FAKE flash player appearing on my toolbar. Flash player virus? Help!

eccle · 09-15-2012, 10:01 PM

There is this fake flash player thing on my toolbar (a white "f" inside a red box) and when I click on it, no flash player update window pops up. It's just plain weird. I am having trouble with Internet Explorer lately probably because of this. Every time I close the IE window, I always get that "Windows IE stopped from working" thing.

A few days ago, I had a blue screen. I restarted my laptop and it's working fine lately but that fake player virus/trojan keeps on appearing on my toolbar and I am scared. Kaspersky 2003 didn't work. I ran it (normal and safe mode) but it didn't remove it. Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_35
Run by Rev at 12:41:43 on 2012-09-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.585 [GMT 8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCRTP.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
c:\program files\kingsoft\kingsoft antivirus\kxescore.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe
C:\Program Files\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\ProgramData\DatacardService\HWDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\ProgramData\Smart Bro\OnlineUpdate\ouc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\SMART BRO\AssistantServices.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hotkey Utility\tray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SMART BRO\UIExec.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\kingsoft\kingsoft antivirus\kxetray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Rev\AppData\Local\Facebook\Update\FacebookUpdate.exe
C:\Program Files\Tencent\QQMusic\QQMusic.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\PPLive\PPTV\PPLive.exe
C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe
C:\Windows\system32\conime.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Windows\System32\svchost.exe -k PPTVServiceGroup
C:\Program Files\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Tencent\QQPCMgr\6.8.2387.401\QQPCWebShield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.hao123.com/?tn=62002018_3_hao_pg
uURLSearchHooks: H - No File
uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Content Blocker Plugin: {5564cc73-efa7-4cbf-918a-5cf7fbbfff4f} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\contentblocker\ie_content_blocker_plugin.dll
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Virtual Keyboard Plugin: {73455575-e40c-433c-9784-c78dc7761455} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Baidu Toolbar BHO: {77fef28e-eb96-44ff-b511-3185dea48697} - c:\program files\baidu\toolbar\BaiduBarX.dll
BHO: QQ?????????: {7c260b4b-f7a0-40b5-b403-befcdc6a4c3b} - c:\program files\tencent\qqpcmgr\6.8.2387.401\TSWebMon.dat
BHO: Safe Money Plugin: {9e6d0d23-3d72-4a94-ae1f-2d167624e3d9} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\onlinebanking\online_banking_bho.dll
BHO: A3AA4C3C-3C93-5013-63C1-DE7B16E904E7 Class: {a3aa4c3c-3c93-5013-63c1-de7b16e904e7} - c:\progra~1\baidu\{a3aa4~1\AddressBar.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll
TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTo0.dll
TB: °Ù¶È¹¤¾ßÀ¸: {b580cf65-e151-49c3-b73f-70b13fca8e86} - c:\program files\baidu\toolbar\BaiduBarX.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Facebook Update] "c:\users\rev\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [QQMusic] "c:\program files\tencent\qqmusic\QQMusic.exe" /background
uRun: [PPAP] "c:\program files\common files\pplivenetwork\PPAP.exe" -background
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [FIC HotKey] c:\program files\hotkey utility\tray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UIExec] "c:\program files\smart bro\UIExec.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [PowerDVD12DMREngine] "c:\program files\cyberlink\powerdvd12\kernel\dmr\PowerDVD12DMREngine.exe"
mRun: [PowerDVD12Agent] "c:\program files\cyberlink\powerdvd12\PowerDVD12Agent.exe"
mRun: [ QQPCTray] "c:\program files\tencent\qqpcmgr\6.8.2387.401\QQPCTray.exe" /regrun
mRun: [kxesc] "c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" -autorun
mRun: [SetRoute] c:\program files\l2tphelp\setroute.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe"
StartupFolder: c:\users\rev\appdata\roaming\micros~1\windows\startm~1\programs\startup\pptv.lnk - c:\program files\pplive\pptv\PPLive.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2013\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: Search the Web - c:\program files\sweetim\toolbars\internet explorer\resources\menuext.html
