TechSpot

[A] Google redirect

Inactive
By Alan28
Mar 12, 2012
  1. I've been fighting a losing battle with the google redirect virus for a while now. I've tried many different software: hitman pro, norton, etc. I get redirected to 'gimmeanswers' 'get-answers-fast' and 'scour'.

    I did not check everything in the malware scan because those files are a part of an anti-virus software I trust.

    Also, the GMER scan did not produce a log.

    Here are the logs:
    ===================================================================

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.12.07

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Alan Kong :: ALANKONG-PC [administrator]

    3/12/2012 8:42:01 PM
    mbam-log-2012-03-12 (20-42-01).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 213749
    Time elapsed: 4 minute(s), 32 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\Program Files (x86)\360\360Safe\ipc\patchcheck.dll (Trojan.Agent) -> No action taken.

    Registry Keys Detected: 2
    HKCR\thunder (Trojan.Agent) -> No action taken.
    HKLM\SOFTWARE\YingSoft (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 5
    C:\Program Files (x86)\360\360Safe\ipc\patchcheck.dll (Trojan.Agent) -> No action taken.
    C:\Windows\System32\drivers\ComputerZ.sys (Trojan.Agent) -> No action taken.
    C:\Windows\System32\drivers\ComputerZ_x64.sys (Trojan.Agent) -> No action taken.
    C:\Windows\SysWOW64\drivers\ComputerZ.sys (Trojan.Agent) -> No action taken.
    C:\Windows\SysWOW64\drivers\ComputerZ_x64.sys (Trojan.Agent) -> No action taken.

    (end)


