Need help to remove svchost.exe trojan

Solved
By jays.traas
Jan 10, 2013
  1. Thanks in advance for helping me with this issue.

    A few days ago UnhackMe's RegRun Reanimator told me I had a suspicious program; it identified it as svchost.exe running from the temp folder in my AppData folder. I've tried everything: killed the processes, deleted the files that it creates in the temp folder, did file searches, etc., restarted the computer, and it's back there again. This is the first virus/trojan/malware that I've found on my computer that I have not been able to track down and delete from the source, but I'm no computer expert, far from it... just an average user. Any and all help is very appreciated.

    I used Rkill to kill the processes. Here's the log on that:

    Rkill 2.4.5 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 01/10/2013 06:23:22 PM in x64 mode.
    Windows Version: Windows 7 Ultimate Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * C:\Users\ADMN~1\AppData\Local\Temp\svchost.exe (PID: 3444) [SFI]

    1 proccess terminated!

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * No issues found.

    Checking Windows Service Integrity:

    * Windows Firewall (MpsSvc) is not Running.
    Startup Type set to: Disabled

    * Security Center (wscsvc) is not Running.
    Startup Type set to: Disabled

    * Windows Update (wuauserv) is not Running.
    Startup Type set to: Automatic (Delayed Start)

    * Windows Firewall Authorization Driver (mpsdrv) is not Running.
    Startup Type set to: Manual

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * No issues found.

    Program finished at: 01/10/2013 06:23:35 PM
    Execution time: 0 hours(s), 0 minute(s), and 12 seconds(s)
  2. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.01.10.06

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    admın :: ADMıN-PC [administrator]

    1/10/2013 6:27:57 PM
    mbam-log-2013-01-10 (18-27-57).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 230605
    Time elapsed: 3 minute(s), 47 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\admın\AppData\Local\Temp\svchost.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

    (end)
  3. jays.traas


    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.5.0
    Run by admın at 18:33:40 on 2013-01-10
    Microsoft Windows 7 Ultimate 6.1.7601.1.1254.90.1055.18.2046.274 [GMT 2:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft Security Client\NisSrv.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe
    C:\Utopia\Angel\Angel.exe
    C:\Program Files (x86)\Steam\Steam.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\System32\Notepad.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\admın\Downloads\dds.com
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.babylon.com/?affID=110021&tt=280612_6_&babsrc=HP_ss&mntrId=1a813b21000000000000001cf0c9416a
    mWinlogon: Userinit = userinit.exe,
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    TB: Babylon Toolbar: {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
    uRun: [Google Update] "C:\Users\admın\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe" -autorun
    uRun: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
    uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
    mRun: [Adobe] C:\ProgramData\Adobe\3D422E.vbe
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    mRunServicesOnce: [] C:\Windows\GIGATEMP\Patch.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: HideSCAHealth = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: Microsoft Excel'e &Ver - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    Trusted Zone: line6.net
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{26D9982C-60BF-4A1A-B593-D428CF93A2A0} : DHCPNameServer = 192.168.2.1
    TCP: Interfaces\{87342CD1-FF71-409D-A95B-74347ABAA8CE} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{BBEAA541-9425-4117-8BE9-94DA26EFE021} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{D52D4DA9-6AFE-4683-AF44-A9FD49C0FF39} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{FF913288-5A1B-4CB8-BC7B-1068999963B0} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{FF913288-5A1B-4CB8-BC7B-1068999963B0}\55E6C696D696475646C4F66756 : DHCPNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{FF913288-5A1B-4CB8-BC7B-1068999963B0}\A5565656565656 : DHCPNameServer = 195.175.39.40
    SSODL: WebCheck - <orphaned>
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    x64-SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\admın\AppData\Roaming\Mozilla\Firefox\Profiles\zdcv06km.default\
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-6-27 283200]
    R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
    R3 l6TportUX8;Service - Line 6 TonePort UX8;C:\Windows\System32\drivers\l6TportUX864.sys [2012-3-26 772224]
    R3 netr7364;Vista Için ASUS USB Kablosuz LAN Kartı Sürücüsü;C:\Windows\System32\drivers\netr7364.sys [2009-6-10 707072]
    R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-1 187392]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-6-28 20992]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-12 59392]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-5 1255736]
    SUnknown tsusbhub;tsusbhub; [x]
    .
    =============== Created Last 30 ================
    .
    2013-01-10 16:33:42  --------  d-----w-  C:\Users\admın\AppData\Local\Microsoft
    2013-01-10 16:26:41  24176     ----a-w-  C:\Windows\System32\drivers\mbam.sys
    2013-01-10 16:26:41  --------  d-----w-  C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-01-10 14:53:15  972264    ----a-w-  C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E1D0B32E-1388-4D41-A7A4-E254C7629429}\gapaengine.dll
    2013-01-10 14:53:12  9125352   ----a-w-  C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D3227F92-5703-4524-AB88-D6F3A073FB31}\mpengine.dll
    2013-01-10 14:50:28  --------  d-----w-  C:\Program Files (x86)\Microsoft Security Client
    2013-01-10 14:50:19  --------  d-----w-  C:\Program Files\Microsoft Security Client
    2013-01-10 11:29:50  --------  d-----w-  C:\TDSSKiller_Quarantine
    2013-01-10 09:04:42  750592    ----a-w-  C:\Windows\System32\win32spl.dll
    2013-01-10 09:04:42  492032    ----a-w-  C:\Windows\SysWow64\win32spl.dll
    2013-01-10 09:04:31  2002432   ----a-w-  C:\Windows\System32\msxml6.dll
    2013-01-10 09:04:31  1882624   ----a-w-  C:\Windows\System32\msxml3.dll
    2013-01-10 09:04:31  1389568   ----a-w-  C:\Windows\SysWow64\msxml6.dll
    2013-01-10 09:04:31  1236992   ----a-w-  C:\Windows\SysWow64\msxml3.dll
    2013-01-10 09:04:30  307200    ----a-w-  C:\Windows\System32\ncrypt.dll
    2013-01-10 09:04:30  220160    ----a-w-  C:\Windows\SysWow64\ncrypt.dll
    2013-01-10 09:04:15  68608     ----a-w-  C:\Windows\System32\taskhost.exe
    2013-01-10 09:04:15  3149824   ----a-w-  C:\Windows\System32\win32k.sys
    2013-01-09 16:17:23  --------  d-----w-  C:\Windows\RestoreSafeDeleted
    2013-01-08 10:26:02  9125352   ----a-w-  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2D8193DC-25CD-4FB6-ABA3-09913F07888E}\mpengine.dll
    2012-12-25 23:50:37  --------  d-----w-  C:\Users\admın\AppData\Roaming\Sports Interactive
    2012-12-21 18:56:09  46080     ----a-w-  C:\Windows\System32\atmlib.dll
    2012-12-21 18:56:09  367616    ----a-w-  C:\Windows\System32\atmfd.dll
    2012-12-21 18:56:09  34304     ----a-w-  C:\Windows\SysWow64\atmlib.dll
    2012-12-21 18:56:08  295424    ----a-w-  C:\Windows\SysWow64\atmfd.dll
    2012-12-18 16:33:38  --------  d-----w-  C:\Program Files (x86)\NVIDIA Corporation
    2012-12-18 16:33:23  --------  d-----w-  C:\Program Files (x86)\Common Files\Wise Installation Wizard
    2012-12-18 16:33:21  78680     ----a-w-  C:\Windows\System32\XAPOFX1_4.dll
    2012-12-18 16:33:21  74072     ----a-w-  C:\Windows\SysWow64\XAPOFX1_4.dll
    2012-12-18 16:33:21  530776    ----a-w-  C:\Windows\System32\XAudio2_6.dll
    2012-12-18 16:33:21  528216    ----a-w-  C:\Windows\SysWow64\XAudio2_6.dll
    2012-12-18 16:33:20  24920     ----a-w-  C:\Windows\System32\X3DAudio1_7.dll
    2012-12-18 16:33:20  238936    ----a-w-  C:\Windows\SysWow64\xactengine3_6.dll
    2012-12-18 16:33:20  22360     ----a-w-  C:\Windows\SysWow64\X3DAudio1_7.dll
    2012-12-18 16:33:20  176984    ----a-w-  C:\Windows\System32\xactengine3_6.dll
    2012-12-16 18:45:48  --------  d-----w-  C:\Program Files (x86)\Common Files\Steam
    2012-12-16 18:45:39  --------  d-----w-  C:\Program Files (x86)\Steam
    2012-12-16 18:44:19  --------  d-----w-  C:\Program Files (x86)\Metro
    2012-12-13 00:58:16  424960    ----a-w-  C:\Windows\System32\KernelBase.dll
    2012-12-13 00:54:50  2048      ----a-w-  C:\Windows\SysWow64\tzres.dll
    2012-12-13 00:54:50  2048      ----a-w-  C:\Windows\System32\tzres.dll
    2012-12-12 23:39:55  478208    ----a-w-  C:\Windows\System32\dpnet.dll
    2012-12-12 23:39:55  376832    ----a-w-  C:\Windows\SysWow64\dpnet.dll
    .
    ==================== Find3M ====================
    .
    2013-01-10 16:12:40  2         --shatr-  C:\Windows\winstart.bat
    2013-01-10 16:09:38  74248     ----a-w-  C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-01-10 16:09:38  697864    ----a-w-  C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-11-26 12:29:47  499712    ----a-w-  C:\Windows\SysWow64\msvcp71.dll
    2012-11-26 12:29:47  348160    ----a-w-  C:\Windows\SysWow64\msvcr71.dll
    2012-11-14 06:11:44  2312704   ----a-w-  C:\Windows\System32\jscript9.dll
    2012-11-14 06:04:11  1392128   ----a-w-  C:\Windows\System32\wininet.dll
    2012-11-14 06:02:49  1494528   ----a-w-  C:\Windows\System32\inetcpl.cpl
    2012-11-14 05:57:46  599040    ----a-w-  C:\Windows\System32\vbscript.dll
    2012-11-14 05:57:35  173056    ----a-w-  C:\Windows\System32\ieUnatt.exe
    2012-11-14 05:52:40  2382848   ----a-w-  C:\Windows\System32\mshtml.tlb
    2012-11-14 02:09:22  1800704   ----a-w-  C:\Windows\SysWow64\jscript9.dll
    2012-11-14 01:58:15  1427968   ----a-w-  C:\Windows\SysWow64\inetcpl.cpl
    2012-11-14 01:57:37  1129472   ----a-w-  C:\Windows\SysWow64\wininet.dll
    2012-11-14 01:49:25  142848    ----a-w-  C:\Windows\SysWow64\ieUnatt.exe
    2012-11-14 01:48:27  420864    ----a-w-  C:\Windows\SysWow64\vbscript.dll
    2012-11-14 01:44:42  2382848   ----a-w-  C:\Windows\SysWow64\mshtml.tlb
    2012-11-12 12:30:37  152576    ----a-w-  C:\Windows\SysWow64\msclmd.dll
    2012-11-12 12:30:36  175616    ----a-w-  C:\Windows\System32\msclmd.dll
    2012-11-11 21:46:04  189248    ----a-w-  C:\Windows\SysWow64\PnkBstrB.exe
    2012-11-11 21:46:02  75136     ----a-w-  C:\Windows\SysWow64\PnkBstrA.exe
    .
    ============= FINISH: 18:34:25.85 ===============
  4. jays.traas


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/28/2012 3:01:30 PM
    System Uptime: 1/10/2013 6:21:31 PM (0 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | EX58-UD3R
    Processor: Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz | Socket 1366 | 1592/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 391 GiB total, 139.038 GiB free.
    D: is FIXED (NTFS) - 540 GiB total, 533.586 GiB free.
    E: is CDROM (UDF)
    F: is CDROM ()
    G: is CDROM ()
    I: is Removable
    J: is Removable
    K: is Removable
    L: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP150: 1/8/2013 12:19:30 PM - RegRun Virus Scan
    RP151: 1/8/2013 12:22:01 PM - RegRun Virus Scan
    RP152: 1/8/2013 12:25:29 PM - Windows Update
    RP153: 1/9/2013 6:16:50 PM - RegRun Virus Scan
    RP154: 1/9/2013 7:22:04 PM - RegRun Virus Scan
    RP155: 1/10/2013 10:56:03 AM - RegRun Virus Scan
    RP156: 1/10/2013 11:39:54 AM - Installed Microsoft Fix it 50267
    RP157: 1/10/2013 12:59:17 PM - Windows Update
    RP158: 1/10/2013 1:14:21 PM - RegRun Virus Scan
    RP159: 1/10/2013 3:16:02 PM - Windows Update
    RP160: 1/10/2013 6:18:53 PM - RegRun Virus Scan
    .
    ==== Installed Programs ======================
    .
    2YourFace 1.0
    Acoustica Mixcraft 6
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.5) - Turkish
    AngryBirdsStarWars 1.00
    Antares Auto-Tune 3.03 DirectX
    Antares Auto-Tune Evo VST
    ASIO4ALL
    Assassin's Creed Brotherhood
    µTorrent
    Babylon toolbar on IE
    BabylonObjectInstaller
    Camel Audio Camel Phat VST v3.15
    ConcreteFX QDelay VST v1.0
    Cool Edit Pro 2.1
    Cuttermusic Revitar VSTi v1.1
    D3DX10
    Daemon Tools Pro v5.1.0
    Dash Signature EMM Knagalis VSTi v1.28
    Dash Signature theAbstractGuitar VSTi v1.18
    discoDSP Phantom v1.1
    discoDSP Vertigo v2.0
    Edirol HQ Orchestral v1.01
    Edirol Hyper Canvas
    Edirol SuperQuartet v1.02
    EZdrummer
    EZkeys Grand Piano 64
    EZkeys Player 64-bit
    EZmix 64-bit
    EZXClaustrophobic
    EZXCocktail
    EZXDfh
    EZXNashville
    EZXPercussion
    EZXTwisted
    EZXVintage
    FL Studio 10
    GForce.Software.Minimonsta.RTAS.VSTi.v1.03-DAC
    GMedia Music impOSCar VSTi v1.0.0.1
    GMediaMusic - Oddity VST2
    Google Chrome
    GR-55FloorBoard 20120227
    IL Download Manager
    IL Slicex
    Interlok driver setup x64
    iZotope Ozone DX Plugin v1.0.0.6
    iZotope Ozone v3.02
    iZotope Trash v1.02
    Java Auto Updater
    Java(TM) 7 Update 5
    K-Lite Codec Pack 7.1.0 (Full)
    Kiesel.Software.Helga.VSTi.v1.1b003-0xdBass
    Korg Legacy Collection v1.1.2
    Line 6 Uninstaller
    Malwarebytes Anti-Malware version 1.70.0.1100
    Metro 2033
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (Turkish) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (Turkish) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (Turkish) 2007
    Microsoft Office InfoPath MUI (Turkish) 2007
    Microsoft Office Office 64-bit Components 2007
    Microsoft Office OneNote MUI (Turkish) 2007
    Microsoft Office Outlook MUI (Turkish) 2007
    Microsoft Office PowerPoint MUI (Turkish) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Turkish) 2007
    Microsoft Office Proofing (Turkish) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (Turkish) 2007
    Microsoft Office Shared 64-bit MUI (Turkish) 2007
    Microsoft Office Shared MUI (Turkish) 2007
    Microsoft Office Word MUI (Turkish) 2007
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    mIRC
    Mopis VSTi v1.1
    Morphine
    Mozilla Firefox 17.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    Native Instruments - Rig Kontrol 3 Driver
    Native Instruments FM7
    Native Instruments Guitar Rig 3
    Native Instruments Service Center
    Nomad Factory Blue Tubes Bundle v2.0
    Nomad Factory Liquid Bundle VST v1.6
    Nomad Factory Rock Amp Legends VST v1.0
    Novation Bass-Station VSTi v1.10
    NVIDIA PhysX
    PoiZone
    PunkBuster Services
    quantum-fx 1.06
    Rapture 1.0
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    ReFX Vanguard VSTi v1.03 Retail
    ReFX Vanguard VSTi v1.04
    Rock EZmix pack
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
    Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
    Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
    Steam
    Sytrus
    Total Commander 64-bit (Remove or Repair)
    Toxic Biohazard
    ToxicIII v1.0 DEMO
    Ubisoft Game Launcher
    Unity Session Demo
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760586) 32-Bit Edition
    Wasp
    Waves 4.0
    Windows Live Communications Platform
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Temel Parçalar
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    WinRAR arşiv yöneticisi
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/7/2013 9:23:29 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\DR5.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7034] - The Tanılama Hizmeti Ana Bilgisayarı service terminated unexpectedly. It has done this 1 time(s).
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7031] - The WinHTTP Web Proxy Otomatik Bulma Hizmeti service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7031] - The COM+ Olay Sistemi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7031] - The Ağ Listesi Hizmeti service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7031] - The Ağ Depo Arabirimi Hizmeti service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the WinHTTP Web Proxy Otomatik Bulma Hizmeti service to connect.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Ağ Depo Arabirimi Hizmeti service to connect.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Ağ Depo Arabirimi Hizmeti service to connect.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7001] - The Uzaktan Yordam Çağrısı (RPC) service depends on the RPC Bitiş Noktası Eşleştiricisi service which failed to start because of the following error: The service has returned a service-specific error code.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7001] - The Ağ Listesi Hizmeti service depends on the Uzaktan Yordam Çağrısı (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7001] - The Ağ Konumu Tanıma service depends on the Uzaktan Yordam Çağrısı (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7000] - The WinHTTP Web Proxy Otomatik Bulma Hizmeti service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7000] - The Ağ Depo Arabirimi Hizmeti service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/5/2013 12:31:40 PM, Error: Service Control Manager [7000] - The Ağ Depo Arabirimi Hizmeti service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/5/2013 12:31:37 PM, Error: Service Control Manager [7031] - The Uzaktan Yordam Çağrısı (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Makineyi yeniden başlatın.
    1/5/2013 12:31:37 PM, Error: Service Control Manager [7031] - The RPC Bitiş Noktası Eşleştiricisi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:33 PM, Error: Service Control Manager [7034] - The Ağ Konumu Tanıma service terminated unexpectedly. It has done this 3 time(s).
    1/5/2013 12:31:30 PM, Error: Service Control Manager [7031] - The IPsec İlke Aracısı service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:26 PM, Error: Service Control Manager [7031] - The Ağ Konumu Tanıma service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:17 PM, Error: Service Control Manager [7031] - The Şifreleme Hizmetleri service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:17 PM, Error: Service Control Manager [7031] - The DNS İstemcisi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:17 PM, Error: Service Control Manager [7031] - The Ağ Konumu Tanıma service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:17 PM, Error: Service Control Manager [7031] - The İş İstasyonu service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7034] - The Tanılama Sistemi Ana Bilgisayarı service terminated unexpectedly. It has done this 1 time(s).
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Windows Ses Bitiş Noktası Oluşturucu service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Windows Driver Foundation - Kullanıcı Modu Sürücü Çerçevesi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Taşınabilir Aygıt Numaralandırma Hizmeti service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Program Uyumluluk Yardımcısı Hizmeti service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Masaüstü Pencere Yöneticisi Oturum Yöneticisi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Kablosuz Yerel Ağ Otomatik Yapılandırma service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Hızlı Getirme service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Dağıtılmış Bağlantı İzleme İstemcisi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Çevrimdışı Dosyalar service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Ağ Bağlantıları service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Hizmeti yeniden başlat.
    1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The İnsan Arabirim Aygıtı Erişimi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
    1/10/2013 12:24:43 PM, Error: Service Control Manager [7000] - The Lavalys EVEREST Kernel Driver service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
    1/10/2013 11:40:20 AM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
    .
    ==== End Of File ===========================
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


    ComboFix scan

    Please download ComboFix by sUBs
    From TechSpot

    Direct Link (alternative)

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
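    The post above points out that malware often leaves a whitelist of well-known system process names alone, and the infection in this thread is the mirror image of that trick: a file called svchost.exe living in the user's Temp folder. The PowerShell check below is an added example, not part of this thread and not code from ComboFix or any other tool mentioned here. It lists every running process whose image name matches a core Windows binary but whose image path lies outside the Windows system directories, and reports the Authenticode status of that image. The name list and the set of trusted directories are assumptions chosen for the example; Win32_Process is used rather than Get-Process because it works on Windows 7 / PowerShell 2.0 and exposes the full command line.

```powershell
# Added example (not from the thread): find processes that carry a core Windows
# binary name but run from somewhere other than the Windows system directories,
# e.g. svchost.exe started from %TEMP% as described in this thread.
# Assumption: run from an elevated prompt so every process's image path is readable.

# Names that have no business running from a user-writable location (assumed list).
$systemNames = @('svchost.exe', 'explorer.exe', 'winlogon.exe', 'csrss.exe',
                 'lsass.exe', 'services.exe', 'taskhost.exe', 'iexplore.exe')

# Directories treated as legitimate homes for those names (assumed list).
# Each entry is normalised to lower case with a trailing backslash so that
# prefix matching cannot be fooled by e.g. C:\Windows\System32Fake\.
$trusted = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }

function Test-TrustedPath {
    param([string]$Path)
    $p = $Path.ToLowerInvariant()
    foreach ($t in $trusted) {
        if ($p.StartsWith($t)) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-WmiObject -Class Win32_Process) {
    # Protected or already-exited processes report no path; skip them.
    if (-not $proc.ExecutablePath) { continue }

    $name = [System.IO.Path]::GetFileName($proc.ExecutablePath).ToLowerInvariant()
    if ($systemNames -notcontains $name) { continue }
    if (Test-TrustedPath $proc.ExecutablePath) { continue }

    # A genuine Windows binary is signed; a masquerading copy usually is not.
    $sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        PID         = $proc.ProcessId
        Name        = $name
        Path        = $proc.ExecutablePath
        Signature   = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer      = $signer
        CommandLine = $proc.CommandLine
    }
}

if ($findings) {
    $findings | Format-List PID, Name, Path, Signature, Signer, CommandLine
} else {
    'No core Windows binary names are running from untrusted locations.'
}
```

    A hit is a lead rather than a verdict, but svchost.exe has no legitimate reason to run from a Temp folder, and an unsigned or hash-mismatched image with a system name is the second signal a responder would want before killing the process and tracing its loading point (in this thread the scan logs eventually point at Run-key and Temp-folder entries).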
  6. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Thanks so much. Here is the log from Combofix.


    ComboFix 13-01-08.01 - admın 01/10/2013 22:55:35.2.8 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1254.90.1055.18.2046.971 [GMT 2:00]
    Running from: c:\users\admın\Downloads\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\admın\Documents\~WRL1995.tmp
    c:\utopia\Angel\Angel.exe
    c:\windows\PFRO.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-10 to 2013-01-10 )))))))))))))))))))))))))))))))
    .
    .
    2013-01-10 21:01 . 2013-01-10 21:01--------d-----w-c:\users\Default\AppData\Local\temp
    2013-01-10 16:33 . 2013-01-10 16:33--------d-----w-c:\users\adm²n
    2013-01-10 16:26 . 2013-01-10 16:26--------d-----w-c:\program files (x86)\Malwarebytes' Anti-Malware
    2013-01-10 16:26 . 2012-12-14 14:4924176----a-w-c:\windows\system32\drivers\mbam.sys
    2013-01-10 14:53 . 2013-01-10 14:53972264----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E1D0B32E-1388-4D41-A7A4-E254C7629429}\gapaengine.dll
    2013-01-10 14:53 . 2012-11-08 07:249125352----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D3227F92-5703-4524-AB88-D6F3A073FB31}\mpengine.dll
    2013-01-10 14:50 . 2013-01-10 14:50--------d-----w-c:\program files (x86)\Microsoft Security Client
    2013-01-10 14:50 . 2013-01-10 14:50--------d-----w-c:\program files\Microsoft Security Client
    2013-01-10 11:29 . 2013-01-10 11:29--------d-----w-C:\TDSSKiller_Quarantine
    2013-01-10 09:04 . 2012-11-09 05:45750592----a-w-c:\windows\system32\win32spl.dll
    2013-01-10 09:04 . 2012-11-09 04:43492032----a-w-c:\windows\SysWow64\win32spl.dll
    2013-01-10 09:04 . 2012-11-01 05:432002432----a-w-c:\windows\system32\msxml6.dll
    2013-01-10 09:04 . 2012-11-01 05:431882624----a-w-c:\windows\system32\msxml3.dll
    2013-01-10 09:04 . 2012-11-01 04:471389568----a-w-c:\windows\SysWow64\msxml6.dll
    2013-01-10 09:04 . 2012-11-01 04:471236992----a-w-c:\windows\SysWow64\msxml3.dll
    2013-01-10 09:04 . 2012-11-20 05:48307200----a-w-c:\windows\system32\ncrypt.dll
    2013-01-10 09:04 . 2012-11-20 04:51220160----a-w-c:\windows\SysWow64\ncrypt.dll
    2013-01-10 09:04 . 2012-11-23 03:263149824----a-w-c:\windows\system32\win32k.sys
    2013-01-10 09:04 . 2012-11-23 03:1368608----a-w-c:\windows\system32\taskhost.exe
    2013-01-09 16:17 . 2013-01-10 08:56--------d-----w-c:\windows\RestoreSafeDeleted
    2013-01-08 10:26 . 2012-11-08 17:249125352----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{2D8193DC-25CD-4FB6-ABA3-09913F07888E}\mpengine.dll
    2012-12-30 00:48 . 2012-12-30 00:48--------d-----w-c:\users\admın\AppData\Local\Programs
    2012-12-25 23:50 . 2012-12-25 23:50--------d-----w-c:\users\admın\AppData\Roaming\Sports Interactive
    2012-12-21 18:56 . 2012-12-16 17:1146080----a-w-c:\windows\system32\atmlib.dll
    2012-12-21 18:56 . 2012-12-16 14:45367616----a-w-c:\windows\system32\atmfd.dll
    2012-12-21 18:56 . 2012-12-16 14:1334304----a-w-c:\windows\SysWow64\atmlib.dll
    2012-12-21 18:56 . 2012-12-16 14:13295424----a-w-c:\windows\SysWow64\atmfd.dll
    2012-12-19 10:00 . 2012-12-19 10:00--------d-----w-c:\users\admın\AppData\Local\4A Games
    2012-12-18 16:33 . 2012-12-18 16:33--------d-----w-c:\program files (x86)\NVIDIA Corporation
    2012-12-18 16:33 . 2012-12-18 16:33--------d-----w-c:\program files (x86)\Common Files\Wise Installation Wizard
    2012-12-18 16:33 . 2012-12-18 16:33--------d-----w-c:\users\admn
    2012-12-18 16:33 . 2010-02-04 08:0178680----a-w-c:\windows\system32\XAPOFX1_4.dll
    2012-12-18 16:33 . 2010-02-04 08:0174072----a-w-c:\windows\SysWow64\XAPOFX1_4.dll
    2012-12-18 16:33 . 2010-02-04 08:01530776----a-w-c:\windows\system32\XAudio2_6.dll
    2012-12-18 16:33 . 2010-02-04 08:01528216----a-w-c:\windows\SysWow64\XAudio2_6.dll
    2012-12-18 16:33 . 2010-02-04 08:0124920----a-w-c:\windows\system32\X3DAudio1_7.dll
    2012-12-18 16:33 . 2010-02-04 08:01238936----a-w-c:\windows\SysWow64\xactengine3_6.dll
    2012-12-18 16:33 . 2010-02-04 08:0122360----a-w-c:\windows\SysWow64\X3DAudio1_7.dll
    2012-12-18 16:33 . 2010-02-04 08:01176984----a-w-c:\windows\system32\xactengine3_6.dll
    2012-12-16 18:45 . 2012-12-16 18:45--------d-----w-c:\program files (x86)\Common Files\Steam
    2012-12-16 18:45 . 2013-01-10 21:03--------d-----w-c:\program files (x86)\Steam
    2012-12-16 18:44 . 2012-12-18 16:37--------d-----w-c:\program files (x86)\Metro
    2012-12-13 00:58 . 2012-10-04 17:45215040----a-w-c:\windows\system32\winsrv.dll
    2012-12-13 00:54 . 2012-11-09 05:452048----a-w-c:\windows\system32\tzres.dll
    2012-12-13 00:54 . 2012-11-09 04:422048----a-w-c:\windows\SysWow64\tzres.dll
    2012-12-12 23:39 . 2012-11-02 05:59478208----a-w-c:\windows\system32\dpnet.dll
    2012-12-12 23:39 . 2012-11-02 05:11376832----a-w-c:\windows\SysWow64\dpnet.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-10 16:12 . 2012-07-02 14:562--shatr-c:\windows\winstart.bat
    2013-01-10 16:09 . 2012-06-28 12:0474248----a-w-c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-01-10 16:09 . 2012-06-28 12:04697864----a-w-c:\windows\SysWow64\FlashPlayerApp.exe
    2013-01-10 11:04 . 2012-11-12 12:3667599240----a-w-c:\windows\system32\MRT.exe
    2012-11-26 12:29 . 2012-06-30 15:31499712----a-w-c:\windows\SysWow64\msvcp71.dll
    2012-11-26 12:29 . 2012-06-30 15:31348160----a-w-c:\windows\SysWow64\msvcr71.dll
    2012-11-12 12:30 . 2009-07-14 02:36152576----a-w-c:\windows\SysWow64\msclmd.dll
    2012-11-12 12:30 . 2009-07-14 02:36175616----a-w-c:\windows\system32\msclmd.dll
    2012-11-11 21:46 . 2012-11-11 21:46189248----a-w-c:\windows\SysWow64\PnkBstrB.exe
    2012-11-11 21:46 . 2012-11-11 21:4675136----a-w-c:\windows\SysWow64\PnkBstrA.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Pro Agent"="c:\program files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe" [2012-04-26 3111744]
    "Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-12-16 1354736]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-11-26 296096]
    "Adobe"="c:\programdata\Adobe\3D422E.vbe" [2012-10-02 7147]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    "<NO NAME>"="c:\windows\GIGATEMP\Patch.exe" [2001-10-01 148719]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [x]
    R3 FILESPY;FILESPY;c:\windows\system32\drivers\FILESPY.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-30 128456]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-12 368896]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 tsusbhub;tsusbhub;tsusbhub [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-07-01 283200]
    S3 l6TportUX8;Service - Line 6 TonePort UX8;c:\windows\system32\Drivers\l6TportUX864.sys [2012-03-26 772224]
    S3 netr7364;Vista Için ASUS USB Kablosuz LAN Kartı Sürücüsü;c:\windows\system32\DRIVERS\netr7364.sys [2009-06-10 707072]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-01 187392]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-01-10 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-28 16:09]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 1289704]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://search.babylon.com/?affID=110021&tt=280612_6_&babsrc=HP_ss&mntrId=1a813b21000000000000001cf0c9416a
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Microsoft Excel'e &Ver - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: line6.net
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath -
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-Utopia Angel - c:\utopia\Angel\Angel.exe
    SafeBoot-09100493.sys
    SafeBoot-18906872.sys
    SafeBoot-66598749.sys
    AddRemove-2YourFace - c:\users\admın\AppData\Roaming\2YourFace\uninst.exe
    AddRemove-Native Instruments - Rig Kontrol 3 Driver - c:\program files (x86)\Native Instruments\Rig Kontrol 3 Driver\uninst.exe Software\Native Instruments\Rig Kontrol 3 Driver\Setup
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    .
    **************************************************************************
    .
    Completion time: 2013-01-10 23:06:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-01-10 21:06
    .
    Pre-Run: 148,192,014,336 bytes free
    Post-Run: 147,939,753,984 bytes free
    .
    - - End Of File - - 7A859F8F4B3F85A9F694394380C80792
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good work!

    TDSSKiller Scan

    Please download TDSSKiller to your desktop and run it as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    ------------------------

    Click the Start Scan button.

    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.


    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

    Sometimes these logs can be very large, in that case please attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  8. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Okay, I ran the scan and attached the log. However, I've also attached a screen grab: TDSSKiller didn't detect anything, but the svchost.exe file is back in the temp folder again, and the process is still running.

    This may be of some help, the way the processes seem to affect my computer is that after some time, anywhere from 20-30 mins to 1 hour of running, my computer will suddenly switch to power saving mode, the screen will switch off, the fans start to run fast as the hdd seems to switch off, pressing the spacebar key will bring the computer back to life again, but sometimes it just automatically then switches into power saving mode again.

    Add to this my keyboard going completely whack, random keys being pressed into any available area.. if I open a browser the address bar will fill with random letters that don't stop in a zjzjjzjzjjzjzjjzzjzjzjjzjzjzjjzjzjzzjzjzjzjzjzjjz pattern (different letters every time).

    It basically renders the computer unusable. Restarting doesn't help, shutting down for a bit and then rebooting usually holds this sort of craziness for another 30mins to an hour.

    Attached Files:

  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hitman Pro

    Please download Hitman Pro

    • After the download completes, please double-click the program to run it.
    • Accept the terms of the license agreement and click Next.
    • Let the scan run. It will not take long.
    • When the scan finishes, and all the files have been uploaded to the Scan Cloud, click Next.
    • Click Next again. At the bottom left you will see Export Scan Results To XML File. Click that and save it in a convenient location.
    • Upload log.xml here for review please.


    Kaspersky Virus Removal Tool

    The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

    Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

    • Double-click the Setup file to install it on your computer.
    • Once it has installed, review and accept the agreement and press the Start button.
    • You will be presented with the main interface, but don't scan yet; click the options tab (gear icon).
    • On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive.
    • On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High".
    • Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
    • Once done scanning, choose the Report tab (page icon), select the Detected Threats tab on the left, and choose Disinfect All.
    • Then, choose Save. Also, in the Automatic Report tab, select Save.
    • Please post the reports in your next reply.
    • Once you exit, the tool should uninstall automatically.
  10. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Here is the log from HitmanPro (it didn't give me an option to save to an .xml, it simply gave me a 'save log' option).

    Code:
    HitmanPro 3.7.0.185
    www.hitmanpro.com
    
       Computer name . . . . : ADMıN-PC
       Windows . . . . . . . : 6.1.1.7601.X64/8
       User name . . . . . . : admın-pc\admın
       UAC . . . . . . . . . : Disabled
       License . . . . . . . : Trial (30 days left)
    
       Scan date . . . . . . : 2013-01-12 02:20:00
       Scan mode . . . . . . : Normal
       Scan duration . . . . : 3m 53s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 4
       Traces  . . . . . . . : 129
    
       Objects scanned . . . : 1,428,449
       Files scanned . . . . : 16,835
       Remnants scanned  . . : 512,374 files / 899,240 keys
    
    Malware _____________________________________________________________________
    
       C:\Users\admın\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7M6IU78Z\libpdcurses[1].dll -> Quarantined
          Size . . . . . . . : 87,054 bytes
          Age  . . . . . . . : 1.1 days (2013-01-11 00:02:32)
          Entropy  . . . . . : 6.5
          SHA-256  . . . . . : 94995B0560D2CCDA7951252397EB152B499454746B75D03479BBFA551DEF41E4
        > Ikarus . . . . . . : Trojan-PWS.Keylogger!IK
          Fuzzy  . . . . . . : 108.0
    
       C:\Users\admın\AppData\Local\Temp\libpdcurses.dll -> Quarantined
          Size . . . . . . . : 87,054 bytes
          Age  . . . . . . . : 1.1 days (2013-01-11 00:02:32)
          Entropy  . . . . . : 6.5
          SHA-256  . . . . . : 94995B0560D2CCDA7951252397EB152B499454746B75D03479BBFA551DEF41E4
        > Ikarus . . . . . . : Trojan-PWS.Keylogger!IK
          Fuzzy  . . . . . . : 114.0
    
       C:\Users\admın\Downloads\AngryBirdsStarWars\Patch\angry.birds.all-patch.offline.v1.3.exe -> Quarantined
          Size . . . . . . . : 70,656 bytes
          Age  . . . . . . . : 60.5 days (2012-11-12 14:12:19)
          Entropy  . . . . . : 7.9
          SHA-256  . . . . . : 72F98D7F31000B4CA8197B0DFB94E5254F0E7F3A7423B75A6C684EE833507A2F
        > Ikarus . . . . . . : Trojan.Win32.Spy!IK
          Fuzzy  . . . . . . : 114.0
    
       C:\Users\admın\Downloads\Antares Autotune Evo VST RTAS v6.0.9 PROPER -AiR\setup.exe -> Quarantined
          Size . . . . . . . : 4,938,752 bytes
          Age  . . . . . . . : 195.4 days (2012-06-30 17:35:21)
          Entropy  . . . . . : 8.0
          SHA-256  . . . . . : 9A5CED4D63CF26F01D3B88E3F1062A8CA72DEEC4A52249557868853FF5C53199
          Description  . . . :  
          Version  . . . . . : 0.0.0.0
          Copyright  . . . . :  
        > Ikarus . . . . . . : Trojan-Downloader.Win32.Delf!IK
          Fuzzy  . . . . . . : 109.0
    
    
    Suspicious files ____________________________________________________________
    
       C:\Users\admın\AppData\Local\Temp\svchost.exe -> Quarantined
          Size . . . . . . . : 370,702 bytes
          Age  . . . . . . . : 1.1 days (2013-01-11 00:02:31)
          Entropy  . . . . . : 6.4
          SHA-256  . . . . . : BE795C17358B01204E090B57A4E775BA65220191E8201BD2A1B784320D10C3AE
          Source URL . . . . : hxxp://1v401.chickenkiller.com/v4/cgminer.exe
          Running processes  : 3544
          Fuzzy  . . . . . . : 27.0
             Program is impersonating a common Windows system file. This is typical for malware.
             The file is downloaded from the Internet to this computer.
             Program is running but currently exposes no human-computer interface (GUI).
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Time indicates that the file appeared recently on this computer.
             The file is in use by one or more active processes.
    
    
    Potential Unwanted Programs _________________________________________________
    
       C:\Program Files (x86)\BabylonToolbar\ (Babylon)
       C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\ (Babylon)
       C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\ (Babylon)
       C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll (Babylon)
          Size . . . . . . . : 330,240 bytes
          Age  . . . . . . . : 194.6 days (2012-07-01 12:27:38)
          Entropy  . . . . . : 6.3
          SHA-256  . . . . . : 52CAA8C32555E05191FED8187D74B20C916F44789693CC0B70D7BB09783844ED
          Product  . . . . . : Babylon Toolbar
          Publisher  . . . . : Babylon Ltd.
          Description
          Version  . . . . . : 1.4.35.0
          Copyright  . . . . :  (c) Babylon Ltd.  All rights reserved.
          Fuzzy  . . . . . . : 0.0
    
       C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe (Babylon)
          Size . . . . . . . : 347,648 bytes
          Age  . . . . . . . : 194.6 days (2012-07-01 12:27:39)
          Entropy  . . . . . : 6.3
          SHA-256  . . . . . : 27F90D20668D9CA40555C086A5123240022DA0097EE0B3EE766D8FCFCE078EF8
          Product  . . . . . : Babylon Toolbar
          Publisher  . . . . : Babylon Ltd.
          Description
          Version  . . . . . : 1.4.35.0
          Copyright  . . . . :  (c) Babylon Ltd.  All rights reserved.
          Fuzzy  . . . . . . : 0.0
    
       C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\ (Babylon)
       C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon)
          Size . . . . . . . : 270,960 bytes
          Age  . . . . . . . : 194.6 days (2012-07-01 12:27:38)
          Entropy  . . . . . : 6.3
          SHA-256  . . . . . : AC6AB10609C702F2ACEDC58E83AFD5E4BD9855071DE8A39CEF31D314F10A09B1
          Product  . . . . . : Babylon Toolbar
          Publisher  . . . . : Babylon BHO
          Description
          Version  . . . . . : 1.4.35.0
          Copyright  . . . . :  (c) Babylon Ltd.  All rights reserved.
          RSA Key Size . . . : 2048
          Authenticode . . . : Valid
          Fuzzy  . . . . . . : -7.0
    
       C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\uninstall.exe (Babylon)
          Size . . . . . . . : 82,870 bytes
          Age  . . . . . . . : 194.6 days (2012-07-01 12:27:39)
          Entropy  . . . . . : 7.6
          SHA-256  . . . . . : CD7D3E9D725511770BC29F27EC73D6D875B5F423896E3A5AF44482B8BD3BCB22
          Product  . . . . . : BabylonToolbar
          Publisher  . . . . : BabylonToolbar
          Version  . . . . . : 1.5.3.17
          Fuzzy  . . . . . . : 8.0
    
       C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\BabylonTB.xpi (Babylon)
       C:\Users\admin\AppData\LocalLow\BabylonToolbar\ (Babylon)
       C:\Users\admın\AppData\Roaming\Babylon\ (Babylon)
       C:\Users\admın\AppData\Roaming\Babylon\log_file.txt (Babylon)
       C:\Users\admın\AppData\Roaming\BabylonToolbar\ (Babylon)
       C:\Users\admın\AppData\Roaming\BabylonToolbar\CR\ (Babylon)
       C:\Users\admın\AppData\Roaming\BabylonToolbar\CR\BabylonChrome1.crx (Babylon)
       C:\Users\admın\AppData\Roaming\BabylonToolbar\CR\BUSolution.dll (Babylon)
          Size . . . . . . . : 514,048 bytes
          Age  . . . . . . . : 194.6 days (2012-07-01 12:27:56)
          Entropy  . . . . . : 6.3
          SHA-256  . . . . . : B5AF65918FD8D3C8847E86438D67F1136646033911EE48E6D717C0F2349E8BE7
          Product  . . . . . : BU Dynamic Link Library
          Description  . . . : BU Dynamic Link Library
          Version  . . . . . : 2.0.0.2
          Copyright  . . . . : Copyright (C) 1997-2012
          Fuzzy  . . . . . . : -7.0
    
       C:\Users\admın\AppData\Roaming\BabylonToolbar\FF\ (Babylon)
       C:\Users\admın\AppData\Roaming\BabylonToolbar\FF\BUSolution.dll (Babylon)
          Size . . . . . . . : 514,048 bytes
          Age  . . . . . . . : 194.6 days (2012-07-01 12:27:56)
          Entropy  . . . . . : 6.3
          SHA-256  . . . . . : B5AF65918FD8D3C8847E86438D67F1136646033911EE48E6D717C0F2349E8BE7
          Product  . . . . . : BU Dynamic Link Library
          Description  . . . : BU Dynamic Link Library
          Version  . . . . . : 2.0.0.2
          Copyright  . . . . : Copyright (C) 1997-2012
          Fuzzy  . . . . . . : -7.0
    
       C:\Users\admın\AppData\Roaming\BabylonToolbar\IE\ (Babylon)
       C:\Users\admın\AppData\Roaming\BabylonToolbar\IE\BUSolution.dll (Babylon)
          Size . . . . . . . : 514,048 bytes
          Age  . . . . . . . : 194.6 days (2012-07-01 12:27:56)
          Entropy  . . . . . : 6.3
          SHA-256  . . . . . : B5AF65918FD8D3C8847E86438D67F1136646033911EE48E6D717C0F2349E8BE7
          Product  . . . . . : BU Dynamic Link Library
          Description  . . . : BU Dynamic Link Library
          Version  . . . . . : 2.0.0.2
          Copyright  . . . . : Copyright (C) 1997-2012
          Fuzzy  . . . . . . : -7.0
    
       C:\Users\admın\AppData\Roaming\BabylonToolbar\Shared\ (Babylon)
       C:\Users\admın\AppData\Roaming\BabylonToolbar\Shared\BabyTBConf.ini (Babylon)
       C:\Users\admın\AppData\Roaming\BabylonToolbar\Shared\BUSolution.dll (Babylon)
          Size . . . . . . . : 514,048 bytes
          Age  . . . . . . . : 194.6 days (2012-07-01 12:27:56)
          Entropy  . . . . . : 6.3
          SHA-256  . . . . . : B5AF65918FD8D3C8847E86438D67F1136646033911EE48E6D717C0F2349E8BE7
          Product  . . . . . : BU Dynamic Link Library
          Description  . . . : BU Dynamic Link Library
          Version  . . . . . : 2.0.0.2
          Copyright  . . . . : Copyright (C) 1997-2012
          Fuzzy  . . . . . . : -7.0
    
       C:\Users\admın\AppData\Roaming\BabylonToolbar\Shared\sign (Babylon)
       HKLM\SOFTWARE\Classes\AppID\escort.DLL\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\escortApp.DLL\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\escortEng.DLL\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\esrv.EXE\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\ (Babylon)
       HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ (Funmoods)
       HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
       HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
       HKLM\SOFTWARE\Classes\b\ (Babylon)
       HKLM\SOFTWARE\Classes\Babylon.dskBnd.1\ (Babylon)
       HKLM\SOFTWARE\Classes\Babylon.dskBnd\ (Babylon)
       HKLM\SOFTWARE\Classes\bbylnApp.appCore.1\ (Babylon)
       HKLM\SOFTWARE\Classes\bbylnApp.appCore\ (Babylon)
       HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\ (Babylon)
       HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\ (Babylon)
       HKLM\SOFTWARE\Classes\escort.escortIEPane.1\ (Funmoods)
       HKLM\SOFTWARE\Classes\escort.escortIEPane\ (Funmoods)
       HKLM\SOFTWARE\Classes\esrv.BabylonESrvc.1\ (Babylon)
       HKLM\SOFTWARE\Classes\esrv.BabylonESrvc\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ (Babylon)
       HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ (Babylon)
       HKLM\SOFTWARE\Classes\Prod.cap\ (Claro)
       HKLM\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\ (Babylon)
       HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
       HKLM\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\ (Babylon)
       HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escort.DLL\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escortApp.DLL\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escortEng.DLL\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escorTlbr.DLL\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\esrv.EXE\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
       HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\ (Babylon)
       HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4B2468513CA2D6943A1A233CD3F88CE7\ (Claro)
       HKLM\SOFTWARE\Wow6432Node\Babylon\ (Babylon)
       HKLM\SOFTWARE\Wow6432Node\BabylonToolbar\ (Babylon)
       HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\ (Babylon)
       HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\ (Babylon)
       HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BabylonToolbar\ (Babylon)
       HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\BabylonToolbar\ (Babylon)
       HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{98889811-442D-49DD-99D7-DC866BE87DBC} (Claro)
       HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ (Babylon)
       HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}\ (Babylon)
       HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}\ (Babylon)
    
    Cookies _____________________________________________________________________
    
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\6LEWKBGR.txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\6YSVKKPM.txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\8RL7MQSM.txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\admın@ads.ad4game[2].txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\admın@atdmt[1].txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\admın@c.atdmt[2].txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\admın@serving-sys[1].txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\BH13MTX4.txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\ES7NQ8F9.txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\FUAOWWGM.txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\I4TVPD4E.txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\KE30C9Z2.txt
       C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\WAPQO0U0.txt
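
The "Suspicious files" entry above is worth turning into a repeatable check. As an added example (not from the thread, HitmanPro or SurfRight), the Python below parses entries in this HitmanPro report layout and reproduces the "impersonating a common Windows system file" finding independently: a file carrying the name of a core Windows binary but located outside the directory that binary lives in. The EXPECTED_HOME table and the embedded sample report are constructed for the example (placeholder user, hash and URL), not the thread's real values.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the HitmanPro report layout seen in the thread
# (user name, hash and URL are placeholders, not the thread's real values).
SAMPLE_REPORT = r"""
Suspicious files ____________________________________________________________

   C:\Users\user\AppData\Local\Temp\svchost.exe -> Quarantined
      Size . . . . . . . : 370,702 bytes
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 0000000000000000000000000000000000000000000000000000000000000000
      Source URL . . . . : hxxp://example.invalid/v4/miner.exe
      Running processes  : 3544
      Fuzzy  . . . . . . : 27.0
         Program is impersonating a common Windows system file. This is typical for malware.
         The file is downloaded from the Internet to this computer.

   C:\Windows\System32\svchost.exe
      Publisher  . . . . : Microsoft Corporation
      Fuzzy  . . . . . . : 0.0
"""

# Where each core Windows binary is allowed to live (assumption for this
# example: Windows 7 x64 layout, lower-cased for comparison).
EXPECTED_HOME = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "smss.exe":     {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

SECTION_LINE = re.compile(r"^\s*(.+?)\s*_{10,}\s*$")
# A file path or registry key, optionally tagged "(Vendor)" and/or "-> Action".
PATH_LINE = re.compile(
    r"^\s*((?:[A-Za-z]:|HK[A-Z]{1,2})\\.*?)(?:\s+\(([^()]+)\))?(?:\s+->\s+(\w+))?\s*$")
# "Key . . . : value" lines; a leading ">" marks the engine that detected the file.
ATTR_LINE = re.compile(r"^\s*>?\s*([A-Za-z][A-Za-z0-9 -]*?)\s*(?:\. )*\s*:\s?(.*)$")


@dataclass
class Entry:
    section: str
    path: str
    label: Optional[str] = None    # vendor tag such as "(Babylon)"
    action: Optional[str] = None   # e.g. "Quarantined"
    attrs: dict = field(default_factory=dict)
    notes: list = field(default_factory=list)

    @property
    def filename(self) -> str:
        return self.path.rstrip("\\").rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_report(text: str) -> list:
    """Split a HitmanPro-style report into Entry records."""
    entries, section, current = [], "", None
    for raw in text.splitlines():
        if not raw.strip():
            current = None              # a blank line closes the current entry
            continue
        if (m := SECTION_LINE.match(raw)):
            section, current = m.group(1), None
            continue
        if (m := PATH_LINE.match(raw)):
            current = Entry(section, m.group(1), m.group(2), m.group(3))
            entries.append(current)
            continue
        if current is None:
            continue
        if (m := ATTR_LINE.match(raw)):
            current.attrs[m.group(1)] = m.group(2).strip()
        else:
            current.notes.append(raw.strip())   # free-text heuristic remarks
    return entries


def triage(entries) -> list:
    """Return (path, [reasons]) for files that borrow a core Windows binary's name."""
    findings = []
    for e in entries:
        homes = EXPECTED_HOME.get(e.filename)
        if homes is None or e.directory in homes:
            continue                    # unknown name, or sitting where it belongs
        reasons = [f"{e.filename} located in {e.directory}, expected one of {sorted(homes)}"]
        if "Source URL" in e.attrs:     # context that sharpens the finding
            reasons.append(f"downloaded from {e.attrs['Source URL']}")
        if e.attrs.get("Running processes"):
            reasons.append(f"active in PID(s) {e.attrs['Running processes']}")
        findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_report(SAMPLE_REPORT)):
        print(path)
        for reason in reasons:
            print("   -", reason)
```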
    
    
    
  11. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Downloading and running the Kaspersky Virus Removal tool. Will post logs when finished. Thanks so much for your help with this DragonMaster Jay
  12. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Ah, I think I messed up.. While the Kaspersky Virus Removal tool was running I fell asleep, when I woke up the program was gone and I can't find any logs.

    Should I run the Kaspersky Virus Removal tool once again and make sure to catch it and save the logs etc?
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Seems like we're dealing with ZeroAccess or a related threat... I'll need an external look, please:

    Farbar Recovery Scan Tool x64

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Please make sure to get the 64-bit version

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:
      [image: FRST "Search:" box and "Search file(s)" button]
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
     
  14. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Oops, searched 'services' instead of 'services.exe'.

    Rebooting to quickly do it again
  15. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Frst.txt

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013
    Ran by SYSTEM at 13-01-2013 00:14:43
    Running from G:\
    Windows 7 Ultimate (X64) OS Language: 041F
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296096 2012-11-26] (RealNetworks, Inc.)
    HKLM-x32\...\Run: [Adobe] C:\ProgramData\Adobe\3D422E.vbe [7147 2012-10-02] ()
    HKU\admın\...\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe" -autorun [3111744 2012-04-26] (DT Soft Ltd)
    HKU\admın\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1354736 2012-12-16] (Valve Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    ==================== Services (Whitelisted) ===================

    2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [108904 2013-01-12] (SurfRight B.V.)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
    2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75136 2012-11-11] ()

    ==================== Drivers (Whitelisted) =====================

    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-07-01] (DT Soft Ltd)
    3 FILESPY; C:\Windows\SysWow64\Drivers\FILESPY.sys [27584 2001-09-27] (NemeSys Music Technology)
    3 l6TportUX8; C:\Windows\System32\Drivers\l6TportUX864.sys [772224 2012-03-26] (Line 6)
    0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
    2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
    3 catchme; \??\C:\ComboFix\catchme.sys [x]
    3 EWAVE; \??\C:\Windows\system32\drivers\ew.sys [x]
    0 Partizan; C:\Windows\System32\drivers\Partizan.sys [x]
    3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
    3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2013-01-13 00:11 - 2013-01-13 00:06 - 00040552 ____A C:\Users\admın\Desktop\FRST.txt
    2013-01-13 00:11 - 2013-01-13 00:05 - 00000560 ____A C:\Users\admın\Desktop\Search.txt
    2013-01-13 00:01 - 2013-01-13 00:01 - 00000000 ____D C:\FRST
    2013-01-12 23:50 - 2013-01-12 23:50 - 01464233 ____A (Farbar) C:\Users\admın\Downloads\FRST64.exe
    2013-01-12 10:55 - 2013-01-12 10:55 - 00000000 ____D C:\Users\admın\Downloads\SILVER LININGS DVDRIP EDAW2013
    2013-01-12 10:54 - 2013-01-12 11:00 - 00000000 ____D C:\Users\admın\Downloads\Les.Miserables.2012.DVDSCR-EDAW2013
    2013-01-12 10:51 - 2013-01-12 11:00 - 00000000 ____D C:\Users\admın\Downloads\Butter LIMITED BDRip XviD-SAPHiRE
    2013-01-12 10:50 - 2013-01-12 10:50 - 00058726 ____A C:\Users\admın\Downloads\[kat.ph]butter.limited.bdrip.xvid.saphire.torrent
    2013-01-12 10:49 - 2013-01-12 10:49 - 00024555 ____A C:\Users\admın\Downloads\[kat.ph]les.miserables.2012.dvdscr.edaw2013.torrent
    2013-01-12 10:49 - 2013-01-12 10:49 - 00017090 ____A C:\Users\admın\Downloads\[kat.ph]silver.linings.playbook.2012.dvdrip.edaw2013.torrent
    2013-01-12 03:54 - 2013-01-12 03:57 - 07561130 ____A C:\Users\admın\Downloads\Celldweller - Frozen.flv
    2013-01-12 02:32 - 2013-01-12 02:32 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
    2013-01-12 02:28 - 2013-01-12 02:31 - 151469960 ____A C:\Users\admın\Desktop\setup_11.0.0.1245.x01_2013_01_12_03_36.exe
    2013-01-12 02:25 - 2013-01-12 02:25 - 00035250 ____A C:\Users\admın\Desktop\HitmanPro_20130112_0225.log
    2013-01-12 02:24 - 2013-01-12 23:48 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
    2013-01-12 02:20 - 2013-01-12 02:20 - 00001893 ____A C:\Users\Public\Desktop\HitmanPro.lnk
    2013-01-12 02:19 - 2013-01-12 02:25 - 00000000 ____D C:\Users\All Users\HitmanPro
    2013-01-12 02:19 - 2013-01-12 02:20 - 00000000 ____D C:\Program Files\HitmanPro
    2013-01-12 02:18 - 2013-01-12 02:19 - 09703176 ____A (SurfRight B.V.) C:\Users\admın\Downloads\HitmanPro_x64.exe
    2013-01-10 23:07 - 2013-01-10 23:08 - 05019950 ____A (Swearware) C:\Users\admın\Downloads\ComboFix (1).exe
    2013-01-10 23:06 - 2013-01-10 23:06 - 00015340 ____A C:\ComboFix.txt
    2013-01-10 22:52 - 2013-01-10 22:52 - 00001108 ____A C:\Users\admın\Desktop\ComboFix - Shortcut.lnk
    2013-01-10 22:46 - 2013-01-10 23:06 - 00000000 ____D C:\Qoobox
    2013-01-10 22:46 - 2013-01-10 23:05 - 00000000 ____D C:\Windows\erdnt
    2013-01-10 22:46 - 2011-06-26 08:45 - 00256000 ____A C:\Windows\PEV.exe
    2013-01-10 22:46 - 2010-11-07 19:20 - 00208896 ____A C:\Windows\MBR.exe
    2013-01-10 22:46 - 2009-04-20 06:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2013-01-10 22:46 - 2000-08-31 02:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2013-01-10 22:46 - 2000-08-31 02:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2013-01-10 22:46 - 2000-08-31 02:00 - 00098816 ____A C:\Windows\sed.exe
    2013-01-10 22:46 - 2000-08-31 02:00 - 00080412 ____A C:\Windows\grep.exe
    2013-01-10 22:46 - 2000-08-31 02:00 - 00068096 ____A C:\Windows\zip.exe
    2013-01-10 22:43 - 2013-01-10 22:43 - 05019950 ____R (Swearware) C:\Users\admın\Downloads\ComboFix.exe
    2013-01-10 18:34 - 2013-01-10 18:34 - 00017012 ____A C:\Users\admın\Desktop\attach.txt
    2013-01-10 18:34 - 2013-01-10 18:34 - 00013509 ____A C:\Users\admın\Desktop\dds.txt
    2013-01-10 18:33 - 2013-01-10 18:33 - 00688992 ____R (Swearware) C:\Users\admın\Downloads\dds.com
    2013-01-10 18:33 - 2013-01-10 18:33 - 00000000 ____D C:\users\adm²n
    2013-01-10 18:26 - 2013-01-10 18:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-01-10 18:26 - 2012-12-14 16:49 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2013-01-10 18:25 - 2013-01-10 18:26 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\admın\Downloads\mbam-setup-1.70.0.1100.exe
    2013-01-10 16:50 - 2013-01-10 16:50 - 00001945 ____A C:\Windows\epplauncher.mif
    2013-01-10 16:50 - 2013-01-10 16:50 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2013-01-10 16:50 - 2013-01-10 16:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2013-01-10 14:51 - 2013-01-10 15:00 - 13529576 ____A (Microsoft Corporation) C:\Users\admın\Downloads\mseinstall.exe
    2013-01-10 14:50 - 2013-01-10 15:00 - 06151248 ____A (Uniblue Systems Ltd ) C:\Users\admın\Downloads\speedupmypc.exe
    2013-01-10 13:29 - 2013-01-10 13:29 - 00000000 ____D C:\TDSSKiller_Quarantine
    2013-01-10 12:23 - 2013-01-10 12:25 - 00000000 ____D C:\Users\admın\Desktop\EverestTest
    2013-01-10 12:22 - 2013-01-10 12:22 - 04402436 ____A C:\Users\admın\Downloads\everesthome220.zip
    2013-01-10 11:39 - 2013-01-10 11:39 - 00980480 ____A C:\Users\admın\Downloads\MicrosoftFixit50267.msi
    2013-01-10 11:38 - 2013-01-10 11:38 - 00000061 ____A C:\Users\admın\Documents\ashadams.txt
    2013-01-10 11:37 - 2013-01-10 11:37 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\admın\Downloads\tdsskiller.exe
    2013-01-10 11:36 - 2013-01-12 10:05 - 00002594 ____A C:\Users\admın\Desktop\Rkill.txt
    2013-01-10 11:35 - 2013-01-10 11:35 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\admın\Downloads\rkill.exe
    2013-01-10 11:04 - 2012-11-23 05:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2013-01-10 11:04 - 2012-11-23 05:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
    2013-01-10 11:04 - 2012-11-20 07:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2013-01-10 11:04 - 2012-11-20 06:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2013-01-10 11:04 - 2012-11-09 07:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
    2013-01-10 11:04 - 2012-11-09 06:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
    2013-01-10 11:04 - 2012-11-01 07:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2013-01-10 11:04 - 2012-11-01 07:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2013-01-10 11:04 - 2012-11-01 06:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2013-01-10 11:04 - 2012-11-01 06:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2013-01-09 18:17 - 2013-01-10 10:56 - 00000000 ____D C:\Windows\RestoreSafeDeleted
    2013-01-09 14:06 - 2013-01-09 14:06 - 00000000 ____D C:\Users\admın\Downloads\Not.Fade.Away.2012.DVDSCR.XviD.AC3-VAiN
    2013-01-09 14:04 - 2013-01-09 14:21 - 00000000 ____D C:\Users\admın\Downloads\Branded.2012.LIMITED.DVDRip.XVID-DEPRiVED
    2013-01-09 13:37 - 2013-01-09 13:40 - 14205489 ____A C:\Users\admın\Downloads\The Decemberists - Here I Dreamt I Was An Architect (Lyrics)(1).flv
    2013-01-09 13:33 - 2013-01-09 13:33 - 00000000 ____D C:\Users\admın\Downloads\DEATH CAB FOR CUTIE - DISCOGRAPHY [CHANNEL NEO]
    2013-01-09 13:17 - 2013-01-09 13:20 - 21965189 ____A C:\Users\admın\Downloads\The Rolling Stones - Satisfaction (live).flv
    2013-01-09 12:49 - 2013-01-09 12:56 - 189657718 ____A C:\Users\admın\Downloads\Fix You - Coldplay - Acoustic Cover by Tyler Ward _ Boyce Avenue.mp4
    2013-01-09 12:43 - 2013-01-09 12:45 - 07500084 ____A C:\Users\admın\Downloads\My Girl - The Temptations.flv
    2013-01-09 12:37 - 2013-01-09 12:38 - 03568688 ____A C:\Users\admın\Downloads\Jackson 5 - ABC (Full song).flv
    2013-01-07 12:47 - 2013-01-07 13:18 - 597192704 ____A C:\Users\admın\Downloads\Inescapable.avi
    2013-01-07 02:41 - 2013-01-07 02:41 - 00000000 ____D C:\Users\admın\Downloads\The.Impossible.2012.DVDSCR.x264.AAC-FooKaS
    2013-01-07 02:39 - 2013-01-07 02:50 - 00000000 ____D C:\Users\admın\Downloads\Upside.Down.2012.720p.BRRip.x264.AC3-JYK
    2013-01-07 02:38 - 2013-01-07 02:39 - 00000000 ____D C:\Users\admın\Downloads\Zero.Dark.Thirty.2012.DVDSCR.Xvid.Ac3-ADTRG
    2013-01-07 02:37 - 2013-01-07 02:57 - 00000000 ____D C:\Users\admın\Downloads\Hitchcock.2012.DVDSCR.XviD-NYDIC
    2013-01-07 02:35 - 2013-01-07 02:35 - 00012610 ____A C:\Users\admın\Downloads\[kat.ph]upside.down.2012.720p.brrip.x264.ac3.jyk.torrent
    2013-01-07 02:34 - 2013-01-07 02:34 - 00115946 ____A C:\Users\admın\Downloads\[kat.ph]upside.down.2012.brrip.xvid.unique.torrent
    2013-01-07 02:34 - 2013-01-07 02:34 - 00000000 ____D C:\Users\admın\Downloads\Django Unchained 2012 DVDSCR X264 AAC-P2P
    2013-01-07 02:33 - 2013-01-07 02:33 - 00204069 ____A C:\Users\admın\Downloads\[kat.ph]django.unchained.2012.dvdscr.x264.aac.p2p.torrent
    2013-01-07 02:32 - 2013-01-07 02:32 - 00075122 ____A C:\Users\admın\Downloads\[kat.ph]hitchcock.2012.dvdscr.xvid.nydic.torrent
    2013-01-07 02:32 - 2013-01-07 02:32 - 00029619 ____A C:\Users\admın\Downloads\[kat.ph]the.impossible.2012.dvdscr.x264.aac.fookas.torrent
    2013-01-07 02:32 - 2013-01-07 02:32 - 00025312 ____A C:\Users\admın\Downloads\[kat.ph]zero.dark.thirty.2012.dvdscr.xvid.ac3.adtrg.torrent
    2013-01-05 21:27 - 2013-01-05 21:31 - 08542909 ____A C:\Users\admın\Downloads\Riders on the storm the doors lyrics.flv
    2013-01-05 20:18 - 2013-01-05 20:21 - 10823982 ____A C:\Users\admın\Downloads\Benji Hughes - Waiting For An Invitation.flv
    2013-01-05 17:20 - 2013-01-06 14:25 - 00000000 ____D C:\Users\admın\Documents\Backtracks
    2013-01-05 17:18 - 2013-01-05 17:20 - 04602915 ____A C:\Users\admın\Downloads\Dire Straits - Six Blade Knife lyrics.flv
    2013-01-05 17:08 - 2013-01-05 17:11 - 26498493 ____A C:\Users\admın\Downloads\ZZ Top - Sharp Dressed Man (Live In Texas).flv
    2013-01-05 16:49 - 2013-01-05 16:53 - 08671417 ____A C:\Users\admın\Downloads\Dire Straits - Industrial Disease lyrics.flv
    2013-01-05 13:20 - 2013-01-06 16:26 - 00000000 ____D C:\Users\admın\Documents\SongLyrics
    2013-01-04 10:39 - 2013-01-04 10:42 - 14205489 ____A C:\Users\admın\Downloads\The Decemberists - Here I Dreamt I Was An Architect (Lyrics).flv
    2013-01-04 10:36 - 2013-01-04 10:39 - 06435461 ____A C:\Users\admın\Downloads\SUMMER BREEZE_SEALS AND CROFTS.flv
    2013-01-04 10:30 - 2013-01-04 10:32 - 17744311 ____A C:\Users\admın\Downloads\Haunt - Love song ( Lyrics).flv
    2013-01-04 10:26 - 2013-01-04 10:29 - 14385955 ____A C:\Users\admın\Downloads\Everlast ~ What It's Like (With Lyrics).flv
    2013-01-04 10:23 - 2013-01-04 10:24 - 02905181 ____A C:\Users\admın\Downloads\Death Cab For Cutie I Will Follow You Into The Dark lyrics.flv
    2013-01-04 10:20 - 2013-01-04 10:25 - 61915909 ____A C:\Users\admın\Downloads\I Don't Need No Doctor - John Mayer.flv
    2013-01-04 10:11 - 2013-01-04 10:13 - 68982786 ____A C:\Users\admın\Downloads\Aloe Blacc - I Need A Dollar - Official Video HQ.mp4
    2013-01-04 10:07 - 2013-01-04 10:11 - 39338481 ____A C:\Users\admın\Downloads\Hey Ya (acoustic cover).flv
    2013-01-04 10:05 - 2013-01-04 10:07 - 06771800 ____A C:\Users\admın\Downloads\Barbarossa - Stones.flv
    2013-01-03 23:15 - 2011-04-25 00:41 - 737107968 ____A C:\Users\admın\Desktop\The Shawshank Redemption[1994]DvDrip[Eng]-FXG.avi
    2013-01-02 16:11 - 2013-01-02 16:11 - 02744312 ____A C:\Users\admın\Downloads\mircdev.rar
    2013-01-01 16:52 - 2013-01-01 16:52 - 28449468 ____A C:\Users\admın\Desktop\AutumnLeaves.zip
    2012-12-27 02:13 - 2013-01-01 15:29 - 00000304 ____A C:\Users\admın\Documents\cmas.txt
    2012-12-26 01:53 - 2012-12-26 01:54 - 13669265 ____A C:\Users\admın\Downloads\Football Manager 2013 Crack Only-SKIDROW.rar
    2012-12-26 01:50 - 2012-12-26 01:50 - 00000000 ____D C:\Users\admın\AppData\Roaming\Sports Interactive
    2012-12-25 15:06 - 2013-01-03 17:58 - 00000603 ____A C:\Users\admın\Documents\song suggestions.txt
    2012-12-24 20:57 - 2010-06-02 04:55 - 00527192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_7.dll
    2012-12-24 20:57 - 2010-06-02 04:55 - 00518488 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_7.dll
    2012-12-24 20:57 - 2010-06-02 04:55 - 00239960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_7.dll
    2012-12-24 20:57 - 2010-06-02 04:55 - 00176984 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_7.dll
    2012-12-24 20:57 - 2010-06-02 04:55 - 00077656 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_5.dll
    2012-12-24 20:57 - 2010-06-02 04:55 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_5.dll
    2012-12-24 20:57 - 2010-05-26 11:41 - 02526056 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_43.dll
    2012-12-24 20:57 - 2010-05-26 11:41 - 02401112 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_43.dll
    2012-12-24 20:57 - 2010-05-26 11:41 - 02106216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_43.dll
    2012-12-24 20:57 - 2010-05-26 11:41 - 01998168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_43.dll
    2012-12-24 20:57 - 2010-05-26 11:41 - 01907552 ____A (Microsoft Corporation) C:\Windows\System32\d3dcsx_43.dll
    2012-12-24 20:57 - 2010-05-26 11:41 - 01868128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_43.dll
    2012-12-24 20:57 - 2010-05-26 11:41 - 00511328 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_43.dll
    2012-12-24 20:57 - 2010-05-26 11:41 - 00470880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_43.dll
    2012-12-24 20:57 - 2010-05-26 11:41 - 00276832 ____A (Microsoft Corporation) C:\Windows\System32\d3dx11_43.dll
    2012-12-24 20:57 - 2010-05-26 11:41 - 00248672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
    2012-12-23 02:17 - 2013-01-04 13:01 - 00000068 ____A C:\Users\admın\Documents\bandnames.txt
    2012-12-22 13:03 - 2012-12-23 13:13 - 00000000 ____D C:\Users\admın\Documents\GuitarLessonResource
    2012-12-22 13:00 - 2012-12-22 13:00 - 04988686 ____A C:\Users\admın\Downloads\teachwombatdotcomfreestuff2.zip
    2012-12-21 20:56 - 2012-12-16 19:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
    2012-12-21 20:56 - 2012-12-16 16:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
    2012-12-21 20:56 - 2012-12-16 16:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
    2012-12-21 20:56 - 2012-12-16 16:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
    2012-12-19 13:54 - 2012-12-19 13:57 - 150719027 ____A C:\Users\admın\Documents\Inception Soundtrack - Time _ Piano _ Sax (Relaxing).mp4
    2012-12-19 12:01 - 2012-12-19 12:01 - 00000000 ____D C:\Users\admın\Documents\4A Games
    2012-12-19 12:00 - 2012-12-19 12:00 - 00000000 ____D C:\Users\admın\AppData\Local\4A Games
    2012-12-19 11:58 - 2012-12-04 09:16 - 00000000 ____D C:\Users\admın\Downloads\metro 2033
    2012-12-19 03:12 - 2012-12-19 03:12 - 00013173 ____A C:\Users\admın\Downloads\bifur.zip
    2012-12-19 03:05 - 2012-12-19 03:05 - 00477022 ____A C:\Users\admın\Downloads\retro_lined_area.zip
    2012-12-19 02:48 - 2012-12-19 02:48 - 00030729 ____A C:\Users\admın\Downloads\beastieboys.zip
    2012-12-18 18:33 - 2012-12-18 18:33 - 00000000 ____D C:\users\admn
    2012-12-18 18:33 - 2012-12-18 18:33 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
    2012-12-18 18:33 - 2010-02-04 10:01 - 00530776 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_6.dll
    2012-12-18 18:33 - 2010-02-04 10:01 - 00528216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_6.dll
    2012-12-18 18:33 - 2010-02-04 10:01 - 00238936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_6.dll
    2012-12-18 18:33 - 2010-02-04 10:01 - 00176984 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_6.dll
    2012-12-18 18:33 - 2010-02-04 10:01 - 00078680 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_4.dll
    2012-12-18 18:33 - 2010-02-04 10:01 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_4.dll
    2012-12-18 18:33 - 2010-02-04 10:01 - 00024920 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_7.dll
    2012-12-18 18:33 - 2010-02-04 10:01 - 00022360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_7.dll
    2012-12-17 02:00 - 2012-12-17 02:00 - 00000021 ____A C:\Users\admın\Documents\Metro2033serial.txt
    2012-12-16 20:45 - 2013-01-13 00:12 - 00000000 ____D C:\Program Files (x86)\Steam
    2012-12-16 20:45 - 2012-12-16 20:45 - 00000917 ____A C:\Users\Public\Desktop\Steam.lnk
    2012-12-16 20:44 - 2012-12-18 18:37 - 00000000 ____D C:\Program Files (x86)\Metro
    2012-12-16 20:33 - 2012-12-16 20:38 - 74331423 ____A C:\Users\admın\Downloads\metro2033.exe
    2012-12-16 12:50 - 2012-12-16 12:52 - 04602915 ____A C:\Users\admın\Documents\Dire Straits - Six Blade Knife lyrics.flv
    2012-12-16 12:40 - 2012-12-16 12:45 - 10940032 ____A C:\Users\admın\Documents\Sultans of Swing (with lyrics).flv
    2012-12-16 12:36 - 2012-12-16 12:38 - 05912557 ____A C:\Users\admın\Documents\ZZ Top-Sharp Dressed Man Lyrics.flv
    2012-12-16 12:22 - 2012-12-16 12:24 - 05771227 ____A C:\Users\admın\Documents\Eric Clapton- Cocaine.flv
    2012-12-16 12:17 - 2012-12-16 12:21 - 16634134 ____A C:\Users\admın\Documents\Eric Clapton - Old Love lyrics (Album Version).flv
    2012-12-16 12:10 - 2012-12-16 12:10 - 00001289 ____A C:\Users\admın\Documents\You know I'm no good.txt
    2012-12-16 12:04 - 2012-12-16 12:04 - 00001311 ____A C:\Users\admın\Documents\Espresso Love.txt
    2012-12-16 12:01 - 2012-12-16 12:01 - 00000567 ____A C:\Users\admın\Documents\Cocaine.txt
    2012-12-14 15:38 - 2012-12-14 15:38 - 03761317 ____A C:\Users\admın\Downloads\recordings.zip

    ==================== One Month Modified Files and Folders =======

    2013-01-13 00:12 - 2012-12-16 20:45 - 00000000 ____D C:\Program Files (x86)\Steam
    2013-01-13 00:12 - 2009-07-14 07:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-01-13 00:12 - 2009-07-14 06:51 - 00055342 ____A C:\Windows\setupact.log
    2013-01-13 00:11 - 2012-06-28 13:59 - 01186076 ____A C:\Windows\WindowsUpdate.log
    2013-01-13 00:11 - 2009-07-14 06:45 - 00017360 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-01-13 00:11 - 2009-07-14 06:45 - 00017360 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-01-13 00:09 - 2012-06-28 14:04 - 00000814 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-01-13 00:06 - 2013-01-13 00:11 - 00040552 ____A C:\Users\admın\Desktop\FRST.txt
    2013-01-13 00:05 - 2013-01-13 00:11 - 00000560 ____A C:\Users\admın\Desktop\Search.txt
    2013-01-13 00:01 - 2013-01-13 00:01 - 00000000 ____D C:\FRST
    2013-01-12 23:57 - 2012-11-18 18:41 - 00000000 ____D C:\Users\admın\AppData\Roaming\mIRC
    2013-01-12 23:54 - 2009-07-14 14:45 - 00654676 ____A C:\Windows\System32\perfh01F.dat
    2013-01-12 23:54 - 2009-07-14 14:45 - 00138932 ____A C:\Windows\System32\perfc01F.dat
    2013-01-12 23:54 - 2009-07-14 07:13 - 01564578 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-01-12 23:51 - 2012-11-18 18:41 - 00000000 ____D C:\Program Files (x86)\mIRC
    2013-01-12 23:50 - 2013-01-12 23:50 - 01464233 ____A (Farbar) C:\Users\admın\Downloads\FRST64.exe
    2013-01-12 23:48 - 2013-01-12 02:24 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
    2013-01-12 23:45 - 2012-11-26 14:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-01-12 11:49 - 2012-06-30 10:55 - 00000000 ____D C:\Users\admın\AppData\Roaming\uTorrent
    2013-01-12 11:00 - 2013-01-12 10:54 - 00000000 ____D C:\Users\admın\Downloads\Les.Miserables.2012.DVDSCR-EDAW2013
    2013-01-12 11:00 - 2013-01-12 10:51 - 00000000 ____D C:\Users\admın\Downloads\Butter LIMITED BDRip XviD-SAPHiRE
    2013-01-12 10:55 - 2013-01-12 10:55 - 00000000 ____D C:\Users\admın\Downloads\SILVER LININGS DVDRIP EDAW2013
    2013-01-12 10:50 - 2013-01-12 10:50 - 00058726 ____A C:\Users\admın\Downloads\[kat.ph]butter.limited.bdrip.xvid.saphire.torrent
    2013-01-12 10:49 - 2013-01-12 10:49 - 00024555 ____A C:\Users\admın\Downloads\[kat.ph]les.miserables.2012.dvdscr.edaw2013.torrent
    2013-01-12 10:49 - 2013-01-12 10:49 - 00017090 ____A C:\Users\admın\Downloads\[kat.ph]silver.linings.playbook.2012.dvdrip.edaw2013.torrent
    2013-01-12 10:05 - 2013-01-10 11:36 - 00002594 ____A C:\Users\admın\Desktop\Rkill.txt
    2013-01-12 03:57 - 2013-01-12 03:54 - 07561130 ____A C:\Users\admın\Downloads\Celldweller - Frozen.flv
    2013-01-12 03:40 - 2012-12-11 15:25 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-01-12 02:55 - 2012-06-30 17:01 - 00000000 ____D C:\Users\admın\Downloads\Daemon Tools Pro Advanced v5.1.0. -[EC]
    2013-01-12 02:32 - 2013-01-12 02:32 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
    2013-01-12 02:31 - 2013-01-12 02:28 - 151469960 ____A C:\Users\admın\Desktop\setup_11.0.0.1245.x01_2013_01_12_03_36.exe
    2013-01-12 02:25 - 2013-01-12 02:25 - 00035250 ____A C:\Users\admın\Desktop\HitmanPro_20130112_0225.log
    2013-01-12 02:25 - 2013-01-12 02:19 - 00000000 ____D C:\Users\All Users\HitmanPro
    2013-01-12 02:24 - 2012-06-30 17:35 - 00000000 ____D C:\Users\admın\Downloads\Antares Autotune Evo VST RTAS v6.0.9 PROPER -AiR
    2013-01-12 02:20 - 2013-01-12 02:20 - 00001893 ____A C:\Users\Public\Desktop\HitmanPro.lnk
    2013-01-12 02:20 - 2013-01-12 02:19 - 00000000 ____D C:\Program Files\HitmanPro
    2013-01-12 02:19 - 2013-01-12 02:18 - 09703176 ____A (SurfRight B.V.) C:\Users\admın\Downloads\HitmanPro_x64.exe
    2013-01-11 16:55 - 2012-07-20 13:32 - 00000000 ____D C:\Users\admın\Desktop\Old Sets
    2013-01-11 16:19 - 2009-07-14 07:08 - 00032590 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2013-01-10 23:08 - 2013-01-10 23:07 - 05019950 ____A (Swearware) C:\Users\admın\Downloads\ComboFix (1).exe
    2013-01-10 23:06 - 2013-01-10 23:06 - 00015340 ____A C:\ComboFix.txt
    2013-01-10 23:06 - 2013-01-10 22:46 - 00000000 ____D C:\Qoobox
    2013-01-10 23:06 - 2012-11-14 17:00 - 00000000 ____D C:\users\adm
    2013-01-10 23:06 - 2009-07-14 05:20 - 00000000 __RHD C:\users\Default
    2013-01-10 23:05 - 2013-01-10 22:46 - 00000000 ____D C:\Windows\erdnt
    2013-01-10 23:03 - 2009-07-14 04:34 - 00000258 ____A C:\Windows\system.ini
    2013-01-10 22:52 - 2013-01-10 22:52 - 00001108 ____A C:\Users\admın\Desktop\ComboFix - Shortcut.lnk
    2013-01-10 22:43 - 2013-01-10 22:43 - 05019950 ____R (Swearware) C:\Users\admın\Downloads\ComboFix.exe
    2013-01-10 18:34 - 2013-01-10 18:34 - 00017012 ____A C:\Users\admın\Desktop\attach.txt
    2013-01-10 18:34 - 2013-01-10 18:34 - 00013509 ____A C:\Users\admın\Desktop\dds.txt
    2013-01-10 18:33 - 2013-01-10 18:33 - 00688992 ____R (Swearware) C:\Users\admın\Downloads\dds.com
    2013-01-10 18:33 - 2013-01-10 18:33 - 00000000 ____D C:\users\adm²n
    2013-01-10 18:26 - 2013-01-10 18:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-01-10 18:26 - 2013-01-10 18:25 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\admın\Downloads\mbam-setup-1.70.0.1100.exe
    2013-01-10 18:23 - 2012-07-02 16:56 - 00000000 ____D C:\Program Files (x86)\UnHackMe
    2013-01-10 18:22 - 2012-07-02 16:56 - 00000000 ____D C:\Users\All Users\RegRun
    2013-01-10 18:21 - 2012-07-02 16:58 - 00000618 ____A C:\Windows\SysWOW64\PARTIZAN.TXT
    2013-01-10 18:19 - 2012-07-02 16:56 - 00000000 ____D C:\Users\admın\Documents\RegRun2
    2013-01-10 18:12 - 2012-07-02 16:56 - 00000002 RASHOT C:\Windows\winstart.bat
    2013-01-10 18:12 - 2012-07-02 16:56 - 00000002 RASHOT C:\Windows\SysWOW64\CONFIG.NT
    2013-01-10 18:12 - 2012-07-02 16:56 - 00000002 RASHOT C:\Windows\SysWOW64\AUTOEXEC.NT
    2013-01-10 18:11 - 2012-06-30 17:05 - 00000000 ____D C:\Program Files (x86)\Daemon Tools Pro v5.1.0
    2013-01-10 18:09 - 2012-06-28 14:04 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-01-10 18:09 - 2012-06-28 14:04 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-01-10 16:50 - 2013-01-10 16:50 - 00001945 ____A C:\Windows\epplauncher.mif
    2013-01-10 16:50 - 2013-01-10 16:50 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2013-01-10 16:50 - 2013-01-10 16:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2013-01-10 15:17 - 2012-06-28 14:06 - 00000000 ____D C:\Users\All Users\Microsoft Help
    2013-01-10 15:00 - 2013-01-10 14:51 - 13529576 ____A (Microsoft Corporation) C:\Users\admın\Downloads\mseinstall.exe
    2013-01-10 15:00 - 2013-01-10 14:50 - 06151248 ____A (Uniblue Systems Ltd ) C:\Users\admın\Downloads\speedupmypc.exe
    2013-01-10 13:29 - 2013-01-10 13:29 - 00000000 ____D C:\TDSSKiller_Quarantine
    2013-01-10 13:13 - 2009-07-14 06:45 - 00342608 ____A C:\Windows\System32\FNTCACHE.DAT
    2013-01-10 13:11 - 2012-06-30 19:16 - 01542464 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2013-01-10 13:04 - 2012-11-12 14:36 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2013-01-10 13:02 - 2012-07-10 10:53 - 00000000 ____D C:\Users\admın\Desktop\New
    2013-01-10 12:28 - 2012-11-12 14:21 - 00000000 ____D C:\Games
    2013-01-10 12:25 - 2013-01-10 12:23 - 00000000 ____D C:\Users\admın\Desktop\EverestTest
    2013-01-10 12:22 - 2013-01-10 12:22 - 04402436 ____A C:\Users\admın\Downloads\everesthome220.zip
    2013-01-10 11:39 - 2013-01-10 11:39 - 00980480 ____A C:\Users\admın\Downloads\MicrosoftFixit50267.msi
    2013-01-10 11:38 - 2013-01-10 11:38 - 00000061 ____A C:\Users\admın\Documents\ashadams.txt
    2013-01-10 11:37 - 2013-01-10 11:37 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\admın\Downloads\tdsskiller.exe
    2013-01-10 11:35 - 2013-01-10 11:35 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\admın\Downloads\rkill.exe
    2013-01-10 10:56 - 2013-01-09 18:17 - 00000000 ____D C:\Windows\RestoreSafeDeleted
    2013-01-09 18:33 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\System32\NDF
    2013-01-09 14:21 - 2013-01-09 14:04 - 00000000 ____D C:\Users\admın\Downloads\Branded.2012.LIMITED.DVDRip.XVID-DEPRiVED
    2013-01-09 14:06 - 2013-01-09 14:06 - 00000000 ____D C:\Users\admın\Downloads\Not.Fade.Away.2012.DVDSCR.XviD.AC3-VAiN
    2013-01-09 13:40 - 2013-01-09 13:37 - 14205489 ____A C:\Users\admın\Downloads\The Decemberists - Here I Dreamt I Was An Architect (Lyrics)(1).flv
    2013-01-09 13:33 - 2013-01-09 13:33 - 00000000 ____D C:\Users\admın\Downloads\DEATH CAB FOR CUTIE - DISCOGRAPHY [CHANNEL NEO]
    2013-01-09 13:20 - 2013-01-09 13:17 - 21965189 ____A C:\Users\admın\Downloads\The Rolling Stones - Satisfaction (live).flv
    2013-01-09 12:56 - 2013-01-09 12:49 - 189657718 ____A C:\Users\admın\Downloads\Fix You - Coldplay - Acoustic Cover by Tyler Ward _ Boyce Avenue.mp4
    2013-01-09 12:45 - 2013-01-09 12:43 - 07500084 ____A C:\Users\admın\Downloads\My Girl - The Temptations.flv
    2013-01-09 12:38 - 2013-01-09 12:37 - 03568688 ____A C:\Users\admın\Downloads\Jackson 5 - ABC (Full song).flv
    2013-01-07 13:18 - 2013-01-07 12:47 - 597192704 ____A C:\Users\admın\Downloads\Inescapable.avi
    2013-01-07 02:57 - 2013-01-07 02:37 - 00000000 ____D C:\Users\admın\Downloads\Hitchcock.2012.DVDSCR.XviD-NYDIC
    2013-01-07 02:50 - 2013-01-07 02:39 - 00000000 ____D C:\Users\admın\Downloads\Upside.Down.2012.720p.BRRip.x264.AC3-JYK
    2013-01-07 02:41 - 2013-01-07 02:41 - 00000000 ____D C:\Users\admın\Downloads\The.Impossible.2012.DVDSCR.x264.AAC-FooKaS
    2013-01-07 02:39 - 2013-01-07 02:38 - 00000000 ____D C:\Users\admın\Downloads\Zero.Dark.Thirty.2012.DVDSCR.Xvid.Ac3-ADTRG
    2013-01-07 02:35 - 2013-01-07 02:35 - 00012610 ____A C:\Users\admın\Downloads\[kat.ph]upside.down.2012.720p.brrip.x264.ac3.jyk.torrent
    2013-01-07 02:34 - 2013-01-07 02:34 - 00115946 ____A C:\Users\admın\Downloads\[kat.ph]upside.down.2012.brrip.xvid.unique.torrent
    2013-01-07 02:34 - 2013-01-07 02:34 - 00000000 ____D C:\Users\admın\Downloads\Django Unchained 2012 DVDSCR X264 AAC-P2P
    2013-01-07 02:33 - 2013-01-07 02:33 - 00204069 ____A C:\Users\admın\Downloads\[kat.ph]django.unchained.2012.dvdscr.x264.aac.p2p.torrent
    2013-01-07 02:32 - 2013-01-07 02:32 - 00075122 ____A C:\Users\admın\Downloads\[kat.ph]hitchcock.2012.dvdscr.xvid.nydic.torrent
    2013-01-07 02:32 - 2013-01-07 02:32 - 00029619 ____A C:\Users\admın\Downloads\[kat.ph]the.impossible.2012.dvdscr.x264.aac.fookas.torrent
    2013-01-07 02:32 - 2013-01-07 02:32 - 00025312 ____A C:\Users\admın\Downloads\[kat.ph]zero.dark.thirty.2012.dvdscr.xvid.ac3.adtrg.torrent
    2013-01-06 16:26 - 2013-01-05 13:20 - 00000000 ____D C:\Users\admın\Documents\SongLyrics
    2013-01-06 14:25 - 2013-01-05 17:20 - 00000000 ____D C:\Users\admın\Documents\Backtracks
    2013-01-06 10:53 - 2009-07-14 04:34 - 00000523 ____A C:\Windows\win.ini
    2013-01-05 21:31 - 2013-01-05 21:27 - 08542909 ____A C:\Users\admın\Downloads\Riders on the storm the doors lyrics.flv
    2013-01-05 20:21 - 2013-01-05 20:18 - 10823982 ____A C:\Users\admın\Downloads\Benji Hughes - Waiting For An Invitation.flv
    2013-01-05 17:20 - 2013-01-05 17:18 - 04602915 ____A C:\Users\admın\Downloads\Dire Straits - Six Blade Knife lyrics.flv
    2013-01-05 17:11 - 2013-01-05 17:08 - 26498493 ____A C:\Users\admın\Downloads\ZZ Top - Sharp Dressed Man (Live In Texas).flv
    2013-01-05 16:53 - 2013-01-05 16:49 - 08671417 ____A C:\Users\admın\Downloads\Dire Straits - Industrial Disease lyrics.flv
    2013-01-04 13:01 - 2012-12-23 02:17 - 00000068 ____A C:\Users\admın\Documents\bandnames.txt
    2013-01-04 10:42 - 2013-01-04 10:39 - 14205489 ____A C:\Users\admın\Downloads\The Decemberists - Here I Dreamt I Was An Architect (Lyrics).flv
    2013-01-04 10:39 - 2013-01-04 10:36 - 06435461 ____A C:\Users\admın\Downloads\SUMMER BREEZE_SEALS AND CROFTS.flv
    2013-01-04 10:32 - 2013-01-04 10:30 - 17744311 ____A C:\Users\admın\Downloads\Haunt - Love song ( Lyrics).flv
    2013-01-04 10:29 - 2013-01-04 10:26 - 14385955 ____A C:\Users\admın\Downloads\Everlast ~ What It's Like (With Lyrics).flv
    2013-01-04 10:25 - 2013-01-04 10:20 - 61915909 ____A C:\Users\admın\Downloads\I Don't Need No Doctor - John Mayer.flv
    2013-01-04 10:24 - 2013-01-04 10:23 - 02905181 ____A C:\Users\admın\Downloads\Death Cab For Cutie I Will Follow You Into The Dark lyrics.flv
    2013-01-04 10:13 - 2013-01-04 10:11 - 68982786 ____A C:\Users\admın\Downloads\Aloe Blacc - I Need A Dollar - Official Video HQ.mp4
    2013-01-04 10:11 - 2013-01-04 10:07 - 39338481 ____A C:\Users\admın\Downloads\Hey Ya (acoustic cover).flv
    2013-01-04 10:07 - 2013-01-04 10:05 - 06771800 ____A C:\Users\admın\Downloads\Barbarossa - Stones.flv
    2013-01-03 17:58 - 2012-12-25 15:06 - 00000603 ____A C:\Users\admın\Documents\song suggestions.txt
    2013-01-02 16:11 - 2013-01-02 16:11 - 02744312 ____A C:\Users\admın\Downloads\mircdev.rar
    2013-01-01 17:49 - 2012-12-09 21:55 - 00000000 ____D C:\Users\admın\Documents\Mixcraft Projects
    2013-01-01 16:52 - 2013-01-01 16:52 - 28449468 ____A C:\Users\admın\Desktop\AutumnLeaves.zip
    2013-01-01 15:29 - 2012-12-27 02:13 - 00000304 ____A C:\Users\admın\Documents\cmas.txt
    2012-12-26 15:34 - 2012-11-11 23:43 - 00080251 ____A C:\Windows\DirectX.log
    2012-12-26 01:54 - 2012-12-26 01:53 - 13669265 ____A C:\Users\admın\Downloads\Football Manager 2013 Crack Only-SKIDROW.rar
    2012-12-26 01:50 - 2012-12-26 01:50 - 00000000 ____D C:\Users\admın\AppData\Roaming\Sports Interactive
    2012-12-26 00:28 - 2012-06-28 14:04 - 00000000 ___HD C:\Users\All Users\Adobe
    2012-12-23 13:13 - 2012-12-22 13:03 - 00000000 ____D C:\Users\admın\Documents\GuitarLessonResource
    2012-12-22 22:48 - 2012-12-13 00:39 - 00000000 ____D C:\Users\admın\Downloads\Castle Season 1 and 2
    2012-12-22 13:00 - 2012-12-22 13:00 - 04988686 ____A C:\Users\admın\Downloads\teachwombatdotcomfreestuff2.zip
    2012-12-21 11:37 - 2012-06-30 10:56 - 00000000 ____D C:\Program Files (x86)\uTorrent
    2012-12-19 13:57 - 2012-12-19 13:54 - 150719027 ____A C:\Users\admın\Documents\Inception Soundtrack - Time _ Piano _ Sax (Relaxing).mp4
    2012-12-19 12:01 - 2012-12-19 12:01 - 00000000 ____D C:\Users\admın\Documents\4A Games
    2012-12-19 12:00 - 2012-12-19 12:00 - 00000000 ____D C:\Users\admın\AppData\Local\4A Games
    2012-12-19 11:59 - 2012-07-01 20:56 - 00000000 ____D C:\Users\admın\AppData\Roaming\NVIDIA
    2012-12-19 03:12 - 2012-12-19 03:12 - 00013173 ____A C:\Users\admın\Downloads\bifur.zip
    2012-12-19 03:05 - 2012-12-19 03:05 - 00477022 ____A C:\Users\admın\Downloads\retro_lined_area.zip
    2012-12-19 02:48 - 2012-12-19 02:48 - 00030729 ____A C:\Users\admın\Downloads\beastieboys.zip
    2012-12-18 18:37 - 2012-12-16 20:44 - 00000000 ____D C:\Program Files (x86)\Metro
    2012-12-18 18:33 - 2012-12-18 18:33 - 00000000 ____D C:\users\admn
    2012-12-18 18:33 - 2012-12-18 18:33 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
    2012-12-17 02:00 - 2012-12-17 02:00 - 00000021 ____A C:\Users\admın\Documents\Metro2033serial.txt
    2012-12-16 20:45 - 2012-12-16 20:45 - 00000917 ____A C:\Users\Public\Desktop\Steam.lnk
    2012-12-16 20:38 - 2012-12-16 20:33 - 74331423 ____A C:\Users\admın\Downloads\metro2033.exe
    2012-12-16 19:11 - 2012-12-21 20:56 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
    2012-12-16 16:45 - 2012-12-21 20:56 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
    2012-12-16 16:13 - 2012-12-21 20:56 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
    2012-12-16 16:13 - 2012-12-21 20:56 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
    2012-12-16 14:35 - 2012-11-26 14:29 - 00000000 ____D C:\Users\admın\AppData\Roaming\Real
    2012-12-16 14:35 - 2012-11-26 14:28 - 00000000 ____D C:\Users\All Users\Real
    2012-12-16 12:52 - 2012-12-16 12:50 - 04602915 ____A C:\Users\admın\Documents\Dire Straits - Six Blade Knife lyrics.flv
    2012-12-16 12:45 - 2012-12-16 12:40 - 10940032 ____A C:\Users\admın\Documents\Sultans of Swing (with lyrics).flv
    2012-12-16 12:38 - 2012-12-16 12:36 - 05912557 ____A C:\Users\admın\Documents\ZZ Top-Sharp Dressed Man Lyrics.flv
    2012-12-16 12:24 - 2012-12-16 12:22 - 05771227 ____A C:\Users\admın\Documents\Eric Clapton- Cocaine.flv
    2012-12-16 12:21 - 2012-12-16 12:17 - 16634134 ____A C:\Users\admın\Documents\Eric Clapton - Old Love lyrics (Album Version).flv
    2012-12-16 12:10 - 2012-12-16 12:10 - 00001289 ____A C:\Users\admın\Documents\You know I'm no good.txt
    2012-12-16 12:04 - 2012-12-16 12:04 - 00001311 ____A C:\Users\admın\Documents\Espresso Love.txt
    2012-12-16 12:01 - 2012-12-16 12:01 - 00000567 ____A C:\Users\admın\Documents\Cocaine.txt
    2012-12-14 16:49 - 2013-01-10 18:26 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-12-14 15:38 - 2012-12-14 15:38 - 03761317 ____A C:\Users\admın\Downloads\recordings.zip

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-01-08 12:19:40
    Restore point made on: 2013-01-08 12:22:10
    Restore point made on: 2013-01-08 12:25:43
    Restore point made on: 2013-01-09 18:17:00
    Restore point made on: 2013-01-09 19:22:15
    Restore point made on: 2013-01-10 10:56:16
    Restore point made on: 2013-01-10 11:40:09
    Restore point made on: 2013-01-10 12:59:29
    Restore point made on: 2013-01-10 13:14:41
    Restore point made on: 2013-01-10 15:16:14
    Restore point made on: 2013-01-10 18:19:07

    ==================== Memory info ===========================

    Percentage of memory in use: 26%
    Total physical RAM: 2046.49 MB
    Available physical RAM: 1504.79 MB
    Total Pagefile: 2046.49 MB
    Available Pagefile: 1477.73 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:391.37 GB) (Free:130.89 GB) NTFS
    2 Drive e: () (Fixed) (Total:540.04 GB) (Free:533.59 GB) NTFS
    3 Drive f: (13 Ara 2012) (CDROM) (Total:1.46 GB) (Free:0 GB) UDF
    4 Drive g: (NAAAAAAAAPP) (Removable) (Total:7.45 GB) (Free:0.3 GB) FAT32
    9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    10 Drive y: (Sistem Ayrıldı) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Telif Hakkı (C) 1999-2008 Bilgisayar: MININT-L8M2O1V

    Disk ### Durum Boyut Boş Din Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Çevrimiçi 931 GB 0 B
    Disk 1 Çevrimiçi 7634 MB 0 B
    Disk 2 Medya Yok 0 B 0 B
    Disk 3 Medya Yok 0 B 0 B
    Disk 4 Medya Yok 0 B 0 B
    Disk 5 Medya Yok 0 B 0 B

    DiskPart'tan çıkılıyor...

    Partitions of Disk 0:
    ===============

    Telif Hakkı (C) 1999-2008 Bilgisayar: MININT-L8M2O1V

    Disk 0 şimdi seçili disk.

    Bölüm ### Tür Boyut Ofset
    ------------- ---------------- ------- -------
    Bölüm 1 Birincil 100 MB 1024 KB
    Bölüm 2 Birincil 391 GB 101 MB
    Bölüm 3 Birincil 540 GB 391 GB

    DiskPart'tan çıkılıyor...

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Telif Hakkı (C) 1999-2008 Bilgisayar: MININT-L8M2O1V

    Disk 1 şimdi seçili disk.

    Bölüm ### Tür Boyut Ofset
    ------------- ---------------- ------- -------
    Bölüm 1 Birincil 7634 MB 31 KB

    DiskPart'tan çıkılıyor...

    ==================================================================================

    Last Boot: 2013-01-04 11:42

    ==================== End Of Log =============================
  16. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Search.txt

    Farbar Recovery Scan Tool (x64) Version: 09-01-2013
    Ran by SYSTEM at 2013-01-13 00:15:33
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-14 01:19] - [2009-07-14 03:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-14 01:19] - [2009-07-14 03:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\erdnt\cache64\services.exe
    [2013-01-10 23:05] - [2009-07-14 03:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Malwarebytes' Anti-Rootkit

    Please download Malwarebytes' Anti-Rootkit and save it to your desktop.
    • Be sure to print out and follow the instructions provided on that same page for performing a scan.
    • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
    • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
    • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
    • Copy and paste the contents of these two log files in your next reply.


    OTL Quick Scan

    Please download OTL by OldTimer to your Desktop.
    • Close all windows and double click OTL.exe.
    • Click Quick Scan button and let the program run uninterrupted.
    • It will produce a log for you called OTL.txt; please post it in your next reply.
    • You may need to use two posts to get it all.
  18. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    I scanned 3 times with the mbar anti-rootkit; all three times it found the svchost.exe, but interestingly it didn't notice libpdcurses.dll, which, I'm sure you know, is a keylogger.

    Attached are the logs

  19. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    OTL.txt

    OTL logfile created on: 1/14/2013 4:24:17 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\admın\Desktop
    64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 0.70 Gb Available Physical Memory | 34.83% Memory free
    4.00 Gb Paging File | 2.56 Gb Available in Paging File | 63.95% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 391.37 Gb Total Space | 132.61 Gb Free Space | 33.88% Space Free | Partition Type: NTFS
    Drive D: | 540.04 Gb Total Space | 533.58 Gb Free Space | 98.80% Space Free | Partition Type: NTFS
    Drive E: | 1.46 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: ADMıN-PC | User Name: admın | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
    PRC - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
    PRC - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
    PRC - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
    PRC - [2013/01/14 01:42:45 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\admın\Desktop\OTL.exe
    PRC - [2012/12/21 11:38:11 | 000,541,760 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    PRC - [2012/12/18 16:28:22 | 000,038,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe
    PRC - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2012/12/16 20:46:07 | 001,354,736 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
    PRC - [2012/11/26 14:29:48 | 000,296,096 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
    PRC - [2012/11/11 23:46:02 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
    PRC - [2012/04/26 14:33:38 | 003,111,744 | ---- | M] (DT Soft Ltd) -- C:\Program Files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe


    ========== Modules (No Company Name) ==========

    MOD - [2013/01/14 16:23:51 | 000,249,344 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\libcurl-4.dll
    MOD - [2013/01/14 16:23:51 | 000,087,054 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\libpdcurses.dll
    MOD - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
    MOD - [2012/12/21 11:38:15 | 000,647,168 | ---- | M] () -- C:\Program Files (x86)\Steam\sdl.dll
    MOD - [2012/12/21 11:38:11 | 020,320,240 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\libcef.dll
    MOD - [2012/12/21 11:38:11 | 001,100,800 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avcodec-53.dll
    MOD - [2012/12/21 11:38:11 | 000,969,280 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\chromehtml.dll
    MOD - [2012/12/21 11:38:11 | 000,192,000 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avformat-53.dll
    MOD - [2012/12/21 11:38:11 | 000,124,416 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avutil-51.dll


    ========== Services (SafeList) ==========

    SRV:64bit: - [2012/09/12 21:21:48 | 000,368,896 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2012/09/12 21:21:48 | 000,022,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV:64bit: - [2009/07/14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/07/14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
    SRV - [2013/01/12 03:40:16 | 000,115,760 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2013/01/10 18:09:38 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/12/21 11:38:11 | 000,541,760 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2012/11/11 23:46:02 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
    SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/08/30 22:03:48 | 000,128,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV:64bit: - [2012/07/01 12:00:43 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
    DRV:64bit: - [2012/03/26 22:00:18 | 000,772,224 | ---- | M] (Line 6) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\l6TportUX864.sys -- (l6TportUX8)
    DRV:64bit: - [2012/03/01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2010/11/20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 15:32:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/20 15:32:46 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2010/11/20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 13:03:42 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
    DRV:64bit: - [2009/07/14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/10 22:35:38 | 000,707,072 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr7364.sys -- (netr7364)
    DRV:64bit: - [2009/06/10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/03/01 22:05:32 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV - [2009/07/14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
    DRV - [2001/09/27 16:00:32 | 000,027,584 | ---- | M] (NemeSys Music Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\filespy.sys -- (FILESPY)
    DRV - [2001/09/27 15:48:46 | 000,738,976 | ---- | M] (Conexant Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\ew.sys -- (EWAVE)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=11...HP_ss&mntrId=1a813b21000000000000001cf0c9416a
    IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = tr
    IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 65 61 69 48 26 55 CD 01 [binary data]
    IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
    IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searc...SP_ss&mntrId=1a813b21000000000000001cf0c9416a
    IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledAddons: %7B0153E448-190B-4987-BDE1-F256CADA672F%7D:15.0.6
    FF - prefs.js..extensions.enabledAddons: %7Bb9bfaf1c-a63f-47cd-8b9a-29526ced9060%7D:1.4.15
    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0
    FF - user.js - File not found

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\admın\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\admın\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\support@2yourface.com: C:\Users\admın\AppData\Roaming\2YourFace\ffextension
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/11/26 14:29:58 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/01/12 03:40:17 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\support@2yourface.com: C:\Users\admın\AppData\Roaming\2YourFace\ffextension

    [2012/11/26 14:53:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admın\AppData\Roaming\Mozilla\Extensions
    [2013/01/11 00:02:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admın\AppData\Roaming\Mozilla\Firefox\Profiles\zdcv06km.default\extensions
    [2013/01/11 00:02:41 | 000,013,552 | ---- | M] () (No name found) -- C:\Users\admın\AppData\Roaming\Mozilla\Firefox\Profiles\zdcv06km.default\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi
    [2012/12/11 15:25:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2012/11/26 14:29:58 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
    File not found (No name found) -- C:\USERS\ADMıN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\ZDCV06KM.DEFAULT\EXTENSIONS\{B9BFAF1C-A63F-47CD-8B9A-29526CED9060}.XPI
    [2013/01/12 03:40:17 | 000,262,704 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2012/11/20 08:17:14 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/11/20 08:17:14 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - homepage: http://search.babylon.com/?affID=11...HP_ss&mntrId=1a813b21000000000000001cf0c9416a
    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
    CHR - homepage: http://search.babylon.com/?affID=11...HP_ss&mntrId=1a813b21000000000000001cf0c9416a
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\adm\u0131n\AppData\Local\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\adm\u0131n\AppData\Local\Google\Chrome\Application\23.0.1271.97\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\adm\u0131n\AppData\Local\Google\Chrome\Application\23.0.1271.97\gcswf32.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    CHR - plugin: Google Update (Enabled) = C:\Users\adm\u0131n\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    CHR - plugin: Java Deployment Toolkit 7.0.50.5 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
    CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\admın\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\

    O1 HOSTS File: ([2013/01/10 23:03:21 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
    O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [Adobe] C:\ProgramData\Adobe\3D422E.vbe ()
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
    O4 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000..\Run: [DAEMON Tools Pro Agent] C:\Program Files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe (DT Soft Ltd)
    O4 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
    O4 - HKLM..\RunServicesOnce: [] C:\Windows\GIGATEMP\Patch.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O13 - gopher Prefix: missing
    O15 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\..Trusted Domains: line6.net ([]* in Trusted sites)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{26D9982C-60BF-4A1A-B593-D428CF93A2A0}: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87342CD1-FF71-409D-A95B-74347ABAA8CE}: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BBEAA541-9425-4117-8BE9-94DA26EFE021}: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D52D4DA9-6AFE-4683-AF44-A9FD49C0FF39}: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FF913288-5A1B-4CB8-BC7B-1068999963B0}: DhcpNameServer = 192.168.1.1
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/01/14 13:47:53 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
    [2013/01/14 01:42:24 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\admın\Desktop\OTL.exe
    [2013/01/14 01:25:34 | 000,000,000 | ---D | C] -- C:\Users\admın\Desktop\mbar
    [2013/01/13 00:01:10 | 000,000,000 | ---D | C] -- C:\FRST
    [2013/01/12 02:32:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
    [2013/01/12 02:19:30 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
    [2013/01/10 23:06:55 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2013/01/10 23:03:23 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2013/01/10 22:46:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2013/01/10 22:46:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2013/01/10 22:46:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2013/01/10 22:46:34 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2013/01/10 22:46:12 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2013/01/10 18:26:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2013/01/10 18:26:41 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2013/01/10 18:26:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2013/01/10 16:50:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
    [2013/01/10 16:50:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2013/01/10 13:29:50 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2013/01/10 12:23:44 | 000,000,000 | ---D | C] -- C:\Users\admın\Desktop\EverestTest
    [2013/01/09 18:17:23 | 000,000,000 | ---D | C] -- C:\Windows\RestoreSafeDeleted
    [2013/01/05 17:20:14 | 000,000,000 | ---D | C] -- C:\Users\admın\Documents\Backtracks
    [2013/01/05 13:20:51 | 000,000,000 | ---D | C] -- C:\Users\admın\Documents\SongLyrics
    [2012/12/30 02:48:51 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Local\Programs
    [2012/12/26 01:50:37 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Roaming\Sports Interactive
    [2012/12/24 20:57:49 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\Common Files\EAInstaller
    [2012/12/22 13:03:26 | 000,000,000 | ---D | C] -- C:\Users\admın\Documents\GuitarLessonResource
    [2012/12/19 12:01:03 | 000,000,000 | ---D | C] -- C:\Users\admın\Documents\4A Games
    [2012/12/19 12:00:02 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Local\4A Games
    [2012/12/18 18:33:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
    [2012/12/18 18:33:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard
    [2012/12/16 21:50:49 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
    [2012/12/16 20:45:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Steam
    [2012/12/16 20:45:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
    [2012/12/16 20:45:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Steam
    [2012/12/16 20:44:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Metro
    [1 C:\Users\admın\Desktop\*.tmp files -> C:\Users\admın\Desktop\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2013/01/14 16:23:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2013/01/14 16:23:20 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
    [2013/01/14 14:08:03 | 000,017,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2013/01/14 14:08:03 | 000,017,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2013/01/14 13:47:53 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
    [2013/01/14 09:15:03 | 000,000,814 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2013/01/14 01:42:45 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\admın\Desktop\OTL.exe
    [2013/01/14 00:31:25 | 001,564,578 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2013/01/14 00:31:25 | 000,654,676 | ---- | M] () -- C:\Windows\SysNative\perfh01F.dat
    [2013/01/14 00:31:25 | 000,652,180 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2013/01/14 00:31:25 | 000,138,932 | ---- | M] () -- C:\Windows\SysNative\perfc01F.dat
    [2013/01/14 00:31:25 | 000,121,112 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2013/01/13 02:01:12 | 251,439,298 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2013/01/13 01:24:04 | 000,000,228 | ---- | M] () -- C:\Windows\SysNative\.crusader
    [2013/01/12 02:31:45 | 151,469,960 | ---- | M] () -- C:\Users\admın\Desktop\setup_11.0.0.1245.x01_2013_01_12_03_36.exe
    [2013/01/11 12:47:23 | 000,021,132 | ---- | M] () -- C:\Users\admın\Documents\Am Pentatonic scale.png
    [2013/01/11 11:58:42 | 000,420,187 | ---- | M] () -- C:\Users\admın\Desktop\Svchost.jpg
    [2013/01/10 23:03:21 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2013/01/10 22:52:03 | 000,001,108 | ---- | M] () -- C:\Users\admın\Desktop\ComboFix - Shortcut.lnk
    [2013/01/10 18:26:47 | 000,001,133 | ---- | M] () -- C:\Users\admın\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2013/01/10 18:12:40 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat
    [2013/01/10 18:12:40 | 000,000,002 | RHS- | M] () -- C:\Windows\SysWow64\CONFIG.NT
    [2013/01/10 18:12:40 | 000,000,002 | RHS- | M] () -- C:\Windows\SysWow64\AUTOEXEC.NT
    [2013/01/10 16:50:55 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2013/01/10 13:13:29 | 000,342,608 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2013/01/10 13:11:32 | 001,542,464 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2013/01/03 12:23:01 | 000,040,162 | ---- | M] () -- C:\Users\admın\Documents\nicee (2).jpg
    [2013/01/01 23:30:55 | 000,055,885 | ---- | M] () -- C:\Users\admın\Documents\nn.jpg
    [2013/01/01 16:52:39 | 028,449,468 | ---- | M] () -- C:\Users\admın\Desktop\AutumnLeaves.zip
    [2012/12/31 11:09:02 | 000,098,545 | ---- | M] () -- C:\Users\admın\Documents\ikini.jpg
    [2012/12/29 19:18:54 | 000,036,370 | ---- | M] () -- C:\Users\admın\Documents\yum.jpg
    [2012/12/28 21:42:39 | 000,209,288 | ---- | M] () -- C:\Users\admın\Documents\nicee.jpg
    [2012/12/27 21:24:38 | 000,100,801 | ---- | M] () -- C:\Users\admın\Documents\bik.jpg
    [2012/12/27 00:28:51 | 000,081,736 | ---- | M] () -- C:\Users\admın\Documents\407970_525477294152683_1014306641_n.jpg
    [2012/12/19 13:57:52 | 150,719,027 | ---- | M] () -- C:\Users\admın\Documents\Inception Soundtrack - Time _ Piano _ Sax (Relaxing).mp4
    [2012/12/19 12:53:22 | 000,075,354 | ---- | M] () -- C:\Users\admın\Documents\Nice.jpg
    [2012/12/16 20:45:52 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
    [2012/12/16 12:52:51 | 004,602,915 | ---- | M] () -- C:\Users\admın\Documents\Dire Straits - Six Blade Knife lyrics.flv
    [2012/12/16 12:45:00 | 010,940,032 | ---- | M] () -- C:\Users\admın\Documents\Sultans of Swing (with lyrics).flv
    [2012/12/16 12:38:56 | 005,912,557 | ---- | M] () -- C:\Users\admın\Documents\ZZ Top-Sharp Dressed Man Lyrics.flv
    [2012/12/16 12:24:32 | 005,771,227 | ---- | M] () -- C:\Users\admın\Documents\Eric Clapton- Cocaine.flv
    [2012/12/16 12:21:42 | 016,634,134 | ---- | M] () -- C:\Users\admın\Documents\Eric Clapton - Old Love lyrics (Album Version).flv
    [1 C:\Users\admın\Desktop\*.tmp files -> C:\Users\admın\Desktop\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2013/01/13 00:23:41 | 000,000,228 | ---- | C] () -- C:\Windows\SysNative\.crusader
    [2013/01/12 02:28:27 | 151,469,960 | ---- | C] () -- C:\Users\admın\Desktop\setup_11.0.0.1245.x01_2013_01_12_03_36.exe
    [2013/01/11 12:47:04 | 000,021,132 | ---- | C] () -- C:\Users\admın\Documents\Am Pentatonic scale.png
    [2013/01/11 11:58:42 | 000,420,187 | ---- | C] () -- C:\Users\admın\Desktop\Svchost.jpg
    [2013/01/10 22:52:03 | 000,001,108 | ---- | C] () -- C:\Users\admın\Desktop\ComboFix - Shortcut.lnk
    [2013/01/10 22:46:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2013/01/10 22:46:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2013/01/10 22:46:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2013/01/10 22:46:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2013/01/10 22:46:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2013/01/10 18:26:47 | 000,001,133 | ---- | C] () -- C:\Users\admın\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2013/01/10 16:50:55 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
    [2013/01/10 16:50:45 | 000,002,117 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2013/01/03 23:15:37 | 737,107,968 | ---- | C] () -- C:\Users\admın\Desktop\The Shawshank Redemption[1994]DvDrip[Eng]-FXG.avi
    [2013/01/03 12:22:50 | 000,040,162 | ---- | C] () -- C:\Users\admın\Documents\nicee (2).jpg
    [2013/01/01 23:30:51 | 000,055,885 | ---- | C] () -- C:\Users\admın\Documents\nn.jpg
    [2013/01/01 16:52:23 | 028,449,468 | ---- | C] () -- C:\Users\admın\Desktop\AutumnLeaves.zip
    [2012/12/31 11:08:57 | 000,098,545 | ---- | C] () -- C:\Users\admın\Documents\ikini.jpg
    [2012/12/29 19:18:49 | 000,036,370 | ---- | C] () -- C:\Users\admın\Documents\yum.jpg
    [2012/12/28 21:42:29 | 000,209,288 | ---- | C] () -- C:\Users\admın\Documents\nicee.jpg
    [2012/12/27 21:24:32 | 000,100,801 | ---- | C] () -- C:\Users\admın\Documents\bik.jpg
    [2012/12/27 00:28:50 | 000,081,736 | ---- | C] () -- C:\Users\admın\Documents\407970_525477294152683_1014306641_n.jpg
    [2012/12/19 13:54:59 | 150,719,027 | ---- | C] () -- C:\Users\admın\Documents\Inception Soundtrack - Time _ Piano _ Sax (Relaxing).mp4
    [2012/12/19 12:53:15 | 000,075,354 | ---- | C] () -- C:\Users\admın\Documents\Nice.jpg
    [2012/12/16 20:45:52 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
    [2012/12/16 12:50:56 | 004,602,915 | ---- | C] () -- C:\Users\admın\Documents\Dire Straits - Six Blade Knife lyrics.flv
    [2012/12/16 12:40:50 | 010,940,032 | ---- | C] () -- C:\Users\admın\Documents\Sultans of Swing (with lyrics).flv
    [2012/12/16 12:36:19 | 005,912,557 | ---- | C] () -- C:\Users\admın\Documents\ZZ Top-Sharp Dressed Man Lyrics.flv
    [2012/12/16 12:22:06 | 005,771,227 | ---- | C] () -- C:\Users\admın\Documents\Eric Clapton- Cocaine.flv
    [2012/12/16 12:17:04 | 016,634,134 | ---- | C] () -- C:\Users\admın\Documents\Eric Clapton - Old Love lyrics (Album Version).flv
    [2012/11/22 01:28:28 | 000,119,840 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
    [2012/11/11 23:46:04 | 000,189,248 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
    [2012/11/11 23:46:02 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
    [2012/07/01 16:19:59 | 000,000,359 | ---- | C] () -- C:\Windows\GearBox.ini
    [2012/07/01 12:49:22 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\sysprs7.dll
    [2012/07/01 12:49:22 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\clauth2.dll
    [2012/07/01 12:49:22 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\clauth1.dll
    [2012/07/01 12:49:22 | 000,000,205 | ---- | C] () -- C:\Windows\SysWow64\lsprst7.dll
    [2012/07/01 12:49:22 | 000,000,073 | ---- | C] () -- C:\Windows\SysWow64\ssprs.dll
    [2012/06/30 19:16:51 | 001,542,464 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2012/06/30 17:40:29 | 000,296,448 | ---- | C] () -- C:\Windows\LOOP.exe
    [2012/06/30 17:38:19 | 000,000,113 | ---- | C] () -- C:\Windows\system32.INI
    [2012/06/30 11:57:57 | 000,000,031 | ---- | C] () -- C:\Windows\SysWow64\deck.ini
    [2012/06/28 14:04:00 | 000,631,808 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
    [2012/06/28 14:04:00 | 000,243,200 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
    [2012/06/28 14:04:00 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
    [2012/06/28 14:04:00 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
    [2012/06/28 14:03:59 | 000,080,896 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
    [2011/07/25 11:48:58 | 000,074,293 | ---- | C] () -- C:\Users\admın\AppData\Roaming\Setup.1.2.exe

    ========== ZeroAccess Check ==========

    [2009/07/14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    ========== LOP Check ==========

    [2012/12/09 21:45:57 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Acoustica
    [2012/07/01 20:42:07 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Antares
    [2012/07/01 12:27:16 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Babylon
    [2012/07/01 12:27:56 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\BabylonToolbar
    [2012/07/01 12:02:01 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\DAEMON Tools Pro
    [2012/06/30 11:28:58 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\GHISLER
    [2012/07/02 15:41:03 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Image-Line
    [2012/12/09 21:55:45 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\KORG
    [2012/07/03 10:52:58 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Line 6
    [2012/06/30 17:39:01 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Mopis
    [2012/12/09 21:46:32 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\PACE Anti-Piracy
    [2012/11/11 23:46:01 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\PunkBuster
    [2012/11/12 15:20:58 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Rovio
    [2012/12/26 01:50:37 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Sports Interactive
    [2012/12/09 21:46:16 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\SynthMaker
    [2012/07/02 15:33:30 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Toontrack
    [2013/01/12 11:49:44 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\uTorrent
    [2012/07/01 20:56:31 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Waves Audio

    ========== Purity Check ==========

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 1339 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:WVViVGXyIw88PnYxHA3M
    @Alternate Data Stream - 1271 bytes -> C:\ProgramData\Microsoft:Qstur9fW4hys2oFIPsGT1N
    @Alternate Data Stream - 1271 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:wA46eoPGPeO4snilK0kc7mMFIYi
    @Alternate Data Stream - 1227 bytes -> C:\ProgramData\Microsoft:03yUl3P72JlarMKI5TEPS0783lIG
    @Alternate Data Stream - 1176 bytes -> C:\ProgramData\Microsoft:zsUqGa9oZSuGytqJEMvkANc

    < End of report >
  20. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    And a txt file called extras.txt from the OTL scan.

    OTL Extras logfile created on: 1/14/2013 4:24:17 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\admın\Desktop
    64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 0.70 Gb Available Physical Memory | 34.83% Memory free
    4.00 Gb Paging File | 2.56 Gb Available in Paging File | 63.95% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 391.37 Gb Total Space | 132.61 Gb Free Space | 33.88% Space Free | Partition Type: NTFS
    Drive D: | 540.04 Gb Total Space | 533.58 Gb Free Space | 98.80% Space Free | Partition Type: NTFS
    Drive E: | 1.46 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: ADMıN-PC | User Name: admın | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
    .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{0EFEC96B-A1EF-43D1-B53A-6638B500C5D3}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\outlook.exe |
    "{1018F9A9-287A-4E16-9649-F7C85ECD46F1}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
    "{104FA239-7718-4882-B8DB-3D0F52C28345}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{1F47FE60-29EB-41AA-8AAC-8CA2C7A70694}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{23EEC1B2-723E-4E82-A7C4-60C69629009B}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{3046724F-C531-433C-B116-B50DE884570B}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{3E83C490-85AA-4202-A1E0-2FDE12591E8A}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{5E0DFD48-A40D-4FB6-A2F5-AB52C1C240E1}" = lport=138 | protocol=17 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{69721124-79C8-4134-B10B-7916962C6267}" = lport=137 | protocol=17 | dir=in | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{82AA8C44-D418-400D-A6EA-B6366C58F61D}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{86FFCE7A-47E5-428A-9152-487C856E4BC5}" = rport=139 | protocol=6 | dir=out | app=system |
    "{8FAAD563-F0DC-42B3-B519-A44CFB33ADF7}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{94C9AED1-A1D9-4774-BCAE-FC467C136D89}" = rport=137 | protocol=17 | dir=out | app=system |
    "{A08547C2-8D6C-42C3-BC0F-790E6A202513}" = lport=139 | protocol=6 | dir=in | app=system |
    "{A1813EC8-768D-4CEF-8164-58352DAD4AD9}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe |
    "{A47929D6-CFE8-4E7A-8213-EA2F68ABF8F3}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
    "{AA8FB957-182A-4C68-A348-969B76ADA2E2}" = lport=445 | protocol=6 | dir=in | app=system |
    "{AD81F370-3C68-46DC-8BAE-CEC45FA65F3D}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{B81B0670-6B5D-4958-A7CB-D844206A7D13}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CDFDC67F-1171-4C1C-A4A1-CD2F4F0EE499}" = rport=445 | protocol=6 | dir=out | app=system |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{DADFD3FB-BB91-4421-B4C7-66FF571B6045}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{EA575B40-5AED-4462-9082-333563660C76}" = rport=138 | protocol=17 | dir=out | app=system |
    "{F05E143A-4753-45CA-B33A-E90D22C1D573}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F78E5195-0367-4BDC-AA4D-47200B76A3C6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{0B3F7E35-AF07-494A-95DD-701756A96961}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{15C8ADBE-B139-447C-AE1F-F4A52B0FE3B5}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\uplaybrowser.exe |
    "{19DD56F3-41EE-4537-A950-E5ABF0B1F617}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
    "{1E8557FF-3365-4ECF-A3DA-3614B9CFF52E}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\assassinscreedbrotherhood.exe |
    "{32337022-533E-47CE-97A6-DA0CC34C65FA}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{38DFFE07-3088-445E-B559-543BF4D16966}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "{3F200497-04BF-42F2-BAC5-E4615EBFE20B}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{489F31DC-FB08-4109-A554-2DF6F336F0E6}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
    "{4AF43A39-6823-4F25-AB55-A52C8698AF8B}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
    "{53D564DF-AF8C-474D-BD65-F7B8F6972496}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{548E9D4A-CE1B-439B-AE7B-310F782A0260}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{64BBE997-03F8-4B81-9EE1-7C26CDB0FB39}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68821771-8B1F-495B-8611-348911B88837}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\acbmp.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{7102EC76-EA38-4D70-B4A9-FB49F7A46728}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\assassinscreedbrotherhood.exe |
    "{7A5F8071-7777-4C4D-B35A-8F91A6DD6F19}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |
    "{7CE7B0D8-18A1-4E0E-8A2F-F817771D26D1}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\acbmp.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{9C7706F1-964E-452B-B0D2-C1B019E4A026}" = protocol=17 | dir=in | app=c:\users\admin\appdata\roaming\2yourface\updater.exe |
    "{9F1E640B-C3C6-44B3-ACC7-F14C74FF3F13}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\metro 2033\metro2033.exe |
    "{A08CD572-F87D-42C3-9FAB-C889685FF6D9}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
    "{A2AE300E-4546-4726-8E45-6D5372BA78F4}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{B46EF6F4-21ED-4642-924B-DBF36CF6D80E}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\uplaybrowser.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{C8326631-6A42-4630-9D29-185DFD6D136F}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E83F184A-CB46-456C-A7F3-A407B75B71C9}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EAC0613A-9123-4426-91C9-D99184822A84}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F2214894-AC58-4A0A-8EA0-801979044339}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\acbsp.exe |
    "{F2B77355-FC42-4437-A46C-3137A3CE1EBF}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |
    "{F2D96972-5AC5-44AA-8CF9-70F17A4A5978}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\metro 2033\metro2033.exe |
    "{F65DF824-6CC8-4E4A-AF1D-B7415AA050F9}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\acbsp.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{FE590843-FDA3-46B2-ACAD-70C616B26B8E}" = protocol=6 | dir=in | app=c:\users\admin\appdata\roaming\2yourface\updater.exe |
    "TCP Query User{3A02FDCA-D94C-40E3-8F49-61D04F9816B7}C:\program files (x86)\mirc\mirc.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mirc\mirc.exe |
    "UDP Query User{BB6B950C-E08D-4420-A88C-70938C50510F}C:\program files (x86)\mirc\mirc.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mirc\mirc.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{027E5FAB-1476-4C59-AAB4-32EF28520399}" = Windows Live Language Selector
    "{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
    "{23CA8D91-FD3B-4EE6-BBDF-B5924E7E44EB}" = EZkeys Grand Piano 64
    "{25613C10-27D2-410B-942B-D922D5C3A7BE}" = Interlok driver setup x64
    "{33691AFF-9ABF-4278-BDB6-902EE07D9237}" = Native Instruments Guitar Rig 3
    "{35E5BAC5-47A5-449C-9244-C40659362DCF}" = EZkeys Player 64-bit
    "{3D83CC9F-E2E1-47AE-B1AF-F6D3A8825196}" = EZmix 64-bit
    "{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
    "{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
    "{90120000-002A-041F-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (Turkish) 2007
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{C78D3032-9DFD-41D0-9DE9-58EAE750CBA4}" = Microsoft Security Client
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "Microsoft Security Client" = Microsoft Security Essentials
    "Totalcmd64" = Total Commander 64-bit (Remove or Repair)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{038B2DB1-2B9C-45C6-A55F-17B60D80C9D2}" = Rock EZmix pack
    "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{1203DC60-D9BD-44F9-B372-2B8F227E6094}" = Windows Live Temel Parçalar
    "{147567F0-8575-4BE0-B5B3-62706C67FA5A}" = EZXCocktail
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java(TM) 7 Update 5
    "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
    "{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}" = EZXPercussion
    "{430399DC-98BC-4A7F-8F8E-77981CABAE05}" = EZXVintage
    "{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}" = EZdrummer
    "{443B561F-DE1B-4DEF-ADD9-484B684653C7}" = Windows Live Messenger
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4C4D25EB-6513-4702-8355-F4194DE2E1D9}" = Waves 4.0
    "{523DF2BB-3A85-4047-9898-29DC8AEB7E69}" = Windows Live UX Platform Language Pack
    "{54194F60-988C-4D03-B922-C2B00EFDA39A}" = NVIDIA PhysX
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
    "{8094F7AE-CA21-4AF2-A256-BC918CE0E796}" = EZXClaustrophobic
    "{82DF9225-13EC-41BD-BE31-AAB121B38166}" = EZXNashville
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{83AA2913-C123-4146-85BD-AD8F93971D39}" = BabylonObjectInstaller
    "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
    "{85373DA7-834E-4850-8AF5-1D99F7526857}" = Windows Live Photo Common
    "{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{90120000-0015-041F-0000-0000000FF1CE}" = Microsoft Office Access MUI (Turkish) 2007
    "{90120000-0015-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-041F-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Turkish) 2007
    "{90120000-0016-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-041F-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Turkish) 2007
    "{90120000-0018-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-041F-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Turkish) 2007
    "{90120000-0019-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-041F-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Turkish) 2007
    "{90120000-001A-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-041F-0000-0000000FF1CE}" = Microsoft Office Word MUI (Turkish) 2007
    "{90120000-001B-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
    "{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-041F-0000-0000000FF1CE}" = Microsoft Office Proof (Turkish) 2007
    "{90120000-001F-041F-0000-0000000FF1CE}_ENTERPRISE_{6A61C934-56F9-4AC6-A43B-30E3F9D886F5}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-002A-041F-1000-0000000FF1CE}_ENTERPRISE_{8EFDC918-E9A4-43CF-8AE2-95AE63E01DFE}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-002C-041F-0000-0000000FF1CE}" = Microsoft Office Proofing (Turkish) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0044-041F-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Turkish) 2007
    "{90120000-0044-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-041F-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Turkish) 2007
    "{90120000-006E-041F-0000-0000000FF1CE}_ENTERPRISE_{8EFDC918-E9A4-43CF-8AE2-95AE63E01DFE}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00A1-041F-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Turkish) 2007
    "{90120000-00A1-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00BA-041F-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Turkish) 2007
    "{90120000-00BA-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{92DE01AB-0E6F-4F47-8159-91B86FAEC218}" = Unity Session Demo
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AC76BA86-7AD7-1055-7B44-AA1000000001}" = Adobe Reader X (10.1.5) - Turkish
    "{BE4BA698-8533-4F77-9559-C7F3F78C0B05}" = Assassin's Creed Brotherhood
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D1EBF11E-8CE3-4EF5-8E2D-FD5B8D6BD294}" = EZXTwisted
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}" = EZXDfh
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
    "{FFF74EC9-1FF4-4456-99E3-4F05129F4FAB}" = Antares Auto-Tune Evo VST
    "2YourFace" = 2YourFace 1.0
    "Acoustica Mixcraft 6" = Acoustica Mixcraft 6
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "AngryBirdsStarWars 1.00" = AngryBirdsStarWars 1.00
    "Antares Auto-Tune 3.03 DirectX" = Antares Auto-Tune 3.03 DirectX
    "ASIO4ALL" = ASIO4ALL
    "BabylonToolbar" = Babylon toolbar on IE
    "Cakewalk Rapture_is1" = Rapture 1.0
    "Camel Audio Camel Phat VST v3.15" = Camel Audio Camel Phat VST v3.15
    "ConcreteFX QDelay VST v1.0" = ConcreteFX QDelay VST v1.0
    "Cool Edit Pro 2.1" = Cool Edit Pro 2.1
    "Cuttermusic Revitar VSTi v1.1" = Cuttermusic Revitar VSTi v1.1
    "Daemon Tools Pro v5.1.0 " = Daemon Tools Pro v5.1.0
    "Dash Signature EMM Knagalis VSTi v1.28" = Dash Signature EMM Knagalis VSTi v1.28
    "Dash Signature theAbstractGuitar VSTi v1.18" = Dash Signature theAbstractGuitar VSTi v1.18
    "db-audioware-quantum-fx-1.06" = quantum-fx 1.06
    "discoDSP Phantom_is1" = discoDSP Phantom v1.1
    "Edirol HQ Orchestral v1.01" = Edirol HQ Orchestral v1.01
    "Edirol Hyper Canvas" = Edirol Hyper Canvas
    "Edirol SuperQuartet v1.02" = Edirol SuperQuartet v1.02
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "FL Studio 10" = FL Studio 10
    "GForce.Software.Minimonsta.RTAS.VSTi.v1.03-DAC" = GForce.Software.Minimonsta.RTAS.VSTi.v1.03-DAC
    "GMedia Music impOSCar VSTi v1.0.0.1" = GMedia Music impOSCar VSTi v1.0.0.1
    "GR-55FloorBoard" = GR-55FloorBoard 20120227
    "IL Download Manager" = IL Download Manager
    "IL Slicex" = IL Slicex
    "iZotope Ozone DX Plugin v1.0.0.6" = iZotope Ozone DX Plugin v1.0.0.6
    "iZotope Ozone v3.02" = iZotope Ozone v3.02
    "iZotope Trash v1.02" = iZotope Trash v1.02
    "Kiesel.Software.Helga.VSTi.v1.1b003-0xdBass" = Kiesel.Software.Helga.VSTi.v1.1b003-0xdBass
    "KLiteCodecPack_is1" = K-Lite Codec Pack 7.1.0 (Full)
    "Korg Legacy Collection v1.1.2" = Korg Legacy Collection v1.1.2
    "Line 6 Uninstaller" = Line 6 Uninstaller
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
    "mIRC" = mIRC
    "Mopis VSTi v1.1" = Mopis VSTi v1.1
    "Morphine" = Morphine
    "Mozilla Firefox 18.0 (x86 en-US)" = Mozilla Firefox 18.0 (x86 en-US)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "Native Instruments - Rig Kontrol 3 Driver" = Native Instruments - Rig Kontrol 3 Driver
    "Native Instruments FM7" = Native Instruments FM7
    "Native Instruments Guitar Rig 3" = Native Instruments Guitar Rig 3
    "Native Instruments Service Center" = Native Instruments Service Center
    "Nomad Factory Blue Tubes Bundle v2.0" = Nomad Factory Blue Tubes Bundle v2.0
    "Nomad Factory Liquid Bundle VST v1.6" = Nomad Factory Liquid Bundle VST v1.6
    "Nomad Factory Rock Amp Legends VST v1.0" = Nomad Factory Rock Amp Legends VST v1.0
    "Novation Bass-Station VSTi v1.10" = Novation Bass-Station VSTi v1.10
    "Oddity VST2" = GMediaMusic - Oddity VST2
    "PoiZone" = PoiZone
    "PunkBusterSvc" = PunkBuster Services
    "RealPlayer 15.0" = RealPlayer
    "ReFX Vanguard VSTi v1.03 Retail" = ReFX Vanguard VSTi v1.03 Retail
    "ReFX Vanguard VSTi v1.04" = ReFX Vanguard VSTi v1.04
    "Steam App 43110" = Metro 2033
    "Sytrus" = Sytrus
    "Toxic Biohazard" = Toxic Biohazard
    "Toxic III_is1" = ToxicIII v1.0 DEMO
    "uTorrent" = µTorrent
    "vertigo2_is1" = discoDSP Vertigo v2.0
    "Wasp" = Wasp
    "WinLiveSuite" = Windows Live Temel Parçalar
    "WinRAR archiver" = WinRAR arşiv yöneticisi

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 11/18/2012 7:13:14 PM | Computer Name = admın-pc | Source = Application Hang | ID = 1002
    Description = The program FL.exe version 0.0.0.0 stopped interacting with Windows
    and was closed. To see if more information about the problem is available, check
    the problem history in the Action Center control panel. Process ID: a08 Start Time:
    01cdc5e2315ae2f7 Termination Time: 70 Application Path: C:\Program Files (x86)\Image-Line\FL
    Studio 10\FL.exe Report Id: 85c5f782-31d5-11e2-9347-00241d1093b3

    Error - 12/17/2012 10:51:59 AM | Computer Name = admın-pc | Source = Application Error | ID = 1000
    Description = Faulting application name: firefox.exe, version: 17.0.1.4715, time
    stamp: 0x50b71a4b Faulting module name: xul.dll, version: 17.0.1.4715, time stamp:
    0x50b7198b Exception code: 0xc0000005 Fault offset: 0x00144ed8 Faulting process id:
    0x1178 Faulting application start time: 0x01cddc5dfc64e810 Faulting application path:
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe Faulting module path: C:\Program
    Files (x86)\Mozilla Firefox\xul.dll Report Id: 4e8115d4-4859-11e2-a10f-00241d1093b3

    Error - 12/25/2012 7:50:48 PM | Computer Name = admın-pc | Source = Application Error | ID = 1000
    Description = Faulting application name: fm.exe, version: 13.1.0.55, time stamp:
    0x50905fcf Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception
    code: 0xc0000005 Fault offset: 0x000000a4 Faulting process id: 0x4b8 Faulting application
    start time: 0x01cde2faa2339ba7 Faulting application path: C:\Program Files (x86)\Football
    Manager 2013\fm.exe Faulting module path: unknown Report Id: e7bd924b-4eed-11e2-a104-00241d1093b3

    Error - 12/25/2012 7:57:28 PM | Computer Name = admın-pc | Source = Application Error | ID = 1000
    Description = Faulting application name: fm.exe, version: 13.1.1.1292, time stamp:
    0x5093d780 Faulting module name: fm.exe, version: 13.1.1.1292, time stamp: 0x5093d780
    Exception
    code: 0xc0000005 Fault offset: 0x017cdc9e Faulting process id: 0xa94 Faulting application
    start time: 0x01cde2fb9716b969 Faulting application path: C:\Program Files (x86)\Football
    Manager 2013\fm.exe Faulting module path: C:\Program Files (x86)\Football Manager
    2013\fm.exe Report Id: d6113596-4eee-11e2-a104-00241d1093b3

    Error - 12/26/2012 4:46:53 AM | Computer Name = admın-pc | Source = Application Error | ID = 1000
    Description = Faulting application name: fm.exe, version: 13.1.1.1292, time stamp:
    0x5093d780 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception
    code: 0xc0000005 Fault offset: 0x00000328 Faulting process id: 0x1054 Faulting application
    start time: 0x01cde343605389ec Faulting application path: C:\Program Files (x86)\SEGA\Football
    Manager 2013\fm.exe Faulting module path: unknown Report Id: cb35c871-4f38-11e2-930a-00241d1093b3

    Error - 1/3/2013 5:08:20 PM | Computer Name = admın-pc | Source = Software Protection Platform Service | ID = 8200
    Description = License acquisition failure details. hr=0x80072EE7

    Error - 1/3/2013 5:08:20 PM | Computer Name = admın-pc | Source = Software Protection Platform Service | ID = 8208
    Description = Acquisition of genuine ticket failed (hr=0x80072EE7) for template
    Id 66c92734-d682-4d71-983e-d6ec3f16059f

    Error - 1/11/2013 6:50:22 AM | Computer Name = admyn-pc | Source = Application Error | ID = 1000
    Description = Faulting application name: Explorer.EXE, version: 6.1.7601.17514,
    time stamp: 0x4ce7a144 Faulting module name: SHELL32.dll, version: 6.1.7601.17859,
    time stamp: 0x4fd2dfec Exception code: 0xc0000005 Fault offset: 0x000000000028cd32
    Faulting
    process id: 0x780 Faulting application start time: 0x01cdefe1ba3deab7 Faulting application
    path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\system32\SHELL32.dll
    Report
    Id: b232baa9-5bdc-11e2-b3f4-00241d1093b3

    Error - 1/12/2013 6:21:43 PM | Computer Name = admyn-pc | Source = Application Error | ID = 1000
    Description = Faulting application name: Explorer.EXE, version: 6.1.7601.17514,
    time stamp: 0x4ce7a144 Faulting module name: Explorer.EXE, version: 6.1.7601.17514,
    time stamp: 0x4ce7a144 Exception code: 0xc0000005 Fault offset: 0x0000000000067a22
    Faulting
    process id: 0x588 Faulting application start time: 0x01cdf1132246d46b Faulting application
    path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\Explorer.EXE Report
    Id: 71710f02-5d06-11e2-b94c-00241d1093b3

    Error - 1/13/2013 8:53:27 PM | Computer Name = admyn-pc | Source = Application Error | ID = 1000
    Description = Faulting application name: firefox.exe, version: 18.0.0.4752, time
    stamp: 0x50e79fbd Faulting module name: xul.dll, version: 18.0.0.4752, time stamp:
    0x50e79ecc Exception code: 0xc0000005 Fault offset: 0x000f8eb8 Faulting process id:
    0xc2c Faulting application start time: 0x01cdf1dcac058f43 Faulting application path:
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe Faulting module path: C:\Program
    Files (x86)\Mozilla Firefox\xul.dll Report Id: cde59967-5de4-11e2-b6b3-00241d1093b3

    [ System Events ]
    Error - 1/10/2013 4:59:33 PM | Computer Name = admın-pc | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 1/10/2013 5:01:33 PM | Computer Name = admın-pc | Source = Application Popup | ID = 1060
    Description = \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility
    with this system. Please contact your software vendor for a compatible version
    of the driver.

    Error - 1/10/2013 5:02:02 PM | Computer Name = admın-pc | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 1/10/2013 6:02:03 PM | Computer Name = admyn-pc | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 00:00:28 on ?11.?01.?2013 was unexpected.

    Error - 1/12/2013 6:25:27 PM | Computer Name = admyn-pc | Source = Service Control Manager | ID = 7024
    Description = The HitmanPro 3.7 Crusader (Boot) service terminated with service-specific
    error %%0.

    Error - 1/12/2013 8:01:16 PM | Computer Name = admyn-pc | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 01:59:47 on ?13.?01.?2013 was unexpected.

    Error - 1/12/2013 8:01:17 PM | Computer Name = ADMıN-PC | Source = BugCheck | ID = 1001
    Description =

    Error - 1/12/2013 8:01:21 PM | Computer Name = admyn-pc | Source = Service Control Manager | ID = 7024
    Description = The HitmanPro 3.7 Crusader (Boot) service terminated with service-specific
    error %%0.

    Error - 1/14/2013 10:23:54 AM | Computer Name = admyn-pc | Source = Service Control Manager | ID = 7009
    Description = A timeout was reached (30000 milliseconds) while waiting for the Steam
    Client Service service to connect.

    Error - 1/14/2013 10:23:54 AM | Computer Name = admyn-pc | Source = Service Control Manager | ID = 7000
    Description = The Steam Client Service service failed to start due to the following
    error: %%1053


    < End of report >
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Remove Babylon Toolbar from your Programs, please.

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
    Also, let me know if it persists...
  22. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Here's the log. I'm afraid the malware is still present in the same AppData\Local\Temp folder after the fix and the reboot.

    All processes killed
    ========== OTL ==========
    No active process named svchost.exe was found!
    HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
    HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache AcceptLangs| /E : value set successfully!
    HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache_TIMESTAMP| /E : value set successfully!
    Registry key HKEY_USERS\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
    Registry value HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\support@2yourface.com deleted successfully.
    File C:\Users\admın\AppData\Roaming\2YourFace\ffextension not found.
    Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\support@2yourface.com deleted successfully.
    File C:\Users\admın\AppData\Roaming\2YourFace\ffextension not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{98889811-442D-49dd-99D7-DC866BE87DBC} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ not found.
    File C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\\ deleted successfully.
    C:\Windows\GIGATEMP\Patch.exe moved successfully.
    C:\Users\admın\AppData\Roaming\Babylon folder moved successfully.
    Folder C:\Users\admın\AppData\Roaming\BabylonToolbar\ not found.
    ========== FILES ==========
    C:\Users\admın\AppData\Local\Temp\libcurl-4.dll moved successfully.
    C:\Users\admın\AppData\Local\Temp\libpdcurses.dll moved successfully.
    C:\Users\admın\AppData\Local\Temp\svchost.exe moved successfully.
    < ipconfig /flushdns /c >
    No captured output from command...
    C:\Users\admın\Desktop\cmd.bat deleted successfully.
    < netsh int ip reset c:\resetlog.txt /c >
    No captured output from command...
    C:\Users\admın\Desktop\cmd.bat deleted successfully.
    < ipconfig /release /c >
    No captured output from command...
    C:\Users\admın\Desktop\cmd.bat deleted successfully.
    < ipconfig /renew /c >
    No captured output from command...
    C:\Users\admın\Desktop\cmd.bat deleted successfully.
    ========== COMMANDS ==========
    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: adm
    ->Temp folder emptied: 0 bytes

    User: admin
    ->Temp folder emptied: 0 bytes

    User: admn
    ->Temp folder emptied: 0 bytes

    User: adm²n
    ->Temp folder emptied: 0 bytes

    User: admın
    ->Temp folder emptied: 10420074 bytes
    ->Temporary Internet Files folder emptied: 1012849 bytes
    ->Java cache emptied: 22142 bytes
    ->FireFox cache emptied: 366835515 bytes
    ->Google Chrome cache emptied: 228613267 bytes
    ->Flash cache emptied: 13687 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 76732 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 46424135 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 623.00 mb


    [EMPTYJAVA]

    User: adm

    User: admin

    User: admn

    User: adm²n

    User: admın
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: adm

    User: admin

    User: admn

    User: adm²n

    User: admın
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User

    User: Public

    Total Flash Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.69.0 log created on 01152013_000725

    Files\Folders moved on Reboot...
    C:\Users\admın\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    What's with all these extra accounts:

    User: adm

    User: admin

    User: admn

    User: adm²n

    ??

    Farbar Service Scanner

    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  24. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    I'm not sure about all the user accounts. I have a feeling it's connected to the current problem/trojan. The day before I came here to TechSpot to ask for help there was a new user account called Azaq, which is just weird; it sort of threw up a red flag and I realized I didn't just have a run-of-the-mill spamware trojan but something more serious was attacking my computer.

    Here's the log from Farbar Service Scanner (I left 'Other services' unchecked as it wasn't on the list you included; however, I did another scan with 'Other services' checked and will include that log in a 2nd post).

    Farbar Service Scanner Version: 05-01-2013
    Ran by admın (administrator) on 15-01-2013 at 22:16:09
    Running from "C:\Users\admın\Downloads"
    Windows 7 Ultimate Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
  25. jays.traas

    jays.traas Newcomer, in training Topic Starter Posts: 39

    Here's the log from the scan with "Other Services" checked.

    Farbar Service Scanner Version: 05-01-2013
    Ran by admın (administrator) on 15-01-2013 at 22:21:04
    Running from "C:\Users\admın\Downloads"
    Windows 7 Ultimate Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\ipnathlp.dll => MD5 is legit
    C:\Windows\System32\iphlpsvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
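An added example, not code from this thread or from the tools it uses (Rkill, OTL, FSS): a read-only PowerShell audit that re-checks the four things these logs surfaced (an svchost.exe outside the system directories, security services stopped or with the wrong start type, the DisableAntiSpyware value, and unexpected local accounts) so the cleanup can be confirmed after a reboot. It assumes Windows 7 SP1 or later with PowerShell 3.0 or newer, run from an elevated prompt; the expected start modes are the Windows 7 defaults as I know them, not values the thread states.

```powershell
# Added example, not part of the thread or of the tools it uses (Rkill, OTL, FSS).
# Read-only audit: nothing here modifies the system. Assumes Windows 7 SP1 or later
# with PowerShell 3.0+, run from an elevated prompt.

# 1. svchost.exe is only legitimate under the Windows system directories.
#    Rkill flagged a copy under %LOCALAPPDATA%\Temp; anything outside these two
#    folders (or with an unreadable path) is worth a look.
function Get-SuspiciousSvchost {
    $sys32 = Join-Path $env:SystemRoot 'System32\*'
    $wow64 = Join-Path $env:SystemRoot 'SysWOW64\*'
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
        Where-Object {
            -not $_.ExecutablePath -or
            ($_.ExecutablePath -notlike $sys32 -and $_.ExecutablePath -notlike $wow64)
        } |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

# 2. Services Rkill and FSS reported stopped or disabled, with the start mode each
#    has on a default Windows 7 install (assumed defaults). FSS prints 'Demand'
#    where WMI prints 'Manual'; both mean start-on-demand.
$ExpectedStartMode = @{
    'MpsSvc'    = 'Auto'   # Windows Firewall
    'wscsvc'    = 'Auto'   # Security Center (delayed start still reports Auto)
    'wuauserv'  = 'Auto'   # Windows Update
    'WinDefend' = 'Auto'   # Windows Defender (FSS showed it set to Demand)
}

function Get-SecurityServiceDrift {
    foreach ($name in $ExpectedStartMode.Keys) {
        $svc = Get-CimInstance Win32_Service -Filter "Name = '$name'"
        if (-not $svc) {
            # A core service that does not exist at all is itself a finding.
            [pscustomobject]@{ Name = $name; State = 'MISSING'; StartMode = 'MISSING';
                               Expected = $ExpectedStartMode[$name] }
            continue
        }
        if ($svc.StartMode -ne $ExpectedStartMode[$name] -or $svc.State -ne 'Running') {
            [pscustomobject]@{ Name = $name; State = $svc.State; StartMode = $svc.StartMode;
                               Expected = $ExpectedStartMode[$name] }
        }
    }
}

# 3. The FSS log showed DisableAntiSpyware=1 under the product key; the Policies
#    key is the other location where this value silences Defender. Report both.
function Get-DefenderDisablePolicy {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    foreach ($key in $keys) {
        $v = Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        if ($v -and $v.DisableAntiSpyware -eq 1) {
            "$key\DisableAntiSpyware = 1  (Defender disabled by this value)"
        }
    }
}

# 4. The helper asked about the extra 'User:' entries. List real local accounts
#    next to the profile folders on disk so a stray account (such as the 'Azaq'
#    one the poster mentioned) is easy to spot.
function Get-AccountsAndProfiles {
    $accounts = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" |
        Select-Object Name, Disabled, SID
    $profiles = Get-ChildItem -Path (Split-Path $env:USERPROFILE -Parent) -Directory |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{ LocalAccounts = $accounts; ProfileFolders = $profiles }
}

# Run all checks and print the results.
'--- svchost.exe running outside System32/SysWOW64 ---'
Get-SuspiciousSvchost | Format-List
'--- Security services not running or with unexpected start mode ---'
Get-SecurityServiceDrift | Format-Table -AutoSize
'--- Defender disable values ---'
Get-DefenderDisablePolicy
'--- Local accounts vs. profile folders ---'
$a = Get-AccountsAndProfiles
$a.LocalAccounts | Format-Table -AutoSize
'Profile folders: ' + ($a.ProfileFolders -join ', ')
```

An empty result from the first three checks, together with an account list that contains only names you recognise, is what a clean post-reboot state looks like; any line printed is something to carry back into the thread.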