
snowballBlack vs Scorpion Saver


  • This topic is locked
23 replies to this topic

#1 SnowballBlack

  • Members
  • 16 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 30 November 2013 - 10:25 AM

I am SnowballBlack. I found the site as I was trying to remove the Scorpion Saver virus.
I have a few computers at home. One of them, I thought, is severely infected. Another is lightly infected, and the third one is totally fine in my opinion. I'd been following Dawnbreak and Gringo_pr for a while. Unfortunately, I cannot post in that thread, so I have to start a new one.


#2 SnowballBlack

  • Topic Starter
  • Members
  • 16 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 30 November 2013 - 10:51 AM

Here are the results I got from the most severely infected laptop.

 

 

 

# AdwCleaner v3.013 - Report created 30/11/2013 at 00:11:32
# Updated 24/11/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Acerr - ACERR-PC
# Running from : G:\SUS\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\SoftSafe
Folder Deleted : C:\ProgramData\Tencent
Folder Deleted : C:\Program Files (x86)\Tencent
Folder Deleted : C:\Program Files (x86)\Common Files\Tencent
Folder Deleted : C:\Program Files\Tencent
Folder Deleted : C:\Users\Acerr\AppData\Local\Tencent
Folder Deleted : C:\Users\Acerr\AppData\LocalLow\Tencent
Folder Deleted : C:\Users\Acerr\AppData\Roaming\ParetoLogic
Folder Deleted : C:\Users\Acerr\AppData\Roaming\SogouExplorer
Folder Deleted : C:\Users\Acerr\AppData\Roaming\Tencent
Folder Deleted : C:\Users\Acerr\AppData\Roaming\yourfiledownloader
Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
File Deleted : C:\Windows\System32\roboot64.exe
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jbpkiefagocgkmemidfngdkamloieekf
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
Key Deleted : HKCU\Software\Microsoft\Office\Powerpoint\Addins\babylonofficeaddin.officeaddin
Key Deleted : HKCU\Software\Microsoft\Office\Word\Addins\babylonofficeaddin.officeaddin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BabylonHelper.EXE
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\YourFile_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\YourFile_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\YourFileUpdater_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\YourFileUpdater_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{37425600-CB21-49A0-8659-476FBAB0F8E8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{95734BDE-B702-45B9-86E5-27676729F904}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B7EA2226-F876-4BE4-B478-76EBAE2A668A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D0482C8E-BAEA-4943-911A-B661060F56A7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{64B00DAC-870D-4E6A-8D34-3A6E3E427A30}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0BF91075-F457-4A8B-99EF-140B52D2F22A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{37425600-CB21-49A0-8659-476FBAB0F8E8}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{431FB0E5-2CBB-4602-9FE6-F1D64488ADD7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{5C9A230D-70A5-11D5-AFB0-0050DAC67890}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8911483C-C00A-4183-9FBC-6C9C00946C15}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{95734BDE-B702-45B9-86E5-27676729F904}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B7EA2226-F876-4BE4-B478-76EBAE2A668A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C3F058A9-407D-4CD1-8F66-B75605B54B69}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D0482C8E-BAEA-4943-911A-B661060F56A7}
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\TENCENT
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\Software\ParetoLogic
Key Deleted : HKLM\Software\TENCENT
Key Deleted : HKLM\Software\YourFileDownloader
[x] Not Deleted : [x64] HKLM\SOFTWARE\IB Updater
Key Deleted : [x64] HKLM\SOFTWARE\ParetoLogic
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16428
 
 
-\\ Google Chrome v29.0.1547.66
 
[ File : C:\Users\Acerr\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [5009 octets] - [30/11/2013 00:06:58]
AdwCleaner[S0].txt - [4940 octets] - [30/11/2013 00:11:32]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5000 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Ultimate x64
Ran by Acerr on 11/30/2013 Sat at  0:22:04.99
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{C430996F-4AA8-4AA8-81DE-F54432CD5786}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\Acerr\appdata\local\cre"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\niogeckbkdcabhnapjbkeiklablhjoca
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11/30/2013 Sat at  0:27:33.85
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#3 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:54 PM

Posted 30 November 2013 - 10:52 AM



Hello SnowballBlack

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.





I need to get some reports to get a base to start from so I need you to run these programs first.



-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 SnowballBlack

  • Topic Starter
  • Members
  • 16 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 30 November 2013 - 10:53 AM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.11.30.02
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16428
Acerr :: ACERR-PC [administrator]
 
11/30/2013 2:34:05 AM
mbam-log-2013-11-30 (02-34-05).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 695234
Time elapsed: 3 hour(s), 29 minute(s), 18 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 6
C:\Program Files\Adobe\Adobe Photoshop CS5 (64 Bit)\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Users\Acerr\Desktop\Win8\amtlib(only for revice Photoshop CS5 x64.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Users\Acerr\Downloads\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Users\Acerr\Downloads\Windows7-Ultimate-Sp1-X86&X64-RTM-Genuine-Untuched(Dark4m)\Activator\Windows.7.Loader.v2.0.6-DAZ\Windows Loader.exe (Backdoor.Agent.DC) -> Quarantined and deleted successfully.
C:\Users\Acerr\Favorites\Downloads\quicken_home_and_business_2013_crack_downloader_99133 (2).exe (PUP.Optional.YourFileDownloader) -> Quarantined and deleted successfully.
C:\Users\Acerr\Favorites\Downloads\[YCBETA] OEM Activator v2.2.1 for Windows 7 and Windows Server 2013.zip (Trojan.Winload) -> Quarantined and deleted successfully.
 
(end)
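The AdwCleaner report in #2 and the Malwarebytes report above use two different line formats, and the entries that matter most for follow-up are the ones the tools did not remove ("[x] Not Deleted" in AdwCleaner, "No action taken" in MBAM) and anything they touched under C:\Windows. The script below is an added example for this thread, not code from BleepingComputer or from either tool's authors: it parses both formats into one record type and summarises what still needs a human. The regexes are assumptions drawn from how the posted reports read (other tool versions may print differently), and the embedded sample text is constructed from the logs above, trimmed to a few representative lines.

```python
"""Triage parser for AdwCleaner and Malwarebytes Anti-Malware (1.x) text reports.

Added example, not code from the forum thread or from either tool's authors.
The line patterns are inferred from the reports posted in the thread; the
sample text below is constructed from those reports and trimmed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# AdwCleaner result lines: "<Kind> Deleted : <item>" or "[x] Not Deleted : <item>".
ADW_RE = re.compile(
    r"^(?P<status>\[x\] Not Deleted|(?:Folder|File|Key|Value|Data|Shortcut) Deleted)"
    r" : (?P<item>.+)$"
)
# MBAM 1.x detection lines: "<path> (<detection>) -> <action>."
# The lazy path group lets paths that themselves contain " (" (e.g. "(64 Bit)"
# or "(2).exe") still parse, because the detection must be followed by ") -> ".
MBAM_RE = re.compile(r"^(?P<item>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

# Anything the tools touched under the Windows directory is more than an adware
# leftover and deserves a manual look (hash, signature, how it got there).
SYSTEM_PREFIX = "c:\\windows\\"


@dataclass(frozen=True)
class Finding:
    tool: str
    item: str        # file, folder or registry key as printed by the tool
    detection: str   # MBAM family name, or the AdwCleaner line type
    action: str      # what the tool did, lower-cased
    resolved: bool   # False -> still on disk / in registry, needs follow-up


def parse_adwcleaner(text: str) -> list:
    """Return one Finding per AdwCleaner result line; section headers are skipped."""
    findings = []
    for line in text.splitlines():
        m = ADW_RE.match(line.strip())
        if not m:
            continue
        status = m.group("status")
        resolved = not status.startswith("[x]")
        findings.append(Finding("AdwCleaner", m.group("item").strip(), status,
                                "deleted" if resolved else "not deleted", resolved))
    return findings


def parse_mbam(text: str) -> list:
    """Return one Finding per MBAM detection line; counters and headers are skipped."""
    findings = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if not m:
            continue
        action = m.group("action").rstrip(".").lower()
        resolved = action.startswith(("quarantined", "deleted"))
        findings.append(Finding("MBAM", m.group("item"), m.group("detection"), action, resolved))
    return findings


def triage(findings: list) -> dict:
    """Summarise what still needs a human: unresolved items and system-dir hits."""
    return {
        "total": len(findings),
        "unresolved": [f.item for f in findings if not f.resolved],
        "system_dir": [f.item for f in findings if f.item.lower().startswith(SYSTEM_PREFIX)],
        "by_detection": Counter(f.detection for f in findings),
    }


# Constructed sample in AdwCleaner's report format (entries modelled on the log in #2).
SAMPLE_ADWCLEANER = r"""
***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\SoftSafe
Folder Deleted : C:\Users\Acerr\AppData\Roaming\yourfiledownloader
File Deleted : C:\Windows\System32\roboot64.exe

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
Key Deleted : [x64] HKLM\SOFTWARE\ParetoLogic
[x] Not Deleted : [x64] HKLM\SOFTWARE\IB Updater
"""

# Constructed sample in MBAM 1.x format (entries modelled on the log in #4, paths shortened).
SAMPLE_MBAM = r"""
Files Detected: 3
C:\Program Files\Adobe\Adobe Photoshop CS5 (64 Bit)\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Users\Acerr\Downloads\Activator\Windows Loader.exe (Backdoor.Agent.DC) -> Quarantined and deleted successfully.
C:\Users\Acerr\Favorites\Downloads\quicken_crack_downloader (2).exe (PUP.Optional.YourFileDownloader) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    summary = triage(parse_adwcleaner(SAMPLE_ADWCLEANER) + parse_mbam(SAMPLE_MBAM))
    print(f"{summary['total']} findings, {len(summary['unresolved'])} unresolved")
    for item in summary["unresolved"]:
        print("  FOLLOW UP :", item)
    for item in summary["system_dir"]:
        print("  SYSTEM DIR:", item)
    for det, n in summary["by_detection"].most_common():
        print(f"  {n:2d}  {det}")
```

Run it as-is to see the summary for the embedded samples, or replace the two sample strings with the full text of a real pair of reports. On the samples it reports nine findings, two of them unresolved (the IB Updater key AdwCleaner could not delete and the amtlib.dll MBAM left alone) and one item under C:\Windows (roboot64.exe), which is exactly the short list a helper would want to check by hand before deciding the cleanup is done.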


#5 SnowballBlack

  • Topic Starter
  • Members
  • 16 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 30 November 2013 - 10:54 AM

ComboFix 13-11-27.01 - Acerr 0/2013 Sat   1:41.5.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.936.86.1033.18.5815.4484 [GMT -5:00]
Running from: c:\users\Acerr\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Deleted Files   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\apppatch\AppLoc.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_HZ_CommSrv
.
.
(((((((((((((((((((((((((  Files Created From 2013-10-28 to 2013-11-30  )))))))))))))))))))))))))))))))
.
.
2013-11-30 06:57 . 2013-11-30 06:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-11-30 06:57 . 2013-11-30 06:57 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-11-30 06:57 . 2013-11-30 06:57 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2013-11-30 06:57 . 2013-11-30 06:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-30 06:57 . 2013-11-30 06:57 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2013-11-30 06:57 . 2013-11-30 06:57 -------- d-----w- c:\users\AppData\AppData\Local\temp
2013-11-30 06:57 . 2013-11-30 06:57 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-11-30 06:57 . 2013-11-30 06:57 -------- d-----w- c:\users\Acerr\AppData\Local\temp
2013-11-30 05:21 . 2013-11-30 05:21 -------- d-----w- c:\windows\ERUNT
2013-11-30 05:06 . 2013-11-30 05:13 -------- d-----w- C:\AdwCleaner
2013-11-28 03:57 . 2013-11-28 03:58 -------- d-----w- C:\Sysinternals
2013-11-27 21:15 . 2013-11-27 21:15 -------- d-----w- c:\windows\Migration
2013-11-20 02:30 . 2013-09-28 01:09 497152 ----a-w- c:\windows\system32\drivers\afd.sys
2013-11-20 02:30 . 2013-10-05 20:25 1474048 ----a-w- c:\windows\system32\crypt32.dll
2013-11-20 02:30 . 2013-10-05 19:57 1168384 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-11-20 02:28 . 2013-10-04 02:24 1930752 ----a-w- c:\windows\system32\authui.dll
2013-11-20 02:28 . 2013-10-04 01:56 1796096 ----a-w- c:\windows\SysWow64\authui.dll
2013-11-20 02:28 . 2013-10-04 02:28 190464 ----a-w- c:\windows\system32\SmartcardCredentialProvider.dll
2013-11-20 02:28 . 2013-10-04 02:25 197120 ----a-w- c:\windows\system32\credui.dll
2013-11-20 02:28 . 2013-10-04 01:58 152576 ----a-w- c:\windows\SysWow64\SmartcardCredentialProvider.dll
2013-11-20 02:28 . 2013-10-04 01:56 168960 ----a-w- c:\windows\SysWow64\credui.dll
2013-11-20 02:26 . 2013-09-25 01:58 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2013-11-20 02:26 . 2013-09-25 01:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2013-11-20 02:26 . 2013-09-25 01:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll
2013-11-20 02:26 . 2013-09-25 01:56 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll
2013-11-19 14:20 . 2013-10-03 02:23 404480 ----a-w- c:\windows\system32\gdi32.dll
2013-11-19 14:20 . 2013-10-03 02:00 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Files Modified Within the Last Three Months   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-20 02:37 . 2010-07-02 20:55 82896128 ----a-w- c:\windows\system32\MRT.exe
2013-11-06 01:34 . 2013-02-05 05:40 184888 ----a-w- c:\windows\SysWow64\drivers\QQProtect.sys
2013-10-18 21:48 . 2013-10-18 21:48 108968 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-10-18 21:48 . 2013-10-18 21:49 312744 ----a-w- c:\windows\system32\javaws.exe
2013-10-18 21:48 . 2013-10-18 21:48 189352 ----a-w- c:\windows\system32\javaw.exe
2013-10-18 21:48 . 2013-10-18 21:48 189352 ----a-w- c:\windows\system32\java.exe
2013-10-18 21:44 . 2013-10-18 21:45 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-14 23:00 . 2013-01-25 08:07 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
2013-10-02 12:51 . 2013-03-05 15:05 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-02 12:51 . 2013-03-05 15:05 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-12 02:21 . 2013-09-12 02:21 863344 ----a-w- c:\windows\SysWow64\msvcr110_clr0400.dll
2013-09-12 02:21 . 2013-09-12 02:21 501872 ----a-w- c:\windows\SysWow64\msvcp110_clr0400.dll
2013-09-12 02:21 . 2013-09-12 02:21 28776 ----a-w- c:\windows\SysWow64\aspnet_counters.dll
2013-09-12 02:21 . 2013-09-12 02:21 18000 ----a-w- c:\windows\SysWow64\msvcr100_clr0400.dll
2013-09-12 00:39 . 2013-09-12 00:39 855664 ----a-w- c:\windows\system32\msvcr110_clr0400.dll
2013-09-12 00:39 . 2013-09-12 00:39 614000 ----a-w- c:\windows\system32\msvcp110_clr0400.dll
2013-09-12 00:39 . 2013-09-12 00:39 30312 ----a-w- c:\windows\system32\aspnet_counters.dll
2013-09-12 00:39 . 2013-09-12 00:39 18000 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2013-09-08 02:30 . 2013-10-12 14:24 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:27 . 2013-10-12 14:24 327168 ----a-w- c:\windows\system32\mswsock.dll
2013-09-08 02:03 . 2013-10-12 14:24 231424 ----a-w- c:\windows\SysWow64\mswsock.dll
2013-09-05 16:50 . 2013-09-05 16:50 0 ----a-w- c:\windows\SysWow64\nshF4A2.tmp
2013-09-05 16:50 . 2013-09-05 16:50 0 ----a-w- c:\windows\system32\nssF4E2.tmp
2013-09-04 12:12 . 2013-10-14 20:12 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-09-04 12:11 . 2013-10-14 20:12 325120 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-09-04 12:11 . 2013-10-14 20:12 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-09-04 12:11 . 2013-10-14 20:12 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-09-04 12:11 . 2013-10-14 20:12 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-09-04 12:11 . 2013-10-14 20:12 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2013-09-04 12:11 . 2013-10-14 20:12 7808 ----a-w- c:\windows\system32\drivers\usbd.sys
2012-05-04 07:04 . 2012-05-04 07:04 2174976 ----a-w- c:\program files (x86)\Common Files\atimpenc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Registry Load Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-04-26 06:50 208096 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-04-26 06:50 208096 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-04-26 06:50 208096 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToolboxFX"="c:\program files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" [BU]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [BU]
"MSN Toolbar"="c:\program files (x86)\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
"InterPass3000_ICBC"=c:\program files (x86)\ICBCEbankTools\Feitian-InterPass3000\certd_nps3000_ICBC.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppdbulkio.sys;c:\windows\SYSNATIVE\drivers\hppdbulkio.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTL8192cu;300Mbps Wireless USB Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8192cu.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 usbrndis6;USB RNDIS6 Adapter;c:\windows\system32\DRIVERS\usb80236.sys;c:\windows\SYSNATIVE\DRIVERS\usb80236.sys [x]
R4 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [x]
R4 HZ_CommSrv64;HDZB Comm Service 64 For V2.0;c:\windows\system32\HZ_CommSrv64.exe;c:\windows\SYSNATIVE\HZ_CommSrv64.exe [x]
R4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R4 ICBC Daemon Service;ICBC Daemon Service;c:\program files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\IcbcDaemon_64.exe;c:\program files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\IcbcDaemon_64.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys;c:\windows\SYSNATIVE\DRIVERS\RsFx0150.sys [x]
R4 RsFx0153;RsFx0153 Driver;c:\windows\system32\DRIVERS\RsFx0153.sys;c:\windows\SYSNATIVE\DRIVERS\RsFx0153.sys [x]
R4 RsMgrSvc;Rsd Service;c:\program files (x86)\Rising\RSD\RsMgrSvc.exe;c:\program files (x86)\Rising\RSD\RsMgrSvc.exe [x]
R4 RsRavMon;Rav Service;c:\program files (x86)\Rising\RAV\RavMonD.exe;c:\program files (x86)\Rising\RAV\RavMonD.exe [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE;c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
R4 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R4 WDMonitorCCB;WatchData ccb V3.2;c:\windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe;c:\windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe [x]
R4 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe;c:\windows\SYSNATIVE\inetsrv\wmsvc.exe [x]
R9 SjtWinIo;SJT I/O Driver   ;c:\windows\system32\DRIVERS\SjtWinIo.sys;c:\windows\SYSNATIVE\DRIVERS\SjtWinIo.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\1404000.028\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1404000.028\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\1404000.028\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1404000.028\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\BASHDefs\20131114.001\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\BASHDefs\20131114.001\BHDrvx64.sys [x]
S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360x64\1404000.028\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\N360x64\1404000.028\ccSetx64.sys [x]
S1 icbckeyflt2;icbckeyflt2;c:\windows\icbckeyflt_64.sys;c:\windows\icbckeyflt_64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\IPSDefs\20131128.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\IPSDefs\20131128.001\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\1404000.028\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1404000.028\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\1404000.028\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\N360x64\1404000.028\SYMNETS.SYS [x]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe;c:\program files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe [x]
S2 ProtectorA;ProtectorA;c:\windows\system32\drivers\ProtectorA.sys;c:\windows\SYSNATIVE\drivers\ProtectorA.sys [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ   w3svc was
apphost REG_MULTI_SZ   apphostsvc
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
start [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-05 13:31 1177552 ----a-w- c:\program files (x86)\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
 Contents of the 'Scheduled Tasks' folder
.
2013-11-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-05 12:51]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-04-26 06:50 232672 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-04-26 06:50 232672 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-04-26 06:50 232672 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = localhost;127.0.0.1
uInternet Settings,ProxyServer = proxy.med.yale.edu:3128
Trusted Zone: 95599.cn\easyabc
Trusted Zone: 95599.cn\www
Trusted Zone: 95599.sh.cn\www
Trusted Zone: abchina.com
Trusted Zone: abchina.com\www
Trusted Zone: bankofchina.com\www
Trusted Zone: boc.cn\ebs
Trusted Zone: boc.cn\www
Trusted Zone: ccb.cn\b2b
Trusted Zone: ccb.com\*
Trusted Zone: ccb.com\www
Trusted Zone: ccb.com.cn
Trusted Zone: ccb.com.cn\*
Trusted Zone: ccb.com.cn\ca2
Trusted Zone: ccb.com.cn\ca3
Trusted Zone: ccb.com.cn\ibsbjstar
Trusted Zone: ccb.com.cn\mybank
Trusted Zone: cebbank.com
Trusted Zone: com.cn\*.cfca
Trusted Zone: icbc.com.cn
Trusted Zone: intuit.com\ttlc
Trusted Zone: java.com\www
Trusted Zone: webex.com\interactivebrokers
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
DPF: {04409CCE-49CD-43BE-A49A-BE004D94711D} - hxxps://vip.icbc.com.cn/icbc/icbc_ftusbkey.cab
DPF: {8BBD6F34-9815-4208-B375-30EEE148D8FF} - hxxps://ebs.boc.cn/BocnetClient/common/cab/JITDSign.cab
DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} - hxxps://vip.icbc.com.cn/icbc/newperbank/AxSafeControls.cab
DPF: {ABCAFD04-FB3B-47E8-A52A-BC5176186D19} - hxxps://vip.icbc.com.cn/icbc/icbc_ftdv.cab
DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} - hxxps://vip.icbc.com.cn/icbc/ICBC_NetSign.dll
DPF: {BC878AFA-767A-47D8-B61E-AD96F210833A} - hxxps://vip.icbc.com.cn/icbc/newperbank/icbcEnvCtrl.cab
DPF: {BEEE2807-1709-4184-A05D-1B2DE01EE4CF} - hxxps://www.cebbank.com/per/js/PowerEnter.CAB
DPF: {C391E12A-EAF1-45F1-8425-6E513C0D553C} - hxxps://pbank.95559.com.cn/personbank/ocx/x32.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}"=hex:51,66,7a,6c,4c,1d,38,12,8a,de,68,
   55,95,ad,1e,00,cd,08,68,12,b3,4d,db,d3
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=hex:51,66,7a,6c,4c,1d,38,12,57,36,90,
   43,f7,9e,4b,04,e0,be,4b,59,e7,b4,e8,87
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
   7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
"{687578B9-7132-4A7A-80E4-30EE31099E03}"=hex:51,66,7a,6c,4c,1d,38,12,d7,7b,66,
   6c,00,3f,14,0f,ff,f2,73,ae,34,57,da,17
"{074C1DC5-9320-4A9A-947D-C042949C6216}"=hex:51,66,7a,6c,4c,1d,38,12,ab,1e,5f,
   03,12,dd,f4,0f,eb,6b,83,02,91,c2,26,02
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
   64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
   69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
   76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}"=hex:51,66,7a,6c,4c,1d,38,12,d8,cf,e9,
   98,0d,61,19,04,eb,fc,4e,6b,77,8d,c0,d5
"{AE7CD045-E861-484F-8273-0445EE161910}"=hex:51,66,7a,6c,4c,1d,38,12,2b,d3,6f,
   aa,53,a6,21,0d,fd,65,47,05,eb,48,5d,04
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
   b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7}"=hex:51,66,7a,6c,4c,1d,38,12,19,c7,a0,
   e8,38,54,d3,01,c4,41,3b,b9,ea,bd,0b,b3
"{F4971EE7-DAA0-4053-9964-665D8EE6A077}"=hex:51,66,7a,6c,4c,1d,38,12,89,1d,84,
   f0,92,94,3d,05,e6,72,25,1d,8b,b8,e4,63
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
   2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{336D0C35-8A85-403a-B9D2-65C292C39087}"=hex:51,66,7a,6c,4c,1d,3b,1b,08,11,74,
   1a,82,e9,65,3d,9d,e9,17,af,a2,b0,e5,ab
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:eb,11,58,e5,89,9b,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,b8,fd,15,65,7c,45,44,81,a4,73,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,b8,fd,15,65,7c,45,44,81,a4,73,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:4b,13,23,1c,6e,b7,4e,03,da,ef,b4,be,3f,01,21,95,cc,cb,2f,b3,db,
   c9,4a,14,f2,c8,96,e1,60,c1,30,3f,24,e7,e3,54,31,95,93,75,2b,fb,a5,98,21,d6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_175.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\-N齎鷁緥鰯L圗*飴*俀鰯塠hQ膥鯪塠艌z廭]
"DisplayName"="中国建设银行E路护航网银安全组件 1.0.2.14"
"UninstallString"="c:\\Program Files\\CCBComponents\\uninst.exe"
"DisplayIcon"="c:\\Program Files (x86)\\CCBComponents\\Detector\\index.ico"
"DisplayVersion"="1.0.2.14"
"URLInfoAbout"="http://www.ccb.com"
"Publisher"="China Construction Bank"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:4b,13,23,1c,6e,b7,4e,03,da,ef,b4,be,3f,01,21,95,cc,cb,2f,b3,db,
   c9,4a,14,f2,c8,96,e1,60,c1,30,3f,24,e7,e3,54,31,95,93,75,2b,fb,a5,98,21,d6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Management\YUCache\-N齎鷁緥鰯L圗*飴*俀鰯塠hQ膥鯪塠艌z廭]
"SlowInfoCache"=hex:6f,7b,d4,00,00,00,00,00,cc,1a,76,34,5f,1f,e4,40,64,a8,ec,
   30,5f,1f,e4,40,ff,ff,ff,ff,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Management\YUCache\'Yf擭2m *鷁L圦鰯]
"SlowInfoCache"=hex:fd,d2,0c,00,00,00,00,00,30,12,c8,2a,5f,1f,e4,40,3c,36,db,
   2a,5f,1f,e4,40,ff,ff,ff,ff,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
完成时间: 2013-11-30  02:00:53
ComboFix-quarantined-files.txt  2013-11-30 07:00
.
Pre-Run: 122,444,939,264 bytes free
Post-Run: 122,112,942,080 bytes free
.
- - End Of File - - AB4B96A2F6DA94020986919E1FFA463B


#6 SnowballBlack (Topic Starter, Members, 16 posts)

Posted 30 November 2013 - 10:56 AM

Hello SnowballBlack

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.



Ok, I am doing a DDS now. 
I need to get some reports to get a base to start from so I need you to run these programs first.



-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply
Gringo




#7 SnowballBlack (Topic Starter, Members, 16 posts)

Posted 30 November 2013 - 11:16 AM

Thank you very much, Gringo. I have to re-run DDS as there are more domains in the computer.
.

INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.


#8 gringo_pr (Bleepin Gringo, Malware Response Team, 136,773 posts, Gender: Male, Location: Puerto rico)

Posted 30 November 2013 - 11:27 AM

No, that is fine, no need to force it.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --> [donate button] <-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 SnowballBlack (Topic Starter, Members, 16 posts)

Posted 30 November 2013 - 11:38 AM

Here we are, forced.


DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.45.2
Run by Acerr at 11:14:44 on 2013-11-30
#Option Extended Search is enabled.
Microsoft Windows 7 Ultimate   6.1.7601.1.936.86.1033.18.5815.3585 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\vds.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyServer = proxy.[fainted by SnowballBlack]
uProxyOverride = localhost;127.0.0.1
BHO: AutorunsDisabled - <orphaned>
BHO: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ips\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - 
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: ICBC Anti-Phishing class: {BB4491A2-D11A-4c6b-91C0-B53246A3122B} - C:\Program Files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN32\Icbc_AntiPhishing.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\coieplg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\coieplg.dll
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_8_800_175_ActiveX.exe -update activex
mRun: [ToolboxFX] "C:\Program Files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [MSN Toolbar] "C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:60
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: abchina.com
Trusted Zone: ccb.com.cn
Trusted Zone: cebbank.com
Trusted Zone: icbc.com.cn
DPF: {04409CCE-49CD-43BE-A49A-BE004D94711D} - hxxps://vip.icbc.com.cn/icbc/icbc_ftusbkey.cab
DPF: {8BBD6F34-9815-4208-B375-30EEE148D8FF} - hxxps://ebs.boc.cn/BocnetClient/common/cab/JITDSign.cab
DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} - hxxps://vip.icbc.com.cn/icbc/newperbank/AxSafeControls.cab
DPF: {ABCAFD04-FB3B-47E8-A52A-BC5176186D19} - hxxps://vip.icbc.com.cn/icbc/icbc_ftdv.cab
DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} - hxxps://vip.icbc.com.cn/icbc/ICBC_NetSign.dll
DPF: {BC878AFA-767A-47D8-B61E-AD96F210833A} - hxxps://vip.icbc.com.cn/icbc/newperbank/icbcEnvCtrl.cab
DPF: {BEEE2807-1709-4184-A05D-1B2DE01EE4CF} - hxxps://www.cebbank.com/per/js/PowerEnter.CAB
DPF: {C391E12A-EAF1-45F1-8425-6E513C0D553C} - hxxps://pbank.95559.com.cn/personbank/ocx/x32.cab
TCP: NameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{11FE390A-11A2-4D37-8CB9-C425B2BC0F4D} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{11FE390A-11A2-4D37-8CB9-C425B2BC0F4D}\C496E6B683359737 : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{F411C880-68DF-46E5-9DF8-6FBA17AB7007} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - <orphaned>
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: AutorunsDisabled - <orphaned>
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {E038D538-7D30-490E-8DDC-5F80BAF93453} - hxxp://news.newone.com.cn/secure/TiYun.CAB
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1404000.028\symds64.sys [2013-6-10 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1404000.028\symefa64.sys [2013-6-10 1139800]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\BASHDefs\20131114.001\BHDrvx64.sys [2013-11-18 1524824]
R1 ccSet_N360;Norton 360 Settings Manager;C:\Windows\System32\drivers\N360x64\1404000.028\ccsetx64.sys [2013-6-10 169048]
R1 icbckeyflt2;icbckeyflt2;C:\Windows\icbckeyflt_64.sys [2012-11-16 39792]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\IPSDefs\20131128.001\IDSviA64.sys [2013-11-29 521816]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1404000.028\ironx64.sys [2013-6-10 224416]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1404000.028\symnets.sys [2013-6-10 433752]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccsvchst.exe [2013-6-10 144368]
R2 ProtectorA;ProtectorA;C:\Windows\System32\drivers\ProtectorA.sys [2012-12-7 22672]
R2 SSPORT;SSPORT;C:\Windows\System32\drivers\SSPORT.SYS [2010-6-30 11576]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-11-22 137648]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-2-26 158976]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-8-31 317440]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2012-1-18 435240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-30 1255736]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-8-8 48488]
S3 HPFXBULKLEDM;HPFXBULKLEDM;C:\Windows\System32\drivers\hppdbulkio.sys [2010-5-6 22040]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2013-11-19 111616]
S3 ose64;Office 64 Source Engine;"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" --> C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-5 19456]
S3 RTL8192cu;300Mbps Wireless USB Adapter;C:\Windows\System32\drivers\RTL8192cu.sys [2013-1-26 926824]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-5 57856]
S3 usbrndis6;USB RNDIS6 Adapter;C:\Windows\System32\drivers\usb80236.sys [2013-3-14 19968]
S4 fsssvc;Windows Live Family Safety Service;"C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe" --> C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [?]
S4 HP LaserJet Service;HP LaserJet Service;"C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe" --> C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [?]
S4 HZ_CommSrv64;HDZB Comm Service 64 For V2.0;C:\Windows\System32\HZ_CommSrv64.exe [2012-10-12 17920]
S4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-2-8 13336]
S4 ICBC Daemon Service;ICBC Daemon Service;C:\Program Files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\IcbcDaemon_64.exe [2011-12-26 554112]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" --> c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [?]
S4 RsFx0150;RsFx0150 Driver;C:\Windows\System32\drivers\RsFx0150.sys [2010-4-3 313696]
S4 RsFx0153;RsFx0153 Driver;C:\Windows\System32\drivers\RsFx0153.sys [2012-6-29 321992]
S4 RsMgrSvc;Rsd Service;"C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe" --> C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe [?]
S4 RsRavMon;Rav Service;"C:\Program Files (x86)\Rising\RAV\RavMonD.exe" --> C:\Program Files (x86)\Rising\RAV\RavMonD.exe [?]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS --> c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [?]
S4 UNS;Intel® Management & Security Application User Notification Service;"C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" --> C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [?]
S4 WDMonitorCCB;WatchData ccb V3.2;C:\Windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe [2012-10-28 62816]
S4 WMSVC;Web Management Service;C:\Windows\System32\inetsrv\WMSvc.exe [2009-7-13 10752]
SUnknown SjtWinIo;SJT I/O Driver;C:\Windows\System32\drivers\SjtWinIo.sys [2013-7-4 8704]
.
=============== File Associations ===============
.
FileExt: .reg: Applications\notepad.exe=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .txt: txtfile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .chm: chm.file="C:\Windows\hh.exe" %1 [UserChoice]
.
=============== Created Last 60 ================
.
2013-11-30 07:32:56 -------- d-----w- C:\ProgramData\Malwarebytes
2013-11-30 07:32:55 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-11-30 07:32:54 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-11-30 07:01:07 -------- d-sh--w- C:\$RECYCLE.BIN
2013-11-30 07:00:55 -------- d-----w- C:\Users\Acerr\AppData\Local\temp
2013-11-30 06:39:27 -------- d-----w- C:\ComboFix
2013-11-30 05:35:30 98816 ----a-w- C:\Windows\sed.exe
2013-11-30 05:35:30 256000 ----a-w- C:\Windows\PEV.exe
2013-11-30 05:35:30 208896 ----a-w- C:\Windows\MBR.exe
2013-11-30 05:21:59 -------- d-----w- C:\Windows\ERUNT
2013-11-30 05:06:48 -------- d-----w- C:\AdwCleaner
2013-11-28 04:09:51 -------- d-----w- C:\Windows\pss
2013-11-28 03:57:26 -------- d-----w- C:\Sysinternals
2013-11-27 21:15:25 -------- d-----w- C:\Windows\Migration
2013-11-20 02:30:54 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
2013-11-20 02:30:34 1474048 ----a-w- C:\Windows\System32\crypt32.dll
2013-11-20 02:30:34 1168384 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-11-20 02:28:12 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-11-20 02:28:11 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-11-20 02:28:10 197120 ----a-w- C:\Windows\System32\credui.dll
2013-11-20 02:28:10 190464 ----a-w- C:\Windows\System32\SmartcardCredentialProvider.dll
2013-11-20 02:28:10 168960 ----a-w- C:\Windows\SysWow64\credui.dll
2013-11-20 02:28:10 152576 ----a-w- C:\Windows\SysWow64\SmartcardCredentialProvider.dll
2013-11-20 02:26:03 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2013-11-20 02:26:03 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2013-11-20 02:26:03 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2013-11-20 02:26:03 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2013-11-19 14:20:50 404480 ----a-w- C:\Windows\System32\gdi32.dll
2013-11-19 14:20:50 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-10-18 22:22:07 -------- d-----w- C:\Users\Acerr\AppData\Local\Apps
2013-10-18 21:48:48 108968 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-10-18 21:45:03 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-14 20:49:33 -------- d-----w- C:\ProgramData\Oracle
2013-10-14 20:12:30 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2013-10-14 20:12:30 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys
2013-10-14 20:12:30 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2013-10-14 20:12:30 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2013-10-14 20:12:30 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2013-10-14 20:12:30 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2013-10-14 20:12:30 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2013-10-12 14:21:25 983488 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
.
==================== Find6M  ====================
.
2013-11-06 01:34:59 184888 ----a-w- C:\Windows\SysWow64\drivers\QQProtect.sys
2013-10-12 02:30:42 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2013-10-12 02:29:21 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-12 02:03:08 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-02 12:51:34 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-02 12:51:34 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-09-25 02:26:40 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2013-09-25 02:26:40 154560 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2013-09-25 02:23:33 28672 ----a-w- C:\Windows\System32\sspisrv.dll
2013-09-25 02:23:33 135680 ----a-w- C:\Windows\System32\sspicli.dll
2013-09-25 02:23:01 28160 ----a-w- C:\Windows\System32\secur32.dll
2013-09-25 02:22:59 340992 ----a-w- C:\Windows\System32\schannel.dll
2013-09-25 02:21:50 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2013-09-25 02:21:07 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2013-09-25 01:03:24 30720 ----a-w- C:\Windows\System32\lsass.exe
2013-09-12 02:21:54 863344 ----a-w- C:\Windows\SysWow64\msvcr110_clr0400.dll
2013-09-12 02:21:54 501872 ----a-w- C:\Windows\SysWow64\msvcp110_clr0400.dll
2013-09-12 02:21:54 28776 ----a-w- C:\Windows\SysWow64\aspnet_counters.dll
2013-09-12 02:21:54 18000 ----a-w- C:\Windows\SysWow64\msvcr100_clr0400.dll
2013-09-12 00:39:06 855664 ----a-w- C:\Windows\System32\msvcr110_clr0400.dll
2013-09-12 00:39:06 614000 ----a-w- C:\Windows\System32\msvcp110_clr0400.dll
2013-09-12 00:39:06 30312 ----a-w- C:\Windows\System32\aspnet_counters.dll
2013-09-12 00:39:06 18000 ----a-w- C:\Windows\System32\msvcr100_clr0400.dll
2013-09-08 02:30:37 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-09-08 02:27:14 327168 ----a-w- C:\Windows\System32\mswsock.dll
2013-09-08 02:03:58 231424 ----a-w- C:\Windows\SysWow64\mswsock.dll
2013-09-05 16:50:15 0 ----a-w- C:\Windows\SysWow64\nshF4A2.tmp
2013-09-05 16:50:15 0 ----a-w- C:\Windows\System32\nssF4E2.tmp
2013-08-31 06:57:36 0 ----a-w- C:\Windows\SysWow64\nsiC515.tmp
2013-08-31 06:57:36 0 ----a-w- C:\Windows\System32\nsdC545.tmp
2013-08-31 06:36:32 0 ----a-w- C:\Windows\SysWow64\nsy5821.tmp
2013-08-31 06:36:32 0 ----a-w- C:\Windows\System32\nso5832.tmp
2013-08-29 02:17:48 5549504 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-08-29 02:16:35 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-08-29 02:16:28 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-08-29 02:16:14 859648 ----a-w- C:\Windows\System32\tdh.dll
2013-08-29 02:13:28 878080 ----a-w- C:\Windows\System32\advapi32.dll
2013-08-29 01:51:45 3969472 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51:45 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50:31 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-08-29 01:50:30 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-08-29 01:50:16 619520 ----a-w- C:\Windows\SysWow64\tdh.dll
2013-08-29 01:48:17 640512 ----a-w- C:\Windows\SysWow64\advapi32.dll
2013-08-29 01:48:15 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2013-08-29 00:49:53 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-08-29 00:49:52 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-08-29 00:49:52 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-08-29 00:49:49 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-08-28 01:21:06 3155968 ----a-w- C:\Windows\System32\win32k.sys
2013-08-28 01:12:33 461312 ----a-w- C:\Windows\System32\scavengeui.dll
2013-08-05 02:25:45 155584 ----a-w- C:\Windows\System32\drivers\ataport.sys
2013-08-02 02:14:57 215040 ----a-w- C:\Windows\System32\winsrv.dll
2013-08-02 02:13:34 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2013-08-02 01:50:42 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17 338432 ----a-w- C:\Windows\System32\conhost.exe
2013-08-02 00:59:09 112640 ----a-w- C:\Windows\System32\smss.exe
2013-08-02 00:43:05 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-20 10:33:12 102608 ----a-w- C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2013-07-20 10:33:08 124112 ----a-w- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-07-12 10:41:35 185344 ----a-w- C:\Windows\System32\drivers\usbvideo.sys
2013-07-12 10:41:12 100864 ----a-w- C:\Windows\System32\drivers\usbcir.sys
2013-07-12 10:40:58 109824 ----a-w- C:\Windows\System32\drivers\USBAUDIO.sys
2013-07-09 05:52:52 224256 ----a-w- C:\Windows\System32\wintrust.dll
2013-07-09 05:51:16 1217024 ----a-w- C:\Windows\System32\rpcrt4.dll
2013-07-09 05:46:20 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-07-09 05:46:20 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-07-09 04:52:33 663552 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:10 175104 ----a-w- C:\Windows\SysWow64\wintrust.dll
2013-07-09 04:46:31 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-07-09 04:46:31 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-07-04 12:57:22 259584 ----a-w- C:\Windows\System32\WebClnt.dll
2013-07-04 12:50:46 102400 ----a-w- C:\Windows\System32\davclnt.dll
2013-07-04 12:50:39 633856 ----a-w- C:\Windows\System32\comctl32.dll
2013-07-04 12:18:29 458712 ----a-w- C:\Windows\System32\drivers\cng.sys
2013-07-04 11:57:28 205824 ----a-w- C:\Windows\SysWow64\WebClnt.dll
2013-07-04 11:51:04 81920 ----a-w- C:\Windows\SysWow64\davclnt.dll
2013-07-04 11:50:56 530432 ----a-w- C:\Windows\SysWow64\comctl32.dll
2013-07-04 10:11:35 140800 ----a-w- C:\Windows\System32\drivers\mrxdav.sys
2013-07-03 04:40:12 42496 ----a-w- C:\Windows\System32\drivers\usbscan.sys
2013-07-03 04:05:05 76800 ----a-w- C:\Windows\System32\drivers\hidclass.sys
2013-07-03 04:05:04 32896 ----a-w- C:\Windows\System32\drivers\hidparse.sys
2013-06-25 22:55:52 785624 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2013-06-15 04:32:16 39936 ----a-w- C:\Windows\System32\drivers\tssecsrv.sys
2013-06-10 21:21:47 177312 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2013-06-06 05:50:51 41472 ----a-w- C:\Windows\System32\lpk.dll
2013-06-06 05:49:52 100864 ----a-w- C:\Windows\System32\fontsub.dll
2013-06-06 05:49:07 14336 ----a-w- C:\Windows\System32\dciman32.dll
2013-06-06 05:47:21 46080 ----a-w- C:\Windows\System32\atmlib.dll
2013-06-06 04:57:01 25600 ----a-w- C:\Windows\SysWow64\lpk.dll
2013-06-06 04:51:29 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2013-06-06 04:50:56 10240 ----a-w- C:\Windows\SysWow64\dciman32.dll
.
============= FINISH: 11:14:58.91 ===============


#10 SnowballBlack

SnowballBlack
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 30 November 2013 - 11:39 AM

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate 
Boot Device: \Device\HarddiskVolume1
Install Date: 6/29/2010 8:01:14 PM
System Uptime: 11/30/2013 8:07:59 AM (3 hours ago)
.
Motherboard: Acer             |  | Aspire 5741     
Processor: Intel® Core™ i5 CPU       M 430  @ 2.27GHz | CPU | 2267/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 113.229 GiB free.
D: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {fainted by SnowballBlack}
Description: Microsoft Virtual WiFi Miniport Adapter
Device ID: {fainted by snowballBlack}\VWIFIMP\
Manufacturer: Microsoft
Name: Microsoft Virtual WiFi Miniport Adapter
PNP Device ID: {fainted by SnowballBalck}\VWIFIMP\
Service: vwifimp
.
==== System Restore Points ===================
.
RP1015: 10/18/2013 5:48:26 PM - Installed Java 7 Update 45 (64-bit)
RP1016: 11/19/2013 9:31:40 PM - Windows Update
RP1017: 11/27/2013 4:09:08 PM - Windows Update
RP1018: 11/27/2013 4:33:03 PM - Removed TuneUp Utilities 2012
RP1019: 11/27/2013 4:35:49 PM - Removed TuneUp Utilities Language Pack (en-US)
RP1020: 11/30/2013 12:36:01 AM - ComboFix created restore point
.
==== Installed Programs ======================
.
360安全浏览器6
64 Bit HP CIO Components Installer
ABBYY FineReader 11
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe AIR
Adobe Creative Suite 5 Master Collection
Adobe Digital Editions 2.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Media Player
Adobe Shockwave Player 12.0
BenVista PhotoZoom Pro 4.1.4
BOCNET Security Applet 2.1
Broadcom 802.11 Network Adapter
Broadcom NetLink Controller
Canon MP Navigator EX 4.0
CanoScan LiDE 210 Scanner Driver
Cisco EAP-FAST Module
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 64-Bit Edition
ePass2000-FT11 (仅用做移除)
Everything 1.2.1.371
GoldenDict
Google Chrome
Google Update Helper
hppLaserJetService
ICBC Infosec CertEnroll Plugins
ICBC Infosec NetSign Plugins
icbc_ft_usbkey_plugins
ICBCChromeExtension
ICBCEBankAssist
ICBCSetupInput
Intel® Graphics Media Accelerator Driver
iSpy
Java 7 Update 45
Java 7 Update 45 (64-bit)
Java Auto Updater
Malwarebytes Anti-Malware version 1.75.0.1300
MetaStock Professional 11.0
Microsoft .NET Framework 4.5.1
Microsoft Application Error Reporting
Microsoft AppLocale
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Office 32-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 32-bit MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Outlook Hotmail Connector 64-bit
Microsoft ReportViewer 2010 Redistributable
Microsoft Silverlight
Microsoft SkyDrive
Microsoft SQL Server 2008 R2 (64-bit)
Microsoft SQL Server 2008 R2 Native Client
Microsoft SQL Server 2008 R2 RsFx Driver
Microsoft SQL Server 2008 R2 Setup (English)
Microsoft SQL Server 2008 Setup Support Files 
Microsoft SQL Server Browser
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Windows Application Compatibility Database
Microsoft_VC80_ATL_x86
Microsoft_VC80_ATL_x86_x64
Microsoft_VC80_CRT_x86
Microsoft_VC80_CRT_x86_x64
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFC_x86_x64
Microsoft_VC80_MFCLOC_x86
Microsoft_VC80_MFCLOC_x86_x64
Microsoft_VC90_ATL_x86
Microsoft_VC90_ATL_x86_x64
Microsoft_VC90_CRT_x86
Microsoft_VC90_CRT_x86_x64
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFC_x86_x64
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB2758694)
MSXML 4.0 SP3 Parser (KB973685)
Norton 360
O&O SafeErase Professional
Office Tab
Office Tab Free Edition (64-bit)
PDF Settings CS5
PowerISO
Quicken 2013
Realtek High Definition Audio Driver
Security Update for Microsoft Excel 2010 (KB2826033) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2760781) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 64-Bit Edition
Security Update for Microsoft Outlook 2010 (KB2837597) 64-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition
Service Pack 2 for SQL Server 2008 R2 (KB2630458) (64-bit)
SQL Server 2008 R2 Database Engine Services
SQL Server 2008 R2 Management Studio
SQL Server 2008 R2 SP2 Common Files
SQL Server 2008 R2 SP2 Database Engine Services
SQL Server 2008 R2 SP2 Database Engine Shared
Sql Server Customer Experience Improvement Program
SumatraPDF
swMSM
thinkorswim from TD AMERITRADE
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
TurboTax 2011
TurboTax 2011 wctiper
TurboTax 2011 WinPerFedFormset
TurboTax 2011 WinPerReleaseEngine
TurboTax 2011 WinPerTaxSupport
TurboTax 2011 wrapper
TurboTax 2012
TurboTax 2012 wctiper
TurboTax 2012 WinPerFedFormset
TurboTax 2012 WinPerReleaseEngine
TurboTax 2012 WinPerTaxSupport
TurboTax 2012 wrapper
Ultimate Reference Suite
Update for Microsoft Access 2010 (KB2553446) 64-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 64-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2589298) 64-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 64-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 64-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 64-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 64-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 64-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 64-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 64-Bit Edition
Update for Microsoft Office 2010 (KB2826026) 64-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 64-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 64-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 64-Bit Edition
Update for Microsoft Word 2010 (KB2827323) 64-Bit Edition
USB-Shield program (Feitian)
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Language Selector
WinRAR 4.00 (64-bit)
Xilisoft Video Converter Ultimate
μTorrent
中国工商银行防钓鱼软件
中国建设银行E路护航网银安全组件 1.0.2.14
同花顺(v8.20.54 Build 2013.2.04)
腾讯QQ2012
.
==== Event Viewer Messages From Past Week ========
.
11/30/2013 8:47:17 AM, Error: Service Control Manager [7000]  - The Office 64 Source Engine service failed to start due to the following error:  The system cannot find the file specified.
11/30/2013 8:08:44 AM, Error: Service Control Manager [7000]  - The DgiVecp service failed to start due to the following error:  The system cannot find the device specified.
11/30/2013 12:32:23 AM, Error: Service Control Manager [7000]  - The Windows Search service failed to start due to the following error:  The system cannot find the file specified.
11/30/2013 12:30:07 AM, Error: Service Control Manager [7001]  - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error:  The operation completed successfully.
11/30/2013 12:30:07 AM, Error: Service Control Manager [7001]  - The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:  The dependency service or group failed to start.
11/30/2013 12:30:02 AM, Error: Service Control Manager [7001]  - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/30/2013 1:57:29 AM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
11/30/2013 1:08:44 AM, Error: Service Control Manager [7022]  - The Windows Update service hung on starting.
11/29/2013 7:53:34 AM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
11/29/2013 7:52:54 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD BHDrvx64 ccSet_N360 CSC DfsC discache eeCtrl icbckeyflt2 IDSVia64 NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr SRTSPX SymIM SymIRON SymNetS tdx vwififlt Wanarpv6 WfpLwf ws2ifsl
11/29/2013 7:52:53 AM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
11/29/2013 7:52:53 AM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
11/29/2013 7:52:53 AM, Error: Service Control Manager [7001]  - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
11/29/2013 7:52:53 AM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
11/29/2013 7:52:53 AM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
.
==== End Of File ===========================


#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:54 PM

Posted 30 November 2013 - 11:41 AM



Hello SnowballBlack

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 SnowballBlack

SnowballBlack
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 30 November 2013 - 02:18 PM

Good afternoon, Gringo,

Really appreciate your help.

Above (post #2) were what I'd done with AdwCleaner and JRT sequentially. Now I am posting the redo results under your instructions. It is good to see they are cleaner.

[x64] HKLM\SOFTWARE\IB Updater is a trusted reg entry, so I did not delete it.

By the way, FYI: ComboFix and DDS are incompatible with Win 8.1 (my other PC's OS).

# AdwCleaner v3.013 - Report created 30/11/2013 at 13:57:51
# Updated 24/11/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Acerr - ACERR-PC
# Running from : G:\SUS\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
[x] Not Deleted : [x64] HKLM\SOFTWARE\IB Updater
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16428
 
 
-\\ Google Chrome v29.0.1547.66
 
[ File : C:\Users\Acerr\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [5009 octets] - [30/11/2013 00:06:58]
AdwCleaner[R1].txt - [1001 octets] - [30/11/2013 13:53:03]
AdwCleaner[R2].txt - [1061 octets] - [30/11/2013 13:56:16]
AdwCleaner[S0].txt - [5132 octets] - [30/11/2013 00:11:32]
AdwCleaner[S1].txt - [986 octets] - [30/11/2013 13:57:51]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1045 octets] ##########
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Ultimate x64
Ran by Acerr on 11/30/2013 Sat at 14:03:51.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11/30/2013 Sat at 14:10:17.01
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:54 PM

Posted 30 November 2013 - 08:22 PM


Hello SnowballBlack

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#14 SnowballBlack

SnowballBlack
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 30 November 2013 - 09:19 PM

Hi, Gringo,

Here is the log from ComboFix. There was no problem running the program. Norton 360 had to be turned off as required by ComboFix. It went through 50 projects in solving the problem. I have no knowledge to interpret the log and figure out the impacts. This program modifies the hosts file, so if one needs to excise 127.0.0.1 in the hosts file, one should back it up first before running it.

I did see the computer shut down fast. Previously I always needed one more click to force it to shut down, as a ghost program continued running. That made me believe there was spyware infecting the machine. I also saw it start faster. But an associated symptom is still there: the machine needs more minutes to be ready to perform. I mean, as Windows starts up, the HD is running very busily. You cannot open any apps (e.g., browser or Office). I also notice it uses the HD more than my other computer does. Sometimes I have to stop rundll32 to make an app open. I usually blame processes like SearchIndexer.exe, SearchProtocolHost.exe and SearchFilterHost.exe for causing the intolerable slowness. Unfortunately there is no way I can remove the files, and I might need them to find stuff faster on my HD.

I would be very delighted to hear your suggestions.

ComboFix 13-11-27.01 - Acerr 0/2013 Sat  20:35:43.6.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.936.86.1033.18.5815.4108 [GMT -5:00]
执行位置: c:\users\Acerr\Desktop\ComboFix.exe
Command switches used :: c:\users\Acerr\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   被删除的档案   )))))))))))))))))))))))))))))))))))))))))))))))))  Deleted files ( I am Chinese origin, so no problem to read)
.
.
c:\users\Acerr\Favorites\Downloads\Stock trading books and notes\技术分析技巧\Desktop_.ini
.
.
(((((((((((((((((((((((((  2013-10-28 至 2013-11-30 的新的档案  )))))))))))))))))))))))))))))))  new files from 2013-10-28 to 2013-11-30
.
.
2013-11-30 20:48 . 2013-11-30 20:48 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-11-30 20:48 . 2013-11-30 20:48 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-11-30 20:48 . 2013-11-30 20:48 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2013-11-30 20:48 . 2013-11-30 20:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-30 20:48 . 2013-11-30 20:48 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2013-11-30 20:48 . 2013-11-30 20:48 -------- d-----w- c:\users\AppData\AppData\Local\temp
2013-11-30 20:48 . 2013-11-30 20:48 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-11-30 20:48 . 2013-11-30 20:48 -------- d-----w- c:\users\Acerr\AppData\Local\temp
2013-11-30 18:47 . 2013-11-30 18:50 -------- d-----w- c:\program files (x86)\GUM4AC5.tmp
2013-11-30 18:02 . 2013-11-30 18:02 -------- d-----w- c:\program files\CCleaner
2013-11-30 07:32 . 2013-11-30 07:32 -------- d-----w- c:\programdata\Malwarebytes
2013-11-30 07:32 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-11-30 07:32 . 2013-11-30 07:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-11-30 05:21 . 2013-11-30 05:21 -------- d-----w- c:\windows\ERUNT
2013-11-30 05:06 . 2013-11-30 18:57 -------- d-----w- C:\AdwCleaner
2013-11-28 03:57 . 2013-11-28 03:58 -------- d-----w- C:\Sysinternals
2013-11-27 21:15 . 2013-11-27 21:15 -------- d-----w- c:\windows\Migration
2013-11-20 02:30 . 2013-09-28 01:09 497152 ----a-w- c:\windows\system32\drivers\afd.sys
2013-11-20 02:30 . 2013-10-05 20:25 1474048 ----a-w- c:\windows\system32\crypt32.dll
2013-11-20 02:30 . 2013-10-05 19:57 1168384 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-11-20 02:28 . 2013-10-04 02:24 1930752 ----a-w- c:\windows\system32\authui.dll
2013-11-20 02:28 . 2013-10-04 01:56 1796096 ----a-w- c:\windows\SysWow64\authui.dll
2013-11-20 02:28 . 2013-10-04 02:28 190464 ----a-w- c:\windows\system32\SmartcardCredentialProvider.dll
2013-11-20 02:28 . 2013-10-04 02:25 197120 ----a-w- c:\windows\system32\credui.dll
2013-11-20 02:28 . 2013-10-04 01:58 152576 ----a-w- c:\windows\SysWow64\SmartcardCredentialProvider.dll
2013-11-20 02:28 . 2013-10-04 01:56 168960 ----a-w- c:\windows\SysWow64\credui.dll
2013-11-20 02:26 . 2013-09-25 01:58 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2013-11-20 02:26 . 2013-09-25 01:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2013-11-20 02:26 . 2013-09-25 01:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll
2013-11-20 02:26 . 2013-09-25 01:56 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll
2013-11-19 14:20 . 2013-10-03 02:23 404480 ----a-w- c:\windows\system32\gdi32.dll
2013-11-19 14:20 . 2013-10-03 02:00 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   在三个月内被修改的档案   )))))))))))))))))))))))))))))))))))))))))))))))))))) Modified files within last 3 months
.
2013-11-30 18:47 . 2013-03-05 15:05 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-11-30 18:47 . 2013-03-05 15:05 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-11-20 02:37 . 2010-07-02 20:55 82896128 ----a-w- c:\windows\system32\MRT.exe
2013-11-06 01:34 . 2013-02-05 05:40 184888 ----a-w- c:\windows\SysWow64\drivers\QQProtect.sys
2013-10-18 21:48 . 2013-10-18 21:48 108968 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-10-18 21:48 . 2013-10-18 21:49 312744 ----a-w- c:\windows\system32\javaws.exe
2013-10-18 21:48 . 2013-10-18 21:48 189352 ----a-w- c:\windows\system32\javaw.exe
2013-10-18 21:48 . 2013-10-18 21:48 189352 ----a-w- c:\windows\system32\java.exe
2013-10-18 21:44 . 2013-10-18 21:45 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-14 23:00 . 2013-01-25 08:07 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
2013-09-12 02:21 . 2013-09-12 02:21 863344 ----a-w- c:\windows\SysWow64\msvcr110_clr0400.dll
2013-09-12 02:21 . 2013-09-12 02:21 501872 ----a-w- c:\windows\SysWow64\msvcp110_clr0400.dll
2013-09-12 02:21 . 2013-09-12 02:21 28776 ----a-w- c:\windows\SysWow64\aspnet_counters.dll
2013-09-12 02:21 . 2013-09-12 02:21 18000 ----a-w- c:\windows\SysWow64\msvcr100_clr0400.dll
2013-09-12 00:39 . 2013-09-12 00:39 855664 ----a-w- c:\windows\system32\msvcr110_clr0400.dll
2013-09-12 00:39 . 2013-09-12 00:39 614000 ----a-w- c:\windows\system32\msvcp110_clr0400.dll
2013-09-12 00:39 . 2013-09-12 00:39 30312 ----a-w- c:\windows\system32\aspnet_counters.dll
2013-09-12 00:39 . 2013-09-12 00:39 18000 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2013-09-08 02:30 . 2013-10-12 14:24 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:27 . 2013-10-12 14:24 327168 ----a-w- c:\windows\system32\mswsock.dll
2013-09-08 02:03 . 2013-10-12 14:24 231424 ----a-w- c:\windows\SysWow64\mswsock.dll
2013-09-05 16:50 . 2013-09-05 16:50 0 ----a-w- c:\windows\SysWow64\nshF4A2.tmp
2013-09-05 16:50 . 2013-09-05 16:50 0 ----a-w- c:\windows\system32\nssF4E2.tmp
2013-09-04 12:12 . 2013-10-14 20:12 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-09-04 12:11 . 2013-10-14 20:12 325120 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-09-04 12:11 . 2013-10-14 20:12 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-09-04 12:11 . 2013-10-14 20:12 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-09-04 12:11 . 2013-10-14 20:12 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-09-04 12:11 . 2013-10-14 20:12 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2013-09-04 12:11 . 2013-10-14 20:12 7808 ----a-w- c:\windows\system32\drivers\usbd.sys
2012-05-04 07:04 . 2012-05-04 07:04 2174976 ----a-w- c:\program files (x86)\Common Files\atimpenc.dll
.
.
(((((((((((((((((((((((((((((((((((((   重要登入点   )))))))))))))))))))))))))))))))))))))))))))))))))) Important entries 
.
.
*注意* 空白与合法缺省登录将不会被显示  "Notice" Blank and legitimate default login will not be displayed 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-04-26 06:50 208096 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-04-26 06:50 208096 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-04-26 06:50 208096 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToolboxFX"="c:\program files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" [BU]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
"InterPass3000_ICBC"=c:\program files (x86)\ICBCEbankTools\Feitian-InterPass3000\certd_nps3000_ICBC.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppdbulkio.sys;c:\windows\SYSNATIVE\drivers\hppdbulkio.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTL8192cu;300Mbps Wireless USB Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8192cu.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 usbrndis6;USB RNDIS6 Adapter;c:\windows\system32\DRIVERS\usb80236.sys;c:\windows\SYSNATIVE\DRIVERS\usb80236.sys [x]
R4 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [x]
R4 HZ_CommSrv64;HDZB Comm Service 64 For V2.0;c:\windows\system32\HZ_CommSrv64.exe;c:\windows\SYSNATIVE\HZ_CommSrv64.exe [x]
R4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R4 ICBC Daemon Service;ICBC Daemon Service;c:\program files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\IcbcDaemon_64.exe;c:\program files (x86)\ICBCEbankTools\ICBCAntiPhishing\ICBC_WIN64\IcbcDaemon_64.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys;c:\windows\SYSNATIVE\DRIVERS\RsFx0150.sys [x]
R4 RsFx0153;RsFx0153 Driver;c:\windows\system32\DRIVERS\RsFx0153.sys;c:\windows\SYSNATIVE\DRIVERS\RsFx0153.sys [x]
R4 RsMgrSvc;Rsd Service;c:\program files (x86)\Rising\RSD\RsMgrSvc.exe;c:\program files (x86)\Rising\RSD\RsMgrSvc.exe [x]
R4 RsRavMon;Rav Service;c:\program files (x86)\Rising\RAV\RavMonD.exe;c:\program files (x86)\Rising\RAV\RavMonD.exe [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE;c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
R4 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R4 WDMonitorCCB;WatchData ccb V3.2;c:\windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe;c:\windows\SysWOW64\WatchData\Watchdata CCB OCL CSP v3.2\WDKeyMonitorCCB.exe [x]
R4 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe;c:\windows\SYSNATIVE\inetsrv\wmsvc.exe [x]
R9 SjtWinIo;SJT I/O Driver   ;c:\windows\system32\DRIVERS\SjtWinIo.sys;c:\windows\SYSNATIVE\DRIVERS\SjtWinIo.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\1404000.028\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1404000.028\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\1404000.028\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1404000.028\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\BASHDefs\20131114.001\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\BASHDefs\20131114.001\BHDrvx64.sys [x]
S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360x64\1404000.028\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\N360x64\1404000.028\ccSetx64.sys [x]
S1 icbckeyflt2;icbckeyflt2;c:\windows\icbckeyflt_64.sys;c:\windows\icbckeyflt_64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\IPSDefs\20131128.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.1.22\Definitions\IPSDefs\20131128.001\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\1404000.028\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1404000.028\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\1404000.028\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\N360x64\1404000.028\SYMNETS.SYS [x]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe;c:\program files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe [x]
S2 ProtectorA;ProtectorA;c:\windows\system32\drivers\ProtectorA.sys;c:\windows\SYSNATIVE\drivers\ProtectorA.sys [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ   w3svc was
apphost REG_MULTI_SZ   apphostsvc
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
start [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-05 13:31 1177552 ----a-w- c:\program files (x86)\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
 ‘计划任务’ 文件夹 里的内容 Contents in the folder 'scheduled tasks' 
.
2013-11-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-05 18:47]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-04-26 06:50 232672 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-04-26 06:50 232672 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-04-26 06:50 232672 ----a-w- c:\users\Acerr\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll [BU]
.
------- 而外的扫描 ------- other scanning results 
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = localhost;127.0.0.1
uInternet Settings,ProxyServer = proxy.med.yale.edu:3128
Trusted Zone: 95599.cn\easyabc
Trusted Zone: 95599.cn\www
Trusted Zone: 95599.sh.cn\www
Trusted Zone: abchina.com
Trusted Zone: abchina.com\www
Trusted Zone: bankofchina.com\www
Trusted Zone: boc.cn\ebs
Trusted Zone: boc.cn\www
Trusted Zone: ccb.cn\b2b
Trusted Zone: ccb.com\*
Trusted Zone: ccb.com\www
Trusted Zone: ccb.com.cn
Trusted Zone: ccb.com.cn\*
Trusted Zone: ccb.com.cn\ca2
Trusted Zone: ccb.com.cn\ca3
Trusted Zone: ccb.com.cn\ibsbjstar
Trusted Zone: ccb.com.cn\mybank
Trusted Zone: cebbank.com
Trusted Zone: com.cn\*.cfca
Trusted Zone: icbc.com.cn
Trusted Zone: intuit.com\ttlc
Trusted Zone: java.com\www
Trusted Zone: webex.com\interactivebrokers
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
DPF: {04409CCE-49CD-43BE-A49A-BE004D94711D} - hxxps://vip.icbc.com.cn/icbc/icbc_ftusbkey.cab
DPF: {8BBD6F34-9815-4208-B375-30EEE148D8FF} - hxxps://ebs.boc.cn/BocnetClient/common/cab/JITDSign.cab
DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} - hxxps://vip.icbc.com.cn/icbc/newperbank/AxSafeControls.cab
DPF: {ABCAFD04-FB3B-47E8-A52A-BC5176186D19} - hxxps://vip.icbc.com.cn/icbc/icbc_ftdv.cab
DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} - hxxps://vip.icbc.com.cn/icbc/ICBC_NetSign.dll
DPF: {BC878AFA-767A-47D8-B61E-AD96F210833A} - hxxps://vip.icbc.com.cn/icbc/newperbank/icbcEnvCtrl.cab
DPF: {BEEE2807-1709-4184-A05D-1B2DE01EE4CF} - hxxps://www.cebbank.com/per/js/PowerEnter.CAB
DPF: {C391E12A-EAF1-45F1-8425-6E513C0D553C} - hxxps://pbank.95559.com.cn/personbank/ocx/x32.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:eb,11,58,e5,89,9b,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,b8,fd,15,65,7c,45,44,81,a4,73,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,b8,fd,15,65,7c,45,44,81,a4,73,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:4b,13,23,1c,6e,b7,4e,03,da,ef,b4,be,3f,01,21,95,cc,cb,2f,b3,db,
   c9,4a,14,f2,c8,96,e1,60,c1,30,3f,24,e7,e3,54,31,95,93,75,2b,fb,a5,98,21,d6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\-N齎鷁緥鰯L圗*飴*俀鰯塠hQ膥鯪塠艌z廭]
"DisplayName"="中国建设银行E路护航网银安全组件 1.0.2.14"
"UninstallString"="c:\\Program Files\\CCBComponents\\uninst.exe"
"DisplayIcon"="c:\\Program Files (x86)\\CCBComponents\\Detector\\index.ico"
"DisplayVersion"="1.0.2.14"
"URLInfoAbout"="http://www.ccb.com"
"Publisher"="China Construction Bank"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:4b,13,23,1c,6e,b7,4e,03,da,ef,b4,be,3f,01,21,95,cc,cb,2f,b3,db,
   c9,4a,14,f2,c8,96,e1,60,c1,30,3f,24,e7,e3,54,31,95,93,75,2b,fb,a5,98,21,d6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Management\YUCache\-N齎鷁緥鰯L圗*飴*俀鰯塠hQ膥鯪塠艌z廭]
"SlowInfoCache"=hex:6f,7b,d4,00,00,00,00,00,cc,1a,76,34,5f,1f,e4,40,64,a8,ec,
   30,5f,1f,e4,40,ff,ff,ff,ff,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Management\YUCache\'Yf擭2m *鷁L圦鰯]
"SlowInfoCache"=hex:fd,d2,0c,00,00,00,00,00,30,12,c8,2a,5f,1f,e4,40,3c,36,db,
   2a,5f,1f,e4,40,ff,ff,ff,ff,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
完成时间: 2013-11-30  20:52:00
ComboFix-quarantined-files.txt  2013-11-30 20:52
ComboFix2.txt  2013-11-30 21:00
.
Pre-Run: 123,387,797,504 bytes free
Post-Run: 123,067,899,904 bytes free
.
- - End Of File - - E8F28E96763E90A64408FEE0109A96AD


#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 November 2013 - 09:34 PM

Hello SnowballBlack

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[picture: CFScriptB-4.gif]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