    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
    Run by Alan Kong at 21:07:30 on 2012-03-12
    Microsoft Windows 7 Home Premium 6.1.7601.1.936.86.1033.18.8140.5654 [GMT -4:00]
    .
    AV: 360杀毒 *Disabled/Updated* {A0FD413B-F662-C08C-7B21-F57CED225A55}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files (x86)\Stardock\MyColors\VistaSrv.exe
    C:\Program Files (x86)\Stardock\MyColors\WBVista.exe
    C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files (x86)\AlienRespawn\sftservice.EXE
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\SecureW2\sw2_service.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\AlienRespawn\Components\Scheduler\STService.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe
    C:\Program Files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe
    C:\Program Files (x86)\SecureW2\sw2_tray.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\SysWOW64\RunDll32.exe
    C:\Program Files\Alienware\Command Center\AWCCServiceController.exe
    C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
    C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher32.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher64.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\Eap3Host.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files (x86)\360\360sd\DumpUper.exe
    C:\Program Files (x86)\360\360sd\360rp.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    mStart Page = about:blank
    mLocal Page =
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: ??à×?????§3?: {889d2feb-5411-4565-8998-1dd2c5261283} - C:\Alan\Software\Thunder\BHO\XunleiBHO7.1.8.2298.dll
    uRun: [360sd] "C:\Program Files (x86)\360\360sd\360sd.exe" /autorun
    uRun: [Trojan Killer] "C:\Program Files (x86)\GridinSoft Trojan Killer\trojankiller.exe" 0
    mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    mRun: [AlienwareOn-ScreenDisplay] C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe
    mRun: [Integrated Webcam Live! Central] "C:\Program Files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe" /mode2
    mRun: [<NO NAME>]
    mRun: [SecureW2 Tray] C:\Program Files (x86)\SecureW2\sw2_tray.exe
    mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [360Safetray] "C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe" /start
    mRun: [3ddown.com_trojankiller-setup] C:\Users\Public\Gforl\Ieop.exe /3ddown.com_trojankiller-setup
    mRunOnce: [Launcher] C:\Program Files (x86)\AlienRespawn\Components\Scheduler\Launcher.exe
    mRunOnce: [Malwarebytes Anti-Malware] C:\Alan\Software\Trojan Killer\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\STARDO~1.LNK - C:\Program Files (x86)\Stardock\MyColors\SDDelayedLaunch.exe
    mPolicies-explorer: NoInternetIcon = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Download all by FlashGet3 - C:\Users\Alan Kong\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
    IE: Download by FlashGet3 - C:\Users\Alan Kong\AppData\Roaming\FlashGetBHO\GetUrl.htm
    IE: 使用迅雷下载 - C:\Alan\Software\Thunder\BHO\geturl.htm
    IE: 使用迅雷下载全部链接 - C:\Alan\Software\Thunder\BHO\GetAllUrl.htm
    IE: 导出到 Microsoft Office Excel(&X) - C:\PROGRA~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
    DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    TCP: DhcpNameServer = 141.211.144.17 141.211.125.17
    TCP: Interfaces\{6AD5FA49-BE34-4CD7-91E7-6664C2608721} : DhcpNameServer = 141.211.144.17 141.211.125.17
    TCP: Interfaces\{6AD5FA49-BE34-4CD7-91E7-6664C2608721}\14461616E6464596E616 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{6AD5FA49-BE34-4CD7-91E7-6664C2608721}\14C616E6B4 : DhcpNameServer = 75.75.76.76 75.75.75.75
    TCP: Interfaces\{6AD5FA49-BE34-4CD7-91E7-6664C2608721}\2416D626F6F6541676C656 : DhcpNameServer = 141.211.144.17 141.211.125.17 192.168.1.1
    TCP: Interfaces\{6AD5FA49-BE34-4CD7-91E7-6664C2608721}\64D4D213331323 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{6AD5FA49-BE34-4CD7-91E7-6664C2608721}\74F60224C65756 : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{6AD5FA49-BE34-4CD7-91E7-6664C2608721}\85948594D2A414D49454 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{6AD5FA49-BE34-4CD7-91E7-6664C2608721}\D475962756C6563737D2341454E4 : DhcpNameServer = 141.212.2.81 141.212.2.69 141.213.73.83 141.211.125.15
    TCP: Interfaces\{B6E3C3D8-0B89-4B11-8162-1DBECB7B467F} : DhcpNameServer = 192.168.1.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: ??à×?????§3?: {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Alan\Software\Thunder\BHO\XunleiBHO7.1.8.2298.dll
    BHO-X64: XunleiBHO - No File
    mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    mRun-x64: [AlienwareOn-ScreenDisplay] C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe
    mRun-x64: [Integrated Webcam Live! Central] "C:\Program Files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe" /mode2
    mRun-x64: [(Default)]
    mRun-x64: [SecureW2 Tray] C:\Program Files (x86)\SecureW2\sw2_tray.exe
    mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [360Safetray] "C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe" /start
    mRun-x64: [3ddown.com_trojankiller-setup] C:\Users\Public\Gforl\Ieop.exe /3ddown.com_trojankiller-setup
    mRunOnce-x64: [Launcher] C:\Program Files (x86)\AlienRespawn\Components\Scheduler\Launcher.exe
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Alan\Software\Trojan Killer\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    AppInit_DLLs-X64: C:\Windows\SysWOW64\nvinit.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B8f0a195c-711d-4f8a-bae7-72b68375630f%7D&mid=e0e2a427d1ed47d181a611827e2a541d-d0ed6da425414e7864772c92feef566adace9aad&ds=tg028&v=8.0.0.34.1&lang=en&pr=sa&d=2011-09-15%2017%3A10%3A13&sap=ku&q=
    FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
    FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
    FF - component: C:\Users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\{1B33E42F-EF14-4cd3-B6DC-174571C4349C}\components\ThunderComponent.dll
    FF - component: C:\Users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\{DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}\components\FlashGetXPI.dll
    FF - plugin: C:\Alan\Software\iTunes\Mozilla Plugins\npitunes.dll
    FF - plugin: C:\Alan\Software\椋庨浄褰遍煶\Mozilla\nppl3260.dll
    FF - plugin: C:\Alan\Software\椋庨浄褰遍煶\Mozilla\npqtplugin.dll
    FF - plugin: C:\Alan\Software\椋庨浄褰遍煶\Mozilla\nprpjplug.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\np360MMPlugIn.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
    FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
    FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    FF - plugin: C:\Users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}\plugins\npww.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 EMSC;COMPAL Embedded System Control;C:\Windows\System32\drivers\EMSC.sys [2009-6-26 13680]
    R0 nvpciflt;nvpciflt;C:\Windows\system32\DRIVERS\nvpciflt.sys --> C:\Windows\system32\DRIVERS\nvpciflt.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\system32\DRIVERS\stdcfltn.sys --> C:\Windows\system32\DRIVERS\stdcfltn.sys [?]
    R1 360Box64;360Box mini-filter driver;C:\Windows\system32\DRIVERS\360Box64.sys --> C:\Windows\system32\DRIVERS\360Box64.sys [?]
    R1 360FsFlt;360FsFlt mini-filter driver;C:\Windows\system32\DRIVERS\360FsFlt.sys --> C:\Windows\system32\DRIVERS\360FsFlt.sys [?]
    R1 360netmon;360netmon;C:\Windows\system32\DRIVERS\360netmon.sys --> C:\Windows\system32\DRIVERS\360netmon.sys [?]
    R1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2011-10-29 23208]
    R1 BAPIDRV;BAPIDRV;C:\Windows\system32\Drivers\BAPIDRV64.SYS --> C:\Windows\system32\Drivers\BAPIDRV64.SYS [?]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 360rp;360 杀毒实时防护服务;C:\Program Files (x86)\360\360sd\360rp.exe [2010-12-10 939352]
    R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2011-10-29 2979280]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-10-21 89600]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-1-24 13336]
    R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\AlienRespawn\SftService.exe [2011-1-24 689472]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-3-9 378472]
    R2 SW2SVC;SecureW2 Service;C:\Program Files (x86)\SecureW2\sw2_service.exe [2010-11-12 118152]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-7-13 2655768]
    R2 ZhuDongFangYu;主动防御;C:\Program Files (x86)\360\360Safe\deepscan\ZhuDongFangYu.exe [2011-3-15 272728]
    R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Accelern.sys --> C:\Windows\system32\DRIVERS\Accelern.sys [?]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
    R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
    R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
    R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
    S1 EfiMon;EfiSystemMon;C:\Windows\system32\Drivers\Efimon.sys --> C:\Windows\system32\Drivers\Efimon.sys [?]
    S2 CLKMSVC10_9EC60124;CyberLink Product - 2011/01/24 09:09:40;C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-9-28 254448]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-9-4 219632]
    S3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2011-10-29 63880]
    S3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\system32\drivers\btwampfl.sys --> C:\Windows\system32\drivers\btwampfl.sys [?]
    S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\A837.tmp --> C:\Windows\system32\A837.tmp [?]
    S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-1-5 340240]
    S3 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-1-24 2009704]
    S3 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\Cyberlink\Shared files\RichVideo64.exe [2011-3-3 386344]
    S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-9-4 1116656]
    S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
    S3 SWDUMon;SWDUMon;C:\Windows\system32\DRIVERS\SWDUMon.sys --> C:\Windows\system32\DRIVERS\SWDUMon.sys [?]
    S3 tcphoc;tcphoc;C:\Alan\Software\Thunder\XLDoctor\7.1.7.2244_3\Program\tcphoc.sys [2011-3-23 8488]
    S3 TFsExDisk;TFsExDisk;\??\C:\Windows\System32\Drivers\TFsExDisk.sys --> C:\Windows\System32\Drivers\TFsExDisk.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
    S3 XLDoctor Service;XLDoctor Service;C:\Windows\system32\svchost -k DoctorService --> C:\Windows\system32\svchost -k DoctorService [?]
    .
    =============== File Associations ===============
    .
    VBEFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
    VBSFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2012-03-13 00:40:29 -------- d-----w- C:\Users\Alan Kong\AppData\Roaming\Malwarebytes
    2012-03-13 00:40:11 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-03-13 00:40:10 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-03-13 00:24:37 -------- d-sh--r- C:\360SANDBOX
    2012-03-13 00:01:46 18816 ------w- C:\Windows\SysWow64\SAVRKBootTasks.sys
    2012-03-12 23:49:12 12872 ----a-w- C:\Windows\System32\bootdelete.exe
    2012-03-12 23:42:51 -------- d-----w- C:\ProgramData\HitmanPro
    2012-03-12 23:35:05 6144 ------w- C:\Windows\System32\A837.tmp
    2012-03-12 23:34:37 6144 ------w- C:\Windows\System32\3A76.tmp
    2012-03-12 19:34:44 -------- d-----w- C:\Windows\SysWow64\YingInstall
    2012-03-11 08:34:46 413760 ----a-w- C:\Windows\System32\MPG4C32.DLL
    2012-03-11 08:34:46 262416 ----a-w- C:\Windows\System32\MPG4DS32.AX
    2012-03-09 12:09:38 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{00795044-9D50-492B-9427-5FD6F3BA3AB5}\mpengine.dll
    2012-02-28 02:23:24 -------- d-----w- C:\Program Files\AlienAutopsy
    2012-02-24 05:00:29 -------- d-----w- C:\ProgramData\Solidshield
    2012-02-24 04:52:59 -------- d-----w- C:\Users\Alan Kong\AppData\Roaming\Ubisoft
    2012-02-24 04:51:27 -------- d-----w- C:\ProgramData\Tages
    2012-02-24 03:51:36 -------- d-----w- C:\Users\Alan Kong\AppData\Roaming\Stardock
    2012-02-24 03:51:24 -------- d-----w- C:\ProgramData\Gibraltar
    2012-02-24 03:51:05 -------- d-----w- C:\ProgramData\Stardock
    2012-02-24 03:50:39 -------- d--h--w- C:\ProgramData\{F17D9C21-2BB9-4DE6-A952-721D90A7029A}
    2012-02-15 03:22:37 3145728 ----a-w- C:\Windows\System32\win32k.sys
    2012-02-15 03:20:30 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
    2012-02-15 03:20:30 634880 ----a-w- C:\Windows\System32\msvcrt.dll
    2012-02-15 03:18:19 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
    2012-02-15 03:12:27 509952 ----a-w- C:\Windows\System32\ntshrui.dll
    2012-02-15 03:12:27 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
    2012-02-15 03:12:26 515584 ----a-w- C:\Windows\System32\timedate.cpl
    2012-02-15 03:12:26 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
    .
    ==================== Find3M ====================
    .
    2012-03-06 07:34:29 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
    2012-02-21 15:45:44 354904 ----a-w- C:\Windows\System32\drivers\360fsflt.sys
    2011-12-23 08:35:28 274008 ----a-w- C:\Windows\System32\drivers\360Box64.sys
    2011-12-20 15:10:48 17192 ----a-w- C:\Windows\System32\nitrolocalui2.dll
    2011-12-20 15:10:46 28968 ----a-w- C:\Windows\System32\nitrolocalmon2.dll
    2011-12-14 07:11:03 2308096 ----a-w- C:\Windows\System32\jscript9.dll
    2011-12-14 07:04:30 1390080 ----a-w- C:\Windows\System32\wininet.dll
    2011-12-14 07:03:38 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
    2011-12-14 06:57:28 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-12-14 03:04:54 1798656 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2011-12-14 02:57:18 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-12-14 02:56:58 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2011-12-14 02:50:04 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    .
    ============= FINISH: 21:07:42.34 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/28/2011 7:03:51 PM
    System Uptime: 3/12/2012 8:23:43 PM (1 hours ago)
    .
    Motherboard: Alienware | | M17xR3
    Processor: Intel(R) Core(TM) i7-2820QM CPU @ 2.30GHz | CPU1 | 2301/1333mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 1383 GiB total, 995.651 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP318: 2/29/2012 2:05:32 AM - Windows Defender Checkpoint
    RP319: 2/29/2012 3:00:10 AM - Windows Update
    RP320: 3/6/2012 12:56:52 PM - Windows Update
    RP321: 3/12/2012 4:30:29 PM - Removed Java(TM) 6 Update 23
    .
    ==== Installed Programs ======================
    .
    360°2è??àê?
    360安全卫士
    360杀毒
    360硬件大师
    A Murder of Crows
    AccelerometerP11
    Adobe AIR
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader 9.5.0
    Adobe Stock Photos 1.0
    Advanced Audio FX Engine
    AlienRespawn
    AlienRespawn - Support Software
    Alienware M17x Manual
    Alienware On-Screen Display
    Apple Application Support
    Apple Software Update
    Artificial Girl 3
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    Banctec Service Agreement
    Chinese Simplified Fonts Support For Adobe Reader 9
    Cities XL
    Collab
    Comcast Desktop Software (v1.2.0.9)
    Command Center
    Compatibility Pack for the 2007 Office system
    CyberLink PowerDirector
    CyberLink PowerDVD 9.6
    CyberLink WaveEditor
    DAEMON Tools Lite
    Dawn of Discovery
    Dawn of Discovery - Gold Edition
    Dawn of Discovery? Gold
    Dev-C++ 5 beta 9 release (4.9.9.2)
    DirectX 9 Runtime
    DriverUpdate
    EMSC
    Emsisoft Anti-Malware
    Family Tree Maker 2012
    FL Studio 8
    FlashGet 3.7
    GoToAssist Corporate
    Hotfix for Microsoft Visual C++ 2010 Express - ENU (KB2542054)
    IDT Audio
    IL Download Manager
    Impulse?
    Impulse?REMOVE
    Integrated Webcam Live! Central
    Intel(R) Control Center
    Intel(R) Management Engine Components
    Intel(R) Processor Graphics
    Intel(R) Rapid Storage Technology
    Java Auto Updater
    Java(TM) 6 Update 23
    K-Lite Codec Pack 8.4.0 (Standard)
    LIMBO
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft Primary Interoperability Assemblies 2005
    Microsoft Silverlight
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server System CLR Types
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
    Microsoft Visual C++ 2010 Express - ENU
    Microsoft Visual Studio 2010 Shell (Isolated) - ENU
    Mozilla Firefox 10.0.2 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA 3D Vision Controller Driver
    NVIDIA PhysX
    NVIDIA Stereoscopic 3D Driver
    OpenAL
    Pando Media Booster
    PC Connectivity Solution
    PCSX2 黎明破晓前
    PhotoShowExpress
    PoiZone
    PrimoPDF -- brought to you by Nitro PDF Software
    QuickTime
    r.u.s.e
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek PCIE Card Reader
    RealUpgrade 1.1
    Renesas Electronics USB 3.0 Host Controller Driver
    Rosetta Stone Version 3
    Roxio Activation Module
    Roxio BackOnTrack
    Roxio Burn
    Roxio Creator Starter
    Roxio Express Labeler 3
    SchoolMate
    SecureW2 Enterprise Client 3.5.0
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Visual C++ 2010 Express - ENU (KB2251489)
    Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
    Sid Meier's Civilization IV: Beyond the Sword
    Sins of a Solar Empire Trinity
    Skype? 4.2
    SmartSound Quicktracks 5
    Sonic CinePlayer Decoder Pack
    Sophos Anti-Rootkit 1.5.20
    SotS Tutorial Videos
    StarCraft II
    Stardock Central
    Stardock MyColors
    Steam
    Stronghold 2 Deluxe
    Tech48
    Tencent QQ
    The Complete National Geographic
    The Elder Scrolls V: Skyrim
    Toxic Biohazard
    Trojan Killer 2.1
    Ubisoft Game Launcher
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Wanko to Kurasou English v1.0
    Windows Media Encoder 9 Series
    WinRAR archiver
    World of Warcraft
    神鬼寓言3
    质量效应2简体中文完整增强版
    迅雷7
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/8/2012 2:16:21 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/8/2012 12:22:39 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/7/2012 11:15:19 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/6/2012 8:14:02 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/6/2012 3:26:07 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/6/2012 10:23:09 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/5/2012 2:40:10 AM, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
    3/12/2012 8:43:51 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/12/2012 8:31:22 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/12/2012 8:28:00 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/12/2012 8:25:15 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: EfiMon SAVRKBootTasks
    3/12/2012 8:25:04 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
    3/12/2012 8:24:17 PM, Error: Application Popup [1060] - \SystemRoot\System32\Drivers\Efimon.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    3/12/2012 7:35:05 PM, Error: Service Control Manager [7000] - The MEMSWEEP2 service failed to start due to the following error: This driver has been blocked from loading
    3/12/2012 7:35:05 PM, Error: Application Popup [1060] - \??\C:\Windows\system32\A837.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    3/12/2012 7:34:37 PM, Error: Application Popup [1060] - \??\C:\Windows\system32\3A76.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    3/12/2012 6:26:00 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/12/2012 2:57:27 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/12/2012 2:08:27 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: EfiMon
    3/12/2012 12:00:11 AM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/11/2012 8:19:41 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR7.
    3/11/2012 8:13:59 PM, Error: Disk [11] - The driver detected a controller error on \...\DR1.
    3/11/2012 12:08:04 AM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: D@01010004
    3/10/2012 6:04:29 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/10/2012 2:10:41 AM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/10/2012 12:20:11 AM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/10/2012 11:11:19 PM, Error: Service Control Manager [7031] - The 360 杀毒实时防护服务 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    .
    ==== End Of File ===========================
     
  2. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================================================

    Your MBAM log says "No action taken".
    Re-run it, FIX all issues, post new log.

    Then....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  3. Alan28

    Alan28 TS Rookie Topic Starter

    I think there was an error during the boot_cleaner scan
    logs:
    ---------------------

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.12.07

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Alan Kong :: ALANKONG-PC [administrator]

    3/12/2012 9:40:29 PM
    mbam-log-2012-03-12 (21-40-29).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 213845
    Time elapsed: 50 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\Program Files (x86)\360\360Safe\ipc\patchcheck.dll (Trojan.Agent) -> Delete on reboot.

    Registry Keys Detected: 1
    HKCR\thunder (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 5
    C:\Program Files (x86)\360\360Safe\ipc\patchcheck.dll (Trojan.Agent) -> Delete on reboot.
    C:\Windows\System32\drivers\ComputerZ.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\System32\drivers\ComputerZ_x64.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\SysWOW64\drivers\ComputerZ.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\SysWOW64\drivers\ComputerZ_x64.sys (Trojan.Agent) -> Quarantined and deleted successfully.