IE: {95B3F550-91C4-4627-BCC4-521288C52977} - c:\program files\pplive\pptv\PPLive.exe
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
TCP: Interfaces\{5D47F38F-14A7-4A54-BF32-7CE1D5424C30} : NameServer = 10.10.0.21
TCP: Interfaces\{824ECD50-A390-4846-878B-75A8B0171671} : DhcpNameServer = 202.101.172.46 202.101.172.47
TCP: Interfaces\{ED23D40D-2D7B-4EB6-B2FB-CC7310F911B2} : NameServer = 10.10.0.21 10.10.2.21
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rev\appdata\roaming\mozilla\firefox\profiles\13aujkpt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\tencent\npqscall\npqscall.dll
FF - plugin: c:\program files\common files\tencent\txsso\1.2.1.42\bin\npSSOAxCtrlForPTLogin.dll
FF - plugin: c:\program files\internet explorer\pplite\plugin\1.0.1.1919\npplugin2.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\kingsoft\kingsoft antivirus\npkvip.dll
FF - plugin: c:\program files\kingsoft\kingsoft antivirus\npkws.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\tencent\qqmusic\npQzoneMusic.dll
FF - plugin: c:\users\rev\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 KAVBootC;KAVBootC;c:\windows\system32\drivers\kavbootc.sys [2012-9-4 27240]
R0 TsFltMgr;tencent TsFltMgr;c:\windows\system32\drivers\TsFltMgr.sys [2012-6-7 65624]
R0 TSysCare;TSysCare;c:\windows\system32\drivers\TSysCare.sys [2012-6-7 24824]
R1 KDHacker;KDHacker;c:\program files\kingsoft\kingsoft antivirus\security\kxescan\kdhacker.sys [2012-9-4 127992]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2012-8-2 24408]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-6-8 43608]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 144344]
R1 TCSafeBox;TCSafeBox;c:\program files\tencent\qqpcmgr\6.8.2387.401\TCSafeBox.sys [2012-6-7 53240]
R1 TSCPM;TSCPM;c:\program files\tencent\qqpcmgr\6.8.2387.401\tscpm.sys [2012-6-7 32888]
R1 TSDefenseBt;TSDefenseBt;c:\windows\system32\drivers\TSDefenseBt.sys [2012-9-4 60408]
R1 TSKSP;TSKsp;c:\program files\tencent\qqpcmgr\6.8.2387.401\TSKsp.sys [2012-6-7 153112]
R2 {73526619-C24F-470B-9BED-53D455FBB5C6};Power Control [2012/08/17 08:21:15];c:\program files\cyberlink\powerdvd12\common\navfilter\000.fcl [2012-7-5 88312]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-28 63960]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe [2012-8-17 218880]
R2 CLHNServiceForPowerDVD12;CLHNServiceForPowerDVD12;c:\program files\cyberlink\powerdvd12\kernel\dmp\clhnserver\CLHNServiceForPowerDVD12.exe [2012-8-17 90640]
R2 CyberLink PowerDVD 12 Media Server Monitor Service;CyberLink PowerDVD 12 Media Server Monitor Service;c:\program files\cyberlink\powerdvd12\kernel\dms\CLMSMonitorServicePDVD12.exe [2012-8-17 78352]
R2 CyberLink PowerDVD 12 Media Server Service;CyberLink PowerDVD 12 Media Server Service;c:\program files\cyberlink\powerdvd12\kernel\dms\CLMSServerPDVD12.exe [2012-8-17 295440]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\datacardservice\HWDeviceService.exe [2011-3-14 271712]
R2 kisknl;kisknl;c:\windows\system32\drivers\kisknl.sys [2012-9-4 165368]
R2 kxescore;Kingsoft Core Service;c:\program files\kingsoft\kingsoft antivirus\kxescore.exe [2012-9-4 128072]
R2 ntk_PowerDVD12;ntk_PowerDVD12;c:\program files\cyberlink\powerdvd12\kernel\dmp\clhnserver\ntk_PowerDVD12.sys [2012-8-17 121208]
R2 QQSysMon;QQSysMon;c:\program files\tencent\qqpcmgr\6.8.2387.401\QQSysMon.sys [2012-6-7 56568]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2012-6-15 73216]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-5-25 25432]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-7-25 25944]
R3 ksapi;ksapi;c:\windows\system32\drivers\ksapi.sys [2012-9-4 82296]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\Ndisrd.sys [2012-9-10 22016]
R3 TcHardWare;TcHardWare;c:\program files\tencent\qqpcmgr\6.8.2387.401\QQPCHW.sys [2012-6-7 34168]
R4 TSSysKit;TSSysKit;c:\program files\tencent\qqpcmgr\6.8.2387.401\TSSysKit.sys [2012-6-7 91256]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-22 250056]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2012-6-15 102784]
S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2012-4-10 9216]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-20 114144]
S3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\Ndisrd.sys [2012-9-10 22016]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-9-16 27192]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\ZTEusbvoice.sys [2012-4-10 107776]
.
