ComboFix 15-02-13.02 - Sourcing 02/14/2015 22:17:42.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3582.2316 [GMT 8:00]
Running from: c:\users\Sourcing\Downloads\ComboFix.exe
AV: 360 Total Security *Disabled/Updated* {2B66EE1E-E5C8-C2F7-648F-4E55AC68D37D}
AV: Microsoft Security Essentials *Enabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: 360 Total Security *Disabled/Updated* {90070FFA-C3F2-CD79-5E3F-7527D7EF99C0}
SP: Microsoft Security Essentials *Enabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Downloaded Program Files\125076625
c:\windows\Downloaded Program Files\125076625\BaiduSetupAx_0.dll
c:\windows\Downloaded Program Files\125076625\npxbdsetup.dll
c:\windows\Downloaded Program Files\94215665
c:\windows\Downloaded Program Files\94215665\BaiduSetupAx_0.dll
c:\windows\Downloaded Program Files\94215665\npxbdsetup.dll
c:\windows\Downloaded Program Files\stampedeaod
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_PROTECTOR
-------\Legacy_RKHIT
.
.
((((((((((((((((((((((((( Files Created from 2015-01-14 to 2015-02-14 )))))))))))))))))))))))))))))))
.
.
2015-02-14 14:28 . 2015-02-14 14:28 39464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B4637D2-7B3A-4FAC-B29A-3A13B4065CA7}\MpKsl7651f318.sys
2015-02-14 14:26 . 2015-02-14 14:29 -------- d-----w- c:\users\Sourcing\AppData\Local\temp
2015-02-14 14:26 . 2015-02-14 14:26 -------- d-----w- c:\users\Public.ESTAR-PRIVATE\AppData\Local\temp
2015-02-14 05:50 . 2010-03-08 10:10 9216 ----a-w- c:\windows\system32\ffnd.exe
2015-02-14 02:55 . 2014-12-02 11:01 9054624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B4637D2-7B3A-4FAC-B29A-3A13B4065CA7}\mpengine.dll
2015-02-13 07:16 . 2014-11-20 22:14 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-02-13 07:16 . 2014-11-20 22:14 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-02-13 07:15 . 2015-02-14 05:42 114904 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2015-02-13 07:15 . 2015-02-13 07:17 -------- d-----w- c:\users\Sourcing\AppData\Roaming\Malwarebytes
2015-02-13 07:15 . 2015-02-13 07:16 -------- d-----w- c:\programdata\Malwarebytes
2015-02-13 07:15 . 2014-11-20 22:14 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-02-13 03:24 . 2015-01-09 02:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
2015-02-13 03:24 . 2015-01-09 00:17 78848 ----a-w- c:\windows\system32\drivers\dfsc.sys
2015-02-13 03:24 . 2015-01-09 02:04 578560 ----a-w- c:\windows\system32\gpsvc.dll
2015-02-13 03:24 . 2015-01-09 02:04 75264 ----a-w- c:\windows\system32\gpapi.dll
2015-02-13 03:24 . 2015-01-09 00:17 81408 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2015-02-13 03:24 . 2015-01-09 00:18 64000 ----a-w- c:\windows\system32\smss.exe
2015-02-13 03:24 . 2015-01-09 00:17 217088 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2015-02-13 03:24 . 2015-01-09 00:17 225792 ----a-w- c:\windows\system32\drivers\rdbss.sys
2015-02-13 03:24 . 2015-01-09 00:17 107008 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2015-02-13 03:24 . 2015-01-09 02:09 82880 ----a-w- c:\windows\system32\drivers\mup.sys
2015-02-13 03:24 . 2015-01-09 02:09 3604408 ----a-w- c:\windows\system32\ntkrnlpa.exe
2015-02-13 03:24 . 2015-01-09 02:09 3552184 ----a-w- c:\windows\system32\ntoskrnl.exe
2015-02-12 18:23 . 2014-12-02 11:01 9054624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-02-12 04:12 . 2015-02-12 13:59 -------- d-----w- C:\Reg-edit
