DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.17267
Run by Paterson at 6:48:23 on 2017-03-18
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4091.1371 [GMT 1:00]
.
AV: Avast Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AV: Malwarebytes *Enabled/Updated* {23007AD3-69FE-687C-2629-D584AFFAF72B}
AV: 360 Total Security *Enabled/Updated* {0371CA44-3F80-A1D3-BECE-910620B58D50}
SP: Malwarebytes *Enabled/Updated* {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: 360 Total Security *Enabled/Updated* {B8102BA0-19BA-AE5D-847E-AA745B32C7ED}
SP: Avast Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files (x86)\Baidu Security\MoboMarket\1.2.8.4379\bassvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Windows\SysWow64\WinFLService.exe
C:\Program Files (x86)\baidu\Baidu Browser\sparkservice.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\vSnapshot\1.0.0.0\vSnapshotServ.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\SysWOW64\WinFLTray.exe
C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Baidu Security\MoboMarket\1.2.8.4379\bas_helper.exe
C:\Program Files (x86)\USB Disk Security\USBGuard.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Alwil Software\Avast5\avastui.exe
C:\Program Files\CCleaner\CCleaner64.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_24_0_0_194.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Users\Paterson\AppData\Local\Temp\Rar$EXa0.283\Tcpview.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://en.hao123.com/?tn=fa_pro_hp_01_hao123_en&fr=EHc212kXWeFt6BhcHTRq9j1XFvEVdw==
mWinlogon: Userinit = userinit.exe,
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
BHO: SafeMon Class: {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program Files (x86)\360\Total Security\safemon\safemon.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [WinFLTray] C:\Windows\SysWow64\WinFLTray.exe
uRun: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
mRun: [USB Security] C:\Program Files (x86)\USB Disk Security\USBGuard.exe
mRun: [AvastUI.exe] "C:\Program Files\Alwil Software\Avast5\AvastUI.exe" /nogui
mRun: [QHSafeTray] "C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /start
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: Add Web Page to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\AcroIEFavStub.dll/AcroIEAppend.html
IE: Append Lin&k Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\AcroIEFavStub.dll/AcroIEAppendSelLinks.html
IE: Convert &Web Page to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\AcroIEFavStub.dll/AcroIECapture.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\AcroIEFavStub.dll/AcroIECaptureSelLinks.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: localhost
Trusted Zone: webcompanion.com
TCP: NameServer = 192.168.1.1 0.0.0.0
TCP: Interfaces\{0D44ABDD-CB99-4AEC-8767-6A424F529103} : DHCPNameServer = 192.168.1.1 0.0.0.0
TCP: Interfaces\{0D44ABDD-CB99-4AEC-8767-6A424F529103}\35143514 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{0D44ABDD-CB99-4AEC-8767-6A424F529103}\65F6461666F6E656D4F62696C65675966496D2241313348303 : DHCPNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{0D44ABDD-CB99-4AEC-8767-6A424F529103}\C65696A7F6 : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SSODL: WebCheck - 
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-BHO: SafeMon Class: {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll
x64-Run: [Malwarebytes TrayApp] C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - 
x64-SSODL: WebCheck - 
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Paterson\AppData\Roaming\Mozilla\Firefox\Profiles\dhx6vvym.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo®
FF - prefs.js: browser.startup.homepage - google.rs/
