thunder\BHO\XlBrowserAddin1.0.8.71.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AAADesktopTips]
@="{4562B511-62E9-4533-B7B2-56A8BB10B482}"
[HKEY_CLASSES_ROOT\CLSID\{4562B511-62E9-4533-B7B2-56A8BB10B482}]
2012-11-14 11:32 251856 ----a-w- c:\program files (x86)\Common Files\Thunder Network\Kankan\xappex.1.1.1.62.(790).dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCProtect"="c:\users\Administrator\AppData\Roaming\tweakcube3\winguard.exe" [2013-05-31 283560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HotKeyOSD"="c:\program files (x86)\Hotkey OSD Driver\HotKeyOSD.exe" [2011-02-16 345680]
"IME14 CHS Setup"="c:\progra~2\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE" [2010-01-20 80240]
"JeticoPFStartup"="c:\program files (x86)\Jetico\Jetico Personal Firewall\jpf.exe" [2010-12-15 537912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer7"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
   IME File REG_SZ         IMSC14.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210804]
   IME File REG_SZ         IMSCE14.IME
.
R1 Spyshelter;Spyshelter;c:\program files (x86)\SpyShelter Premium\SpyShelter.sys;c:\program files (x86)\SpyShelter Premium\SpyShelter.sys [x]
R1 U46_AA;Service for ESI U46 Controller driver;c:\windows\system32\DRIVERS\U46DRV.sys;c:\windows\SYSNATIVE\DRIVERS\U46DRV.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 BaiduUpdater;Baidu Updater;c:\program files (x86)\Baidu\BaiduUpdate\bdupdate.exe;c:\program files (x86)\Baidu\BaiduUpdate\bdupdate.exe [x]
R3 Bcfilter;Jetico Personal Firewall Network Monitor;c:\windows\system32\DRIVERS\bcfilter.sys;c:\windows\SYSNATIVE\DRIVERS\bcfilter.sys [x]
R3 esihdrv;esihdrv;c:\users\ADMINI~1\AppData\Local\Temp\esihdrv.sys;c:\users\ADMINI~1\AppData\Local\Temp\esihdrv.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys;c:\windows\SYSNATIVE\DRIVERS\revoflt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TweakCubeVD;TweakCubeVD;c:\windows\system32\drivers\TweakCubeVD.sys;c:\windows\SYSNATIVE\drivers\TweakCubeVD.sys [x]
R3 U46WDM1_01;Service for ESI- U46 Audio driver;c:\windows\system32\DRIVERS\U46wdm.sys;c:\windows\SYSNATIVE\DRIVERS\U46wdm.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]
S0 hrfwdrv;Huorong Network Security Firewall Core Kext;c:\windows\system32\DRIVERS\hrfwdrv.sys;c:\windows\SYSNATIVE\DRIVERS\hrfwdrv.sys [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S1 360FsFlt;360FsFlt mini-filter driver;c:\windows\system32\DRIVERS\360FsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\360FsFlt.sys [x]
S1 AntiLog32;AntiLog32;c:\windows\system32\drivers\AntiLog64.sys;c:\windows\SYSNATIVE\drivers\AntiLog64.sys [x]
S1 bc_hash_f;BC_HASH_Filter; [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
S2 AntiArpNdisProt;AntiARP NDIS Protocol Driver;c:\windows\system32\DRIVERS\AntiArpNdisProt.sys;c:\windows\SYSNATIVE\DRIVERS\AntiArpNdisProt.sys [x]
S2 bcfsrm;Jetico Personal Firewall filesystem filter;c:\windows\system32\drivers\bcfsrm.sys;c:\windows\SYSNATIVE\drivers\bcfsrm.sys [x]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [x]
S2 hkosdservice;Hotkey OSD Service;c:\program files (x86)\Hotkey OSD Driver\hkosdsvis.exe;c:\program files (x86)\Hotkey OSD Driver\hkosdsvis.exe [x]
S2 ImeDictUpdateService;Microsoft IME Dictionary Update;c:\program files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE;c:\program files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE [x]
S2 Jetico Personal Firewall server;Jetico Personal Firewall server;c:\program files (x86)\Jetico\Jetico Personal Firewall\jpfsrv.exe;c:\program files (x86)\Jetico\Jetico Personal Firewall\jpfsrv.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
S2 XLServicePlatform;XLServicePlatform;c:\windows\system32\svchost;c:\windows\SYSNATIVE\svchost [x]
S3 BcfilterMP;BcfilterMP;c:\windows\system32\DRIVERS\bcfilter.sys;c:\windows\SYSNATIVE\DRIVERS\bcfilter.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys;c:\windows\SYSNATIVE\drivers\ScreamingBAudio64.sys [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]
S3 VUSB3HUB;VIA USB 3 Root Hub Service;c:\windows\system32\DRIVERS\ViaHub3.sys;c:\windows\SYSNATIVE\DRIVERS\ViaHub3.sys [x]
S3 xhcdrv;VIA USB eXtensible Host Controller Service;c:\windows\system32\DRIVERS\xhcdrv.sys;c:\windows\SYSNATIVE\DRIVERS\xhcdrv.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
XLServicePlatform REG_MULTI_SZ   XLServicePlatform
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-12 c:\windows\Tasks\WpsNotifyTask_Administrator.job
- c:\users\Administrator\AppData\Local\Kingsoft\WPS Office\8.1.0.3602\wtoolex\wpsnotify.exe [2013-05-23 15:16]
.
2013-06-12 c:\windows\Tasks\WpsNotifyTask_manwei.job
- c:\users\manwei\AppData\Local\Kingsoft\WPS Office\8.1.0.3602\wtoolex\wpsnotify.exe [2013-05-22 11:49]
.
2013-06-12 c:\windows\Tasks\WpsUpdateTask_Administrator.job
- c:\users\Administrator\AppData\Local\Kingsoft\WPS Office\8.1.0.3602\wtoolex\wpsupdate.exe [2013-05-23 15:16]
.
2013-06-12 c:\windows\Tasks\魔方守护.job
- c:\users\manwei\AppData\Roaming\tweakcube3\winguard.exe [2013-05-22 14:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{004B0726-A010-4ABF-8556-FCDB7F1FCA1E}]
2013-01-21 02:51 628680 ----a-w- d:\program files (x86)\Thunder Network\Thunder\BHO\XunleiBHO647.2.13.3882.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-12-12 13263072]
"VIAxHCUtl"="c:\via_xhci\usb3Monitor.exe" [2011-07-12 331776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-13 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-13 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-13 418328]
"IME14 CHS Setup"="c:\progra~1\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE" [2010-01-20 109424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.hao123.com/?tn=12092018_15_hao_pg
mStart Page = hxxp://www.baidu.com/index.php?tn=antiarp_pg
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 221.7.128.68 221.7.136.68
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ESI- U46 Audio Driver Setup - c:\program files (x86)\ESI\U46\uninst.exe Software\ESI\U46\Setup
AddRemove-{3108C217-BE83-42E4-AE9E-A56A2A92E549} - c:\program files\InstallShield Installation Information\{3108C217-BE83-42E4-AE9E-A56A2A92E549}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2587678939-107502809-1894528617-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{0EA37B17-6B8B-4085-8257-F3A4AA69C27A}"=hex:51,66,7a,6c,4c,1d,3b,1b,07,67,b4,
   1f,bb,3e,ed,05,97,5f,b8,e4,ab,2a,80,63
"{889D2FEB-5411-4565-8998-1DD2C5261283}"=hex:51,66,7a,6c,4c,1d,3b,1b,fb,33,8a,
   99,21,01,0d,00,9c,90,56,92,c4,65,50,9a
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"=hex:51,66,7a,6c,4c,1d,3b,1b,b0,c9,a5,
   6c,71,27,11,0b,a3,85,28,49,f1,5f,10,28
.
[HKEY_USERS\S-1-5-21-2587678939-107502809-1894528617-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:de,4d,2a,67,56,59,ce,01
.
[HKEY_USERS\S-1-5-21-2587678939-107502809-1894528617-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="DragonHTML"
.
[HKEY_USERS\S-1-5-21-2587678939-107502809-1894528617-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="DragonHTML"
.
[HKEY_USERS\S-1-5-21-2587678939-107502809-1894528617-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmvb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"
.
[HKEY_USERS\S-1-5-21-2587678939-107502809-1894528617-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="DragonHTML"
.
[HKEY_USERS\S-1-5-21-2587678939-107502809-1894528617-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="DragonHTML"
.
[HKEY_USERS\S-1-5-21-2587678939-107502809-1894528617-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="DragonHTML"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\S*a*m*p*l*i*3*.*噀ch\DefaultIcon]
@="c:\\PROGRA~2\\MAGIX\\SAMPLI~1\\Sam.exe,1"
.
[HKEY_LOCAL_MACHINE\software\Classes\S*a*m*p*l*i*3*.*噀ch\shell\open\command]
@="c:\\PROGRA~2\\MAGIX\\SAMPLI~1\\Sam.exe \"%1\""
.
[HKEY_LOCAL_MACHINE\software\Classes\S*a*m*p*l*i*4*.*噀ch\DefaultIcon]
@="c:\\PROGRA~2\\MAGIX\\SAMPLI~1\\Sam.exe,1"
.
[HKEY_LOCAL_MACHINE\software\Classes\S*a*m*p*l*i*4*.*噀ch\shell\open\command]
@="c:\\PROGRA~2\\MAGIX\\SAMPLI~1\\Sam.exe \"%1\""
.
[HKEY_LOCAL_MACHINE\software\Classes\S*a*m*p*l*i*5*.*噀ch\DefaultIcon]
@="c:\\PROGRA~2\\MAGIX\\SAMPLI~1\\Sam.exe,1"
.
[HKEY_LOCAL_MACHINE\software\Classes\S*a*m*p*l*i*5*.*噀ch\shell\open\command]
@="c:\\PROGRA~2\\MAGIX\\SAMPLI~1\\Sam.exe \"%1\""
.
[HKEY_LOCAL_MACHINE\software\Classes\S*a*m*p*l*i*6*.*噀ch\DefaultIcon]
@="c:\\PROGRA~2\\MAGIX\\SAMPLI~1\\Sam.exe,1"
.
[HKEY_LOCAL_MACHINE\software\Classes\S*a*m*p*l*i*6*.*噀ch\shell\open\command]
@="c:\\PROGRA~2\\MAGIX\\SAMPLI~1\\Sam.exe \"%1\""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="VLC ActiveX Plugin and IE Web Plugin v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="VLC ActiveX Plugin and IE Web Plugin v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-06-12  18:18:05
ComboFix-quarantined-files.txt  2013-06-12 10:18
.
Pre-Run: 10 directories, 29,910,310,912 bytes free
Post-Run: 19 directories, 29,985,898,496 bytes free
.
- - End Of File - - 802BC9844E87D6EFC4337C8874BBFE85
A36C5E4F47E84449FF07ED3517B43A31
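As an added triage example (not part of the original post and not ComboFix's own code), the script below parses the autostart sections ComboFix prints in the log above: the Run-key values, the R/S service lines, the Scheduled Tasks entries and the AppInit_DLLs value. It then flags every entry whose image path sits under a user profile's AppData or a Temp directory. That "user-writable path" rule is this example's own heuristic, not a ComboFix rule, and a hit is not proof of malware (the WPS Office tasks are legitimate software installed per user); it is simply where a malware response helper looks first once the entries in Program Files and System32 are accounted for. The sample input is a constructed excerpt of lines copied from the posted log.

```python
"""Triage autostart entries from a ComboFix log (added example, not ComboFix code).

Parses the autostart lines in the format ComboFix prints and flags entries that
launch from a user-writable location. The "user-writable" rule (AppData or a Temp
directory anywhere in the path) is this example's own heuristic.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the posted log, trimmed to the autostart sections.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCProtect"="c:\users\Administrator\AppData\Roaming\tweakcube3\winguard.exe" [2013-05-31 283560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JeticoPFStartup"="c:\program files (x86)\Jetico\Jetico Personal Firewall\jpf.exe" [2010-12-15 537912]
.
R3 esihdrv;esihdrv;c:\users\ADMINI~1\AppData\Local\Temp\esihdrv.sys;c:\users\ADMINI~1\AppData\Local\Temp\esihdrv.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys;c:\windows\SYSNATIVE\DRIVERS\revoflt.sys [x]
S1 bc_hash_f;BC_HASH_Filter; [x]
S2 XLServicePlatform;XLServicePlatform;c:\windows\system32\svchost;c:\windows\SYSNATIVE\svchost [x]
.
2013-06-12 c:\windows\Tasks\WpsNotifyTask_manwei.job
- c:\users\manwei\AppData\Local\Kingsoft\WPS Office\8.1.0.3602\wtoolex\wpsnotify.exe [2013-05-22 11:49]
.
2013-06-12 c:\windows\Tasks\魔方守护.job
- c:\users\manwei\AppData\Roaming\tweakcube3\winguard.exe [2013-05-22 14:03]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
"""

# Line shapes as ComboFix prints them.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[')          # "Name"="path" [date size]
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<path>\S.*)$')                 # "AppInit_DLLs"=path
SERVICE_RE = re.compile(r'^[RS][0-4]\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^;\[]*)')
TASK_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(?P<job>\S.*\.job)$')           # date  c:\windows\Tasks\x.job
TASK_TARGET_RE = re.compile(r'^-\s+(?P<path>.+?)\s*\[')                     # - target.exe [date time]

# Heuristic of this example: anything under AppData or a Temp directory is user-writable.
USER_WRITABLE = re.compile(r"\\appdata\\|\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Autostart:
    kind: str   # "run", "service", "task" or "appinit"
    name: str   # value name, service name or .job path
    path: str   # image path exactly as ComboFix printed it


def parse_autostarts(log_text):
    """Return every autostart entry ComboFix listed, in log order."""
    entries = []
    pending_job = None          # a .job line whose "- target" line comes next
    for raw in log_text.splitlines():
        line = raw.strip()
        if pending_job is not None:
            target = TASK_TARGET_RE.match(line)
            pending_job, job = None, pending_job
            if target:
                entries.append(Autostart("task", job, target["path"]))
                continue
        if (m := TASK_RE.match(line)):
            pending_job = m["job"]
        elif (m := RUN_RE.match(line)):
            entries.append(Autostart("run", m["name"], m["path"]))
        elif (m := APPINIT_RE.match(line)):
            entries.append(Autostart("appinit", "AppInit_DLLs", m["path"].strip()))
        elif (m := SERVICE_RE.match(line)) and m["path"].strip():
            # Services with no image path (e.g. bc_hash_f above) carry nothing to triage.
            entries.append(Autostart("service", m["name"], m["path"].strip()))
    return entries


def flag_user_writable(entries):
    """Entries whose image path sits under a user profile's AppData or a Temp directory."""
    return [e for e in entries if USER_WRITABLE.search(e.path)]


def report(log_text):
    """One line per flagged entry, suitable for pasting into a reply."""
    entries = parse_autostarts(log_text)
    flagged = flag_user_writable(entries)
    lines = [f"{len(entries)} autostart entries parsed, {len(flagged)} launch from user-writable paths:"]
    lines += [f"  [{e.kind}] {e.name} -> {e.path}" for e in flagged]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a full C:\ComboFix.txt by passing the file contents to `report()`; the regexes only match the line shapes above, so the file-listing and locked-registry-key sections fall through untouched. On the excerpt, the two winguard.exe entries (a Run value and a scheduled task pointing at the same AppData\Roaming binary) and the driver loading from a Temp directory are what gets surfaced; the Jetico firewall, the Revo driver, the svchost-hosted service and the AppInit_DLLs entry are parsed but not flagged.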
 

 



#2 nasdaq

  • Malware Response Team
  • 38,948 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 June 2013 - 09:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply DO NOT ATTACH THEM.
Let me know what problem you are having with this computer.

#3 nasdaq

Posted 21 June 2013 - 08:00 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