    (end)


    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-12 22:44:20
    -----------------------------
    22:44:20.702 OS Version: Windows x64 6.1.7601 Service Pack 1
    22:44:20.702 Number of processors: 8 586 0x2A07
    22:44:20.702 ComputerName: ALANKONG-PC UserName: Alan Kong
    22:44:35.615 Initialize success
    22:45:40.240 AVAST engine defs: 12031200
    22:47:13.299 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    22:47:13.300 Disk 0 Vendor: Intel___ 1.0. Size: 1430805MB BusType: 8
    22:47:13.318 Disk 0 MBR read successfully
    22:47:13.319 Disk 0 MBR scan
    22:47:13.325 Disk 0 Windows VISTA default MBR code
    22:47:13.328 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
    22:47:13.341 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 81920
    22:47:13.355 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 1415764 MB offset 30801920
    22:47:13.407 Disk 0 scanning C:\Windows\system32\drivers
    22:47:28.597 Service scanning
    22:47:54.947 Modules scanning
    22:47:54.955 Disk 0 trace - called modules:
    22:47:54.971 ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys iaStor.sys hal.dll
    22:47:55.298 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800994d790]
    22:47:55.300 3 CLASSPNP.SYS[fffff8800185b43f] -> nt!IofCallDriver -> [0xfffffa8009862cb0]
    22:47:55.303 5 stdcfltn.sys[fffff88001b6bc52] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007e41050]
    22:47:56.922 AVAST engine scan C:\Windows
    22:47:59.642 AVAST engine scan C:\Windows\system32
    22:52:53.087 AVAST engine scan C:\Windows\system32\drivers
    22:53:09.071 AVAST engine scan C:\Users\Alan Kong
    22:57:16.482 AVAST engine scan C:\ProgramData
    22:59:35.569 Scan finished successfully
    23:01:16.603 Disk 0 MBR has been saved successfully to "C:\Users\Alan Kong\Desktop\MBR.dat"
    23:01:16.606 The log file has been saved successfully to "C:\Users\Alan Kong\Desktop\aswMBR.txt"


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
    , 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`ac000000
    ATA_Read(): DeviceIoControl() ERROR 87
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    1397 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  4. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. Alan28

    Alan28 TS Rookie Topic Starter

    Here's the combofix log, thanks:
    ----------------------------------------

    ComboFix 12-03-13.01 - Alan Kong 3/2012 Tue 21:42:58.1.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.936.86.1033.18.8140.5893 [GMT -4:00]
    执行位置: c:\users\Alan Kong\Desktop\ComboFix.exe
    AV: 360杀毒 *Disabled/Updated* {A0FD413B-F662-C08C-7B21-F57CED225A55}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    Error: Cfiles.dat
    .
    ((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\360Rec
    c:\360rec\20110707\063E959.vir
    c:\360rec\20111029\0102E45.vir
    c:\360rec\20111104\1508D90.vir
    c:\360rec\20111125\1957001.vir
    c:\360rec\20120101\122E9F9.vir
    c:\360rec\20120101\122EAA6.vir
    c:\360rec\20120101\122EAF5.vir
    c:\360rec\20120101\122EB34.vir
    c:\360rec\20120101\122EB83.vir
    c:\360rec\20120101\122EBD2.vir
    c:\360rec\20120101\122EC02.vir
    c:\360rec\20120221\215E437.vir
    c:\program files (x86)\Downloaded Installers
    c:\program files (x86)\Downloaded Installers\{232769d5-3512-4e0f-bad3-3b41b5a8feba}\setup.msi
    c:\programdata\Roaming
    c:\users\Alan Kong\AppData\Local\Tempals_inst.exe
    c:\users\Alan Kong\AppData\Roaming\360SE
    c:\users\Alan Kong\AppData\Roaming\360SE\pd\se_june2.ini
    c:\users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\{e7a0702a-a9e0-451f-83bf-189836587a64}
    c:\users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\{e7a0702a-a9e0-451f-83bf-189836587a64}\chrome\xulcache.jar
    c:\users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\{e7a0702a-a9e0-451f-83bf-189836587a64}\defaults\preferences\xulcache.js
    c:\users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\{e7a0702a-a9e0-451f-83bf-189836587a64}\install.rdf
    c:\users\Alan Kong\GoToAssistDownloadHelper.exe
    c:\windows\SysWow64\YingInstall
    c:\windows\SysWow64\YingInstall\804.ini
    .
    .
    ((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_Live
    .
    .
    ((((((((((((((((((((((((( 2012-02-14 至 2012-03-14 的新的档案 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-14 01:48 . 2012-03-14 01:48 -------- d-----w- C:\360Rec
    2012-03-13 00:40 . 2012-03-13 00:40 -------- d-----w- c:\users\Alan Kong\AppData\Roaming\Malwarebytes
    2012-03-13 00:40 . 2012-03-13 00:40 -------- d-----w- c:\programdata\Malwarebytes
    2012-03-13 00:40 . 2011-12-10 19:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-13 00:01 . 2011-05-12 18:05 18816 ------w- c:\windows\SysWow64\SAVRKBootTasks.sys
    2012-03-12 23:49 . 2012-03-12 23:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2012-03-12 23:42 . 2012-03-12 23:49 -------- d-----w- c:\programdata\HitmanPro
    2012-03-12 23:35 . 2011-05-12 18:03 6144 ------w- c:\windows\system32\A837.tmp
    2012-03-12 23:34 . 2011-05-12 18:03 6144 ------w- c:\windows\system32\3A76.tmp
    2012-03-12 19:20 . 2012-03-12 19:20 -------- d-----w- c:\users\Public\msnc
    2012-03-12 19:20 . 2012-03-12 23:49 -------- d-----w- c:\users\Public\Gforl
    2012-03-11 08:34 . 2002-08-15 20:00 413760 ----a-w- c:\windows\system32\MPG4C32.DLL
    2012-03-11 08:34 . 2000-08-09 01:31 262416 ----a-w- c:\windows\system32\MPG4DS32.AX
    2012-03-09 12:09 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{00795044-9D50-492B-9427-5FD6F3BA3AB5}\mpengine.dll
    2012-02-28 02:23 . 2012-02-28 02:23 -------- d-----w- c:\program files\AlienAutopsy
    2012-02-24 05:00 . 2012-02-24 05:00 -------- d-----w- c:\programdata\Solidshield
    2012-02-24 04:52 . 2012-02-24 05:00 -------- d-----w- c:\users\Alan Kong\AppData\Roaming\Ubisoft
    2012-02-24 04:51 . 2012-02-24 04:52 -------- d-----w- c:\programdata\Tages
    2012-02-24 03:51 . 2012-02-24 03:52 -------- d-----w- c:\users\Alan Kong\AppData\Roaming\Stardock
    2012-02-24 03:51 . 2012-02-24 03:51 -------- d-----w- c:\programdata\Gibraltar
    2012-02-24 03:51 . 2012-02-24 03:51 -------- d-----w- c:\programdata\Stardock
    2012-02-24 03:50 . 2012-02-24 03:51 -------- d--h--w- c:\programdata\{F17D9C21-2BB9-4DE6-A952-721D90A7029A}
    2012-02-15 03:22 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
    2012-02-15 03:20 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-15 03:20 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
    2012-02-15 03:18 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-15 03:12 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
    2012-02-15 03:12 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
    2012-02-15 03:12 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
    2012-02-15 03:12 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-06 07:34 . 2012-02-05 09:12 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-02-23 14:18 . 2011-01-29 01:02 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-02-21 15:45 . 2011-01-29 07:12 354904 ----a-w- c:\windows\system32\drivers\360fsflt.sys
    2012-02-05 17:29 . 2011-02-04 05:44 84192 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    2012-02-05 17:28 . 2011-09-14 17:50 112832 ----a-w- c:\programdata\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
    2011-12-23 08:35 . 2011-12-07 18:00 274008 ----a-w- c:\windows\system32\drivers\360Box64.sys
    2011-12-20 15:10 . 2012-01-17 06:47 17192 ----a-w- c:\windows\system32\nitrolocalui2.dll
    2011-12-20 15:10 . 2012-01-17 06:47 28968 ----a-w- c:\windows\system32\nitrolocalmon2.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "360sd"="c:\program files (x86)\360\360sd\360sd.exe" [2010-12-08 1529256]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-09-13 283160]
    "AlienwareOn-ScreenDisplay"="c:\program files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe" [2011-03-08 1635696]
    "Integrated Webcam Live! Central"="c:\program files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe" [2010-08-20 487562]
    "SecureW2 Tray"="c:\program files (x86)\SecureW2\sw2_tray.exe" [2010-11-12 279944]
    "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "360Safetray"="c:\program files (x86)\360\360Safe\safemon\360Tray.exe" [2011-12-07 558680]
    "3ddown.com_trojankiller-setup"="c:\users\Public\Gforl\Ieop.exe" [2012-03-12 23508678]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
    Stardock MyColors.lnk - c:\program files (x86)\Stardock\MyColors\SDDelayedLaunch.exe [2009-12-15 11520]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    IconPackager.lnk - c:\program files (x86)\Stardock\MyColors\IconPackager.exe [2009-12-16 1387688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
    .
    R1 EfiMon;EfiSystemMon;c:\windows\system32\Drivers\Efimon.sys [x]
    R2 CLKMSVC10_9EC60124;CyberLink Product - 2011/01/24 09:09;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-09-28 254448]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-09-04 219632]
    R3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [2011-11-04 63880]
    R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
    R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A837.tmp [x]
    R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-01-05 340240]
    R3 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-03-21 2009704]
    R3 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\Cyberlink\Shared files\RichVideo64.exe [2010-08-19 386344]
    R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-09-04 1116656]
    R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
    R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [x]
    R3 tcphoc;tcphoc;c:\alan\Software\Thunder\XLDoctor\7.1.7.2244_3\Program\tcphoc.sys [2011-03-23 8488]
    R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
    R3 XLDoctor Service;XLDoctor Service;c:\windows\system32\svchost [x]
    S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
    S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [x]
    S1 360Box64;360Box mini-filter driver;c:\windows\system32\DRIVERS\360Box64.sys [x]
    S1 360FsFlt;360FsFlt mini-filter driver;c:\windows\system32\DRIVERS\360FsFlt.sys [x]
    S1 360netmon;360netmon;c:\windows\system32\DRIVERS\360netmon.sys [x]
    S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2011-05-19 23208]
    S1 BAPIDRV;BAPIDRV;c:\windows\System32\Drivers\BAPIDRV64.SYS [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 360rp;360 杀毒实时防护服务;c:\program files (x86)\360\360sd\360rp.exe [2010-12-10 939352]
    S2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe [2011-11-04 2979280]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-13 13336]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\AlienRespawn\sftservice.EXE [2010-08-20 689472]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-03-09 378472]
    S2 SW2SVC;SecureW2 Service;c:\program files (x86)\SecureW2\sw2_service.exe [2010-11-12 118152]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-12-09 2655768]
    S2 ZhuDongFangYu;主动防御;c:\program files (x86)\360\360Safe\deepscan\zhudongfangyu.exe [2012-02-17 276960]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    *Deregistered* - CLKMDRV10_9EC60124
    *Deregistered* - qutmdserv
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan sysagent
    DoctorService REG_MULTI_SZ XLDoctor Service
    .
    ‘计划任务’ 文件夹 里的内容
    .
    2012-03-14 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\AlienAutopsy\uaclauncher.exe [2012-02-07 23:24]
    .
    2012-03-14 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\AlienAutopsy\uaclauncher.exe [2012-02-07 23:24]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Command Center Controllers"="c:\program files\Alienware\Command Center\AWCCStartupOrchestrator.exe" [2010-11-10 13256]
    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-01-05 1933584]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-03-09 312936]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-17 1128448]
    "FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-17 686704]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-08-31 167704]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-08-31 392472]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-08-31 416024]
    "combofix"="c:\combofix\CF30240.3XE" [2010-11-20 345088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    "AppInit_DLLs"=c:\windows\System32\nvinitx.dll
    .
    ------- 而外的扫描 -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mStart Page = about:blank
    mLocal Page =
    uInternet Settings,ProxyOverride = *.local
    IE: Download all by FlashGet3 - c:\users\Alan Kong\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
    IE: Download by FlashGet3 - c:\users\Alan Kong\AppData\Roaming\FlashGetBHO\GetUrl.htm
    IE: 使用迅雷下载 - c:\alan\Software\Thunder\BHO\geturl.htm
    IE: 使用迅雷下载全部链接 - c:\alan\Software\Thunder\BHO\GetAllUrl.htm
    IE: 导出到 Microsoft Office Excel(&X) - c:\progra~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 141.211.144.17 141.211.125.17
    DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
    FF - ProfilePath - c:\users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B8f0a195c-711d-4f8a-bae7-72b68375630f%7D&mid=e0e2a427d1ed47d181a611827e2a541d-d0ed6da425414e7864772c92feef566adace9aad&ds=tg028&v=8.0.0.34.1&lang=en&pr=sa&d=2011-09-15%2017%3A10%3A13&sap=ku&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Wow6432Node-HKCU-Run-Trojan Killer - c:\program files (x86)\GridinSoft Trojan Killer\trojankiller.exe
    Toolbar-Locked - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    HKLM-Run-(Default) - (no file)
    .
    .
    "ImagePath"="\"c:\program files\Cyberlink\Shared files\RichVideo64.exe\"\00Z
    [\]^_?\00?\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~?\00?\00\00\00?\00\00\00\00\00\00\00 "
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\A837.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1595919775-4157470039-2895891653-1001\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
    "PositionInfo-Monitor1"=hex:f7,01,00,00,04,01,00,00,00,00,00,00,00,00,00,00
    .
    [HKEY_USERS\S-1-5-21-1595919775-4157470039-2895891653-1001\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]
    "Value"=multi:"\00\00"
    "Maximum Entries"=dword:0000000a
    .
    [HKEY_USERS\S-1-5-21-1595919775-4157470039-2895891653-1001\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]
    "Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
    90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ 其他运行进程 ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    完成时间: 2012-03-13 21:51:45 - 电脑已重新启动
    ComboFix-quarantined-files.txt 2012-03-14 01:51
    .
    Pre-Run: 1,068,526,157,824 bytes free
    Post-Run: 1,067,963,314,176 bytes free
    .
    - - End Of File - - 7048D8EF71D296029773539F9B0ACCDF
     
