Unknown virus, possibly keylogger

holaboo

New Member
Thread author
Apr 10, 2013
12
UPDATE: I have run an exe analysis on the file and have attached a report.

Here is a link to the file I downloaded, maybe it can help you to analyse the problem. I believe the initial RAR file is harmless.

https://mega.co.nz/#!I9Ul0SxA!Iel0TwivZbNfadPnIZBEpmraj88LFPOwRkBJPyUtA0U
 

Attachments
  • Extras.Txt (205 KB)
  • OTL.Txt (151.6 KB)
  • aswMBR.txt (2 KB)
  • report_1176f8ad43e3b58246d69f91a5af56197.txt (18.6 KB)

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips fellow summoner! :p

I'm Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

I analyzed the file you downloaded; it seems to be a backdoor/bot infection.


Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D98D3097-8A4D-4F1A-947B-C59AD700C145}: DhcpNameServer = 8.8.8.8
[2011/08/14 19:01:33 | 000,000,256 | ---- | C] () -- C:\Users\FW56E\AppData\Roaming\090024D6292A4E
[2010/04/30 01:46:49 | 000,005,009 | ---- | C] () -- C:\ProgramData\tbuxfygh.lbm
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:8CEFE51A
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:CE2C623F

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically; post its content in your next reply.

Next, Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Download Farbar Recovery Scan Tool from the below link:
  • For 64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a USB/flash drive.
  • Plug the flash drive into the infected PC.
  • Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  1. Select Command Prompt.
  2. In the command window type in notepad and press Enter.
  3. The notepad opens. Under File menu select Open.
  4. Select "Computer" and find your flash drive letter and close the notepad.
  5. In the command window type e:\frst64 and press Enter.
     Note: Replace letter e with the drive letter of your flash drive.
  6. The tool will start to run.
  7. When the tool opens click Yes to disclaimer.
  8. Press Scan button.
  9. FRST will let you know when the scan is complete and has written the FRST.txt to file; close the message.
  10. Type exit.
  11. Please copy and paste FRST.txt in your next reply.

holaboo

New Member
Thread author
Apr 10, 2013
12
Hi Fiery,

Thanks so much for the prompt reply! I have run the first step and have posted the log below. Is this the log you meant? If not, I'm not sure where the log is supposed to be saved.

While I'm here could you tell me what exactly the backdoor bot does?


Files\Folders moved on Reboot...
C:\Users\FW56E\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\FW56E\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 moved successfully.
C:\Users\FW56E\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 moved successfully.
C:\Users\FW56E\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

holaboo

New Member
Thread author
Apr 10, 2013
12
I have completed the RogueKiller scan and here is the report:
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : FW56E [Admin rights]
Mode : Scan -- Date : 04/10/2013 18:30:47
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK5055GSX +++++
--- User ---
[MBR] 6b882a5861a8e61d058fcf174bcad430
[BSP] 8c1d120d3d47be8f9c65b274e7d41e49 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 11438 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 23427072 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 23631872 | Size: 465400 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_04102013_02d1830.txt >>
RKreport[1]_S_04102013_02d1830.txt
 

holaboo

New Member
Thread author
Apr 10, 2013
12
Last but not least, the Farbar report:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 28 days old)
Ran by SYSTEM at 10-04-2013 18:39:17
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Apoint] %ProgramFiles%\Apoint\Apoint.exe [208384 2009-08-03] (Alps Electric Co., Ltd.)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7938080 2009-07-24] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-07-24] (Realtek Semiconductor Corp.)
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-05] (Intel Corporation)
HKLM-x32\...\Run: [360Safetray] "C:\Program Files (x86)\360\360safe\safemon\360Tray.exe" /start [879208 2013-03-06] (360.cn)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Razer Synapse] "C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe" [336304 2012-10-11] (Razer USA Ltd)
HKLM-x32\...\Run: [Arctosa] "C:\Program Files (x86)\Razer\Arctosa\razerhid.exe" [232960 2009-08-19] (Razer USA Ltd.)
HKLM-x32\...\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3825176 2012-11-13] (Safer-Networking Ltd.)
HKU\FW56E\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\FW56E\...\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [3093624 2013-02-27] ()
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100

==================== Services (Whitelisted) ===================

3 1394hub; C:\Windows\System32\svchost.exe -k netsvcs [27136 2009-07-14] (Microsoft Corporation)
3 1394hub; C:\Windows\SysWow64\svchost.exe -k netsvcs [20992 2009-07-14] (Microsoft Corporation)
2 360rp; "C:\Program Files (x86)\360\360sd\360rp.exe" [939352 2010-12-10] (360.cn)
3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
3 KMService; C:\Windows\SysWow64\srvany.exe [8192 2012-01-05] ()
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [418376 2013-04-04] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [701512 2013-04-04] (Malwarebytes Corporation)
2 OMSI download service; C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [90112 2009-04-30] ()
2 RapportMgmtService; "C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe" [1124184 2013-04-02] (Trusteer Ltd.)
3 Roxio UPnP Renderer 10; "C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe" [313840 2009-06-26] (Sonic Solutions)
4 Roxio Upnp Server 10; "C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe" [362992 2009-06-26] (Sonic Solutions)
2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [189984 2009-07-24] (Realtek Semiconductor)
2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)
3 SOHDBSvr; "C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe" [70952 2009-07-27] (Sony Corporation)
3 SOHPlMgr; "C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe" [91432 2009-07-27] (Sony Corporation)
3 TeamViewer5; "C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe" -service [173352 2010-07-06] (TeamViewer GmbH)
3 VAIO Entertainment TV Device Arbitration Service; "C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe" [69632 2009-07-23] (Sony Corporation)
3 Vcsw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -RunBySCM [313264 2009-07-23] (Sony Corporation)
3 VUAgent; "C:\Program Files\Sony\VAIO Update 5\VUAgent.exe" [1223024 2010-04-09] (Sony Corporation)
3 VzCdbSvc; "C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe" [206336 2009-07-23] (Sony Corporation)
3 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [88080 2012-11-20] (ShenZhen Xunlei Networking Technologies,LTD)
2 ZhuDongFangYu; "C:\Program Files (x86)\360\360safe\deepscan\zhudongfangyu.exe" [286568 2013-01-23] (360.cn)
3 pgsql-8.3; "C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "C:\Program Files (x86)\PostgreSQL\8.3\data\" [x]

==================== Drivers (Whitelisted) =====================

1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [62848 2013-01-08] (360.cn)
1 360Box64; C:\Windows\System32\Drivers\360Box64.sys [297336 2012-12-31] (360????)
1 360Camera; C:\Windows\System32\Drivers\360Camera64.sys [40688 2012-05-22] (360.cn)
1 360FsFlt; C:\Windows\System32\Drivers\360FsFlt.sys [211336 2012-12-06] (360.cn)
1 360netmon; C:\Windows\System32\Drivers\360netmon.sys [57984 2012-05-30] (360.cn)
1 360SelfProtection; C:\Windows\SysWow64\Drivers\360SelfProtection.sys [123520 2010-10-20] (360????)
3 Arctosa; C:\Windows\System32\Drivers\Arctosa.sys [19840 2009-08-19] (Razer USA Ltd.)
2 atksgt; C:\Windows\System32\Drivers\atksgt.sys [312480 2011-09-08] ()
1 BAPIDRV; C:\Windows\System32\Drivers\BAPIDRV64.SYS [188808 2012-11-01] (360.cn)
1 EfiMon; C:\Windows\System32\Drivers\EfiMon.sys [19712 2010-08-13] (???)
1 EfiMon; C:\Windows\SysWow64\Drivers\EfiMon.sys [19712 2010-08-13] (???)
0 HookPort; C:\Windows\SysWow64\Drivers\HookPort.sys [60544 2010-09-23] (360????)
0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69152 2010-06-04] (Lavasoft AB)
2 lirsgt; C:\Windows\System32\Drivers\lirsgt.sys [43168 2011-09-08] ()
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [102472 2009-11-04] (McAfee, Inc.)
1 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [308296 2009-11-04] (McAfee, Inc.)
3 mferkdk; C:\Windows\System32\Drivers\mferkdk.sys [40904 2009-11-04] (McAfee, Inc.)
3 mfesmfk; C:\Windows\System32\Drivers\mfesmfk.sys [49480 2009-11-04] (McAfee, Inc.)
3 Mkd2Nadr; C:\Windows\System32\Drivers\Mkd2Nadr.sys [106040 2008-10-17] (AhnLab, Inc.)
3 Mkd2Nadr; C:\Windows\SysWow64\Drivers\Mkd2Nadr.sys [106040 2008-10-17] (AhnLab, Inc.)
3 Mkd3kfNt; C:\Windows\System32\Drivers\Mkd3kfNt.sys [179768 2008-10-17] (AhnLab, Inc.)
3 NPF; C:\Windows\System32\Drivers\NPF.sys [47632 2009-10-20] (CACE Technologies, Inc.)
3 p2pfilter; \??\C:\Program Files (x86)\p2pover\p2pfilter.sys [4524 2005-05-10] ()
1 qutmdserv; C:\Windows\System32\drivers\qutmdrv.sys [91184 2010-04-16] (360????)
1 RapportCerberus_51755; \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_51755.sys [586072 2013-03-29] ()
1 RapportEI64; \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [228600 2013-04-02] (Trusteer Ltd.)
3 RapportIaso; \??\c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso64.sys [175352 2013-03-03] (Trusteer Ltd.)
0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [236248 2013-04-02] (Trusteer Ltd.)
1 RapportPG64; \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [357272 2013-04-02] (Trusteer Ltd.)
3 Razerlow; C:\Windows\System32\Drivers\Razerlow.sys [21120 2005-11-07] (Razer (Asia-Pacific) Pte Ltd)
2 risdptsk; C:\Windows\system32\DRIVERS\risdsn64.sys [76288 2009-07-31] (REDC)
3 s1018bus; C:\Windows\System32\Drivers\s1018bus.sys [113704 2009-03-25] (MCCI Corporation)
3 s1018mdfl; C:\Windows\System32\Drivers\s1018mdfl.sys [19496 2009-03-25] (MCCI Corporation)
3 s1018mdm; C:\Windows\System32\Drivers\s1018mdm.sys [153128 2009-03-25] (MCCI Corporation)
3 s1018mgmt; C:\Windows\System32\Drivers\s1018mgmt.sys [133160 2009-03-25] (MCCI Corporation)
3 s1018nd5; C:\Windows\System32\Drivers\s1018nd5.sys [34856 2009-03-25] (MCCI Corporation)
3 s1018obex; C:\Windows\System32\Drivers\s1018obex.sys [128552 2009-03-25] (MCCI Corporation)
3 s1018unic; C:\Windows\System32\Drivers\s1018unic.sys [146472 2009-03-25] (MCCI Corporation)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-03-19] (Duplex Secure Ltd.)
3 TesSafe; \??\C:\Windows\system32\TesSafe.sys [163920 2011-08-15] (TENCENT)
3 dump_wmimmc; \??\C:\Program Files (x86)\softnyxGame\GunBoundIS\GameGuard\dump_wmimmc.sys [x]
3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [x]
3 NPPTNT2; \??\C:\Windows\system32\npptNT2.sys [x]
2 vcs; \??\C:\Users\FW56E\Desktop\yuyinbianshengqi\vcs.sys [x]
3 X6va005; \??\C:\Users\FW56E\AppData\Local\Temp\0058ABB.tmp [x]
3 X6va006; \??\C:\Users\FW56E\AppData\Local\Temp\00632C9.tmp [x]
3 X6va007; \??\C:\Users\FW56E\AppData\Local\Temp\0077EA0.tmp [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-04-10 18:39 - 2013-04-10 18:39 - 00000000 ____D C:\FRST
2013-04-10 17:31 - 2013-04-10 17:31 - 01466241 ____A (Farbar) C:\Users\FW56E\Downloads\FRST64.exe
2013-04-10 17:30 - 2013-04-10 17:30 - 00001615 ____A C:\Users\FW56E\Desktop\RKreport[1]_S_04102013_02d1830.txt
2013-04-10 17:28 - 2013-04-10 17:30 - 00000000 ____D C:\Users\FW56E\Desktop\RK_Quarantine
2013-04-10 17:27 - 2013-04-10 17:28 - 00816128 ____A C:\Users\FW56E\Desktop\RogueKiller.exe
2013-04-10 17:16 - 2013-04-10 17:16 - 04316280 ____A (Piriform Ltd) C:\Users\FW56E\Downloads\ccsetup400 (1).exe
2013-04-10 17:15 - 2013-04-10 17:15 - 00000000 ____D C:\_OTL
2013-04-10 17:12 - 2013-04-10 17:12 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
2013-04-10 17:12 - 2013-04-10 17:12 - 00000000 ____D C:\Program Files\CCleaner
2013-04-10 17:11 - 2013-04-10 17:11 - 04316280 ____A (Piriform Ltd) C:\Users\FW56E\Downloads\ccsetup400.exe
2013-04-10 16:56 - 2013-04-10 16:56 - 00019088 ____A C:\Users\FW56E\Downloads\report_1176f8ad43e3b58246d69f91a5af56197.txt
2013-04-10 16:47 - 2013-04-10 17:15 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-04-10 16:47 - 2013-04-10 16:47 - 00002137 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2013-04-10 16:47 - 2013-04-10 16:47 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-04-10 16:47 - 2009-01-25 11:14 - 00017272 ____A (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe
2013-04-10 16:46 - 2013-04-10 16:46 - 55454464 ____A (Safer-Networking Ltd. ) C:\Users\FW56E\Downloads\SpybotSD2.exe
2013-04-10 16:35 - 2013-04-10 16:38 - 00000000 ____D C:\Users\FW56E\Desktop\New folder
2013-04-10 16:35 - 2013-04-10 16:36 - 04745728 ____A (AVAST Software) C:\Users\FW56E\Downloads\aswMBR (1).exe
2013-04-10 16:32 - 2013-04-10 16:32 - 00209940 ____A C:\Users\FW56E\Downloads\Extras.Txt
2013-04-10 16:31 - 2013-04-10 16:31 - 00155232 ____A C:\Users\FW56E\Downloads\OTL.Txt
2013-04-10 16:29 - 2013-04-10 16:30 - 04745728 ____A (AVAST Software) C:\Users\FW56E\Downloads\aswMBR.exe
2013-04-10 16:11 - 2013-04-10 16:11 - 00602112 ____A (OldTimer Tools) C:\Users\FW56E\Downloads\OTL.exe
2013-04-10 15:21 - 2013-04-10 15:21 - 00000000 ____D C:\Users\FW56E\AppData\Roaming\Malwarebytes
2013-04-10 15:20 - 2013-04-10 15:20 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-04-10 15:20 - 2013-04-10 15:20 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-04-10 15:20 - 2013-04-10 15:20 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-04-10 15:20 - 2013-04-04 13:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-10 15:10 - 2013-04-08 17:32 - 02309169 ____A C:\Users\FW56E\Downloads\League of Legends RP Code Generator.exe
2013-04-10 15:09 - 2013-04-10 15:09 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\FW56E\Downloads\mbam-setup-1.75.0.1300 (2).exe
2013-04-10 15:08 - 2013-04-10 15:08 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\FW56E\Downloads\mbam-setup-1.75.0.1300.exe
2013-04-10 15:08 - 2013-04-10 15:08 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\FW56E\Downloads\mbam-setup-1.75.0.1300 (1).exe
2013-04-10 15:01 - 2013-04-10 15:01 - 00691848 ____A (CNET Download.com) C:\Users\FW56E\Downloads\cbsidlm-cbsi5_4_0_101-Absolute_Key_Logger_Removal_Tool-ORG-75447038.exe
2013-04-10 14:51 - 2013-04-10 14:52 - 01056489 ____A C:\Users\FW56E\Downloads\League of Legends RP Code Generator.rar
2013-04-10 12:37 - 2013-03-02 06:04 - 01655656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-10 12:30 - 2013-02-15 06:08 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-10 12:30 - 2013-02-15 06:06 - 03717632 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-10 12:30 - 2013-02-15 06:02 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-10 12:30 - 2013-02-15 04:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-04-10 12:30 - 2013-02-15 04:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-04-10 12:30 - 2013-02-15 03:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-04-10 12:23 - 2013-03-19 06:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-10 12:23 - 2013-03-19 05:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-10 12:23 - 2013-03-19 05:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-04-10 12:23 - 2013-03-19 05:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-04-10 12:23 - 2013-03-19 04:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-04-10 12:23 - 2013-03-19 03:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-10 12:16 - 2013-03-01 03:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-03-28 15:22 - 2012-11-07 17:55 - 00039680 ____A (360????) C:\Windows\System32\Drivers\360LanProtect.sys
2013-03-21 23:45 - 2013-03-21 23:45 - 00000000 ____D C:\Windows\SysWOW64\Adobe
2013-03-21 23:44 - 2013-03-21 23:44 - 07781072 ____A (Adobe Systems Inc.) C:\Users\FW56E\Downloads\Shockwave_Installer_Slim.exe
2013-03-21 23:44 - 2013-03-21 23:44 - 07781072 ____A (Adobe Systems Inc.) C:\Users\FW56E\Downloads\Shockwave_Installer_Slim (1).exe
2013-03-19 16:54 - 2013-03-19 16:54 - 54085656 ____A (Blizzard Entertainment) C:\Users\FW56E\Downloads\StarCraft-II-Setup-enUS.exe
2013-03-14 02:22 - 2013-03-14 02:23 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-03-14 02:22 - 2013-03-14 02:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-03-13 18:05 - 2013-03-13 18:05 - 00000000 ____D C:\Users\FW56E\AppData\Roaming\Civitas2
2013-03-13 18:03 - 2013-03-13 18:03 - 00001338 ____A C:\Users\Public\Desktop\Imperium Romanum - Gold Edition.lnk
2013-03-13 18:02 - 2013-03-13 18:05 - 00000000 ____D C:\Program Files (x86)\Kalypso Media
2013-03-13 14:23 - 2013-02-12 04:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-03-13 14:06 - 2013-02-28 13:57 - 02458112 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-03-13 14:06 - 2013-02-28 13:57 - 01493504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-03-13 14:06 - 2013-02-28 13:57 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-03-13 14:06 - 2013-02-28 13:57 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-03-13 14:06 - 2013-02-28 13:57 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-03-13 14:06 - 2013-02-28 13:57 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-03-13 14:06 - 2013-02-28 13:57 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-03-13 14:06 - 2013-02-28 13:57 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-03-13 14:06 - 2013-02-28 13:37 - 06032384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-03-13 14:06 - 2013-02-28 13:37 - 02078208 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-03-13 14:06 - 2013-02-28 13:37 - 01231872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-03-13 14:06 - 2013-02-28 13:37 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-03-13 14:06 - 2013-02-28 13:37 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-03-13 14:06 - 2013-02-28 13:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-03-13 14:06 - 2013-02-28 13:37 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-03-13 14:06 - 2013-02-28 13:37 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-03-13 14:06 - 2013-02-28 13:37 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-03-13 14:06 - 2013-02-28 12:03 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-03-13 14:06 - 2013-02-28 11:38 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-03-13 14:05 - 2013-02-28 13:57 - 12296192 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-03-13 14:05 - 2013-02-28 13:57 - 09061376 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-03-13 14:05 - 2013-02-28 13:37 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

==================== One Month Modified Files and Folders =======

2013-04-10 17:35 - 2010-03-15 19:25 - 00000437 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2013-04-10 17:35 - 2009-11-01 00:50 - 04614682 ____A C:\Windows\PFRO.log
2013-04-10 17:35 - 2009-07-14 05:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-10 17:35 - 2009-07-14 04:51 - 00205735 ____A C:\Windows\setupact.log
2013-04-10 17:34 - 2013-02-27 15:11 - 00000000 ____D C:\Users\FW56E\AppData\Local\PMB Files
2013-04-10 17:34 - 2009-11-01 00:10 - 01494125 ____A C:\Windows\WindowsUpdate.log
2013-04-10 17:33 - 2009-07-14 05:13 - 00797450 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-10 17:31 - 2013-04-10 17:31 - 01466241 ____A (Farbar) C:\Users\FW56E\Downloads\FRST64.exe
2013-04-10 17:30 - 2013-04-10 17:30 - 00001615 ____A C:\Users\FW56E\Desktop\RKreport[1]_S_04102013_02d1830.txt
2013-04-10 17:30 - 2013-04-10 17:28 - 00000000 ____D C:\Users\FW56E\Desktop\RK_Quarantine
2013-04-10 17:29 - 2010-04-22 21:47 - 00000000 ____D C:\Users\FW56E\AppData\Roaming\360Safe
2013-04-10 17:28 - 2013-04-10 17:27 - 00816128 ____A C:\Users\FW56E\Desktop\RogueKiller.exe
2013-04-10 17:26 - 2009-07-14 04:45 - 00010096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-10 17:26 - 2009-07-14 04:45 - 00010096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-10 17:16 - 2013-04-10 17:16 - 04316280 ____A (Piriform Ltd) C:\Users\FW56E\Downloads\ccsetup400 (1).exe
2013-04-10 17:15 - 2013-04-10 17:15 - 00000000 ____D C:\_OTL
2013-04-10 17:15 - 2013-04-10 16:47 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-04-10 17:12 - 2013-04-10 17:12 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
2013-04-10 17:12 - 2013-04-10 17:12 - 00000000 ____D C:\Program Files\CCleaner
2013-04-10 17:11 - 2013-04-10 17:11 - 04316280 ____A (Piriform Ltd) C:\Users\FW56E\Downloads\ccsetup400.exe
2013-04-10 16:56 - 2013-04-10 16:56 - 00019088 ____A C:\Users\FW56E\Downloads\report_1176f8ad43e3b58246d69f91a5af56197.txt
2013-04-10 16:47 - 2013-04-10 16:47 - 00002137 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2013-04-10 16:47 - 2013-04-10 16:47 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-04-10 16:46 - 2013-04-10 16:46 - 55454464 ____A (Safer-Networking Ltd. ) C:\Users\FW56E\Downloads\SpybotSD2.exe
2013-04-10 16:38 - 2013-04-10 16:35 - 00000000 ____D C:\Users\FW56E\Desktop\New folder
2013-04-10 16:36 - 2013-04-10 16:35 - 04745728 ____A (AVAST Software) C:\Users\FW56E\Downloads\aswMBR (1).exe
2013-04-10 16:32 - 2013-04-10 16:32 - 00209940 ____A C:\Users\FW56E\Downloads\Extras.Txt
2013-04-10 16:31 - 2013-04-10 16:31 - 00155232 ____A C:\Users\FW56E\Downloads\OTL.Txt
2013-04-10 16:30 - 2013-04-10 16:29 - 04745728 ____A (AVAST Software) C:\Users\FW56E\Downloads\aswMBR.exe
2013-04-10 16:13 - 2010-08-31 14:52 - 00002133 ____A C:\Users\FW56E\Desktop\360????.lnk
2013-04-10 16:11 - 2013-04-10 16:11 - 00602112 ____A (OldTimer Tools) C:\Users\FW56E\Downloads\OTL.exe
2013-04-10 15:21 - 2013-04-10 15:21 - 00000000 ____D C:\Users\FW56E\AppData\Roaming\Malwarebytes
2013-04-10 15:20 - 2013-04-10 15:20 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-04-10 15:20 - 2013-04-10 15:20 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-04-10 15:20 - 2013-04-10 15:20 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-04-10 15:09 - 2013-04-10 15:09 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\FW56E\Downloads\mbam-setup-1.75.0.1300 (2).exe
2013-04-10 15:08 - 2013-04-10 15:08 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\FW56E\Downloads\mbam-setup-1.75.0.1300.exe
2013-04-10 15:08 - 2013-04-10 15:08 - 10285040 ____A (Malwarebytes Corporation ) C:\Users\FW56E\Downloads\mbam-setup-1.75.0.1300 (1).exe
2013-04-10 15:01 - 2013-04-10 15:01 - 00691848 ____A (CNET Download.com) C:\Users\FW56E\Downloads\cbsidlm-cbsi5_4_0_101-Absolute_Key_Logger_Removal_Tool-ORG-75447038.exe
2013-04-10 14:58 - 2012-10-14 13:43 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-04-10 14:58 - 2009-07-14 04:45 - 00496728 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-10 14:55 - 2010-01-04 15:36 - 00000000 ____D C:\Users\FW56E\AppData\Roaming\Skype
2013-04-10 14:52 - 2013-04-10 14:51 - 01056489 ____A C:\Users\FW56E\Downloads\League of Legends RP Code Generator.rar
2013-04-10 12:38 - 2012-04-01 17:54 - 00691592 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-04-10 12:38 - 2011-05-18 08:58 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-04-10 03:29 - 2012-08-13 10:39 - 00000000 ____D C:\ProgramData\QvodPlayer
2013-04-09 23:44 - 2011-11-15 17:02 - 00000000 ____D C:\Media
2013-04-09 17:58 - 2011-09-12 15:42 - 00000000 ____D C:\Users\FW56E\Documents\Outlook Files
2013-04-09 06:20 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\tracing
2013-04-08 19:59 - 2010-02-13 12:08 - 00000000 ____D C:\Users\FW56E\Documents\Tencent Files
2013-04-08 17:32 - 2013-04-10 15:10 - 02309169 ____A C:\Users\FW56E\Downloads\League of Legends RP Code Generator.exe
2013-04-07 21:47 - 2011-09-22 12:24 - 00000000 ____D C:\Program Files (x86)\StarCraft II
2013-04-07 20:35 - 2013-02-25 17:20 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-04-07 20:35 - 2009-11-01 00:38 - 00000000 ____D C:\ProgramData\Skype
2013-04-05 14:09 - 2010-02-08 23:51 - 00000000 ____D C:\ppsvodcache
2013-04-05 14:07 - 2010-04-20 19:32 - 00000000 ____D C:\Users\FW56E\AppData\Roaming\PPStream
2013-04-04 13:50 - 2013-04-10 15:20 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-02 12:16 - 2011-02-25 11:51 - 00236248 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKE64.sys
2013-04-01 23:44 - 2012-01-06 18:40 - 00000000 ____D C:\Users\FW56E\AppData\Roaming\KuGou7
2013-04-01 18:25 - 2010-06-09 20:15 - 00001076 ____A C:\Users\Public\Desktop\QQ??.lnk
2013-03-29 14:28 - 2010-02-13 12:08 - 00000000 ____D C:\Users\FW56E\AppData\Roaming\Tencent
2013-03-29 14:26 - 2010-04-30 14:13 - 00000000 ____D C:\Windows\Tasks\360Disabled
2013-03-29 00:24 - 2012-04-09 21:57 - 00000000 ____D C:\Users\FW56E\AppData\Roaming\360mobilemgr
2013-03-21 23:45 - 2013-03-21 23:45 - 00000000 ____D C:\Windows\SysWOW64\Adobe
2013-03-21 23:44 - 2013-03-21 23:44 - 07781072 ____A (Adobe Systems Inc.) C:\Users\FW56E\Downloads\Shockwave_Installer_Slim.exe
2013-03-21 23:44 - 2013-03-21 23:44 - 07781072 ____A (Adobe Systems Inc.) C:\Users\FW56E\Downloads\Shockwave_Installer_Slim (1).exe
2013-03-19 20:01 - 2011-09-22 12:24 - 00000000 ____D C:\Users\FW56E\Documents\StarCraft II
2013-03-19 19:40 - 2011-09-22 12:24 - 00001057 ____A C:\Users\Public\Desktop\StarCraft II.lnk
2013-03-19 16:54 - 2013-03-19 16:54 - 54085656 ____A (Blizzard Entertainment) C:\Users\FW56E\Downloads\StarCraft-II-Setup-enUS.exe
2013-03-19 06:04 - 2013-04-10 12:23 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:46 - 2013-04-10 12:23 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-03-19 05:04 - 2013-04-10 12:23 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-03-19 05:04 - 2013-04-10 12:23 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-03-19 04:47 - 2013-04-10 12:23 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-03-19 03:06 - 2013-04-10 12:23 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-03-16 20:25 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\System32\NDF
2013-03-16 20:21 - 2012-10-09 18:06 - 00000000 ____D C:\Program Files (x86)\RaidCall
2013-03-14 03:09 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\rescache
2013-03-14 02:25 - 2010-02-08 23:20 - 72013344 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-03-14 02:25 - 2009-11-01 00:30 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-03-14 02:23 - 2013-03-14 02:22 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-03-14 02:23 - 2013-03-14 02:22 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-03-13 18:05 - 2013-03-13 18:05 - 00000000 ____D C:\Users\FW56E\AppData\Roaming\Civitas2
2013-03-13 18:05 - 2013-03-13 18:02 - 00000000 ____D C:\Program Files (x86)\Kalypso Media
2013-03-13 18:03 - 2013-03-13 18:03 - 00001338 ____A C:\Users\Public\Desktop\Imperium Romanum - Gold Edition.lnk
2013-03-13 18:00 - 2011-11-24 00:00 - 00002185 ____A C:\Users\FW56E\Desktop\??7.lnk
2013-03-13 18:00 - 2010-04-28 03:47 - 00000000 ___SD C:\kankan
2013-03-13 17:27 - 2010-12-02 19:45 - 00000000 ____D C:\TDDOWNLOAD
2013-03-12 00:10 - 2010-03-23 20:33 - 00282744 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-29 12:07:10
Restore point made on: 2013-03-29 12:12:10
Restore point made on: 2013-04-02 15:49:11
Restore point made on: 2013-04-03 10:35:31
Restore point made on: 2013-04-09 13:51:53
Restore point made on: 2013-04-10 12:03:20
Restore point made on: 2013-04-10 12:15:53
Restore point made on: 2013-04-10 12:22:55
Restore point made on: 2013-04-10 12:29:58
Restore point made on: 2013-04-10 12:37:33

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 4063.02 MB
Available physical RAM: 3405.9 MB
Total Pagefile: 4061.17 MB
Available Pagefile: 3393.76 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:454.49 GB) (Free:76.29 GB) NTFS
2 Drive e: (Recovery) (Fixed) (Total:11.17 GB) (Free:0.82 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: () (Removable) (Total:1.91 GB) (Free:1.17 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 1959 MB 0 B

Partitions of Disk 0:
===============

Disk ID: 239B2184

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 11 GB 1024 KB
Partition 2 Primary 100 MB 11 GB
Partition 3 Primary 454 GB 11 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 11 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 454 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1959 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT Removable 1959 MB Healthy

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 239B2184

Partition 1:
=========
Hex: 0020210027FEFFFF0008000000706501
Active: NO
Type: 27
Size: 11 GB

Partition 2:
=========
Hex: 80FEFFFF07FEFFFF0078650100200300
Active: YES
Type: 07 (NTFS)
Size: 100 MB

Partition 3:
=========
Hex: 00FEFFFF07FEFFFF0098680130C0CF38
Active: NO
Type: 07 (NTFS)
Size: 454 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition 1:
=========
Hex: 800101000E0FFF8C3F000000523E3D00
Active: YES
Type: 0E
Size: 2 GB


Last Boot: 2013-04-06 01:16

==================== End Of Log =============================
 

Fiery

Level 1
Jan 11, 2011
2,007
Hello :)

Here is a good summary of what a backdoor infection is: http://www.geekstogo.com/190/what-is-a-backdoor-trojan/

Regarding the OTL fix, I don't think you copied the entire script. Please do so again.

STEP 1:
Open OTL. Under custom scan/fixes, copy and paste the following:


:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D98D3097-8A4D-4F1A-947B-C59AD700C145}: DhcpNameServer = 8.8.8.8
[2011/08/14 19:01:33 | 000,000,256 | ---- | C] () -- C:\Users\FW56E\AppData\Roaming\090024D6292A4E
[2010/04/30 01:46:49 | 000,005,009 | ---- | C] () -- C:\ProgramData\tbuxfygh.lbm
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:8CEFE51A
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:CE2C623F

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

STEP 2
Next, we will use FRST to remove some drivers.

Open notepad and copy & paste the following:

3 X6va005; \??\C:\Users\FW56E\AppData\Local\Temp\0058ABB.tmp [x]
3 X6va006; \??\C:\Users\FW56E\AppData\Local\Temp\00632C9.tmp [x]
3 X6va007; \??\C:\Users\FW56E\AppData\Local\Temp\0077EA0.tmp [x]
2013-04-10 15:10 - 2013-04-08 17:32 - 02309169 ____A C:\Users\FW56E\Downloads\League of Legends RP Code Generator.exe
2013-04-10 14:51 - 2013-04-10 14:52 - 01056489 ____A C:\Users\FW56E\Downloads\League of Legends RP Code Generator.rar
C:\Users\FW56E\AppData\Local\Temp\0077EA0.tmp
C:\Users\FW56E\AppData\Local\Temp\00632C9.tmp
C:\Users\FW56E\AppData\Local\Temp\0058ABB.tmp

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

STEP 3
Please download ComboFix from one of these locations:

Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.infospyware.net/antimalware/combofix/

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See http://www.bleepingcomputer.com/forums/topic114351.html for help.
  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Image: http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: http://img.photobucket.com/albums/v706/ried7/whatnext.png]
Click on Yes to continue scanning for malware.

When finished, ComboFix will produce a log; please post it in your next reply.

Note:
1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 
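The Step 2 fixlist above is built by hand from two kinds of FRST lines: driver entries ("3 X6va005; \??\C:\...\Temp\0058ABB.tmp [x]") and one-month file entries ("2013-04-10 15:10 - 2013-04-08 17:32 - 02309169 ____A C:\...exe"). As an added example (not code from this thread or from Farbar's tool), the script below parses both formats, flags the same indicators the helper acted on (driver images under a Temp directory or missing on disk, executables with no publisher info in user-writable locations), and lays the hits out in the order the Step 2 fixlist uses. The sample lines are copied from the logs in this thread except for the volsnap line, which is constructed; the flagging rules and the "\??\" prefix handling are this example's own assumptions.

```python
"""Triage helper for FRST log lines (added example; not part of FRST or this thread)."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: six lines copied from the FRST output posted in this thread,
# plus one constructed benign driver entry (volsnap) for contrast.
SAMPLE_LINES = [
    r"3 X6va005; \??\C:\Users\FW56E\AppData\Local\Temp\0058ABB.tmp [x]",
    r"3 X6va006; \??\C:\Users\FW56E\AppData\Local\Temp\00632C9.tmp [x]",
    r"2013-04-10 15:10 - 2013-04-08 17:32 - 02309169 ____A C:\Users\FW56E\Downloads\League of Legends RP Code Generator.exe",
    r"2013-04-10 14:51 - 2013-04-10 14:52 - 01056489 ____A C:\Users\FW56E\Downloads\League of Legends RP Code Generator.rar",
    r"2013-04-02 12:16 - 2011-02-25 11:51 - 00236248 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKE64.sys",
    r"1 volsnap; C:\Windows\System32\Drivers\volsnap.sys [295424 2010-11-20] (Microsoft Corporation)",  # constructed
    r"2013-03-19 16:54 - 2013-03-19 16:54 - 54085656 ____A (Blizzard Entertainment) C:\Users\FW56E\Downloads\StarCraft-II-Setup-enUS.exe",
]

# Driver/service entry: "<start type> <name>; <image path> [<size date> | x] (<company>)"
SERVICE_RE = re.compile(
    r"^(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?(?:\s+\((?P<company>[^)]*)\))?\s*$"
)
# One-month file entry: "<modified> - <created> - <size> <attrs> (<company>) <path>"
FILE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".bat", ".com", ".pif"}
# Locations a standard user can write to; a real driver rarely lives here.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


@dataclass
class Finding:
    kind: str            # "service" or "file"
    name: str            # service name, or file name for file entries
    path: str            # normalised Win32 path
    raw: str             # the original FRST line, reusable in a fixlist
    reasons: List[str] = field(default_factory=list)


def _strip_nt_prefix(path: str) -> str:
    # FRST prints kernel-style "\??\C:\..." paths for some driver images.
    return path[4:] if path.startswith("\\??\\") else path


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when the line matches a suspicious pattern, else None."""
    m = SERVICE_RE.match(line)
    if m:
        path = _strip_nt_prefix(m.group("path"))
        f = Finding("service", m.group("name"), path, line)
        if "\\temp\\" in path.lower():
            f.reasons.append("image path is under a Temp directory")
        if m.group("meta") == "x":          # FRST marks a missing file with [x]
            f.reasons.append("driver file not found on disk ([x])")
        return f if f.reasons else None

    m = FILE_RE.match(line)
    if m:
        if "D" in m.group("attrs"):         # directory entry, nothing to check
            return None
        path = m.group("path")
        ext = ntpath.splitext(path)[1].lower()
        f = Finding("file", ntpath.basename(path), path, line)
        if (ext in EXEC_EXT and m.group("company") is None
                and any(seg in path.lower() for seg in USER_WRITABLE)):
            f.reasons.append("executable without publisher info in a user-writable location")
        return f if f.reasons else None
    return None


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in (triage_line(l) for l in lines) if f is not None]


def build_fixlist(findings: List[Finding]) -> List[str]:
    """Mirror the Step 2 layout: the original FRST lines first, then a bare
    path per driver image so the file is removed after its service entry."""
    out = [f.raw for f in findings]
    out += [f.path for f in findings if f.kind == "service"]
    return out


if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for f in hits:
        print(f"{f.kind:7} {f.name}: {'; '.join(f.reasons)}")
    print("\n".join(build_fixlist(hits)))
```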

holaboo

New Member
Thread author
Apr 10, 2013
12
Thanks Fiery, I've run the OTL again and here's the new log. It seems to have worked this time.

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D98D3097-8A4D-4F1A-947B-C59AD700C145}\\DhcpNameServer| /E : value set successfully!
File C:\Users\FW56E\AppData\Roaming\090024D6292A4E not found.
File C:\ProgramData\tbuxfygh.lbm not found.
Unable to delete ADS C:\ProgramData\TEMP:8CEFE51A .
Unable to delete ADS C:\ProgramData\TEMP:CE2C623F .
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\FW56E\Downloads\cmd.bat deleted successfully.
C:\Users\FW56E\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: FW56E
->Temp folder emptied: 19116657 bytes
->Temporary Internet Files folder emptied: 2593144 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 15435687 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 219531 bytes

User: postgres
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1686 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 107147 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 36.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 04112013_010921

Files\Folders moved on Reboot...
C:\Users\FW56E\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

holaboo

New Member
Thread author
Apr 10, 2013
12
Farbar Log:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-04-11 01:22:50 Run:1
Running from G:\

==============================================

X6va005 service deleted successfully.
X6va006 service deleted successfully.
X6va007 service deleted successfully.
C:\Users\FW56E\Downloads\League of Legends RP Code Generator.exe moved successfully.
C:\Users\FW56E\Downloads\League of Legends RP Code Generator.rar moved successfully.
C:\Users\FW56E\AppData\Local\Temp\0077EA0.tmp not found.
C:\Users\FW56E\AppData\Local\Temp\00632C9.tmp not found.
C:\Users\FW56E\AppData\Local\Temp\0058ABB.tmp not found.

==== End of Fixlog ====
 

holaboo

New Member
Thread author
Apr 10, 2013
12
So I ran ComboFix and after the log was created, I HAD THE LIVING CRAP SCARED OUT OF ME! Nothing would run, it kept giving me an error message saying that the registry was marked for deletion... I then realised I had a pending Windows update so I shut down my computer and then restarted it and everything was ok! PHEW

Anyways, here is the log, sorry about the Chinese characters, I have my computer set in Chinese Unicode.

ComboFix 13-04-10.02 - FW56E 11/04/2013 1:32.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.936.86.1033.18.4063.2111 [GMT 1:00]
执行位置: c:\users\FW56E\Downloads\ComboFix.exe
AV: 360杀毒 *Disabled/Outdated* {A0FD413B-F662-C08C-7B21-F57CED225A55}
SP: 360安全卫士 *Disabled/Updated* {1B9CA0DF-D058-CF02-4191-CE0E96A510E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\360Downloads
c:\360downloads\FunshionInstall_2.4.5.23.exe
c:\360downloads\ppstream_2.7.0.1345.exe
c:\360downloads\Tom-Skype_4.2.4.67.exe
C:\360Rec
c:\360rec\20100630\23016EF.vir
c:\360rec\20100630\2301700.vir
C:\CFLog
c:\favoritevideo\InvisibleFolder
c:\program files (x86)\Common Files\Tencent\Paycenter
c:\program files (x86)\Common Files\Tencent\Paycenter\qqcert.dll
c:\program files (x86)\Common Files\Tencent\Paycenter\qqedit.dll
c:\programdata\hpe4D4B.dll
c:\programdata\Microsoft\Windows\Start Menu\27代理.lnk
c:\programdata\Roaming
c:\users\Default\AppData\Roaming\SogouExplorer
c:\users\Default\AppData\Roaming\SogouExplorer\Bin\flash_wk.dll
c:\users\Default\AppData\Roaming\SogouExplorer\Bin\malurl.dat
c:\users\Default\AppData\Roaming\SogouExplorer\datapack1
c:\users\Default\AppData\Roaming\SogouExplorer\datapack2
c:\users\Default\AppData\Roaming\SogouExplorer\datapack3
c:\users\Default\AppData\Roaming\SogouExplorer\MetaSearch\metasearchupdate1
c:\users\Default\AppData\Roaming\SogouExplorer\MetaSearch\metasearchupdate2
c:\users\Default\AppData\Roaming\SogouExplorer\script.dat
c:\users\Default\AppData\Roaming\SogouExplorer\urlblack.dat
c:\users\FW56E\ace_uninstaller.exe
c:\users\FW56E\AppData\Local\assembly\tmp
c:\users\FW56E\AppData\Roaming\.#
c:\users\FW56E\AppData\Roaming\.#\MBX@1624@6B2740.###
c:\users\FW56E\AppData\Roaming\.#\MBX@1624@6B2770.###
c:\users\FW56E\AppData\Roaming\000024BE3EAF73
c:\users\FW56E\AppData\Roaming\360SE
c:\users\FW56E\AppData\Roaming\360SE\360se.ini
c:\users\FW56E\AppData\Roaming\360SE\360seie6.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\1000\1000.png
c:\users\FW56E\AppData\Roaming\360SE\apps\1000\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\1000\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\100000747\100000747.png
c:\users\FW56E\AppData\Roaming\360SE\apps\100000747\config.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\100000747\logo.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\100000747\logo.png
c:\users\FW56E\AppData\Roaming\360SE\apps\1018\1018.png
c:\users\FW56E\AppData\Roaming\360SE\apps\1018\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\1018\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\1018\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\1018\BankHelper.exe
c:\users\FW56E\AppData\Roaming\360SE\apps\1018\banklist.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\1018\BankMode.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\1018\tip.png
c:\users\FW56E\AppData\Roaming\360SE\apps\102028944\102028944.png
c:\users\FW56E\AppData\Roaming\360SE\apps\102028944\config.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\102028944\logo.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\102028944\logo.png
c:\users\FW56E\AppData\Roaming\360SE\apps\102043400\102043400.png
c:\users\FW56E\AppData\Roaming\360SE\apps\102043400\config.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\102043400\logo.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\102043400\logo.png
c:\users\FW56E\AppData\Roaming\360SE\apps\2000\2000.png
c:\users\FW56E\AppData\Roaming\360SE\apps\2000\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\2000\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\2000\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\2001\2001.png
c:\users\FW56E\AppData\Roaming\360SE\apps\2001\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\2001\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\2001\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\2011\2011.png
c:\users\FW56E\AppData\Roaming\360SE\apps\2011\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\2011\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\2011\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\2022\2022.png
c:\users\FW56E\AppData\Roaming\360SE\apps\2022\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\2022\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\2022\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\2091\2091.png
c:\users\FW56E\AppData\Roaming\360SE\apps\2091\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\2091\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\2091\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\Appslocal.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\AppsLocal.ver
c:\users\FW56E\AppData\Roaming\360SE\apps\AppsServer.ver
c:\users\FW56E\AppData\Roaming\360SE\apps\AppStat.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\baoku\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\baoku\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\baoku\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\baoku\baoku.png
c:\users\FW56E\AppData\Roaming\360SE\apps\config.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\context.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\default.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\Default.ver
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtFeedWeibo\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtFeedWeibo\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtFeedWeibo\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtFeedWeibo\ExtFeedWeibo.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtFeedWeibo\sidelogo.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtILike\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtILike\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtILike\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtILike\ExtILike.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtILike\ExtILike.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtILike\loginbanner.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtShare\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtShare\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtShare\ExtShare.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtSmartWiz\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtSmartWiz\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtSmartWiz\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtSmartWiz\ExtSmartWiz.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtSmartWiz\ExtSmartWiz.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtTgj\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtTgj\ExtTgj.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtTgj\ExtTgj.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtTgj\sidelogo.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtTuan\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtTuan\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtTuan\ExtTuan.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtWebmail\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtWebmail\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtWebmail\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtWebmail\ExtWebMail.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtWebmail\sidelogo.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtYouxi\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtYouxi\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtYouxi\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtYouxi\ExtYouxi.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtYouxi\Extyouxi.dll.tmp
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtYouxi\ExtYouxi.png
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtYouxi\GameCenter.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\ExtYouxi\sqlite3.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\LoginAssis\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\LoginAssis\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\LoginAssis\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\LoginAssis\LoginAssis.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\LoginAssis\LoginAssis.png
c:\users\FW56E\AppData\Roaming\360SE\apps\maidongxi\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\maidongxi\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\maidongxi\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\maidongxi\maidongxi.png
c:\users\FW56E\AppData\Roaming\360SE\apps\NotifyDown.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\recmd.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\Recmd2.dll
c:\users\FW56E\AppData\Roaming\360SE\apps\recmdinfo.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\root.ver
c:\users\FW56E\AppData\Roaming\360SE\apps\SEWebAppPlat.exe
c:\users\FW56E\AppData\Roaming\360SE\apps\shipin\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\shipin\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\shipin\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\shipin\shipin.png
c:\users\FW56E\AppData\Roaming\360SE\apps\Sidebar.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\Sidebar.ver
c:\users\FW56E\AppData\Roaming\360SE\apps\SnapPlugin\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\SnapPlugin\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\SnapPlugin\SnapPlugin.png
c:\users\FW56E\AppData\Roaming\360SE\apps\TranslatorPlugin\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\TranslatorPlugin\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\TranslatorPlugin\TranslatorPlugin.png
c:\users\FW56E\AppData\Roaming\360SE\apps\UseAppStat.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\wanyouxi\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\wanyouxi\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\wanyouxi\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\wanyouxi\wanyouxi.png
c:\users\FW56E\AppData\Roaming\360SE\apps\xiaoshuo\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\xiaoshuo\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\xiaoshuo\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\xiaoshuo\xiaoshuo.png
c:\users\FW56E\AppData\Roaming\360SE\apps\xinwen\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\xinwen\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\xinwen\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\xinwen\xinwen.png
c:\users\FW56E\AppData\Roaming\360SE\apps\yinyue\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\yinyue\app.ini
c:\users\FW56E\AppData\Roaming\360SE\apps\yinyue\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\yinyue\yinyue.png
c:\users\FW56E\AppData\Roaming\360SE\apps\Youxi\app.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\Youxi\app24.ico
c:\users\FW56E\AppData\Roaming\360SE\apps\Youxi\Youxi.png
c:\users\FW56E\AppData\Roaming\360SE\bin\360DL.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\360live.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\360SE.exe
c:\users\FW56E\AppData\Roaming\360SE\bin\360seAxHost.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\360start.exe
c:\users\FW56E\AppData\Roaming\360SE\bin\adfilter.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\cloudurls.dat
c:\users\FW56E\AppData\Roaming\360SE\bin\Doctor.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\download.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\ExtNetIncrement.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\ExtThumb.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\Favorites\ExtDataIO.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\Favorites\Favorites.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\GreenActivex.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\LoginEnrol\360Login.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\LoginEnrol\360NetUL.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\LoginEnrol\Login.cfg
c:\users\FW56E\AppData\Roaming\360SE\bin\LoginEnrol\LoginEnrol.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\LoginEnrol\oauthlogin.exe
c:\users\FW56E\AppData\Roaming\360SE\bin\Pages\NewTab.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\Pages\newTab2.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\Pages\pages.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\pluginbar.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\SafeCentral\SafeAddressRes.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\SafeCentral\SafeCentral.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\SafeCentral\SiteVerifier.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\SafeCentral\urllibauth.dat
c:\users\FW56E\AppData\Roaming\360SE\bin\SafeCentral\urlproc.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\SafeCentral\urlproc.exe
c:\users\FW56E\AppData\Roaming\360SE\bin\SafeCentral\urlprocnet.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\SafeCentral\wdui2.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\safelive.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\sesvc.exe
c:\users\FW56E\AppData\Roaming\360SE\bin\SeUp.exe
c:\users\FW56E\AppData\Roaming\360SE\bin\Skin\4.1default.srx
c:\users\FW56E\AppData\Roaming\360SE\bin\Skin\IE6Default.zip
c:\users\FW56E\AppData\Roaming\360SE\bin\sqlite3.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\statistic.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\suggest.dll
c:\users\FW56E\AppData\Roaming\360SE\bin\UnInst360SE.exe
c:\users\FW56E\AppData\Roaming\360SE\bin\updateMsg.ini
c:\users\FW56E\AppData\Roaming\360SE\bin\urlquery.dll
c:\users\FW56E\AppData\Roaming\360SE\data\360sefav.db
c:\users\FW56E\AppData\Roaming\360SE\data\360uyx.db
c:\users\FW56E\AppData\Roaming\360SE\data\adcache\400fc4e9321548cf2ba107fccd9c0271.cfg
c:\users\FW56E\AppData\Roaming\360SE\data\adcache\e645524da7f88f922bda635e263a710e.cfg
c:\users\FW56E\AppData\Roaming\360SE\data\Adfilter.dat
c:\users\FW56E\AppData\Roaming\360SE\data\adfilter.ini
c:\users\FW56E\AppData\Roaming\360SE\data\DailyBackup\360sefav_2012_10_16.favdb
c:\users\FW56E\AppData\Roaming\360SE\data\defsku.dll
c:\users\FW56E\AppData\Roaming\360SE\data\FaceIcon_Bits.dat
c:\users\FW56E\AppData\Roaming\360SE\data\FavouriteBar_Bits.dat
c:\users\FW56E\AppData\Roaming\360SE\data\gameurls.dat
c:\users\FW56E\AppData\Roaming\360SE\data\guardconfig.ini
c:\users\FW56E\AppData\Roaming\360SE\data\ico\6f83c9cd9c7e1ffee373d209b9643812.svp
c:\users\FW56E\AppData\Roaming\360SE\data\ico\anime-media.com.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\avc.360.cn.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\bbs.lol.131.com.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\cn.bing.com.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\config.ini
c:\users\FW56E\AppData\Roaming\360SE\data\ico\cz.360.cn.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\db.gamefaqs.com.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\ddt.wan.360.cn.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\dgcs.wan.360.cn.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\dh.wan.360.cn.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\euw.leagueoflegends.com.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\euw.leagueoflegends.com.ico.koal
c:\users\FW56E\AppData\Roaming\360SE\data\ico\exchange.cherrycredits.com.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\farm.wan.360.cn.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\hao.360.cn.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\hero.wan.360.cn.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\imgcache.qq.com.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\jobseekers.direct.gov.uk.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\mcsd.wan.360.cn.ico
c:\users\FW56E\AppData\Roaming\360SE\data\ico\me.360.cn.ico
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_mediacdn.disqus.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_soundcloud.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_telegraphuk.disqus.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_web.im.baidu.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_weibo.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_wpi.renren.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.avirtualexit.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.bing.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.bloomberg.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.brainyquote.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.google.co.uk_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.groupon.co.uk_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.kongregate.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.lastminute.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.mediafire.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.meebo.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.mobafire.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.sport.co.uk_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.weibo.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.wowwiki.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\http_www.youtube.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\https_cim.meebo.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\https_clients6.google.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\https_secure.shared.live.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\https_static.olark.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Local Storage\https_www.meebo.com_0.localstorage
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\Patches
c:\users\FW56E\AppData\Roaming\SogouExplorer\Webkit\VisitedLinks
c:\users\FW56E\AppData\Roaming\SogouExplorer\whitelist.db
c:\users\postgres\AppData\Roaming\SogouExplorer
c:\users\postgres\AppData\Roaming\SogouExplorer\Bin\flash_wk.dll
c:\users\postgres\AppData\Roaming\SogouExplorer\Bin\malurl.dat
c:\users\postgres\AppData\Roaming\SogouExplorer\datapack1
c:\users\postgres\AppData\Roaming\SogouExplorer\datapack2
c:\users\postgres\AppData\Roaming\SogouExplorer\datapack3
c:\users\postgres\AppData\Roaming\SogouExplorer\MetaSearch\metasearchupdate1
c:\users\postgres\AppData\Roaming\SogouExplorer\MetaSearch\metasearchupdate2
c:\users\postgres\AppData\Roaming\SogouExplorer\script.dat
c:\users\postgres\AppData\Roaming\SogouExplorer\urlblack.dat
c:\windows\Downloaded Program Files\Install.inf
c:\windows\iun6002.exe
c:\windows\patch
c:\windows\patch\update.exe
c:\windows\PFRO.log
c:\windows\SysWow64\orange-install.ico
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\WanPacket.dll
c:\windows\SysWow64\wpcap.dll
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Legacy_TESSAFE
-------\Service_NPF
-------\Service_TesSafe
-------\Service_vcs
.
.
((((((((((((((((((((((((( New files from 2013-03-11 to 2013-04-11 )))))))))))))))))))))))))))))))
.
.
2013-04-11 00:55 . 2013-04-11 00:55 -------- d-----w- C:\360Rec
2013-04-10 18:39 . 2013-04-10 18:39 -------- d-----w- C:\FRST
2013-04-10 17:15 . 2013-04-10 17:15 -------- d-----w- C:\_OTL
2013-04-10 17:12 . 2013-04-10 17:12 -------- d-----w- c:\program files\CCleaner
2013-04-10 16:47 . 2013-04-10 17:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-04-10 15:21 . 2013-04-10 15:21 -------- d-----w- c:\users\FW56E\AppData\Roaming\Malwarebytes
2013-04-10 15:20 . 2013-04-10 15:20 -------- d-----w- c:\programdata\Malwarebytes
2013-04-10 15:20 . 2013-04-04 13:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-10 15:20 . 2013-04-10 15:20 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-04-10 12:37 . 2013-03-02 06:04 1655656 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 12:30 . 2013-02-15 06:08 44032 ----a-w- c:\windows\system32\tsgqec.dll
2013-04-10 12:30 . 2013-02-15 06:02 158720 ----a-w- c:\windows\system32\aaclient.dll
2013-04-10 12:30 . 2013-02-15 04:34 131584 ----a-w- c:\windows\SysWow64\aaclient.dll
2013-04-10 12:30 . 2013-02-15 03:25 36864 ----a-w- c:\windows\SysWow64\tsgqec.dll
2013-04-10 12:30 . 2013-02-15 06:06 3717632 ----a-w- c:\windows\system32\mstscax.dll
2013-04-10 12:30 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\SysWow64\mstscax.dll
2013-04-10 12:23 . 2013-03-19 04:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-04-10 12:23 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 12:23 . 2013-03-19 05:46 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 12:23 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-04-10 12:23 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-04-10 12:23 . 2013-03-19 03:06 112640 ----a-w- c:\windows\system32\smss.exe
2013-04-10 12:16 . 2013-03-01 03:36 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-04-09 13:52 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F550A8CC-E81D-4426-BA1F-A705CA5DACCE}\mpengine.dll
2013-04-07 20:35 . 2013-04-07 20:35 -------- d-----w- c:\program files (x86)\Common Files\Skype
2013-03-28 15:22 . 2012-11-07 17:55 39680 ----a-w- c:\windows\system32\drivers\360LanProtect.sys
2013-03-21 23:45 . 2013-03-21 23:45 -------- d-----w- c:\windows\SysWow64\Adobe
2013-03-14 02:22 . 2013-03-14 02:23 -------- d-----w- c:\program files\Microsoft Silverlight
2013-03-14 02:22 . 2013-03-14 02:23 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2013-03-13 18:05 . 2013-03-13 18:05 -------- d-----w- c:\users\FW56E\AppData\Roaming\Civitas2
2013-03-13 18:02 . 2013-03-13 18:05 -------- d-----w- c:\program files (x86)\Kalypso Media
2013-03-13 14:23 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-13 14:05 . 2013-02-28 13:57 9061376 ----a-w- c:\windows\system32\mshtml.dll
2013-03-13 14:05 . 2013-02-28 13:57 12296192 ----a-w- c:\windows\system32\ieframe.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Files modified in the last three months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-10 12:38 . 2012-04-01 17:54 691592 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-10 12:38 . 2011-05-18 08:58 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-02 12:16 . 2011-02-25 11:51 236248 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
2013-03-14 02:25 . 2010-02-08 23:20 72013344 ----a-w- c:\windows\system32\MRT.exe
2013-03-12 00:10 . 2010-03-23 20:33 282744 ------w- c:\windows\system32\MpSigStub.exe
2013-02-27 15:20 . 2013-02-27 15:20 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-02-27 15:20 . 2012-05-04 20:29 861088 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-02-27 15:20 . 2010-07-16 08:30 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-02-12 05:45 . 2013-03-13 14:16 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-13 14:16 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 05:45 . 2013-03-13 14:16 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-13 14:16 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 04:48 . 2013-03-13 14:16 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 14:16 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-13 21:17 . 2013-02-28 02:57 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 21:17 . 2013-02-28 02:57 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 21:16 . 2013-02-28 02:57 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 21:12 . 2013-02-28 02:57 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 21:11 . 2013-02-28 02:57 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 21:11 . 2013-02-28 02:57 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 21:11 . 2013-02-28 02:57 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 21:11 . 2013-02-28 02:57 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 21:11 . 2013-02-28 02:57 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 20:35 . 2013-02-28 02:57 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 20:35 . 2013-02-28 02:57 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 20:35 . 2013-02-28 02:57 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 20:32 . 2013-02-28 02:57 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 20:31 . 2013-02-28 02:57 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 20:31 . 2013-02-28 02:57 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 20:31 . 2013-02-28 02:57 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 20:31 . 2013-02-28 02:57 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:31 . 2013-02-28 02:57 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 20:31 . 2013-02-28 02:57 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-01-13 20:22 . 2013-02-28 02:57 1988096 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2013-01-13 20:20 . 2013-02-28 02:57 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2013-01-13 20:09 . 2013-02-28 02:57 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2013-01-13 20:08 . 2013-02-28 02:57 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
2013-01-13 20:08 . 2013-02-28 02:57 1504768 ----a-w- c:\windows\SysWow64\d3d11.dll
2013-01-13 19:59 . 2013-02-28 02:57 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-01-13 19:58 . 2013-02-28 02:57 1175552 ----a-w- c:\windows\system32\FntCache.dll
2013-01-13 19:54 . 2013-02-28 02:57 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2013-01-13 19:53 . 2013-02-28 02:57 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2013-01-13 19:53 . 2013-02-28 02:57 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-01-13 19:51 . 2013-02-28 02:57 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2013-01-13 19:49 . 2013-02-28 02:57 363008 ----a-w- c:\windows\system32\dxgi.dll
2013-01-13 19:48 . 2013-02-28 02:57 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2013-01-13 19:46 . 2013-02-28 02:57 1080832 ----a-w- c:\windows\SysWow64\d3d10.dll
2013-01-13 19:43 . 2013-02-28 02:57 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2013-01-13 19:38 . 2013-02-28 02:57 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-01-13 19:38 . 2013-02-28 02:57 1887232 ----a-w- c:\windows\system32\d3d11.dll
2013-01-13 19:38 . 2013-02-28 02:57 296960 ----a-w- c:\windows\system32\d3d10core.dll
2013-01-13 19:37 . 2013-02-28 02:57 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll
2013-01-13 19:25 . 2013-02-28 02:57 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2013-01-13 19:24 . 2013-02-28 02:57 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2013-01-13 19:24 . 2013-02-28 02:57 221184 ----a-w- c:\windows\system32\UIAnimation.dll
2013-01-13 19:20 . 2013-02-28 02:57 194560 ----a-w- c:\windows\system32\d3d10_1.dll
2013-01-13 19:20 . 2013-02-28 02:57 1238528 ----a-w- c:\windows\system32\d3d10.dll
2013-01-13 19:15 . 2013-02-28 02:57 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-01-13 19:10 . 2013-02-28 02:57 3928064 ----a-w- c:\windows\system32\d2d1.dll
2013-01-13 19:02 . 2013-02-28 02:57 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-01-13 18:34 . 2013-02-28 02:57 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2013-01-13 18:32 . 2013-02-28 02:57 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2013-01-13 18:09 . 2013-02-28 02:57 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-01-13 17:26 . 2013-02-28 02:57 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2013-01-13 17:05 . 2013-02-28 02:57 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
.
.
((((((((((((((((((((((((((((((((((((( Registry loading points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{0EA37B17-6B8B-4085-8257-F3A4AA69
 

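The "new files" section of the ComboFix log above is the part a reviewer reads first, and every line has the same shape: creation timestamp, a dot, last-write timestamp, size (or dashes for a directory), an attribute string, and the path. The Python below is an added example, not code from the original thread or from ComboFix: it parses those lines and ranks the executable files created inside the scan window using two heuristics (location outside the directories Windows Update and installers normally write to, and a last-write stamp that is not older than the creation stamp, which is what a file copied out of a Microsoft update package would have). The sample input is copied from the log above except for the final line, which is a constructed path under a made-up "example" user so that the flags have something to fire on. The flags rank entries for a human; they are not a malware verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One ComboFix file line: <created> . <last-write> <size|dashes> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[A-Za-z-]{8})\s+(?P<path>\S.*?)\s*$"
)
TS_FMT = "%Y-%m-%d %H:%M"
EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv"}

# Where Windows Update, Defender and ordinary installers normally write binaries.
# A hit here is the usual case and scores nothing; anywhere else is worth a look.
EXPECTED_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\",
    "c:\\program files\\", "c:\\program files (x86)\\", "c:\\programdata\\microsoft\\",
)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for directories (ComboFix prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def ext(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file line, or None for header, blank and '.' lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(datetime.strptime(m["created"], TS_FMT),
                 datetime.strptime(m["modified"], TS_FMT),
                 size, m["attrs"], m["path"])


def triage(lines, start: datetime, end: datetime) -> List[Tuple[List[str], Entry]]:
    """Executable files created in [start, end], most-flagged first."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or e.is_dir or e.ext not in EXEC_EXT:
            continue
        if not (start <= e.created <= end):
            continue
        lp = e.path.lower()
        reasons = []
        if not lp.startswith(EXPECTED_DIRS):
            reasons.append("outside the usual OS/program directories")
        if e.modified >= e.created:
            # A binary copied out of an update package keeps its build-time
            # last-write stamp, which predates its creation on this host. An
            # equal or later stamp means it was written in place; installers
            # do that too, so on its own this is a weak signal.
            reasons.append("written in place: no preserved build timestamp")
        if lp.startswith("c:\\windows\\") and not lp.startswith(EXPECTED_DIRS):
            reasons.append("under c:\\windows but outside system32/SysWow64/WinSxS")
        hits.append((reasons, e))
    hits.sort(key=lambda h: (-len(h[0]), h[1].created))
    return hits


# Lines copied from the log above; the last line is constructed (not from the log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( New files from 2013-03-11 to 2013-04-11 )))))))))))))))))))))))))))))))
.
2013-04-11 00:55 . 2013-04-11 00:55 -------- d-----w- C:\360Rec
2013-04-10 15:20 . 2013-04-04 13:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-10 12:23 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-09 13:52 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F550A8CC-E81D-4426-BA1F-A705CA5DACCE}\mpengine.dll
2013-03-28 15:22 . 2012-11-07 17:55 39680 ----a-w- c:\windows\system32\drivers\360LanProtect.sys
2013-01-13 21:17 . 2013-02-28 02:57 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-09 21:03 . 2013-04-09 21:03 53248 ----a-w- c:\users\example\AppData\Roaming\dropped.exe
""".splitlines()

# The scan window printed in the log's section header.
WINDOW = (datetime(2013, 3, 11), datetime(2013, 4, 11, 23, 59))


def flagged_paths(lines=SAMPLE_LOG, window=WINDOW) -> List[str]:
    """Paths of entries that received at least one flag, most-flagged first."""
    return [e.path for reasons, e in triage(lines, *window) if reasons]


if __name__ == "__main__":
    for reasons, e in triage(SAMPLE_LOG, *WINDOW):
        print(f"{e.created:%Y-%m-%d %H:%M}  {e.size:>8}  {e.path}")
        print("    -> " + ("; ".join(reasons) or "nothing unusual"))
```

Run against the real log, the patched kernel and driver files score nothing because they sit in system32 and carry last-write stamps weeks older than their creation, which is exactly what a Windows Update package produces; only the constructed line is flagged. Entries with one weak flag (for example a freshly written file in Program Files) are normal for an installer and should be read together with the loading-point section that follows in the log.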
Fiery

Level 1
Jan 11, 2011
2,007
Good to hear everything is back to normal. The program removed some of your Chinese programs, so you may have to re-install them.

In the meantime, your ComboFix log isn't complete. Can you attach the log? Click "New Reply" and scroll down to the attachment section. Click "Choose file" and select the ComboFix log.
 

Fiery

Level 1
Jan 11, 2011
2,007
Run ESET NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in the log file located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

holaboo

New Member
Thread author
Apr 10, 2013
12
Just ran the ESET scanner, which took around 3 hours 30 mins to finish, but no log popped up and I checked the log.txt file; there wasn't much in there. Will scan another and post results in around 3 hours. I did see that during the scan it found a threat called win32\spy.zbot.yw trojan. Oh, and this is what's in the log.txt file currently.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
 

Fiery

Level 1
Jan 11, 2011
2,007
Ok, that file is fine as it was already quarantined.

If you are no longer experiencing any other issues, your PC is now clean!

Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.




Now that your PC is clean, I recommend you create a new System Restore point and then purge the old ones.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

For Vista
Create a restore point
Delete all but the most recent restore point

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link




Keep your system updated
Please go to control panel and uninstall the following:

Java(TM) 6 Update 32
Java 7 Update 15
Adobe Reader X (10.1.5)

Delete older Java versions from your computer by downloading JavaRa
  • Run JavaRa.exe, then click Remove JRE.
  • Let the tool run
  • Once it finishes, close JavaRa

Currently, the following programs on your PC are outdated:
  • Java - Update Java here
  • Adobe Reader - Update Adobe Reader here
Keeping your programs (especially Adobe and Java products) updated is essential. Outdated programs make your PC more vulnerable to future malware threats. To help you:
  • Download and install Update Checker. It will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here


I also recommend you to switch your antivirus program to a better one. Here are some suggestions:

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.


Other steps that you may want to do to further protect your system/files:
  • Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
  • Back up important files regularly to an external hard drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.


Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with additional add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains fewer vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScrambler - Encrypts your keystrokes to protect you against keyloggers that steal personal & banking information
  • AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.


Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask :)

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
 

holaboo

New Member
Thread author
Apr 10, 2013
12
Thanks so much for the time you have spent helping me on this, much appreciation! You have been a wonderful help!
 
