Inactive Malware infected

laiyee

Hi, I recently found that my laptop (DELL Inspiron 1420, quite some age :( ) could not access any antivirus websites or download any antivirus software, and my laptop does not have any antivirus software installed. I'm worried it might be due to a malware or virus infection?

Could you please help me with the issues?

Thanks.
Good day
 
Welcome aboard

Please complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Hi, thanks for the reply.
My laptop is back to normal after I ran Malwarebytes Anti-Malware (MBAM), and it helped me remove all infected files.

It really helped a lot. Thank you.
Good day.
 
It doesn't work that way.

I strongly suggest you follow my previous reply.
 
Thanks for the advice.
I'm gonna follow your instructions to start the steps.
I need to backup my files before starting.
Thanks.
 
  • Malwarebytes Anti-Malware log
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.03.02

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
YULE :: YULE-PC [administrator]

Protection: Enabled

03-Jun-13 2:45:54 PM
MBAM-log-2013-06-03 (15-06-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228793
Time elapsed: 18 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 59
HKCR\AppID\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} (PUP.Funshion) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} (PUP.Funshion) -> No action taken.
HKCR\AppID\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2} (Adware.BDSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2} (Adware.BDSearch) -> No action taken.
HKCR\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05} (PUP.Funshion) -> No action taken.
HKCR\TypeLib\{F9BC0421-BB5C-447d-8547-BB45AFA80A4D} (PUP.Funshion) -> No action taken.
HKCR\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58} (PUP.Funshion) -> No action taken.
HKCR\AddressSearch.JsObject.1 (PUP.Funshion) -> No action taken.
HKCR\AddressSearch.JsObject (PUP.Funshion) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11CC93E4-0BE6-4F8F-82AA-D577FB955B05} (PUP.Funshion) -> No action taken.
HKCR\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03} (Adware.BDSearch) -> No action taken.
HKCR\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172} (Adware.BDSearch) -> No action taken.
HKCR\Interface\{2923508C-9425-4A61-B9CE-A98239055916} (Adware.BDSearch) -> No action taken.
HKCR\BarBroker.BDBroker.1 (Adware.BDSearch) -> No action taken.
HKCR\BarBroker.BDBroker (Adware.BDSearch) -> No action taken.
HKCR\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697} (Trojan.Cinmus) -> No action taken.
HKCR\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6} (Trojan.Cinmus) -> No action taken.
HKCR\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC} (Trojan.Cinmus) -> No action taken.
HKCR\BaiduBarX.BandIE.1 (Trojan.Cinmus) -> No action taken.
HKCR\BaiduBarX.BandIE (Trojan.Cinmus) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697} (Trojan.Cinmus) -> No action taken.
HKCR\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027} (PUP.Funshion) -> No action taken.
HKCR\TypeLib\{D02E3AB9-7796-40cb-BDFC-20D834FE1F75} (PUP.Funshion) -> No action taken.
HKCR\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC} (PUP.Funshion) -> No action taken.
HKCR\ASBarBroker.BDBroker.1 (PUP.Funshion) -> No action taken.
HKCR\ASBarBroker.BDBroker (PUP.Funshion) -> No action taken.
HKCR\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9} (Trojan.Cinmus) -> No action taken.
HKCR\BaiduBar.Tool.1 (Trojan.Cinmus) -> No action taken.
HKCR\BaiduBar.Tool (Trojan.Cinmus) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7F05EE4-0426-454F-8013-C41E3596E9E9} (Trojan.Cinmus) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A7F05EE4-0426-454F-8013-C41E3596E9E9} (Trojan.Cinmus) -> No action taken.
HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86} (Trojan.Cinmus) -> No action taken.
HKCR\BaiduBarX.ToolBand.1 (Trojan.Cinmus) -> No action taken.
HKCR\BaiduBarX.ToolBand (Trojan.Cinmus) -> No action taken.
HKCR\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46} (Adware.BDSearch) -> No action taken.
HKCR\BaiduBarEx.BDHomePage.5 (Adware.BDSearch) -> No action taken.
HKCR\BaiduBarEx.BDHomePage (Adware.BDSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46} (Adware.BDSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46} (Adware.BDSearch) -> No action taken.
HKCR\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86} (PUP.Funshion) -> No action taken.
HKCR\AddressSearch.SnavHttpProtocol.1 (PUP.Funshion) -> No action taken.
HKCR\AddressSearch.SnavHttpProtocol (PUP.Funshion) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDAEAB93-6DC0-4A63-81C6-95C88ED36F6A} (Adware.Sogou) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FDAEAB93-6DC0-4A63-81C6-95C88ED36F6A} (Adware.Sogou) -> No action taken.
HKCR\BaiduBar.Tool (PUP.Baidu) -> No action taken.
HKCR\BaiduBar.Tool.1 (PUP.Baidu) -> No action taken.
HKCR\BaiduBarEx.BDHomePage (PUP.Baidu) -> No action taken.
HKCR\BaiduBarEx.BDHomePage.1 (PUP.Baidu) -> No action taken.
HKCR\BaiduBarEx.BDHomePage.2 (PUP.Baidu) -> No action taken.
HKCR\BaiduBarEx.BDHomePage.3 (PUP.Baidu) -> No action taken.
HKCR\BaiduBarEx.BDHomePage.4 (PUP.Baidu) -> No action taken.
HKCR\BaiduBarEx.BDHomePage.5 (PUP.Baidu) -> No action taken.
HKCR\HTTP\shell\SogouExplorer (Adware.Sogou) -> No action taken.
HKCR\file\shell\SogouExplorer (Adware.Sogou) -> No action taken.
HKCR\htmlfile\shell\SogouExplorer (Adware.Sogou) -> No action taken.
HKCR\https\shell\SogouExplorer (Adware.Sogou) -> No action taken.
HKCR\mhtmlfile\shell\SogouExplorer (Adware.Sogou) -> No action taken.
HKCR\xmlfile\shell\SogouExplorer (Adware.Sogou) -> No action taken.
HKLM\SOFTWARE\Clients\StartMenuInternet\SogouExplorer.exe (Adware.Sogou) -> No action taken.