  6. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    How is redirection?

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\3A76.tmp
    c:\windows\system32\A837.tmp
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  7. Alan28

    Alan28 TS Rookie Topic Starter

    Google search is still redirecting me to random sites. I think it may have something to do with Java because the Java icon kept popping up.

    Here's the log, thanks
    --------------------------

    ComboFix 12-03-13.01 - Alan Kong 3/2012 Tue 23:47:08.2.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.936.86.1033.18.8140.6282 [GMT -4:00]
    执行位置: c:\users\Alan Kong\Desktop\ComboFix.exe
    Command switches used :: c:\users\Alan Kong\Desktop\CFScript.txt
    AV: 360杀毒 *Disabled/Updated* {A0FD413B-F662-C08C-7B21-F57CED225A55}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\3A76.tmp"
    "c:\windows\system32\A837.tmp"
    .
    Error: Cfiles.dat
    .
    ((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\360Rec
    c:\windows\system32\3A76.tmp
    c:\windows\system32\A837.tmp
    .
    .
    ((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_MEMSWEEP2
    .
    .
    ((((((((((((((((((((((((( 2012-02-14 至 2012-03-14 的新的档案 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-14 03:53 . 2012-03-14 03:53 -------- d-----w- C:\360Rec
    2012-03-14 03:52 . 2012-03-14 03:52 -------- d-----r- C:\360SANDBOX
    2012-03-13 18:35 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-03-13 18:35 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-03-13 18:35 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-03-13 18:35 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-03-13 18:35 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-03-13 18:35 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-03-13 18:35 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-03-13 00:40 . 2012-03-13 00:40 -------- d-----w- c:\users\Alan Kong\AppData\Roaming\Malwarebytes
    2012-03-13 00:40 . 2012-03-13 00:40 -------- d-----w- c:\programdata\Malwarebytes
    2012-03-13 00:40 . 2011-12-10 19:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-13 00:01 . 2011-05-12 18:05 18816 ------w- c:\windows\SysWow64\SAVRKBootTasks.sys
    2012-03-12 23:49 . 2012-03-12 23:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2012-03-12 23:42 . 2012-03-12 23:49 -------- d-----w- c:\programdata\HitmanPro
    2012-03-12 19:20 . 2012-03-12 19:20 -------- d-----w- c:\users\Public\msnc
    2012-03-12 19:20 . 2012-03-12 23:49 -------- d-----w- c:\users\Public\Gforl
    2012-03-11 08:34 . 2002-08-15 20:00 413760 ----a-w- c:\windows\system32\MPG4C32.DLL
    2012-03-11 08:34 . 2000-08-09 01:31 262416 ----a-w- c:\windows\system32\MPG4DS32.AX
    2012-03-09 12:09 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{00795044-9D50-492B-9427-5FD6F3BA3AB5}\mpengine.dll
    2012-02-28 02:23 . 2012-02-28 02:23 -------- d-----w- c:\program files\AlienAutopsy
    2012-02-24 05:00 . 2012-02-24 05:00 -------- d-----w- c:\programdata\Solidshield
    2012-02-24 04:52 . 2012-02-24 05:00 -------- d-----w- c:\users\Alan Kong\AppData\Roaming\Ubisoft
    2012-02-24 04:51 . 2012-02-24 04:52 -------- d-----w- c:\programdata\Tages
    2012-02-24 03:51 . 2012-02-24 03:52 -------- d-----w- c:\users\Alan Kong\AppData\Roaming\Stardock
    2012-02-24 03:51 . 2012-02-24 03:51 -------- d-----w- c:\programdata\Gibraltar
    2012-02-24 03:51 . 2012-02-24 03:51 -------- d-----w- c:\programdata\Stardock
    2012-02-24 03:50 . 2012-02-24 03:51 -------- d--h--w- c:\programdata\{F17D9C21-2BB9-4DE6-A952-721D90A7029A}
    2012-02-15 03:22 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
    2012-02-15 03:20 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-15 03:20 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
    2012-02-15 03:18 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-15 03:12 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
    2012-02-15 03:12 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
    2012-02-15 03:12 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
    2012-02-15 03:12 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-06 07:34 . 2012-02-05 09:12 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-02-23 14:18 . 2011-01-29 01:02 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-02-21 15:45 . 2011-01-29 07:12 354904 ----a-w- c:\windows\system32\drivers\360fsflt.sys
    2012-02-05 17:29 . 2011-02-04 05:44 84192 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    2012-02-05 17:28 . 2011-09-14 17:50 112832 ----a-w- c:\programdata\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
    2011-12-23 08:35 . 2011-12-07 18:00 274008 ----a-w- c:\windows\system32\drivers\360Box64.sys
    2011-12-20 15:10 . 2012-01-17 06:47 17192 ----a-w- c:\windows\system32\nitrolocalui2.dll
    2011-12-20 15:10 . 2012-01-17 06:47 28968 ----a-w- c:\windows\system32\nitrolocalmon2.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-14_01.48.47 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-14 04:54 . 2012-03-14 01:48 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-03-14 03:52 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-03-14 03:52 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-03-14 01:48 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-03-14 01:48 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-03-14 03:52 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-01-24 14:31 . 2012-03-14 03:19 59852 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-03-14 03:19 34916 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-01-29 00:46 . 2012-03-14 03:19 21988 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1595919775-4157470039-2895891653-1001_UserData.bin
    + 2012-03-13 18:35 . 2012-01-25 06:38 77312 c:\windows\system64\rdpwsx.dll
    - 2011-06-23 04:34 . 2010-11-20 13:27 77312 c:\windows\system64\rdpwsx.dll
    - 2009-07-14 00:16 . 2009-07-14 00:16 23552 c:\windows\system64\drivers\tdtcp.sys
    + 2012-03-13 18:35 . 2012-02-17 04:57 23552 c:\windows\system64\drivers\tdtcp.sys
    + 2011-01-24 14:31 . 2012-03-14 03:19 59852 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-03-14 03:19 34916 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-01-29 00:46 . 2012-03-14 03:19 21988 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1595919775-4157470039-2895891653-1001_UserData.bin
    + 2009-07-14 04:46 . 2012-03-14 03:20 91680 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2012-03-13 18:35 . 2012-01-25 06:33 9216 c:\windows\system64\rdrmemptylst.exe
    - 2011-01-24 16:22 . 2012-03-14 01:47 2190 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat
    + 2011-01-24 16:22 . 2012-03-14 03:51 2190 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat
    - 2012-03-14 01:48 . 2012-03-14 01:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-03-14 03:52 . 2012-03-14 03:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-03-14 03:52 . 2012-03-14 03:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-03-14 01:48 . 2012-03-14 01:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-06-23 04:34 . 2010-11-20 13:27 149504 c:\windows\system64\rdpcorekmts.dll
    + 2012-03-13 18:35 . 2012-01-25 06:38 149504 c:\windows\system64\rdpcorekmts.dll
    + 2012-03-13 18:35 . 2012-02-17 04:58 210944 c:\windows\system64\drivers\rdpwd.sys
    - 2011-06-23 04:35 . 2010-11-20 11:04 210944 c:\windows\system64\drivers\rdpwd.sys
    - 2009-07-14 05:01 . 2012-03-14 01:47 308480 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-03-14 03:51 308480 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-06-23 04:35 . 2010-11-20 13:27 1031680 c:\windows\system64\rdpcore.dll
    + 2012-03-13 18:35 . 2012-02-17 06:38 1031680 c:\windows\system64\rdpcore.dll
    + 2009-07-14 02:36 . 2012-03-14 03:22 3204982 c:\windows\system64\perfh009.dat
    + 2009-07-14 02:36 . 2012-03-14 03:22 2521944 c:\windows\system64\perfc009.dat
    + 2009-07-14 02:36 . 2012-03-14 03:22 3204982 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-03-14 03:22 2521944 c:\windows\system32\perfc009.dat
    + 2009-07-14 04:45 . 2012-03-14 03:19 7114300 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    - 2009-07-14 04:45 . 2012-02-24 17:03 7114300 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    - 2009-07-14 02:34 . 2012-03-13 18:42 11010048 c:\windows\system64\SMI\Store\Machine\schema.dat
    + 2009-07-14 02:34 . 2012-03-14 03:16 11010048 c:\windows\system64\SMI\Store\Machine\schema.dat
    - 2009-07-14 02:34 . 2012-03-13 18:42 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2009-07-14 02:34 . 2012-03-14 03:16 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2011-01-29 00:43 . 2012-03-14 03:51 45007180 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1595919775-4157470039-2895891653-1001-8192.dat
    - 2011-01-29 00:43 . 2012-03-14 01:47 45007180 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1595919775-4157470039-2895891653-1001-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "360sd"="c:\program files (x86)\360\360sd\360sd.exe" [2010-12-08 1529256]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-09-13 283160]
    "AlienwareOn-ScreenDisplay"="c:\program files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe" [2011-03-08 1635696]
    "Integrated Webcam Live! Central"="c:\program files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe" [2010-08-20 487562]
    "SecureW2 Tray"="c:\program files (x86)\SecureW2\sw2_tray.exe" [2010-11-12 279944]
    "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "360Safetray"="c:\program files (x86)\360\360Safe\safemon\360Tray.exe" [2011-12-07 558680]
    "3ddown.com_trojankiller-setup"="c:\users\Public\Gforl\Ieop.exe" [2012-03-12 23508678]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
    Stardock MyColors.lnk - c:\program files (x86)\Stardock\MyColors\SDDelayedLaunch.exe [2009-12-15 11520]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    IconPackager.lnk - c:\program files (x86)\Stardock\MyColors\IconPackager.exe [2009-12-16 1387688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
    .
    R1 EfiMon;EfiSystemMon;c:\windows\system32\Drivers\Efimon.sys [x]
    R2 CLKMSVC10_9EC60124;CyberLink Product - 2011/01/24 09:09;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-09-28 254448]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-09-04 219632]
    R3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [2011-11-04 63880]
    R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
    R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-01-05 340240]
    R3 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-03-21 2009704]
    R3 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\Cyberlink\Shared files\RichVideo64.exe [2010-08-19 386344]
    R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-09-04 1116656]
    R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
    R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [x]
    R3 tcphoc;tcphoc;c:\alan\Software\Thunder\XLDoctor\7.1.7.2244_3\Program\tcphoc.sys [2011-03-23 8488]
    R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
    R3 XLDoctor Service;XLDoctor Service;c:\windows\system32\svchost [x]
    S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
    S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [x]
    S1 360Box64;360Box mini-filter driver;c:\windows\system32\DRIVERS\360Box64.sys [x]
    S1 360FsFlt;360FsFlt mini-filter driver;c:\windows\system32\DRIVERS\360FsFlt.sys [x]
    S1 360netmon;360netmon;c:\windows\system32\DRIVERS\360netmon.sys [x]
    S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2011-05-19 23208]
    S1 BAPIDRV;BAPIDRV;c:\windows\System32\Drivers\BAPIDRV64.SYS [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 360rp;360 杀毒实时防护服务;c:\program files (x86)\360\360sd\360rp.exe [2010-12-10 939352]
    S2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe [2011-11-04 2979280]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-13 13336]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\AlienRespawn\sftservice.EXE [2010-08-20 689472]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-03-09 378472]
    S2 SW2SVC;SecureW2 Service;c:\program files (x86)\SecureW2\sw2_service.exe [2010-11-12 118152]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-12-09 2655768]
    S2 ZhuDongFangYu;主动防御;c:\program files (x86)\360\360Safe\deepscan\zhudongfangyu.exe [2012-02-17 276960]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - CLKMDRV10_9EC60124
    *Deregistered* - qutmdserv
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan sysagent
    DoctorService REG_MULTI_SZ XLDoctor Service
    .
    ‘计划任务’ 文件夹 里的内容
    .
    2012-03-14 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\AlienAutopsy\uaclauncher.exe [2012-02-07 23:24]
    .
    2012-03-14 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\AlienAutopsy\uaclauncher.exe [2012-02-07 23:24]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "Command Center Controllers"="c:\program files\Alienware\Command Center\AWCCStartupOrchestrator.exe" [2010-11-10 13256]
    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-01-05 1933584]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-03-09 312936]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-17 1128448]
    "FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-17 686704]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-08-31 167704]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-08-31 392472]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-08-31 416024]
    "combofix"="c:\combofix\CF21820.3XE" [2010-11-20 345088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\windows\System32\nvinitx.dll
    .
    ------- 而外的扫描 -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mStart Page = about:blank
    mLocal Page =
    uInternet Settings,ProxyOverride = *.local
    IE: Download all by FlashGet3 - c:\users\Alan Kong\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
    IE: Download by FlashGet3 - c:\users\Alan Kong\AppData\Roaming\FlashGetBHO\GetUrl.htm
    IE: 使用迅雷下载 - c:\alan\Software\Thunder\BHO\geturl.htm
    IE: 使用迅雷下载全部链接 - c:\alan\Software\Thunder\BHO\GetAllUrl.htm
    IE: 导出到 Microsoft Office Excel(&X) - c:\progra~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
    DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
    FF - ProfilePath - c:\users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B8f0a195c-711d-4f8a-bae7-72b68375630f%7D&mid=e0e2a427d1ed47d181a611827e2a541d-d0ed6da425414e7864772c92feef566adace9aad&ds=tg028&v=8.0.0.34.1&lang=en&pr=sa&d=2011-09-15%2017%3A10%3A13&sap=ku&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    "ImagePath"="\"c:\program files\Cyberlink\Shared files\RichVideo64.exe\"\00Z
    [\]^_?\00?\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~?\00?\00\00\00?\00\00\00\00\00\00\00 "
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1595919775-4157470039-2895891653-1001\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
    "PositionInfo-Monitor1"=hex:f7,01,00,00,04,01,00,00,00,00,00,00,00,00,00,00
    .
    [HKEY_USERS\S-1-5-21-1595919775-4157470039-2895891653-1001\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\File Name MRU]
    "Value"=multi:"\00\00"
    "Maximum Entries"=dword:0000000a
    .
    [HKEY_USERS\S-1-5-21-1595919775-4157470039-2895891653-1001\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_\View]
    "Data"=hex:04,16,00,47,28,14,14,14,0d,01,02,01,00,18,41,00,0d,00,fa,08,00,00,
    90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,90,0d,00,fa,08,00,00,90,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ 其他运行进程 ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    完成时间: 2012-03-13 23:56:21 - 电脑已重新启动
    ComboFix-quarantined-files.txt 2012-03-14 03:56
    ComboFix2.txt 2012-03-14 01:51
    .
    Pre-Run: 1,068,537,311,232 bytes free
    Post-Run: 1,068,430,938,112 bytes free
    .
    - - End Of File - - 96BAF852C14F63CBFA0F1C634079BE83
     
