TechSpot

Need help to remove svchost.exe trojan

Solved
By jays.traas
Jan 10, 2013
Topic Status:
Not open for further replies.
  1. Jay Pfoutz (Malware Helper, Posts: 4,286 +49)

    Try this in SystemLook, please:

    :dir /s
    C:\Users\admın\AppData\Local\Temp
  2. jays.traas (TS Rookie, Topic Starter, Posts: 39)

    I think I figured it out. I ran this:

    :dir
    C:\Users\admın\AppData\Local\Temp /s /MD5

    Here is the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 03:05 on 23/01/2013 by admın
    Administrator - Elevation successful

    ========== dir ==========

    C:\Users\admın\AppData\Local\Temp - Parameters: "/s /MD5"

    ---Files---
    AdobeARM.log --a---- 1382 bytes [07:02 22/01/2013] [20:11 22/01/2013] 11B60A6BB273146BD1EC98898C18BDBE
    FXSAPIDebugLogFile.txt --a---- 0 bytes [12:02 28/06/2012] [00:08 17/01/2013] D41D8CD98F00B204E9800998ECF8427E
    jusched.log --a---- 848 bytes [21:29 21/01/2013] [20:17 22/01/2013] 66E752DE8F270DE10562C1091611B6D5

    C:\Users\admın\AppData\Local\Temp\acro_rd_dir d------ [21:29 21/01/2013]

    C:\Users\admın\AppData\Local\Temp\acro_rd_dir\Cookies d--hs-- [23:40 22/01/2013]
    index.dat --ahs-- 16384 bytes [23:40 22/01/2013] [20:12 22/01/2013] D7A950FEFD60DBAA01DF2D85FEFB3862

    C:\Users\admın\AppData\Local\Temp\acro_rd_dir\History d--hs-- [23:40 22/01/2013]

    C:\Users\admın\AppData\Local\Temp\acro_rd_dir\History\History.IE5 d--hs-- [23:40 22/01/2013]
    desktop.ini --a---- 145 bytes [23:40 22/01/2013] [23:40 22/01/2013] BA96961F5E22882527919E19DAEA510F
    index.dat --ahs-- 16384 bytes [23:40 22/01/2013] [20:12 22/01/2013] D7A950FEFD60DBAA01DF2D85FEFB3862

    C:\Users\admın\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files d--hs-- [23:40 22/01/2013]

    C:\Users\admın\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5 d--hs-- [23:40 22/01/2013]
    desktop.ini ---hs-- 67 bytes [23:40 22/01/2013] [23:40 22/01/2013] 4A3DEB274BB5F0212C2419D3D8D08612
    index.dat --ahs-- 32768 bytes [23:40 22/01/2013] [20:12 22/01/2013] AD4CB9B829E87C0B72403BA870990D84

    C:\Users\admın\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\U57297I6 d--hs-- [23:40 22/01/2013]
    desktop.ini ---hs-- 67 bytes [23:40 22/01/2013] [23:40 22/01/2013] 4A3DEB274BB5F0212C2419D3D8D08612

    C:\Users\admın\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\XEP7TGJP d--hs-- [23:40 22/01/2013]
    desktop.ini ---hs-- 67 bytes [23:40 22/01/2013] [23:40 22/01/2013] 4A3DEB274BB5F0212C2419D3D8D08612

    C:\Users\admın\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\ZQ2BXN5J d--hs-- [23:40 22/01/2013]
    desktop.ini ---hs-- 67 bytes [23:40 22/01/2013] [23:40 22/01/2013] 4A3DEB274BB5F0212C2419D3D8D08612

    C:\Users\admın\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\ZWAORJMZ d--hs-- [23:40 22/01/2013]
    desktop.ini ---hs-- 67 bytes [23:40 22/01/2013] [23:40 22/01/2013] 4A3DEB274BB5F0212C2419D3D8D08612

    C:\Users\admın\AppData\Local\Temp\mozilla-temp-files d------ [07:53 22/01/2013]

    C:\Users\admın\AppData\Local\Temp\plugtmp d------ [20:12 22/01/2013]

    C:\Users\admın\AppData\Local\Temp\scoped_dir20242 d------ [20:12 22/01/2013]

    C:\Users\admın\AppData\Local\Temp\scoped_dir29959 d------ [20:12 22/01/2013]

    C:\Users\admın\AppData\Local\Temp\scoped_dir7574 d------ [20:12 22/01/2013]

    C:\Users\admın\AppData\Local\Temp\scoped_dir7649 d------ [20:12 22/01/2013]

    C:\Users\admın\AppData\Local\Temp\WPDNSE d------ [20:12 22/01/2013]

    -= EOF =-
  3. Jay Pfoutz (Malware Helper, Posts: 4,286 +49)

    Awesome...good job!

    Now, post new OTL log from Quick Scan...I think we're good here...
  4. jays.traas (TS Rookie, Topic Starter, Posts: 39)

    Yay! Here is the OTL log:

    OTL logfile created on: 1/24/2013 12:08:55 AM - Run 3
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\admın\Desktop
    64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 0.91 Gb Available Physical Memory | 45.42% Memory free
    4.00 Gb Paging File | 2.32 Gb Available in Paging File | 58.15% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 391.37 Gb Total Space | 124.10 Gb Free Space | 31.71% Space Free | Partition Type: NTFS
    Drive D: | 540.04 Gb Total Space | 533.58 Gb Free Space | 98.80% Space Free | Partition Type: NTFS
    Drive E: | 276.34 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: ADMıN-PC | User Name: admın | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/01/19 21:03:03 | 000,917,400 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    PRC - [2013/01/18 16:58:23 | 000,541,608 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    PRC - [2013/01/16 11:47:39 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\admın\Desktop\OTL.exe
    PRC - [2013/01/10 18:09:38 | 001,808,392 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe
    PRC - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2012/12/16 20:46:07 | 001,354,736 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
    PRC - [2012/11/26 14:29:48 | 000,296,096 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
    PRC - [2012/11/11 23:46:02 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
    PRC - [2012/10/20 14:33:42 | 003,281,528 | ---- | M] (mIRC Co. Ltd.) -- C:\Program Files (x86)\mIRC\mirc.exe


    ========== Modules (No Company Name) ==========

    MOD - [2013/01/19 21:03:03 | 003,022,232 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
    MOD - [2013/01/18 16:58:46 | 000,647,168 | ---- | M] () -- C:\Program Files (x86)\Steam\sdl.dll
    MOD - [2013/01/18 16:58:23 | 020,320,240 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\libcef.dll
    MOD - [2013/01/18 16:58:22 | 001,100,800 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avcodec-53.dll
    MOD - [2013/01/18 16:58:22 | 000,969,640 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\chromehtml.dll
    MOD - [2013/01/18 16:58:22 | 000,192,000 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avformat-53.dll
    MOD - [2013/01/18 16:58:22 | 000,124,416 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avutil-51.dll
    MOD - [2013/01/10 18:09:37 | 014,586,888 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll


    ========== Services (SafeList) ==========

    SRV:64bit: - [2012/09/12 21:21:48 | 000,368,896 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2012/09/12 21:21:48 | 000,022,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV:64bit: - [2009/07/14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/07/14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
    SRV - [2013/01/19 21:03:03 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2013/01/18 16:58:23 | 000,541,608 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2013/01/10 18:09:38 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2012/11/11 23:46:02 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
    SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/08/30 22:03:48 | 000,128,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV:64bit: - [2012/07/01 12:00:43 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
    DRV:64bit: - [2012/03/26 22:00:18 | 000,772,224 | ---- | M] (Line 6) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\l6TportUX864.sys -- (l6TportUX8)
    DRV:64bit: - [2012/03/01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2010/11/20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 15:32:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/20 15:32:46 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2010/11/20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 13:03:42 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
    DRV:64bit: - [2009/07/14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/10 22:35:38 | 000,707,072 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr7364.sys -- (netr7364)
    DRV:64bit: - [2009/06/10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/03/01 22:05:32 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV - [2013/01/20 14:37:23 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysWOW64\drivers\hpnjjs.sys -- (uvnm)
    DRV - [2013/01/20 14:31:14 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysWOW64\drivers\isjrp.sys -- (pjebtj)
    DRV - [2013/01/20 14:25:19 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysWOW64\drivers\mirvt.sys -- (qlze)
    DRV - [2013/01/20 14:22:26 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysWOW64\drivers\emiiwwkh.sys -- (rypkbkgv)
    DRV - [2013/01/20 14:18:18 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysWOW64\drivers\dpoukdds.sys -- (gttwa)
    DRV - [2009/07/14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
    DRV - [2001/09/27 16:00:32 | 000,027,584 | ---- | M] (NemeSys Music Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\filespy.sys -- (FILESPY)
    DRV - [2001/09/27 15:48:46 | 000,738,976 | ---- | M] (Conexant Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\ew.sys -- (EWAVE)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs =
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP =
    IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledAddons: %7B0153E448-190B-4987-BDE1-F256CADA672F%7D:15.0.6
    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
    FF - user.js - File not found

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\admın\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\admın\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/11/26 14:29:58 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/01/19 21:03:03 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

    [2012/11/26 14:53:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admın\AppData\Roaming\Mozilla\Extensions
    [2013/01/16 11:30:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admın\AppData\Roaming\Mozilla\Firefox\Profiles\zdcv06km.default\extensions
    [2012/12/11 15:25:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2013/01/19 18:26:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\updated\extensions
    [2013/01/19 18:26:31 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\updated\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    [2012/11/26 14:29:58 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
    [2013/01/19 21:03:03 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2012/11/20 08:17:14 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/11/20 08:17:14 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - homepage: http://search.babylon.com/?affID=11...HP_ss&mntrId=1a813b21000000000000001cf0c9416a
    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
    CHR - homepage: http://search.babylon.com/?affID=11...HP_ss&mntrId=1a813b21000000000000001cf0c9416a
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\admın\AppData\Local\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\admın\AppData\Local\Google\Chrome\Application\23.0.1271.97\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\admın\AppData\Local\Google\Chrome\Application\23.0.1271.97\gcswf32.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    CHR - plugin: Google Update (Enabled) = C:\Users\admın\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    CHR - plugin: Java Deployment Toolkit 7.0.50.5 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
    CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\admın\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\

    O1 HOSTS File: ([2013/01/15 00:07:27 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [Adobe] C:\ProgramData\Adobe\3D422E.vbe ()
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
    O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O13 - gopher Prefix: missing
    O15 - HKCU\..Trusted Domains: line6.net ([]* in Trusted sites)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{26D9982C-60BF-4A1A-B593-D428CF93A2A0}: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87342CD1-FF71-409D-A95B-74347ABAA8CE}: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BBEAA541-9425-4117-8BE9-94DA26EFE021}: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D52D4DA9-6AFE-4683-AF44-A9FD49C0FF39}: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FF913288-5A1B-4CB8-BC7B-1068999963B0}: DhcpNameServer = 192.168.1.1
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/01/21 23:17:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
    [2013/01/21 23:17:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FileASSASSIN
    [2013/01/21 12:09:48 | 001,153,912 | ---- | C] (Emsi Software GmbH) -- C:\Users\admın\Desktop\BlitzBlank.exe
    [2013/01/20 22:08:09 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Local\Diagnostics
    [2013/01/19 20:33:54 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
    [2013/01/16 11:58:22 | 000,000,000 | ---D | C] -- C:\_OTL
    [2013/01/16 11:47:38 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\admın\Desktop\OTL.exe
    [2013/01/15 00:02:32 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\appmgmt
    [2013/01/14 13:47:53 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
    [2013/01/14 01:25:34 | 000,000,000 | ---D | C] -- C:\Users\admın\Desktop\mbar
    [2013/01/12 02:32:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
    [2013/01/12 02:19:30 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
    [2013/01/10 23:06:55 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2013/01/10 23:03:23 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2013/01/10 22:46:12 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2013/01/10 18:26:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2013/01/10 18:26:41 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2013/01/10 18:26:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2013/01/10 16:50:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
    [2013/01/10 16:50:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2013/01/10 13:29:50 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2013/01/10 12:23:44 | 000,000,000 | ---D | C] -- C:\Users\admın\Desktop\EverestTest
    [2013/01/09 18:17:23 | 000,000,000 | ---D | C] -- C:\Windows\RestoreSafeDeleted
    [2013/01/05 17:20:14 | 000,000,000 | ---D | C] -- C:\Users\admın\Documents\Backtracks
    [2013/01/05 13:20:51 | 000,000,000 | ---D | C] -- C:\Users\admın\Documents\SongLyrics
    [2012/12/30 02:48:51 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Local\Programs
    [2012/12/26 01:50:37 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Roaming\Sports Interactive
    [1 C:\Users\admın\Desktop\*.tmp files -> C:\Users\admın\Desktop\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2013/01/24 00:09:00 | 000,000,814 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2013/01/23 23:58:51 | 001,564,578 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2013/01/23 23:58:51 | 000,654,676 | ---- | M] () -- C:\Windows\SysNative\perfh01F.dat
    [2013/01/23 23:58:51 | 000,652,180 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2013/01/23 23:58:51 | 000,138,932 | ---- | M] () -- C:\Windows\SysNative\perfc01F.dat
    [2013/01/23 23:58:51 | 000,121,112 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2013/01/23 23:47:59 | 000,017,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2013/01/23 23:47:59 | 000,017,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2013/01/23 23:40:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2013/01/23 23:40:40 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
    [2013/01/21 23:29:18 | 000,165,376 | ---- | M] () -- C:\Users\admın\Desktop\SystemLook_x64.exe
    [2013/01/21 23:17:55 | 000,001,055 | ---- | M] () -- C:\Users\Public\Desktop\FileASSASSIN.lnk
    [2013/01/21 18:18:44 | 000,074,240 | ---- | M] () -- C:\Windows\SysNative\blzblk.exe
    [2013/01/21 18:18:44 | 000,000,370 | ---- | M] () -- C:\Windows\SysNative\blzblk.dat
    [2013/01/21 18:16:52 | 000,000,017 | ---- | M] () -- C:\Users\admın\AppData\Local\resmon.resmoncfg
    [2013/01/21 12:09:57 | 001,153,912 | ---- | M] (Emsi Software GmbH) -- C:\Users\admın\Desktop\BlitzBlank.exe
    [2013/01/20 14:37:23 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\hpnjjs.sys
    [2013/01/20 14:37:23 | 000,019,286 | ---- | M] () -- C:\cleanup.exe
    [2013/01/20 14:31:14 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\isjrp.sys
    [2013/01/20 14:25:19 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\mirvt.sys
    [2013/01/20 14:22:26 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\emiiwwkh.sys
    [2013/01/20 14:18:18 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\dpoukdds.sys
    [2013/01/20 14:17:42 | 000,139,264 | ---- | M] () -- C:\Users\admın\Desktop\SystemLook.exe
    [2013/01/20 14:13:59 | 000,000,192 | ---- | M] () -- C:\Users\admın\defogger_reenable
    [2013/01/16 11:47:39 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\admın\Desktop\OTL.exe
    [2013/01/15 00:07:27 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
    [2013/01/14 13:47:53 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
    [2013/01/13 02:01:12 | 251,439,298 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2013/01/11 12:47:23 | 000,021,132 | ---- | M] () -- C:\Users\admın\Documents\Am Pentatonic scale.png
    [2013/01/11 11:58:42 | 000,420,187 | ---- | M] () -- C:\Users\admın\Desktop\Svchost.jpg
    [2013/01/10 22:52:03 | 000,001,108 | ---- | M] () -- C:\Users\admın\Desktop\ComboFix - Shortcut.lnk
    [2013/01/10 18:26:47 | 000,001,133 | ---- | M] () -- C:\Users\admın\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2013/01/10 18:12:40 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat
    [2013/01/10 18:12:40 | 000,000,002 | RHS- | M] () -- C:\Windows\SysWow64\CONFIG.NT
    [2013/01/10 18:12:40 | 000,000,002 | RHS- | M] () -- C:\Windows\SysWow64\AUTOEXEC.NT
    [2013/01/10 16:50:55 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2013/01/10 13:13:29 | 000,342,608 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2013/01/10 13:11:32 | 001,542,464 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2013/01/03 12:23:01 | 000,040,162 | ---- | M] () -- C:\Users\admın\Documents\nicee (2).jpg
    [2013/01/01 23:30:55 | 000,055,885 | ---- | M] () -- C:\Users\admın\Documents\nn.jpg
    [2013/01/01 16:52:39 | 028,449,468 | ---- | M] () -- C:\Users\admın\Desktop\AutumnLeaves.zip
    [2012/12/31 11:09:02 | 000,098,545 | ---- | M] () -- C:\Users\admın\Documents\ikini.jpg
    [2012/12/29 19:18:54 | 000,036,370 | ---- | M] () -- C:\Users\admın\Documents\yum.jpg
    [2012/12/28 21:42:39 | 000,209,288 | ---- | M] () -- C:\Users\admın\Documents\nicee.jpg
    [2012/12/27 21:24:38 | 000,100,801 | ---- | M] () -- C:\Users\admın\Documents\bik.jpg
    [2012/12/27 00:28:51 | 000,081,736 | ---- | M] () -- C:\Users\admın\Documents\407970_525477294152683_1014306641_n.jpg
    [1 C:\Users\admın\Desktop\*.tmp files -> C:\Users\admın\Desktop\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2013/01/21 23:29:17 | 000,165,376 | ---- | C] () -- C:\Users\admın\Desktop\SystemLook_x64.exe
    [2013/01/21 23:17:55 | 000,001,055 | ---- | C] () -- C:\Users\Public\Desktop\FileASSASSIN.lnk
    [2013/01/21 18:16:52 | 000,000,017 | ---- | C] () -- C:\Users\admın\AppData\Local\resmon.resmoncfg
    [2013/01/21 12:14:21 | 000,074,240 | ---- | C] () -- C:\Windows\SysNative\blzblk.exe
    [2013/01/21 12:14:21 | 000,000,370 | ---- | C] () -- C:\Windows\SysNative\blzblk.dat
    [2013/01/20 14:37:23 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\hpnjjs.sys
    [2013/01/20 14:31:14 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\isjrp.sys
    [2013/01/20 14:31:14 | 000,019,286 | ---- | C] () -- C:\cleanup.exe
    [2013/01/20 14:25:19 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\mirvt.sys
    [2013/01/20 14:22:26 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\emiiwwkh.sys
    [2013/01/20 14:18:17 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\dpoukdds.sys
    [2013/01/20 14:17:42 | 000,139,264 | ---- | C] () -- C:\Users\admın\Desktop\SystemLook.exe
    [2013/01/20 14:14:27 | 000,731,136 | ---- | C] () -- C:\Users\admın\Desktop\avenger.exe
    [2013/01/20 14:13:59 | 000,000,192 | ---- | C] () -- C:\Users\admın\defogger_reenable
    [2013/01/11 12:47:04 | 000,021,132 | ---- | C] () -- C:\Users\admın\Documents\Am Pentatonic scale.png
    [2013/01/11 11:58:42 | 000,420,187 | ---- | C] () -- C:\Users\admın\Desktop\Svchost.jpg
    [2013/01/10 22:52:03 | 000,001,108 | ---- | C] () -- C:\Users\admın\Desktop\ComboFix - Shortcut.lnk
    [2013/01/10 18:26:47 | 000,001,133 | ---- | C] () -- C:\Users\admın\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2013/01/10 16:50:55 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
    [2013/01/10 16:50:45 | 000,002,117 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2013/01/03 12:22:50 | 000,040,162 | ---- | C] () -- C:\Users\admın\Documents\nicee (2).jpg
    [2013/01/01 23:30:51 | 000,055,885 | ---- | C] () -- C:\Users\admın\Documents\nn.jpg
    [2013/01/01 16:52:23 | 028,449,468 | ---- | C] () -- C:\Users\admın\Desktop\AutumnLeaves.zip
    [2012/12/31 11:08:57 | 000,098,545 | ---- | C] () -- C:\Users\admın\Documents\ikini.jpg
    [2012/12/29 19:18:49 | 000,036,370 | ---- | C] () -- C:\Users\admın\Documents\yum.jpg
    [2012/12/28 21:42:29 | 000,209,288 | ---- | C] () -- C:\Users\admın\Documents\nicee.jpg
    [2012/12/27 21:24:32 | 000,100,801 | ---- | C] () -- C:\Users\admın\Documents\bik.jpg
    [2012/12/27 00:28:50 | 000,081,736 | ---- | C] () -- C:\Users\admın\Documents\407970_525477294152683_1014306641_n.jpg
    [2012/11/22 01:28:28 | 000,119,840 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
    [2012/11/11 23:46:04 | 000,189,248 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
    [2012/11/11 23:46:02 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
    [2012/07/01 16:19:59 | 000,000,359 | ---- | C] () -- C:\Windows\GearBox.ini
    [2012/07/01 12:49:22 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\sysprs7.dll
    [2012/07/01 12:49:22 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\clauth2.dll
    [2012/07/01 12:49:22 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\clauth1.dll
    [2012/07/01 12:49:22 | 000,000,205 | ---- | C] () -- C:\Windows\SysWow64\lsprst7.dll
    [2012/07/01 12:49:22 | 000,000,073 | ---- | C] () -- C:\Windows\SysWow64\ssprs.dll
    [2012/06/30 19:16:51 | 001,542,464 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2012/06/30 17:40:29 | 000,296,448 | ---- | C] () -- C:\Windows\LOOP.exe
    [2012/06/30 17:38:19 | 000,000,113 | ---- | C] () -- C:\Windows\system32.INI
    [2012/06/30 11:57:57 | 000,000,031 | ---- | C] () -- C:\Windows\SysWow64\deck.ini
    [2012/06/28 14:04:00 | 000,631,808 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
    [2012/06/28 14:04:00 | 000,243,200 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
    [2012/06/28 14:04:00 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
    [2012/06/28 14:04:00 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
    [2012/06/28 14:03:59 | 000,080,896 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
    [2011/07/25 11:48:58 | 000,074,293 | ---- | C] () -- C:\Users\admın\AppData\Roaming\Setup.1.2.exe

    ========== ZeroAccess Check ==========

    [2009/07/14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    ========== LOP Check ==========

    [2012/12/09 21:45:57 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Acoustica
    [2012/07/01 20:42:07 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Antares
    [2012/07/01 12:02:01 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\DAEMON Tools Pro
    [2012/06/30 11:28:58 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\GHISLER
    [2012/07/02 15:41:03 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Image-Line
    [2012/12/09 21:55:45 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\KORG
    [2012/07/03 10:52:58 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Line 6
    [2012/06/30 17:39:01 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Mopis
    [2012/12/09 21:46:32 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\PACE Anti-Piracy
    [2012/11/11 23:46:01 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\PunkBuster
    [2012/11/12 15:20:58 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Rovio
    [2012/12/26 01:50:37 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Sports Interactive
    [2012/12/09 21:46:16 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\SynthMaker
    [2012/07/02 15:33:30 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Toontrack
    [2013/01/23 17:39:43 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\uTorrent
    [2012/07/01 20:56:31 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Waves Audio

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 1339 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:WVViVGXyIw88PnYxHA3M
    @Alternate Data Stream - 1271 bytes -> C:\ProgramData\Microsoft:Qstur9fW4hys2oFIPsGT1N
    @Alternate Data Stream - 1271 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:wA46eoPGPeO4snilK0kc7mMFIYi
    @Alternate Data Stream - 1227 bytes -> C:\ProgramData\Microsoft:03yUl3P72JlarMKI5TEPS0783lIG
    @Alternate Data Stream - 1176 bytes -> C:\ProgramData\Microsoft:zsUqGa9oZSuGytqJEMvkANc

    < End of report >
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

    In Chrome, go to Options... change the homepage to something different from the Babylon search engine.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create


    Remove tools, temp files, old Restore Points

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL sometimes hides your Desktop and Start menu so the cleanup can be completed. Do not be alarmed, as this is normal.
    • It may open a log for you, but I don't need that.

    To remove all of the tools we used and the files and folders they created do the following:
    • Double click OTL.exe.
    • Click the CleanUp button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  6. jays.traas

    jays.traas TS Rookie Topic Starter Posts: 39

    Here we go:

    Results of screen317's Security Check version 0.99.57
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.70.0.1100
    Java(TM) 7 Update 5
    Java version out of Date!
    Adobe Flash Player 11.5.502.146
    Adobe Reader 10.1.5 Adobe Reader out of Date!
    Mozilla Firefox (18.0.1)
    Google Chrome 20.0.1132.47
    Google Chrome 22.0.1229.79
    Google Chrome 22.0.1229.94
    Google Chrome 23.0.1271.64
    Google Chrome 23.0.1271.91
    Google Chrome 23.0.1271.95
    Google Chrome 23.0.1271.97
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.


    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems


    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.


    Any other questions before I mark this topic solved?
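    The two uninstall passages above are done by hand through Programs and Features; as an added example that is not from the thread or from either tool, this PowerShell script enumerates the Add/Remove Programs registry entries for Java and Adobe Reader (both the 64-bit and 32-bit views on Windows 7 x64) and flags any product installed more than once. The registry paths are the standard Windows uninstall keys; the DisplayName patterns are assumptions.

```powershell
# Added example (not from the thread, OTL or Security Check): list every
# Add/Remove Programs entry for Java and Adobe Reader on 64-bit Windows 7,
# so each old version can be uninstalled before the new one is installed.
# Assumes an elevated Windows PowerShell prompt; product name patterns are assumed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',            # 64-bit installs
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' # 32-bit installs
)
# Product label -> regex tested against DisplayName (-match is case-insensitive)
$products = @{
    'Java'         = '^(Java|J2SE Runtime Environment)'
    'Adobe Reader' = '^Adobe Reader'
}

$entries = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    if ($key -like '*Wow6432Node*') { $view = '32-bit' } else { $view = '64-bit' }
    foreach ($subKey in Get-ChildItem $key) {
        $p = Get-ItemProperty -Path $subKey.PSPath
        if (-not $p.DisplayName) { continue }          # keys with no visible ARP entry
        foreach ($label in $products.Keys) {
            if ($p.DisplayName -match $products[$label]) {
                New-Object PSObject -Property @{
                    Product         = $label
                    View            = $view
                    Name            = $p.DisplayName
                    Version         = $p.DisplayVersion
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

# Everything that matched, grouped by product and sorted by version string
$entries | Sort-Object Product, Version |
    Format-Table Product, View, Name, Version, UninstallString -AutoSize

# More than one entry per product means leftovers: the helper's advice is to
# remove each old version in Programs and Features before installing the
# current release, because the installers do not remove their predecessors.
$entries | Group-Object Product | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    "$($_.Name): $($_.Count) versions installed - uninstall the older ones first."
}
```

    Per-user installs live under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and can be added to $uninstallKeys the same way.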
  8. jays.traas

    jays.traas TS Rookie Topic Starter Posts: 39

    Done and done! Thanks so much DragonMaster Jay!
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    You're welcome. Topic marked solved. :)