FF - plugin: C:\Program Files (x86)\Acrobat Reader DC\Reader\AIR\nppdf32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_194.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2016-2-12 74544]
R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswvmm.sys [2016-2-12 293352]
R0 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2017-3-18 251840]
R1 360AntiHacker;360Safe Anti Hacker Service;C:\Windows\System32\drivers\360AntiHacker64.sys [2016-8-11 151784]
R1 360Box64;360Box mini-filter driver;C:\Windows\System32\drivers\360Box64.sys [2016-8-11 330472]
R1 360Camera;360Safe Camera Filter Service;C:\Windows\System32\drivers\360Camera64.sys [2016-8-11 40520]
R1 360FsFlt;360FsFlt mini-filter driver;C:\Windows\System32\drivers\360fsflt.sys [2016-8-11 391392]
R1 aswKbd;aswKbd;C:\Windows\System32\drivers\aswKbd.sys [2016-2-12 37144]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswsnx.sys [2016-2-12 969184]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswsp.sys [2016-2-12 513632]
R1 BAPIDRV;BAPIDRV;C:\Windows\System32\drivers\BAPIDRV64.SYS [2016-8-11 188864]
R1 BprotectEx;Baidu ProtectEx;C:\Windows\System32\drivers\BprotectEx.sys [2016-12-17 93512]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;C:\Windows\System32\drivers\mbae64.sys [2017-3-18 77408]
R1 ndisrd;WinpkFilter LightWeight Filter;C:\Windows\System32\drivers\ndisrd.sys [2014-8-14 43088]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2016-2-12 108816]
R2 aswStm;aswStm;C:\Windows\System32\drivers\aswStm.sys [2016-2-12 163416]
R2 Autodesk Content Service;Autodesk Content Service;C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2014-2-7 31192]
R2 avast! Antivirus;Avast Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2016-9-26 197128]
R2 BASSVC;Baidu MoboMarket Service;C:\Program Files (x86)\Baidu Security\MoboMarket\1.2.8.4379\bassvc.exe [2014-12-17 208928]
R2 FLService;FLService;C:\Windows\SysWOW64\WinFLService.exe [2016-2-7 93032]
R2 MBAMChameleon;MBAMChameleon;C:\Windows\System32\drivers\MBAMChameleon.sys [2017-3-18 186304]
R2 MBAMService;Malwarebytes Service;C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [2017-3-18 4355024]
R2 NEWDRIVER;NEWDRIVER;C:\Windows\SysWOW64\WinVDEdrv6.sys [2016-2-7 197648]
R2 QHActiveDefense;360 Total Security;C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe [2016-8-11 928168]
R2 SparkSvc;Baidu Spark Service;C:\Program Files (x86)\baidu\Baidu Browser\sparkservice.exe [2017-1-3 97080]
R2 ThevSnapshotService;The vSnapshot Service;C:\Program Files (x86)\vSnapshot\1.0.0.0\vSnapshotServ.exe [2016-12-24 152264]
R2 WinVDEDrv;WinVDEDrv;C:\Windows\SysWOW64\WinVDEdrv.sys [2016-2-7 225680]
R3 360AvFlt;360AvFlt mini-filter driver;C:\Windows\System32\drivers\360AvFlt.sys [2016-8-11 86248]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2009-6-10 270848]
R3 MBAMFarflt;MBAMFarflt;C:\Windows\System32\drivers\farflt.sys [2017-3-18 111544]
R3 MBAMProtection;MBAMProtection;C:\Windows\System32\drivers\mbam.sys [2017-3-18 43968]
R3 MBAMWebProtection;MBAMWebProtection;C:\Windows\System32\drivers\mwac.sys [2017-3-18 82208]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
R3 taphss6;Anchorfree HSS VPN Adapter;C:\Windows\System32\drivers\taphss6.sys [2016-3-1 42064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2016-2-12 37656]
S3 Baidu PC Faster FileShredder;Baidu PC Faster FileShredder;C:\Program Files (x86)\PC Faster\5.1.0.0\FileKill_x64.sys [2016-12-17 21824]
S3 FlexNet Licensing Service 64;FlexNet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService64.exe [2016-2-1 1357104]
S3 hshld;Hotspot Shield Service;C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe [2016-8-24 2710648]
S3 IceDragonUpdater;COMODO IceDragon Update Service;C:\Program Files (x86)\Comodo\IceDragon\icedragon_updater.exe [2015-10-5 1972408]
S3 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2010-5-4 503080]
