TechSpot

Fake Flash Player appearing on my toolbar

Inactive
By eccle
Sep 16, 2012
  1. There is this fake flash player thing on my toolbar (a white "f" inside a red box) and when I click on it, no flash player update window pops up. It's just plain weird. I am having trouble with Internet Explorer lately probably because of this. Every time I close the IE window, I always get that "Windows IE stopped from working" thing.

    A few days ago, I had a blue screen. I restarted my laptop and it's working fine lately but that fake player virus/trojan keeps on appearing on my toolbar and I am scared. Kaspersky 2003 didn't work. I ran it (normal and safe mode) but it didn't remove it. Here is the DDS log:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_35
    Run by Rev at 12:41:43 on 2012-09-16
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.585 [GMT 8:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCRTP.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    c:\program files\kingsoft\kingsoft antivirus\kxescore.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe
    C:\Program Files\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\ProgramData\DatacardService\HWDeviceService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\ProgramData\Smart Bro\OnlineUpdate\ouc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Program Files\SMART BRO\AssistantServices.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\ProgramData\DatacardService\DCSHelper.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hotkey Utility\tray.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SMART BRO\UIExec.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\kingsoft\kingsoft antivirus\kxetray.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Windows\ehome\ehtray.exe
    C:\Users\Rev\AppData\Local\Facebook\Update\FacebookUpdate.exe
    C:\Program Files\Tencent\QQMusic\QQMusic.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\PPLive\PPTV\PPLive.exe
    C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Windows\System32\svchost.exe -k PPTVServiceGroup
    C:\Program Files\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCWebShield.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
    C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.hao123.com/?tn=62002018_3_hao_pg
    uURLSearchHooks: H - No File
    uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
    uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    mURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Content Blocker Plugin: {5564cc73-efa7-4cbf-918a-5cf7fbbfff4f} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
    BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
    BHO: Virtual Keyboard Plugin: {73455575-e40c-433c-9784-c78dc7761455} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Baidu Toolbar BHO: {77fef28e-eb96-44ff-b511-3185dea48697} - c:\program files\baidu\toolbar\BaiduBarX.dll
    BHO: QQ?????????: {7c260b4b-f7a0-40b5-b403-befcdc6a4c3b} - c:\program files\tencent\qqpcmgr\6.8.2387.401\TSWebMon.dat
    BHO: Safe Money Plugin: {9e6d0d23-3d72-4a94-ae1f-2d167624e3d9} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\onlinebanking\online_banking_bho.dll
    BHO: A3AA4C3C-3C93-5013-63C1-DE7B16E904E7 Class: {a3aa4c3c-3c93-5013-63c1-de7b16e904e7} - c:\progra~1\baidu\{a3aa4~1\AddressBar.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: URL Advisor Plugin: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll
    TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
    TB: 百度工具栏: {b580cf65-e151-49c3-b73f-70b13fca8e86} - c:\program files\baidu\toolbar\BaiduBarX.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Facebook Update] "c:\users\rev\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
    uRun: [QQMusic] "c:\program files\tencent\qqmusic\QQMusic.exe" /background
    uRun: [PPAP] "c:\program files\common files\pplivenetwork\PPAP.exe" -background
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [FIC HotKey] c:\program files\hotkey utility\tray.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [UIExec] "c:\program files\smart bro\UIExec.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [PowerDVD12DMREngine] "c:\program files\cyberlink\powerdvd12\kernel\dmr\PowerDVD12DMREngine.exe"
    mRun: [PowerDVD12Agent] "c:\program files\cyberlink\powerdvd12\PowerDVD12Agent.exe"
    mRun: [ QQPCTray] "c:\program files\tencent\qqpcmgr\6.8.2387.401\QQPCTray.exe" /regrun
    mRun: [kxesc] "c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" -autorun
    mRun: [SetRoute] c:\program files\l2tphelp\setroute.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe"
    StartupFolder: c:\users\rev\appdata\roaming\micros~1\windows\startm~1\programs\startup\pptv.lnk - c:\program files\pplive\pptv\PPLive.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2013\ie_banner_deny.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: Search the Web - c:\program files\sweetim\toolbars\internet explorer\resources\menuext.html
    IE: {95B3F550-91C4-4627-BCC4-521288C52977} - c:\program files\pplive\pptv\PPLive.exe
    IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
    TCP: Interfaces\{5D47F38F-14A7-4A54-BF32-7CE1D5424C30} : NameServer = 10.10.0.21
    TCP: Interfaces\{824ECD50-A390-4846-878B-75A8B0171671} : DhcpNameServer = 202.101.172.46 202.101.172.47
    TCP: Interfaces\{ED23D40D-2D7B-4EB6-B2FB-CC7310F911B2} : NameServer = 10.10.0.21 10.10.2.21
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\rev\appdata\roaming\mozilla\firefox\profiles\13aujkpt.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\tencent\npqscall\npqscall.dll
    FF - plugin: c:\program files\common files\tencent\txsso\1.2.1.42\bin\npSSOAxCtrlForPTLogin.dll
    FF - plugin: c:\program files\internet explorer\pplite\plugin\1.0.1.1919\npplugin2.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\kingsoft\kingsoft antivirus\npkvip.dll
    FF - plugin: c:\program files\kingsoft\kingsoft antivirus\npkws.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\tencent\qqmusic\npQzoneMusic.dll
    FF - plugin: c:\users\rev\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
    FF - plugin: c:\windows\system32\npdeployJava1.dll
    FF - plugin: c:\windows\system32\npmproxy.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 KAVBootC;KAVBootC;c:\windows\system32\drivers\kavbootc.sys [2012-9-4 27240]
    R0 TsFltMgr;tencent TsFltMgr;c:\windows\system32\drivers\TsFltMgr.sys [2012-6-7 65624]
    R0 TSysCare;TSysCare;c:\windows\system32\drivers\TSysCare.sys [2012-6-7 24824]
    R1 KDHacker;KDHacker;c:\program files\kingsoft\kingsoft antivirus\security\kxescan\kdhacker.sys [2012-9-4 127992]
    R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2012-8-2 24408]
    R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-6-8 43608]
    R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 144344]
    R1 TCSafeBox;TCSafeBox;c:\program files\tencent\qqpcmgr\6.8.2387.401\TCSafeBox.sys [2012-6-7 53240]
    R1 TSCPM;TSCPM;c:\program files\tencent\qqpcmgr\6.8.2387.401\tscpm.sys [2012-6-7 32888]
    R1 TSDefenseBt;TSDefenseBt;c:\windows\system32\drivers\TSDefenseBt.sys [2012-9-4 60408]
    R1 TSKSP;TSKsp;c:\program files\tencent\qqpcmgr\6.8.2387.401\TSKsp.sys [2012-6-7 153112]
    R2 {73526619-C24F-470B-9BED-53D455FBB5C6};Power Control [2012/08/17 08:21:15];c:\program files\cyberlink\powerdvd12\common\navfilter\000.fcl [2012-7-5 88312]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-28 63960]
    R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe [2012-8-17 218880]
    R2 CLHNServiceForPowerDVD12;CLHNServiceForPowerDVD12;c:\program files\cyberlink\powerdvd12\kernel\dmp\clhnserver\CLHNServiceForPowerDVD12.exe [2012-8-17 90640]
    R2 CyberLink PowerDVD 12 Media Server Monitor Service;CyberLink PowerDVD 12 Media Server Monitor Service;c:\program files\cyberlink\powerdvd12\kernel\dms\CLMSMonitorServicePDVD12.exe [2012-8-17 78352]
    R2 CyberLink PowerDVD 12 Media Server Service;CyberLink PowerDVD 12 Media Server Service;c:\program files\cyberlink\powerdvd12\kernel\dms\CLMSServerPDVD12.exe [2012-8-17 295440]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\datacardservice\HWDeviceService.exe [2011-3-14 271712]
    R2 kisknl;kisknl;c:\windows\system32\drivers\kisknl.sys [2012-9-4 165368]
    R2 kxescore;Kingsoft Core Service;c:\program files\kingsoft\kingsoft antivirus\kxescore.exe [2012-9-4 128072]
    R2 ntk_PowerDVD12;ntk_PowerDVD12;c:\program files\cyberlink\powerdvd12\kernel\dmp\clhnserver\ntk_PowerDVD12.sys [2012-8-17 121208]
    R2 QQSysMon;QQSysMon;c:\program files\tencent\qqpcmgr\6.8.2387.401\QQSysMon.sys [2012-6-7 56568]
    R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2012-6-15 73216]
    R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-5-25 25432]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-7-25 25944]
    R3 ksapi;ksapi;c:\windows\system32\drivers\ksapi.sys [2012-9-4 82296]
    R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\Ndisrd.sys [2012-9-10 22016]
    R3 TcHardWare;TcHardWare;c:\program files\tencent\qqpcmgr\6.8.2387.401\QQPCHW.sys [2012-6-7 34168]
    R4 TSSysKit;TSSysKit;c:\program files\tencent\qqpcmgr\6.8.2387.401\TSSysKit.sys [2012-6-7 91256]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-22 250056]
    S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2012-6-15 102784]
    S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2012-4-10 9216]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-20 114144]
    S3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\Ndisrd.sys [2012-9-10 22016]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-9-16 27192]
    S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\ZTEusbvoice.sys [2012-4-10 107776]
    .
    =============== File Associations ===============
    .
    txtfile=c:\windows\notepad.exe %1
    .
    =============== Created Last 30 ================
    .
    2012-09-15 17:04:56 -------- d-----w- c:\users\rev\appdata\local\Macromedia
    2012-09-15 16:47:56 -------- d-----w- c:\users\rev\appdata\local\VS Revo Group
    2012-09-15 16:47:30 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2012-09-15 16:47:28 -------- d-----w- c:\program files\VS Revo Group
    2012-09-14 13:51:29 -------- d-----w- c:\program files\Kaspersky Lab
    2012-09-14 13:51:28 -------- d-----w- c:\programdata\Kaspersky Lab
    2012-09-14 13:49:03 75096 ----a-w- c:\windows\system32\drivers\klflt.sys
    2012-09-14 10:22:13 -------- d-----w- c:\users\rev\appdata\roaming\Wandoujia2
    2012-09-10 16:25:35 -------- d-----w- c:\program files\common files\Symantec Shared
    2012-09-10 13:33:32 -------- d-----w- c:\programdata\Symantec
    2012-09-10 13:33:07 -------- d-----w- c:\programdata\Norton
    2012-09-10 13:33:01 -------- d-----w- c:\programdata\NortonInstaller
    2012-09-10 12:35:29 22016 ----a-w- c:\windows\system32\drivers\Ndisrd.sys
    2012-09-08 02:55:23 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
    2012-09-06 14:19:30 61440 ----a-r- c:\users\rev\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
    2012-09-06 14:19:30 61440 ----a-r- c:\users\rev\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\ARPPRODUCTICON.exe
    2012-09-06 14:19:30 106496 ----a-r- c:\users\rev\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
    2012-09-06 14:19:30 106496 ----a-r- c:\users\rev\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
    2012-09-06 14:19:30 106496 ----a-r- c:\users\rev\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
    2012-09-06 09:17:07 -------- d-----w- c:\windows\system32\Tencent
    2012-09-06 05:20:09 -------- d-----w- c:\users\rev\appdata\local\visi_coupon
    2012-09-06 00:34:45 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-09-05 23:59:26 -------- d-----r- c:\program files\Skype
    2012-09-05 11:35:46 737280 ----a-w- c:\windows\iun6002.exe
    2012-09-05 11:35:45 -------- d-----w- c:\program files\L2TPHelp
    2012-09-04 06:27:29 18760 ----a-w- c:\windows\system32\QQVistaHelper.dll
    2012-09-04 06:18:05 -------- d-----w- C:\PPDownload
    2012-09-04 05:59:32 -------- d-----w- C:\FavoriteVideo
    2012-09-04 05:59:06 -------- d-----w- c:\programdata\Jlcm
    2012-09-04 05:58:36 -------- d-----w- c:\users\rev\appdata\roaming\PPLive
    2012-09-04 05:58:36 -------- d-----w- c:\programdata\PPLive
    2012-09-04 05:58:07 -------- d-----w- c:\program files\PPLive
    2012-09-04 05:58:07 -------- d-----w- c:\program files\common files\PPLiveNetwork
    2012-09-04 05:44:51 60408 ----a-w- c:\windows\system32\drivers\TSDefenseBt.sys
    2012-09-04 05:42:10 308640 ----a-w- c:\windows\system32\MMInstaller.dll
    2012-09-04 05:42:06 -------- d-----w- c:\program files\common files\Tencent
    2012-09-04 05:42:05 -------- d-----w- c:\program files\Tencent
    2012-09-04 05:41:49 -------- d-----w- c:\users\rev\appdata\roaming\Tencent
    2012-09-04 05:41:49 -------- d-----w- c:\programdata\Tencent
    2012-09-04 05:41:21 -------- d-----w- c:\program files\Baidu
    2012-09-04 05:41:04 -------- d-----w- c:\users\rev\funshion
    .
    ==================== Find3M ====================
    .
    2012-09-08 08:36:03 82296 ----a-w- c:\windows\system32\drivers\ksapi.sys
    2012-09-08 08:31:50 165368 ----a-w- c:\windows\system32\drivers\kisknl.sys
    2012-09-08 08:29:30 166776 ----a-w- c:\windows\system32\drivers\kdhacker64.sys
    2012-09-08 08:29:23 127992 ----a-w- c:\windows\system32\drivers\kdhacker.sys
    2012-09-06 00:34:21 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2012-09-04 05:45:15 19352 ----a-w- c:\windows\system32\drivers\ksskrpr.sys
    2012-09-04 05:45:14 31848 ----a-w- c:\windows\system32\drivers\kavbootc64.sys
    2012-09-04 05:45:14 27240 ----a-w- c:\windows\system32\drivers\kavbootc.sys
    2012-09-04 05:45:14 208728 ----a-w- c:\windows\system32\drivers\kisknl64.sys
    2012-09-04 05:45:13 24472 ----a-w- c:\windows\system32\drivers\bc.sys
    2012-08-18 09:22:37 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-18 09:22:37 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-15 07:37:30 491912 ----a-w- c:\windows\system32\PPTVSvc.dll
    2012-08-15 07:37:18 2291592 ----a-w- c:\windows\system32\kindling.dll
    2012-08-13 08:49:44 144344 ----a-w- c:\windows\system32\drivers\kneps.sys
    2012-08-02 07:09:30 24408 ----a-w- c:\windows\system32\drivers\klim6.sys
    2012-07-25 06:53:48 25944 ----a-w- c:\windows\system32\drivers\klmouflt.sys
    2012-06-19 09:28:12 136024 ----a-w- c:\windows\system32\drivers\kl1.sys
    .
    ============= FINISH: 12:44:47.62 ===============
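As an added triage helper (not part of this thread, nor of DDS or AdwCleaner), the Python below scans the "Pseudo HJT Report" lines of a DDS log for what a malware helper looks for in a report like the one above: orphaned "No File" hooks, search or home page settings pointing at a known adware provider, one CLSID registered as search hook, BHO and toolbar at once, and UAC switched off. The adware names come from the AdwCleaner log posted further down; the sample lines are a constructed excerpt with the same shapes as the DDS report.

```python
"""Triage the 'Pseudo HJT Report' part of a DDS log for browser-hijack indicators."""
import re
from collections import defaultdict

# Adware/toolbar families that AdwCleaner flagged on this machine (from the thread).
PUP_MARKERS = ("conduit", "sweetim", "utorrentcontrol2", "shopperreports",
               "softonic", "smartbar")

# Settings that decide where the browser sends searches and the home page.
SEARCH_KEYS = ("uStart Page", "mStart Page", "browser.startup.homepage",
               "browser.search.defaulturl", "keyword.URL")

# Hook types that load a DLL into the browser on every start.
HOOK_KINDS = ("uURLSearchHooks", "mURLSearchHooks", "BHO", "TB")

CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
HOST_RE = re.compile(r"hxxps?://([^/\s]+)", re.I)   # DDS defangs http as hxxp

# Constructed excerpt; same line shapes as the DDS report posted above.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.hao123.com/?tn=62002018_3_hao_pg
uURLSearchHooks: H - No File
uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
mPolicies-system: EnableLUA = 0 (0x0)
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
"""


def host_of(line):
    """Host part of the first (defanged) URL on the line, or None."""
    m = HOST_RE.search(line)
    return m.group(1).lower() if m else None


def triage(dds_text):
    """Return a list of (reason, evidence) findings for the given DDS lines."""
    findings = []
    by_clsid = defaultdict(set)   # CLSID -> hook kinds it is registered under
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        kind = line.split(":", 1)[0]   # 'BHO', 'TB', 'uURLSearchHooks', ...
        # 1. Registry entry survives but the DLL is gone: leftover of a half-removed toolbar.
        if low.endswith("no file"):
            findings.append(("orphaned entry (No File)", line))
        # 2. Search or home page pointing at a known adware search provider.
        if any(k.lower() in low for k in SEARCH_KEYS):
            host = host_of(line)
            if host and any(p in host for p in PUP_MARKERS):
                findings.append(("search/homepage redirected to " + host, line))
        # 3. Hook/BHO/toolbar whose name or DLL path carries a PUP marker.
        if kind in HOOK_KINDS and any(p in low for p in PUP_MARKERS):
            findings.append(("PUP browser extension", line))
        # 4. UAC off: installers run elevated without any prompt to the user.
        if "enablelua = 0" in low:
            findings.append(("UAC disabled (EnableLUA = 0)", line))
        if kind in HOOK_KINDS:
            for clsid in CLSID_RE.findall(line):
                by_clsid[clsid.lower()].add(kind)
    # 5. One CLSID registered under several hook types: the full footprint of a toolbar.
    for clsid, kinds in by_clsid.items():
        if len(kinds) > 1:
            findings.append(("CLSID %s registered as %s" % (clsid, ", ".join(sorted(kinds))), clsid))
    return findings


if __name__ == "__main__":
    for reason, evidence in triage(SAMPLE_DDS):
        print("%-45s <- %s" % (reason, evidence[:70]))
```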
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Please review the 5-Step removal instructions and post the logs back here for my review.

    Also, include this scan:

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well, where n is the order number.
  3. eccle

    eccle TS Member Topic Starter

    Thanks for the fast reply!

    For your reference, I tried to ask for help here: http://www.techsupportforum.com/for...ash-player-virus-help-666095.html#post3881560 but nobody has replied to me yet.

    Here is the content of AdwCleaner's logfile:

    # AdwCleaner v2.001 - Logfile created 09/16/2012 at 18:28:39
    # Updated 09/09/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # User : Rev - REV-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Rev\Desktop\Downloads\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Found : C:\Users\Rev\AppData\Local\Temp\Uninstall.exe
    File Found : C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\searchplugins\Conduit.xml
    File Found : C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\searchplugins\SweetIm.xml
    Folder Found : C:\Program Files\Conduit
    Folder Found : C:\Program Files\uTorrentControl2
    Folder Found : C:\ProgramData\InstallMate
    Folder Found : C:\ProgramData\Premium
    Folder Found : C:\Users\Rev\AppData\Local\Conduit
    Folder Found : C:\Users\Rev\AppData\LocalLow\Conduit
    Folder Found : C:\Users\Rev\AppData\LocalLow\ShopperReports3
    Folder Found : C:\Users\Rev\AppData\LocalLow\uTorrentControl2
    Folder Found : C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\ConduitCommon
    Folder Found : C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\SweetIMToolbarData

    ***** [Registry] *****

    Key Found : HKCU\Software\AppDataLow\Software\Conduit
    Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
    Key Found : HKCU\Software\AppDataLow\Software\ShopperReports3
    Key Found : HKCU\Software\AppDataLow\Software\SmartBar
    Key Found : HKCU\Software\AppDataLow\Software\uTorrentControl2
    Key Found : HKCU\Software\AppDataLow\Toolbar
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ShopperReportsSA
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\uTorrentControl2 Toolbar
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{687578B9-7132-4A7A-80E4-30EE31099E03}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4AAF2A6-F6D1-49A5-BA1A-B20735DF1955}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
    Key Found : HKCU\Software\Softonic
    Key Found : HKCU\Software\SweetIm
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{687578B9-7132-4A7A-80E4-30EE31099E03}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{A6C2170C-FC80-41A2-95E2-A114705A2DDE}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{D4AAF2A6-F6D1-49A5-BA1A-B20735DF1955}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{453DB0C5-F41C-4D97-8DD6-CC72ECD5F699}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{4AFC07D0-59BB-46B8-B097-1A46E88EEF71}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{6511CE4C-4722-40D0-AD3D-4AFA2F50978A}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{9BEC9B38-BF39-4899-806E-A1C5DFEB60A2}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{AEBF09E2-0C15-43C8-99BF-928C645D98A0}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{B86D82BF-D39F-439A-A07C-43EDDC6F6EA6}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{DA6305B9-0869-4235-8C1D-533A65E639E5}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{E6961C59-CFCE-4CCD-B794-BC78DB98413A}
    Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
    Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
    Key Found : HKLM\Software\Conduit
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{162BACAB-CD26-4775-9257-5B9531A36882}
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B53C9DAF-2C20-4A07-BF16-1A859892BC2E}
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{687578B9-7132-4A7A-80E4-30EE31099E03}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D4AAF2A6-F6D1-49A5-BA1A-B20735DF1955}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentControl2 Toolbar
    Key Found : HKLM\Software\SweetIm
    Key Found : HKLM\Software\uTorrentControl2
    Key Found : HKU\S-1-5-21-1690172613-2495476871-168188171-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{687578B9-7132-4A7A-80E4-30EE31099E03}]
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
    Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{687578B9-7132-4A7A-80E4-30EE31099E03}]
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{687578B9-7132-4A7A-80E4-30EE31099E03}]
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{687578B9-7132-4A7A-80E4-30EE31099E03}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v7.0.6002.18005

    [OK] Registry is clean.

    -\\ Mozilla Firefox v15.0.1 (en-US)

    Profile name : default
    File : C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\prefs.js

    Found : user_pref("CT2786678..clientLogIsEnabled", true);
    Found : user_pref("CT2786678..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.as[...]
    Found : user_pref("CT2786678..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Re[...]
    Found : user_pref("CT2786678.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
    Found : user_pref("CT2786678.AppTrackingLastCheckTime", "Sat Nov 05 2011 09:20:47 GMT+0800 (China Standard T[...]
    Found : user_pref("CT2786678.BrowserCompStateIsOpen_129579220236217502", true);
    Found : user_pref("CT2786678.CTID", "CT2786678");
    Found : user_pref("CT2786678.CurrentServerDate", "7-11-2011");
    Found : user_pref("CT2786678.DSInstall", true);
    Found : user_pref("CT2786678.DialogsAlignMode", "LTR");
    Found : user_pref("CT2786678.DialogsGetterLastCheckTime", "Mon Nov 07 2011 12:40:09 GMT+0800 (China Standard[...]
    Found : user_pref("CT2786678.DownloadReferralCookieData", "");
    Found : user_pref("CT2786678.EMailNotifierPollDate", "Thu Oct 27 2011 14:42:33 GMT+0800 (China Standard Time[...]
    Found : user_pref("CT2786678.EnableClickToSearchBox", false);
    Found : user_pref("CT2786678.EnableSearchHistory", false);
    Found : user_pref("CT2786678.EnableSearchSuggest", false);
    Found : user_pref("CT2786678.FeedLastCount5690698542593514850", 194);
    Found : user_pref("CT2786678.FeedPollDate2429156812186649977", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedPollDate2429156813040823546", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedPollDate2429156813130095866", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedPollDate2429156813224203613", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedPollDate2429156813230837251", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedPollDate2429156813454291735", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedPollDate2429156813729834876", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedPollDate2429156813860870021", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedPollDate2429156814264681793", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedPollDate2429156814863075366", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedPollDate2429156815257761081", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.FeedTTL2429156813040823546", 15);
    Found : user_pref("CT2786678.FeedTTL2429156813130095866", 10);
    Found : user_pref("CT2786678.FeedTTL2429156813454291735", 5);
    Found : user_pref("CT2786678.FeedTTL2429156814264681793", 5);
    Found : user_pref("CT2786678.FirstServerDate", "27-10-2011");
    Found : user_pref("CT2786678.FirstTime", true);
    Found : user_pref("CT2786678.FirstTimeFF3", true);
    Found : user_pref("CT2786678.FixPageNotFoundErrors", false);
    Found : user_pref("CT2786678.GroupingServerCheckInterval", 1440);
    Found : user_pref("CT2786678.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
    Found : user_pref("CT2786678.HPInstall", false);
    Found : user_pref("CT2786678.HasUserGlobalKeys", true);
    Found : user_pref("CT2786678.HomePageProtectorEnabled", true);
    Found : user_pref("CT2786678.HomepageBeforeUnload", "hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=[...]
    Found : user_pref("CT2786678.Initialize", true);
    Found : user_pref("CT2786678.InitializeCommonPrefs", true);
    Found : user_pref("CT2786678.InstallationAndCookieDataSentCount", 3);
    Found : user_pref("CT2786678.InstallationType", "UnknownIntegration");
    Found : user_pref("CT2786678.InstalledDate", "Thu Oct 27 2011 14:27:27 GMT+0800 (China Standard Time)");
    Found : user_pref("CT2786678.IsAlertDBUpdated", true);
    Found : user_pref("CT2786678.IsGrouping", false);
    Found : user_pref("CT2786678.IsInitSetupIni", true);
    Found : user_pref("CT2786678.IsMulticommunity", false);
    Found : user_pref("CT2786678.IsOpenThankYouPage", true);
    Found : user_pref("CT2786678.IsOpenUninstallPage", false);
    Found : user_pref("CT2786678.IsProtectorsInit", true);
    Found : user_pref("CT2786678.LanguagePackLastCheckTime", "Mon Nov 07 2011 12:40:03 GMT+0800 (China Standard [...]
    Found : user_pref("CT2786678.LanguagePackReloadIntervalMM", 1440);
    Found : user_pref("CT2786678.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
    Found : user_pref("CT2786678.LastLogin_3.7.0.6", "Mon Nov 07 2011 20:39:59 GMT+0800 (China Standard Time)");
    Found : user_pref("CT2786678.LatestVersion", "3.7.0.6");
    Found : user_pref("CT2786678.Locale", "en");
    Found : user_pref("CT2786678.MCDetectTooltipHeight", "83");
    Found : user_pref("CT2786678.MCDetectTooltipShow", false);
    Found : user_pref("CT2786678.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
    Found : user_pref("CT2786678.MCDetectTooltipWidth", "295");
    Found : user_pref("CT2786678.MyStuffEnabledAtInstallation", true);
    Found : user_pref("CT2786678.OriginalFirstVersion", "3.7.0.6");
    Found : user_pref("CT2786678.RadioShrinked", "shrinked");
    Found : user_pref("CT2786678.RadioShrinkedFromSetup", true);
    Found : user_pref("CT2786678.SHRINK_TOOLBAR", 0);
    Found : user_pref("CT2786678.SavedHomepage", "hxxp://home.sweetim.com");
    Found : user_pref("CT2786678.SearchBackToDefaultEngine", false);
    Found : user_pref("CT2786678.SearchBoxWidth", 100);
    Found : user_pref("CT2786678.SearchCaption", " ");
    Found : user_pref("CT2786678.SearchEngineBeforeUnload", "SweetIM Search");
    Found : user_pref("CT2786678.SearchFromAddressBarIsInit", true);
    Found : user_pref("CT2786678.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT278[...]
    Found : user_pref("CT2786678.SearchInNewTabEnabled", true);
    Found : user_pref("CT2786678.SearchInNewTabIntervalMM", 1440);
    Found : user_pref("CT2786678.SearchInNewTabLastCheckTime", "Mon Nov 07 2011 12:39:54 GMT+0800 (China Standar[...]
    Found : user_pref("CT2786678.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
    Found : user_pref("CT2786678.SearchInNewTabUsageUrl", "hxxp://usage.hosting.toolbar.conduit-services.com/usa[...]
    Found : user_pref("CT2786678.SearchInNewTabUserEnabled", false);
    Found : user_pref("CT2786678.SearchProtectorEnabled", false);
    Found : user_pref("CT2786678.SearchProtectorToolbarDisabled", false);
    Found : user_pref("CT2786678.SendProtectorDataViaLogin", true);
    Found : user_pref("CT2786678.ServiceMapLastCheckTime", "Mon Nov 07 2011 12:40:00 GMT+0800 (China Standard Ti[...]
    Found : user_pref("CT2786678.SettingsLastCheckTime", "Mon Nov 07 2011 12:39:54 GMT+0800 (China Standard Time[...]
    Found : user_pref("CT2786678.SettingsLastUpdate", "1314985690");
    Found : user_pref("CT2786678.TBHomePageUrl", "hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13");
    Found : user_pref("CT2786678.ThirdPartyComponentsInterval", 504);
    Found : user_pref("CT2786678.ThirdPartyComponentsLastCheck", "Thu Oct 27 2011 14:27:28 GMT+0800 (China Stand[...]
    Found : user_pref("CT2786678.ThirdPartyComponentsLastUpdate", "1312887586");
    Found : user_pref("CT2786678.ToolbarShrinkedFromSetup", true);
    Found : user_pref("CT2786678.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2786678");
    Found : user_pref("CT2786678.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,clien[...]
    Found : user_pref("CT2786678.Uninstall", true);
    Found : user_pref("CT2786678.UserID", "UN13282842862589217");
    Found : user_pref("CT2786678.WeatherNetwork", "");
    Found : user_pref("CT2786678.WeatherPollDate", "Thu Oct 27 2011 15:47:37 GMT+0800 (China Standard Time)");
    Found : user_pref("CT2786678.WeatherUnit", "C");
    Found : user_pref("CT2786678.alertChannelId", "1178763");
    Found : user_pref("CT2786678.approveUntrustedApps", true);
    Found : user_pref("CT2786678.backendstorage.cbfirsttime", "546875204F637420323720323031312031343A32373A34332[...]
    Found : user_pref("CT2786678.componentAlertEnabled", false);
    Found : user_pref("CT2786678.components.1000034", false);
    Found : user_pref("CT2786678.components.1000234", false);
    Found : user_pref("CT2786678.components.129295698017012804", false);
    Found : user_pref("CT2786678.components.129309485163350924", false);
    Found : user_pref("CT2786678.components.129309489763975460", false);
    Found : user_pref("CT2786678.components.129315411424256896", false);
    Found : user_pref("CT2786678.components.129526967958500204", false);
    Found : user_pref("CT2786678.components.129579220236217502", false);
    Found : user_pref("CT2786678.components.5690698542593514850", false);
    Found : user_pref("CT2786678.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.c[...]
    Found : user_pref("CT2786678.globalFirstTimeInfoLastCheckTime", "Mon Nov 07 2011 20:39:54 GMT+0800 (China St[...]
    Found : user_pref("CT2786678.homepageProtectorEnableByLogin", true);
    Found : user_pref("CT2786678.initDone", true);
    Found : user_pref("CT2786678.isAppTrackingManagerOn", true);
    Found : user_pref("CT2786678.isFirstRadioInstallation", false);
    Found : user_pref("CT2786678.isSearchProtectorNotifyChanges", false);
    Found : user_pref("CT2786678.myStuffEnabled", true);
    Found : user_pref("CT2786678.myStuffPublihserMinWidth", 400);
    Found : user_pref("CT2786678.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
    Found : user_pref("CT2786678.myStuffServiceIntervalMM", 1440);
    Found : user_pref("CT2786678.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
    Found : user_pref("CT2786678.oldAppsList", "129295695672325902,129295695672325903,1000234,129295698017012804[...]
    Found : user_pref("CT2786678.revertSettingsEnabled", true);
    Found : user_pref("CT2786678.searchProtectorDialogDelayInSec", 10);
    Found : user_pref("CT2786678.searchProtectorEnableByLogin", true);
    Found : user_pref("CT2786678.testingCtid", "");
    Found : user_pref("CT2786678.toolbarAppMetaDataLastCheckTime", "Mon Nov 07 2011 12:40:04 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.toolbarContextMenuLastCheckTime", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Found : user_pref("CT2786678.usageEnabled", false);
    Found : user_pref("CT2786678.usagesFlag", 1);
    Found : user_pref("CommunityToolbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT2786678&Search[...]
    Found : user_pref("CommunityToolbar.ConduitSearchList", " ");
    Found : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT3072253/CT3072253[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1178763/1174448/PH", "\"0\"[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2786678", [...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT3072253", [...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.13[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.7.[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2786678",[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT3072253",[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.conduit-services.com/?ctid=CT2786678&octid=[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=EB_LOCALE",[...]
    Found : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"21b[...]
    Found : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Users\\Rev\\AppData\\Roaming\\Mozilla\\Fir[...]
    Found : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.13.0.6");
    Found : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "");
    Found : user_pref("CommunityToolbar.ToolbarsList", "CT2786678");
    Found : user_pref("CommunityToolbar.ToolbarsList2", "CT2786678");
    Found : user_pref("CommunityToolbar.ToolbarsList4", "CT2786678");
    Found : user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Thu Oct 27 2011 14:27:34 GMT+0800 (Chi[...]
    Found : user_pref("CommunityToolbar.globalUserId", "80d090a7-1d7a-4ab3-a6ca-63678bac16e4");
    Found : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
    Found : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
    Found : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT3072253");
    Found : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Thu Jun 21 2012 20:16:3[...]
    Found : user_pref("CommunityToolbar.notifications.alertEnabled", false);
    Found : user_pref("CommunityToolbar.notifications.alertInfoInterval", 1440);
    Found : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Thu Jun 21 2012 20:16:27 GMT+080[...]
    Found : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
    Found : user_pref("CommunityToolbar.notifications.locale", "en");
    Found : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
    Found : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Thu Jun 21 2012 20:16:19 GMT+0800 (C[...]
    Found : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
    Found : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
    Found : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
    Found : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
    Found : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
    Found : user_pref("CommunityToolbar.notifications.userId", "cabae55e-3950-496a-b24f-b827d5310078");
    Found : user_pref("CommunityToolbar.originalHomepage", "hxxp://home.sweetim.com");
    Found : user_pref("CommunityToolbar.originalSearchEngine", "SweetIM Search");
    Found : user_pref("browser.search.defaultenginename", "SweetIM Search");
    Found : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&Sea[...]
    Found : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=");
    Found : user_pref("sweetim.toolbar.highlight.colors", "#FFFF00,#00FFE4,#5AFF00,#0087FF,#FFCC00,#FF00F0");
    Found : user_pref("sweetim.toolbar.logger.ConsoleHandler.MinReportLevel", "7");
    Found : user_pref("sweetim.toolbar.logger.FileHandler.FileName", "ff-toolbar.log");
    Found : user_pref("sweetim.toolbar.logger.FileHandler.MaxFileSize", "200000");
    Found : user_pref("sweetim.toolbar.logger.FileHandler.MinReportLevel", "7");
    Found : user_pref("sweetim.toolbar.mode.debug", "false");
    Found : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
    Found : user_pref("sweetim.toolbar.previous.browser.search.defaulturl", "");
    Found : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
    Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "google.com.ph");
    Found : user_pref("sweetim.toolbar.previous.keyword.URL", "");
    Found : user_pref("sweetim.toolbar.search.external", "<?xml version=\"1.0\"?><TOOLBAR><EXTERNAL_SEARCH engin[...]
    Found : user_pref("sweetim.toolbar.search.history.capacity", "10");
    Found : user_pref("sweetim.toolbar.searchguard.enable", "true");
    Found : user_pref("sweetim.toolbar.simapp_id", "{369B96EC-0064-11E1-BCF1-001060D142B9}");
    Found : user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com");

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\Rev\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [22693 octets] - [16/09/2012 18:28:39]

    ########## EOF - C:\AdwCleaner[R1].txt - [22754 octets] ##########
  4. eccle (Topic Starter)

    GMER log (part 1):

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-09-16 12:38:37
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0000
    Running: gmer.exe; Driver: C:\Users\Rev\AppData\Local\Temp\uwldrpow.sys

    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0x9074E008]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcConnectPort [0x90701CAE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcCreatePort [0x90701FF6]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwAlpcSendWaitReceivePort [0x917041C8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x906EA712]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x90701988]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateEvent [0x906EAC8A]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwCreateFile [0x916FA904]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwCreateKey [0x9170278A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateMutant [0x906EAB70]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreatePort [0x90701E5A]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwCreateSection [0x917064A4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSemaphore [0x906EADAA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0x90711A90]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThread [0x9075030A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateWaitablePort [0x90701F28]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDebugActiveProcess [0x9074FE54]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwDeleteFile [0x916FAC52]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwDeleteKey [0x91703118]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwDeleteValueKey [0x917032EC]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwDeviceIoControlFile [0x91708E13]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwDuplicateObject [0x916F9C0A]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwEnumerateValueKey [0x916FF584]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwLoadDriver [0x91709168]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwMapViewOfSection [0x90711AB0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwNotifyChangeKey [0x90700118]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenEvent [0x906EAD20]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwOpenFile [0x916FAE43]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenMutant [0x906EAC00]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwOpenProcess [0x917012B5]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwOpenSection [0x91706657]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSemaphore [0x906EAE40]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenThread [0x90750066]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwPlugPlayControl [0x90711AA0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryDirectoryObject [0x906EAECA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryObject [0x90700326]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwQueryValueKey [0x916FFF6E]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwQueueApcThread [0x9170767F]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TCSafeBox.sys ZwReadVirtualMemory [0x9078C9F4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyPort [0x90702220]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0x907020AE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyWaitReceivePortEx [0x90702164]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0x90702290]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwResumeThread [0x9075084C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSecureConnectPort [0x90701B16]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetContextThread [0x907509A8]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwSetInformationFile [0x916FA235]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetInformationToken [0x906EAF6C]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwSetSecurityObject [0x91709695]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwSetSystemInformation [0x9170A0D8]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwSetValueKey [0x91702AB7]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendProcess [0x9074FB9C]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwSuspendThread [0x917073CD]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwSystemDebugControl [0x91709591]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TCSafeBox.sys ZwTerminateProcess [0x9078C72C]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwTerminateThread [0x91707526]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0x90751286]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys ZwWriteFile [0x916FA6EF]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TCSafeBox.sys ZwWriteVirtualMemory [0x9078C898]
    SSDT \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TCSafeBox.sys ZwCreateThreadEx [0x9078C382]
    SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateUserProcess [0x80C10984]

    Code \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys KeUserModeCallback

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwQueryLicenseValue + BA8 83493BEC 5 Bytes CALL 80C1D0D5 \??\C:\Windows\system32\drivers\kisknl.sys
    .text ntkrnlpa.exe!ZwQueryLicenseValue + BB5 83493BF9 8 Bytes JMP 84B3F39D \SystemRoot\System32\drivers\TsFltMgr.sys (TsFltMgr /Tencent)
    .text ntkrnlpa.exe!KeSetEvent + 119 834F57DC 4 Bytes [08, E0, 74, 90] {OR AL, AH; JZ 0xffffffffffffff94}
    .text ntkrnlpa.exe!KeSetEvent + 13D 834F5800 8 Bytes [AE, 1C, 70, 90, F6, 1F, 70, ...] {SCASB ; SBB AL, 0x70; NOP ; NEG BYTE [EDI]; JO 0xffffffffffffff98}
    .text ntkrnlpa.exe!KeSetEvent + 181 834F5844 4 Bytes [C8, 41, 70, 91] {ENTER 0x7041, 0x91}
    .text ntkrnlpa.exe!KeSetEvent + 1A9 834F586C 4 Bytes [12, A7, 6E, 90]
    .text ntkrnlpa.exe!KeSetEvent + 1C1 834F5884 4 Bytes [88, 19, 70, 90] {MOV [ECX], BL; JO 0xffffffffffffff94}
    .text ...
    PAGE ntkrnlpa.exe!KeUserModeCallback 8364EA63 5 Bytes JMP 9170151E \??\C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSKsp.sys
    .text C:\Program Files\CyberLink\PowerDVD12\Common\NavFilter\000.fcl section is writeable [0xB0323000, 0x2892, 0xE8000020]
    .vmp2 C:\Program Files\CyberLink\PowerDVD12\Common\NavFilter\000.fcl entry point in ".vmp2" section [0xB0346050]
    ? C:\Users\Rev\AppData\Local\Temp\mbr.sys
  5. eccle (Topic Starter)

    GMER log (part 2):

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCRTP.exe[1092] kernel32.dll!SetUnhandledExceptionFilter 7790A8C5 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
    .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1748] kernel32.dll!SetUnhandledExceptionFilter 7790A8C5 5 Bytes JMP 10001507 c:\program files\kingsoft\kingsoft antivirus\kdump.dll (Kingsoft Antivirus Dump Collect Library/Kingsoft Corporation)
    ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2192] C:\Windows\system32\ntdll.dll time/date stamp mismatch; unknown module: secserv.dll
    .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2192] ntdll.dll!NtProtectVirtualMemory 77CB4BA4 5 Bytes JMP 718A1A54 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll (Ushata module/Kaspersky Lab ZAO)
    ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2192] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
    .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2192] user32.dll!SetScrollInfo + 7A8 768E7980 4 Bytes [53, 2A, 8A, 71]
    .text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[2964] kernel32.dll!CreateFileW 7792B0EB 5 Bytes JMP 024BEFA0 C:\Program Files\Common Files\PPLiveNetwork\1.0.1.1919\tipsclient.dll
    .text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[2964] kernel32.dll!CreateFileA 7792D07F 5 Bytes JMP 024BEF40 C:\Program Files\Common Files\PPLiveNetwork\1.0.1.1919\tipsclient.dll
    .text C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe[2964] USER32.dll!ShowWindow 768DCA10 5 Bytes JMP 024BED90 C:\Program Files\Common Files\PPLiveNetwork\1.0.1.1919\tipsclient.dll
    .text C:\Program Files\kingsoft\kingsoft antivirus\kxetray.exe[3096] kernel32.dll!SetUnhandledExceptionFilter 7790A8C5 5 Bytes JMP 02BC1507 C:\Program Files\kingsoft\kingsoft antivirus\kdump.dll (Kingsoft Antivirus Dump Collect Library/Kingsoft Corporation)
    .text C:\Program Files\kingsoft\kingsoft antivirus\kxetray.exe[3096] SHELL32.dll!ShellExecuteW 76C29725 5 Bytes JMP 0040ABA1 C:\Program Files\kingsoft\kingsoft antivirus\kxetray.exe (????2012/Kingsoft Corporation)
    .text C:\Program Files\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe[3136] kernel32.dll!SetUnhandledExceptionFilter 7790A8C5 5 Bytes JMP 69D01000 C:\Program Files\CyberLink\PowerDVD12\Common\Boomerang\BoomerangLib.dll (BoomerangLib.dll/CyberLink Corp.)
    ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[4152] C:\Windows\system32\ntdll.dll time/date stamp mismatch; unknown module: secserv.dll
    .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[4152] ntdll.dll!NtProtectVirtualMemory 77CB4BA4 5 Bytes JMP 718A1A54 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll (Ushata module/Kaspersky Lab ZAO)
    ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[4152] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
    .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[4152] user32.dll!SetScrollInfo + 7A8 768E7980 4 Bytes [53, 2A, 8A, 71]
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] kernel32.dll!SetUnhandledExceptionFilter 7790A8C5 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] ADVAPI32.dll!RegOpenKeyExA 76617C42 5 Bytes JMP 308B0520 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] ADVAPI32.dll!RegOpenKeyExW 76627BA1 5 Bytes JMP 308B05E0 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] GDI32.dll!CreateFontIndirectW 77E396B9 5 Bytes JMP 308D6490 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] GDI32.dll!CreateFontW 77E3BDE7 5 Bytes JMP 308D6430 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!InvalidateRgn 768D8F3B 5 Bytes JMP 30856030 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!ShowWindow 768DCA10 5 Bytes JMP 30854E10 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!SetScrollRange 768DD185 5 Bytes JMP 308EE0F0 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!GetUpdateRect 768DD3E0 5 Bytes JMP 30855CD0 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!GetScrollInfo 768DF073 7 Bytes JMP 308EDFC0 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!ShowScrollBar 768DF8AE 3 Bytes JMP 308EE140 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!ShowScrollBar + 4 768DF8B2 1 Byte [BA]
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!CreateWindowExW 768E1305 5 Bytes JMP 30854F40 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!SetWindowLongW 768E13B4 5 Bytes JMP 30854EE0 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!SetWindowPos 768E35E3 5 Bytes JMP 30854E70 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!SetScrollInfo 768E71D8 7 Bytes JMP 308EE070 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!DestroyWindow 768E7FB6 5 Bytes JMP 30855D80 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!InvalidateRect 768E9062 5 Bytes JMP 30855FF0 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!BeginPaint 768EA2A3 5 Bytes JMP 30855D20 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!EnableScrollBar 768FAF53 7 Bytes JMP 308EDF80 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!ValidateRgn 76900B29 5 Bytes JMP 30855150 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!ValidateRect 769015C8 5 Bytes JMP 30855140 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!GetScrollPos 7690337D 5 Bytes JMP 308EE000 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!GetScrollRange 769034A5 5 Bytes JMP 308EE030 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQMusic\QQMusic.exe[4248] USER32.dll!SetScrollPos 76903602 5 Bytes JMP 308EE0B0 C:\Program Files\Tencent\QQMusic\GF.dll (QQMusic/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] kernel32.dll!SetUnhandledExceptionFilter 7790A8C5 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] ADVAPI32.dll!RegOpenKeyExA 76617C42 5 Bytes JMP 30901920 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] ADVAPI32.dll!RegOpenKeyExW 76627BA1 5 Bytes JMP 30909BE0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] GDI32.dll!CreateFontIndirectW 77E396B9 5 Bytes JMP 30880DD0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] GDI32.dll!CreateFontW 77E3BDE7 5 Bytes JMP 30880D70 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!InvalidateRgn 768D8F3B 5 Bytes JMP 30855D10 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!ShowWindow 768DCA10 5 Bytes JMP 30854AC0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!SetScrollRange 768DD185 5 Bytes JMP 30950540 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!GetUpdateRect 768DD3E0 5 Bytes JMP 30855970 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!GetScrollInfo 768DF073 7 Bytes JMP 30950410 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!ShowScrollBar 768DF8AE 5 Bytes JMP 30950590 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!CreateWindowExW 768E1305 5 Bytes JMP 30854BF0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!SetWindowLongW 768E13B4 5 Bytes JMP 30854B90 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!SetWindowPos 768E35E3 1 Byte [E9]
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!SetWindowPos 768E35E3 5 Bytes JMP 30854B20 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!SetScrollInfo 768E71D8 7 Bytes JMP 309504C0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!DestroyWindow 768E7FB6 5 Bytes JMP 30855A20 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!InvalidateRect 768E9062 5 Bytes JMP 30855CD0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!BeginPaint 768EA2A3 5 Bytes JMP 308559C0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!EnableScrollBar 768FAF53 7 Bytes JMP 309503D0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!ValidateRgn 76900B29 5 Bytes JMP 30854E00 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!ValidateRect 769015C8 5 Bytes JMP 30854DF0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!GetScrollPos 7690337D 5 Bytes JMP 30950450 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!GetScrollRange 769034A5 5 Bytes JMP 30950480 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe[4672] USER32.dll!SetScrollPos 76903602 5 Bytes JMP 30950500 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\GF.dll (QQ2010/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCWebShield.exe[5396] ntdll.dll!NtCreateFile 77CB4244 5 Bytes JMP 10002B10 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\ptrate.dll (QQ????????/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCWebShield.exe[5396] ntdll.dll!NtOpenFile 77CB4A24 5 Bytes JMP 10002B60 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\ptrate.dll (QQ????????/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCWebShield.exe[5396] ntdll.dll!NtQueryAttributesFile 77CB4BC4 5 Bytes JMP 10002BA0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\ptrate.dll (QQ????????/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCWebShield.exe[5396] ntdll.dll!NtQueryFullAttributesFile 77CB4C74 5 Bytes JMP 10002BE0 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\ptrate.dll (QQ????????/Tencent)
    .text C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCWebShield.exe[5396] kernel32.dll!SetUnhandledExceptionFilter 7790A8C5 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] ntdll.dll!NtCreateProcess 77CB4304 5 Bytes JMP 0366A0D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] ntdll.dll!NtCreateProcessEx 77CB4314 5 Bytes JMP 0366A040 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!CreateProcessW 778E1BF3 5 Bytes JMP 0366CA90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!CreateProcessA 778E1C28 5 Bytes JMP 0366C9F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!CopyFileExW 778F0221 7 Bytes JMP 0366A720 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!CopyFileW 778F02A9 5 Bytes JMP 0366A950 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!CreateProcessInternalW 77905477 5 Bytes JMP 0366B400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!CreateProcessInternalA 77908C25 5 Bytes JMP 0366B800 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!LoadLibraryExW 7790927C 5 Bytes JMP 0366AD30 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!LoadLibraryExW + 6 77909282 1 Byte [90]
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!LoadLibraryW 77909400 5 Bytes JMP 0366ABA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!LoadLibraryExA 77909554 5 Bytes JMP 0366AC20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!LoadLibraryA 7790957C 5 Bytes JMP 0366AA10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!CopyFileA 77932653 5 Bytes JMP 0366A7E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!CopyFileExA 77971B59 5 Bytes JMP 0366A5A0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] kernel32.dll!WinExec + 5 779760D4 6 Bytes JMP 0366B1E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] ADVAPI32.dll!RegSetValueExA 76603BEC 7 Bytes JMP 0366E290 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] ADVAPI32.dll!RegQueryValueExA 76617A9D 7 Bytes JMP 0366C340 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] ADVAPI32.dll!RegQueryValueExW 7662765E 7 Bytes JMP 0366C700 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WS2_32.dll!closesocket 77E8330C 5 Bytes JMP 0369C0E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WS2_32.dll!recv 77E8343A 5 Bytes JMP 0369C0B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WS2_32.dll!WSASend 77E84496 5 Bytes JMP 03668830 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WS2_32.dll!send 77E8659B 5 Bytes JMP 03668650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WS2_32.dll!WSAGetOverlappedResult 77E88143 5 Bytes JMP 0369C020 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WS2_32.dll!WSARecv 77E88400 5 Bytes JMP 0369BFF0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] USER32.dll!InSendMessageEx + 4C9 768DE7C8 7 Bytes JMP 5A3CDF63 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] USER32.dll!CreateWindowExW + AA 768E13AF 7 Bytes JMP 5A3CDEF2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] USER32.dll!GetWindowInfo 768E428E 5 Bytes JMP 5A214536 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] USER32.dll!SetMenuItemBitmaps + 71 768F14EE 7 Bytes JMP 5A214B35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] ole32.dll!CoGetClassObject 77B3FAE8 5 Bytes JMP 03698300 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] SHELL32.dll!SHFileOperationW 76C568E8 5 Bytes JMP 0369C3B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] SHELL32.dll!ShellExecuteEx 76E2A292 5 Bytes JMP 0366B9F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] SHLWAPI.dll!SHRegGetUSValueW 779C4F59 5 Bytes JMP 0366C1A0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WININET.dll!HttpOpenRequestA 77A2FBBC 5 Bytes JMP 0366A160 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WININET.dll!InternetConnectW 77A37BA9 5 Bytes JMP 0366A330 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WININET.dll!HttpOpenRequestW 77A37ECA 5 Bytes JMP 0366A290 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WININET.dll!InternetOpenUrlA 77A3FE7B 5 Bytes JMP 0366A3D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5876] WININET.dll!InternetOpenUrlW 77A89219 5 Bytes JMP 0366A500 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
  6. eccle

    eccle TS Member Topic Starter

    GMER log (part 3):

    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtCreateFile + 6 77CB424A 4 Bytes [28, 00, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtCreateFile + B 77CB424F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtCreateKey + 6 77CB428A 4 Bytes [68, 01, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtCreateKey + B 77CB428F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtCreateMutant + 6 77CB42BA 4 Bytes [28, 02, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtCreateMutant + B 77CB42BF 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtCreateSection + 6 77CB433A 4 Bytes [68, 02, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtCreateSection + B 77CB433F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtMapViewOfSection + 6 77CB499A 4 Bytes [A8, 04, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtMapViewOfSection + B 77CB499F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenFile + 6 77CB4A2A 4 Bytes [68, 00, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenFile + B 77CB4A2F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenKey + 6 77CB4A5A 4 Bytes [A8, 01, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenKey + B 77CB4A5F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenMutant + B 77CB4A7F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenProcess + 6 77CB4AAA 1 Byte [28]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenProcess + 6 77CB4AAA 4 Bytes [28, 03, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenProcess + B 77CB4AAF 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenProcessToken + 6 77CB4ABA 1 Byte [68]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenProcessToken + 6 77CB4ABA 4 Bytes [68, 03, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenProcessToken + B 77CB4ABF 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenProcessTokenEx + 6 77CB4ACA 4 Bytes [28, 04, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenProcessTokenEx + B 77CB4ACF 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenSection + 6 77CB4ADA 4 Bytes [A8, 02, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenSection + B 77CB4ADF 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenThread + B 77CB4B1F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenThreadToken + 6 77CB4B2A 1 Byte [E8]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenThreadToken + B 77CB4B2F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenThreadTokenEx + 6 77CB4B3A 4 Bytes [68, 04, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtOpenThreadTokenEx + B 77CB4B3F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtQueryAttributesFile + 6 77CB4BCA 4 Bytes [A8, 00, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtQueryAttributesFile + B 77CB4BCF 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtQueryFullAttributesFile + B 77CB4C7F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtSetInformationFile + 6 77CB515A 4 Bytes [28, 01, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtSetInformationFile + B 77CB515F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtSetInformationThread + 6 77CB51AA 1 Byte [A8]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtSetInformationThread + 6 77CB51AA 4 Bytes [A8, 03, 16, 00]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtSetInformationThread + B 77CB51AF 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ntdll.dll!NtUnmapViewOfSection + B 77CB544F 1 Byte [E2]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] kernel32.dll!CreateProcessW 778E1BF3 5 Bytes JMP 000100B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] kernel32.dll!CreateProcessA 778E1C28 5 Bytes JMP 000100F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] kernel32.dll!OpenEventW 778FC033 5 Bytes JMP 00010070
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] kernel32.dll!CreateEventW 7792B87E 5 Bytes JMP 00010030
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!DeleteObject 77E35A37 5 Bytes JMP 001801B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetDeviceCaps 77E3617F 5 Bytes JMP 001803B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SelectObject 77E362A0 5 Bytes JMP 001805F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SetTextColor 77E3666B 5 Bytes JMP 001809F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SetBkMode 77E36716 5 Bytes JMP 001808B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!DeleteDC 77E368CD 5 Bytes JMP 00180170
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetCurrentObject 77E36B58 5 Bytes JMP 00180370
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SetStretchBltMode 77E37206 5 Bytes JMP 00180670
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SaveDC 77E375BA 5 Bytes JMP 00180570
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!RestoreDC 77E37675 5 Bytes JMP 00180530
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!StretchDIBits 77E378CF 5 Bytes JMP 00180730
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!ExtSelectClipRgn 77E379F8 5 Bytes JMP 001802F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SelectClipRgn 77E37AF9 5 Bytes JMP 001805B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!MoveToEx 77E37C33 5 Bytes JMP 00180470
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!Rectangle 77E37EA9 5 Bytes JMP 00180970
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetTextAlign 77E382E0 5 Bytes JMP 00180D30
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SetTextAlign 77E385CB 5 Bytes JMP 001809B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!ExtTextOutW 77E3872B 5 Bytes JMP 00180930
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetTextMetricsW 77E38A81 5 Bytes JMP 00180DF0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!IntersectClipRect 77E38B64 5 Bytes JMP 001803F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetClipBox 77E39071 5 Bytes JMP 00180330
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SetICMMode 77E394E7 5 Bytes JMP 00180D70
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!CreateDCW 77E3A91D 5 Bytes JMP 001800F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!CreateDCA 77E3AA49 5 Bytes JMP 001800B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!CreateICW 77E3B2E9 5 Bytes JMP 00180130
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetTextFaceW 77E3B637 5 Bytes JMP 00180CF0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetFontData 77E3BA6C 5 Bytes JMP 00180C30
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetTextExtentPoint32W 77E3C01A 5 Bytes JMP 00180630
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SetWorldTransform 77E3C46A 5 Bytes JMP 001806B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!LineTo 77E3C65E 5 Bytes JMP 00180430
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetTextMetricsA 77E3CCEB 5 Bytes JMP 00180DB0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!ExtTextOutA 77E400A5 5 Bytes JMP 001808F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!ExtEscape 77E422A7 5 Bytes JMP 001802B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!Escape 77E427F1 5 Bytes JMP 00180270
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!ResetDCW 77E43132 5 Bytes JMP 00180A70
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!EndPage 77E4375E 5 Bytes JMP 00180230
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SetPolyFillMode 77E461D3 5 Bytes JMP 00180AF0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SetMiterLimit 77E462E2 5 Bytes JMP 00180B30
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetTextFaceA 77E4F4C5 5 Bytes JMP 00180CB0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!GetGlyphOutlineW 77E5A41F 5 Bytes JMP 00180C70
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!CreateScalableFontResourceW 77E5C88B 5 Bytes JMP 00180B70
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!AddFontResourceW 77E5CC93 5 Bytes JMP 00180BB0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!RemoveFontResourceW 77E5D129 5 Bytes JMP 00180BF0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!AbortDoc 77E62CC4 5 Bytes JMP 00180030
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!EndDoc 77E630D8 5 Bytes JMP 001801F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!StartPage 77E631C3 5 Bytes JMP 001806F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!StartDocW 77E63CA7 5 Bytes JMP 001807B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!BeginPath 77E64465 5 Bytes JMP 001807F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!SelectClipPath 77E644BC 5 Bytes JMP 00180AB0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!CloseFigure 77E64517 5 Bytes JMP 00180070
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!EndPath 77E6456E 5 Bytes JMP 00180A30
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!StrokePath 77E647A0 5 Bytes JMP 00180770
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!FillPath 77E6482C 1 Byte [E9]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!FillPath 77E6482C 5 Bytes JMP 00180830
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!PolylineTo 77E64C95 5 Bytes JMP 001804F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!PolyBezierTo 77E64D25 5 Bytes JMP 001804B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] GDI32.dll!PolyDraw 77E64DD6 5 Bytes JMP 00180870
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!SetCursor 768DD37D 5 Bytes JMP 00190530
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!RegisterClipboardFormatW 768DD6AC 1 Byte [E9]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!RegisterClipboardFormatW 768DD6AC 3 Bytes JMP 001902B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!RegisterClipboardFormatW + 4 768DD6B0 1 Byte [89]
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!ActivateKeyboardLayout 768E478C 5 Bytes JMP 001904F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!IsWindowVisible 768E878A 7 Bytes JMP 001906B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!MonitorFromWindow 768E88D4 4 Bytes JMP 00190630
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!MonitorFromWindow + 5 768E88D9 2 Bytes [CC, CC] {INT 3 ; INT 3 }
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!ScreenToClient 768E8C56 7 Bytes JMP 00190670
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetClientRect 768E8F0D 7 Bytes JMP 001905B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetParent 768E90AA 7 Bytes JMP 001906F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!RegisterClipboardFormatA 768EA111 5 Bytes JMP 001902F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!PostMessageW 768EA175 5 Bytes JMP 001905F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!MapWindowPoints 768EA30D 5 Bytes JMP 00190570
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetClipboardFormatNameA 768EA552 5 Bytes JMP 00190270
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetOpenClipboardWindow 768F26A6 5 Bytes JMP 001903F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!SetClipboardViewer 768FBA2D 5 Bytes JMP 001904B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!IsClipboardFormatAvailable 768FC2E3 5 Bytes JMP 001900F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!CloseClipboard 768FC2F7 5 Bytes JMP 001900B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!OpenClipboard 768FC31D 5 Bytes JMP 00190070
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetTopWindow 768FCE0A 7 Bytes JMP 00190730
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetClipboardSequenceNumber 768FD8B7 5 Bytes JMP 00190330
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!ChangeClipboardChain 768FDF83 5 Bytes JMP 00190430
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!CountClipboardFormats 76900048 5 Bytes JMP 001901F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetClipboardOwner 769026EF 5 Bytes JMP 00190370
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!SetClipboardData 76916410 5 Bytes JMP 00190170
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!EnumClipboardFormats 76916D16 5 Bytes JMP 001901B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!SetCursorPos 76916FB2 5 Bytes JMP 00190770
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetClipboardData 7691715A 5 Bytes JMP 00190030
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetClipboardFormatNameW 7691A99F 5 Bytes JMP 00190230
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!EmptyClipboard 7693398B 5 Bytes JMP 00190130
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetClipboardViewer 769339ED 5 Bytes JMP 00190470
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] USER32.dll!GetPriorityClipboardFormat 76933AEF 5 Bytes JMP 001903B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] Secur32.dll!FreeContextBuffer 76342D83 5 Bytes JMP 002B00F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] Secur32.dll!DeleteSecurityContext 76342F18 5 Bytes JMP 002B0270
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] Secur32.dll!FreeCredentialsHandle 76343598 5 Bytes JMP 002B0130
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] Secur32.dll!EncryptMessage 76343745 5 Bytes JMP 002B01F0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] Secur32.dll!DecryptMessage 76343813 5 Bytes JMP 002B0230
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] Secur32.dll!InitializeSecurityContextA 763487DF 5 Bytes JMP 002B0170
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] Secur32.dll!AcquireCredentialsHandleA 76348A43 5 Bytes JMP 002B0030
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] Secur32.dll!QueryContextAttributesA 76348E77 5 Bytes JMP 002B0070
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] Secur32.dll!ApplyControlToken 7634DE4F 5 Bytes JMP 002B01B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] Secur32.dll!QueryCredentialsAttributesA 7634E052 5 Bytes JMP 002B00B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ole32.dll!OleGetClipboard 77B774C9 5 Bytes JMP 002C00B0
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ole32.dll!OleSetClipboard 77BA11E3 5 Bytes JMP 002C0030
    .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[6520] ole32.dll!OleIsCurrentClipboard 77BAA8F9 5 Bytes JMP 002C0070
  7. eccle

    eccle TS Member Topic Starter

    GMER log (last part):

    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] ntdll.dll!LdrLoadDll 77C79378 5 Bytes JMP 5A0C0C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] ntdll.dll!NtCreateProcess 77CB4304 5 Bytes JMP 03FCA0D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] ntdll.dll!NtCreateProcessEx 77CB4314 5 Bytes JMP 03FCA040 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!CreateProcessW 778E1BF3 5 Bytes JMP 03FCCA90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!CreateProcessA 778E1C28 5 Bytes JMP 03FCC9F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!CopyFileExW 778F0221 7 Bytes JMP 03FCA720 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!CopyFileW 778F02A9 5 Bytes JMP 03FCA950 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!MoveFileWithProgressW 7790113C 5 Bytes JMP 03FFC290 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!CreateProcessInternalW 77905477 5 Bytes JMP 03FCB400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!CreateProcessInternalA 77908C25 5 Bytes JMP 03FCB800 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!LoadLibraryExW 7790927C 5 Bytes JMP 03FCAD30 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!LoadLibraryExW + 6 77909282 1 Byte [90]
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!LoadLibraryW 77909400 5 Bytes JMP 03FCABA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!LoadLibraryExA 77909554 5 Bytes JMP 03FCAC20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!LoadLibraryA 7790957C 5 Bytes JMP 03FCAA10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!HeapSetInformation + 26 7790A8C0 7 Bytes JMP 5A0C3FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!ExitProcess 779243F4 5 Bytes JMP 5BF698A4 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSWebMon.dat
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!LockResource + C 77926B0B 7 Bytes JMP 5A2F7B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!VirtualAllocEx + 54 7792AF70 7 Bytes JMP 5A2F7B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!CopyFileA 77932653 5 Bytes JMP 03FCA7E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!CopyFileExA 77971B59 5 Bytes JMP 03FCA5A0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] kernel32.dll!WinExec + 5 779760D4 6 Bytes JMP 03FCB1E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] GDI32.dll!SetStretchBltMode + 256 77E3745C 7 Bytes JMP 5A2F7AAA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WS2_32.dll!closesocket 77E8330C 5 Bytes JMP 03FFC0E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WS2_32.dll!recv 77E8343A 5 Bytes JMP 03FFC0B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WS2_32.dll!WSASocketW 77E834EB 7 Bytes JMP 5BF63EE4 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSWebMon.dat
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WS2_32.dll!WSASend 77E84496 5 Bytes JMP 03FC8830 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WS2_32.dll!send 77E8659B 5 Bytes JMP 03FC8650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WS2_32.dll!WSAGetOverlappedResult 77E88143 5 Bytes JMP 03FFC020 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WS2_32.dll!WSARecv 77E88400 5 Bytes JMP 03FFBFF0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WS2_32.dll!WSAAsyncSelect 77E9A17C 5 Bytes JMP 5BF64033 C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\TSWebMon.dat
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] SHELL32.dll!ShellExecuteEx 76E2A292 5 Bytes JMP 03FCB9F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WININET.dll!HttpOpenRequestA 77A2FBBC 5 Bytes JMP 03FCA160 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WININET.dll!InternetConnectW 77A37BA9 5 Bytes JMP 03FCA330 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WININET.dll!HttpOpenRequestW 77A37ECA 5 Bytes JMP 03FCA290 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WININET.dll!InternetOpenUrlA 77A3FE7B 5 Bytes JMP 03FCA3D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[7588] WININET.dll!InternetOpenUrlW 77A89219 5 Bytes JMP 03FCA500 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Windows\explorer.exe[7928] kernel32.dll!CreateProcessW 778E1BF3 5 Bytes JMP 02ADCB50 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Windows\explorer.exe[7928] kernel32.dll!CreateProcessInternalW 77905477 5 Bytes JMP 02ADB400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Windows\explorer.exe[7928] kernel32.dll!CreateProcessInternalA 77908C25 5 Bytes JMP 02ADB800 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Windows\explorer.exe[7928] ADVAPI32.dll!RegSetValueExA 76603BEC 7 Bytes JMP 02ADE290 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Windows\explorer.exe[7928] ADVAPI32.dll!RegQueryValueExA 76617A9D 7 Bytes JMP 02ADC340 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Windows\explorer.exe[7928] ADVAPI32.dll!RegQueryValueExW 7662765E 7 Bytes JMP 02ADC700 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Windows\explorer.exe[7928] SHLWAPI.dll!SHRegGetUSValueW 779C4F59 5 Bytes JMP 02ADC1A0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Windows\explorer.exe[7928] SHELL32.dll!ShellExecuteExW 76C7C155 5 Bytes JMP 02ADB2A0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Windows\explorer.exe[7928] SHELL32.dll!ShellExecuteExW + 18DF 76C7DA34 4 Bytes [04, 00, A5, 00]
    .text C:\Windows\explorer.exe[7928] SHELL32.dll!ShellExecuteExW + 29C5 76C7EB1A 5 Bytes JMP 02AD7B40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)
    .text C:\Windows\explorer.exe[7928] SHELL32.dll!SHEnumerateUnreadMailAccountsW + 12A4 76E04322 5 Bytes JMP 02B0C3D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll (Kingsoft Webshield Module/Kingsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs kisknl.sys
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys (Network filtering component/Kaspersky Lab)
    AttachedDevice \Driver\tdx \Device\Udp kltdi.sys (Network filtering component/Kaspersky Lab)
    AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys (Network filtering component/Kaspersky Lab)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d142b9
    Reg HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Linkage@Bind ???u?*??? ???????'?????????????#?????????????????????9?9?8???*?+?)???+???(??????????????? ???(???B??????????? ???????????????????'?=??????"???4??????????8???8?8?o???????$???????????5?5?????@?@?@???)?)????????????????????l?????????????????????????????????????????????????????????????????????????????????????????????????????????????????&????????????????????????????????????? ???????????????????MSAFD RfComm [Bluetooth]????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????DE??? ???????(?????????????k???????????? ???????????MSAFD NetBIOS [\Device\NetBT_Tcpip6_{D75A461E-86CB-4CFF-B384-E67DA448450E}] SEQPACKET 38?????????(??????????ir?????(????ndis5????8?8?????????????(???????e??umbus???monitor.inf:Generic.NTx86:pnPMonitor.Install:6.0.6001.18000:*pnp09ff?T???????(???n???e??monitor?Bi??? (??(???:?????ows??Generic PnP Monitor??(???(?(?(?(?(?(?(?
    Reg HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Linkage@Route ???`?S???????5???.??2 ??tap0901?????????????? ???5??????????????9-2-2010????? b??5???I?????? o?????9???9?????????5??????? ???????:?@???????????5?=???????????????????????????????????? ????????????????????????????????????????? ??????????? ??????????? ??????????? ????????????????????????????????????????????????????9???$???????????????9???_?????????????????????????????????5?????????????????????5?5????? ???????5???????????(?#???????????????????????5?????????????9???????????5???????????5?5{3??? "??5???5?????-80??ZTEportInstall6k?5??? ???????5?????5???????#???????????????????????7?????7?7????????? ???????5???????????+?#????????"??????????????5??????????????????????"??5??????????ZTEportInstall6k?o??? ???5??? ???????5??.NT??????????????5???5??? ???????5?????5???????#????????????????????? ???????5???????????1?#???????????????????????5?????????????????????????5??????????.NT??5???? ??5???s??????in??ZTE Corporation?????? ???????5?????5???????#??????????????????????????????????????8??7???????????5??????????????H??????????
    Reg HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Linkage@Export ???:?R???$?'?$??? ???????$?????????????#????????????????????????? ?????????????!???????%????????????(???????????????????????? ???????!?????$???????%??"???&??????????????1??? ???????T?????\Vo??? ????????????? ???????#?????????????????????5?5e????????!??? ?????????nd-??@system32\drivers\pci.sys,#65536;PCI bus %1, device %2, function %3;(0,28,1)????????????????????n???? ???????!??????????? ?%??????"?????????????? ???????!?????5???????%??(??????????????????????????????! ???????????r??!????????<???????????????@???????????????@???????????????????????????????D???????????????D?????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ???!??????????????PCI\VEN_8086&DEV_2841&SUBSYS_2F131509&REV_03?PCI\VEN_8086&DEV_2841&SUBSYS_2F131509?PCI\VEN_8086&DEV_2841&CC_060400?PCI\VEN_8086&DEV_2841&CC_0604????? ???!???????????!????N??!????????Da27??{4d36e97d-e325-11ce-bfc1-08002be10318}?b?????????????????????????????$???!???h???????5??????????????????? ???d???????????????!?
    Reg HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Linkage@Export ???)?w???R?R?R??? ???????)???????????'?#?????????????????????????????)?+?????)??????????????? ???????????????????'?=??????"???@??????????????????)???????????)??{4d36e972-e325-11ce-bfc1-08002be10318}???????????)??? ??s???tap0901??3??MSAFD NetBIOS [\Device\NetBT_Tcpip6_{F87C35FB-BFC1-4BEE-A946-270B6E7A2B36}] DATAGRAM 43??????????)???????????????y?y????????????????????l???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????MSAFD NetBIOS [\Device\NetBT_Tcpip_{D07CA303-EB17-441D-A99B-D9C43DBFD8B3}] DATAGRAM 35??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ???????????????????'?=??????"???IO????????ce??MSAFD NetBIOS [\Device\NetBT_Tcpip6_{782059DC-DB02-4015-B2BD-8D7CD8CFBE10}] DATAGRAM 51??'??? ???????????????????'?=??????"?????????????? ??? ???????????????????'?=??????"????
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060d142b9 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\LanmanServer\Linkage@Bind ???U?????????V??????p?????????????????????8??U????????h??????????V?????????n?????????????.???????????I?????????????g??????$??V?????????e????@%systemroot%\system32\drivers\dfsc.sys,-101?????W?W?U?????V?U???????U?????????????g????File System Filter Manager Driver???Microsoft UAA Function Driver for High Definition Audio Service?ice?al??Microsoft UAA Bus Driver for High Definition Audio???????? ??>?????????e????????????????????i8042 Keyboard and PS/2 Mouse Port Driver??????U?`???????????????????????????U???R?????eDa????????????????????????8??U????????h??????????????????????????r?r?????????????????????n??????system32\DRIVERS\lltdio.sys?????????????????????????USB??l???????????????d???????V???????????????j???????????U???e?f???????V?????????????????????????V???????V???????????V??????????????FAT12/16/32 File System Driver???????????????????????????????????????????????????????????????????????????????????r?r??????:??o?????????;??????P??????o??????????k ???U?????V????????????????k ??FltMgr???????????????n?????????????
    Reg HKLM\SYSTEM\ControlSet003\Services\LanmanServer\Linkage@Route ???U?`???????????????????????????U???R?????eDa????????????????????????8??U????????h??????????????????????????r?r?????????????????????n??????system32\DRIVERS\lltdio.sys?????????????????????????USB??l???????????????d???????V???????????????j???????????U???e?f???????V?????????????????????????V???????V???????????V??????????????FAT12/16/32 File System Driver???????????????????????????????????????????????????????????????????????????????????r?r??????:??o?????????;??????P??????o??????????k ???U?????V????????????????k ??FltMgr???????????????n???????????????????????????I?I?l???????????U?U?U?U?U?U?l????T??U?????????e?????k?n?????r?r?R??rt???_?_?_??USBSTOR??!??????????????s???system32\DRIVERS\HDAudBus.sys?daudbus.sys???This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start.???????????????????????????a?oTD??system32\DRIVERS\i8042prt.sys?8042prt.sys?????8??V???????????????????U???m??pa??????????????????system32\DRIVERS\iaStor
    Reg HKLM\SYSTEM\ControlSet003\Services\LanmanServer\Linkage@Export ???V?????????????????????????V???????V???????????V??????????????FAT12/16/32 File System Driver???????????????????????????????????????????????????????????????????????????????????r?r??????:??o?????????;??????P??????o??????????k ???U?????V????????????????k ??FltMgr???????????????n???????????????????????????I?I?l???????????U?U?U?U?U?U?l????T??U?????????e?????k?n?????r?r?R??rt???_?_?_??USBSTOR??!??????????????s???system32\DRIVERS\HDAudBus.sys?daudbus.sys???This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start.???????????????????????????a?oTD??system32\DRIVERS\i8042prt.sys?8042prt.sys?????8??V???????????????????U???m??pa??????????????????system32\DRIVERS\iaStor.sys?????????????????t???UAC File Virtualization?????????????????t???system32\DRIVERS\tdx.sys?vers\tdx.sys?????`??e?????????e????Mouse Class Driver???????????????@???????????????R?grt??Pointer Class??????g?k??volume_snapshot_install??V??nettun.inf???V????0??V?
    Reg HKLM\SYSTEM\ControlSet003\Services\LanmanWorkstation\Linkage@Export ???V???????????????????????????????g?????V?V?V?V?V?Vs???system32\DRIVERS\intelppm.sys?ntelppm.sys???PNP_TDI?S???????????????t????????????????????V?V?V?V?V?V?V?????????????g????????????? J??o????????????????:??V????????h?????system32\DRIVERS\msiscsi.sys?msiscsi.sys????????????????????????????????????t????????V???6???V???A?U?U?U?U?V?V???V??? N??]??????????e????U?U?V?U?V?V?U???????V??????????????@o?????W???????????????g?S??text?????V??????????????? ???V???U??????????9.0.0.8?????Microsoft Composite Battery Driver??????s???????0??????????????V?7??1500?V????V??V???y?g????Controls the underlying video driver stacks to provide fully-featured display capabilities.??????????????????????????]?]?a??????????????t???Type?????_?_?V??Keyboard Port????????????????????????????????????????????????????????????U???????????????????????????f?f??????2??V????????h??????[?f?????u?u?u??ReadyBoost Caching Driver????????U??????????????????????????????t???RPCSS????????????V??????p?????$??V?????????n?????????????????e???Z?[?V?????V????Sys

    ---- Files - GMER 1.0.15 ----

    File C:\Users\Rev\AppData\Roaming\Microsoft\Windows\Cookies\3O7OO1NY.txt 0 bytes

    ---- EOF - GMER 1.0.15 ----
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    AdwCleaner Fix
    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.


    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  9. eccle

    eccle TS Member Topic Starter

    Dragon Master Jay! Thanks a lot for your help! I ran ComboFix and here's the log:

    ComboFix 12-09-16.01 - Rev 09/17/2012 19:50:44.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.816 [GMT 8:00]
    Running from: c:\users\Rev\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\favoritevideo\InvisibleFolder
    c:\favoritevideo\InvisibleFolder\20110930151327_vasmoren110930zanting.jpg
    c:\favoritevideo\InvisibleFolder\20111201095443_wopaiwang111201zanting.swf
    c:\favoritevideo\InvisibleFolder\20120202101934_yinyueyazhou120202zhuzt.jpg
    c:\favoritevideo\InvisibleFolder\20120229175439_pinganchexian120229qipao.swf
    c:\favoritevideo\InvisibleFolder\20120424183332_vip120424zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120504183218_jielin120505jiaobiao.swf
    c:\favoritevideo\InvisibleFolder\20120517145403_shengyu120517vipzhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120517145435_shengyu120517buhuiainizhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120706114522_pingan120301zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120718105311_jianeng120718fucheng.swf
    c:\favoritevideo\InvisibleFolder\20120725103948_haizeiwang120725zanting.swf
    c:\favoritevideo\InvisibleFolder\20120801111630_olay120801zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120807151521_tgc120808zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120809110901_libai120809zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120816144904_admasten120816zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120817180427_volos60120817cha15s.swf
    c:\favoritevideo\InvisibleFolder\20120817181153_volos80120817cha15s.swf
    c:\favoritevideo\InvisibleFolder\20120820105151_daxiazhuan120820zhuhc1.swf
    c:\favoritevideo\InvisibleFolder\20120820105238_daxiazhuan120820zhuhc2.swf
    c:\favoritevideo\InvisibleFolder\20120820105322_daxiazhuan120820zhuhc3.swf
    c:\favoritevideo\InvisibleFolder\20120820105656_daxiazhuan120820yxqp1.swf
    c:\favoritevideo\InvisibleFolder\20120820105758_daxiazhuan120820yxqp2.swf
    c:\favoritevideo\InvisibleFolder\20120820105838_daxiazhuan120820yxqp3.swf
    c:\favoritevideo\InvisibleFolder\20120820112658_zhongqinglv120820zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120820123816_kelaisile120820zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120820124022_kelaisile120820zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120821112943_lianxiang120821zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120821163458_lafang120821zhuzt1.swf
    c:\favoritevideo\InvisibleFolder\20120822132542_yunying120823zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120822153051_kelaisile120822fuceng.swf
    c:\favoritevideo\InvisibleFolder\20120823113415_yulongzaitian120826zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120823113539_yulongzaitian120826zanting.swf
    c:\favoritevideo\InvisibleFolder\20120823172518_aimoli120823fuceng.swf
    c:\favoritevideo\InvisibleFolder\20120824101202_fenzong1200w120824zhufuceng.swf
    c:\favoritevideo\InvisibleFolder\20120824103244_fenzhong800w120824zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120824103353_fenzhong800w120824zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120824170717_tongyisucaig120826zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120824170818_tongyisucaig120826zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120827104618_mabao120827zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120827130828_haierpm120827zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120827134946_baiduyouxi120827zhu15snew.swf
    c:\favoritevideo\InvisibleFolder\20120827152300_tongyisucaih120828zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120827152404_tongyisucaih120828zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120827155611_mabao120827zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120828104002_boshi120828zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120828104057_boshi120828zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120830120658_ruizhu120830zhufuceng.swf
    c:\favoritevideo\InvisibleFolder\20120830121015_qunaer120830zanting.swf
    c:\favoritevideo\InvisibleFolder\20120830165632_fenzon120830qipao.swf
    c:\favoritevideo\InvisibleFolder\20120830180611_lafang120830zanting.swf
    c:\favoritevideo\InvisibleFolder\20120831112108_xinmenghuanzhicheng120831zhuhc1.swf
    c:\favoritevideo\InvisibleFolder\20120831112214_xinmenghuanzhicheng120831zhuhc2.swf
    c:\favoritevideo\InvisibleFolder\20120831112524_xinmenghuanzhicheng120831zhuhc3.swf
    c:\favoritevideo\InvisibleFolder\20120831112758_xinmenghuanzhicheng120831qipao1.swf
    c:\favoritevideo\InvisibleFolder\20120831112850_xinmenghuanzhicheng120831qipao2.swf
    c:\favoritevideo\InvisibleFolder\20120831112932_xinmenghuanzhicheng120831qipao3.swf
    c:\favoritevideo\InvisibleFolder\20120831143652_jianengdv120831zanting.swf
    c:\favoritevideo\InvisibleFolder\20120831164346_niweiya120901zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120831172702_37wan120901zantinga.swf
    c:\favoritevideo\InvisibleFolder\20120831172702_37wan120901zantingb.swf
    c:\favoritevideo\InvisibleFolder\20120831174112_niweina120901fuceng.swf
    c:\favoritevideo\InvisibleFolder\20120831180630_kangshifu120901cha15s.swf
    c:\favoritevideo\InvisibleFolder\20120831182705_jieling120901zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120831183135_jieling120901zhufuceng.swf
    c:\favoritevideo\InvisibleFolder\20120831190546_jilief1120901zhufuceng.swf
    c:\favoritevideo\InvisibleFolder\20120831200608_jilief1120901zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120831202231_jilief1120901zhujiaobiao.jpg
    c:\favoritevideo\InvisibleFolder\20120831202517_jilief1120901zhuteshujiaobiao.jpg
    c:\favoritevideo\InvisibleFolder\20120903101717_shilijia120903zanting.swf
    c:\favoritevideo\InvisibleFolder\20120903160254_kangshifu120903zanting.swf
    c:\favoritevideo\InvisibleFolder\20120903160836_baiduyouxi120904zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120904154829_zuixiyou2fu120904zhuhc1.swf
    c:\favoritevideo\InvisibleFolder\20120904154938_zuixiyou2fu120904zhuhc2.swf
    c:\favoritevideo\InvisibleFolder\20120904155037_zuixiyou2fu120904zhuhc3.swf
    c:\favoritevideo\InvisibleFolder\20120904155344_zuixiyou2fu120904qipao1.swf
    c:\favoritevideo\InvisibleFolder\20120904155441_zuixiyou2fu120904qipao2.swf
    c:\favoritevideo\InvisibleFolder\20120904155558_zuixiyou2fu120904qipao3.swf
    c:\favoritevideo\InvisibleFolder\20120905161725_37wan120906zantinga.swf
    c:\favoritevideo\InvisibleFolder\20120905161725_37wan120906zantingb.swf
    c:\favoritevideo\InvisibleFolder\20120906110143_vip120906zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120906110229_vas120906zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120906113959_tongyisucai120906huanchong.swf
    c:\favoritevideo\InvisibleFolder\20120906114107_tongyisucai120906zanting.swf
    c:\favoritevideo\InvisibleFolder\20120906145904_mingxun120907zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120906150034_mingxun120906zanting.swf
    c:\favoritevideo\InvisibleFolder\20120906150144_mingxun120907cha15s.swf
    c:\favoritevideo\InvisibleFolder\20120906153713_xianluofanchen120907zhuhc1.swf
    c:\favoritevideo\InvisibleFolder\20120906153910_xianluofanchen120907zhuhc3.swf
    c:\favoritevideo\InvisibleFolder\20120906154123_aili120906zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120906154215_aili120906zhufuceng.swf
    c:\favoritevideo\InvisibleFolder\20120906155529_xianluofanchen120907qipao2.swf
    c:\favoritevideo\InvisibleFolder\20120906155633_xianluofanchen120907qipao3.swf
    c:\favoritevideo\InvisibleFolder\20120906155653_xianlufanchen120907qipao1.swf
    c:\favoritevideo\InvisibleFolder\20120906161047_37wan120907zantinga.swf
    c:\favoritevideo\InvisibleFolder\20120906161047_37wan120907zantingb.swf
    c:\favoritevideo\InvisibleFolder\20120907095537_tao800120907zhufuceng.swf
    c:\favoritevideo\InvisibleFolder\20120907101547_guangzhouyayao120907cha15s.swf
    c:\favoritevideo\InvisibleFolder\20120907103103_nizhan120907zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120907103310_nizhan120907zanting.swf
    c:\favoritevideo\InvisibleFolder\20120907143536_shijitiancheng120907yixingqipao.swf
    c:\favoritevideo\InvisibleFolder\20120907160520_480%2b360guding1.swf
    c:\favoritevideo\InvisibleFolder\20120907160613_480%2b360guding2.swf
    c:\favoritevideo\InvisibleFolder\20120907160659_480%2b360guding3.swf
    c:\favoritevideo\InvisibleFolder\20120907161201_tengxun120907zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120907161350_tengxun120907zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120907162520_300%2b250guding1.swf
    c:\favoritevideo\InvisibleFolder\20120907162729_300%2b250guding2.swf
    c:\favoritevideo\InvisibleFolder\20120907162909_300%2b250guding3.swf
    c:\favoritevideo\InvisibleFolder\20120907164005_37wan120908zhuztb.swf
    c:\favoritevideo\InvisibleFolder\20120907164034_37wan120908zhuzta.swf
    c:\favoritevideo\InvisibleFolder\20120907170258_dangdangwang120907zhufuceng.swf
    c:\favoritevideo\InvisibleFolder\20120907172012_tnf120910zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120907172217_haizeiwang120908zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120907173130_rexuehaizeiwang120907zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120907175803_480%2b360guding1.swf
    c:\favoritevideo\InvisibleFolder\20120907175907_480%2b360guding2.swf
    c:\favoritevideo\InvisibleFolder\20120907180802_300%2b250guding1.swf
    c:\favoritevideo\InvisibleFolder\20120907180954_300%2b250guding2.swf
    c:\favoritevideo\InvisibleFolder\20120910094617_jianeng120910fuceng.swf
    c:\favoritevideo\InvisibleFolder\20120910095825_yixunwang120911zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120910111641_langangzaixian120910zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120910111753_langangzaixian120910zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120910161554_ptvliantong120910zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120910161831_ptvliantong120910zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120910162103_ptvliantong120910qipao.swf
    c:\favoritevideo\InvisibleFolder\20120910174212_wangyi120911zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120911100722_dangdangwang120911zhufuceng.swf
    c:\favoritevideo\InvisibleFolder\20120911152153_souhuwangluo120911yixingqipao.swf
    c:\favoritevideo\InvisibleFolder\20120911152354_souhuwangluo120912zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120911153031_aili120911zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120911164444_lafang120911zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120911170305_480%2b360guding1.swf
    c:\favoritevideo\InvisibleFolder\20120911170351_480%2b360guding2.swf
    c:\favoritevideo\InvisibleFolder\20120911170842_300%2b2501.swf
    c:\favoritevideo\InvisibleFolder\20120911170904_300%2b2502.swf
    c:\favoritevideo\InvisibleFolder\20120911170946_300%2b2503.swf
    c:\favoritevideo\InvisibleFolder\20120911182210_37wan120912zantinga.swf
    c:\favoritevideo\InvisibleFolder\20120911182210_37wan120912zantingb.swf
    c:\favoritevideo\InvisibleFolder\20120912094338_wangyi120912zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120912094450_wangyi120912zanting.swf
    c:\favoritevideo\InvisibleFolder\20120912101601_yixunwang120912zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120912142923_baiduyouxi120912zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120912181836_bmwf35120913zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120912182232_bmwf35120913zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120913093030_wangyi120913zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120913093214_wangyi120913zanting.swf
    c:\favoritevideo\InvisibleFolder\20120913093321_wangyi120913qipao.swf
    c:\favoritevideo\InvisibleFolder\20120913094054_qiannvyouhun120913zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120913095828_souhuwangluo120913qipao.swf
    c:\favoritevideo\InvisibleFolder\20120913095941_souhuwangluo120913zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120913141518_songxia120915zanting.swf
    c:\favoritevideo\InvisibleFolder\20120913141732_tengxun120913zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120913142112_tengxun120913zhuzhanting.swf
    c:\favoritevideo\InvisibleFolder\20120913153014_baiduyouxi120914zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120913155614_ailiwang120913fucengguanggao.swf
    c:\favoritevideo\InvisibleFolder\20120913161156_tengxunqqxianlingzhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120914095453_wangyizhanhun120914zhuhuanchong15S.swf
    c:\favoritevideo\InvisibleFolder\20120914095824_wangyizhanhunzhuzhanting.swf
    c:\favoritevideo\InvisibleFolder\20120914102052_tengxunLOL120914zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120914102332_dadiyuanxian120914zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120914102350_tengxunLOL120914zhuzanting.swf
    c:\favoritevideo\InvisibleFolder\20120914102630_tengxunLOL120914zhuqipao.swf
    c:\favoritevideo\InvisibleFolder\20120914102837_dianxin120914zanting.swf
    c:\favoritevideo\InvisibleFolder\20120914104455_beijinglanqiu120915zhu15s.swf
    c:\favoritevideo\InvisibleFolder\20120914115934_480%2b360.swf
    c:\favoritevideo\InvisibleFolder\20120914120027_400%2b300.swf
    c:\favoritevideo\InvisibleFolder\20120914140502_ailiwang120914fuceng.swf
    c:\favoritevideo\InvisibleFolder\20120914152602_vas120914zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120914163515_tengxunxuanyuanchuanqi120917zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120914163646_tengxunxueyuanjian120917zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120914170238_tongyisucaiJ120914zhu.swf
    c:\favoritevideo\InvisibleFolder\20120914172539_feilipu120914fucengbu.swf
    c:\favoritevideo\InvisibleFolder\20120914180754_boshi120917zhuhc.swf
    c:\favoritevideo\InvisibleFolder\20120914181839_huadi120914zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120917095847_tengxun120917zhuhuanchong15s.swf
    c:\favoritevideo\InvisibleFolder\20120917100023_lol120917zhuzt.swf
    c:\favoritevideo\InvisibleFolder\20120917101003_lol120917yixingqipao.swf
    c:\favoritevideo\InvisibleFolder\20120917150711_kasadi120917cha15s.swf
    c:\favoritevideo\InvisibleFolder\20120917163815_37wan120918zhuzantingA.swf
    c:\favoritevideo\InvisibleFolder\20120917163815_37wan120918zhuzantingB.swf
    c:\favoritevideo\InvisibleFolder\logclient.dll
    c:\favoritevideo\InvisibleFolder\peer.dll
    c:\favoritevideo\InvisibleFolder\pplss2.swf
    c:\favoritevideo\InvisibleFolder\pptvcodecsetup2.exe
    c:\favoritevideo\InvisibleFolder\realmediasplitter.ax
    c:\favoritevideo\InvisibleFolder\tipsbubble(0).dll
    c:\favoritevideo\InvisibleFolder\tipsbubble.dll
    c:\favoritevideo\InvisibleFolder\tipsclient(0).dll
    c:\favoritevideo\InvisibleFolder\tipsclient.dll
    c:\favoritevideo\InvisibleFolder\tipsdone.dll
    c:\programdata\Roaming
    c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
    c:\users\Rev\AppData\Roaming\sysdirec.dll
    c:\programdata\Microsoft\Windows\Start Menu\?????????? .lnk . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-17 to 2012-09-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-17 12:05 . 2012-09-17 12:11 -------- d-----w- c:\users\Rev\AppData\Local\temp
    2012-09-17 12:05 . 2012-09-17 12:05 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-17 11:58 . 2012-09-17 11:58 0 ----a-w- c:\windows\system32\mmmuaeua.dll
    2012-09-17 11:58 . 2012-09-17 11:58 0 ----a-w- c:\windows\system32\ati2paag.dll
    2012-09-17 11:25 . 2012-09-17 11:25 -------- d-----w- c:\windows\system32\IconDir
    2012-09-15 17:04 . 2012-09-15 17:04 -------- d-----w- c:\users\Rev\AppData\Local\Macromedia
    2012-09-15 16:47 . 2012-09-15 16:47 -------- d-----w- c:\users\Rev\AppData\Local\VS Revo Group
    2012-09-15 16:47 . 2009-12-30 03:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2012-09-15 16:47 . 2012-09-15 16:47 -------- d-----w- c:\program files\VS Revo Group
    2012-09-14 13:51 . 2012-09-14 13:51 -------- d-----w- c:\program files\Kaspersky Lab
    2012-09-14 13:51 . 2012-09-17 12:11 -------- d-----w- c:\programdata\Kaspersky Lab
    2012-09-14 13:49 . 2012-08-13 10:24 75096 ----a-w- c:\windows\system32\drivers\klflt.sys
    2012-09-14 10:22 . 2012-09-14 10:22 -------- d-----w- c:\users\Rev\AppData\Roaming\Wandoujia2
    2012-09-10 16:25 . 2012-09-12 03:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2012-09-10 13:33 . 2012-09-15 01:37 -------- d-----w- c:\programdata\Symantec
    2012-09-10 13:33 . 2012-09-15 01:37 -------- d-----w- c:\programdata\Norton
    2012-09-10 12:35 . 2012-09-10 12:35 22016 ----a-w- c:\windows\system32\drivers\Ndisrd.sys
    2012-09-08 02:55 . 2012-09-08 02:55 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
    2012-09-06 14:19 . 2012-09-06 14:19 61440 ----a-r- c:\users\Rev\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
    2012-09-06 14:19 . 2012-09-06 14:19 61440 ----a-r- c:\users\Rev\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\ARPPRODUCTICON.exe
    2012-09-06 14:19 . 2012-09-06 14:19 106496 ----a-r- c:\users\Rev\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
    2012-09-06 14:19 . 2012-09-06 14:19 106496 ----a-r- c:\users\Rev\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
    2012-09-06 14:19 . 2012-09-06 14:19 106496 ----a-r- c:\users\Rev\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
    2012-09-06 05:20 . 2012-09-06 05:20 -------- d-----w- c:\users\Rev\AppData\Local\visi_coupon
    2012-09-06 00:34 . 2012-09-06 06:51 -------- d-----w- c:\programdata\Yahoo! Companion
    2012-09-05 23:59 . 2012-09-17 08:54 -------- d-----w- c:\users\Rev\AppData\Roaming\Skype
    2012-09-05 23:59 . 2012-09-05 23:59 -------- d-----w- c:\program files\Common Files\Skype
    2012-09-05 23:59 . 2012-09-05 23:59 -------- d-----r- c:\program files\Skype
    2012-09-05 23:59 . 2012-09-05 23:59 -------- d-----w- c:\programdata\Skype
    2012-09-05 11:35 . 2012-09-05 23:45 737280 ----a-w- c:\windows\iun6002.exe
    2012-09-05 11:35 . 2012-09-05 23:45 -------- d-----w- c:\program files\L2TPHelp
    2012-09-04 06:18 . 2012-09-04 06:18 -------- d-----w- C:\PPDownload
    2012-09-04 06:08 . 2012-09-04 06:08 -------- d-----w- c:\program files\Microsoft Silverlight
    2012-09-04 05:59 . 2012-09-17 12:05 -------- d-----w- C:\FavoriteVideo
    2012-09-04 05:59 . 2012-09-04 06:11 -------- d-----w- c:\programdata\Jlcm
    2012-09-04 05:58 . 2012-09-04 06:10 -------- d-----w- c:\users\Rev\AppData\Roaming\PPLive
    2012-09-04 05:58 . 2012-09-04 05:59 -------- d-----w- c:\programdata\PPLive
    2012-09-04 05:58 . 2012-09-04 05:58 -------- d-----w- c:\program files\Common Files\PPLiveNetwork
    2012-09-04 05:58 . 2012-09-04 05:58 -------- d-----w- c:\program files\PPLive
    2012-09-04 05:45 . 2012-09-06 00:06 -------- d-----w- C:\KRECYCLE
    2012-09-04 05:45 . 2012-09-09 01:46 -------- d-----w- c:\users\Rev\AppData\Roaming\Kingsoft
    2012-09-04 05:45 . 2012-09-09 01:00 -------- d-----w- c:\programdata\KingSoft
    2012-09-04 05:45 . 2012-09-04 05:58 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Tencent
    2012-09-04 05:45 . 2012-09-04 05:45 -------- d-----w- c:\program files\kingsoft
    2012-09-04 05:45 . 2012-09-04 05:45 -------- d-----w- C:\QMDownload
    2012-09-04 05:44 . 2012-06-07 10:04 60408 ----a-w- c:\windows\system32\drivers\TSDefenseBt.sys
    2012-09-04 05:42 . 2012-07-24 11:00 308640 ----a-w- c:\windows\system32\MMInstaller.dll
    2012-09-04 05:42 . 2012-09-06 14:19 -------- d-----w- c:\program files\Common Files\Tencent
    2012-09-04 05:42 . 2012-09-04 06:27 -------- d-----w- c:\program files\Tencent
    2012-09-04 05:41 . 2012-09-17 10:53 -------- d-----w- c:\users\Rev\AppData\Roaming\Tencent
    2012-09-04 05:41 . 2012-09-04 05:45 -------- d-----w- c:\programdata\Tencent
    2012-09-04 05:41 . 2012-09-05 01:47 -------- d-----w- c:\program files\Baidu
    2012-09-04 05:41 . 2012-09-04 06:42 -------- d-----w- c:\users\Rev\funshion
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-06 06:18 . 2012-09-04 06:27 18760 ----a-w- c:\windows\system32\QQVistaHelper.dll
    2012-09-06 00:34 . 2012-09-06 00:34 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-09-06 00:34 . 2011-11-03 22:57 473072 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-18 09:22 . 2012-06-21 21:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-18 09:22 . 2011-10-26 12:37 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-15 07:37 . 2012-08-15 07:37 491912 ----a-w- c:\windows\system32\PPTVSvc.dll
    2012-08-15 07:37 . 2012-08-15 07:37 2291592 ----a-w- c:\windows\system32\kindling.dll
    2012-08-13 08:49 . 2012-08-13 08:49 144344 ----a-w- c:\windows\system32\drivers\kneps.sys
    2012-08-02 07:09 . 2012-08-02 07:09 24408 ----a-w- c:\windows\system32\drivers\klim6.sys
    2012-07-25 06:53 . 2012-07-25 06:53 25944 ----a-w- c:\windows\system32\drivers\klmouflt.sys
    2012-06-29 08:44 . 2012-07-25 17:34 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BFD1BECB-4FD8-4902-A486-866C36377725}\mpengine.dll
    2012-09-08 02:55 . 2011-10-26 12:16 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTo0.dll" [2011-05-09 176936]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2012-06-11 1524056]
    .
    [HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]
    2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentControl2\prxtbuTo0.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}]
    2012-06-07 10:04 398712 ----a-w- c:\program files\Tencent\QQPCMgr\6.8.2387.401\TSWebMon.dat
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E6D0D23-3D72-4A94-AE1F-2D167624E3D9}]
    2012-08-17 13:39 424888 ----a-w- c:\program files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\OnlineBanking\online_banking_bho.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3AA4C3C-3C93-5013-63C1-DE7B16E904E7}]
    2011-01-25 08:53 1184176 ----a-w- c:\progra~1\Baidu\{A3AA4~1\AddressBar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTo0.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{687578B9-7132-4A7A-80E4-30EE31099E03}"= "c:\program files\uTorrentControl2\prxtbuTo0.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-15 00:32 94208 ----a-w- c:\users\Rev\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-15 00:32 94208 ----a-w- c:\users\Rev\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-15 00:32 94208 ----a-w- c:\users\Rev\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-06-21 1021840]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Facebook Update"="c:\users\Rev\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-08-12 138096]
    "QQMusic"="c:\program files\Tencent\QQMusic\QQMusic.exe" [2012-07-24 1103264]
    "PPAP"="c:\program files\Common Files\PPLiveNetwork\PPAP.exe" [2012-08-15 250784]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-05-24 6595928]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-17 102400]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-24 178712]
    "FIC HotKey"="c:\program files\Hotkey Utility\tray.exe" [2007-11-28 356352]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-18 421736]
    "UIExec"="c:\program files\SMART BRO\UIExec.exe" [2011-04-02 139088]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
    "PowerDVD12DMREngine"="c:\program files\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe" [2012-07-25 505872]
    "PowerDVD12Agent"="c:\program files\CyberLink\PowerDVD12\PowerDVD12Agent.exe" [2012-07-25 374560]
    "QQPCTray"="c:\program files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe" [2012-06-07 1275256]
    "SetRoute"="c:\program files\L2TPHelp\setroute.exe" [2005-06-16 883651]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe" [2012-08-17 218880]
    .
    c:\users\Rev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    PPTV.lnk - c:\program files\PPLive\PPTV\PPLive.exe [2012-8-15 250784]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2007-6-14 425984]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    PPTVServiceGroup REG_MULTI_SZ PPTVService
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-21 09:22]
    .
    2012-09-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1690172613-2495476871-168188171-1000Core.job
    - c:\users\Rev\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-12 10:41]
    .
    2012-09-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1690172613-2495476871-168188171-1000UA.job
    - c:\users\Rev\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-12 10:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hao123.com/?tn=62002018_3_hao_pg
    uInternet Settings,ProxyServer = http=login.yahoo.com:80
    uInternet Settings,ProxyOverride = <local>
    IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2013\ie_banner_deny.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
    TCP: Interfaces\{5D47F38F-14A7-4A54-BF32-7CE1D5424C30}: NameServer = 10.10.0.21
    FF - ProfilePath - c:\users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    ------- File Associations -------
    .
    txtfile=c:\windows\notepad.exe %1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
    WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-09-17 20:10
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    " QQPCTray"="\"c:\\Program Files\\Tencent\\QQPCMgr\\6.8.2387.401\\QQPCTray.exe\" /regrun"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{73526619-C24F-470B-9BED-53D455FBB5C6}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD12\Common\NavFilter\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000001
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(8436)
    c:\users\Rev\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Tencent\QQPCMgr\6.8.2387.401\QQPCRTP.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe
    c:\program files\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\programdata\DatacardService\HWDeviceService.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\programdata\Smart Bro\OnlineUpdate\ouc.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\SMART BRO\AssistantServices.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\conime.exe
    c:\program files\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    c:\program files\Synaptics\SynTP\SynTPEnh.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-17 20:19:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-17 12:19
    .
    Pre-Run: 26,559,115,264 bytes free
    Post-Run: 31,819,440,128 bytes free
    .
    - - End Of File - - 89A1DFA6DD63103B5C00A3F3329082B1
  10. eccle

    eccle TS Member Topic Starter

    My laptop is UNBELIEVABLY noiseless now hahahaha I love it! Thanks a lot for everything! Is there anything else that I have to do? What do I do with the ComboFix on my desktop? Do I delete it?
  11. eccle

    eccle TS Member Topic Starter

    And I have my anti-virus re-activated now... is that ok?
     
  12. eccle

    eccle TS Member Topic Starter

    And now my firefox and IE have this "free coupon" thing. Grrrrr. So unlucky of me.
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Did you run AdwCleaner? If not, please do that as noted above.
  14. eccle

    eccle TS Member Topic Starter

    Hi, Dragon Master Jay! I ran the AdwCleaner. Here is the log:

    # AdwCleaner v2.001 - Logfile created 09/18/2012 at 10:49:40
    # Updated 09/09/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # User : Rev - REV-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Rev\Desktop\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\searchplugins\Conduit.xml
    File Deleted : C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\searchplugins\SweetIm.xml
    Folder Deleted : C:\Program Files\Conduit
    Folder Deleted : C:\ProgramData\InstallMate
    Folder Deleted : C:\ProgramData\Premium
    Folder Deleted : C:\Users\Rev\AppData\Local\Conduit
    Folder Deleted : C:\Users\Rev\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Rev\AppData\LocalLow\ShopperReports3
    Folder Deleted : C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\ConduitCommon
    Folder Deleted : C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\SweetIMToolbarData

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
    Key Deleted : HKCU\Software\AppDataLow\Software\ShopperReports3
    Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ShopperReportsSA
    Key Deleted : HKCU\Software\Softonic
    Key Deleted : HKCU\Software\SweetIm
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{453DB0C5-F41C-4D97-8DD6-CC72ECD5F699}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4AFC07D0-59BB-46B8-B097-1A46E88EEF71}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6511CE4C-4722-40D0-AD3D-4AFA2F50978A}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BEC9B38-BF39-4899-806E-A1C5DFEB60A2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AEBF09E2-0C15-43C8-99BF-928C645D98A0}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B86D82BF-D39F-439A-A07C-43EDDC6F6EA6}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DA6305B9-0869-4235-8C1D-533A65E639E5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E6961C59-CFCE-4CCD-B794-BC78DB98413A}
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
    Key Deleted : HKLM\Software\SweetIm

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Mozilla Firefox v15.0.1 (en-US)

    Profile name : default
    File : C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\prefs.js

    C:\Users\Rev\AppData\Roaming\Mozilla\Firefox\Profiles\13aujkpt.default\user.js ... Deleted !

    Deleted : user_pref("CT2786678..clientLogIsEnabled", true);
    Deleted : user_pref("CT2786678..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.as[...]
    Deleted : user_pref("CT2786678..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Re[...]
    Deleted : user_pref("CT2786678.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
    Deleted : user_pref("CT2786678.AppTrackingLastCheckTime", "Sat Nov 05 2011 09:20:47 GMT+0800 (China Standard T[...]
    Deleted : user_pref("CT2786678.BrowserCompStateIsOpen_129579220236217502", true);
    Deleted : user_pref("CT2786678.CTID", "CT2786678");
    Deleted : user_pref("CT2786678.CurrentServerDate", "7-11-2011");
    Deleted : user_pref("CT2786678.DSInstall", true);
    Deleted : user_pref("CT2786678.DialogsAlignMode", "LTR");
    Deleted : user_pref("CT2786678.DialogsGetterLastCheckTime", "Mon Nov 07 2011 12:40:09 GMT+0800 (China Standard[...]
    Deleted : user_pref("CT2786678.DownloadReferralCookieData", "");
    Deleted : user_pref("CT2786678.EMailNotifierPollDate", "Thu Oct 27 2011 14:42:33 GMT+0800 (China Standard Time[...]
    Deleted : user_pref("CT2786678.EnableClickToSearchBox", false);
    Deleted : user_pref("CT2786678.EnableSearchHistory", false);
    Deleted : user_pref("CT2786678.EnableSearchSuggest", false);
    Deleted : user_pref("CT2786678.FeedLastCount5690698542593514850", 194);
    Deleted : user_pref("CT2786678.FeedPollDate2429156812186649977", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedPollDate2429156813040823546", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedPollDate2429156813130095866", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedPollDate2429156813224203613", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedPollDate2429156813230837251", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedPollDate2429156813454291735", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedPollDate2429156813729834876", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedPollDate2429156813860870021", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedPollDate2429156814264681793", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedPollDate2429156814863075366", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedPollDate2429156815257761081", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.FeedTTL2429156813040823546", 15);
    Deleted : user_pref("CT2786678.FeedTTL2429156813130095866", 10);
    Deleted : user_pref("CT2786678.FeedTTL2429156813454291735", 5);
    Deleted : user_pref("CT2786678.FeedTTL2429156814264681793", 5);
    Deleted : user_pref("CT2786678.FirstServerDate", "27-10-2011");
    Deleted : user_pref("CT2786678.FirstTime", true);
    Deleted : user_pref("CT2786678.FirstTimeFF3", true);
    Deleted : user_pref("CT2786678.FixPageNotFoundErrors", false);
    Deleted : user_pref("CT2786678.GroupingServerCheckInterval", 1440);
    Deleted : user_pref("CT2786678.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
    Deleted : user_pref("CT2786678.HPInstall", false);
    Deleted : user_pref("CT2786678.HasUserGlobalKeys", true);
    Deleted : user_pref("CT2786678.HomePageProtectorEnabled", true);
    Deleted : user_pref("CT2786678.HomepageBeforeUnload", "hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=[...]
    Deleted : user_pref("CT2786678.Initialize", true);
    Deleted : user_pref("CT2786678.InitializeCommonPrefs", true);
    Deleted : user_pref("CT2786678.InstallationAndCookieDataSentCount", 3);
    Deleted : user_pref("CT2786678.InstallationType", "UnknownIntegration");
    Deleted : user_pref("CT2786678.InstalledDate", "Thu Oct 27 2011 14:27:27 GMT+0800 (China Standard Time)");
    Deleted : user_pref("CT2786678.IsAlertDBUpdated", true);
    Deleted : user_pref("CT2786678.IsGrouping", false);
    Deleted : user_pref("CT2786678.IsInitSetupIni", true);
    Deleted : user_pref("CT2786678.IsMulticommunity", false);
    Deleted : user_pref("CT2786678.IsOpenThankYouPage", true);
    Deleted : user_pref("CT2786678.IsOpenUninstallPage", false);
    Deleted : user_pref("CT2786678.IsProtectorsInit", true);
    Deleted : user_pref("CT2786678.LanguagePackLastCheckTime", "Mon Nov 07 2011 12:40:03 GMT+0800 (China Standard [...]
    Deleted : user_pref("CT2786678.LanguagePackReloadIntervalMM", 1440);
    Deleted : user_pref("CT2786678.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
    Deleted : user_pref("CT2786678.LastLogin_3.7.0.6", "Mon Nov 07 2011 20:39:59 GMT+0800 (China Standard Time)");
    Deleted : user_pref("CT2786678.LatestVersion", "3.7.0.6");
    Deleted : user_pref("CT2786678.Locale", "en");
    Deleted : user_pref("CT2786678.MCDetectTooltipHeight", "83");
    Deleted : user_pref("CT2786678.MCDetectTooltipShow", false);
    Deleted : user_pref("CT2786678.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
    Deleted : user_pref("CT2786678.MCDetectTooltipWidth", "295");
    Deleted : user_pref("CT2786678.MyStuffEnabledAtInstallation", true);
    Deleted : user_pref("CT2786678.OriginalFirstVersion", "3.7.0.6");
    Deleted : user_pref("CT2786678.RadioShrinked", "shrinked");
    Deleted : user_pref("CT2786678.RadioShrinkedFromSetup", true);
    Deleted : user_pref("CT2786678.SHRINK_TOOLBAR", 0);
    Deleted : user_pref("CT2786678.SavedHomepage", "hxxp://home.sweetim.com");
    Deleted : user_pref("CT2786678.SearchBackToDefaultEngine", false);
    Deleted : user_pref("CT2786678.SearchBoxWidth", 100);
    Deleted : user_pref("CT2786678.SearchCaption", " ");
    Deleted : user_pref("CT2786678.SearchEngineBeforeUnload", "SweetIM Search");
    Deleted : user_pref("CT2786678.SearchFromAddressBarIsInit", true);
    Deleted : user_pref("CT2786678.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT278[...]
    Deleted : user_pref("CT2786678.SearchInNewTabEnabled", true);
    Deleted : user_pref("CT2786678.SearchInNewTabIntervalMM", 1440);
    Deleted : user_pref("CT2786678.SearchInNewTabLastCheckTime", "Mon Nov 07 2011 12:39:54 GMT+0800 (China Standar[...]
    Deleted : user_pref("CT2786678.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
    Deleted : user_pref("CT2786678.SearchInNewTabUsageUrl", "hxxp://usage.hosting.toolbar.conduit-services.com/usa[...]
    Deleted : user_pref("CT2786678.SearchInNewTabUserEnabled", false);
    Deleted : user_pref("CT2786678.SearchProtectorEnabled", false);
    Deleted : user_pref("CT2786678.SearchProtectorToolbarDisabled", false);
    Deleted : user_pref("CT2786678.SendProtectorDataViaLogin", true);
    Deleted : user_pref("CT2786678.ServiceMapLastCheckTime", "Mon Nov 07 2011 12:40:00 GMT+0800 (China Standard Ti[...]
    Deleted : user_pref("CT2786678.SettingsLastCheckTime", "Mon Nov 07 2011 12:39:54 GMT+0800 (China Standard Time[...]
    Deleted : user_pref("CT2786678.SettingsLastUpdate", "1314985690");
    Deleted : user_pref("CT2786678.TBHomePageUrl", "hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13");
    Deleted : user_pref("CT2786678.ThirdPartyComponentsInterval", 504);
    Deleted : user_pref("CT2786678.ThirdPartyComponentsLastCheck", "Thu Oct 27 2011 14:27:28 GMT+0800 (China Stand[...]
    Deleted : user_pref("CT2786678.ThirdPartyComponentsLastUpdate", "1312887586");
    Deleted : user_pref("CT2786678.ToolbarShrinkedFromSetup", true);
    Deleted : user_pref("CT2786678.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2786678");
    Deleted : user_pref("CT2786678.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,clien[...]
    Deleted : user_pref("CT2786678.Uninstall", true);
    Deleted : user_pref("CT2786678.UserID", "UN13282842862589217");
    Deleted : user_pref("CT2786678.WeatherNetwork", "");
    Deleted : user_pref("CT2786678.WeatherPollDate", "Thu Oct 27 2011 15:47:37 GMT+0800 (China Standard Time)");
    Deleted : user_pref("CT2786678.WeatherUnit", "C");
    Deleted : user_pref("CT2786678.alertChannelId", "1178763");
    Deleted : user_pref("CT2786678.approveUntrustedApps", true);
    Deleted : user_pref("CT2786678.backendstorage.cbfirsttime", "546875204F637420323720323031312031343A32373A34332[...]
    Deleted : user_pref("CT2786678.componentAlertEnabled", false);
    Deleted : user_pref("CT2786678.components.1000034", false);
    Deleted : user_pref("CT2786678.components.1000234", false);
    Deleted : user_pref("CT2786678.components.129295698017012804", false);
    Deleted : user_pref("CT2786678.components.129309485163350924", false);
    Deleted : user_pref("CT2786678.components.129309489763975460", false);
    Deleted : user_pref("CT2786678.components.129315411424256896", false);
    Deleted : user_pref("CT2786678.components.129526967958500204", false);
    Deleted : user_pref("CT2786678.components.129579220236217502", false);
    Deleted : user_pref("CT2786678.components.5690698542593514850", false);
    Deleted : user_pref("CT2786678.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.c[...]
    Deleted : user_pref("CT2786678.globalFirstTimeInfoLastCheckTime", "Mon Nov 07 2011 20:39:54 GMT+0800 (China St[...]
    Deleted : user_pref("CT2786678.homepageProtectorEnableByLogin", true);
    Deleted : user_pref("CT2786678.initDone", true);
    Deleted : user_pref("CT2786678.isAppTrackingManagerOn", true);
    Deleted : user_pref("CT2786678.isFirstRadioInstallation", false);
    Deleted : user_pref("CT2786678.isSearchProtectorNotifyChanges", false);
    Deleted : user_pref("CT2786678.myStuffEnabled", true);
    Deleted : user_pref("CT2786678.myStuffPublihserMinWidth", 400);
    Deleted : user_pref("CT2786678.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
    Deleted : user_pref("CT2786678.myStuffServiceIntervalMM", 1440);
    Deleted : user_pref("CT2786678.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
    Deleted : user_pref("CT2786678.oldAppsList", "129295695672325902,129295695672325903,1000234,129295698017012804[...]
    Deleted : user_pref("CT2786678.revertSettingsEnabled", true);
    Deleted : user_pref("CT2786678.searchProtectorDialogDelayInSec", 10);
    Deleted : user_pref("CT2786678.searchProtectorEnableByLogin", true);
    Deleted : user_pref("CT2786678.testingCtid", "");
    Deleted : user_pref("CT2786678.toolbarAppMetaDataLastCheckTime", "Mon Nov 07 2011 12:40:04 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.toolbarContextMenuLastCheckTime", "Thu Oct 27 2011 14:27:34 GMT+0800 (China Sta[...]
    Deleted : user_pref("CT2786678.usageEnabled", false);
    Deleted : user_pref("CT2786678.usagesFlag", 1);
    Deleted : user_pref("CommunityToolbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT2786678&Search[...]
    Deleted : user_pref("CommunityToolbar.ConduitSearchList", " ");
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT3072253/CT3072253[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1178763/1174448/PH", "\"0\"[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2786678", [...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT3072253", [...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.13[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.7.[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2786678",[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT3072253",[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.conduit-services.com/?ctid=CT2786678&octid=[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=EB_LOCALE",[...]
    Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"21b[...]
    Deleted : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Users\\Rev\\AppData\\Roaming\\Mozilla\\Fir[...]
    Deleted : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.13.0.6");
    Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "");
    Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2786678");
    Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2786678");
    Deleted : user_pref("CommunityToolbar.ToolbarsList4", "CT2786678");
    Deleted : user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Thu Oct 27 2011 14:27:34 GMT+0800 (Chi[...]
    Deleted : user_pref("CommunityToolbar.globalUserId", "80d090a7-1d7a-4ab3-a6ca-63678bac16e4");
    Deleted : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
    Deleted : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
    Deleted : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT3072253");
    Deleted : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Thu Jun 21 2012 20:16:3[...]
    Deleted : user_pref("CommunityToolbar.notifications.alertEnabled", false);
    Deleted : user_pref("CommunityToolbar.notifications.alertInfoInterval", 1440);
    Deleted : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Thu Jun 21 2012 20:16:27 GMT+080[...]
    Deleted : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
    Deleted : user_pref("CommunityToolbar.notifications.locale", "en");
    Deleted : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
    Deleted : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Thu Jun 21 2012 20:16:19 GMT+0800 (C[...]
    Deleted : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
    Deleted : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
    Deleted : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
    Deleted : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
    Deleted : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
    Deleted : user_pref("CommunityToolbar.notifications.userId", "cabae55e-3950-496a-b24f-b827d5310078");
    Deleted : user_pref("CommunityToolbar.originalHomepage", "hxxp://home.sweetim.com");
    Deleted : user_pref("CommunityToolbar.originalSearchEngine", "SweetIM Search");
    Deleted : user_pref("browser.search.defaultenginename", "SweetIM Search");
    Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&Sea[...]
    Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=");
    Deleted : user_pref("sweetim.toolbar.highlight.colors", "#FFFF00,#00FFE4,#5AFF00,#0087FF,#FFCC00,#FF00F0");
    Deleted : user_pref("sweetim.toolbar.logger.ConsoleHandler.MinReportLevel", "7");
    Deleted : user_pref("sweetim.toolbar.logger.FileHandler.FileName", "ff-toolbar.log");
    Deleted : user_pref("sweetim.toolbar.logger.FileHandler.MaxFileSize", "200000");
    Deleted : user_pref("sweetim.toolbar.logger.FileHandler.MinReportLevel", "7");
    Deleted : user_pref("sweetim.toolbar.mode.debug", "false");
    Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
    Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaulturl", "");
    Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
    Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "google.com.ph");
    Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
    Deleted : user_pref("sweetim.toolbar.search.external", "<?xml version=\"1.0\"?><TOOLBAR><EXTERNAL_SEARCH engin[...]
    Deleted : user_pref("sweetim.toolbar.search.history.capacity", "10");
    Deleted : user_pref("sweetim.toolbar.searchguard.enable", "true");
    Deleted : user_pref("sweetim.toolbar.simapp_id", "{369B96EC-0064-11E1-BCF1-001060D142B9}");
    Deleted : user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com");

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\Rev\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [22824 octets] - [16/09/2012 18:28:39]
    AdwCleaner[R2].txt - [20040 octets] - [18/09/2012 10:36:11]
    AdwCleaner[R3].txt - [20101 octets] - [18/09/2012 10:49:05]
    AdwCleaner[S1].txt - [20844 octets] - [18/09/2012 10:49:40]

    ########## EOF - C:\AdwCleaner[S1].txt - [20905 octets] ##########
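The AdwCleaner log above shows the pattern that makes a search hijack visible on disk: a `user.js` in the Firefox profile that overrides `browser.search.defaultenginename`, `browser.search.defaulturl`, `keyword.URL` and the homepage, plus hundreds of prefs under the toolbar's own namespaces (`CT2786678.*`, `CommunityToolbar.*`, `sweetim.*`). The script below is an added example, not from this thread and not AdwCleaner's code; it parses `user_pref(...)` lines and flags the same two categories, so a helper can triage a profile before running a cleaner. The sample lines are constructed, modelled on the log (URLs kept defanged as `hxxp://`, as in the log), and the namespace patterns are an assumption drawn from the names seen here.

```python
import re

# Constructed sample modelled on the AdwCleaner log (not a real profile).
# URLs are left defanged as "hxxp://" exactly as the cleaner prints them.
SAMPLE_USER_JS = r'''
user_pref("browser.search.defaultenginename", "SweetIM Search");
user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&Sea");
user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=");
user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com");
user_pref("CT2786678.HomePageProtectorEnabled", true);
user_pref("browser.tabs.warnOnClose", false);
'''

# One user_pref("name", value); line. Values may be quoted strings, booleans or numbers.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Firefox prefs that decide where searches, the address bar and the homepage go.
# A user.js that sets these is the hijack mechanism the log shows being undone.
SEARCH_AND_HOMEPAGE_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.defaulturl",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
    "keyword.URL",
}

# Assumed toolbar namespaces, taken from the pref names in the log:
# Conduit community toolbars use "CT<digits>." and "CommunityToolbar.",
# the SweetIM toolbar uses "sweetim.".
TOOLBAR_NAMESPACE_RE = re.compile(r'^(CT\d{5,}|CommunityToolbar|sweetim)\.')


def parse_user_js(text):
    """Return {pref_name: value_string} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        # Strip the quotes from string values; leave true/false/numbers as-is.
        prefs[name] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return prefs


def flag_hijack_prefs(prefs):
    """Return (name, value, reason) for prefs that override search/homepage
    defaults or belong to a known toolbar namespace."""
    findings = []
    for name, value in prefs.items():
        if name in SEARCH_AND_HOMEPAGE_PREFS:
            findings.append((name, value, "search/homepage default overridden in user.js"))
        elif TOOLBAR_NAMESPACE_RE.match(name):
            findings.append((name, value, "third-party toolbar namespace"))
    return findings


def scan_user_js(text):
    """Convenience wrapper: parse then flag."""
    return flag_hijack_prefs(parse_user_js(text))


if __name__ == "__main__":
    for name, value, reason in scan_user_js(SAMPLE_USER_JS):
        print(f"{reason:45s} {name} = {value}")
```

On a real profile, read `user.js` (and `prefs.js`) from the profile directory shown in the log and pass the text to `scan_user_js`; a normal profile has no `user.js` at all unless the user created one, so the file's mere presence alongside these prefs is the signal.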
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.


    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please give an update. Thread marked inactive.

    We'd like to still help.
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! This is the last check-in for you. Please update us on your situation here. We'd love to help!