SpyWare BeWare! ASAP
April 23, 2017, 10:35:53 PM *
Author Topic: Auto Create User Account  (Read 2602 times)
patwwh
Guest
« on: March 19, 2014, 04:41:10 PM »

A user account "yzfvcbgk" (in the User group) is always automatically created on my computer.
If I remove it and then reboot, it shows up on my login screen again (maybe it is created during shutdown or during boot-up).
Also, when I check the "Security" properties of the C: root directory, yzfvcbgk is listed there, although it seems to have no permissions assigned, except that the last right is set to Deny.

I am not familiar with the system log. When I try to look at it, I believe it is somehow related, directly or indirectly, to all of these items:
svchost.exe
conhost.exe
consent.exe
csrss.exe
csrsrv.dll
smss.exe
services.exe
wininit.exe
autochk.exe

lsass ~ KeyIso, Protected Storage, SamSs

I have turned off "Remote Connection" on my computer, run CCleaner, and reset Internet Options and IE.
I have tried to follow a Microsoft instruction:
boot into Safe Mode somehow, and then run Malwarebytes and SUPERAntiSpyware.
Malwarebytes found and removed Trojan.Agent.
But this doesn't solve the above problem. I am very worried.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521  BrowserJavaVersion: 10.9.2
Run by Patrick at 5:17:49 on 2014-03-20
Microsoft Windows 7 Professional   6.1.7601.1.950.852.3076.18.8095.4738 [GMT 8:00]
.
AV: ESET Smart Security 7.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET Smart Security 7.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
FW: ESET Personal firewall *Enabled* {211E1E8B-C9F9-A04B-6D84-BC85190CE5F2}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\Sandboxie\SbieSvc.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\PDF Architect\HelperService.exe
C:\Program Files (x86)\PDF Architect\ConversionService.exe
C:\Program Files (x86)\SolidDocuments\SolidPDFCreator\SPC\SolidPdfServicex64.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tencent\barupdate\TBUpdate.exe
C:\windows\system32\ThpSrv.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files (x86)\RescueTime\RescueTime.exe
C:\GoAgent\local\goagent.exe
C:\GoAgent\local\python27.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\TOSHIBA\Sync Utility\TosSyncScheduler.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\zabkat\xplorer2\xplorer2_64.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\SysWOW64\DllHost.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.hk/
uDefault_Page_URL = hxxp://toshiba.msn.com
mWinlogon: Userinit = userinit.exe,
BHO: Octh Class: {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll
BHO: PDF Architect Helper: {3A2D5EBA-F86D-4BD3-A177-019765996711} - C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll
BHO: {506AF41A-E71B-1147-853D-B8A7356E0F6F} - <orphaned>
BHO: Tencent Browser Helper: {6F2278F5-D603-BD9A-2367-F9E955B7DA02} -
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID 登入協助程式: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Grab Pro: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files (x86)\Orbitdownloader\GrabPro.dll
TB: PDF Architect Toolbar: {25A3A431-30BB-47C8-AD6A-E1063801134F} - C:\Program Files (x86)\PDF Architect\PDFIEPlugin.dll
uRun: [QQ2009] "C:\Program Files (x86)\Tencent\QQ\Bin\QQProtect\Bin\QQProtect.exe" /background
uRun: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a logon /a devices /a favorites
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [TSleepSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun: [TSUScheduler] C:\Program Files (x86)\TOSHIBA\Sync Utility\TosSyncScheduler.exe
mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
mRun: [IME14 CHT Setup] C:\PROGRA~2\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /CHT /Log
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun: [AcronisTibMounterMonitor] C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
StartupFolder: C:\Users\Patrick\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\GoAgent.lnk - C:\GoAgent\local\goagent.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RESCUE~1.LNK - C:\Program Files (x86)\RescueTime\RescueTime.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: &Download by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/204
IE: &使用&迅雷下? - <no file>
IE: &使用&迅雷下?全部?接 - <no file>
IE: &使用&迅雷离?下? - <no file>
IE: Do&wnload selected by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/202
IE: 傳送至 OneNote(&N) - C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: 匯出至 Microsoft Excel(&X) - C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: 新增至東芝佈告欄 - C:\Program Files\TOSHIBA\BulletinBoard\TosBBCom.dll/1000
IE: 轉換為 Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: 轉換連結目標為 Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: 附加至現有 PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: 附加連結目標至現有 PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
IE: {97F922BD-8563-4184-87EE-8C4ACA438823} - {5D29E593-73A5-400A-B3BD-6B7A1AF05A31} - C:\Program Files\TOSHIBA\BulletinBoard\TosBBCom.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{93C7F2C9-6648-42CA-80FD-3834E963C697} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{A0EDDA2B-785A-40DE-B3C9-F8B729F7707B} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: {E74F179F-F6CC-4BE0-9638-DEA49583953F} - <orphaned>
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [ThpSrv] C:\windows\System32\thpsrv /logon
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Run: [IME14 CHT Setup] C:\PROGRA~1\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /CHT /Log
x64-Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-IE: {97F922BD-8563-4184-87EE-8C4ACA438823} - {5D29E593-73A5-400A-B3BD-6B7A1AF05A31} - C:\Program Files\TOSHIBA\BulletinBoard\TosBBCom64.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Patrick\AppData\Roaming\Mozilla\Firefox\Profiles\qrien1f8.default-1395136612345\
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll
FF - plugin: C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.78\Bin\npSSOAxCtrlForPTLogin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Tencent\QQMusic\QzoneMusic\npQzoneMusic.dll
FF - plugin: C:\Program Files (x86)\Tencent\Qzone\npQQPhotoDrawEx.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll
FF - plugin: C:\windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;C:\windows\System32\drivers\epfwwfp.sys [2013-9-17 62136]
R0 fltsrv;Acronis Storage Filter Management;C:\windows\System32\drivers\fltsrv.sys [2014-3-19 116000]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\System32\drivers\thpdrv.sys [2009-6-29 34880]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\System32\drivers\Thpevm.sys [2009-6-29 14784]
R0 tib;Acronis TIB Manager;C:\windows\System32\drivers\tib.sys [2014-3-19 1120032]
R0 tib_mounter;Acronis TIB Mounter;C:\windows\System32\drivers\tib_mounter.sys [2014-3-19 198432]
R0 vididr;Acronis Virtual Disk;C:\windows\System32\drivers\vididr.sys [2014-3-19 161568]
R0 vidsflt;Acronis Disk Storage Filter;C:\windows\System32\drivers\vidsflt.sys [2014-3-19 117024]
R1 cnnctfy2;Connectify LightWeight Filter;C:\windows\System32\drivers\cnnctfy2.sys [2012-8-20 31344]
R1 eamonm;eamonm;C:\windows\System32\drivers\eamonm.sys [2013-9-17 239320]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\windows\System32\drivers\EpfwLWF.sys [2013-9-17 44120]
R2 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2014-3-19 3873784]
R2 c2cautoupdatesvc;Skype Click to Call Updater;C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2014-3-3 1363584]
R2 c2cpnrsvc;Skype Click to Call PNR Service;C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2014-3-3 1748608]
R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-1-28 249200]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2013-9-12 1337752]
R2 ImeDictUpdateService;Microsoft IME Dictionary Update;C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE [2010-10-20 83312]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-3-20 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-3-20 701512]
R2 OS Selector;Acronis OS Selector activator;C:\Program Files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe [2011-11-15 2139400]
R2 PDF Architect Helper Service;PDF Architect Helper Service;C:\Program Files (x86)\PDF Architect\HelperService.exe [2012-11-22 1522312]
R2 PDF Architect Service;PDF Architect Service;C:\Program Files (x86)\PDF Architect\ConversionService.exe [2012-11-22 905864]
R2 risdxc;risdxc;C:\windows\System32\drivers\risdxc64.sys [2012-8-20 100352]
R2 SPDFCreatorReadSpool;SolidPDFCreatorReadSpool;C:\Program Files (x86)\SolidDocuments\SolidPDFCreator\SPC\SolidPdfServicex64.exe [2013-3-25 193832]
R2 syncagentsrv;Acronis Sync Agent Service;C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [2014-2-4 7142320]
R2 TBUpdate;Tencent Toolbar Update Service;C:\Program Files\Tencent\barupdate\TBUpdate.exe [2012-8-22 408632]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2011-4-7 294328]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-8-20 2656280]
R3 afcdp;afcdp;C:\windows\System32\drivers\afcdp.sys [2014-3-19 367200]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2014-3-20 25928]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\System32\drivers\nusb3hub.sys [2011-2-10 82432]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\System32\drivers\nusb3xhc.sys [2011-2-10 181760]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2012-8-20 35008]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2014-1-18 202600]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2012-8-20 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-8 137632]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2011-4-5 828336]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 BtFilter;Bluetooth LowerFilter Class Filter Driver;C:\windows\System32\drivers\btfilter.sys [2012-8-20 42096]
S3 dmvsc;dmvsc;C:\windows\System32\drivers\dmvsc.sys [2010-11-23 71168]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-8-21 1038088]
S3 fssfltr;fssfltr;C:\windows\System32\drivers\fssfltr.sys [2012-8-20 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 GenericMount;Generic Mount Driver;C:\windows\System32\drivers\GenericMount.sys [2009-9-21 54320]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\windows\System32\ieetwcollector.exe [2014-3-20 111616]
S3 massfilter_hs;HS HandSet Mass Storage Filter Driver;C:\windows\System32\drivers\massfilter_hs.sys [2012-9-10 18456]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 pwdrvio;pwdrvio;C:\windows\System32\pwdrvio.sys [2014-3-19 19152]
S3 pwdspio;pwdspio;C:\windows\System32\pwdspio.sys [2014-3-19 12504]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2012-11-18 19456]
S3 StorSvc;Storage Service;C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2011-5-29 27648]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2014-3-20 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2012-11-18 30208]
S3 WatAdminSvc;Windows 啟用技術服務;C:\windows\System32\Wat\WatAdminSvc.exe [2012-8-20 1255736]
S3 zghsdiag;ZTE General Handset Diagnostic Port;C:\windows\System32\drivers\zghsdiag.sys [2012-9-10 129560]
S4 Connectify;Connectify;C:\Program Files (x86)\Connectify\ConnectifyService.exe [2011-12-2 69632]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
FileExt: .txt: txt_auto_file="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1" [UserChoice]
FileExt: .ini: Ini File="C:\Program Files (x86)\GetDiz\GetDiz.exe" "%1"
FileExt: .inf: inffile=C:\windows\System32\NOTEPAD.EXE %1 [UserChoice]
ShellExec: SolidPDFCreator.exe: open=C:\Program Files (x86)\SolidDocuments\SolidPDFCreator\SPC\SolidPDFCreator.exe
.
=============== Created Last 30 ================
.
2014-03-19 20:25:08   25928   ----a-w-   C:\windows\System32\drivers\mbam.sys
2014-03-19 20:25:07   --------   d-----w-   C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-19 19:49:01   --------   d-----w-   C:\Program Files\SUPERAntiSpyware
2014-03-19 19:36:02   --------   d-----w-   C:\Users\Patrick\AppData\Roaming\Malwarebytes
2014-03-19 19:35:34   --------   d-----w-   C:\ProgramData\Malwarebytes
2014-03-19 17:38:58   --------   d-----w-   C:\Users\Patrick\AppData\Local\RescueTime.com
2014-03-19 17:38:57   --------   d-----w-   C:\Program Files (x86)\RescueTime
2014-03-19 17:25:06   548864   ----a-w-   C:\windows\System32\vbscript.dll
2014-03-19 17:25:06   454656   ----a-w-   C:\windows\SysWow64\vbscript.dll
2014-03-19 16:52:28   194048   ----a-w-   C:\windows\SysWow64\elshyph.dll
2014-03-19 16:48:34   6574592   ----a-w-   C:\windows\System32\mstscax.dll
2014-03-19 16:48:34   5694464   ----a-w-   C:\windows\SysWow64\mstscax.dll
2014-03-19 16:18:52   465920   ----a-w-   C:\windows\System32\WMPhoto.dll
2014-03-19 16:18:52   417792   ----a-w-   C:\windows\SysWow64\WMPhoto.dll
2014-03-19 16:18:52   3928064   ----a-w-   C:\windows\System32\d2d1.dll
2014-03-19 16:18:52   3419136   ----a-w-   C:\windows\SysWow64\d2d1.dll
2014-03-19 16:18:52   2565120   ----a-w-   C:\windows\System32\d3d10warp.dll
2014-03-19 16:18:52   1987584   ----a-w-   C:\windows\SysWow64\d3d10warp.dll
2014-03-19 16:18:42   1424384   ----a-w-   C:\windows\System32\WindowsCodecs.dll
2014-03-19 16:18:42   1230336   ----a-w-   C:\windows\SysWow64\WindowsCodecs.dll
2014-03-19 16:01:07   792576   ----a-w-   C:\windows\SysWow64\TSWorkspace.dll
2014-03-19 16:01:07   1030144   ----a-w-   C:\windows\System32\TSWorkspace.dll
2014-03-19 15:09:03   167424   ----a-w-   C:\Program Files\Windows Media Player\wmplayer.exe
2014-03-19 15:09:03   164864   ----a-w-   C:\Program Files (x86)\Windows Media Player\wmplayer.exe
2014-03-19 15:09:03   12625920   ----a-w-   C:\windows\System32\wmploc.DLL
2014-03-19 15:09:02   12625408   ----a-w-   C:\windows\SysWow64\wmploc.DLL
2014-03-19 10:13:15   --------   d-----w-   C:\windows\Migration
2014-03-19 08:57:37   --------   d-----w-   C:\windows\System32\MRT
2014-03-19 07:02:40   --------   d-----w-   C:\Users\Patrick\AppData\Roaming\TrueCrypt
2014-03-19 06:41:48   3050808   ----a-w-   C:\windows\System32\pwNative.exe
2014-03-19 06:41:48   19152   ------w-   C:\windows\System32\pwdrvio.sys
2014-03-19 06:41:47   12504   ------w-   C:\windows\System32\pwdspio.sys
2014-03-19 06:41:28   --------   d-----w-   C:\Program Files (x86)\MiniTool Partition Wizard Home Edition 8.1.1
2014-03-19 04:41:05   367200   ----a-w-   C:\windows\System32\drivers\afcdp.sys
2014-03-19 04:41:03   198432   ----a-w-   C:\windows\System32\drivers\tib_mounter.sys
2014-03-19 04:08:47   --------   d-----w-   C:\Users\Patrick\AppData\Roaming\Seagate
2014-03-19 04:08:22   1120032   ----a-w-   C:\windows\System32\drivers\tib.sys
2014-03-19 04:08:21   161568   ----a-w-   C:\windows\System32\drivers\vididr.sys
2014-03-19 04:08:21   1464096   ----a-w-   C:\windows\System32\drivers\tdrpman.sys
2014-03-19 04:08:20   117024   ----a-w-   C:\windows\System32\drivers\vidsflt.sys
2014-03-19 04:08:19   269600   ----a-w-   C:\windows\System32\drivers\snapman.sys
2014-03-19 04:08:17   116000   ----a-w-   C:\windows\System32\drivers\fltsrv.sys
2014-03-19 03:30:24   743   ----a-w-   C:\windows\System32\AutoPartNt.scr
2014-03-19 03:30:16   1387420   ----a-w-   C:\windows\System32\AutoPartNt.exe
2014-03-18 17:53:57   --------   d-----w-   C:\Users\Patrick\AppData\Roaming\Passware
2014-03-18 17:53:47   --------   d-----w-   C:\Program Files\Temp
2014-03-18 17:50:20   231376   ----a-w-   C:\windows\System32\drivers\truecrypt.sys
2014-03-18 17:50:09   --------   d-----w-   C:\Program Files\TrueCrypt
2014-03-18 17:27:48   --------   d-----w-   C:\GoAgent
2014-03-18 17:15:21   --------   d-----w-   C:\Users\Patrick\AppData\Roaming\KeePass
2014-03-18 17:12:12   --------   d-----w-   C:\Program Files (x86)\KeePass Password Safe 2
2014-03-18 17:12:01   25088   ----a-w-   C:\windows\SysWow64\msxml3a.dll
2014-03-18 17:10:02   --------   d-----w-   C:\Program Files (x86)\Business-in-a-Box
2014-03-18 16:58:46   --------   d-----w-   C:\Users\Patrick\AppData\Local\BusinessOfficePro
2014-03-18 16:56:40   --------   d-----w-   C:\Program Files (x86)\Business Office Pro
2014-03-18 16:55:01   --------   d-----w-   C:\Users\Patrick\AppData\Roaming\BusinessOfficePro
2014-03-18 16:53:52   --------   d-----w-   C:\Users\Patrick\AppData\Local\IsolatedStorage
2014-03-18 16:53:21   --------   d-----w-   C:\Users\Patrick\AppData\Local\SolidDocuments
2014-03-18 16:52:19   --------   d-----w-   C:\Program Files (x86)\SolidDocuments
2014-03-18 16:32:07   --------   d-----w-   C:\Program Files (x86)\MDictPC
2014-03-18 16:16:50   --------   d-----w-   C:\Users\Patrick\AppData\Roaming\EDrawings
2014-03-18 16:16:18   --------   d-----w-   C:\Users\Patrick\AppData\Roaming\DassaultSystemes
2014-03-18 16:16:18   --------   d-----w-   C:\Users\Patrick\AppData\Local\DassaultSystemes
2014-03-18 16:16:18   --------   d-----w-   C:\ProgramData\DassaultSystemes
2014-03-18 16:15:41   --------   d-----w-   C:\Program Files (x86)\Common Files\eDrawings2014
2014-03-18 16:09:56   --------   d-----w-   C:\ProgramData\TEC-IT
2014-03-18 16:09:56   --------   d-----w-   C:\Program Files (x86)\TEC-IT
2014-03-18 16:07:38   --------   d-----w-   C:\Program Files\camprocessor
2014-03-18 16:03:52   --------   d-----w-   C:\Program Files (x86)\VS Revo Group
2014-03-18 15:42:49   --------   d-----w-   C:\FWBuilder51
2014-03-18 15:41:48   3600856   ----a-w-   C:\windows\System32\auto_reactivate.exe
2014-03-18 15:41:48   345408   ----a-w-   C:\windows\System32\snapapiar64.dll
2014-03-18 12:56:10   --------   d-----w-   C:\Users\Patrick\AppData\Roaming\MatchWare
2014-03-18 12:56:10   --------   d-----w-   C:\Users\Patrick\AppData\Local\MatchWare
2014-03-18 12:51:09   --------   d-----w-   C:\Program Files (x86)\MatchWare
2014-03-18 12:51:08   --------   d-----w-   C:\ProgramData\mwas
2014-03-18 11:12:20   --------   d-----w-   C:\Users\Patrick\AppData\Roaming\Copernic
2014-03-18 11:12:19   --------   d-----w-   C:\Program Files (x86)\Common Files\Copernic
2014-03-18 11:12:17   109782   ----a-w-   C:\windows\CopernicAgentUninstall.exe
2014-03-18 11:12:17   --------   d-----w-   C:\Program Files (x86)\Copernic Agent
2014-03-18 09:58:36   633856   ----a-w-   C:\windows\System32\comctl32.dll
2014-03-18 09:58:36   530432   ----a-w-   C:\windows\SysWow64\comctl32.dll
2014-03-18 09:58:36   48640   ----a-w-   C:\windows\System32\wwanprotdim.dll
2014-03-18 09:58:36   335360   ----a-w-   C:\windows\System32\msieftp.dll
2014-03-18 09:58:36   301568   ----a-w-   C:\windows\SysWow64\msieftp.dll
2014-03-18 09:58:36   228864   ----a-w-   C:\windows\System32\wwansvc.dll
2014-03-18 09:58:26   224256   ----a-w-   C:\windows\System32\wintrust.dll
2014-03-18 09:58:26   175104   ----a-w-   C:\windows\SysWow64\wintrust.dll
2014-03-18 09:58:17   70144   ----a-w-   C:\windows\System32\appinfo.dll
2014-03-18 09:58:17   111448   ----a-w-   C:\windows\System32\consent.exe
2014-03-18 09:58:01   1656680   ----a-w-   C:\windows\System32\drivers\ntfs.sys
2014-03-18 09:56:59   553984   ----a-w-   C:\windows\System32\RMActivate_ssp.exe
2014-03-18 09:55:10   --------   d-----w-   C:\Users\Patrick\AppData\Local\Skype
2014-03-18 09:52:27   404480   ----a-w-   C:\windows\System32\gdi32.dll
2014-03-18 09:52:27   311808   ----a-w-   C:\windows\SysWow64\gdi32.dll
2014-03-18 09:52:24   751104   ----a-w-   C:\windows\System32\win32spl.dll
2014-03-18 09:52:24   492544   ----a-w-   C:\windows\SysWow64\win32spl.dll
2014-03-18 09:52:18   68608   ----a-w-   C:\windows\System32\taskhost.exe
2014-03-18 09:52:14   624128   ----a-w-   C:\windows\System32\qedit.dll
2014-03-18 09:52:14   509440   ----a-w-   C:\windows\SysWow64\qedit.dll
2014-03-18 09:52:10   30720   ----a-w-   C:\windows\System32\cryptdlg.dll
2014-03-18 09:52:10   24576   ----a-w-   C:\windows\SysWow64\cryptdlg.dll
2014-03-18 09:50:27   859648   ----a-w-   C:\windows\System32\IKEEXT.DLL
2014-03-18 09:50:27   830464   ----a-w-   C:\windows\System32\nshwfp.dll
2014-03-18 09:50:27   656896   ----a-w-   C:\windows\SysWow64\nshwfp.dll
2014-03-18 09:50:27   324096   ----a-w-   C:\windows\System32\FWPUCLNT.DLL
2014-03-18 09:50:27   216576   ----a-w-   C:\windows\SysWow64\FWPUCLNT.DLL
2014-03-18 09:45:58   --------   d-----w-   C:\Program Files (x86)\FileHippo.com
2014-03-18 09:44:16   461312   ----a-w-   C:\windows\System32\scavengeui.dll
2014-03-18 09:31:07   --------   d-----w-   C:\windows\pss
2014-03-18 06:41:19   --------   d-----w-   C:\Program Files\ESET
2014-03-18 06:37:49   24416   ----a-r-   C:\windows\System32\AdobePDFUI.dll
.
==================== Find3M  ====================
.
2014-03-19 09:16:06   9728   ---ha-w-   C:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-03-01 05:17:02   2724864   ----a-w-   C:\windows\System32\mshtml.tlb
2014-03-01 05:16:26   4096   ----a-w-   C:\windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55   66048   ----a-w-   C:\windows\System32\iesetup.dll
2014-03-01 04:51:59   48640   ----a-w-   C:\windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52   139264   ----a-w-   C:\windows\System32\ieUnatt.exe
2014-03-01 04:33:34   111616   ----a-w-   C:\windows\System32\ieetwcollector.exe
2014-03-01 04:32:59   708608   ----a-w-   C:\windows\System32\jscript9diag.dll
2014-03-01 04:23:49   940032   ----a-w-   C:\windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20   2724864   ----a-w-   C:\windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33   5768704   ----a-w-   C:\windows\System32\jscript9.dll
2014-03-01 03:52:43   61952   ----a-w-   C:\windows\SysWow64\iesetup.dll
2014-03-01 03:51:53   51200   ----a-w-   C:\windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26   112128   ----a-w-   C:\windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35   553472   ----a-w-   C:\windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11   2041856   ----a-w-   C:\windows\System32\inetcpl.cpl
2014-03-01 03:14:15   4244480   ----a-w-   C:\windows\SysWow64\jscript9.dll
2014-03-01 03:10:28   2334208   ----a-w-   C:\windows\System32\wininet.dll
2014-03-01 03:00:08   1964032   ----a-w-   C:\windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16   1820160   ----a-w-   C:\windows\SysWow64\wininet.dll
2014-02-07 01:23:30   3156480   ----a-w-   C:\windows\System32\win32k.sys
2014-01-29 02:32:18   484864   ----a-w-   C:\windows\System32\wer.dll
2014-01-29 02:06:47   381440   ----a-w-   C:\windows\SysWow64\wer.dll
.
============= FINISH:  5:18:26.39 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 20/8/2012 20:16:03
System Uptime: 20/3/2014 4:38:04 (1 hours ago)
.
Motherboard: TOSHIBA |  | Portable PC
Processor: Intel(R) Core(TM) i5-2435M CPU @ 2.40GHz | Socket BGA1023 | 2401/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 148 GiB total, 57.909 GiB free.
E: is FIXED (NTFS) - 932 GiB total, 931.397 GiB free.
T: is NetworkDisk (NTFS) - 2778 GiB total, 399.617 GiB free.
U: is NetworkDisk (NTFS) - 2778 GiB total, 399.617 GiB free.
V: is NetworkDisk (NTFS) - 2778 GiB total, 399.617 GiB free.
W: is NetworkDisk (NTFS) - 2778 GiB total, 399.617 GiB free.
X: is NetworkDisk (NTFS) - 2778 GiB total, 399.617 GiB free.
Y: is NetworkDisk (NTFS) - 2778 GiB total, 399.617 GiB free.
Z: is NetworkDisk (NTFS) - 2778 GiB total, 399.617 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP122: 19/3/2014 16:41:50 - Windows Update
RP123: 19/3/2014 17:44:52 - Windows Update
RP124: 19/3/2014 23:58:35 - Windows 模組安裝程式
RP125: 20/3/2014 0:01:16 - Windows Update
RP126: 20/3/2014 0:36:43 - Windows Update
RP127: 20/3/2014 0:49:34 - Windows Update
RP128: 20/3/2014 1:24:48 - Windows Update
.


==== Installed Programs ======================
.
7-Zip 9.20 (x64 edition)
Acrobat.com
Acronis True Image 2014
Acronis Disk Director 11 Home
Adobe Acrobat 9.5.5 - CPSID_83708
Adobe Acrobat Pro 9 - ChineseT
Adobe AIR
Adobe Anchor Service CS4
Adobe Anchor Service x64 CS4
Adobe Asset Services CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe CMaps x64 CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Recommended Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Creative Suite 4 Design Premium
Adobe CSI CS4
Adobe CSI CS4 x64
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe Drive CS4 x64
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Fonts All
Adobe Fonts All x64
Adobe Illustrator CS4
Adobe InDesign CS4
Adobe InDesign CS4 Application Feature Set Files (Japan)
Adobe InDesign CS4 Common Base Files
Adobe InDesign CS4 Icon Handler
Adobe InDesign CS4 Icon Handler x64
Adobe Linguistics CS4
Adobe Linguistics CS4 x64
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe PDF Library Files x64 CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 (64 Bit)
Adobe Photoshop CS4 Support
Adobe Reader X (10.1.9) - Chinese Traditional
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe SGM CS4
Adobe SING CS4
Adobe Type Support CS4
Adobe Type Support x64 CS4
Adobe Update Manager CS4
Adobe Version Cue CS4 Server
Adobe WinSoft Linguistics Plugin
Adobe WinSoft Linguistics Plugin x64
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Almega acVision.net
Almega acWorkspace
Almega BibleTools 4 Updates
Any Video Converter 3.5.5
Atheros Bluetooth Filter Driver Package
Atheros Driver Installation Program
Belarc Advisor 8.4
BibleWorks 8
Bluetooth Stack for Windows by Toshiba
Business-in-a-Box
Business Office Pro
CAMeditor 3.1.1
Canon MF Toolbox 4.9.1.1.mf12
Canon MF4360-4390
CCleaner
Color Network ScanGear Ver.2.71
Connect
Connectify
Copernic Agent Personal
COWON Media Center - jetAudio Basic VX
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 64-Bit Edition
eDrawings 2014
ESET Smart Security
Firewall Builder 5.1
GetDiz
Google Chrome
Google Drive
Google Update Helper
Image Resizer for Windows
Image Resizer for Windows (64 bit)
Intel(R) Management Engine Components
Intel(R) Network Connections Drivers
Intel(R) Processor Graphics
Intel(R) Rapid Storage Technology
Java 7 Update 9
Java Auto Updater
Java(TM) 6 Update 20
Join Air
Junk Mail filter update
K-Lite Mega Codec Pack 9.2.0
KeePass Password Safe 2.25
kuler
Malwarebytes Anti-Malware version 1.75.0.1300
MatchWare MindView 5.0
Mesh Runtime
Messenger 分享元件
Microsoft .NET Framework 4.5.1
Microsoft .NET Framework 4.5.1 (CHT)
Microsoft Application Error Reporting
Microsoft Office Access MUI (Chinese (Traditional)) 2010
Microsoft Office Excel MUI (Chinese (Traditional)) 2010
Microsoft Office Groove MUI (Chinese (Traditional)) 2010
Microsoft Office IME (Chinese (Traditional)) 2010
Microsoft Office InfoPath MUI (Chinese (Traditional)) 2010
Microsoft Office Office 32-bit Components 2010
Microsoft Office OneNote MUI (Chinese (Traditional)) 2010
Microsoft Office Outlook MUI (Chinese (Traditional)) 2010
Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (Chinese (Traditional)) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proofing (Chinese (Traditional)) 2010
Microsoft Office Publisher MUI (Chinese (Traditional)) 2010
Microsoft Office Shared 32-bit MUI (Chinese (Traditional)) 2010
Microsoft Office Shared MUI (Chinese (Traditional)) 2010
Microsoft Office Word MUI (Chinese (Traditional)) 2010
Microsoft Primary Interoperability Assemblies 2005
Microsoft Research Mesh Virtual WIFI
Microsoft Silverlight
Microsoft Speech
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2012 PowerPivot for Excel  64-bit
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
Microsoft Windows Application Compatibility Database
MiniTool Partition Wizard Home Edition 8.1.1
Mozilla Firefox 27.0.1 (x86 zh-TW)
Mozilla Maintenance Service
Mozilla Thunderbird 24.3.0 (x86 zh-TW)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nikon Message Center
Nikon Transfer
Notepad++
Orbit Downloader
Passware Kit Standard 13.0 (64-bit)
PDF-Viewer
PDF Architect
PDF Settings CS4
PDFCreator
Photoshop Camera Raw
Photoshop Camera Raw_x64
piaip AppLocale
PL-2303 USB-to-Serial
PlayReady PC Runtime amd64
Presto! PageManager 7.15.35
PuTTY version 0.62
QQProtect
QuickTime
RationalPlan Multi
Realtek High Definition Audio Driver
Renesas Electronics USB 3.0 Host Controller Driver
RescueTime 2.9.4.1090
RICOH Media Driver v2.13.17.01
RosettaStoneV3.30
sancho (remove only)
Sandboxie 4.08 (64-bit)
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Microsoft Excel 2010 (KB2826033) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2687413) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 64-Bit Edition
Security Update for Microsoft Word 2010 (KB2863902) 64-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition
Skype Click to Call
Skype™ 6.14
SmartSound Quicktracks Plugin
Solid PDF Tools v8
SolidPDFCreator
SolidWordAddIn
Spelling Dictionaries Support For Adobe Reader 9
Storybook4
Suite Shared Configuration CS4
Synaptics Pointing Device Driver
TBUpdate
TEC-IT QR-Code Studio 1.0
theWord
TOSHIBA Assist
TOSHIBA Bulletin Board
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA Face Recognition
TOSHIBA HDD Protection
TOSHIBA PC Health Monitor
TOSHIBA Recovery Media Creator
TOSHIBA ReelTime
TOSHIBA Security Assist
TOSHIBA Service Station
TOSHIBA Sleep Utility
TOSHIBA Sync Utility
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
TOSHIBA Wireless LAN Indicator
TrueCrypt
Ulead PhotoImpact 12
Ulead VideoStudio 11
Unlocker 1.9.1-x64
Update for Microsoft Access 2010 (KB2553446) 64-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2837594) 64-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 64-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817396) 64-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 64-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 64-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 64-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 64-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 64-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 64-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 64-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 64-Bit Edition
Update for Microsoft Office 2010 (KB2863818) 64-Bit Edition
Update for Microsoft Office 2010 (KB2878225) 64-Bit Edition
Update for Microsoft OneNote 2010 (KB2837595) 64-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 64-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 64-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2775360) 64-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 64-Bit Edition
Update for Microsoft Visio 2010 (KB2878227) 64-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 64-Bit Edition
ViceVersa Pro 2.5 64-bit (Build 2513)
VideoStudio
VMware Player
Windows Live Communications Platform
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Encoder 9 Series
Windows Driver Package - Google, Inc. (WinUSB) AndroidUsbDeviceClass  (12/06/2010 4.0.0000.00000)
XMind 2013 (v3.4.1)
XnView 2.20
xplorer² professional 64 bit
ZTE Handset USB Driver
Toshiba eco utilities
Toshiba HDD/SSD Alarm
Toshiba Dashboard
Windows Live Mesh ActiveX (suitable for remote connection)

.
==== End Of File ===========================


Thanks so much for your help first!!
MrCharlie
Moderator
Date Registered: June 06, 2004, 05:50:23 PM
Posts: 6662
« Reply #1 on: March 20, 2014, 08:22:02 PM »

Sorry for the delay.

Please download RogueKiller 32 Bit to your desktop and run it.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes and use the default font)

MrC

My help is always free here but if you would like to show your appreciation, it will be much appreciated.
Thanks MrC
patwwh
Guest
« Reply #2 on: March 21, 2014, 10:57:27 AM »

Hello Mr Charlie,

Thanks a lot for your help first. Smiley
Please see the attached scan report.

Pat
patwwh
Guest
« Reply #3 on: March 21, 2014, 10:58:28 AM »

Forgot to answer you... My system is Windows 7 Pro SP1.
MrCharlie
Moderator
« Reply #4 on: March 21, 2014, 11:48:48 AM »

Please run TDSSKiller and ComboFix as outlined in the link below: (disregard running CCleaner)

https://forums.malwarebytes.org/index.php?showtopic=144127&p=803271

Post/attach back all the logs, MrC
patwwh
Guest
« Reply #5 on: March 24, 2014, 10:32:16 AM »

I discovered my original upload was missed because it was over the size limit.
I just tried it again, but it still hasn't been shown in the forum.
I'll try to upload the log again here.
MrCharlie
Moderator
« Reply #6 on: March 24, 2014, 12:04:44 PM »

The attachment is there.

I'm linking you to the tasks I want you to perform because I do the majority of my work at that forum and the prepared texts I have won't work here...I would have to re-write all of them. So it's just easier to link you to what I need you to do.


Please run AdwCleaner, Junk Removal Tool and Malwarebytes as outlined in the link below:
https://forums.malwarebytes.org/index.php?showtopic=144792&p=807266

Thanks.....MrC
patwwh
Guest
« Reply #7 on: March 26, 2014, 04:12:22 AM »

Hello Mr Charlie,

Log files are attached. Thanks.

Pat
MrCharlie
Moderator
« Reply #8 on: March 26, 2014, 09:29:05 AM »

How is it????

MrC
patwwh
Guest
« Reply #9 on: March 26, 2014, 11:15:41 AM »

You saw my last upload, right?

The last tests found 3 programs. All of them are famous.
I have used them for many years already. I know they have some spam, but they should not be too harmful.
And I doubt whether the current phenomenon is caused by their latest versions.
Tencent QQ (a very important messenger for me to communicate with Chinese customers, just like MSN Messenger. It should not cause a big problem)
Orbit Downloader (finally removed it. I can use another replacement)
PDFCreator (have downgraded to an older and safer version. No more spam alarm from my NOD32, but AdwCleaner)

On the other hand, I want to hear your analysis so far.
1. Do you think the relevant spam is removed or not? From which log data do you certify this?
2. About the auto-generated user account, will it be generated by a proper program (e.g. SQL Server) and not spam?
3. Before I contact you, what I can do is to change the user password of that account and remove the auto-authorized folders. I suppose this can partially limit its behavior.
If you think it is spam, and I am safe to do so, I can make a test by removing that user account. If it is re-generated after reboot, then it is still there. (But I want to hear your comment, because removing it means re-activating it, if it is still there.)
4. Finally, if you have met this kind of malware before, can you share with me its name and usual behavior (which kind of secrets it will steal)? In the worst case, I may persuade myself to live with this cancer.
MrCharlie
Moderator
« Reply #10 on: March 26, 2014, 12:58:55 PM »

1. Do you think the relevant spam is removed or not? From which log data do you certify this?

No

2. About the auto-generated user account, will it be generated by a proper program (e.g. SQL Server) and not spam?

I'm not sure

3. Before I contact you, what I can do is to change the user password of that account and remove the auto-authorized folders. I suppose this can partially limit its behavior.
If you think it is spam, and I am safe to do so, I can make a test by removing that user account. If it is re-generated after reboot, then it is still there. (But I want to hear your comment, because removing it means re-activating it, if it is still there.)

Give it a try

4. Finally, if you have met this kind of malware before, can you share with me its name and usual behavior (which kind of secrets it will steal)? In the worst case, I may persuade myself to live with this cancer.

OK

-------------------------------------------------

PM sent, MrC
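The test agreed on above (remove the account, reboot, see whether it comes back) tells you that something recreates it, but not what. The following script is an added example written for this thread; it is not code from the thread, from FRST, RogueKiller or any other tool named here. It takes the defender's route: enable Windows account-management and process-creation auditing, snapshot the local accounts, then pull the Security-log events that created the account (4720), deleted it (4726) or added it to a local group (4732), and for each one list the processes started in the same logon session just before it (4688). The event IDs, their field names and the auditpol subcategories are standard Windows; the account name is the one reported in this thread; the script file name and the two-minute correlation window are illustrative choices.

```powershell
# Added example for this thread (not code from the thread or from any tool named in it).
# Purpose: a defender's check for a local account that keeps coming back after a
# reboot: list local accounts, find the Security-log events that created or deleted
# it or put it in a group, and show which logon session and which processes did so.
# Assumptions: elevated PowerShell on Windows 7 or later; the auditpol lines below
# must have run *before* the reboot you are investigating, or 4720/4688 will not exist.
# 'yzfvcbgk' is the account name reported in the thread; everything else is illustrative.

param(
    [string]$SuspectAccount = 'yzfvcbgk',
    [int]$LookbackDays = 30
)

# 1. Enable the audit subcategories this relies on (affects future events only).
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Snapshot local accounts. Win32_UserAccount is available on Windows 7,
#    where Get-LocalUser does not exist.
$localAccounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled, PasswordRequired
$localAccounts | Format-Table -AutoSize | Out-String | Write-Host
$names = $localAccounts | ForEach-Object { $_.Name }
if ($names -contains $SuspectAccount) {
    Write-Host "'$SuspectAccount' exists right now." -ForegroundColor Yellow
}

# 3. Flatten an event's EventData into a hashtable keyed by field name.
function ConvertTo-EventData {
    param($Event)
    $data = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# 4. Account created (4720), deleted (4726), added to a local group (4732).
$since = (Get-Date).AddDays(-$LookbackDays)
$filter = @{ LogName = 'Security'; Id = 4720, 4726, 4732; StartTime = $since }
$accountEvents = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventData $_ }

# 4720/4726 name the account in TargetUserName; 4732 names the member by SID,
# so collect every SID the account has been created with and match 4732 on MemberSid.
$sids = @($accountEvents |
    Where-Object { $_.Id -eq 4720 -and $_.TargetUserName -eq $SuspectAccount } |
    ForEach-Object { $_.TargetSid })
$hits = $accountEvents | Where-Object {
    ($_.TargetUserName -eq $SuspectAccount) -or ($sids -contains $_.MemberSid)
}

if (-not $hits) {
    Write-Host "No 4720/4726/4732 events for '$SuspectAccount' in the last $LookbackDays days."
    Write-Host "If auditing was only just enabled, reboot and run this script again."
    return
}

# 5. For each hit print who did it, then the processes started in the same logon
#    session during the preceding two minutes. A subject of COMPUTERNAME$ with
#    logon id 0x3e7 is SYSTEM, which points at a service or scheduled task rather
#    than an interactive user, and that is where to look next.
foreach ($h in ($hits | Sort-Object { $_.TimeCreated })) {
    Write-Host ("{0}  event {1}  subject {2}\{3}  logonId {4}" -f `
        $h.TimeCreated, $h.Id, $h.SubjectDomainName, $h.SubjectUserName, $h.SubjectLogonId)
    $window = @{ LogName = 'Security'; Id = 4688
                 StartTime = $h.TimeCreated.AddMinutes(-2); EndTime = $h.TimeCreated }
    Get-WinEvent -FilterHashtable $window -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ } |
        Where-Object { $_.SubjectLogonId -eq $h.SubjectLogonId } |
        ForEach-Object { Write-Host ("    {0}  {1}" -f $_.TimeCreated, $_.NewProcessName) }
}
```

Save it under any name (for instance Find-AccountCreator.ps1, a name chosen here), run it once from an elevated prompt so auditing is switched on, delete the account, reboot, and run it again. The 4720 line then shows the logon session that recreated the account, and the 4688 lines beneath it show the executables that were running in that session at the time; if the subject is the machine account, the creator is a service or scheduled task, which is exactly the kind of entry the FRST log requested later in this thread lists.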
patwwh
Guest
« Reply #11 on: March 26, 2014, 09:36:00 PM »

Hello Mr Charlie,

Thanks a lot for your help. I think you are correct. The problem is still here. That user-account is still auto-generated.
What do you think? Is there still anything we can do?

Pat
MrCharlie
Moderator
« Reply #12 on: March 27, 2014, 07:29:18 AM »

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.
(use correct version for your system.....Which system am I using?)
FRST <----for 32 bit systems
FRST64 <----for 64 bit systems
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
MrC
patwwh
Guest
« Reply #13 on: March 27, 2014, 09:56:22 AM »

Hello Mr Charlie,

Please see attached log.
It hasn't warned me or requested me to run a fix, so I haven't run it without your indication.

N.B. If you want to move our dialogue to Malware forum, please do so and just leave me the link.

Pat
MrCharlie
Moderator
« Reply #14 on: March 27, 2014, 02:40:14 PM »

Do you recognize these:

Quote
C:\Program Files (x86)\Yellow blue soft\Tabbles\TabblesExplorerListener.exe

C:\Users\Charis\AppData\Roaming\TrueCrypt

C:\Users\Biz\AppData\Roaming\TrueCrypt

CHR Extension: (有道词典) - C:\Users\Biz\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdfmlclmlmmllklbenfjgaialleabmlp [2014-03-25]

-------------------------------------------

Please use your CCleaner to clean out temp files.

Then.............

Download the attached fixlist.txt to the same folder as FRST.
Run FRST.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

MrC