2015-02-11 23:23 . 2015-01-23 03:00 1810944 ----a-w- c:\windows\system32\jscript9.dll
2015-02-11 21:16 . 2015-02-11 21:31 -------- d-----w- c:\programdata\360TotalSecurity
2015-02-11 12:42 . 2014-11-26 02:05 564224 ----a-w- c:\windows\system32\oleaut32.dll
2015-02-11 12:42 . 2015-01-09 00:20 2063360 ----a-w- c:\windows\system32\win32k.sys
2015-02-11 12:42 . 2015-01-13 01:39 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2015-02-11 12:41 . 2015-01-15 04:13 440760 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2015-02-11 12:40 . 2014-12-08 01:59 306176 ----a-w- c:\windows\system32\scesrv.dll
2015-02-11 10:28 . 2014-09-17 07:29 908840 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B08D1AAF-CDC9-4936-B025-C94427D5C093}\gapaengine.dll
2015-02-10 12:25 . 2015-02-10 12:25 -------- d-----w- c:\windows\Sun
2015-02-10 12:24 . 2015-02-10 12:24 -------- d-----w- c:\windows\system32\RTCOM
2015-02-10 12:20 . 2015-02-10 12:20 -------- d-----w- C:\DD-Driver_Win8_Win7
2015-02-10 12:13 . 2015-02-10 12:13 -------- d-----w- c:\program files\Renesas Electronics
2015-02-10 12:12 . 2015-02-10 12:12 -------- d-----w- c:\users\Sourcing\AppData\Roaming\InstallShield
2015-02-10 09:41 . 2015-02-10 09:41 -------- d-----w- c:\users\Sourcing\AppData\Local\Intel
2015-02-10 09:38 . 2015-02-10 09:38 -------- d-----w- c:\program files\Intel Driver Update Utility
2015-02-10 09:38 . 2015-02-10 09:38 -------- d-----w- c:\programdata\Package Cache
2015-02-10 07:40 . 2015-02-14 07:03 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-02-10 07:40 . 2015-02-10 07:40 -------- d-----w- c:\programdata\RogueKiller
2015-02-10 07:06 . 2015-02-10 07:06 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2015-02-08 04:26 . 2015-02-08 04:26 -------- d-----w- c:\programdata\Kaspersky Lab
2015-02-07 20:41 . 2015-02-07 20:41 -------- d-----w- c:\users\Administrator\AppData\Roaming\QuickScan
2015-02-07 19:45 . 2015-02-07 19:03 885160 ----a-w- c:\windows\system32\npdeployJava1.dll
2015-02-07 19:45 . 2015-02-07 19:03 808360 ----a-w- c:\windows\system32\deployJava1.dll
2015-02-07 19:04 . 2015-02-07 19:04 -------- d-----w- c:\program files\Common Files\Java
2015-02-07 15:32 . 2015-02-10 10:50 -------- d-----w- c:\users\Sourcing\AppData\Local\ElevatedDiagnostics
2015-02-07 12:21 . 2015-02-07 12:21 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2015-02-07 07:33 . 2015-02-14 06:08 -------- d-----w- C:\AdwCleaner
2015-02-06 15:21 . 2015-02-10 12:26 -------- d-----w- c:\programdata\NVIDIA
2015-02-06 14:27 . 2014-08-04 15:19 4389664 ----a-w- c:\windows\system32\nvcpl.dll
2015-02-06 14:27 . 2014-08-04 15:19 3062104 ----a-w- c:\windows\system32\nvsvc.dll
2015-02-06 14:27 . 2014-08-04 15:18 672712 ----a-w- c:\windows\system32\nvvsvc.exe
2015-02-06 14:27 . 2014-08-04 15:18 62752 ----a-w- c:\windows\system32\nvshext.dll
2015-02-06 14:27 . 2014-08-04 15:18 2556360 ----a-w- c:\windows\system32\nvsvcr.dll
2015-02-06 14:27 . 2014-08-04 15:18 376280 ----a-w- c:\windows\system32\nvmctray.dll
2015-02-06 14:27 . 2014-07-31 21:13 3932167 ----a-w- c:\windows\system32\nvcoproc.bin
2015-02-06 14:16 . 2015-02-06 14:16 -------- d-----w- c:\programdata\NVIDIA Corporation
2015-01-28 16:11 . 2015-01-28 16:11 -------- d-----w- c:\users\Administrator\AppData\Roaming\WinBatch
2015-01-28 15:59 . 2001-09-26 03:03 12981 ----a-w- c:\windows\system32\REALPKT.VXD
2015-01-28 15:59 . 2007-04-26 06:05 100000 ----a-w- c:\windows\system32\EAPPkt9x.VXD