=============== File Associations ===============
.
txtfile=c:\windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2012-09-15 17:04:56 -------- d-----w- c:\users\rev\appdata\local\Macromedia
2012-09-15 16:47:56 -------- d-----w- c:\users\rev\appdata\local\VS Revo Group
2012-09-15 16:47:30 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-09-15 16:47:28 -------- d-----w- c:\program files\VS Revo Group
2012-09-14 13:51:29 -------- d-----w- c:\program files\Kaspersky Lab
2012-09-14 13:51:28 -------- d-----w- c:\programdata\Kaspersky Lab
2012-09-14 13:49:03 75096 ----a-w- c:\windows\system32\drivers\klflt.sys
2012-09-14 10:22:13 -------- d-----w- c:\users\rev\appdata\roaming\Wandoujia2
2012-09-10 16:25:35 -------- d-----w- c:\program files\common files\Symantec Shared
2012-09-10 13:33:32 -------- d-----w- c:\programdata\Symantec
2012-09-10 13:33:07 -------- d-----w- c:\programdata\Norton
2012-09-10 13:33:01 -------- d-----w- c:\programdata\NortonInstaller
2012-09-10 12:35:29 22016 ----a-w- c:\windows\system32\drivers\Ndisrd.sys
2012-09-08 02:55:23 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2012-09-06 14:19:30 61440 ----a-r- c:\users\rev\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
2012-09-06 14:19:30 61440 ----a-r- c:\users\rev\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\ARPPRODUCTICON.exe
2012-09-06 14:19:30 106496 ----a-r- c:\users\rev\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2012-09-06 14:19:30 106496 ----a-r- c:\users\rev\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2012-09-06 14:19:30 106496 ----a-r- c:\users\rev\appdata\roaming\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2012-09-06 09:17:07 -------- d-----w- c:\windows\system32\Tencent
2012-09-06 05:20:09 -------- d-----w- c:\users\rev\appdata\local\visi_coupon
2012-09-06 00:34:45 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-05 23:59:26 -------- d-----r- c:\program files\Skype
2012-09-05 11:35:46 737280 ----a-w- c:\windows\iun6002.exe
2012-09-05 11:35:45 -------- d-----w- c:\program files\L2TPHelp
2012-09-04 06:27:29 18760 ----a-w- c:\windows\system32\QQVistaHelper.dll
2012-09-04 06:18:05 -------- d-----w- C:\PPDownload
2012-09-04 05:59:32 -------- d-----w- C:\FavoriteVideo
2012-09-04 05:59:06 -------- d-----w- c:\programdata\Jlcm
2012-09-04 05:58:36 -------- d-----w- c:\users\rev\appdata\roaming\PPLive
2012-09-04 05:58:36 -------- d-----w- c:\programdata\PPLive
2012-09-04 05:58:07 -------- d-----w- c:\program files\PPLive
2012-09-04 05:58:07 -------- d-----w- c:\program files\common files\PPLiveNetwork
2012-09-04 05:44:51 60408 ----a-w- c:\windows\system32\drivers\TSDefenseBt.sys
2012-09-04 05:42:10 308640 ----a-w- c:\windows\system32\MMInstaller.dll
2012-09-04 05:42:06 -------- d-----w- c:\program files\common files\Tencent
2012-09-04 05:42:05 -------- d-----w- c:\program files\Tencent
2012-09-04 05:41:49 -------- d-----w- c:\users\rev\appdata\roaming\Tencent
2012-09-04 05:41:49 -------- d-----w- c:\programdata\Tencent
2012-09-04 05:41:21 -------- d-----w- c:\program files\Baidu
2012-09-04 05:41:04 -------- d-----w- c:\users\rev\funshion
.
==================== Find3M ====================
.
2012-09-08 08:36:03 82296 ----a-w- c:\windows\system32\drivers\ksapi.sys
2012-09-08 08:31:50 165368 ----a-w- c:\windows\system32\drivers\kisknl.sys
2012-09-08 08:29:30 166776 ----a-w- c:\windows\system32\drivers\kdhacker64.sys
2012-09-08 08:29:23 127992 ----a-w- c:\windows\system32\drivers\kdhacker.sys
2012-09-06 00:34:21 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-04 05:45:15 19352 ----a-w- c:\windows\system32\drivers\ksskrpr.sys
2012-09-04 05:45:14 31848 ----a-w- c:\windows\system32\drivers\kavbootc64.sys
2012-09-04 05:45:14 27240 ----a-w- c:\windows\system32\drivers\kavbootc.sys
2012-09-04 05:45:14 208728 ----a-w- c:\windows\system32\drivers\kisknl64.sys
2012-09-04 05:45:13 24472 ----a-w- c:\windows\system32\drivers\bc.sys
2012-08-18 09:22:37 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-18 09:22:37 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 07:37:30 491912 ----a-w- c:\windows\system32\PPTVSvc.dll
2012-08-15 07:37:18 2291592 ----a-w- c:\windows\system32\kindling.dll
2012-08-13 08:49:44 144344 ----a-w- c:\windows\system32\drivers\kneps.sys
2012-08-02 07:09:30 24408 ----a-w- c:\windows\system32\drivers\klim6.sys
2012-07-25 06:53:48 25944 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2012-06-19 09:28:12 136024 ----a-w- c:\windows\system32\drivers\kl1.sys
.
============= FINISH: 12:44:47.62 ===============

