Author Topic: [Inactive - K] "bad image" problem with .exe file in windows 8.1  (Read 4772 times)

Offline bigworld005

  • Bronze Member
  • Posts: 14
Hi, All,
  I have a Lenovo x240 laptop with Windows 8.1 Home. Three months back, I turned off my anti-virus software and forgot to turn it back on. Then I found that when I start my laptop, it keeps popping up warnings like "xxx.exe bad image", saying "secur32.dll" is not registered or something. I tried to go back to a restore point from about 2 weeks back, but it did not solve the problem. I wonder if anyone has some ideas.

regards,
tao
« Last Edit: March 20, 2015, 01:47:33 PM by kevinf80 »

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #1 on: March 05, 2015, 05:00:57 PM »
Hello tao and welcome to SpywareHammer,

Use the instructions in the following link to show hidden files:

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Thanks,

Kevin...
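Added example, not part of this thread and not Farbar's or SpywareHammer's code: once FRST.txt has been produced as described above, a helper like the one below can do a first pass over it. It walks the whitelisted sections FRST prints (Processes, Registry, Internet, Services, Drivers) and lists the entries a removal helper normally checks first: entries FRST itself marks "No File", "[Not Found]", "[File not signed]" or "=> [X]", entries with an empty publisher slot, autostart entries pointing into user-writable folders, and MountPoints2 autorun entries. The heuristics and the names `publisher`, `classify` and `triage` are this example's own; the sample lines embedded at the bottom are copied from the log posted in reply #2.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST.txt) logs.

Added example for the SpywareHammer thread; not Farbar's code. The
heuristics below are this example's own assumptions about what a
malware-removal helper looks at first, not FRST's own verdicts.
"""
import re

# Markers FRST itself appends to an entry when something is off.
FRST_MARKERS = ("No File", "[Not Found]", "[File not signed]", "=> [X]")

# Autostart entries (Run/RunOnce keys, Startup folder shortcuts) that point
# into user-writable folders are a common persistence spot, so they deserve
# a look even when they turn out to be benign.
AUTOSTART_RE = re.compile(r"\\Run(Once)?: |^Startup: |^ShortcutTarget: ")
USER_WRITABLE_RE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads)\\|%LOCALAPPDATA%|%APPDATA%|\\Temp\\)",
    re.IGNORECASE,
)

# Publisher as FRST prints it: "(Vendor) C:\path" in the Processes section,
# or "(Vendor)" after the "[size date]" block / after the file name elsewhere.
PROCESS_VENDOR_RE = re.compile(r"^\((?P<vendor>.*?)\) (?=[A-Za-z]:\\)")
TRAILING_VENDOR_RE = re.compile(
    r"(?:\] |\.(?:dll|exe|sys) )\((?P<vendor>.*?)\)(?: \[File not signed\])?$"
)


def publisher(line):
    """Publisher string FRST recorded, '' if the slot is empty,
    or None when the line carries no publisher slot at all."""
    m = PROCESS_VENDOR_RE.match(line) or TRAILING_VENDOR_RE.search(line)
    return m.group("vendor").strip() if m else None


def classify(line):
    """Reasons a reviewer would look at this FRST entry; empty list if none."""
    reasons = []
    for marker in FRST_MARKERS:
        if marker in line:
            reasons.append("FRST marker: " + marker)
    if publisher(line) == "":
        reasons.append("no publisher recorded")
    if AUTOSTART_RE.search(line) and USER_WRITABLE_RE.search(line):
        reasons.append("autostart from user-writable location")
    if "MountPoints2:" in line and re.search(r"autorun\.exe|LaunchU3\.exe", line, re.IGNORECASE):
        reasons.append("removable-media autorun entry")
    return reasons


def triage(log_text):
    """Scan an FRST log and return (line, reasons) for every flagged entry."""
    flagged = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("===================="):
            in_section = True          # first "====" header starts the entries
            continue
        if not in_section or not line or line.startswith("(If "):
            continue                   # header block, blank lines, FRST's own notes
        reasons = classify(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


# Sample input: lines copied from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
() C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [TpShocks] => C:\WINDOWS\system32\TpShocks.exe [382248 2013-06-20] (Lenovo.)
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\MountPoints2: {bef53511-80a9-11e3-be74-abb41238b129} - "D:\autorun.exe"
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1173\8.0.1173\TmBpIe64.dll No File

==================== Services (Whitelisted) =================

R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel(R) Corporation) [File not signed]
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [49040 2014-09-01] (Synaptics Incorporated)
R3 ikbevent; C:\Windows\system32\DRIVERS\ikbevent.sys [21048 2013-04-15] ()
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print("; ".join(why))
        print("    " + entry)
```

Run it against a saved FRST.txt by passing the file contents to `triage()`; the output is a short-list to read with the rest of the log, not a verdict, since unsigned vendor drivers and AppData-based updaters are often legitimate.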

Offline bigworld005

  • Bronze Member
  • Posts: 14
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #2 on: March 05, 2015, 10:00:47 PM »
Here is the scan result (FRST.txt):

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-03-2015 01
Ran by tao (administrator) on THINKPADX240 on 05-03-2015 21:42:46
Running from C:\User\tao\Downloads
Loaded Profiles: tao (Available profiles: tao)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe
(Infowatch) C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Juniper Networks) C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
(Lenovo) C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe
() C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\SettingsDependency\SettingsService.exe
(LENOVO INCORPORATED.) C:\Program Files\Lenovo\SystemAgent\SystemAgentService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\QuickControl\QuickControlMasterSvc.exe
(Raith GmbH) C:\Windows\SysWOW64\RaithDPGENService.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Synaptics Incorporated) C:\Windows\System32\valWBFPolicyService.exe
(Synaptics Incorporated) C:\Windows\System32\valWbioSyncSvc.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\micmute.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\QuickControl\QuickControlService.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\QuickControl\QuickControlInput.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\QuickControl\QuickControlInput.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(LENOVO INCORPORATED.) C:\Program Files\Lenovo\QuickSnipService\QuickSnipService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
() C:\Program Files (x86)\Lenovo\LocationAware\loctaskmgr.exe
(Lenovo) C:\Program Files\Lenovo\QuickSnipService\QuickSnipInput.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\QuickControl\QuickControl.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\shtctky.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Program Files (x86)\Lenovo\LocationAware\lpdagent.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\extapsup.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Lenovo.) C:\Windows\System32\TpShocks.exe
(Pokki) C:\Users\tao_zheng_2000\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
(Lenovo) C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\acrotray.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe
(Lenovo) C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Pokki) C:\Users\tao_zheng_2000\AppData\Local\Pokki\Engine\HostAppService.exe
(Pokki) C:\Users\tao_zheng_2000\AppData\Local\Pokki\Engine\HostAppService.exe
(Pokki) C:\Users\tao_zheng_2000\AppData\Local\Pokki\Engine\HostAppService.exe
(Pokki) C:\Users\tao_zheng_2000\AppData\Local\Pokki\Engine\StartMenuIndexer.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Pinyin 2\GooglePinyinDaemon.exe
(Raith GmbH) C:\RAITH150-TWO\Bin\RAITH150-TWO.EXE
() C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCTaskService.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [LenovoOptMouseUpdate] => C:\Program Files\Lenovo\HOTKEY\extapsup.exe [255480 2013-06-20] (Lenovo Group Limited)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [TpShocks] => C:\WINDOWS\system32\TpShocks.exe [382248 2013-06-20] (Lenovo.)
HKLM\...\Run: [LENOVO.TPKNRRES] => rundll32.exe "C:\Program Files\Lenovo\Communications Utility\LibStartStub.dll",AVStartupStub
HKLM\...\Run: [Trend Micro Client Framework] => "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
HKLM-x32\...\Run: [Integrated Camera_Monitor] => C:\Program Files (x86)\Integrated Camera\monitor.exe [1719968 2014-02-19] (SunplusIT, Inc.)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe [134616 2013-07-01] (Intel Corporation)
HKLM-x32\...\Run: [Fastboot] => C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe [738032 2014-01-09] (Lenovo)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [Acrobat Assistant 7.0] => C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [483328 2004-12-14] (Adobe Systems Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AVP] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\runner_avp.exe [24256 2013-11-11] (Kaspersky Lab ZAO)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\Run: [Google Update] => C:\Users\tao_zheng_2000\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2014-06-10] (Google Inc.)
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\RunOnce: [Application Restart #2] => C:\Users\tao_zheng_2000\AppData\Local\Pokki\Engine\HostAppService.exe [7846216 2015-02-19] (Pokki)
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\RunOnce: [Application Restart #1] => C:\Users\tao_zheng_2000\AppData\Local\Pokki\Engine\HostAppService.exe [7846216 2015-02-19] (Pokki)
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\MountPoints2: D - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\MountPoints2: {5b4e9e3c-8245-11e3-be78-7c7a9104e23b} - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\MountPoints2: {bef53511-80a9-11e3-be74-abb41238b129} - "D:\autorun.exe"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\Windows\Installer\{AC76BA86-2052-0000-7760-100000000002}\SC_Acrobat.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
ShellIconOverlayIdentifiers: [KAVOverlayIcon] -> {dd230880-495a-11d1-b064-008048ec2fc5} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\shellex.dll (Kaspersky Lab ZAO)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers-x32: [KAVOverlayIcon] -> {dd230880-495a-11d1-b064-008048ec2fc5} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\shellex.dll (Kaspersky Lab ZAO)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-487566617-3313998233-832641343-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo13-comm.msn.com/?pc=LNJB
HKU\S-1-5-21-487566617-3313998233-832641343-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo13-comm.msn.com/?pc=LNJB
HKU\S-1-5-21-487566617-3313998233-832641343-1001\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://home.lenovo.com
HKU\S-1-5-21-487566617-3313998233-832641343-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://home.lenovo.com/
SearchScopes: HKU\S-1-5-21-487566617-3313998233-832641343-1001 -> DefaultScope {1ABB865E-2749-4921-BDCE-E725C6090AE2} URL =
SearchScopes: HKU\S-1-5-21-487566617-3313998233-832641343-1001 -> {1ABB865E-2749-4921-BDCE-E725C6090AE2} URL =
BHO: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
BHO: TmIEPlugInBHO Class -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files\Trend Micro\AMSP\module\20013\3.0.1313\1.6.1102\TmopIEPlg.dll No File
BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1173\8.0.1173\TmBpIe64.dll No File
BHO: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
BHO-x32: TmIEPlugInBHO Class -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files\Trend Micro\AMSP\module\20013\3.0.1313\1.6.1102\TmopIEPlg32.dll No File
BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
BHO-x32: AcroIEToolbarHelper Class -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1173\8.0.1173\TmBpIe32.dll No File
BHO-x32: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-487566617-3313998233-832641343-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM {AA570693-00E2-4907-B6F1-60A1199B030C} https://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1173\8.0.1173\TmBpIe32.dll No File
Handler: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - C:\Program Files\Trend Micro\AMSP\module\20013\3.0.1313\1.6.1102\TmopIEPlg32.dll No File
Tcpip\Parameters: [DhcpNameServer] 10.182.70.24 10.180.14.69

FireFox:
========
FF ProfilePath: C:\Users\tao_zheng_2000\AppData\Roaming\Mozilla\Firefox\Profiles\d377c4il.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.1 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll (Nitro PDF)
FF Plugin-x32: @qq.com/npchrome -> C:\Program Files (x86)\Common Files\Tencent\Npchrome\npchrome.dll (Tencent)
FF Plugin-x32: @qq.com/npqscall -> C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll (Tencent)
FF Plugin-x32: @qq.com/TXSSO -> C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.2.1\Bin\npSSOAxCtrlForPTLogin.dll (Tencent)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-487566617-3313998233-832641343-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\tao_zheng_2000\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKU\S-1-5-21-487566617-3313998233-832641343-1001: @talk.google.com/O1DPlugin -> C:\Users\tao_zheng_2000\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKU\S-1-5-21-487566617-3313998233-832641343-1001: @tools.google.com/Google Update;version=3 -> C:\Users\tao_zheng_2000\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-487566617-3313998233-832641343-1001: @tools.google.com/Google Update;version=9 -> C:\Users\tao_zheng_2000\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\tao_zheng_2000\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\tao_zheng_2000\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF HKLM\...\Firefox\Extensions: [tmbepff@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1173\8.0.1173\firefoxextension
FF HKLM-x32\...\Firefox\Extensions: [tmbepff@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1173\8.0.1173\firefoxextension
FF HKLM-x32\...\Firefox\Extensions: [{BBB77B49-9FF4-4d5c-8FE2-92B1D6CD696C}] - C:\Program Files\Trend Micro\AMSP\module\20013\FxExt\firefoxextension
FF HKLM-x32\...\Firefox\Extensions: [url_advisor@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\url_advisor@kaspersky.com
FF Extension: Kaspersky URL Advisor - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\url_advisor@kaspersky.com [2015-02-24]
FF HKLM-x32\...\Firefox\Extensions: [virtual_keyboard@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\virtual_keyboard@kaspersky.com
FF Extension: Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\virtual_keyboard@kaspersky.com [2015-02-24]
FF HKLM-x32\...\Firefox\Extensions: [content_blocker@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\content_blocker@kaspersky.com
FF Extension: Gevaarlijke websiteblokkering - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\content_blocker@kaspersky.com [2015-02-24]
FF HKLM-x32\...\Firefox\Extensions: [anti_banner@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\anti_banner@kaspersky.com
FF Extension: Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\anti_banner@kaspersky.com [2015-02-24]
FF HKLM-x32\...\Firefox\Extensions: [online_banking@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\online_banking@kaspersky.com
FF Extension: Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\FFExt\online_banking@kaspersky.com [2015-02-24]
FF HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: McAfee Security Scan Plus - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]

Chrome:
=======
CHR Profile: C:\Users\tao_zheng_2000\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\tao_zheng_2000\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-12]
CHR Extension: (Google Drive) - C:\Users\tao_zheng_2000\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-12]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\tao_zheng_2000\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-17]
CHR Extension: (YouTube) - C:\Users\tao_zheng_2000\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-12]
CHR Extension: (Google Search) - C:\Users\tao_zheng_2000\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-12]
CHR Extension: (Google Wallet) - C:\Users\tao_zheng_2000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-18]
CHR Extension: (Gmail) - C:\Users\tao_zheng_2000\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-12]
CHR HKLM-x32\...\Chrome\Extension: [bmiabdepfhhiieiipmeecdmeljggmfee] - C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1135\8.0.1135\chrome_tmbep.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - http://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [dchlnpcodkpfdpacogkljefecpegganj] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\ChromeExt\urladvisor.crx [2013-11-11]
CHR HKLM-x32\...\Chrome\Extension: [fmgckcapmffomaifonnhgkfdgljnkpgi] - No Path Or update_url value
CHR HKLM-x32\...\Chrome\Extension: [hakdifolhalapjijoafobooafbilfakh] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\ChromeExt\online_banking_chrome.crx [2013-11-11]
CHR HKLM-x32\...\Chrome\Extension: [hghkgaeecgjhjkannahfamoehjmkjail] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\ChromeExt\content_blocker_chrome.crx [2013-11-11]
CHR HKLM-x32\...\Chrome\Extension: [jagncdcchgajhfhijbbhecadmaiegcmh] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\ChromeExt\virtkbd.crx [2013-11-11]
CHR HKLM-x32\...\Chrome\Extension: [lpoimibckejjdjcfbdnajaicnklhfplh] - https://chrome.google.com/webstore/detail/lpoimibckejjdjcfbdnajaicnklhfplh [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [pjldcfjmnllhmgjclecdnfampinooman] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\ChromeExt\ab.crx [2013-11-11]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AVControlCenter; C:\Program Files\Lenovo\Communications Utility\AVControlCenter32.exe [573488 2014-03-04] (Lenovo Corporation)
R2 AVP; C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe [356128 2013-11-11] (Kaspersky Lab ZAO)
S4 BrcmSetSecurity; C:\Program Files\Intel Corporation\Intel WiDi\BrcmSetSecurity.exe [283296 2013-07-26] (Intel Corporation)
R2 CSObjectsSrv; C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [818888 2013-09-25] (Infowatch)
R2 FastbootService; C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [140016 2014-01-09] (Lenovo)
R2 hasplms; C:\WINDOWS\system32\hasplms.exe [4683144 2014-06-02] (SafeNet Inc.)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel(R) Corporation)
R2 Intel(R) Wireless Bluetooth(R) 4.0 Radio Management; C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe [155448 2013-08-19] (Intel Corporation)
R2 ISCTAgent; C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe [182760 2013-04-15] ()
S3 iumsvc; C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [174368 2014-02-28] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-07-01] (Intel Corporation)
R2 Lenovo QuickSnip Service; C:\Program Files\lenovo\QuickSnipService\QuickSnipService.exe [219976 2013-06-05] (LENOVO INCORPORATED.)
R2 Lenovo Settings Service; C:\Program Files\Lenovo\SettingsDependency\SettingsService.exe [2085184 2014-03-10] (Lenovo Group Limited)
R2 Lenovo System Agent Service; C:\Program Files\lenovo\SystemAgent\SystemAgentService.exe [562504 2013-06-05] (LENOVO INCORPORATED.)
S3 LENOVO.TVTVCAM; C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [702512 2014-03-04] (Lenovo Corporation)
R2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [136288 2012-08-10] (Lenovo Group Limited)
R2 LocationTaskManager; C:\Program Files (x86)\Lenovo\LocationAware\loctaskmgr.exe [468288 2013-12-11] ()
S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [272776 2014-10-16] ()
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273136 2013-08-28] ()
R2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-08-17] (Nitro PDF Software)
S2 omniserv; C:\Program Files\Lenovo\Fingerprint Manager Pro\OmniServ.exe [94720 2014-09-25] (Softex Inc.) [File not signed]
R2 QuickControlMasterSvc; C:\Program Files (x86)\Lenovo\QuickControl\QuickControlMasterSvc.exe [59384 2013-07-16] (Lenovo Group Limited)
R3 QuickControlService; C:\Program Files (x86)\Lenovo\QuickControl\QuickControlService.exe [138232 2013-07-16] (Lenovo Group Limited)
R2 RaithSCSIService; C:\WINDOWS\SysWOW64\RaithDPGENService.exe [458752 2010-02-23] (Raith GmbH) [File not signed]
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [24560 2014-06-18] ()
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [49040 2014-09-01] (Synaptics Incorporated)
R2 valWbioSyncSvc; C:\Windows\system32\valWbioSyncSvc.exe [32256 2014-09-01] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3378416 2013-08-28] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
R3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1385272 2013-08-01] (Motorola Solutions, Inc.)
R0 CSCrySec; C:\Windows\System32\DRIVERS\CSCrySec.sys [98504 2013-09-25] (Infowatch)
R1 CSVirtualDiskDrv; C:\Windows\system32\DRIVERS\CSVirtualDiskDrv.sys [67784 2013-09-25] (Infowatch)
S3 e1dexpress; C:\Windows\system32\DRIVERS\e1d64x64.sys [457496 2014-03-05] (Intel Corporation)
R0 Fastboot; C:\Windows\System32\DRIVERS\fastboot.sys [66288 2014-01-09] (Windows (R) Win 7 DDK provider)
R2 hardlock; C:\WINDOWS\system32\drivers\hardlock.sys [331608 2014-06-02] (SafeNet Inc.)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [113096 2013-08-06] (Intel Corporation)
R3 ikbevent; C:\Windows\system32\DRIVERS\ikbevent.sys [21048 2013-04-15] ()
R3 imsevent; C:\Windows\system32\DRIVERS\imsevent.sys [21048 2013-04-15] ()
R0 IntelHSWPcc; C:\Windows\System32\drivers\IntelPcc.sys [101976 2013-04-24] (Intel Corporation)
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [46568 2013-04-15] ()
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [458336 2015-02-24] (Kaspersky Lab ZAO)
S0 klelam; C:\Windows\System32\DRIVERS\klelam.sys [29792 2013-11-11] (Kaspersky Lab)
U5 klflt; C:\Windows\System32\Drivers\klflt.sys [92768 2015-02-25] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [627264 2015-02-25] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\system32\DRIVERS\klim6.sys [30304 2015-02-25] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\Windows\system32\DRIVERS\klkbdflt.sys [29280 2013-11-11] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\system32\DRIVERS\klmouflt.sys [29280 2013-11-11] (Kaspersky Lab ZAO)
R1 klwfp; C:\Windows\system32\DRIVERS\klwfp.sys [50448 2013-11-11] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\system32\DRIVERS\kneps.sys [177864 2015-02-24] (Kaspersky Lab ZAO)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-07-01] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3589600 2013-09-26] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\Netwew02.sys [3648480 2013-10-09] (Intel Corporation)
R1 OMNISMI; C:\windows\SysWOW64\drivers\omnismi.sys [14776 2013-06-28] ()
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [423128 2013-07-24] (Realsil Semiconductor Corporation)
R2 Sentinel64; C:\Windows\System32\Drivers\Sentinel64.sys [145448 2009-09-17] (SafeNet, Inc.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-04-07] (Synaptics Incorporated)
R1 SMIDriver; C:\Windows\System32\drivers\smi.sys [19760 2014-09-01] (Windows (R) Win 7 DDK provider)
S3 SPUVCbv; C:\Windows\System32\Drivers\SPUVCbv_x64.sys [1521312 2014-03-18] (Sunplus)
S3 SWIX64; C:\Program Files (x86)\Lenovo\System Update\tvsuhd64.sys [33856 2012-09-12] (Lenovo Group Limited)
R3 usb3Hub; C:\Windows\System32\drivers\usb3Hub.sys [206744 2013-06-20] (Windows (R) Win 7 DDK provider)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
R3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2015-03-04] ()

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-05 21:42 - 2015-03-05 21:45 - 00031391 _____ () C:\Users\tao_zheng_2000\Downloads\FRST.txt
2015-03-05 21:42 - 2015-03-05 21:42 - 00000000 ____D () C:\FRST
2015-03-05 21:37 - 2015-03-05 21:37 - 02092544 _____ (Farbar) C:\Users\tao_zheng_2000\Downloads\FRST64.exe
2015-03-05 03:13 - 2015-03-05 03:16 - 00000000 ____D () C:\a57a7e7788c93e75483987466ae0
2015-03-05 03:13 - 2015-03-05 03:16 - 00000000 ____D () C:\72d108e6e9a676e51d2e4b
2015-03-04 09:50 - 2015-03-04 09:50 - 00000000 ____D () C:\3d1ffa088a46175fd78397c3bfa3
2015-03-04 09:26 - 2015-03-04 09:26 - 00094656 _____ (CACE Technologies) C:\WINDOWS\system32\WPRO_41_2001woem.tmp
2015-03-03 23:37 - 2015-03-03 23:37 - 00000000 __SHD () C:\found.006
2015-03-02 19:41 - 2015-03-02 19:41 - 00000000 __SHD () C:\found.005
2015-02-25 16:41 - 2015-02-25 16:41 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-25 14:44 - 2015-02-25 14:44 - 00937033 _____ () C:\Users\tao_zheng_2000\Downloads\150micron_fixed.zip
2015-02-24 20:10 - 2014-12-13 15:28 - 00513488 _____ () C:\WINDOWS\SysWOW64\locale.nls
2015-02-24 20:10 - 2014-12-13 15:28 - 00513488 _____ () C:\WINDOWS\system32\locale.nls
2015-02-24 20:10 - 2014-10-28 19:27 - 01200128 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Globalization.dll
2015-02-24 20:10 - 2014-10-28 19:27 - 00323072 _____ (Microsoft Corporation) C:\WINDOWS\system32\GlobCollationHost.dll
2015-02-24 20:10 - 2014-10-28 19:04 - 00868352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Globalization.dll
2015-02-24 20:10 - 2014-10-28 19:04 - 00200704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GlobCollationHost.dll
2015-02-24 20:05 - 2015-02-24 20:05 - 00001282 _____ () C:\Users\tao_zheng_2000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Kaspersky PURE 3.0.lnk
2015-02-24 20:03 - 2013-11-11 22:18 - 00064856 _____ (Kaspersky Lab) C:\WINDOWS\system32\klfphc.dll
2015-02-24 20:03 - 2013-09-25 12:51 - 00098504 _____ (Infowatch) C:\WINDOWS\system32\Drivers\CSCrySec.sys
2015-02-24 20:03 - 2013-09-25 12:51 - 00067784 _____ (Infowatch) C:\WINDOWS\system32\Drivers\CSVirtualDiskDrv.sys
2015-02-24 20:02 - 2015-03-05 20:17 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2015-02-24 20:02 - 2015-02-25 12:30 - 00627264 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\Drivers\klif.sys
2015-02-24 20:02 - 2015-02-25 12:30 - 00092768 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\Drivers\klflt.sys
2015-02-24 20:02 - 2015-02-24 20:02 - 00000000 ____D () C:\Program Files (x86)\Kaspersky Lab
2015-02-21 16:42 - 2015-02-21 16:42 - 00000258 __RSH () C:\ProgramData\ntuser.pol
2015-02-21 12:48 - 2015-02-21 12:48 - 00653672 _____ () C:\Users\tao_zheng_2000\Downloads\150micronwire.zip
2015-02-19 12:14 - 2015-02-19 12:14 - 00072476 _____ () C:\Users\tao_zheng_2000\Downloads\2-19-15HSQ15A4.zip
2015-02-14 19:04 - 2015-01-22 22:41 - 06041600 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-02-14 19:04 - 2015-01-22 21:17 - 04300800 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-02-12 17:42 - 2015-02-12 17:42 - 00546840 _____ () C:\Users\tao_zheng_2000\Downloads\morimages_2.zip
2015-02-12 14:07 - 2015-02-12 14:07 - 00059061 _____ () C:\Users\tao_zheng_2000\Downloads\moreimages.zip
2015-02-11 18:59 - 2015-02-11 18:59 - 00408027 _____ () C:\Users\tao_zheng_2000\Downloads\prelim.zip
2015-02-10 16:52 - 2015-01-10 03:10 - 07472960 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-02-10 16:52 - 2015-01-10 03:10 - 01733440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2015-02-10 16:52 - 2015-01-10 02:28 - 01498360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2015-02-10 16:52 - 2015-01-10 01:00 - 00430080 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2015-02-10 16:52 - 2015-01-10 00:38 - 00359424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2015-02-10 16:52 - 2014-12-08 21:45 - 00393728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\scesrv.dll
2015-02-10 16:52 - 2014-12-08 19:56 - 00538624 _____ (Microsoft Corporation) C:\WINDOWS\system32\scesrv.dll
2015-02-10 16:52 - 2014-10-28 20:02 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
2015-02-10 16:52 - 2014-10-28 20:02 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64cpu.dll
2015-02-10 16:52 - 2014-10-28 19:57 - 00016896 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntvdm64.dll
2015-02-10 16:52 - 2014-10-28 19:15 - 00014336 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntvdm64.dll
2015-02-10 16:52 - 2014-10-28 19:13 - 00025600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\setup16.exe
2015-02-10 16:52 - 2014-10-28 19:13 - 00008704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\instnm.exe
2015-02-10 16:51 - 2015-01-19 12:42 - 01487976 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2015-02-10 16:51 - 2015-01-15 16:43 - 00563504 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2015-02-10 16:51 - 2015-01-15 16:43 - 00177984 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2015-02-10 16:51 - 2015-01-13 22:22 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2015-02-10 16:51 - 2015-01-13 21:53 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2015-02-10 16:51 - 2015-01-13 16:11 - 01762840 _____ (Microsoft Corporation) C:\WINDOWS\system32\WindowsCodecs.dll
2015-02-10 16:51 - 2015-01-13 16:04 - 01489072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WindowsCodecs.dll
2015-02-10 16:51 - 2015-01-11 21:09 - 25056256 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-02-10 16:51 - 2015-01-11 20:48 - 02885632 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-02-10 16:51 - 2015-01-11 20:48 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-02-10 16:51 - 2015-01-11 20:47 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
2015-02-10 16:51 - 2015-01-11 20:34 - 00816128 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-02-10 16:51 - 2015-01-11 20:25 - 19740160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-02-10 16:51 - 2015-01-11 20:21 - 00490496 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtmsft.dll
2015-02-10 16:51 - 2015-01-11 20:08 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-02-10 16:51 - 2015-01-11 20:07 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-02-10 16:51 - 2015-01-11 20:05 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2015-02-10 16:51 - 2015-01-11 20:02 - 02277888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-02-10 16:51 - 2015-01-11 19:58 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-02-10 16:51 - 2015-01-11 19:55 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-02-10 16:51 - 2015-01-11 19:51 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-02-10 16:51 - 2015-01-11 19:48 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-02-10 16:51 - 2015-01-11 19:48 - 00718848 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-02-10 16:51 - 2015-01-11 19:48 - 00374272 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-02-10 16:51 - 2015-01-11 19:46 - 02125824 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-02-10 16:51 - 2015-01-11 19:45 - 00418304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtmsft.dll
2015-02-10 16:51 - 2015-01-11 19:43 - 14401024 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-02-10 16:51 - 2015-01-11 19:34 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2015-02-10 16:51 - 2015-01-11 19:30 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-02-10 16:51 - 2015-01-11 19:27 - 02865152 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2015-02-10 16:51 - 2015-01-11 19:27 - 02358272 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-02-10 16:51 - 2015-01-11 19:25 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-02-10 16:51 - 2015-01-11 19:23 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-02-10 16:51 - 2015-01-11 19:23 - 00688640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-02-10 16:51 - 2015-01-11 19:23 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-02-10 16:51 - 2015-01-11 19:14 - 12829184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-02-10 16:51 - 2015-01-11 19:14 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-02-10 16:51 - 2015-01-11 19:02 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-02-10 16:51 - 2015-01-11 19:00 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-02-10 16:51 - 2015-01-11 18:56 - 01307136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-02-10 16:51 - 2015-01-11 18:55 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-02-10 16:51 - 2015-01-10 02:22 - 04175872 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-02-10 16:51 - 2014-12-19 02:57 - 00788680 _____ (Microsoft Corporation) C:\WINDOWS\system32\oleaut32.dll
2015-02-10 16:51 - 2014-12-19 02:25 - 00602776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\oleaut32.dll
2015-02-10 16:51 - 2014-12-08 17:12 - 00391526 _____ () C:\WINDOWS\system32\ApnDatabase.xml
2015-02-10 16:51 - 2014-10-28 20:51 - 00154112 _____ (Microsoft Corporation) C:\WINDOWS\system32\msaudite.dll
2015-02-10 16:51 - 2014-10-28 20:50 - 00736768 _____ (Microsoft Corporation) C:\WINDOWS\system32\adtschema.dll
2015-02-10 16:51 - 2014-10-28 20:06 - 00736768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\adtschema.dll
2015-02-10 16:51 - 2014-10-28 20:06 - 00154112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msaudite.dll
2015-02-10 16:51 - 2014-10-28 19:31 - 01441792 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2015-02-10 16:51 - 2014-10-28 19:15 - 00005632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wow32.dll
2015-02-10 16:51 - 2014-10-28 19:14 - 00004096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\user.exe
2015-02-10 10:13 - 2015-02-10 10:13 - 00014054 _____ () C:\Users\tao_zheng_2000\Downloads\order for Amyl acetate from aldrich 3-13-14.xlsx
2015-02-09 14:46 - 2015-02-09 14:46 - 00993876 _____ () C:\Users\tao_zheng_2000\Downloads\currentdimensions.zip
2015-02-05 15:05 - 2015-02-05 15:05 - 02485201 _____ () C:\Users\tao_zheng_2000\Downloads\FIXED_GateDiameter200microns.zip
2015-02-04 10:08 - 2015-02-04 10:08 - 00597602 _____ () C:\Users\tao_zheng_2000\Downloads\grounded Si(1).zip
2015-02-03 18:19 - 2015-02-03 18:19 - 01830756 _____ () C:\Users\tao_zheng_2000\Downloads\500v-2mm_0.zip
2015-02-03 05:13 - 2015-02-03 05:13 - 00000000 __SHD () C:\found.004

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-05 21:42 - 2013-08-22 08:46 - 00356857 _____ () C:\WINDOWS\setupact.log
2015-03-05 21:37 - 2014-01-17 23:11 - 00000000 ____D () C:\Users\tao_zheng_2000\AppData\Local\Pokki
2015-03-05 21:10 - 2014-06-10 09:41 - 00000970 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-487566617-3313998233-832641343-1001UA.job
2015-03-05 21:05 - 2014-09-10 10:40 - 00000932 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-05 21:00 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-03-05 20:32 - 2014-01-18 13:18 - 01323667 _____ () C:\WINDOWS\WindowsUpdate.log
2015-03-05 20:05 - 2014-09-10 10:40 - 00000928 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-05 19:10 - 2014-06-10 09:41 - 00000918 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-487566617-3313998233-832641343-1001Core.job
2015-03-05 03:49 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-03-05 03:12 - 2014-01-25 20:05 - 00000000 ____D () C:\Users\tao_zheng_2000\AppData\Local\CrashDumps
2015-03-04 09:38 - 2014-01-09 09:08 - 681992192 ___SH () C:\WINDOWS\lenovo_fastboot.img
2015-03-04 09:35 - 2014-01-17 23:12 - 00000000 ____D () C:\Users\tao_zheng_2000\AppData\Roaming\Nitro PDF
2015-03-04 09:32 - 2014-01-17 23:12 - 00000193 _____ () C:\Users\tao_zheng_2000\AppData\Local\RegisteredPackageInformation.xml
2015-03-04 09:28 - 2013-11-14 01:28 - 00863592 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-03-04 09:26 - 2014-01-09 09:01 - 00034752 _____ () C:\WINDOWS\system32\Drivers\WPRO_41_2001.sys
2015-03-04 09:21 - 2014-01-18 13:07 - 00000000 ____D () C:\ProgramData\Validity
2015-03-04 09:21 - 2013-08-22 08:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-03-04 09:19 - 2013-11-14 01:20 - 01381908 _____ () C:\WINDOWS\PFRO.log
2015-03-04 00:16 - 2014-01-18 13:10 - 00000000 ____D () C:\Users\tao_zheng_2000
2015-03-03 07:17 - 2014-01-23 23:57 - 00295552 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2015-03-02 18:47 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\system32\NDF
2015-03-02 18:19 - 2014-07-30 17:40 - 00000000 ____D () C:\Program Files (x86)\SaveSense
2015-03-02 15:55 - 2012-07-26 02:12 - 00000000 ____D () C:\WINDOWS\LiveKernelReports
2015-03-02 11:20 - 2014-06-17 13:08 - 00000000 ____D () C:\WINDOWS\Minidump
2015-03-02 11:19 - 2014-01-09 08:27 - 00171673 ____N () C:\WINDOWS\Minidump\030215-108125-01.dmp
2015-03-02 11:18 - 2014-09-10 10:32 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-25 12:30 - 2013-11-11 22:18 - 00030304 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\Drivers\klim6.sys
2015-02-25 05:34 - 2012-07-26 01:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-02-24 22:45 - 2014-01-17 23:18 - 00003596 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-487566617-3313998233-832641343-1001
2015-02-24 20:45 - 2013-08-22 07:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-02-24 20:32 - 2013-11-11 22:18 - 00458336 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\Drivers\kl1.sys
2015-02-24 20:32 - 2013-11-11 22:18 - 00177864 _____ (Kaspersky Lab ZAO) C:\WINDOWS\system32\Drivers\kneps.sys
2015-02-24 20:03 - 2013-08-22 07:25 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM
2015-02-24 20:02 - 2012-07-26 02:12 - 00000000 ___HD () C:\WINDOWS\ELAMBKUP
2015-02-24 19:56 - 2014-01-17 23:14 - 00002353 _____ () C:\Users\tao_zheng_2000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk
2015-02-21 16:42 - 2013-08-22 09:36 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2015-02-21 16:40 - 2014-01-24 00:04 - 00000000 ____D () C:\Users\tao_zheng_2000\AppData\Local\Trend Micro
2015-02-21 16:40 - 2014-01-24 00:02 - 00000000 ____D () C:\ProgramData\Trend Micro
2015-02-14 17:21 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\rescache
2015-02-14 09:52 - 2013-08-22 08:44 - 00484360 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-02-12 05:13 - 2014-01-18 11:02 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-02-12 05:04 - 2014-01-18 11:02 - 116773704 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-02-11 06:27 - 2014-01-19 00:01 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-11 06:27 - 2013-08-22 07:25 - 00000167 _____ () C:\WINDOWS\win.ini
2015-02-10 15:48 - 2014-08-28 16:17 - 00000000 ____D () C:\Users\tao_zheng_2000\Desktop\FED testing system
2015-02-10 10:21 - 2014-08-26 17:28 - 00000000 ____D () C:\Users\tao_zheng_2000\Documents\order request
2015-02-04 20:00 - 2014-09-10 10:40 - 00003904 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-04 20:00 - 2014-09-10 10:40 - 00003668 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-03 19:05 - 2014-06-10 09:41 - 00003934 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-487566617-3313998233-832641343-1001UA
2015-02-03 19:05 - 2014-06-10 09:41 - 00003554 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-487566617-3313998233-832641343-1001Core
2015-02-03 13:31 - 2014-11-30 20:45 - 00714720 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-02-03 13:31 - 2014-11-30 20:45 - 00106976 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2014-01-17 23:12 - 2014-02-08 12:11 - 0007920 _____ () C:\Users\tao_zheng_2000\AppData\Roaming\AbsoluteReminder.xml
2014-01-23 23:59 - 2014-01-23 23:59 - 0000036 _____ () C:\Users\tao_zheng_2000\AppData\Local\housecall.guid.cache
2014-01-17 23:12 - 2015-03-04 09:32 - 0000193 _____ () C:\Users\tao_zheng_2000\AppData\Local\RegisteredPackageInformation.xml
2014-01-09 09:06 - 2014-01-09 09:06 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\tao_zheng_2000\AppData\Local\Temp\fp_pl_pfs_installer-1.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\JuniperSetupClientInstaller.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct3A71.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct465C.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct5855.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct59A5.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct752F.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct77FD.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct9B9F.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\octC3E7.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\ose00000.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\qqsafeud.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\vlc-2.1.3-win32.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-03 04:34

==================== End Of Log ============================
« Last Edit: March 05, 2015, 10:16:22 PM by bigworld005 »

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #3 on: March 06, 2015, 03:22:29 AM »
Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, select Settings > Detection and Protection > Enable Scan for rootkit, and under Non-Malware Protection set both PUP and PUM to Treat detections as malware.
  • Now select Scan > Threat scan > Scan now.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
When the scan is completed, from the main GUI click on History > Application Logs. Find your scan log; the date when it was run will identify it. Checkmark the "select" box, then hit the "view" button. The history log window will open. At the bottom of that window are two options, "Copy to clipboard" and "Export".

Next,

Download AdwCleaner by Xplode onto your Desktop.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt, where n is the scan reference number.
Next,

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Next,

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

There, click Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.
If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe from the link you'll be given.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.
To perform the scan:
  • Make sure that Remove found threats is unchecked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under "Enable Stealth Technology" select "Change", then select any extra drives in that window.
  • Click Start.
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.
Please include this logfile in your next reply.

Don't forget to re-enable security software!

Next,

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.
Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Let me see those logs in your next reply, also give an update on any remaining issues or concerns...

Thank you,

Kevin....

Offline bigworld005

  • Bronze Member
  • Posts: 14
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #4 on: March 07, 2015, 01:30:45 PM »
Kevin,
Here are the results after 6 different scans. Thanks.
First, the Fixlog.txt:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-03-2015 01
Ran by tao_zheng_2000 at 2015-03-07 00:37:25 Run:1
Running from C:\Users\tao_zheng_2000\Downloads
Loaded Profiles: tao_zheng_2000 (Available profiles: tao_zheng_2000)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\RunOnce: [Application Restart #2] => C:\Users\tao_zheng_2000\AppData\Local\Pokki\Engine\HostAppService.exe [7846216 2015-02-19] (Pokki)
C:\Users\tao_zheng_2000\AppData\Local\Pokki
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\RunOnce: [Application Restart #1] => C:\Users\tao_zheng_2000\AppData\Local\Pokki\Engine\HostAppService.exe [7846216 2015-02-19] (Pokki)
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\MountPoints2: D - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\MountPoints2: {5b4e9e3c-8245-11e3-be78-7c7a9104e23b} - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-487566617-3313998233-832641343-1001\...\MountPoints2: {bef53511-80a9-11e3-be74-abb41238b129} - "D:\autorun.exe"
BHO: TmIEPlugInBHO Class -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files\Trend Micro\AMSP\module\20013\3.0.1313\1.6.1102\TmopIEPlg.dll No File
BHO-x32: TmIEPlugInBHO Class -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files\Trend Micro\AMSP\module\20013\3.0.1313\1.6.1102\TmopIEPlg32.dll No File
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1173\8.0.1173\TmBpIe32.dll No File
Toolbar: HKU\S-1-5-21-487566617-3313998233-832641343-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\8.0.1173\8.0.1173\TmBpIe32.dll No File
Handler: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - C:\Program Files\Trend Micro\AMSP\module\20013\3.0.1313\1.6.1102\TmopIEPlg32.dll No File
C:\Users\tao_zheng_2000\AppData\Local\Temp\fp_pl_pfs_installer-1.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\JuniperSetupClientInstaller.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct3A71.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct465C.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct5855.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct59A5.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct752F.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct77FD.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct9B9F.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\octC3E7.tmp.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\ose00000.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\qqsafeud.exe
C:\Users\tao_zheng_2000\AppData\Local\Temp\vlc-2.1.3-win32.exe
CustomCLSID: HKU\S-1-5-21-487566617-3313998233-832641343-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\tao_zheng_2000\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-487566617-3313998233-832641343-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\tao_zheng_2000\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-487566617-3313998233-832641343-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\tao_zheng_2000\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-487566617-3313998233-832641343-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\tao_zheng_2000\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\Users\tao\OneDrive:ms-properties
EmptyTemp:
end



*****************

HKU\S-1-5-21-487566617-3313998233-832641343-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Application Restart #2 => value deleted successfully.

"C:\Users\tao_zheng_2000\AppData\Local\Pokki" directory move:

Could not move "C:\Users\tao_zheng_2000\AppData\Local\Pokki" directory. => Scheduled to move on reboot.

HKU\S-1-5-21-487566617-3313998233-832641343-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Application Restart #1 => value deleted successfully.
"HKU\S-1-5-21-487566617-3313998233-832641343-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D" => Key deleted successfully.
"HKU\S-1-5-21-487566617-3313998233-832641343-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5b4e9e3c-8245-11e3-be78-7c7a9104e23b}" => Key deleted successfully.
HKCR\CLSID\{5b4e9e3c-8245-11e3-be78-7c7a9104e23b} => Key not found.
"HKU\S-1-5-21-487566617-3313998233-832641343-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bef53511-80a9-11e3-be74-abb41238b129}" => Key deleted successfully.
HKCR\CLSID\{bef53511-80a9-11e3-be74-abb41238b129} => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{959A5673-7971-48e6-AF54-58F745AC4ABC}" => Key deleted successfully.
"HKCR\CLSID\{959A5673-7971-48e6-AF54-58F745AC4ABC}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{959A5673-7971-48e6-AF54-58F745AC4ABC}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{959A5673-7971-48e6-AF54-58F745AC4ABC}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC}" => Key deleted successfully.
HKU\S-1-5-21-487566617-3313998233-832641343-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
"HKCR\PROTOCOLS\Handler\tmbp" => Key deleted successfully.
"HKCR\CLSID\{1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF}" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\tmop" => Key deleted successfully.
"HKCR\CLSID\{69FD7CE3-4604-4fe6-967C-49B9735CEE70}" => Key deleted successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\fp_pl_pfs_installer-1.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\fp_pl_pfs_installer.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\JuniperSetupClientInstaller.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\neoNCSetup64.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct3A71.tmp.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct465C.tmp.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct5855.tmp.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct59A5.tmp.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct752F.tmp.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct77FD.tmp.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\oct9B9F.tmp.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\octC3E7.tmp.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\qqsafeud.exe => Moved successfully.
C:\Users\tao_zheng_2000\AppData\Local\Temp\vlc-2.1.3-win32.exe => Moved successfully.
"HKU\S-1-5-21-487566617-3313998233-832641343-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => Key deleted successfully.
"HKU\S-1-5-21-487566617-3313998233-832641343-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => Key deleted successfully.
"HKU\S-1-5-21-487566617-3313998233-832641343-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => Key deleted successfully.
"HKU\S-1-5-21-487566617-3313998233-832641343-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => Key deleted successfully.
C:\Windows => ":nlsPreferences" ADS removed successfully.
"C:\Users\tao\OneDrive" => ":ms-properties" ADS not found.
EmptyTemp: => Removed 6.5 GB temporary data.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-03-07 01:05:01)<=

C:\Users\tao_zheng_2000\AppData\Local\Pokki => Is moved successfully.

==== End of Fixlog 01:05:01 ====


2nd) here is the FSS.txt

Farbar Service Scanner Version: 17-01-2015
Ran by tao_zheng_2000 (administrator) on 07-03-2015 at 13:10:42
Running from "C:\Users\tao_zheng_2000\Downloads"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
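The FSS log above reports two kinds of check: whether a service is running with its default start type, and whether the listed system binaries carry a valid digital signature. The PowerShell below is an added example written for this thread, not part of the thread or of Farbar's tools; it reproduces both checks for the services and files named in the log (the "default" start types for WinDefend and wscsvc are assumptions, only wuauserv's default is stated by the log).

```powershell
# Added example (not from the thread or from Farbar's FSS): repeat the service
# configuration and file-signature checks that the FSS log reports, for the
# services and files the log names. FSS prints "Demand" where WMI's StartMode
# says "Manual"; StartMode values are Boot/System/Auto/Manual/Disabled.
$Services = @(
    @{ Name = 'wuauserv';  ExpectedStart = 'Auto' }  # log: "default start type is Auto"
    @{ Name = 'WinDefend'; ExpectedStart = 'Auto' }  # assumption: Defender default on 8.1
    @{ Name = 'wscsvc';    ExpectedStart = 'Auto' }  # assumption: Security Center default
)

# Files taken from the log's "File Check" section.
$Files = @(
    "$env:SystemRoot\System32\wuaueng.dll",
    "$env:SystemRoot\System32\cryptsvc.dll",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\drivers\tcpip.sys",
    "$env:ProgramFiles\Windows Defender\MsMpEng.exe"
)

function Test-ServiceConfig {
    param([hashtable]$Spec)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$($Spec.Name)'"
    if (-not $svc) { return "$($Spec.Name): service not found" }
    $note = if ($svc.StartMode -ne $Spec.ExpectedStart) {
        "start type is $($svc.StartMode), default is $($Spec.ExpectedStart)"
    } else { 'start type OK' }
    # PathName is what FSS calls the ImagePath; a path outside the Windows
    # directory for a Microsoft service is worth a closer look.
    "$($Spec.Name): $($svc.State); $note; ImagePath=$($svc.PathName)"
}

function Test-FileSignature {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return "$Path => File not found" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Valid means the file matches its signature. HashMismatch is what a
    # modified or corrupt system file looks like. NotSigned on an older build
    # can also mean the file is signed only through a catalog, so confirm with
    # sfc /scannow before treating it as tampering.
    "$Path => $($sig.Status) ($($sig.SignerCertificate.Subject))"
}

$Services | ForEach-Object { Test-ServiceConfig $_ }
$Files    | ForEach-Object { Test-FileSignature $_ }
```

Run it from an elevated PowerShell prompt so Win32_Service returns every service.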

Offline bigworld005

  • Bronze Member
  • Posts: 14
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #5 on: March 07, 2015, 01:44:43 PM »
Kevin,
  Forgot to mention one thing: by the end of the "adware scan" or "junkware scan" (I do not remember clearly), I found out the "start menu" button/shortcut on the task bar of my Windows 8.1 is no longer functional. Here is the screenshot of the error message when I push it.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #6 on: March 07, 2015, 02:05:46 PM »
I do not see Hostappservice.exe listed as removed in any of the logs you've just posted...

What is the current status of your system, do you have any remaining issues or concerns?

Windows Updates are currently not running, wuauserv service is set to Demand. Do you have it set that way?

Edit....

Now I see what has happened, Pokki was removed, that is responsible for Hostappservice. If you want to keep that you will have to reinstall Pokki from http://www.pokki.com/
« Last Edit: March 07, 2015, 02:13:41 PM by kevinf80 »

Offline bigworld005

  • Bronze Member
  • Posts: 14
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #7 on: March 07, 2015, 02:30:31 PM »
Kevin,
  I turned my computer back on because I shut it down after all the scans. At this moment, besides the non-working "start menu" button, when I start up the computer, 2 of the old error messages showed (I think it is an improvement because it used to be 5-6 errors). The screenshots of the error messages are attached.

I have no idea of the status of "Windows Updates" or "wuauserv service". Should I do something about them?

thanks,

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #8 on: March 07, 2015, 04:01:53 PM »
Go to the following link: http://www.eightforums.com/tutorials/3047-sfc-scannow-command-run-windows-8-a.html  Scroll to and use "Option 2" to run sfc /scannow. Reboot when complete.

Then scroll to "Option 3" from same link to access the log, post that to your reply. Do the errors stop?

Offline bigworld005

  • Bronze Member
  • Posts: 14
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #9 on: March 07, 2015, 05:37:25 PM »
Kevin,
  While I am trying the new scan, there is one more thing about my laptop. When the laptop goes into "sleep" after a long time with no activity, I can touch the keyboard or the mouse to wake it up, but the laptop shows a black screen with a white mouse cursor; the cursor moves when you move the mouse. However, the display stays on the black screen forever. I wait for about 30 mins, then I have to turn the laptop off by pressing the power button, then turn it back on. This happened before I came to seek your help.

regards,
tao

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #10 on: March 07, 2015, 06:10:59 PM »
I do not believe that is a malware issue, probably a power setting. Does this happen when the laptop is on battery power or plugged in?

Offline bigworld005

  • Bronze Member
  • Posts: 14
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #11 on: March 07, 2015, 09:44:38 PM »
Kevin,
  I ran sfc /scannow 3 times because after each scan it says some of the corrupt files cannot be restored. The cbs.log file is attached as you suggested. The 2 old error messages which I attached as images are still there.

regards,
tao

Offline bigworld005

  • Bronze Member
  • Posts: 14
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #12 on: March 07, 2015, 10:05:01 PM »
The black screen thing happened when the laptop is plugged in or on battery.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #13 on: March 08, 2015, 04:04:00 AM »
Re-register the secr.dll file, see if that action clears the errors at boot:

Select the Windows key and X key together > from the list select Command.exe (Admin)

In the cmd window type or copy/paste the following at the prompt: regsvr32 /u C:\Windows\System32\Secur.dll and hit the enter key.

In the cmd window type the following at the prompt: regsvr32 C:\Windows\System32\Secur.dll and hit the enter key.

Reboot, do the alerts clear?

Offline bigworld005

  • Bronze Member
  • Posts: 14
Re: [Inactive - K] "bad image" problem with .exe file in windows 8.1
« Reply #14 on: March 08, 2015, 12:16:25 PM »
Kevin,
  The repair could not be finished, see the attached screenshot. I wonder if I should run a disk scan somehow to make sure my hard drive is not bad at this moment.

regards,
tao