2015-01-28 15:59 . 2010-12-01 01:31 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2015-01-19 18:24 . 2015-01-19 18:24 -------- d-----w- c:\program files\Microsoft Silverlight
2015-01-18 17:46 . 2015-01-18 17:46 -------- d-----w- c:\users\Administrator\AppData\Roaming\dlg
2015-01-18 16:40 . 2015-01-28 14:57 -------- d-----w- c:\users\Public.ESTAR-PRIVATE\AppData\Roaming\Device Doctor
2015-01-18 16:12 . 2015-01-28 14:50 -------- d-----w- c:\users\Coco\AppData\Roaming\Device Doctor
2015-01-18 13:34 . 2015-01-18 13:34 0 ---ha-w- c:\users\Administrator\AppData\Local\BITB35A.tmp
2015-01-18 10:48 . 2011-06-15 13:11 22120 ----a-w- c:\windows\system32\drivers\RtNdPt60.sys
2015-01-18 10:25 . 2015-02-10 12:22 319456 ----a-w- c:\windows\DIFxAPI.dll
2015-01-18 10:23 . 2015-02-10 12:26 -------- d--h--w- c:\program files\Temp
2015-01-18 10:23 . 2006-02-07 07:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2015-01-18 10:23 . 2006-02-07 07:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2015-01-18 10:23 . 2006-02-07 07:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2015-01-18 10:23 . 2006-02-07 07:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2015-01-18 10:23 . 2005-11-13 15:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2015-01-18 10:23 . 2015-01-18 10:23 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2015-01-18 10:23 . 2015-01-18 10:23 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2015-01-18 09:59 . 2015-01-18 09:59 -------- d-----w- c:\users\Administrator\AppData\Local\Intel
2015-01-18 09:21 . 2015-01-18 09:21 32832 ----a-w- c:\windows\system32\rnd_chunk.bin
2015-01-16 14:06 . 2015-01-16 14:06 -------- d-----w- c:\users\Administrator\AppData\Roaming\Easeware
2015-01-16 13:44 . 2008-01-21 02:32 52736 ----a-w- c:\windows\system32\hpzipm12.dll
2015-01-16 13:44 . 2008-01-21 02:32 37376 ----a-w- c:\windows\system32\hpzipr12.dll
2015-01-16 13:44 . 2008-01-21 02:32 53248 ----a-w- c:\windows\system32\hpzidr12.dll
2015-01-16 13:24 . 2015-01-16 13:36 -------- d-----w- c:\users\Administrator\AppData\Roaming\HpUpdate
2015-01-16 13:23 . 2015-01-16 13:23 -------- d-----w- c:\windows\Hewlett-Packard
2015-01-16 13:16 . 2015-01-16 13:16 -------- d-----w- C:\swsetup
2015-01-16 13:03 . 2015-01-16 13:03 -------- d-----w- c:\users\Sourcing\AppData\Local\Hewlett-Packard
11747-11-13 19:58 . 2011-08-04 12:44 -------- d-sh--w- c:\windows\xxclone.arc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-13 00:32 . 2012-04-04 05:52 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-02-13 00:32 . 2011-11-23 07:13 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-02-10 14:14 . 2014-11-25 17:36 58440 ----a-w- c:\windows\system32\drivers\hookport.sys
2015-02-10 14:14 . 2014-11-25 17:36 202312 ----a-w- c:\windows\system32\drivers\360Box.sys
2015-02-10 14:14 . 2014-11-25 17:37 65608 ----a-w- c:\windows\system32\drivers\360AvFlt.sys
2015-02-10 14:14 . 2014-11-25 17:36 169040 ----a-w- c:\windows\system32\drivers\BAPIDRV.SYS
2015-02-07 19:03 . 2014-08-06 00:41 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2015-01-09 02:10 . 2015-02-13 03:24 12800 ----a-w- c:\windows\system32\drivers\en-US\mup.sys.mui
2015-01-03 06:06 . 2010-12-17 17:41 249488 ------w- c:\windows\system32\MpSigStub.exe
2014-12-19 12:01 . 2014-12-19 12:01 481744 ----a-w- c:\windows\system32\PPTVLauncher.exe