Registry Values Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Gscico (Backdoor.IRCBot) -> Data: C:\Users\YULE\AppData\Roaming\Gscico.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{B580CF65-E151-49C3-B73F-70B13FCA8E86} (Trojan.Cinmus) -> Data: e蟺礠崦I?p?蕩?CLSID -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{B580CF65-E151-49C3-B73F-70B13FCA8E86} (Trojan.Cinmus) -> Data: 12 -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{B580CF65-E151-49C3-B73F-70B13FCA8E86} (Trojan.Cinmus) -> Data: -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} (Trojan.Cinmus) -> Data: -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
c:\users\yule\appdata\roaming\gscico.exe (Backdoor.IRCBot) -> No action taken.
C:\Users\YULE\Downloads\u.kiss.0330.piano.sheet.music.mac_downloader.exe (PUP.MediaFinder) -> No action taken.

(end)
 
DDS logs: both DDS.txt
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.17.2
Run by YULE at 10:35:41 on 2013-06-04
Microsoft Windows 7 Ultimate 6.1.7600.0.936.86.1033.18.2038.640 [GMT 8:00]
.
AV: Kaspersky Anti-Virus *Enabled/Outdated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
SP: Kaspersky Anti-Virus *Enabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
C:\Windows\system32\ChgService.exe
C:\Windows\system32\crypserv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\OEM02Mon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\kuwo\KWMUSIC\bin\kwmusic.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\kuwo\KWMUSIC\bin\IESandBox.exe
C:\Program Files\kuwo\KWMUSIC\bin\KwService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\YULE\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\YULE\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\YULE\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\YULE\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\YULE\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
C:\Windows\system32\taskhost.exe
C:\Users\YULE\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.hk/
uURLSearchHooks: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - c:\program files\ytd toolbar\ie\7.1\ytdToolbarIE.dll
uURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
uURLSearchHooks: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} -
mURLSearchHooks: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} -
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} -
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: GCiBaBHO Class: {76F8B2BF-4A1B-449E-AF7A-A50DD2F85EF9} - c:\program files\kingsoft\powerword lite\addins\ieaddin\CBIEAddin.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CCB9509F-5011-26C9-709E-DD124EF55A80 Class: {CCB9509F-5011-26C9-709E-DD124EF55A80} - LocalServer32 - <no file>
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\urladvisor\klwtbbho.dll
BHO: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - c:\program files\ytd toolbar\ie\7.1\ytdToolbarIE.dll
TB: Softonic-Eng7 Toolbar: {414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3} -
TB: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} -
TB: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - c:\program files\ytd toolbar\ie\7.1\ytdToolbarIE.dll
uRun: [PPS Accelerator] c:\program files\ppstream\ppsap.exe
uRun: [Google Update] "c:\users\yule\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Facebook Update] "c:\users\yule\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [AROReminder] c:\program files\aro 2013\ARO.exe -rem
uRun: [Gscico] c:\users\yule\appdata\roaming\Gscico.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [kwmusic] "c:\program files\kuwo\kwmusic\Kwmusic.exe" /autorun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe"
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: c:\users\yule\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-Explorer: NoDriveTypeAutoRun = dword:28
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBC} - <orphaned>
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A22C622B-B304-472f-88EF-5933BB255F63} - {2D40AC3B-42F2-4787-8D8B-2B63F03C6541} - c:\program files\kingsoft\powerword lite\addins\ieaddin\CBIEAddin.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2013\ieext\urladvisor\klwtbbho.dll
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCE1} - hxxps://www2.pbebank.com/ebroking/wecos/control/csoex_pbb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_09-windows-i586.cab
DPF: {B9B2EE1A-E314-4338-A305-BE845EACB113} - hxxps://www2.pbebank.com/ebroking/wecos/control/csw25.cab
DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 172.16.240.250 172.16.240.251
TCP: Interfaces\{1B290AF0-3F27-444C-B4CE-A486EA38BD10} : DHCPNameServer = 172.16.240.250 172.16.240.251
TCP: Interfaces\{2C973AF0-4EFC-43F3-BA29-B87464068E7C} : NameServer = 58.71.136.10 58.71.132.10