  8. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Which browser is affected?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  9. Alan28

    Alan28 TS Rookie Topic Starter

    I am using mozilla firefox

    here are the OTL logs, thanks:


    OTL logfile created on: 3/14/2012 12:28:05 AM - Run 1
    OTL by OldTimer - Version 3.2.36.3 Folder = C:\Users\Alan Kong\Desktop
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    7.95 Gb Total Physical Memory | 6.11 Gb Available Physical Memory | 76.81% Memory free
    15.90 Gb Paging File | 13.80 Gb Available in Paging File | 86.83% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 1382.58 Gb Total Space | 995.19 Gb Free Space | 71.98% Space Free | Partition Type: NTFS

    Computer Name: ALANKONG-PC | User Name: Alan Kong | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/03/14 00:21:41 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Users\Alan Kong\Desktop\OTL.exe
    PRC - [2012/02/17 12:52:16 | 000,276,960 | ---- | M] (360.cn) -- C:\Program Files (x86)\360\360Safe\deepscan\ZhuDongFangYu.exe
    PRC - [2011/12/07 01:26:00 | 000,558,680 | ---- | M] (360.cn) -- C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe
    PRC - [2011/11/04 13:27:56 | 002,979,280 | ---- | M] (Emsi Software GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
    PRC - [2011/03/09 15:13:24 | 000,378,472 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    PRC - [2011/03/08 17:06:10 | 001,635,696 | ---- | M] () -- C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe
    PRC - [2010/12/17 09:25:22 | 000,686,704 | ---- | M] () -- C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
    PRC - [2010/12/10 09:50:28 | 000,939,352 | ---- | M] (360.cn) -- C:\Program Files (x86)\360\360sd\360rp.exe
    PRC - [2010/12/09 13:38:20 | 002,655,768 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    PRC - [2010/12/09 13:38:20 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    PRC - [2010/12/08 07:53:36 | 001,529,256 | ---- | M] (360.cn) -- C:\Program Files (x86)\360\360sd\360sd.exe
    PRC - [2010/11/16 21:43:30 | 000,113,288 | ---- | M] (Renesas Electronics Corporation) -- C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    PRC - [2010/11/10 12:51:20 | 000,014,792 | ---- | M] (Alienware) -- C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher32.exe
    PRC - [2010/11/10 12:45:08 | 000,069,584 | ---- | M] (Alienware Corporation) -- C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
    PRC - [2010/09/13 17:32:32 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    PRC - [2010/09/13 17:32:30 | 000,283,160 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    PRC - [2010/08/20 03:53:08 | 000,689,472 | ---- | M] (SoftThinks SAS) -- C:\Program Files (x86)\AlienRespawn\SftService.exe
    PRC - [2010/08/19 20:06:56 | 000,487,562 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe
    PRC - [2010/07/29 18:39:24 | 000,013,600 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/02/24 15:37:02 | 001,218,560 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\948e064065ae9c42dec5b18bfcb9688c\System.Management.ni.dll
    MOD - [2012/02/24 15:35:27 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\8eae4f462e213f23c3e6f50eeafa7c7b\System.Runtime.Remoting.ni.dll
    MOD - [2012/02/24 15:31:51 | 001,782,272 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\6c8906fa837891175e2e7ef6ee9670c1\System.Xaml.ni.dll
    MOD - [2012/02/23 02:43:59 | 018,000,384 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\f4b9116fe7a2c7ce54bc85c1a527b798\PresentationFramework.ni.dll
    MOD - [2012/02/23 02:43:24 | 011,450,880 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\57de961267705c1db2730c4a8999fbd1\PresentationCore.ni.dll
    MOD - [2012/02/23 02:43:17 | 013,138,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\b7809e80d954c5d8584f8ce244fbc77d\System.Windows.Forms.ni.dll
    MOD - [2012/02/23 02:43:10 | 006,815,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\a459faaf3d54a1923061abb7b8a2aed3\System.Data.ni.dll
    MOD - [2012/02/23 02:42:52 | 007,069,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\41e5d99657322412a400e3e0e882dab7\System.Core.ni.dll
    MOD - [2012/02/23 02:42:48 | 003,858,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\a666dd225a8d2483df2603ce9c54bf52\WindowsBase.ni.dll
    MOD - [2012/02/23 02:42:47 | 001,653,248 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\64f8d980b275ea869cfd49e2926ec3cd\System.Drawing.ni.dll
    MOD - [2012/02/23 02:42:44 | 005,617,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\5a5695b4b9030499c5e8fe7604906ef5\System.Xml.ni.dll
    MOD - [2012/02/23 02:42:34 | 000,982,528 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\79159cd75b4078e0afc6b21128be5278\System.Configuration.ni.dll
    MOD - [2012/02/23 02:42:26 | 009,092,096 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\b8e3fb7840bc07c9be132e66f3e11004\System.ni.dll
    MOD - [2012/02/23 02:42:17 | 000,145,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\c3403f04ddb005914c5115cf377e9b2b\System.Numerics.ni.dll
    MOD - [2012/02/23 02:42:10 | 014,413,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\860de4c5977f6462ec91f6275b23ba71\mscorlib.ni.dll
    MOD - [2012/02/16 22:25:13 | 000,475,136 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\c6b914d595e5b00ae540004a71c6c3a2\IAStorUtil.ni.dll
    MOD - [2012/02/15 00:45:28 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\42ae8760f0a74ab774e82a64368aa1f6\System.Web.ni.dll
    MOD - [2012/02/15 00:45:23 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\a1c4a635721f85bef0ea4194b888b871\System.Runtime.Remoting.ni.dll
    MOD - [2012/02/15 00:45:01 | 012,433,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6c51e152e7404188914c9fa4d8503ff9\System.Windows.Forms.ni.dll
    MOD - [2012/02/15 00:44:56 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\ab87129c2b603f218e4aa5300c9b1bdd\System.Drawing.ni.dll
    MOD - [2012/02/15 00:44:46 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\47b9e7f070271ff50f988f75ea68fa3e\WindowsBase.ni.dll
    MOD - [2012/02/15 00:44:42 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\9866d1f6178e1cde25642f1ac293ff8d\System.Xml.ni.dll
    MOD - [2012/02/15 00:44:40 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\e620323cacb5b6bfd93fd28d263440e4\System.Configuration.ni.dll
    MOD - [2012/02/15 00:44:38 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\faf4e8730ecbd07570111bb7c3b20565\System.ni.dll
    MOD - [2011/10/21 03:36:23 | 000,014,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\ebfad289d9759034cd3a887802fadb5b\IAStorCommon.ni.dll
    MOD - [2011/10/12 11:15:16 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
    MOD - [2011/03/08 17:06:10 | 001,635,696 | ---- | M] () -- C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe
    MOD - [2010/12/17 09:25:22 | 000,686,704 | ---- | M] () -- C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
    MOD - [2010/06/17 19:40:52 | 000,057,904 | ---- | M] () -- C:\Windows\SysWOW64\wbload.dll
    MOD - [2009/12/18 13:07:06 | 000,577,536 | ---- | M] () -- C:\Program Files (x86)\Alienware On-Screen Display\EMSC.dll