**chemist** · 09-19-2012, 12:59 PM

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Do you use conduit engine?

Was kingsoft antivirus a previous install?

------------------------------------------------------

Please download aswMBR.exe to your desktop.

Double-click aswMBR.exe to run it.
When prompted to download the latest Avast! virus definitions, please choose Yes
Click the Scan button to start scan.
Wait until it says, 'Scan finished successfully'. ( Note - do not select any Fix at this time)
Click Save log, and save it to your desktop.
Click Exit.
Please post the contents of that log, aswMBR.txt, in your next reply.

There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.

------------------------------------------------------

When you run this tool, remember to choose 'Skip' not 'Cure' if it finds something. We just want a scan, not a fix.

Download tdsskiller.exe and Save it to your Desktop.

Double-click tdsskiller.exe and click 'Run'

Click 'Start scan'.

If no infection is found, click 'Close' and let me know.

If an infection is found, select 'Skip' from the dropdown menu under 'Cure' then click 'Continue' > 'Close' > 'Close'.

It will produce a log here > C:\TDSSKiller.2.8.8.0_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:

@echo off
if exist log.txt del /s/q log.txt
dir /a /s "c:\users\rev\appdata\roaming\Wandoujia2" > log.txt
notepad log.txt
del %0

Save this as peek.bat and choose to Save as type: - All Files to your desktop then close the Notepad file.
It should look like this:

Right-click on peek.bat and choose 'Run as administrator' to allow it to run. A Notepad file will open. Post the contents of that file in your next reply.

------------------------------------------------------

**chemist** · 09-23-2012, 09:28 AM

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------