2014-12-19 12:00 . 2014-12-19 12:00 2310992 ----a-w- c:\windows\system32\shellfire.dll
2014-12-19 00:25 . 2015-01-14 11:00 115200 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2014-12-10 23:58 . 2015-01-14 11:00 46592 ----a-w- c:\windows\system32\TSWbPrxy.exe
2014-12-06 03:14 . 2015-01-14 11:00 153600 ----a-w- c:\windows\system32\profsvc.dll
2014-12-06 03:14 . 2015-01-14 11:00 48640 ----a-w- c:\windows\system32\nlaapi.dll
2014-12-06 03:14 . 2015-01-14 11:00 174080 ----a-w- c:\windows\system32\nlasvc.dll
2014-12-06 03:14 . 2015-01-14 11:00 93184 ----a-w- c:\windows\system32\ncsi.dll
2014-12-03 02:06 . 2014-12-09 20:43 278528 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2015-01-29 978520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-11-13 138784]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-11-13 172064]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-11-13 173600]
"EMET 4.1 Agent"="d:\program files\EMET 4.1\EMET_agent.exe" [2013-11-21 78992]
"QHSafeTray"="c:\program files\360\Total Security\safemon\QHSafeTray.exe" [2015-02-10 1208944]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI.exe" [2012-12-18 6106336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 1
"LocalAccountTokenFilterPolicy"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoScrSavPage"= 0 (0x0)
"NoDispApprearancePage"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e00e0804]
IME File REG_SZ IMSC40A.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
R3 360Camera;360Safe Camera Filter Service;c:\windows\system32\Drivers\360Camera.sys [2014-10-16 34888]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-18 21520]
S1 360AntiHacker;360Safe Anti Hacker Service;c:\windows\system32\Drivers\360AntiHacker.sys [2014-10-16 88136]
S1 360Box;360Box mini-filter driver;c:\windows\system32\DRIVERS\360Box.sys [2015-02-10 202312]
S1 360SelfProtection;360SelfProtection;c:\windows\system32\drivers\360SelfProtection.sys [2014-10-16 174536]
S3 360AvFlt;360AvFlt mini-filter driver;c:\windows\system32\DRIVERS\360AvFlt.sys [2015-02-10 65608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL7651F318
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
LPDService REG_MULTI_SZ LPDSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
rsmsvcs REG_MULTI_SZ ntmssvc
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - d:\myprog~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: advfn.com\investorshub
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: dnb.com\iupdate
Trusted Zone: linkshare.com\login
Trusted Zone: medicare.gov\data
Trusted Zone: paypal.com\financing
Trusted Zone: piers.com\www
Trusted Zone: taobao.com
Trusted Zone: yahoo.com\login
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Sourcing\AppData\Roaming\Mozilla\Firefox\Profiles\xablwi5m.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-65634677.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\CISVC.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\msdtc.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\vds.exe
c:\windows\system32\conime.exe
c:\program files\Microsoft Security Client\NisSrv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2015-02-14 22:35:44 - machine was rebooted
ComboFix-quarantined-files.txt 2015-02-14 14:35
.
Pre-Run: 32,587,595,776 bytes free
Post-Run: 33,627,766,784 bytes free
.
- - End Of File - - 82DD12624D960EBC132FB8764C3D3806 09CE7397AF23D4C0B331B89D0297CC7E