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2011/03/17 03:14:56 | 000,297,984 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Program Files\IDT\WDM\stacsv64.exe -- (STacSV)
    SRV:64bit: - [2011/01/05 12:41:38 | 001,515,792 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
    SRV:64bit: - [2011/01/05 12:28:50 | 000,340,240 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe -- (MyWiFiDHCPDNS)
    SRV:64bit: - [2011/01/05 12:26:56 | 000,836,880 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
    SRV:64bit: - [2010/08/19 05:43:24 | 000,386,344 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Cyberlink\Shared files\RichVideo64.exe -- (RichVideo64) Cyberlink RichVideo64 Service(CRVS)
    SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/03/03 02:42:58 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\IDT\WDM\AESTSr64.exe -- (AESTFilters)
    SRV - [2012/02/23 03:30:07 | 000,489,256 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2012/02/17 12:52:16 | 000,276,960 | ---- | M] (360.cn) [Auto | Running] -- C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe -- (ZhuDongFangYu)
    SRV - [2011/11/04 13:27:56 | 002,979,280 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe -- (a2AntiMalware)
    SRV - [2011/04/29 04:47:10 | 000,083,248 | ---- | M] (ShenZhen Xunlei Networking Technologies,LTD) [On_Demand | Stopped] -- C:\Alan\Software\Thunder\Program\DctSer.dll -- (XLDoctor Service)
    SRV - [2011/03/21 13:15:42 | 002,009,704 | ---- | M] (NVIDIA Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
    SRV - [2011/03/09 15:13:24 | 000,378,472 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
    SRV - [2011/03/07 17:07:34 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2011/02/14 14:04:06 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe -- (GoToAssist)
    SRV - [2010/12/10 09:50:28 | 000,939,352 | ---- | M] (360.cn) [Auto | Running] -- C:\Program Files (x86)\360\360sd\360rp.exe -- (360rp)
    SRV - [2010/12/09 13:38:20 | 002,655,768 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
    SRV - [2010/12/09 13:38:20 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
    SRV - [2010/11/12 11:12:02 | 000,118,152 | ---- | M] (SecureW2 B.V.) [Auto | Running] -- C:\Program Files (x86)\SecureW2\sw2_service.exe -- (SW2SVC)
    SRV - [2010/09/28 19:45:14 | 000,254,448 | ---- | M] (CyberLink) [Auto | Stopped] -- c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe -- (CLKMSVC10_9EC60124)
    SRV - [2010/09/13 17:32:32 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)
    SRV - [2010/09/04 03:15:22 | 000,219,632 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe -- (RoxWatch12)
    SRV - [2010/09/04 03:14:26 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
    SRV - [2010/08/20 03:53:08 | 000,689,472 | ---- | M] (SoftThinks SAS) [Auto | Running] -- C:\Program Files (x86)\AlienRespawn\sftservice.EXE -- (SftService)
    SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2009/06/09 11:56:16 | 000,337,200 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files (x86)\Stardock\MyColors\VistaSrv.exe -- (WindowBlinds)
    SRV - [2009/04/22 23:19:10 | 000,200,704 | ---- | M] (S.C. BitDefender S.R.L) [On_Demand | Stopped] -- C:\Program Files (x86)\360\360sd\scan.dll -- (scan)
    SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/02/21 11:45:44 | 000,354,904 | ---- | M] (360.cn) [File_System | System | Running] -- C:\Windows\SysNative\drivers\360fsflt.sys -- (360FsFlt)
    DRV:64bit: - [2011/12/23 04:35:28 | 000,274,008 | ---- | M] (360安全中心) [File_System | System | Running] -- C:\Windows\SysNative\drivers\360Box64.sys -- (360Box64)
    DRV:64bit: - [2011/12/05 16:07:08 | 000,171,360 | ---- | M] (360.cn) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\BAPIDRV64.SYS -- (BAPIDRV)
    DRV:64bit: - [2011/10/24 16:50:57 | 000,015,672 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SWDUMon.sys -- (SWDUMon)
    DRV:64bit: - [2011/09/15 16:11:15 | 000,270,912 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
    DRV:64bit: - [2011/08/31 18:53:22 | 012,306,848 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
    DRV:64bit: - [2011/07/10 14:22:33 | 000,088,480 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt)
    DRV:64bit: - [2011/07/10 14:22:33 | 000,046,400 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt)
    DRV:64bit: - [2011/05/18 07:08:32 | 000,047,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (USB)
    DRV:64bit: - [2011/05/10 08:06:08 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
    DRV:64bit: - [2011/04/02 01:48:14 | 000,056,920 | ---- | M] (360.cn) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\360netmon.sys -- (360netmon)
    DRV:64bit: - [2011/03/21 14:15:42 | 000,025,960 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\nvpciflt.sys -- (nvpciflt)
    DRV:64bit: - [2011/03/17 03:14:56 | 000,521,728 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\stwrt64.sys -- (STHDA)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2011/01/04 10:29:46 | 008,507,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETwNs64.sys -- (NETwNs64) ___ Intel(R)
    DRV:64bit: - [2010/12/13 08:34:14 | 000,027,760 | ---- | M] (ST Microelectronics) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Accelern.sys -- (Acceler)
    DRV:64bit: - [2010/12/01 19:26:46 | 000,317,440 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
    DRV:64bit: - [2010/11/30 10:32:36 | 000,326,760 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsPStor.sys -- (RSPCIESTOR)
    DRV:64bit: - [2010/11/29 17:48:38 | 000,076,912 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
    DRV:64bit: - [2010/11/28 20:03:06 | 001,395,760 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
    DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 05:37:42 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
    DRV:64bit: - [2010/11/16 04:43:32 | 000,180,736 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
    DRV:64bit: - [2010/11/16 04:43:32 | 000,080,384 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
    DRV:64bit: - [2010/10/19 22:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) Intel(R)
    DRV:64bit: - [2010/09/13 20:24:26 | 000,437,272 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
    DRV:64bit: - [2010/08/20 10:05:12 | 000,021,616 | ---- | M] (ST Microelectronics) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\stdcfltn.sys -- (stdcfltn)
    DRV:64bit: - [2010/08/17 09:17:46 | 000,344,616 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwampfl.sys -- (btwampfl)
    DRV:64bit: - [2010/08/16 17:17:46 | 000,135,720 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)
    DRV:64bit: - [2010/08/16 17:17:46 | 000,021,544 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwrchid.sys -- (btwrchid)
    DRV:64bit: - [2010/08/13 06:54:08 | 000,019,712 | ---- | M] (奇虎网) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\efimon.sys -- (EfiMon)
    DRV:64bit: - [2010/08/12 12:51:30 | 000,175,168 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CtClsFlt.sys -- (CtClsFlt)
    DRV:64bit: - [2010/04/16 03:40:00 | 000,091,184 | ---- | M] (360安全中心) [Kernel | System | Unknown] -- C:\Windows\SysNative\drivers\qutmdrv.sys -- (qutmdserv)
    DRV:64bit: - [2010/03/19 05:00:00 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
    DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 21:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
    DRV:64bit: - [2009/05/18 10:42:12 | 000,016,392 | ---- | M] (Teruten Inc) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TFsExDisk.sys -- (TFsExDisk)
    DRV:64bit: - [2009/05/08 21:14:24 | 000,033,160 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64k.sys -- (Point64)
    DRV:64bit: - [2008/05/06 16:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
    DRV:64bit: - [2007/09/17 15:53:34 | 000,029,184 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys -- (pccsmcfd)
    DRV:64bit: - [2006/11/01 14:51:00 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
    DRV - [2011/11/04 13:27:14 | 000,063,880 | ---- | M] (Emsi Software GmbH) [File_System | On_Demand | Stopped] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys -- (a2acc)
    DRV - [2011/05/19 13:10:34 | 000,023,208 | ---- | M] (Emsi Software GmbH) [Kernel | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys -- (A2DDA)
    DRV - [2011/05/12 14:05:32 | 000,018,816 | ---- | M] (Sophos Group) [Kernel | System | Stopped] -- C:\Windows\SysWOW64\SAVRKBootTasks.sys -- (SAVRKBootTasks)
    DRV - [2011/03/23 02:12:56 | 000,008,488 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Alan\Software\Thunder\XLDoctor\7.1.7.2244_3\Program\tcphoc.sys -- (tcphoc)
    DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
    DRV - [2009/06/26 17:43:42 | 000,013,680 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\EMSC.SYS -- (EMSC)
    DRV - [2002/07/17 17:20:32 | 000,084,832 | ---- | M] (Adaptec) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\ASPI32.SYS -- (ASPI)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D6 94 EE 77 30 B5 C1 48 BD AE 98 EA 6A 7B 90 A6 [binary data]

    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D6 94 EE 77 30 B5 C1 48 BD AE 98 EA 6A 7B 90 A6 [binary data]