TCP: Interfaces\{487309EC-975B-49E2-A33A-D4A88EA3FD9B} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{487309EC-975B-49E2-A33A-D4A88EA3FD9B}\C496D60277966696 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{487309EC-975B-49E2-A33A-D4A88EA3FD9B}\E4544574541425 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{9ACC973B-8DA1-474D-A54B-712646BFBE63} : NameServer = 58.71.136.10 58.71.132.10
TCP: Interfaces\{BCDC7ED6-1A4D-4B10-B8D5-004C52922CE6} : NameServer = 58.71.136.10 58.71.132.10
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\yule\appdata\roaming\mozilla\firefox\profiles\b5ipxd6f.default\
FF - prefs.js: browser.search.selectedEngine - 百度
FF - prefs.js: keyword.URL - hxxp://www.baidu.com/baidu?tn=dealio_dg&wd=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\yule\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\yule\appdata\local\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2012-8-2 24408]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2013-3-6 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 144344]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2010-8-29 73728]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2013-5-15 806776]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2013\avp.exe [2013-3-6 356376]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2010-9-5 135168]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-6-3 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-6-3 701512]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2013-3-6 25944]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2013-3-6 25944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-6-3 22856]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2010-9-5 103424]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-7-3 201168]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-4-18 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-7-3 101120]
.
=============== Created Last 30 ================
.
2013-06-04 01:56:11  60872  ----a-w-  c:\programdata\microsoft\windows defender\definition updates\{e07f52da-eeb4-40f9-836e-0e74798b7952}\offreg.dll
2013-06-04 00:41:20  --------  d-----w-  c:\windows\system32\SPReview
2013-06-04 00:39:23  --------  d-----w-  c:\windows\system32\EventProviders
2013-06-03 09:06:16  --------  d-----w-  c:\windows\ELAMBKUP
2013-06-03 09:05:56  --------  d-----w-  c:\programdata\Kaspersky Lab
2013-06-03 09:05:56  --------  d-----w-  c:\program files\Kaspersky Lab
2013-06-03 09:04:43  75096  ----a-w-  c:\windows\system32\drivers\klflt.sys
2013-06-03 06:40:28  --------  d-----w-  c:\users\yule\appdata\roaming\Malwarebytes
2013-06-03 06:40:16  --------  d-----w-  c:\programdata\Malwarebytes
2013-06-03 06:40:14  22856  ----a-w-  c:\windows\system32\drivers\mbam.sys
2013-06-03 06:40:14  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2013-06-03 05:45:31  --------  d-----w-  c:\users\yule\appdata\local\MFAData
2013-06-03 05:45:31  --------  d-----w-  c:\users\yule\appdata\local\Avg2013
2013-06-03 05:36:49  2422272  ----a-w-  c:\windows\system32\wucltux.dll
2013-06-03 05:36:19  88576  ----a-w-  c:\windows\system32\wudriver.dll
2013-06-03 05:35:59  33792  ----a-w-  c:\windows\system32\wuapp.exe
2013-06-03 05:35:59  171904  ----a-w-  c:\windows\system32\wuwebv.dll
2013-06-03 05:13:53  --------  d-----w-  c:\users\yule\appdata\roaming\Sammsoft
2013-06-03 05:13:22  --------  d-----w-  c:\program files\ARO 2013
2013-06-03 05:11:55  --------  d-----w-  c:\users\yule\appdata\local\Programs
2013-06-03 00:24:49  --------  d-----w-  c:\program files\Application Updater
2013-06-03 00:24:47  --------  d-----w-  c:\program files\YTD Toolbar
2013-06-03 00:24:47  --------  d-----w-  c:\program files\common files\Spigot
2013-05-14 05:31:10  6128760  ----a-w-  c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
2013-05-14 05:31:10  6128760  ----a-w-  c:\program files\mozilla firefox\browser\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
.
==================== Find3M ====================
.
2013-05-20 00:51:19  71048  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-20 00:51:19  692104  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
2013-04-21 05:44:06  205  ----a-w-  c:\windows\system32\lsprst7.dll
2013-04-04 02:07:09  1025  ----a-w-  c:\windows\system32\sysprs7.dll
2013-04-02 06:20:04  94112  ----a-w-  c:\windows\system32\WindowsAccessBridge.dll
2013-04-02 06:20:01  861088  ----a-w-  c:\windows\system32\npdeployJava1.dll
2013-04-02 06:20:01  782240  ----a-w-  c:\windows\system32\deployJava1.dll
2013-03-06 05:24:14  58712  ----a-w-  c:\windows\system32\klfphc.dll
2013-03-06 05:24:14  43608  ----a-w-  c:\windows\system32\drivers\kltdi.sys
2013-03-06 05:24:14  25944  ----a-w-  c:\windows\system32\drivers\klmouflt.sys
2013-03-06 05:24:14  25944  ----a-w-  c:\windows\system32\drivers\klkbdflt.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
1 ntkrnlpa!IofCallDriver[0x83284458] -> \Device\Harddisk0\DR0[0x866769C8]
3 CLASSPNP[0x89F8959E] -> ntkrnlpa!IofCallDriver[0x83284458] -> \Device\Ide\IdeDeviceP1T0L0-2[0x85883908]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user != kernel MBR !!!
.

