How to remove CBL blacklist due to Kelihos infection


  • This topic is locked
46 replies to this topic

#1 m618


Posted 16 September 2016 - 04:06 AM

Dear Sir,

 

Thank you in advance for helping out.

I am not sure if it is safe to reveal my complete ip address so I put some ***.

If it's needed I will send you in private or secured message.

 

My IP has been listed on the CBL (Spamhaus) blacklist since early August 2016.

I tried many things, in the order below:

1) Changed all mail accounts password.

2) Turned off mail server Open relay. 

3) Installed Kaspersky small office security to scan and deleted possible risky files (.dll .exe).

 

I delisted my IP three times, but it was relisted again.

The attached CBL lookup.pdf is the most recent CBL lookup from http://www.abuseat.org/.

 

Please instruct me on what to do next to clean up this Kelihos virus, and delist from CBL, thank you.

 

 

On 9/14/2016 I finally found a weird email, which shows one of our mail accounts (liao) is sending spam to itself!

Please see the three attached PDFs for more details.




#2 m618


Posted 17 September 2016 - 05:47 AM

Here is the most recent CBL lookup from http://www.abuseat.org/

 

IP Address 203.75.***.*** is listed in the CBL. It shows signs of being infected
with a spam sending trojan, malicious link or some other form of botnet.
 
It was last detected at 2016-09-14 10:00 GMT (+/- 30 minutes),
approximately 1 days, 22 hours, 30 minutes ago.
 
It has been relisted following a previous removal at 2016-09-08 02:37 GMT (8
days, 5 hours, 37 minutes ago)
 
This IP is infected (or NATting for a computer that is infected) with a spam-sending
botnet, most likely kelihos. In other words, it's participating in a botnet.
Cutwail is a complex infection and requires a number of steps to ensure that it's
eradicated.
 
First, cutwail spams out very high volumes, is one of the the largest vectors of
malware on the Internet, and almost every cutwail infection also has a copy of the
pushdo (DDOS by web transaction) malware and the zeus botnet. The zeus botnet
controls the cutwail/pushdo pair as well as does information stealing/keyboard
logging. Hence, this is a very severe threat - not just to the owner of the infected
computer, the other members of your internal network (if you have one) but the rest
of the Internet too.
 
Second, we have two methods for detecting cutwail. One of the methods is by
detecting the spams that cutwail sends. The other method does not work that way.
This means that even if you block outbound port 25 from non-mail-servers on your
local network, we can still detect a cutwail infection on your local network. This means
that if you implement port 25 restrictions, you should implement logging so that you
can detect what internal machines are being blocked by it and are thereby probably
cutwail infections.
 
If you simply remove the listing without ensuring that the infection is removed (or the
NAT secured), it will probably relist again.
 
This IP is infected (or NATting for a computer that is infected) with a
spam-sending infection. In other words, it's participating in a botnet. If you
simply remove the listing without ensuring that the infection is removed (or
the NAT secured), it will probably relist again.
 
How to resolve future problems and prevent relisting
 
Norton Power Eraser is a free tool and doesn't require installation. It just
needs to be downloaded and run. One of our team has tested the tool with
Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up
the system in each case. It probably works with many other infections.
Is this IP address a NAT gateway/firewall/router? In other words, is this IP
address shared with other computers? See NAT for further information about
NATs and how to secure them.
 
If this IP address is shared with other computers, only the administrator of this
IP address can prevent this happening again by following the instructions
in NAT to secure the NAT against future infections. In this way, no matter how
badly infected the network behind the NAT is, the network can't spam the 
Internet. The administrator can also refer to Advanced BOT detection for hints
and tips on how to find the infected computer behind a NAT.
What affect is this listing having on you?
 
The CBL is intended to be used only on inbound email from the Internet.
If you are being blocked from IRC, Chat, web sites, web email interfaces (eg:
you're using Internet Explorer or Firefox to send email) or anything other than
basic email with a mail reader like Exchange, Thunderbird etc, the provider of
this service is using the CBL against our recommendations. Contact the
provider and refer them to http://www.abuseat.org/tandc.html and refer them
to item 2 and 7.
 
If you are an end user: If you get an immediate popup indicating your email
was blocked when you attempt to send email, this means one of two things:
• You aren't using your provider's preferred configuration for sending email.
This is most frequent with roaming users (eg: you're using an Internet Cafe,
and are using your home provider to send email). A provider will normally give
you instructions on how your mail reader should authenticate to their mail
servers, perhaps on a different port (usually 587). Make sure that you comply
with the provider's instructions on mail reader configuration where it refers to
"SMTP relay server", "SMTP authentication" etc.
 
• If you are complying with your provider's instructions, your provider is
violating the CBL Terms and Conditions and blocking their own users. Contact
your provider and refer them to http://www.abuseat.org/tandc.html and refer
them to item 6 and 7.
 
If you get the blocking email message by return email (instead of by immediate
popup), your provider is listed in the CBL, not you. Contact your provider and
tell them that their IP address is listed by the CBL.
Note that the CBL is not responsible for how providers misuse the CBL. This is
their problem, not ours.
 
If your IP address changes periodically (such as with reconnecting to your
provider, connecting through an Internet Cafe etc), this is usually a dynamic
(DHCP) IP address, meaning that it's most likely not you that is infected. As
above, make sure that your mail reader is configured correctly as per your
provider. In this case, delisting the IP address will probably not do anything 
useful.
 
If this listing is of an unshared IP address, and the affected access is email,
then, the computer corresponding to this IP address at time of detection (see
above) is infected with a spambot, or, if it's a mail server, in some rare cases
this can be a severe misconfiguration or bug.
 
The first step is to run at least one (preferably more) reputable
anti-spam/spyware tools on your computer. If you're lucky, one of them will
find and remove the infection.
 
If you are unable to find it using anti-virus tools, you may want to take a close
look at the discussions of netstat or tcpview in the "Per-machine methods"
section of Finding BOTs in a LAN.
 
If the above does not help, you may have to resort to taking your computer to a
computer dealer/service company and have them clean it.
If all else fails, you may need to have your machine's software re-installed from
scratch.
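The CBL text above recommends two things that are easy to automate: log the outbound port-25 attempts your gateway blocks so you can see which LAN hosts are behaving like spambots, and, on a suspect machine, use netstat to find which process owns the SMTP connections. The script below is an added example, not code from CBL, BleepingComputer or the thread's author. The firewall log lines and netstat rows are constructed in an iptables-style and `netstat -ano`-style format for illustration, and the address 172.16.1.25 is assumed to be the site's only legitimate mail server.

```python
"""Spot spambot candidates behind a NAT from gateway logs and netstat output.

Added example (not the thread's or CBL's code).  Log formats and addresses
below are constructed; adjust LOG_RE and ALLOWED_MAIL_SERVERS to your site.
"""
import re
from collections import defaultdict

# Assumption: the only LAN host permitted to send SMTP directly to the
# Internet.  Any other internal source hitting TCP/25 is a bot candidate.
ALLOWED_MAIL_SERVERS = {"172.16.1.25"}

# iptables-style LOG record from a NAT gateway that blocks outbound SMTP
# from non-mail-servers (constructed format).
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+).*?"
    r"PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one host (172.16.1.57) is fanning out to many MX hosts,
# one host made a single attempt, the mail server is allowed, and one line
# is ordinary HTTPS traffic that must be ignored.
SAMPLE_FW_LOG = """\
Sep 14 09:58:01 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=172.16.1.57 DST=198.51.100.10 PROTO=TCP SPT=49172 DPT=25
Sep 14 09:58:02 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=172.16.1.57 DST=198.51.100.11 PROTO=TCP SPT=49173 DPT=25
Sep 14 09:58:02 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=172.16.1.57 DST=203.0.113.7 PROTO=TCP SPT=49174 DPT=25
Sep 14 09:58:05 gw kernel: SMTP-ALLOW IN=eth1 OUT=eth0 SRC=172.16.1.25 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=25
Sep 14 09:58:06 gw kernel: WEB IN=eth1 OUT=eth0 SRC=172.16.1.22 DST=198.51.100.80 PROTO=TCP SPT=52000 DPT=443
Sep 14 09:58:07 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=172.16.1.22 DST=198.51.100.12 PROTO=TCP SPT=52001 DPT=25
"""


def smtp_offenders(log_text, allowed=ALLOWED_MAIL_SERVERS, threshold=1):
    """Return {src_ip: (attempts, distinct_destinations)} for LAN hosts that
    tried outbound TCP/25 and are not on the allowed list.

    A high attempt count spread over many destinations is the usual spambot
    signature; `threshold` lets you drop one-off noise.
    """
    attempts = defaultdict(int)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue
        src = m.group("src")
        if src in allowed:
            continue
        attempts[src] += 1
        dests[src].add(m.group("dst"))
    return {src: (n, len(dests[src])) for src, n in attempts.items() if n >= threshold}


# Constructed `netstat -ano`-style rows from the suspect Windows host; the
# PID column is what lets you map a connection back to a process.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    172.16.1.57:49172      198.51.100.10:25       SYN_SENT        3120
  TCP    172.16.1.57:49173      198.51.100.11:25       SYN_SENT        3120
  TCP    172.16.1.57:50210      172.16.1.25:445        ESTABLISHED     4
  TCP    172.16.1.57:50300      203.0.113.9:443        ESTABLISHED     2088
"""


def smtp_pids(netstat_text):
    """Return {pid: connection_count} for processes talking to remote port 25."""
    counts = defaultdict(int)
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        remote, pid = parts[2], parts[4]
        # rsplit handles bracketed IPv6 remotes such as [2001:db8::1]:25 too
        if remote.rsplit(":", 1)[1] == "25":
            counts[pid] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, (n, d) in sorted(smtp_offenders(SAMPLE_FW_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{src}: {n} SMTP attempts to {d} distinct hosts")
    for pid, n in smtp_pids(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: {n} connections to remote port 25")
```

On a real gateway you would feed the syslog file to `smtp_offenders` and treat any host other than your mail server that appears with more than a handful of attempts as the machine to inspect; `smtp_pids` then narrows it to a process ID that Task Manager or TcpView can name.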


#3 m618


Posted 17 September 2016 - 06:08 AM

Attached is the result after running the RogueKiller free version.

(I couldn't upload the result directly onto the forum; it crashed several times when uploading.)




#4 Oh My!


Posted 20 September 2016 - 08:57 AM

Greetings m618 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your Desktop. <<< Important
  • Right click on the icon and select Rename
  • Rename the icon frstenglish.exe or frst64english.exe depending on your operating system
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log
  • System Summary Information

Edited by Oh My!, 20 September 2016 - 09:02 AM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 m618


Posted 21 September 2016 - 02:26 AM

Hi Gary,
 
You can call me Hetty. Thank you so much for responding.
Below I have posted according to your instruction. Hope I have done it correctly.
 
 
FRST.txt
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-09-2016
Ran by Administrator (administrator) on DC1 (21-09-2016 15:04:26)
Running from C:\Users\Administrator\Desktop
Loaded Profiles: hetti & Administrator (Available Profiles: User & hetti & 401a & 503a & 503b & 505a & 506a & 507a & 508a & 602a & 605a & 606a & 607a & 608a & 609a & 610a & 611a & 611b & 612a & 613a & 615a & 615b & 615c & 616a & 617a & 618a & 619a & 621a & 698a & liao & duke & Administrator)
Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) Language: 中文 (繁體,台灣)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\avp.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
() D:\SmartERP\DSCPatchAgent.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE
(TeamViewer GmbH) C:\Program Files (x86)\Teamviewer\Version7\TeamViewer_Service.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
() C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\avpui.exe
(TeamViewer GmbH) C:\Program Files (x86)\Teamviewer\Version7\TeamViewer.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.31.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.31.5\GoogleCrashHandler64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Centered Systems) C:\Program Files (x86)\Second Copy\SecCopy.exe
(© 2015 Microsoft Corporation) C:\Users\Administrator\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Borland Software Corporation) D:\SmartERP\s_dsbin\scktsrvr.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(GodEngine Technology Inc.) C:\Program Files (x86)\SkyATA-101\SkyATA-101.exe
(John Long Team.) D:\RaidenServer\RaidenMAILD\RaidenMAILD.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe
(TeamViewer GmbH) C:\Program Files (x86)\Teamviewer\Version7\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\Teamviewer\Version7\tv_x64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware-unity-helper.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe
(John Long Team.) D:\RaidenServer\RaidenMAILD\MAILDService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vprintproxy.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
() C:\Users\Administrator\Desktop\FSCapture_v53.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\FXSSVC.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\avpui.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(GodEngine Technology Inc.) C:\Program Files (x86)\SkyATA-101\SkyATA-101.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Administrator\Desktop\frst64english.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2014-05-28] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7575768 2014-05-14] (Realtek Semiconductor)
HKLM\...\Run: [IME14 CHT Setup] => C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEKLMG.EXE [110776 2015-10-13] (Microsoft Corporation)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2014-06-27] (Intel Corporation)
HKLM-x32\...\Run: [IME14 CHT Setup] => C:\Program Files (x86)\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE [81080 2015-10-13] (Microsoft Corporation)
HKLM-x32\...\Run: [vmware-tray.exe] => C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe [112856 2014-06-12] (VMware, Inc.)
HKLM-x32\...\Run: [] => 0
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2015-09-24] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2015-09-24] (Adobe Systems Inc.)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1298504 2014-11-08] (CANON INC.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM-x32\...\Run: [SkyATA-101] => C:\Program Files (x86)\SkyATA-101\SkyATA-101.exe [1503232 2016-05-04] (GodEngine Technology Inc.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\S-1-5-21-452594280-1839335267-1421973757-1014\...\Run: [GoogleChromeAutoLaunch_EFC9DD0F477D5535F572FED29EDD537D] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [967496 2016-09-14] (Google Inc.)
HKU\S-1-5-21-452594280-1839335267-1421973757-1014\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\S-1-5-21-452594280-1839335267-1421973757-500\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2014-10-30] (Google Inc.)
HKU\S-1-5-21-452594280-1839335267-1421973757-500\...\Run: [Second Copy] => C:\Program Files (x86)\Second Copy\SecCopy.exe [2387968 2007-10-17] (Centered Systems)
HKU\S-1-5-21-452594280-1839335267-1421973757-500\...\Run: [BingSvc] => C:\Users\Administrator\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-452594280-1839335267-1421973757-500\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29494400 2016-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-452594280-1839335267-1421973757-500\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [477696 2010-11-21] (Microsoft Corporation)
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> 
Lsa: [Notification Packages] scecli rassfm
GroupPolicyScripts: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{477C9AC1-BC70-42C0-9E0B-BDCFB1737503}: [NameServer] 172.16.1.3,168.95.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-452594280-1839335267-1421973757-1014\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.misumi.com.tw/
HKU\S-1-5-21-452594280-1839335267-1421973757-500\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
HKU\S-1-5-21-452594280-1839335267-1421973757-500\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
HKU\S-1-5-21-452594280-1839335267-1421973757-500\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
SearchScopes: HKU\S-1-5-21-452594280-1839335267-1421973757-1014 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-452594280-1839335267-1421973757-500 -> DefaultScope {9BD39880-B6A4-4229-9DC6-DF8A767AE0A3} URL = hxxp://www.google.com/search?hl=zh-tw&q={searchTerms}&rlz=1I7PLXB_zh-TWTW612
SearchScopes: HKU\S-1-5-21-452594280-1839335267-1421973757-500 -> {9BD39880-B6A4-4229-9DC6-DF8A767AE0A3} URL = hxxp://www.google.com/search?hl=zh-tw&q={searchTerms}&rlz=1I7PLXB_zh-TWTW612
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2015-02-23] (CANON INC.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-28] (Google Inc.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: FGCatchUrl -> {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} -> C:\Program Files (x86)\FlashGet\jccatch.dll [2007-08-06] (www.flashget.com)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2015-02-23] (CANON INC.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-08-13] (Oracle Corporation)
BHO-x32: Windows Live ID 登入協助程式 -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-28] (Google Inc.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-09-24] (Adobe Systems Incorporated)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-08-13] (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-09-24] (Adobe Systems Incorporated)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-28] (Google Inc.)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-09-24] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-28] (Google Inc.)
Toolbar: HKU\S-1-5-21-452594280-1839335267-1421973757-1014 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-452594280-1839335267-1421973757-1014 -> Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
Toolbar: HKU\S-1-5-21-452594280-1839335267-1421973757-500 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-452594280-1839335267-1421973757-500 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-28] (Google Inc.)
Toolbar: HKU\S-1-5-21-452594280-1839335267-1421973757-500 -> Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9005hjhq.default-1453692251509
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_162.dll [2016-09-14] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_162.dll [2016-09-14] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1212152.dll [2014-05-30] (Adobe Systems, Inc.)
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-08-13] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-08-13] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tracker-software.com/PDF-XChange Editor Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Tracker Software\PDF Editor\npPDFXEditPlugin.x86.dll [2014-10-28] (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll [No File]
FF Plugin HKU\S-1-5-21-452594280-1839335267-1421973757-500: @tracker-software.com/PDF-XChange Editor Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Tracker Software\PDF Editor\npPDFXEditPlugin.x86.dll [2014-10-28] (Tracker Software Products (Canada) Ltd.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np32dsw.dll [2008-08-06] (Adobe Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npcdt.dll [2005-12-16] (CDT Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npnul32.dll [2010-10-30] (mozilla.org)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFFICE.DLL [2007-03-23] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppl3260.dll [2008-09-11] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2014-10-29] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2014-10-29] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2014-10-29] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2014-10-29] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2014-10-29] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll [2013-03-06] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll [2005-10-30] (Apple Computer, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nprjplug.dll [2008-09-27] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nprpjplug.dll [2008-09-27] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np_gp.dll [2009-11-06] (NOS Microsystems Ltd.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npatgpc.dll [2015-06-24] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Users\Administrator\AppData\Roaming\mozilla\plugins\npatgpc.dll [2015-06-24] (Cisco WebEx LLC)
FF Extension: (Firefox Hotfix) - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9005hjhq.default-1453692251509\Extensions\firefox-hotfix@mozilla.org.xpi [2016-09-05]
FF Extension: (Skype Click to Call) - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2016-09-05] [not signed]
FF Extension: (Skype extension for Firefox) - C:\Program Files (x86)\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED} [2016-09-05] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2016-03-25] [not signed]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox-branding.js [2010-10-20]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox-l10n.js [2010-10-20]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox.js [2010-10-30]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\itms.js [2008-03-30]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\reporter.js [2010-10-20]
 
Chrome: 
=======
CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=zh-tw
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default [2016-09-21]
CHR Extension: (Google 投影片) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-06-24]
CHR Extension: (Google 文件) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-06-24]
CHR Extension: (Google 雲端硬碟) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-25]
CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-01]
CHR Extension: (Adblock Plus) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-09-01]
CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-25]
CHR Extension: (Google 試算表) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-06-24]
CHR Extension: (Google 文件離線版) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-29]
CHR Extension: (IE Tab) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd [2016-09-20]
CHR Extension: (Cisco WebEx Extension) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2015-06-24]
CHR Extension: (Chrome 線上應用程式商店付款系統) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-29]
CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-06-24]
CHR Extension: (Chrome Media Router) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-20]
CHR HKU\S-1-5-21-452594280-1839335267-1421973757-500\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-05-25]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVP15.0.2; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\avp.exe [194000 2016-04-01] (Kaspersky Lab ZAO)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1364096 2016-05-25] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1687680 2016-05-25] (Microsoft Corporation)
S2 dg623; C:\Windows\SysWOW64\dg623\dg623.dll [104816 2014-03-06] (MyDrivers.com)
S3 digiwinvnc_service; C:\DigiWinVNC\winvnc2.exe [2124800 2014-08-11] (UltraVNC) [File not signed]
R2 DSCPatchService; D:\SmartERP\DSCPatchAgent.exe [694656 2009-07-03] ()
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-14] (Microsoft Corporation)
R2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2012-06-01] (Microsoft Corporation)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-05-28] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [328296 2014-10-15] (Intel Corporation)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [84616 2013-06-28] ()
R2 ImeDictUpdateService; C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE [83312 2010-10-20] (Microsoft Corporation)
S2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2014-10-30] () [File not signed]
R3 MAILDSrv; D:\RaidenServer\RaidenMAILD\MAILDService.exe [9439416 2016-08-16] (John Long Team.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2014-04-28] (Hewlett-Packard) [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2014-04-28] (Hewlett-Packard) [File not signed]
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-14] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-14] (Microsoft Corporation)
R3 TermService; C:\Windows\System32\termsrv.dll [683520 2014-11-12] (Microsoft Corporation) [File not signed]
R2 vmware-converter-agent; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [480472 2014-06-10] (VMware, Inc.)
R2 vmware-converter-server; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [480472 2014-06-10] (VMware, Inc.)
R2 vmware-converter-worker; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [480472 2014-06-10] (VMware, Inc.)
R2 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [14407384 2014-06-12] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 DGPNPSEV; D:\SoftWare\DriverGenius2013\DgService.exe [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 bmdrvr; C:\Windows\SysWow64\drivers\bmdrvr.sys [75344 2013-02-22] (VMware, Inc.)
R0 cm_km_w; C:\Windows\System32\DRIVERS\cm_km_w.sys [247016 2016-04-01] (Kaspersky Lab UK Ltd)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2014-05-28] (Intel Corporation)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-11] (Intel Corporation)
S3 IPFirewallLite; C:\Windows\SysWOW64\drivers\IPFWLite.sys [18827 2007-10-20] () [File not signed]
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD.sys [44744 2014-02-03] ()
R0 KAVBootC; C:\Windows\System32\drivers\kavbootc64.sys [31848 2014-03-29] (Kingsoft Corporation)
R0 KAVBootC; C:\Windows\SysWOW64\drivers\kavbootc64.sys [31848 2014-03-29] (Kingsoft Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [478392 2016-04-01] (Kaspersky Lab ZAO)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [64368 2016-04-01] (Kaspersky Lab ZAO)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [159960 2016-04-01] (Kaspersky Lab ZAO)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [237480 2016-09-05] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [843696 2016-09-05] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [49240 2016-09-05] (AO Kaspersky Lab)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [24944 2016-04-01] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [65208 2016-04-01] (Kaspersky Lab ZAO)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [89272 2016-04-01] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [190648 2016-04-01] (Kaspersky Lab ZAO)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 mv2; C:\Windows\System32\DRIVERS\mv2.sys [12904 2011-03-18] (UVNC BVBA)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
R0 RAMDiskVE; C:\Windows\System32\Drivers\RAMDiskVE.sys [86768 2014-10-29] (Dataram, Inc.)
S3 RTL8023x64; C:\Windows\System32\DRIVERS\Rtnic64.sys [51712 2009-06-11] (Realtek Semiconductor Corporation                           )
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-14] (Microsoft Corporation)
R3 SrvHsfPCIe; C:\Windows\System32\DRIVERS\VSTBS36.SYS [287744 2009-06-11] (Conexant Systems, Inc.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2016-09-17] ()
R2 VMparport; C:\Windows\system32\drivers\VMparport.sys [32472 2014-06-12] (VMware, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [73296 2013-10-08] (VMware, Inc.)
R2 vstor2-mntapi20-shared; C:\Windows\SysWow64\drivers\vstor2-mntapi20-shared.sys [33872 2013-02-22] (VMware, Inc.)
S3 ALSysIO; \??\C:\Users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys [X]
S2 DgSafe; \??\C:\Windows\system32\drivers\DgSafe.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVCx32: dg623 -> C:\Windows\SysWOW64\dg623\dg623.dll (MyDrivers.com)
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-21 15:04 - 2016-09-21 15:04 - 00000000 ____D C:\FRST
2016-09-21 10:29 - 2016-09-21 10:29 - 00000000 ____D D:\Users\hetti\AppData\Local\{CA3B05A6-C03A-4694-975D-5372F5F20639}
2016-09-20 13:26 - 2016-09-20 13:27 - 00000000 ____D D:\Users\liao\AppData\Local\{9DBC9929-9CDF-4CB7-A67B-692CB94F99A6}
2016-09-20 08:55 - 2016-09-20 08:55 - 00000000 ____D D:\Users\hetti\AppData\Local\{A321431E-4E51-4307-B7D6-B9E60A64E1BA}
2016-09-20 08:54 - 2016-09-20 08:54 - 00000118 _____ C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-09-20 08:26 - 2016-09-20 08:27 - 00241952 _____ C:\Windows\ntbtlog.txt
2016-09-19 19:59 - 2016-09-19 19:59 - 00000000 ____D D:\Users\hetti\AppData\Local\{1E29E90E-3FF3-4309-8AFE-A945D6F15A8E}
2016-09-19 12:07 - 2016-09-19 12:07 - 00000000 ____D D:\Users\liao\AppData\Local\{4E056E11-4ADC-45AD-B10E-A429D361C308}
2016-09-19 00:06 - 2016-09-19 00:06 - 00000000 ____D D:\Users\liao\AppData\Local\{08B83F9B-6D5C-40C5-A4F3-410685766121}
2016-09-18 12:06 - 2016-09-18 12:06 - 00000000 ____D D:\Users\liao\AppData\Local\{E9895EF0-681F-4EC3-B198-41DE8B6515B4}
2016-09-18 00:06 - 2016-09-18 00:06 - 00000000 ____D D:\Users\liao\AppData\Local\{7885933C-D223-4D50-8294-C709F782D46D}
2016-09-17 17:57 - 2016-09-17 17:57 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-09-17 17:56 - 2016-09-17 19:07 - 00000000 ____D C:\Program Files\RogueKiller
2016-09-17 17:56 - 2016-09-17 17:56 - 00000000 ____D C:\ProgramData\RogueKiller
2016-09-17 17:56 - 2016-09-17 17:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2016-09-17 12:05 - 2016-09-17 12:05 - 00000000 ____D D:\Users\liao\AppData\Local\{83840BDC-7760-4182-B5BB-5BFB6D1E7379}
2016-09-17 00:05 - 2016-09-17 00:05 - 00000000 ____D D:\Users\liao\AppData\Local\{90AC039A-6539-4BDA-A3DB-25BDF78487D7}
2016-09-16 21:30 - 2016-09-16 21:30 - 00000000 ____D D:\Users\612a\Tracing
2016-09-16 21:30 - 2016-09-16 21:30 - 00000000 ____D D:\Users\612a\AppData\Roaming\Skype
2016-09-16 19:14 - 2016-09-16 20:11 - 00000116 _____ D:\Users\hetti\Desktop\blacklist.txt
2016-09-16 16:23 - 2015-11-09 17:05 - 00000000 ____D D:\Users\hetti\Desktop\RogueKillerPortable
2016-09-16 16:17 - 2016-09-16 16:17 - 20270924 _____ D:\Users\hetti\Desktop\RogueKillerPortable_12.4.2_azo.exe
2016-09-16 15:49 - 2016-09-16 15:49 - 00000000 ____D D:\Users\hetti\AppData\Local\{BEE5CBE3-F63E-4474-B3EA-0EA846B2607B}
2016-09-16 12:05 - 2016-09-16 12:05 - 00000000 ____D D:\Users\liao\AppData\Local\{5E2D760F-A910-4FDA-97CB-92F450585A00}
2016-09-16 00:05 - 2016-09-16 00:05 - 00000000 ____D D:\Users\liao\AppData\Local\{BF68DB1D-E4C4-4E06-B5AF-3B1AD8340416}
2016-09-15 12:04 - 2016-09-15 12:04 - 00000000 ____D D:\Users\liao\AppData\Local\{482253EE-03B8-44A9-84E5-A39CAE1D6038}
2016-09-15 00:04 - 2016-09-15 00:04 - 00000000 ____D D:\Users\liao\AppData\Local\{2F064379-0F51-451D-8C00-E5C2B55761FC}
2016-09-14 14:17 - 2016-09-14 14:17 - 00087768 _____ D:\Users\hetti\Desktop\體育賽事線上報名網.pdf
2016-09-14 14:16 - 2016-09-16 18:31 - 00000726 _____ D:\Users\hetti\Desktop\123.txt
2016-09-14 13:55 - 2016-09-14 13:55 - 00170675 _____ D:\Users\hetti\Desktop\2016 Autum class.pdf
2016-09-14 12:02 - 2016-09-14 12:03 - 00000000 ____D D:\Users\liao\AppData\Local\{465F3F7F-626A-4854-9707-17B157997B7C}
2016-09-14 11:03 - 2016-09-14 11:03 - 00121486 _____ D:\Users\hetti\Desktop\paypal list.pdf
2016-09-14 09:57 - 2016-09-14 09:57 - 00975380 _____ D:\Users\hetti\Desktop\104加值產品委託單.pdf
2016-09-14 08:55 - 2016-09-14 08:55 - 00000000 ____D D:\Users\hetti\AppData\Local\{6C1CC0CD-7E45-4D10-9714-A989AC64667E}
2016-09-13 16:17 - 2016-09-13 16:17 - 04931468 _____ D:\Users\hetti\Desktop\dyson.pdf
2016-09-13 09:11 - 2016-09-13 09:11 - 00000000 ____D D:\Users\hetti\AppData\Local\{C285F963-1545-4626-94C4-19212C3DC304}
2016-09-12 14:39 - 2016-09-12 14:39 - 00000104 _____ D:\Users\hetti\Desktop\mail log.txt
2016-09-12 14:00 - 2016-09-12 14:00 - 00696427 _____ D:\Users\hetti\Desktop\1609026 CARRAY.pdf
2016-09-12 10:57 - 2016-09-12 10:57 - 00000000 ____D D:\Users\hetti\AppData\Local\{E6D2B9AE-6162-4255-B330-AD4BD67F0E91}
2016-09-10 09:13 - 2016-09-10 09:13 - 00000000 ____D D:\Users\hetti\AppData\Local\{2266C568-5504-41F4-BBDA-EF3C07298A94}
2016-09-09 11:53 - 2016-09-09 11:55 - 00000161 _____ D:\Users\hetti\Desktop\8600033昆明信諾萊.txt
2016-09-09 09:34 - 2016-09-09 09:34 - 00000000 ____D D:\Users\hetti\AppData\Local\{957E31C4-06A5-485F-A7B9-ED2EB81D63A4}
2016-09-09 09:31 - 2016-09-09 13:51 - 00000010 _____ D:\Users\hetti\Desktop\allsent.txt
2016-09-08 16:28 - 2016-09-08 16:28 - 00000000 ____D D:\Users\hetti\AppData\Local\{BDBA1B9B-4633-45A9-A96B-1F3673B66B5E}
2016-09-08 12:40 - 2016-09-08 12:40 - 00000000 ____D D:\Users\609a\Tracing
2016-09-08 12:40 - 2016-09-08 12:40 - 00000000 ____D D:\Users\609a\AppData\Roaming\Skype
2016-09-07 08:35 - 2016-09-07 08:35 - 00000000 ____D D:\Users\hetti\AppData\Local\{51457544-7A82-4FB4-AA9A-F311A13BD913}
2016-09-06 09:48 - 2016-09-06 09:48 - 00207906 _____ D:\Users\hetti\Desktop\億君電腦Kaspersky報價.pdf
2016-09-06 09:15 - 2016-09-06 09:15 - 00000000 ____D D:\Users\hetti\AppData\Local\{8B1F55CA-A143-4213-83DF-F921A6393066}
2016-09-05 14:48 - 2016-09-05 14:48 - 00000000 ____D D:\Users\hetti\AppData\Local\{79BA2E74-3B53-4E73-9122-7FE5327BCB5B}
2016-09-05 11:23 - 2016-09-08 16:56 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-09-05 11:06 - 2016-09-05 11:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Small Office Security
2016-09-05 11:06 - 2013-05-06 08:13 - 00110176 _____ (Kaspersky Lab ZAO) C:\Windows\system32\klfphc.dll
2016-09-05 11:05 - 2016-09-21 10:25 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2016-09-05 11:05 - 2016-09-05 11:21 - 00843696 _____ (Kaspersky Lab ZAO) C:\Windows\system32\Drivers\klif.sys
2016-09-05 11:05 - 2016-09-05 11:05 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab
2016-09-05 11:05 - 2016-04-01 23:42 - 00159960 _____ (Kaspersky Lab ZAO) C:\Windows\system32\Drivers\klflt.sys
2016-09-05 09:45 - 2016-09-05 09:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-09-02 15:14 - 2016-09-02 15:14 - 00000000 ____D D:\Users\hetti\AppData\Local\{394E9608-F668-4839-BEBD-6549635719BE}
2016-09-01 15:34 - 2016-09-01 15:34 - 00000000 ____D D:\Users\hetti\AppData\Local\{EEA37123-FC51-4754-99FC-671C6236A999}
2016-09-01 10:07 - 2016-09-01 10:07 - 00498832 _____ D:\Users\duke\AppData\Local\GDIPFONTCACHEV1.DAT
2016-09-01 10:07 - 2016-09-01 10:07 - 00000000 ____D D:\Users\duke\AppData\Roaming\.clamwin
2016-08-24 21:13 - 2016-08-24 21:13 - 00000000 ____D D:\Users\hetti\AppData\Local\{545E09DC-DC3D-4B75-BCD4-ABF6D7FEEA88}
2016-08-24 16:37 - 2016-08-24 16:45 - 00000159 _____ D:\Users\hetti\Desktop\徐經理.txt
2016-08-24 09:12 - 2016-08-24 09:12 - 00000000 ____D D:\Users\hetti\AppData\Local\{83F915D7-70D3-4F8E-915F-E9AF9592BB6D}
2016-08-23 18:21 - 2016-08-23 18:21 - 03818811 _____ D:\Users\hetti\Desktop\1.MISUMI 專案+工作日誌-20160823T102041Z.zip
2016-08-23 08:46 - 2016-08-23 08:46 - 00000000 ____D D:\Users\hetti\AppData\Local\{5183E88C-37BE-4EA5-9C6F-C4B5E780AD04}
2016-08-22 12:06 - 2016-07-07 23:36 - 01896168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2016-08-22 12:06 - 2016-07-07 23:36 - 00377576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2016-08-22 12:06 - 2016-07-07 23:36 - 00287976 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2016-08-22 12:06 - 2016-07-07 23:08 - 00046080 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpipreg.sys
2016-08-22 12:06 - 2016-07-01 23:31 - 00976896 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2016-08-22 12:06 - 2016-07-01 23:31 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\INETRES.dll
2016-08-22 12:06 - 2016-07-01 23:13 - 00741888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2016-08-22 12:06 - 2016-07-01 23:13 - 00084480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\INETRES.dll
2016-08-22 12:06 - 2016-07-01 22:56 - 00464896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2016-08-22 12:06 - 2016-07-01 22:56 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2016-08-22 12:06 - 2016-07-01 22:56 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2016-08-22 10:29 - 2016-08-22 10:29 - 00000000 ____D D:\Users\hetti\AppData\Local\{D15218A3-A20C-48CC-858E-1C9E69C38AB0}
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-21 15:02 - 2014-11-22 15:18 - 00000000 ____D D:\Users\hetti\AppData\Roaming\Skype
2016-09-21 14:52 - 2014-11-25 12:35 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-09-21 14:48 - 2014-10-29 06:44 - 00000542 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-21 14:47 - 2014-10-29 05:52 - 00000526 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-09-21 12:10 - 2014-11-18 18:06 - 00000476 _____ C:\Windows\Tasks\ShadowCopyVolume{ffc1dc39-825d-44b7-bc3d-41ba8e00bc87}.job
2016-09-21 10:25 - 2014-10-29 06:44 - 00000538 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-20 19:49 - 2015-05-20 20:52 - 00000000 ____D D:\Users\liao\AppData\Roaming\Skype
2016-09-20 16:54 - 2016-04-06 13:49 - 00000000 ____D D:\Users\liao\AppData\Local\Windows Live Writer
2016-09-20 16:35 - 2016-04-06 13:49 - 00000000 ____D D:\Users\liao\AppData\Roaming\Windows Live Writer
2016-09-20 08:39 - 2009-07-14 12:49 - 00027568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-09-20 08:39 - 2009-07-14 12:49 - 00027568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-09-20 08:38 - 2010-11-22 02:40 - 00435014 _____ C:\Windows\system32\prfh0404.dat
2016-09-20 08:38 - 2010-11-22 02:40 - 00140226 _____ C:\Windows\system32\prfc0404.dat
2016-09-20 08:38 - 2009-07-14 13:10 - 01425770 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-20 08:38 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\inf
2016-09-20 08:29 - 2014-10-30 08:54 - 00000000 ____D C:\ProgramData\VMware
2016-09-20 08:29 - 2009-07-14 13:06 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-20 08:04 - 2014-10-28 23:59 - 144199024 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-09-20 08:04 - 2014-10-28 23:59 - 00000000 ____D C:\Windows\system32\MRT
2016-09-19 19:50 - 2014-11-12 22:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-09-18 10:39 - 2016-04-06 13:53 - 00000000 ____D D:\Users\liao\.oracle_jre_usage
2016-09-17 17:51 - 2014-10-29 06:44 - 00002178 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-09-14 12:09 - 2014-12-25 08:05 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-09-14 02:47 - 2014-10-29 05:52 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-09-14 02:47 - 2014-10-29 05:52 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-09-14 02:47 - 2014-10-29 05:52 - 00003464 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-09-14 02:47 - 2014-10-29 05:52 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-09-14 02:47 - 2014-10-29 05:52 - 00000000 ____D C:\Windows\system32\Macromed
2016-09-08 11:22 - 2016-08-17 09:24 - 00000000 ____D C:\Program Files (x86)\ClamWin
2016-09-06 08:35 - 2016-01-29 09:52 - 00000000 ____D C:\IPCollect
2016-09-05 12:57 - 2014-12-02 15:32 - 00000000 ____D C:\DigiWinVNC
2016-09-05 12:57 - 2014-10-28 23:16 - 00000000 ____D C:\Windows\Winapp
2016-09-05 11:21 - 2016-04-01 23:42 - 00049240 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klim6.sys
2016-09-05 11:13 - 2014-10-29 05:43 - 00000000 ____D C:\ProgramData\Package Cache
2016-09-05 11:10 - 2016-04-01 23:42 - 00237480 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klhk.sys
2016-09-05 10:40 - 2014-11-06 15:43 - 00000000 ____D C:\ProgramData\Symantec
2016-09-05 09:45 - 2016-06-29 09:20 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-09-05 09:45 - 2014-11-18 21:27 - 00000000 ____D C:\ProgramData\Skype
2016-09-02 16:01 - 2014-11-21 13:55 - 00000000 ____D C:\ProgramData\CanonIJPLM
2016-08-24 16:46 - 2016-08-17 18:29 - 00156672 _____ D:\Users\hetti\Desktop\20160817最新密碼表.xlsx
2016-08-23 13:42 - 2014-10-28 23:15 - 00000000 ____D C:\Users\Administrator
2016-08-22 12:09 - 2016-08-17 17:26 - 00000610 ____H C:\Windows\Tasks\Norton Product InstallerIdle.job
2016-08-22 12:09 - 2014-12-16 17:06 - 00000576 __RSH C:\ProgramData\ntuser.pol
 
==================== Files in the root of some directories =======
 
2014-10-29 05:46 - 2014-10-29 05:50 - 0000021 _____ () C:\Users\Administrator\AppData\Roaming\fixcfg.ini
2016-08-17 17:40 - 2016-08-17 17:54 - 0893330 _____ () C:\Users\Administrator\AppData\Local\ars.cache
2016-08-17 17:40 - 2016-08-17 17:54 - 0860991 _____ () C:\Users\Administrator\AppData\Local\census.cache
2014-10-29 06:48 - 2014-10-29 06:48 - 0373222 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistMSI22BE.txt
2014-10-29 06:48 - 2014-10-29 06:48 - 0361042 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistMSI22E8.txt
2014-10-30 08:54 - 2014-10-30 08:54 - 0375396 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistMSI5146.txt
2014-10-30 08:54 - 2014-10-30 08:54 - 0372954 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistMSI514D.txt
2014-10-29 08:49 - 2014-10-29 08:49 - 0425808 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistMSI7EFF.txt
2014-10-29 08:49 - 2014-10-29 08:49 - 0439174 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistMSI7F0F.txt
2014-10-29 06:48 - 2014-10-29 06:48 - 0012394 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistUI22BE.txt
2014-10-29 06:48 - 2014-10-29 06:48 - 0012410 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistUI22E8.txt
2016-07-07 00:05 - 2016-07-07 00:05 - 0015076 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistUI3E36.txt
2014-10-30 08:54 - 2014-10-30 08:54 - 0011434 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistUI5146.txt
2014-10-30 08:54 - 2014-10-30 08:54 - 0011482 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistUI514D.txt
2014-10-29 08:49 - 2014-10-29 08:49 - 0015710 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistUI7EFF.txt
2014-10-29 08:49 - 2014-10-29 08:49 - 0015758 _____ () C:\Users\Administrator\AppData\Local\dd_vcredistUI7F0F.txt
2015-02-14 19:47 - 2015-02-14 19:47 - 0415198 _____ () C:\Users\Administrator\AppData\Local\dd_vstor40_lp_x64_chtMSI6D7B.txt
2015-02-14 19:47 - 2015-02-14 19:47 - 0020674 _____ () C:\Users\Administrator\AppData\Local\dd_vstor40_lp_x64_chtUI6D7B.txt
2015-02-14 19:47 - 2015-02-14 19:47 - 0824808 _____ () C:\Users\Administrator\AppData\Local\dd_vstor40_x64MSI6D6B.txt
2015-02-14 19:47 - 2015-02-14 19:47 - 0020822 _____ () C:\Users\Administrator\AppData\Local\dd_vstor40_x64UI6D6B.txt
2016-08-17 17:26 - 2016-08-17 17:26 - 0000036 _____ () C:\Users\Administrator\AppData\Local\housecall.guid.cache
2014-12-09 12:03 - 2014-12-09 12:03 - 0000017 _____ () C:\Users\Administrator\AppData\Local\resmon.resmoncfg
2014-11-24 14:53 - 2014-11-24 15:29 - 0000657 _____ () C:\ProgramData\hpzinstall.log
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-06-27 00:21
 
==================== End of FRST.txt ============================

 

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-09-2016
Ran by Administrator (21-09-2016 15:05:28)
Running from C:\Users\Administrator\Desktop
Windows Server 2008 R2 Standard Service Pack 1 (X64) (2014-10-28 15:12:57)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
401a (S-1-5-21-452594280-1839335267-1421973757-1015 - Limited - Enabled) => D:\Users\401a
503a (S-1-5-21-452594280-1839335267-1421973757-1016 - Limited - Enabled) => D:\Users\503a
503b (S-1-5-21-452594280-1839335267-1421973757-1017 - Limited - Enabled) => D:\Users\503b
505a (S-1-5-21-452594280-1839335267-1421973757-1018 - Limited - Enabled) => D:\Users\505a
506a (S-1-5-21-452594280-1839335267-1421973757-1019 - Limited - Enabled) => D:\Users\506a
507a (S-1-5-21-452594280-1839335267-1421973757-1020 - Limited - Enabled) => D:\Users\507a
508a (S-1-5-21-452594280-1839335267-1421973757-1021 - Limited - Enabled) => D:\Users\508a
600a (S-1-5-21-452594280-1839335267-1421973757-1058 - Limited - Enabled)
602a (S-1-5-21-452594280-1839335267-1421973757-1022 - Limited - Enabled) => D:\Users\602a
605a (S-1-5-21-452594280-1839335267-1421973757-1023 - Limited - Enabled) => D:\Users\605a
606a (S-1-5-21-452594280-1839335267-1421973757-1024 - Limited - Enabled) => D:\Users\606a
607a (S-1-5-21-452594280-1839335267-1421973757-1025 - Limited - Enabled) => D:\Users\607a
608a (S-1-5-21-452594280-1839335267-1421973757-1026 - Limited - Enabled) => D:\Users\608a
609a (S-1-5-21-452594280-1839335267-1421973757-1027 - Limited - Enabled) => D:\Users\609a
610a (S-1-5-21-452594280-1839335267-1421973757-1028 - Limited - Enabled) => D:\Users\610a
611a (S-1-5-21-452594280-1839335267-1421973757-1029 - Limited - Enabled) => D:\Users\611a
611b (S-1-5-21-452594280-1839335267-1421973757-1030 - Limited - Enabled) => D:\Users\611b
612a (S-1-5-21-452594280-1839335267-1421973757-1031 - Limited - Enabled) => D:\Users\612a
613a (S-1-5-21-452594280-1839335267-1421973757-1032 - Limited - Enabled) => D:\Users\613a
615a (S-1-5-21-452594280-1839335267-1421973757-1033 - Limited - Enabled) => D:\Users\615a
615b (S-1-5-21-452594280-1839335267-1421973757-1034 - Limited - Enabled) => D:\Users\615b
615c (S-1-5-21-452594280-1839335267-1421973757-1035 - Limited - Enabled) => D:\Users\615c
616a (S-1-5-21-452594280-1839335267-1421973757-1036 - Limited - Enabled) => D:\Users\616a
617a (S-1-5-21-452594280-1839335267-1421973757-1037 - Limited - Enabled) => D:\Users\617a
618a (S-1-5-21-452594280-1839335267-1421973757-1038 - Limited - Enabled) => D:\Users\618a
619a (S-1-5-21-452594280-1839335267-1421973757-1039 - Limited - Enabled) => D:\Users\619a
621a (S-1-5-21-452594280-1839335267-1421973757-1040 - Limited - Enabled) => D:\Users\621a
698a (S-1-5-21-452594280-1839335267-1421973757-1041 - Limited - Enabled) => D:\Users\698a
Administrator (S-1-5-21-452594280-1839335267-1421973757-500 - Administrator - Enabled) => C:\Users\Administrator
duke (S-1-5-21-452594280-1839335267-1421973757-1043 - Administrator - Enabled) => D:\Users\duke
Guest (S-1-5-21-452594280-1839335267-1421973757-501 - Limited - Disabled)
hetti (S-1-5-21-452594280-1839335267-1421973757-1014 - Limited - Enabled) => D:\Users\hetti
liao (S-1-5-21-452594280-1839335267-1421973757-1042 - Limited - Enabled) => D:\Users\liao
User (S-1-5-21-452594280-1839335267-1421973757-1000 - Administrator - Enabled) => C:\Users\User
___VMware_Conv_SA___ (S-1-5-21-452594280-1839335267-1421973757-1002 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
64 Bit HP CIO Components Installer (Version: 17.2.1 - Hewlett-Packard) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Acrobat Reader DC - Chinese Traditional (HKLM-x32\...\{AC76BA86-7AD7-1028-7B44-AC0F074E4100}) (Version: 15.017.20053 - Adobe Systems Incorporated)
Adobe Acrobat X Pro - ChineseT (HKLM-x32\...\{AC76BA86-1028-0000-7760-000000000005}) (Version: 10.1.16 - Adobe Systems)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 14.0.0.178 - Adobe Systems Incorporated)
Adobe Flash Player 23 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 23.0.0.162 - Adobe Systems Incorporated)
Adobe Flash Player 23 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 23.0.0.162 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.2.152 - Adobe Systems, Inc.)
Adobe Widget Browser (HKLM-x32\...\com.adobe.WidgetBrowser) (Version: 2.0 Build 348 - Adobe Systems Incorporated.)
Adobe® Content Viewer (HKLM-x32\...\com.adobe.dmp.contentviewer) (Version: 3.4.3 - Adobe Systems, Incorporated)
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
Canon Easy-WebPrint EX (HKLM-x32\...\Easy-WebPrint EX) (Version: 1.6.0.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: 1.1.5.14 - Canon Inc.)
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\...\CANONIJPLM100) (Version: 4.2.0 - Canon Inc.)
Canon MX470 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX470_series) (Version: 1.00 - Canon Inc.)
Canon MX470 series On-screen Manual (HKLM-x32\...\Canon MX470 series On-screen Manual) (Version: 7.6.1 - Canon Inc.)
Canon My Image Garden (HKLM-x32\...\Canon My Image Garden) (Version: 3.2.0 - Canon Inc.)
Canon My Image Garden Design Files (HKLM-x32\...\Canon My Image Garden Design Files) (Version: 3.2.0 - Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.2.1 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.6.0 - Canon Inc.)
Canon 快速撥號公用程式 (HKLM-x32\...\Speed Dial Utility) (Version: 1.6.0 - Canon Inc.)
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DSC Smart ERP Systems (HKLM-x32\...\{D55CA3A1-A7B8-4F8E-A6AC-3AC69C169117}) (Version: 8.2.0.0 - Data Systems Consulting Co., Ltd.)
EPSON AL-M2410 Advanced Printer Driver (HKLM\...\EPSON AL-M2410 Advanced) (Version:  - SEIKO EPSON Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 53.0.2785.116 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.7619.1252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
hp LaserJet-all-in-one (HKLM-x32\...\hp LaserJet-all-in-one) (Version:  - hp)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3960 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 13.1.0.1058 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 3.0.0.34 - Intel Corporation)
Intel® 晶片組裝置軟體 (x32 Version: 10.0.20 - Intel® Corporation) Hidden
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.15 - Oracle Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kaspersky Small Office Security (HKLM-x32\...\InstallWIX_{33F9240D-1887-4FF9-8A6E-35F32A05A277}) (Version: 15.0.2.396 - 卡巴斯基實驗室)
Kaspersky Small Office Security (x32 Version: 15.0.2.361 - 卡巴斯基實驗室) Hidden
K-Lite Mega Codec Pack 10.8.5 (HKLM-x32\...\KLiteCodecPack_is1) (Version: 10.8.5 - )
LaserAIO (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (繁體中文) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1028) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.9.218.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50428.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) 語言套件 - 繁體中文 (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - CHT) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 33.1 (x86 zh-TW) (HKLM-x32\...\Mozilla Firefox 33.1 (x86 zh-TW)) (Version: 33.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 47.0.1.6018 - Mozilla)
Non Driver CIO Components (HKLM-x32\...\Non Driver CIO Components) (Version:  - )
NVIDIA HD 音訊驅動程式 1.3.32.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.32.1 - NVIDIA Corporation)
NVIDIA PhysX 系統軟體 9.14.0702 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.14.0702 - NVIDIA Corporation)
NVIDIA 圖形驅動程式 344.48 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 344.48 - NVIDIA Corporation)
PDF-XChange Editor (HKLM-x32\...\{E04E0D78-07B7-49BA-9DFD-0C04574CBD6F}) (Version: 5.5.311.0 - Tracker Software Products (Canada) Ltd.)
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
QFolder (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
RaidenMAILD (TC) 3.3.1 (HKLM-x32\...\RaidenMAILD (TC)) (Version: 3.3.1 - Team John Long)
RAMDisk (HKLM-x32\...\{0FEB4B92-FA19-4417-B7A2-092D1F85A2FA}) (Version: 4.4.0.32 - Dataram, Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0033 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7246 - Realtek Semiconductor Corp.)
RogueKiller version 12 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12 - Adlice Software)
Scan (x32 Version: 4.9.0.0 - Hewlett-Packard) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (HKLM\...\{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{A3364707-2F53-4C83-8F68-C9877A9080C7}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (Version:  - Microsoft) Hidden
SkyATA-101 (HKLM-x32\...\SkyATA-101_is1) (Version:  - GodEngine Technology Inc.)
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 8.3.0.9150 - Microsoft Corporation)
Skype™ 7.26 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.26.101 - Skype Technologies S.A.)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
VMware vCenter Converter Standalone (HKLM-x32\...\{17C3235A-A4B9-44ED-8794-54D8408F9733}) (Version: 5.1.1.1890470 - VMware, Inc.)
VMware Workstation (HKLM-x32\...\VMware_Workstation) (Version: 10.0.3 - VMware, Inc)
VMware Workstation (Version: 10.0.3 - VMware, Inc.) Hidden
Windows Live 程式集 (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows 驅動程式封裝 - Intel (ISCT) System  (10/31/2013 1.0.11) (HKLM\...\1CF6D9B730DBBCB27827E7FDC43872DD07292FCB) (Version: 10/31/2013 1.0.11 - Intel)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-452594280-1839335267-1421973757-500_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {15FD352E-AA7E-4E27-9F79-E360360A7C04} - System32\Tasks\{CF764905-98D8-45EB-BB49-644B5EB3F1C5} => C:\Program Files (x86)\SkyATA-101\SkyATA-101.exe [2016-05-04] (GodEngine Technology Inc.)
Task: {48149246-5C71-4AF7-A088-8E6A3720590A} - System32\Tasks\doPDF Update => C:\Program Files\Softland\novaPDF 8\Driver\UpdateApplication.exe
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-14] (Microsoft Corporation)
Task: {67E8E5AE-6364-4299-805E-19494DA2073E} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-09-08] (Adobe Systems Incorporated)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-21] (Microsoft Corporation)
Task: {73885C85-5DC0-43E8-8588-D0E1B16593A6} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-09-14] (Adobe Systems Incorporated)
Task: {79305E45-5551-4EE2-92C1-D494743AA606} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {7ADB845A-7FF2-4C23-A422-3A766A464023} - System32\Tasks\{C1B14CD5-6355-4A5F-B17C-EAF25392D525} => C:\Program Files (x86)\SkyATA-101\SkyATA-101.exe [2016-05-04] (GodEngine Technology Inc.)
Task: {8381F80C-29F2-43BE-A606-035FDDD1959F} - System32\Tasks\{3C12B43F-0BC0-49F4-850E-B732BFC757BC} => Iexplore.exe hxxp://ui.skype.com/ui/0/7.14.85.106/x1/go/help.faq.installer?LastError=1641
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-21] (Microsoft Corporation)
Task: {C63CFE1D-B5B0-49FE-8B7F-27AB8A0E674D} - System32\Tasks\{9FCA7338-94D5-4729-AFBA-BF5F4F726367} => C:\Program Files (x86)\SkyATA-101\SkyATA-101.exe [2016-05-04] (GodEngine Technology Inc.)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-21] (Microsoft Corporation)
Task: {D78725E6-3020-4869-89B0-D7BD851169D4} - System32\Tasks\ShadowCopyVolume{ffc1dc39-825d-44b7-bc3d-41ba8e00bc87} => C:\Windows\system32\vssadmin.exe [2009-07-14] (Microsoft Corporation)
Task: {E0D47647-3A54-40FC-9D0B-445AE44626A7} - System32\Tasks\Norton Product InstallerIdle => C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exe <==== ATTENTION
Task: {E90B234B-8A1D-447D-98F9-83B8D05C805B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Norton Product InstallerIdle.job => C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exeK/partnerid=symantec /productlist=nss /staging=false /delay=0 /launchedby=4 C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp <==== ATTENTION
Task: C:\Windows\Tasks\ShadowCopyVolume{ffc1dc39-825d-44b7-bc3d-41ba8e00bc87}.job => C:\Windows\system32\vssadmin.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
Shortcut: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DigiWinVNC\移除DigiWinVNC.lnk -> C:\DigiWinVNC\uninstall.bat ()
 
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --disk-cache-dir="z:\Temp"
 
==================== Loaded Modules (Whitelisted) ==============
 
2014-10-29 06:24 - 2014-10-16 22:11 - 00116880 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2009-07-03 10:56 - 2009-07-03 10:56 - 00694656 _____ () D:\SmartERP\DSCPatchAgent.exe
2014-11-21 13:58 - 2013-06-28 15:28 - 00084616 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2014-06-12 17:44 - 2014-06-12 17:44 - 14407384 _____ () C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
2016-09-01 09:55 - 2016-06-24 15:54 - 02074112 _____ () C:\Users\Administrator\Desktop\FSCapture_v53.exe
2013-09-05 00:17 - 2013-09-05 00:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\office14\Cultures\office.odf
2014-06-10 20:56 - 2014-06-10 20:56 - 00086744 _____ () C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\mspack.dll
2014-06-10 20:55 - 2014-06-10 20:55 - 01297624 _____ () C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\libxml2.dll
2014-06-10 20:54 - 2014-06-10 20:54 - 00542936 _____ () C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\sqlite3.dll
2014-06-12 18:22 - 2014-06-12 18:22 - 01261272 _____ () C:\Program Files (x86)\VMware\VMware Workstation\libxml2.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2014-06-12 18:22 - 2014-06-12 18:22 - 00330456 _____ () C:\Program Files (x86)\VMware\VMware Workstation\libcurl.dll
2014-06-12 18:23 - 2014-06-12 18:23 - 00319704 _____ () C:\Program Files (x86)\VMware\VMware Workstation\libldap_r.dll
2014-06-12 18:22 - 2014-06-12 18:22 - 00146648 _____ () C:\Program Files (x86)\VMware\VMware Workstation\liblber.dll
2014-06-12 18:22 - 2014-06-12 18:22 - 00070360 _____ () C:\Program Files (x86)\VMware\VMware Workstation\zlib1.dll
2015-09-24 23:42 - 2015-09-24 23:42 - 00019456 _____ () C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Locale\zh_TW\acrotray.cht
2016-06-29 09:10 - 2014-01-06 13:46 - 00237568 _____ () C:\Program Files (x86)\SkyATA-101\HandleSkypeUI.dll
2016-06-29 09:10 - 2014-09-18 16:28 - 00294912 _____ () C:\Program Files (x86)\SkyATA-101\Dongle_Ut.dll
2016-06-29 09:10 - 2007-02-07 16:00 - 00049152 _____ () C:\Program Files (x86)\SkyATA-101\ADV.dll
2016-06-29 09:10 - 2015-05-18 16:22 - 00221184 _____ () C:\Program Files (x86)\SkyATA-101\Dongle_Hw.dll
2001-12-07 11:29 - 2001-12-07 11:29 - 00028672 _____ () D:\RaidenServer\RaidenMAILD\RaidenHOST.dll
2007-10-20 02:06 - 2007-10-20 02:06 - 00036864 _____ () D:\RaidenServer\RaidenMAILD\TIPFWLite.dll
2016-09-17 17:51 - 2016-09-14 08:38 - 01806152 _____ () C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\libglesv2.dll
2016-09-17 17:51 - 2016-09-14 08:38 - 00094024 _____ () C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\libegl.dll
2015-09-24 23:42 - 2015-09-24 23:42 - 00019456 _____ () C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\locale\zh_tw\acrotray.cht
2016-06-29 09:10 - 2009-11-21 13:02 - 00212992 _____ () C:\Program Files (x86)\SkyATA-101\AudioDevice4VistaW.dll
2016-09-07 09:09 - 2016-09-06 12:00 - 05197312 _____ () D:\Users\hetti\AppData\Local\Google\Chrome\User Data\SwiftShader\3.3.0.1\libglesv2.dll
2016-09-07 09:09 - 2016-09-06 12:00 - 00147456 _____ () D:\Users\hetti\AppData\Local\Google\Chrome\User Data\SwiftShader\3.3.0.1\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\atashost => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 10:34 - 2016-09-08 11:21 - 00000905 ____A C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-452594280-1839335267-1421973757-1014\Control Panel\Desktop\\Wallpaper -> D:\Users\hetti\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-452594280-1839335267-1421973757-500\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 172.16.1.3 - 168.95.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) %systemroot%\system32\dllhost.exe
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [DfsMgmt-In-TCP] => (Allow) %systemroot%\system32\dfsfrsHost.exe
FirewallRules: [{E4B05DB7-3433-4C54-889F-1EF7AD4E13BA}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{47B12E46-50F6-4867-84F5-C53BDC127136}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{685E7D12-ECC9-4C4D-94B8-F817219D4C16}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{E550F105-E901-45EE-B35D-09319571B01A}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{DDA5611D-A436-4859-B428-6951437BDF45}] => (Allow) D:\SoftWare\DriverGenius2013\ksoft\xlmodule\download\minithunderplatform.exe
FirewallRules: [{198DAFE7-C64B-489E-B358-1565BD6A9355}] => (Allow) D:\SoftWare\DriverGenius2013\ksoft\xlmodule\download\minithunderplatform.exe
FirewallRules: [{CEA9B09C-2375-4684-861C-FA367C4DADC5}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
FirewallRules: [{5C935103-306E-47FA-8404-4BD66186781B}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
FirewallRules: [{FD24826E-66E1-4F8F-B64C-92C7C5D2DC8B}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
FirewallRules: [{9D8D69F4-889A-474F-B8F5-CF582B73FB5E}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
FirewallRules: [{DDA7B56E-3687-4A34-95D0-62A797428F1B}] => (Allow) LPort=9089
FirewallRules: [{7FE9EB56-EBBA-4105-9C18-4029BC1C466A}] => (Allow) LPort=56789
FirewallRules: [TCP Query User{DD1D33B6-4117-4045-BEED-8957CB006ED9}C:\program files (x86)\flashget\flashget.exe] => (Allow) C:\program files (x86)\flashget\flashget.exe
FirewallRules: [UDP Query User{AFB8FFC0-40C3-4BBA-849D-71BBF1A0F32D}C:\program files (x86)\flashget\flashget.exe] => (Allow) C:\program files (x86)\flashget\flashget.exe
FirewallRules: [TCP Query User{1B4DEAD1-95B4-421A-BA75-65BA4E3781A6}D:\smarterp\s_dsbin\scktsrvr.exe] => (Allow) D:\smarterp\s_dsbin\scktsrvr.exe
FirewallRules: [UDP Query User{48D3C47D-0A14-400B-8BC7-CD36DEB31533}D:\smarterp\s_dsbin\scktsrvr.exe] => (Allow) D:\smarterp\s_dsbin\scktsrvr.exe
FirewallRules: [{75179A42-70FC-410B-AD43-32BC3BF2D52D}] => (Allow) C:\Program Files (x86)\Naver\LINE\Line.exe
FirewallRules: [{59874068-63E0-40E6-A0C4-2084B333FD71}] => (Allow) C:\Program Files (x86)\Naver\LINE\Line.exe
FirewallRules: [TCP Query User{AD7C036D-2FDE-4BD1-9D15-A9BAFF9FD116}C:\program files (x86)\skyata-101\skyata-101.exe] => (Allow) C:\program files (x86)\skyata-101\skyata-101.exe
FirewallRules: [UDP Query User{A2C7E51D-0B88-432F-AA10-722EF19CFDCC}C:\program files (x86)\skyata-101\skyata-101.exe] => (Allow) C:\program files (x86)\skyata-101\skyata-101.exe
FirewallRules: [TCP Query User{2A115694-3779-4868-BBF7-67AF6290B2CB}C:\program files (x86)\skyata-101\skyata-101.exe] => (Allow) C:\program files (x86)\skyata-101\skyata-101.exe
FirewallRules: [UDP Query User{9CAC38E9-4552-4A9E-A0CE-E1B1B747E8A5}C:\program files (x86)\skyata-101\skyata-101.exe] => (Allow) C:\program files (x86)\skyata-101\skyata-101.exe
FirewallRules: [{26F716F0-ADC8-4D2B-B33D-40C5B940A1B9}] => (Allow) C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe
FirewallRules: [{5996D70A-3106-4EAB-B21F-03E7C9AB306F}] => (Allow) C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe
FirewallRules: [FaxComponent-FaxService-RPC-TPC-in-1] => (Allow) %systemroot%\system32\fxssvc.exe
FirewallRules: [{8722E0CB-41F6-4C92-A275-7B17BAFC8BFD}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{19EB4DB2-4E7B-4C33-80DC-12867C568D4B}] => (Allow) LPort=2869
FirewallRules: [{975B5E20-CF35-4C7E-9694-8FC7D44C11AE}] => (Allow) LPort=1900
FirewallRules: [{E3895762-2A46-4EA6-88FD-DFF24E12CF6A}] => (Allow) C:\DigiWinVNC\winvnc2.exe
FirewallRules: [{E75C32E9-805B-48EE-97D9-11F1D11A212C}] => (Allow) C:\DigiWinVNC\winvnc2.exe
FirewallRules: [TCP Query User{C76E7FD2-53D7-498D-8E6A-7D592186DB91}C:\windows\system32\wfs.exe] => (Block) C:\windows\system32\wfs.exe
FirewallRules: [UDP Query User{AE8EE17B-6699-43F9-915F-0A9DFDA6143A}C:\windows\system32\wfs.exe] => (Block) C:\windows\system32\wfs.exe
FirewallRules: [TCP Query User{6BA8A725-5FFA-428F-9961-959A7BEFA01F}D:\smarterp\systemcontrols.exe] => (Allow) D:\smarterp\systemcontrols.exe
FirewallRules: [UDP Query User{177BF1B6-DF3A-4C7D-9BF5-76C5733DFB74}D:\smarterp\systemcontrols.exe] => (Allow) D:\smarterp\systemcontrols.exe
FirewallRules: [TCP Query User{E52558CC-0195-4D0D-A368-F1C9B2C47670}D:\共用\smarterp\leadersetup\patch\servicepack\s_dsbin\systemcontrols.exe] => (Block) D:\共用\smarterp\leadersetup\patch\servicepack\s_dsbin\systemcontrols.exe
FirewallRules: [UDP Query User{816E0DED-0A29-4DC4-91E4-83B83710274B}D:\共用\smarterp\leadersetup\patch\servicepack\s_dsbin\systemcontrols.exe] => (Block) D:\共用\smarterp\leadersetup\patch\servicepack\s_dsbin\systemcontrols.exe
FirewallRules: [TCP Query User{8EBE7FFA-5847-4A53-88D2-3FBD9355F1A6}D:\共用\smarterp\leadersetup\patch\servicepack\systemcontrols.exe] => (Block) D:\共用\smarterp\leadersetup\patch\servicepack\systemcontrols.exe
FirewallRules: [UDP Query User{050CF5EE-D564-47AE-8D17-3A6497E97CAD}D:\共用\smarterp\leadersetup\patch\servicepack\systemcontrols.exe] => (Block) D:\共用\smarterp\leadersetup\patch\servicepack\systemcontrols.exe
FirewallRules: [TCP Query User{0C5CBF95-DB9F-48CB-BA3A-38BA92E551E0}D:\共用\smarterp\leadersetup\patch\conductor\systemcontrols.exe] => (Block) D:\共用\smarterp\leadersetup\patch\conductor\systemcontrols.exe
FirewallRules: [UDP Query User{33E84427-7D43-43A1-A02E-4B32B7687C94}D:\共用\smarterp\leadersetup\patch\conductor\systemcontrols.exe] => (Block) D:\共用\smarterp\leadersetup\patch\conductor\systemcontrols.exe
FirewallRules: [TCP Query User{70A6D72B-EDBB-41D6-AD13-50A0DA64CCC4}D:\共用\smarterp\leadersetup\systemcontrols.exe] => (Block) D:\共用\smarterp\leadersetup\systemcontrols.exe
FirewallRules: [UDP Query User{DE205518-F9EF-49B7-B537-BDBC6B48D518}D:\共用\smarterp\leadersetup\systemcontrols.exe] => (Block) D:\共用\smarterp\leadersetup\systemcontrols.exe
FirewallRules: [TCP Query User{3C2CCBFD-913C-47C6-BC1C-C4B2309FE78B}D:\共用\smarterp\leadersetup\patch\conductor\s_dsbin\systemcontrols.exe] => (Block) D:\共用\smarterp\leadersetup\patch\conductor\s_dsbin\systemcontrols.exe
FirewallRules: [UDP Query User{498A78B4-28F4-459A-A468-47E0891882E1}D:\共用\smarterp\leadersetup\patch\conductor\s_dsbin\systemcontrols.exe] => (Block) D:\共用\smarterp\leadersetup\patch\conductor\s_dsbin\systemcontrols.exe
FirewallRules: [{0A51BCE7-7C71-4C93-AB4D-8AA33DDC0FE5}] => (Allow) D:\Backup\AnyDesk.exe
FirewallRules: [{8883B578-A520-4D69-AB77-0755C7312851}] => (Allow) D:\Backup\AnyDesk.exe
FirewallRules: [{12998D69-2683-43B2-BD7B-BB8FDDCA03F9}] => (Allow) D:\Backup\AnyDesk.exe
FirewallRules: [{50DF2529-4259-4FC8-97E1-2CB2B39D021D}] => (Allow) D:\Backup\AnyDesk.exe
FirewallRules: [{3B2E65E2-5815-4A66-AAF7-8977F22637D7}] => (Allow) C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe
FirewallRules: [{114EF9B6-42E8-4F8D-8BD6-0F64ED37FCA3}] => (Allow) C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe
FirewallRules: [{9D12F8C2-C64B-49CB-B2B4-A85E3B93268E}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{0595DF33-C231-4833-9EAB-A59DCF1F5460}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{86640C6A-9ABA-4029-BDDE-004F2D13E770}] => (Allow) D:\RaidenServer\RaidenMAILD\RaidenMAILD.exe
FirewallRules: [{5DDFDD22-8DAB-42C0-9417-FA8D12D8CA1A}] => (Allow) D:\RaidenServer\RaidenMAILD\MAILDService.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.
 
 
==================== Faulty Device Manager Devices =============
 
Name: VMware Virtual Ethernet Adapter for VMnet1
Description: VMware Virtual Ethernet Adapter for VMnet1
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: VMware, Inc.
Service: VMnetAdapter
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: VMware Virtual Ethernet Adapter for VMnet8
Description: VMware Virtual Ethernet Adapter for VMnet8
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: VMware, Inc.
Service: VMnetAdapter
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (09/21/2016 02:52:49 PM) (Source: MAILDService.exe) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/21/2016 02:52:47 PM) (Source: MAILDService.exe) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/21/2016 02:52:47 PM) (Source: MAILDService.exe) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/21/2016 02:52:42 PM) (Source: MAILDService.exe) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/21/2016 02:52:40 PM) (Source: MAILDService.exe) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/21/2016 02:52:39 PM) (Source: MAILDService.exe) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/21/2016 02:52:37 PM) (Source: MAILDService.exe) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/21/2016 02:52:36 PM) (Source: MAILDService.exe) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/21/2016 02:52:36 PM) (Source: MAILDService.exe) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (09/21/2016 02:52:36 PM) (Source: MAILDService.exe) (EventID: 0) (User: )
Description: Event-ID 0
 
 
System errors:
=============
Error: (09/21/2016 02:52:45 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (09/21/2016 10:25:54 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (09/21/2016 12:44:02 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Fax service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (09/21/2016 12:28:20 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Fax service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (09/20/2016 06:35:40 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (09/20/2016 06:35:37 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Snagit 9 Printer required for printer Snagit 9 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (09/20/2016 03:54:34 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (09/20/2016 03:54:31 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Snagit 9 Printer required for printer Snagit 9 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (09/20/2016 02:12:26 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Snagit 9 Printer required for printer Snagit 9 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (09/20/2016 02:12:24 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.
 
 
CodeIntegrity:
===================================
  Date: 2016-09-20 16:17:22.724
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codecp.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-09-20 16:17:22.672
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\ac3acm.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-09-20 16:17:22.616
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-09-20 16:08:54.154
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codecp.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-09-20 16:08:54.098
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\ac3acm.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-09-20 16:08:54.029
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-09-20 15:58:46.867
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codecp.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-09-20 15:58:46.795
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\ac3acm.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-09-20 15:58:46.723
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-09-20 14:38:18.546
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codecp.acm because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-4690K CPU @ 3.50GHz
Percentage of memory in use: 45%
Total physical RAM: 32685.84 MB
Available physical RAM: 17735.71 MB
Total Virtual: 36684.02 MB
Available Virtual: 23378.3 MB
 
==================== Drives ================================
 
Drive c: (WINDOWS) (Fixed) (Total:101.8 GB) (Free:52.43 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:5588.91 GB) (Free:3544.32 GB) NTFS
Drive z: (RAMDISK) (Fixed) (Total:3.99 GB) (Free:3.84 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 4 GB) (Disk ID: 6087479B)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)
 
========================================================
Disk: 1 (Size: 111.8 GB) (Disk ID: 0C493E82)
Partition 1: (Active) - (Size=101.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 5589 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

 

Attached Files



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,800 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:44 AM

Posted 21 September 2016 - 02:50 PM

Greetings Hetty.

I will tell you up front we don't normally deal with Servers so I will be reluctant to be aggressive in addressing your computer.

Do you recognize this?

==================== NetSvcs (Whitelisted) ===================

NETSVCx32: dg623 -> C:\Windows\SysWOW64\dg623\dg623.dll (MyDrivers.com)


-----

These are in very odd locations. Does this look reasonable to you?

Task: {E0D47647-3A54-40FC-9D0B-445AE44626A7} - System32\Tasks\Norton Product InstallerIdle => C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exe <==== ATTENTION

Task: C:\Windows\Tasks\Norton Product InstallerIdle.job => C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exeK/partnerid=symantec /productlist=nss /staging=false /delay=0 /launchedby=4 C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp <==== ATTENTION


-----

Please do these things for me.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
SearchScopes: HKU\S-1-5-21-452594280-1839335267-1421973757-1014 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
Toolbar: HKU\S-1-5-21-452594280-1839335267-1421973757-1014 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-452594280-1839335267-1421973757-500 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll [No File]
S2 DGPNPSEV; D:\SoftWare\DriverGenius2013\DgService.exe [X]
S3 ALSysIO; \??\C:\Users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys [X]
S2 DgSafe; \??\C:\Windows\system32\drivers\DgSafe.sys [X]
2016-09-21 10:29 - 2016-09-21 10:29 - 00000000 ____D D:\Users\hetti\AppData\Local\{CA3B05A6-C03A-4694-975D-5372F5F20639}
2016-09-20 13:26 - 2016-09-20 13:27 - 00000000 ____D D:\Users\liao\AppData\Local\{9DBC9929-9CDF-4CB7-A67B-692CB94F99A6}
2016-09-20 08:55 - 2016-09-20 08:55 - 00000000 ____D D:\Users\hetti\AppData\Local\{A321431E-4E51-4307-B7D6-B9E60A64E1BA}
2016-09-19 19:59 - 2016-09-19 19:59 - 00000000 ____D D:\Users\hetti\AppData\Local\{1E29E90E-3FF3-4309-8AFE-A945D6F15A8E}
2016-09-19 12:07 - 2016-09-19 12:07 - 00000000 ____D D:\Users\liao\AppData\Local\{4E056E11-4ADC-45AD-B10E-A429D361C308}
2016-09-19 00:06 - 2016-09-19 00:06 - 00000000 ____D D:\Users\liao\AppData\Local\{08B83F9B-6D5C-40C5-A4F3-410685766121}
2016-09-18 12:06 - 2016-09-18 12:06 - 00000000 ____D D:\Users\liao\AppData\Local\{E9895EF0-681F-4EC3-B198-41DE8B6515B4}
2016-09-18 00:06 - 2016-09-18 00:06 - 00000000 ____D D:\Users\liao\AppData\Local\{7885933C-D223-4D50-8294-C709F782D46D}
2016-09-17 12:05 - 2016-09-17 12:05 - 00000000 ____D D:\Users\liao\AppData\Local\{83840BDC-7760-4182-B5BB-5BFB6D1E7379}
2016-09-17 00:05 - 2016-09-17 00:05 - 00000000 ____D D:\Users\liao\AppData\Local\{90AC039A-6539-4BDA-A3DB-25BDF78487D7}
2016-09-16 15:49 - 2016-09-16 15:49 - 00000000 ____D D:\Users\hetti\AppData\Local\{BEE5CBE3-F63E-4474-B3EA-0EA846B2607B}
2016-09-16 12:05 - 2016-09-16 12:05 - 00000000 ____D D:\Users\liao\AppData\Local\{5E2D760F-A910-4FDA-97CB-92F450585A00}
2016-09-16 00:05 - 2016-09-16 00:05 - 00000000 ____D D:\Users\liao\AppData\Local\{BF68DB1D-E4C4-4E06-B5AF-3B1AD8340416}
2016-09-15 12:04 - 2016-09-15 12:04 - 00000000 ____D D:\Users\liao\AppData\Local\{482253EE-03B8-44A9-84E5-A39CAE1D6038}
2016-09-15 00:04 - 2016-09-15 00:04 - 00000000 ____D D:\Users\liao\AppData\Local\{2F064379-0F51-451D-8C00-E5C2B55761FC}
2016-09-14 12:02 - 2016-09-14 12:03 - 00000000 ____D D:\Users\liao\AppData\Local\{465F3F7F-626A-4854-9707-17B157997B7C}
2016-09-14 08:55 - 2016-09-14 08:55 - 00000000 ____D D:\Users\hetti\AppData\Local\{6C1CC0CD-7E45-4D10-9714-A989AC64667E}
2016-09-13 09:11 - 2016-09-13 09:11 - 00000000 ____D D:\Users\hetti\AppData\Local\{C285F963-1545-4626-94C4-19212C3DC304}
2016-09-12 10:57 - 2016-09-12 10:57 - 00000000 ____D D:\Users\hetti\AppData\Local\{E6D2B9AE-6162-4255-B330-AD4BD67F0E91}
2016-09-10 09:13 - 2016-09-10 09:13 - 00000000 ____D D:\Users\hetti\AppData\Local\{2266C568-5504-41F4-BBDA-EF3C07298A94}
2016-09-09 09:34 - 2016-09-09 09:34 - 00000000 ____D D:\Users\hetti\AppData\Local\{957E31C4-06A5-485F-A7B9-ED2EB81D63A4}
2016-09-08 16:28 - 2016-09-08 16:28 - 00000000 ____D D:\Users\hetti\AppData\Local\{BDBA1B9B-4633-45A9-A96B-1F3673B66B5E}
2016-09-07 08:35 - 2016-09-07 08:35 - 00000000 ____D D:\Users\hetti\AppData\Local\{51457544-7A82-4FB4-AA9A-F311A13BD913}
2016-09-06 09:15 - 2016-09-06 09:15 - 00000000 ____D D:\Users\hetti\AppData\Local\{8B1F55CA-A143-4213-83DF-F921A6393066}
2016-09-05 14:48 - 2016-09-05 14:48 - 00000000 ____D D:\Users\hetti\AppData\Local\{79BA2E74-3B53-4E73-9122-7FE5327BCB5B}
2016-09-02 15:14 - 2016-09-02 15:14 - 00000000 ____D D:\Users\hetti\AppData\Local\{394E9608-F668-4839-BEBD-6549635719BE}
2016-09-01 15:34 - 2016-09-01 15:34 - 00000000 ____D D:\Users\hetti\AppData\Local\{EEA37123-FC51-4754-99FC-671C6236A999}
2016-08-24 21:13 - 2016-08-24 21:13 - 00000000 ____D D:\Users\hetti\AppData\Local\{545E09DC-DC3D-4B75-BCD4-ABF6D7FEEA88}
2016-08-24 09:12 - 2016-08-24 09:12 - 00000000 ____D D:\Users\hetti\AppData\Local\{83F915D7-70D3-4F8E-915F-E9AF9592BB6D}
2016-08-23 08:46 - 2016-08-23 08:46 - 00000000 ____D D:\Users\hetti\AppData\Local\{5183E88C-37BE-4EA5-9C6F-C4B5E780AD04}
2016-08-22 10:29 - 2016-08-22 10:29 - 00000000 ____D D:\Users\hetti\AppData\Local\{D15218A3-A20C-48CC-858E-1C9E69C38AB0}
File: D:\SoftWare\DriverGenius2013\ksoft\xlmodule\download\minithunderplatform.exe
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed, the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook and save it to your Desktop.
  • Right-click SystemLook.exe and select Run as administrator...
  • Copy the content of the following codebox into the main textfield:
:filefind
npf.sys
wpcap.dll
Packet.dll
:file
D:\SoftWare\DriverGenius2013\ksoft\xlmodule\download\minithunderplatform.exe
:regfind
NetworkNotifyer
InfoPlayedCurrent
TimestampMode
DBSavedUse
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Recognize entries?
  • Fixlog
  • SystemLook report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 m618

m618
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 22 September 2016 - 09:32 AM

About the entries :

 
I do not know the function of this file so I checked on virustotal.
[dg623.dll] detection ratio is 0/57 on virustotal.com
NETSVCx32: dg623 -> C:\Windows\SysWOW64\dg623\dg623.dll (MyDrivers.com)
 
 
I couldn't find "1" under the "Temp" folder.
C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exe
 
 
I do not know the function of this file so I checked on virustotal.
[Norton Product InstallerIdle.job] detection ratio is 0/55 on virustotal.com
C:\Windows\Tasks\Norton Product InstallerIdle.job 
 
 
Fixlog.txt
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 21-09-2016
Ran by Administrator (22-09-2016 22:11:24) Run:1
Running from C:\Users\Administrator\Desktop
Loaded Profiles: hetti & Administrator (Available Profiles: User & hetti & 401a & 503a & 503b & 505a & 506a & 507a & 508a & 602a & 605a & 606a & 607a & 608a & 609a & 610a & 611a & 611b & 612a & 613a & 615a & 615b & 615c & 616a & 617a & 618a & 619a & 621a & 698a & liao & duke & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
SearchScopes: HKU\S-1-5-21-452594280-1839335267-1421973757-1014 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
Toolbar: HKU\S-1-5-21-452594280-1839335267-1421973757-1014 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-452594280-1839335267-1421973757-500 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll [No File]
S2 DGPNPSEV; D:\SoftWare\DriverGenius2013\DgService.exe [X]
S3 ALSysIO; \??\C:\Users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys [X]
S2 DgSafe; \??\C:\Windows\system32\drivers\DgSafe.sys [X]
2016-09-21 10:29 - 2016-09-21 10:29 - 00000000 ____D D:\Users\hetti\AppData\Local\{CA3B05A6-C03A-4694-975D-5372F5F20639}
2016-09-20 13:26 - 2016-09-20 13:27 - 00000000 ____D D:\Users\liao\AppData\Local\{9DBC9929-9CDF-4CB7-A67B-692CB94F99A6}
2016-09-20 08:55 - 2016-09-20 08:55 - 00000000 ____D D:\Users\hetti\AppData\Local\{A321431E-4E51-4307-B7D6-B9E60A64E1BA}
2016-09-19 19:59 - 2016-09-19 19:59 - 00000000 ____D D:\Users\hetti\AppData\Local\{1E29E90E-3FF3-4309-8AFE-A945D6F15A8E}
2016-09-19 12:07 - 2016-09-19 12:07 - 00000000 ____D D:\Users\liao\AppData\Local\{4E056E11-4ADC-45AD-B10E-A429D361C308}
2016-09-19 00:06 - 2016-09-19 00:06 - 00000000 ____D D:\Users\liao\AppData\Local\{08B83F9B-6D5C-40C5-A4F3-410685766121}
2016-09-18 12:06 - 2016-09-18 12:06 - 00000000 ____D D:\Users\liao\AppData\Local\{E9895EF0-681F-4EC3-B198-41DE8B6515B4}
2016-09-18 00:06 - 2016-09-18 00:06 - 00000000 ____D D:\Users\liao\AppData\Local\{7885933C-D223-4D50-8294-C709F782D46D}
2016-09-17 12:05 - 2016-09-17 12:05 - 00000000 ____D D:\Users\liao\AppData\Local\{83840BDC-7760-4182-B5BB-5BFB6D1E7379}
2016-09-17 00:05 - 2016-09-17 00:05 - 00000000 ____D D:\Users\liao\AppData\Local\{90AC039A-6539-4BDA-A3DB-25BDF78487D7}
2016-09-16 15:49 - 2016-09-16 15:49 - 00000000 ____D D:\Users\hetti\AppData\Local\{BEE5CBE3-F63E-4474-B3EA-0EA846B2607B}
2016-09-16 12:05 - 2016-09-16 12:05 - 00000000 ____D D:\Users\liao\AppData\Local\{5E2D760F-A910-4FDA-97CB-92F450585A00}
2016-09-16 00:05 - 2016-09-16 00:05 - 00000000 ____D D:\Users\liao\AppData\Local\{BF68DB1D-E4C4-4E06-B5AF-3B1AD8340416}
2016-09-15 12:04 - 2016-09-15 12:04 - 00000000 ____D D:\Users\liao\AppData\Local\{482253EE-03B8-44A9-84E5-A39CAE1D6038}
2016-09-15 00:04 - 2016-09-15 00:04 - 00000000 ____D D:\Users\liao\AppData\Local\{2F064379-0F51-451D-8C00-E5C2B55761FC}
2016-09-14 12:02 - 2016-09-14 12:03 - 00000000 ____D D:\Users\liao\AppData\Local\{465F3F7F-626A-4854-9707-17B157997B7C}
2016-09-14 08:55 - 2016-09-14 08:55 - 00000000 ____D D:\Users\hetti\AppData\Local\{6C1CC0CD-7E45-4D10-9714-A989AC64667E}
2016-09-13 09:11 - 2016-09-13 09:11 - 00000000 ____D D:\Users\hetti\AppData\Local\{C285F963-1545-4626-94C4-19212C3DC304}
2016-09-12 10:57 - 2016-09-12 10:57 - 00000000 ____D D:\Users\hetti\AppData\Local\{E6D2B9AE-6162-4255-B330-AD4BD67F0E91}
2016-09-10 09:13 - 2016-09-10 09:13 - 00000000 ____D D:\Users\hetti\AppData\Local\{2266C568-5504-41F4-BBDA-EF3C07298A94}
2016-09-09 09:34 - 2016-09-09 09:34 - 00000000 ____D D:\Users\hetti\AppData\Local\{957E31C4-06A5-485F-A7B9-ED2EB81D63A4}
2016-09-08 16:28 - 2016-09-08 16:28 - 00000000 ____D D:\Users\hetti\AppData\Local\{BDBA1B9B-4633-45A9-A96B-1F3673B66B5E}
2016-09-07 08:35 - 2016-09-07 08:35 - 00000000 ____D D:\Users\hetti\AppData\Local\{51457544-7A82-4FB4-AA9A-F311A13BD913}
2016-09-06 09:15 - 2016-09-06 09:15 - 00000000 ____D D:\Users\hetti\AppData\Local\{8B1F55CA-A143-4213-83DF-F921A6393066}
2016-09-05 14:48 - 2016-09-05 14:48 - 00000000 ____D D:\Users\hetti\AppData\Local\{79BA2E74-3B53-4E73-9122-7FE5327BCB5B}
2016-09-02 15:14 - 2016-09-02 15:14 - 00000000 ____D D:\Users\hetti\AppData\Local\{394E9608-F668-4839-BEBD-6549635719BE}
2016-09-01 15:34 - 2016-09-01 15:34 - 00000000 ____D D:\Users\hetti\AppData\Local\{EEA37123-FC51-4754-99FC-671C6236A999}
2016-08-24 21:13 - 2016-08-24 21:13 - 00000000 ____D D:\Users\hetti\AppData\Local\{545E09DC-DC3D-4B75-BCD4-ABF6D7FEEA88}
2016-08-24 09:12 - 2016-08-24 09:12 - 00000000 ____D D:\Users\hetti\AppData\Local\{83F915D7-70D3-4F8E-915F-E9AF9592BB6D}
2016-08-23 08:46 - 2016-08-23 08:46 - 00000000 ____D D:\Users\hetti\AppData\Local\{5183E88C-37BE-4EA5-9C6F-C4B5E780AD04}
2016-08-22 10:29 - 2016-08-22 10:29 - 00000000 ____D D:\Users\hetti\AppData\Local\{D15218A3-A20C-48CC-858E-1C9E69C38AB0}
File: D:\SoftWare\DriverGenius2013\ksoft\xlmodule\download\minithunderplatform.exe
*****************
 
"HKU\S-1-5-21-452594280-1839335267-1421973757-1014\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found. 
HKU\S-1-5-21-452594280-1839335267-1421973757-1014\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value removed successfully
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => key not found. 
HKU\S-1-5-21-452594280-1839335267-1421973757-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value removed successfully
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => key not found. 
"HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\adobe.com/AdobeExManDetect" => key removed successfully
DGPNPSEV => service removed successfully
ALSysIO => service removed successfully
DgSafe => service removed successfully
"2016-09-21 10:29 - 2016-09-21 10:29 - 00000000 ____D D:\Users\hetti\AppData\Local\{CA3B05A6-C03A-4694-975D-5372F5F20639}" => not found.
"2016-09-20 13:26 - 2016-09-20 13:27 - 00000000 ____D D:\Users\liao\AppData\Local\{9DBC9929-9CDF-4CB7-A67B-692CB94F99A6}" => not found.
"2016-09-20 08:55 - 2016-09-20 08:55 - 00000000 ____D D:\Users\hetti\AppData\Local\{A321431E-4E51-4307-B7D6-B9E60A64E1BA}" => not found.
"2016-09-19 19:59 - 2016-09-19 19:59 - 00000000 ____D D:\Users\hetti\AppData\Local\{1E29E90E-3FF3-4309-8AFE-A945D6F15A8E}" => not found.
"2016-09-19 12:07 - 2016-09-19 12:07 - 00000000 ____D D:\Users\liao\AppData\Local\{4E056E11-4ADC-45AD-B10E-A429D361C308}" => not found.
"2016-09-19 00:06 - 2016-09-19 00:06 - 00000000 ____D D:\Users\liao\AppData\Local\{08B83F9B-6D5C-40C5-A4F3-410685766121}" => not found.
"2016-09-18 12:06 - 2016-09-18 12:06 - 00000000 ____D D:\Users\liao\AppData\Local\{E9895EF0-681F-4EC3-B198-41DE8B6515B4}" => not found.
"2016-09-18 00:06 - 2016-09-18 00:06 - 00000000 ____D D:\Users\liao\AppData\Local\{7885933C-D223-4D50-8294-C709F782D46D}" => not found.
"2016-09-17 12:05 - 2016-09-17 12:05 - 00000000 ____D D:\Users\liao\AppData\Local\{83840BDC-7760-4182-B5BB-5BFB6D1E7379}" => not found.
"2016-09-17 00:05 - 2016-09-17 00:05 - 00000000 ____D D:\Users\liao\AppData\Local\{90AC039A-6539-4BDA-A3DB-25BDF78487D7}" => not found.
"2016-09-16 15:49 - 2016-09-16 15:49 - 00000000 ____D D:\Users\hetti\AppData\Local\{BEE5CBE3-F63E-4474-B3EA-0EA846B2607B}" => not found.
"2016-09-16 12:05 - 2016-09-16 12:05 - 00000000 ____D D:\Users\liao\AppData\Local\{5E2D760F-A910-4FDA-97CB-92F450585A00}" => not found.
"2016-09-16 00:05 - 2016-09-16 00:05 - 00000000 ____D D:\Users\liao\AppData\Local\{BF68DB1D-E4C4-4E06-B5AF-3B1AD8340416}" => not found.
"2016-09-15 12:04 - 2016-09-15 12:04 - 00000000 ____D D:\Users\liao\AppData\Local\{482253EE-03B8-44A9-84E5-A39CAE1D6038}" => not found.
"2016-09-15 00:04 - 2016-09-15 00:04 - 00000000 ____D D:\Users\liao\AppData\Local\{2F064379-0F51-451D-8C00-E5C2B55761FC}" => not found.
"2016-09-14 12:02 - 2016-09-14 12:03 - 00000000 ____D D:\Users\liao\AppData\Local\{465F3F7F-626A-4854-9707-17B157997B7C}" => not found.
"2016-09-14 08:55 - 2016-09-14 08:55 - 00000000 ____D D:\Users\hetti\AppData\Local\{6C1CC0CD-7E45-4D10-9714-A989AC64667E}" => not found.
"2016-09-13 09:11 - 2016-09-13 09:11 - 00000000 ____D D:\Users\hetti\AppData\Local\{C285F963-1545-4626-94C4-19212C3DC304}" => not found.
"2016-09-12 10:57 - 2016-09-12 10:57 - 00000000 ____D D:\Users\hetti\AppData\Local\{E6D2B9AE-6162-4255-B330-AD4BD67F0E91}" => not found.
"2016-09-10 09:13 - 2016-09-10 09:13 - 00000000 ____D D:\Users\hetti\AppData\Local\{2266C568-5504-41F4-BBDA-EF3C07298A94}" => not found.
"2016-09-09 09:34 - 2016-09-09 09:34 - 00000000 ____D D:\Users\hetti\AppData\Local\{957E31C4-06A5-485F-A7B9-ED2EB81D63A4}" => not found.
"2016-09-08 16:28 - 2016-09-08 16:28 - 00000000 ____D D:\Users\hetti\AppData\Local\{BDBA1B9B-4633-45A9-A96B-1F3673B66B5E}" => not found.
"2016-09-07 08:35 - 2016-09-07 08:35 - 00000000 ____D D:\Users\hetti\AppData\Local\{51457544-7A82-4FB4-AA9A-F311A13BD913}" => not found.
"2016-09-06 09:15 - 2016-09-06 09:15 - 00000000 ____D D:\Users\hetti\AppData\Local\{8B1F55CA-A143-4213-83DF-F921A6393066}" => not found.
"2016-09-05 14:48 - 2016-09-05 14:48 - 00000000 ____D D:\Users\hetti\AppData\Local\{79BA2E74-3B53-4E73-9122-7FE5327BCB5B}" => not found.
"2016-09-02 15:14 - 2016-09-02 15:14 - 00000000 ____D D:\Users\hetti\AppData\Local\{394E9608-F668-4839-BEBD-6549635719BE}" => not found.
"2016-09-01 15:34 - 2016-09-01 15:34 - 00000000 ____D D:\Users\hetti\AppData\Local\{EEA37123-FC51-4754-99FC-671C6236A999}" => not found.
"2016-08-24 21:13 - 2016-08-24 21:13 - 00000000 ____D D:\Users\hetti\AppData\Local\{545E09DC-DC3D-4B75-BCD4-ABF6D7FEEA88}" => not found.
"2016-08-24 09:12 - 2016-08-24 09:12 - 00000000 ____D D:\Users\hetti\AppData\Local\{83F915D7-70D3-4F8E-915F-E9AF9592BB6D}" => not found.
"2016-08-23 08:46 - 2016-08-23 08:46 - 00000000 ____D D:\Users\hetti\AppData\Local\{5183E88C-37BE-4EA5-9C6F-C4B5E780AD04}" => not found.
"2016-08-22 10:29 - 2016-08-22 10:29 - 00000000 ____D D:\Users\hetti\AppData\Local\{D15218A3-A20C-48CC-858E-1C9E69C38AB0}" => not found.
 
========================= File: D:\SoftWare\DriverGenius2013\ksoft\xlmodule\download\minithunderplatform.exe ========================
 
"D:\SoftWare\DriverGenius2013\ksoft\xlmodule\download\minithunderplatform.exe" => not found.
====== End of File: ======
 
 
==== End of Fixlog 22:11:24 ====
 
 
Systemlook.txt
 
SystemLook 30.07.11 by jpshortstuff
Log created at 22:15 on 22/09/2016 by Administrator
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.
 
========== filefind ==========
 
Searching for "npf.sys"
No files found.
 
Searching for "wpcap.dll"
C:\Windows\Temp\DRSUnzipTemp\nmap\wpcap.dll --a---- 282360 bytes [09:45 17/08/2016] [03:07 19/08/2014] 4633B298D57014627831CCAC89A2C50B
 
Searching for "Packet.dll"
C:\Windows\Temp\DRSUnzipTemp\nmap\Packet.dll --a---- 98040 bytes [09:45 17/08/2016] [03:07 19/08/2014] 86316BE34481C1ED5B792169312673FD
 
========== file ==========
 
D:\SoftWare\DriverGenius2013\ksoft\xlmodule\download\minithunderplatform.exe - Unable to find/read file.
 
========== regfind ==========
 
Searching for "NetworkNotifyer"
No data found.
 
Searching for "InfoPlayedCurrent"
No data found.
 
Searching for "TimestampMode"
No data found.
 
Searching for "DBSavedUse"
No data found.
 
-= EOF =-
 

Attached Files
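The SystemLook hits above show wpcap.dll and Packet.dll under C:\Windows\Temp\DRSUnzipTemp\nmap rather than where a WinPcap install puts them, and a VirusTotal lookup cannot catch that, because the bytes are the legitimate library. The script below is an added example, not part of this thread or of SystemLook or FRST: it walks a directory tree, hashes every WinPcap component it finds and flags copies that sit outside an allow-list of install directories. The allow-list and the sample directory tree (dummy bytes created in a temp folder) are assumptions constructed for the example; point it at a real volume root to use it.

```python
"""Audit WinPcap components by location, not just by hash.

Added example for this thread. Finds npf.sys / wpcap.dll / Packet.dll under a
volume root, hashes each copy and flags copies outside the directories where
a normal WinPcap install places them. The expected-directory list and the
sample tree are assumptions made for the example.
"""
import hashlib
import os
import tempfile
from pathlib import Path, PureWindowsPath

WINPCAP_FILES = {"npf.sys", "wpcap.dll", "packet.dll"}

# Assumed legitimate locations, relative to the volume root. PureWindowsPath
# compares case-insensitively, which matches NTFS behaviour.
EXPECTED_DIRS = {
    PureWindowsPath("Windows/System32"),
    PureWindowsPath("Windows/System32/drivers"),
    PureWindowsPath("Windows/SysWOW64"),
    PureWindowsPath("Program Files/WinPcap"),
    PureWindowsPath("Program Files (x86)/WinPcap"),
}


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit_winpcap(root):
    """Return one finding per WinPcap component found under root."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in WINPCAP_FILES:
                continue
            full = Path(dirpath) / name
            rel_dir = PureWindowsPath(str(full.parent.relative_to(root)))
            findings.append({
                "path": str(full.relative_to(root)),
                "sha256": sha256_of(full),
                "expected_location": rel_dir in EXPECTED_DIRS,
            })
    return sorted(findings, key=lambda f: f["path"])


def suspicious_copies(root):
    """Paths of WinPcap components that live outside the allow-list."""
    return [f["path"] for f in audit_winpcap(root) if not f["expected_location"]]


def build_sample_tree():
    """Constructed stand-in for a Windows volume; file contents are dummy bytes.

    The same bytes are placed in System32 and in a Temp folder to show that an
    identical (clean) hash is no evidence the Temp copy belongs there.
    """
    root = Path(tempfile.mkdtemp())
    layout = {
        "Windows/System32/wpcap.dll": b"constructed-wpcap-bytes",
        "Windows/Temp/DRSUnzipTemp/nmap/wpcap.dll": b"constructed-wpcap-bytes",
        "Windows/Temp/DRSUnzipTemp/nmap/Packet.dll": b"constructed-packet-bytes",
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in audit_winpcap(sample_root):
        flag = "OK " if finding["expected_location"] else "???"
        print(flag, finding["sha256"][:16], finding["path"])
```

The point of the two identical hashes in the sample is the one Gary makes later in the thread: a clean detection ratio says the file is the real WinPcap library, not that it should be sitting in a Temp folder next to an nmap copy nobody installed.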



#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,800 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:44 AM

Posted 22 September 2016 - 09:36 AM

Thank you for the information. Just wanted to let you know I will be away from my computer for a few hours but will work on this immediately upon my return.
Gary
 

#9 m618

m618
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 22 September 2016 - 10:00 AM

Hi Gary,

 

Thank you for your swift reply.

I forgot to tell you that I don't know how to start the computer in Safe Mode,

so I couldn't do this step in Safe Mode: Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode.

 

When I restarted the computer, I pressed F8 to try to enter Safe Mode, but only this screen popped up (see attached m618 photo 2.JPG).

Then I pressed Enter, and the computer started normally as usual; it didn't give me the option to select Safe Mode.

 

Also, my environment is one server with about 15 PCs.

Should I apply the same steps you told me to those 15 PCs? Maybe the virus is in one of those PCs?

 

Thanks again.

Hetty 

Attached Files



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,800 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:44 AM

Posted 22 September 2016 - 01:46 PM

Greetings Hetty,

Sorry the instructions were not clear in running FRST. Safe Mode is an option only if you can't boot into Normal Boot.

-----
 

Also, my environment is one server with about 15 PCs.

Should I apply the same steps you told me to those 15 PCs? Maybe the virus is in one of those PCs?

I am attempting to deal with the server to clean it up, but it may become necessary to monitor the activities of the networked computers to see which one(s) might be sending the spam. If it comes to that I would probably refer you over to the Networking Forum so they could assist you in setting up the proper monitoring mechanisms, since I don't have any expertise in that area.

-----
 

Searching for "wpcap.dll"
C:\Windows\Temp\DRSUnzipTemp\nmap\wpcap.dll --a---- 282360 bytes [09:45 17/08/2016] [03:07 19/08/2014] 4633B298D57014627831CCAC89A2C50B

Searching for "Packet.dll"
C:\Windows\Temp\DRSUnzipTemp\nmap\Packet.dll --a---- 98040 bytes [09:45 17/08/2016] [03:07 19/08/2014] 86316BE34481C1ED5B792169312673FD

This looks very suspicious to me. If you have been infected by Kelihos (which is a Backdoor Trojan), these legitimate files are dropped, but in a different location than what is shown on your computer. Could you please check the contents of the C:\Windows\Temp\DRSUnzipTemp folder and see if you recognize the contents.

-----

Even though those files come back clean, if you do not recognize them I would remove them. If you want to do that you can run the fixlist below.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
NETSVCx32: dg623 -> C:\Windows\SysWOW64\dg623\dg623.dll (MyDrivers.com)
C:\Windows\SysWOW64\dg623
Task: {E0D47647-3A54-40FC-9D0B-445AE44626A7} - System32\Tasks\Norton Product InstallerIdle => C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exe
Task: C:\Windows\Tasks\Norton Product InstallerIdle.job => C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exeK/partnerid=symantec /productlist=nss /staging=false /delay=0 /launchedby=4 C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp
C:\Users\ADMINI~1\AppData\Local\Temp\1
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed, the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Folder contents familiar?
  • Fixlog, if you ran the fixlist

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 m618


Posted 23 September 2016 - 09:57 AM

Greetings Gary,

Do you mean that I was running in Normal boot, so the results I ran last time are okay?

I would like to inform you that I will follow your steps and post the results in 12 hours from now (a bit later than usual).

Thanks for waiting.

Hetty



#12 Oh My!


Posted 23 September 2016 - 10:05 AM

Hi Hetty

Yes the results were perfect.

No problem at all. I will be here when you are able to work through things.
Gary

#13 m618


Posted 23 September 2016 - 09:18 PM

Greetings Gary,

I do not find the (C:\Windows\Temp\DRSUnzipTemp) folder contents familiar.

Hence, I followed the steps (using FRST.exe) to remove those suspicious files/folders.

I have a question about the result Fixlog.txt:

Task: {E0D47647-3A54-40FC-9D0B-445AE44626A7} - System32\Tasks\Norton Product InstallerIdle => C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exe

(Does it mean this suspicious file SymInstallStub.exe has been removed? I do find the file very suspicious because it seems like it's hiding; I can't find it under the "Temp" folder.)

I use the antivirus software Kaspersky. When it was first installed two weeks ago, it found many suspicious files.

After the files were removed, it didn't find any suspicious files since then. But CBL still detects weird activities from my IP, so does it mean the Kelihos (a backdoor Trojan) is hiding? Is that why even antivirus software cannot find it?

Fixlog.txt
Fix result of Farbar Recovery Scan Tool (x64) Version: 21-09-2016
Ran by Administrator (24-09-2016 09:52:21) Run:2
Running from C:\Users\Administrator\Desktop
Loaded Profiles: hetti & Administrator (Available Profiles: User & hetti & 401a & 503a & 503b & 505a & 506a & 507a & 508a & 602a & 605a & 606a & 607a & 608a & 609a & 610a & 611a & 611b & 612a & 613a & 615a & 615b & 615c & 616a & 617a & 618a & 619a & 621a & 698a & liao & duke & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
NETSVCx32: dg623 -> C:\Windows\SysWOW64\dg623\dg623.dll (MyDrivers.com)
C:\Windows\SysWOW64\dg623
Task: {E0D47647-3A54-40FC-9D0B-445AE44626A7} - System32\Tasks\Norton Product InstallerIdle => C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exe     
Task: C:\Windows\Tasks\Norton Product InstallerIdle.job => C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exeK/partnerid=symantec /productlist=nss /staging=false /delay=0 /launchedby=4 C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp
C:\Users\ADMINI~1\AppData\Local\Temp\1
*****************
 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs dg623 => removed successfully
C:\Windows\SysWOW64\dg623 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E0D47647-3A54-40FC-9D0B-445AE44626A7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E0D47647-3A54-40FC-9D0B-445AE44626A7}" => key removed successfully
C:\Windows\System32\Tasks\Norton Product InstallerIdle => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Norton Product InstallerIdle" => key removed successfully
C:\Windows\Tasks\Norton Product InstallerIdle.job => moved successfully
"C:\Users\ADMINI~1\AppData\Local\Temp\1" => not found.
 
==== End of Fixlog 09:52:22 ====

Edited by m618, 23 September 2016 - 09:19 PM.


#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,800 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:44 AM

Posted 24 September 2016 - 05:49 PM

Hi Hetty.
 

Hence, I follow the steps (use FRST.exe) to remove those suspicious files/folders.

Excellent.

-----
 

I have a question about the result Fixlog.txt

Task: {E0D47647-3A54-40FC-9D0B-445AE44626A7} - System32\Tasks\Norton Product InstallerIdle => C:\Users\ADMINI~1\AppData\Local\Temp\1\7zSD79E.tmp\SymInstallStub.exe

(Does it mean this suspicious file SymInstallStub.exe has been removed ? I do find the file very suspicious because it seems like it's hiding, I can't find it under "Temp" folder. )

It appears the file was already removed. What we did in the latest fix was remove the registry key pointing to that non-existent file.

-----
 

After the files were removed, it didn't find any suspicious files since then. But CBL still detects weird activities from my IP, so does it mean the Kelihos (a backdoor Trojan) is hiding ? That's why even antivirus software cannot find it ?

So far your Server appears to be clean. Are spam emails being sent out from any other address besides liao@misumi.com.tw?

I don't know much about mail servers. When one of the networked computers sends an email is it always shown as coming from the server ip address?
Gary

#15 m618


Posted 25 September 2016 - 07:56 PM

Glad to hear my server is clean. Thank you for your instruction.

About the mail account liao@misumi.com.tw sending mail to itself, is it possible that it is also sending to many other mail addresses but I can't see it?

I actually have set up a rule: I would receive a copy of all the outgoing mails. But I do not see any weird outgoing mails.
That's something I am really confused about: there aren't any weird outgoing mails, so why would CBL say that my IP/computer was infected with a spam-sending trojan?

Yes, when one of the networked computers sends an email, it is always shown as coming from the same server IP address.

Today I have delisted on the CBL website (abuseat.org); I will wait for 2 days to see if my IP address stays clean.
If yes, it should be resolved then. If not, please give me your suggestions, thank you.
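The point Gary raises in #14 and Hetty confirms in #15 (every LAN machine's traffic leaves through the one public IP) is why a clean mail server and a CBL listing can coexist: a Kelihos bot on any workstation behind the NAT can deliver spam straight to remote MX hosts on TCP/25, never touching the mail server or its outgoing-copy rule, and CBL lists the shared public address. The block below is an added example, not code from this thread or from any tool mentioned in it. It runs over a constructed NAT/firewall connection log in a hypothetical "timestamp src:port -> dst:port proto" format (the internal addresses, the mail server address 192.168.1.10 and the sample lines are all made up) and reports which internal hosts other than the mail server are opening outbound port 25 connections.

```python
"""Find LAN hosts, other than the mail server, that connect outbound to TCP/25.

Added example; not from the thread. Assumes a hypothetical NAT/firewall log
format 'YYYY-MM-DD HH:MM:SS src_ip:src_port -> dst_ip:dst_port PROTO' and
constructed sample addresses.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical internal address of the legitimate mail server and LAN range.
MAIL_SERVER = ip_address("192.168.1.10")
LAN = ip_network("192.168.1.0/24")
SMTP_PORT = 25

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample log: one legitimate relay (the mail server), one
# workstation (192.168.1.57) spraying connections at many MX hosts, one
# unrelated HTTPS connection, and a malformed line the parser must skip.
SAMPLE_LOG = """\
2016-09-23 09:00:01 192.168.1.10:51234 -> 203.0.113.5:25 TCP
2016-09-23 09:00:03 192.168.1.57:49152 -> 198.51.100.20:25 TCP
2016-09-23 09:00:03 192.168.1.57:49153 -> 198.51.100.21:25 TCP
2016-09-23 09:00:04 192.168.1.57:49154 -> 192.0.2.77:25 TCP
2016-09-23 09:00:05 192.168.1.23:52000 -> 93.184.216.34:443 TCP
2016-09-23 09:00:06 192.168.1.10:51235 -> 203.0.113.6:25 TCP
2016-09-23 09:00:07 192.168.1.57:49155 -> 198.51.100.22:25 TCP
garbage line that should be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def find_rogue_smtp_senders(log_text, mail_server=MAIL_SERVER, lan=LAN, threshold=1):
    """Return {src_ip_str: {"connections": n, "destinations": k}} for LAN hosts
    other than the mail server that opened at least `threshold` outbound TCP/25
    connections. A single host fanning out to many distinct MX hosts is the
    classic direct-to-MX spam bot pattern."""
    conns = Counter()
    dests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != SMTP_PORT:
            continue
        if rec["src"] not in lan or rec["src"] == mail_server:
            continue  # the mail server is supposed to talk to remote MX hosts
        conns[rec["src"]] += 1
        dests[rec["src"]].add(rec["dst"])
    return {
        str(ip): {"connections": n, "destinations": len(dests[ip])}
        for ip, n in conns.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for host, stats in find_rogue_smtp_senders(SAMPLE_LOG).items():
        print(f"{host}: {stats['connections']} outbound SMTP connections to "
              f"{stats['destinations']} distinct MX hosts")
```

Point this at the real NAT device's connection log (adapting `LINE_RE` to its format) and any host it flags is the machine to scan next, regardless of how clean the server looks. The same data also suggests the usual hardening step: allow outbound TCP/25 only from the mail server's internal address at the firewall, so a bot on a workstation cannot reach remote MX hosts directly and the listing cannot recur from that path.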