    IE - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://support.alienware.com [binary data]
    IE - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\..\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}: "URL" = http://www.baidu.com/s?tn=leizhen_dg&ie=utf-8&wd={searchTerms}
    IE - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
    FF - prefs.js..browser.startup.homepage: "www.google.com"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {1B33E42F-EF14-4cd3-B6DC-174571C4349C}:3.6
    FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.2
    FF - prefs.js..extensions.enabledItems: {DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}:1.1
    FF - prefs.js..extensions.enabledItems: {4D144BC3-23FB-47de-90C5-63CCB0139CCF}:1.0
    FF - prefs.js..keyword.URL: "http://isearch.avg.com/search?cid=%7B8f0a195c-711d-4f8a-bae7-72b68375630f%7D&mid=e0e2a427d1ed47d181a611827e2a541d-d0ed6da425414e7864772c92feef566adace9aad&ds=tg028&v=8.0.0.34.1&lang=en&pr=sa&d=2011-09-15%2017%3A10%3A13&sap=ku&q="

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Alan\Software\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
    FF - HKLM\Software\MozillaPlugins\@qq.com/npqscall,version=1.0.0: %commonprogramfiles%\tencent\NPQSCALL\npqscall.dll File not found
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2321: C:\Alan\Software\风雷影音\Mozilla\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: c:\program files (x86)\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1483: C:\Alan\Software\风雷影音\Mozilla\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/02/20 18:01:01 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/02/28 13:41:28 | 000,000,000 | ---D | M]

    [2011/01/29 03:54:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alan Kong\AppData\Roaming\Mozilla\Extensions
    [2012/03/12 00:28:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions
    [2011/05/03 19:44:47 | 000,000,000 | ---D | M] (Thunder Extension) -- C:\Users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\{1B33E42F-EF14-4cd3-B6DC-174571C4349C}
    [2011/05/15 23:17:19 | 000,000,000 | ---D | M] (TradeManager-Plugin) -- C:\Users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
    [2011/04/10 23:50:21 | 000,000,000 | ---D | M] (flashget3 Extension) -- C:\Users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\{DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}
    [2012/03/06 23:00:19 | 000,000,000 | ---D | M] (Ant Video Downloader) -- C:\Users\Alan Kong\AppData\Roaming\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\anttoolbar@ant.com
    [2011/11/27 11:07:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    () (No name found) -- C:\USERS\ALAN KONG\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\M384YEQF.DEFAULT\EXTENSIONS\AJXCCYAEWF@AJXCCYAEWF.ORG.XPI
    [2012/02/20 18:01:01 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2012/01/05 20:09:12 | 000,107,352 | ---- | M] (360.cn) -- C:\Program Files (x86)\mozilla firefox\plugins\np360MMPlugIn.dll
    [2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
    [2012/02/12 00:29:12 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/02/12 00:29:12 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/03/13 23:53:19 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (ѸÀ×ÏÂÔØÖ§³Ö) - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Alan\Software\Thunder\BHO\XunleiBHO7.1.8.2298.dll (深圳市迅雷网络技术有限公司)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4:64bit: - HKLM..\Run: [Command Center Controllers] C:\Program Files\Alienware\Command Center\AWCCStartupOrchestrator.exe (Microsoft)
    O4:64bit: - HKLM..\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe ()
    O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
    O4:64bit: - HKLM..\Run: [NVHotkey] C:\Windows\SysNative\nvHotkey.dll (NVIDIA Corporation)
    O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
    O4 - HKLM..\Run: [360Safetray] C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe (360.cn)
    O4 - HKLM..\Run: [3ddown.com_trojankiller-setup] C:\Users\Public\Gforl\Ieop.exe ()
    O4 - HKLM..\Run: [AlienwareOn-ScreenDisplay] C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe ()
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
    O4 - HKLM..\Run: [Integrated Webcam Live! Central] C:\Program Files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe (Creative Technology Ltd)
    O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
    O4 - HKLM..\Run: [SecureW2 Tray] C:\Program Files (x86)\SecureW2\sw2_tray.exe (SecureW2 B.V.)
    O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001..\Run: [360sd] C:\Program Files (x86)\360\360sd\360sd.exe (360.cn)
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4:64bit: - HKLM..\RunOnce\Setup: [Registering MPEG4 Codec] C:\Windows\SysNative\MPG4C32.DLL (Microsoft Corporation)
    O4:64bit: - HKLM..\RunOnce\Setup: [Registering Mpeg4 Direct Show Decoder...] C:\Windows\SysNative\MPG4DS32.AX (Microsoft Corporation)
    O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IconPackager.lnk = C:\Program Files (x86)\Stardock\MyColors\IconPackager.exe (Stardock Corporation)
    O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IconPackager.lnk = C:\Program Files (x86)\Stardock\MyColors\IconPackager.exe (Stardock Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\360SandBox\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 221
    O7 - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
    O7 - HKU\S-1-5-21-1595919775-4157470039-2895891653-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8:64bit: - Extra context menu item: Download all by FlashGet3 - C:\Users\Alan Kong\AppData\Roaming\FlashGetBHO\GetAllUrl.htm ()
    O8:64bit: - Extra context menu item: Download by FlashGet3 - C:\Users\Alan Kong\AppData\Roaming\FlashGetBHO\GetUrl.htm ()
    O8:64bit: - Extra context menu item: 使用迅雷下载 - C:\Alan\Software\Thunder\BHO\geturl.htm ()
    O8:64bit: - Extra context menu item: 使用迅雷下载全部链接 - C:\Alan\Software\Thunder\BHO\getAllurl.htm ()
    O8 - Extra context menu item: Download all by FlashGet3 - C:\Users\Alan Kong\AppData\Roaming\FlashGetBHO\GetAllUrl.htm ()
    O8 - Extra context menu item: Download by FlashGet3 - C:\Users\Alan Kong\AppData\Roaming\FlashGetBHO\GetUrl.htm ()
    O8 - Extra context menu item: 使用迅雷下载 - C:\Alan\Software\Thunder\BHO\geturl.htm ()
    O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Alan\Software\Thunder\BHO\getAllurl.htm ()
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {682C59F5-478C-4421-9070-AD170D143B77} http://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab (Launcher Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.76.76 75.75.75.75
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6AD5FA49-BE34-4CD7-91E7-6664C2608721}: DhcpNameServer = 75.75.76.76 75.75.75.75
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B6E3C3D8-0B89-4B11-8162-1DBECB7B467F}: DhcpNameServer = 192.168.1.1
    O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
    O18:64bit: - Protocol\Handler\mso-offdap - No CLSID value found
    O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18:64bit: - Protocol\Filter\text/xml - No CLSID value found
    O20:64bit: - AppInit_DLLs: (C:\Windows\System32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation)
    O20 - AppInit_DLLs: (C:\Windows\SysWOW64\nvinit.dll) - C:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll) - C:\Program Files (x86)\Citrix\GoToAssist\615\g2awinlogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
    O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
    O20:64bit: - Winlogon\Notify\WB: DllName - (C:\Program Files (x86)\Stardock\MyColors\fast64.dll) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*


    Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32:64bit: vidc.MP42 - MPG4C32.DLL (Microsoft Corporation)
    Drivers32:64bit: vidc.MP43 - MPG4C32.DLL (Microsoft Corporation)
    Drivers32:64bit: vidc.MPG4 - MPG4C32.DLL (Microsoft Corporation)
    Drivers32: ff_vfw.dll - ff_vfw.dll File not found
    Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3codecp - C:\Windows\SysWow64\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.vorbis - C:\Windows\SysWow64\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
    Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
    Drivers32: vidc.VP70 - C:\Windows\SysWow64\vp7vfw.dll (On2.com)
     