============= FINISH: 10:38:33.75 ===============
  • DDS logs: Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume2
Install Date: 30-Aug-10 3:10:49 AM
System Uptime: 04-Jun-13 8:17:42 AM (2 hours ago)
.
Motherboard: Dell Inc. | | 0DT492
Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | Microprocessor | 2000/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 220 GiB total, 167.754 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.714 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01F31028&REV_12\4&3599CE57&0&0BF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01F31028&REV_12\4&3599CE57&0&0BF0
Service:
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01F31028&REV_12\4&3599CE57&0&0AF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01F31028&REV_12\4&3599CE57&0&0AF0
Service:
.
==== System Restore Points ===================
.
RP151: 04-Jun-13 8:40:49 AM - Windows 7 Service Pack 1
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop 7.0
Adobe Reader X (10.1.7)
Advanced Audio FX Engine
Advanced Video FX Engine
ARO 2013
BioEdit
Color LaserJet 2600n
D3DX10
Dell Driver Download Manager
Dell Webcam Center
Dell Webcam Manager
Facebook Video Calling 1.2.0.287
Flash Player 2.0
Free Mp3 Wma Converter V 1.93
Free WMA to MP3 Converter 1.16
GELSIS v5.0
GeneSnap from SynGene
GeneStudio
Google Chrome
Google Update Helper
Intel(R) Graphics Media Accelerator Driver
Intel(R) TV Wizard
Java 2 Runtime Environment, SE v1.4.2_09
Java 7 Update 17
Java Auto Updater
Junk Mail filter update
K-Lite Codec Pack 4.7.5 (Basic)
Kaspersky Anti-Virus 2013
Laptop Integrated Webcam Driver (1.04.01.1011)
Macromedia Flash MX
Malwarebytes Anti-Malware version 1.75.0.1300
Maxis Broadband
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Modeller 9v8
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
POV-Ray for Windows v3.6.1c
QvodPlayer(快播) v3.5
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Sequence Scanner v1.0
SeqVerter
SigmaTel Audio
Skype Click to Call
Skype? 6.3
SPSS 16.0
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2598306) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VMD 1.9
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.20 (32-bit)
YTD Toolbar v7.1
YTD Video Downloader 3.9
暴风影音5
美图秀秀 3.1.0
酷我音乐 2012
.
==== Event Viewer Messages From Past Week ========
.
31-May-13 11:50:31 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
03-Jun-13 11:41:29 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer FCYBER1-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{1B290AF0-3F27-444C-B4CE-A486EA3. The master browser is stopping or an election is being forced.
03-Jun-13 1:51:03 PM, Error: Service Control Manager [7034] - The Change Modem Device Service service terminated unexpectedly. It has done this 1 time(s).
03-Jun-13 1:51:02 PM, Error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 1 time(s).
03-Jun-13 1:48:03 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer USER-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{1B290AF0-3F27-444C-B4CE-A486EA38BD. The master browser is stopping or an election is being forced.
.
==== End Of File ===========================
 
Your MBAM log says "No action taken".
Re-run MBAM, fix all issues and post a new log.

Download RogueKiller for 32-bit or RogueKiller for 64-bit to your Desktop.
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Download Malwarebytes Anti-Rootkit (MBAR) from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
 