S3 PCFApiUtil;PCFApiUtil;C:\Program Files (x86)\PC Faster\5.1.0.0\PCFApiUtil64.sys [2015-3-31 144648]
S3 PCFasterSvc_{PCFaster_5.1.0.0};Baidu PC Faster Service 5.1.0.0;C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe [2015-5-7 1714448]
S3 SparkUpdater;Baidu Spark Updater;C:\Program Files (x86)\baidu\SparkUpdate\Sparkupdate.exe [2017-1-3 1371960]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=C:\Windows\System32\notepad.exe "%1"
ShellExec: SZBrowser.exe: open="C:\Program Files\AVAST Software\SZBrowser\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2017-03-18 04:53:02 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-03-18 04:27:48 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A52AB33A-D397-4DD5-BB43-E419F331872A}\offreg.3792.dll
2017-03-18 01:52:22 186304 ----a-w- C:\Windows\System32\drivers\MBAMChameleon.sys
2017-03-18 01:52:14 111544 ----a-w- C:\Windows\System32\drivers\farflt.sys
2017-03-18 01:52:13 82208 ----a-w- C:\Windows\System32\drivers\mwac.sys
2017-03-18 01:52:05 43968 ----a-w- C:\Windows\System32\drivers\mbam.sys
2017-03-18 01:51:58 251840 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2017-03-18 01:51:42 77408 ----a-w- C:\Windows\System32\drivers\mbae64.sys
2017-03-18 01:51:35 -------- d-----w- C:\ProgramData\Malwarebytes
2017-03-18 01:51:35 -------- d-----w- C:\Program Files\Malwarebytes
2017-03-18 01:14:12 12654400 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A52AB33A-D397-4DD5-BB43-E419F331872A}\mpengine.dll
2017-03-17 16:32:33 527816 ----a-w- C:\Program Files (x86)\Mozilla Firefox\minidump-analyzer.exe
2017-03-10 03:28:04 12654400 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2017-03-07 13:01:43 -------- d-----w- C:\Users\Paterson\AppData\Roaming\Tools
2017-03-07 13:01:43 -------- d-----w- C:\ProgramData\tools
2017-03-07 13:01:37 -------- d-----w- C:\Program Files (x86)\vSnapshot
2017-03-07 13:01:15 -------- d-----w- C:\Users\Paterson\AppData\Roaming\vSnapshot
2017-03-02 03:00:10 -------- d-----w- C:\Users\Paterson\AppData\Local\Yandex
2017-03-02 02:59:08 -------- d-----w- C:\Users\Paterson\AppData\Roaming\Yandex
2017-03-01 09:48:56 -------- d-----w- C:\Users\Paterson\AppData\Local\gtk-2.0
2017-03-01 09:48:04 -------- d-----w- C:\Users\Paterson\.thumbnails
2017-03-01 09:29:09 -------- d-----w- C:\Users\Paterson\AppData\Local\fontconfig
2017-03-01 09:29:07 -------- d-----w- C:\Users\Paterson\AppData\Local\gegl-0.2
2017-03-01 09:29:07 -------- d-----w- C:\Users\Paterson\.gimp-2.8
2017-03-01 09:28:01 -------- d-----w- C:\Program Files\GIMP 2
2017-02-28 12:34:16 -------- d-----w- C:\Users\Paterson\AppData\Roaming\VDownloader
2017-02-24 03:19:34 -------- d-----w- C:\Users\Paterson\AppData\Roaming\BitTorrent
2017-02-22 09:34:18 -------- d-----w- C:\Users\Paterson\AppData\Roaming\ocenaudio
2017-02-22 09:33:48 -------- d-----w- C:\Users\Paterson\AppData\Local\ocenaudio
2017-02-22 02:41:25 -------- d-----w- C:\Users\Paterson\AppData\Roaming\AIMP
2017-02-22 02:41:06 -------- d-----w- C:\Program Files (x86)\AIMP
2017-02-21 04:26:12 -------- d-----w- C:\Users\Paterson\AppData\Roaming\Rainmeter
2017-02-21 04:25:59 -------- d-----w- C:\Program Files\Rainmeter
2017-02-21 02:19:01 -------- d-----w- C:\Program Files\PeerBlock
2017-02-17 05:00:42 -------- d-----w- C:\Program Files (x86)\KI Expert 2011
.
==================== Find3M ====================
.
2017-02-21 16:12:46 802904 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2017-02-21 16:12:46 144472 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2017-02-06 08:14:59 330472 ----a-w- C:\Windows\System32\drivers\360Box64.sys
2017-02-06 08:14:58 86248 ----a-w- C:\Windows\SysWow64\drivers\360AvFlt.sys
2017-02-06 08:14:58 86248 ----a-w- C:\Windows\System32\drivers\360AvFlt.sys
.
============= FINISH: 6:54:12,81 ===============