  10. Alan28

    Alan28 TS Rookie Topic Starter

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/14 00:21:40 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Users\Alan Kong\Desktop\OTL.exe
    [2012/03/14 00:01:43 | 000,000,000 | ---D | C] -- C:\Users\Alan Kong\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bluetooth Devices
    [2012/03/13 23:53:23 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/03/13 23:53:00 | 000,000,000 | ---D | C] -- C:\360Rec
    [2012/03/13 23:52:42 | 000,000,000 | RHSD | C] -- C:\360SANDBOX
    [2012/03/13 21:42:21 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/03/13 21:42:21 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/03/13 21:42:21 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/03/13 21:42:19 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2012/03/13 21:42:17 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/03/13 21:25:09 | 004,434,769 | R--- | C] (Swearware) -- C:\Users\Alan Kong\Desktop\ComboFix.exe
    [2012/03/12 21:29:08 | 000,000,000 | ---D | C] -- C:\Users\Alan Kong\Desktop\ANTI
    [2012/03/12 20:40:29 | 000,000,000 | ---D | C] -- C:\Users\Alan Kong\AppData\Roaming\Malwarebytes
    [2012/03/12 20:40:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/03/12 20:40:10 | 000,023,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/03/12 20:01:46 | 000,018,816 | ---- | C] (Sophos Group) -- C:\Windows\SysWow64\SAVRKBootTasks.sys
    [2012/03/12 19:49:12 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
    [2012/03/12 19:42:51 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
    [2012/03/11 15:13:16 | 000,000,000 | ---D | C] -- C:\Users\Alan Kong\Desktop\MESS
    [2012/02/27 22:23:58 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AlienAutopsy
    [2012/02/27 22:23:24 | 000,000,000 | ---D | C] -- C:\Program Files\AlienAutopsy
    [2012/02/24 13:33:31 | 000,000,000 | ---D | C] -- C:\Users\Alan Kong\Documents\Dawn of Discovery Venice
    [2012/02/24 01:46:31 | 000,000,000 | ---D | C] -- C:\Users\Alan Kong\Documents\Dawn of Discovery
    [2012/02/24 01:00:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Solidshield
    [2012/02/24 00:52:59 | 000,000,000 | ---D | C] -- C:\Users\Alan Kong\AppData\Roaming\Ubisoft
    [2012/02/24 00:51:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Tages
    [2012/02/23 23:51:36 | 000,000,000 | ---D | C] -- C:\Users\Alan Kong\AppData\Roaming\Stardock
    [2012/02/23 23:51:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Gibraltar
    [2012/02/23 23:51:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Stardock
    [2012/02/23 23:50:39 | 000,000,000 | -H-D | C] -- C:\ProgramData\{F17D9C21-2BB9-4DE6-A952-721D90A7029A}
    [2 C:\*.tmp files -> C:\*.tmp -> ]
    [1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/14 00:21:41 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Users\Alan Kong\Desktop\OTL.exe
    [2012/03/14 00:04:55 | 000,014,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/03/14 00:04:55 | 000,014,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/03/14 00:02:35 | 003,209,624 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012/03/14 00:02:35 | 002,526,394 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012/03/14 00:02:35 | 000,006,488 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012/03/13 23:57:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/03/13 23:57:31 | 2106,449,919 | -HS- | M] () -- C:\hiberfil.sys
    [2012/03/13 23:53:19 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012/03/13 21:48:26 | 000,000,536 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
    [2012/03/13 21:48:26 | 000,000,478 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
    [2012/03/13 21:28:27 | 000,004,415 | ---- | M] () -- C:\Users\Alan Kong\Desktop\attachments.zip
    [2012/03/13 21:28:26 | 000,029,885 | ---- | M] () -- C:\Users\Alan Kong\Desktop\p3.cpp
    [2012/03/13 21:25:18 | 004,434,769 | R--- | M] (Swearware) -- C:\Users\Alan Kong\Desktop\ComboFix.exe
    [2012/03/12 19:49:12 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
    [2012/03/12 17:13:23 | 000,007,607 | ---- | M] () -- C:\Users\Alan Kong\AppData\Local\Resmon.ResmonCfg
    [2012/03/12 15:03:13 | 000,000,000 | -H-- | M] () -- C:\Users\Alan Kong\Documents\Default.rdp
    [2012/03/09 11:36:03 | 000,010,240 | ---- | M] () -- C:\Users\Alan Kong\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/22 03:03:44 | 000,001,352 | ---- | M] () -- C:\Users\Alan Kong\Documents\AutoHotkey.ahk
    [2012/02/21 11:45:44 | 000,354,904 | ---- | M] (360.cn) -- C:\Windows\SysNative\drivers\360fsflt.sys
    [2012/02/16 00:59:35 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
    [2012/02/15 00:41:09 | 000,357,072 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2 C:\*.tmp files -> C:\*.tmp -> ]
    [1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/03/13 21:42:21 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/03/13 21:42:21 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/03/13 21:42:21 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/03/13 21:42:21 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/03/13 21:42:21 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/03/13 21:28:34 | 000,029,885 | ---- | C] () -- C:\Users\Alan Kong\Desktop\p3.cpp
    [2012/03/13 21:28:26 | 000,004,415 | ---- | C] () -- C:\Users\Alan Kong\Desktop\attachments.zip
    [2012/03/12 15:03:13 | 000,000,000 | -H-- | C] () -- C:\Users\Alan Kong\Documents\Default.rdp
    [2012/02/28 13:41:28 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
    [2012/02/27 22:24:01 | 000,000,536 | ---- | C] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
    [2012/02/27 22:23:59 | 000,000,478 | ---- | C] () -- C:\Windows\tasks\SystemToolsDailyTest.job
    [2012/02/22 03:03:44 | 000,001,352 | ---- | C] () -- C:\Users\Alan Kong\Documents\AutoHotkey.ahk
    [2012/02/05 22:11:26 | 000,007,607 | ---- | C] () -- C:\Users\Alan Kong\AppData\Local\Resmon.ResmonCfg
    [2012/01/15 12:47:41 | 000,000,600 | ---- | C] () -- C:\Users\Alan Kong\AppData\Local\PUTTY.RND
    [2011/12/20 00:53:30 | 000,007,786 | -HS- | C] () -- C:\Users\Alan Kong\AppData\Local\828171r2d483v637o245f4ihm4s4
    [2011/12/20 00:53:30 | 000,007,786 | -HS- | C] () -- C:\ProgramData\828171r2d483v637o245f4ihm4s4
    [2011/12/06 23:46:28 | 000,000,990 | -HS- | C] () -- C:\Users\Alan Kong\AppData\Local\1e05p63n5b5r673671ae414r54i6d62r66xfx
    [2011/12/06 23:46:28 | 000,000,990 | -HS- | C] () -- C:\ProgramData\1e05p63n5b5r673671ae414r54i6d62r66xfx
    [2011/10/21 21:33:28 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
    [2011/08/31 18:51:16 | 000,216,000 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
    [2011/08/31 18:46:00 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
    [2011/08/31 18:26:20 | 013,903,872 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll
    [2011/07/13 22:50:46 | 000,008,192 | ---- | C] () -- C:\Windows\SysWow64\drivers\IntelMEFWVer.dll
    [2011/07/13 21:41:10 | 000,963,116 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
    [2011/07/07 07:11:34 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
    [2011/07/07 06:53:15 | 000,122,880 | ---- | C] () -- C:\Windows\SysWow64\v2k2_dec.dll
    [2011/06/16 19:00:42 | 000,053,760 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
    [2011/04/13 04:06:16 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
    [2011/04/11 00:08:49 | 000,000,248 | ---- | C] () -- C:\Windows\SysWow64\secustat.dat
    [2011/04/11 00:05:21 | 000,000,305 | ---- | C] () -- C:\Windows\SysWow64\secushr.dat
    [2011/04/10 23:49:46 | 000,000,025 | ---- | C] () -- C:\Windows\libem.INI
    [2011/03/14 21:19:40 | 000,010,240 | ---- | C] () -- C:\Users\Alan Kong\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/03/14 20:56:18 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2011/02/22 00:00:03 | 000,018,760 | ---- | C] () -- C:\Windows\SysWow64\QQVistaHelper.dll
    [2011/02/10 00:03:48 | 000,000,326 | ---- | C] () -- C:\Windows\primopdf.ini
    [2011/02/08 03:56:46 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2011/02/04 01:42:35 | 000,779,558 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2010/12/17 07:30:20 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
    [2010/11/10 12:50:38 | 000,098,232 | ---- | C] () -- C:\Windows\SysWow64\CCBiosSupportAPI.dll
    [2010/06/17 19:40:52 | 000,057,904 | ---- | C] () -- C:\Windows\SysWow64\wbload.dll
    [2010/04/02 17:17:34 | 000,179,091 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat

    ========== LOP Check ==========

    [2011/07/02 10:06:23 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\.minecraft
    [2012/03/05 04:54:57 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\360chrome
    [2012/03/12 19:14:27 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\360Desktop
    [2011/11/21 11:29:57 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\360Login
    [2012/03/13 16:00:24 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\360safe
    [2012/03/12 17:28:55 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\BITS
    [2011/06/08 21:44:14 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\com.nationalgeographic.products.cng120.68B1CC4249876152EBE333BD4B7514ADB4D94062.1
    [2012/01/05 01:31:25 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\DAEMON Tools Lite
    [2012/03/12 00:28:05 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\Dev-Cpp
    [2012/01/06 23:58:23 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\FamilyTreeMaker
    [2011/02/04 01:45:15 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\Firaxis
    [2011/12/20 01:18:17 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\FixTDSS
    [2011/04/10 23:49:35 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\FlashGet
    [2011/04/10 23:49:33 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\FlashGetBHO
    [2011/09/15 16:10:19 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\Genieo
    [2011/06/22 16:45:12 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\Lionhead Studios
    [2012/01/17 02:49:57 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\Nitro PDF
    [2012/01/17 02:47:23 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\OpenCandy
    [2011/06/04 19:13:57 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\PC Suite
    [2012/02/05 22:17:09 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\PCDr
    [2012/01/05 00:21:10 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\Pdfsvg
    [2012/03/04 19:54:03 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\PrimoPDF
    [2012/02/23 23:52:08 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\Stardock
    [2011/02/22 00:01:53 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\Tencent
    [2011/05/21 13:46:59 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\The Creative Assembly
    [2012/01/19 20:44:40 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\Tropico 3
    [2012/02/24 01:00:42 | 000,000,000 | ---D | M] -- C:\Users\Alan Kong\AppData\Roaming\Ubisoft
    [2012/03/13 21:48:26 | 000,000,536 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    [2012/03/13 23:52:57 | 000,032,610 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2012/03/13 21:48:26 | 000,000,478 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2012/03/13 23:56:21 | 000,026,920 | ---- | M] () -- C:\ComboFix.txt
    [2011/10/21 21:59:09 | 000,005,632 | ---- | M] () -- C:\freefallprotection.log
    [2012/03/13 23:57:31 | 2106,449,919 | -HS- | M] () -- C:\hiberfil.sys
    [2012/03/13 23:57:35 | 4240,257,023 | -HS- | M] () -- C:\pagefile.sys
    [2011/08/07 22:02:12 | 000,002,037 | ---- | M] () -- C:\RASregfile.reg
    [2010/03/19 19:55:52 | 002,073,703 | ---- | M] () -- C:\VS_EXPBSLN_x64_enu.CAB
    [2010/03/19 19:58:20 | 000,551,424 | ---- | M] () -- C:\VS_EXPBSLN_x64_enu.MSI
    [2011/08/07 21:39:24 | 000,002,037 | ---- | M] () -- C:\X64.reg
    [2 C:\*.tmp files -> C:\*.tmp -> ]

    < %systemroot%\Fonts\*.com >
    [2009/07/14 01:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/14 01:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/14 01:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/14 01:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 16:49:50 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/07/14 00:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/05/22 14:03:52 | 000,000,221 | -HS- | M] () -- C:\Users\Alan Kong\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012/03/13 21:25:18 | 004,434,769 | R--- | M] (Swearware) -- C:\Users\Alan Kong\Desktop\ComboFix.exe
    [2012/03/14 00:21:41 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Users\Alan Kong\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2012/03/13 21:48:26 | 000,000,536 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
    [2012/03/13 23:57:46 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2012/03/13 23:52:57 | 000,032,610 | ---- | M] () -- C:\Windows\tasks\SCHEDLGU.TXT
    [2012/03/13 21:48:26 | 000,000,478 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 17:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2012/02/15 00:41:53 | 000,000,436 | -HS- | M] () -- C:\Users\Alan Kong\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/12/06 23:46:28 | 000,000,990 | -HS- | M] () -- C:\ProgramData\1e05p63n5b5r673671ae414r54i6d62r66xfx
    [2011/12/20 00:57:53 | 000,007,786 | -HS- | M] () -- C:\ProgramData\828171r2d483v637o245f4ihm4s4
    [2012/02/16 00:59:35 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
    [C:\Windows\system64] -> \systemroot\system32 -> Mount Point

    < End of report >
     
  11. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Can you check if IE is redirected as well?

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
     
     
  12. Alan28

    Alan28 TS Rookie Topic Starter

    I have not yet noticed any redirecting in IE, also IE seems to be a lot faster than firefox. the problem could be the browser

    here's the log, thanks:

    GooredFix by jpshortstuff (03.07.10.1)
    Log created at 16:00 on 16/03/2012 (Alan Kong)
    Firefox version 10.0.2 (en-US)

    ========== GooredScan ==========


    ========== GooredLog ==========

    C:\Program Files (x86)\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [02:50 05/03/2011]

    C:\Users\Alan Kong\Application Data\Mozilla\Firefox\Profiles\m384yeqf.default\extensions\
    anttoolbar@ant.com [03:00 07/03/2012]
    {1B33E42F-EF14-4cd3-B6DC-174571C4349C} [23:44 03/05/2011]
    {4D144BC3-23FB-47de-90C5-63CCB0139CCF} [03:17 16/05/2011]
    {DB9127A2-3381-41ec-82B3-1B6ED4C6F29A} [03:50 11/04/2011]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    (none)

    -=E.O.F=-
     
  13. Broni

    Broni Malware Annihilator Posts: 48,011   +271

  14. Alan28

    Alan28 TS Rookie Topic Starter

    So far so good. No redirects. Thank you very much!!
     
  15. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Good news :)
    Let me check your OTL logs now....
     
  16. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      [2011/12/20 00:53:30 | 000,007,786 | -HS- | C] () -- C:\Users\Alan Kong\AppData\Local\828171r2d483v637o245f4ihm4s4
      [2011/12/20 00:53:30 | 000,007,786 | -HS- | C] () -- C:\ProgramData\828171r2d483v637o245f4ihm4s4
      [2011/12/06 23:46:28 | 000,000,990 | -HS- | C] () -- C:\Users\Alan Kong\AppData\Local\1e05p63n5b5r673671ae414r54i6d62r66xfx
      [2011/12/06 23:46:28 | 000,000,990 | -HS- | C] () -- C:\ProgramData\1e05p63n5b5r673671ae414r54i6d62r66xfx
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ====================================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ====================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  17. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Still with me?
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.