Solved Need help to remove svchost.exe trojan

jays.traas · Jan 10, 2013

Thanks in advance for helping me with this issue.

A few days ago UnhackMe's RegRun reanimator told me I had a suspicious program, it identified it as svchost.exe running from the temp folder in my appdata folder. I've tried everything. Killed the processes, deleted the files that it creates in the temp folder, did file searches etc, restart the computer and its back there again. The is the first virus/trojan/malware that I've found on my computer that I have not been able to track down and delete from the source.. but I'm no computer expert, far from it... just an average user. Any and all help is very appreciated.

I used Rkiller to kill the processes - Here's the log on that:

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/10/2013 06:23:22 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\ADMN~1\AppData\Local\Temp\svchost.exe (PID: 3444) [SFI]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* Windows Firewall (MpsSvc) is not Running.
Startup Type set to: Disabled

* Security Center (wscsvc) is not Running.
Startup Type set to: Disabled

* Windows Update (wuauserv) is not Running.
Startup Type set to: Automatic (Delayed Start)

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 01/10/2013 06:23:35 PM
Execution time: 0 hours(s), 0 minute(s), and 12 seconds(s)

jays.traas · Jan 10, 2013

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.10.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
admın :: ADMıN-PC [administrator]

1/10/2013 6:27:57 PM
mbam-log-2013-01-10 (18-27-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230605
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\admın\AppData\Local\Temp\svchost.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

(end)

jays.traas · Jan 10, 2013

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.5.0
Run by admın at 18:33:40 on 2013-01-10
Microsoft Windows 7 Ultimate 6.1.7601.1.1254.90.1055.18.2046.274 [GMT 2:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe
C:\Utopia\Angel\Angel.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\Notepad.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\admın\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\admın\Downloads\dds.com
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?affID=110021&tt=280612_6_&babsrc=HP_ss&mntrId=1a813b21000000000000001cf0c9416a
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
TB: Babylon Toolbar: {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
uRun: [Google Update] "C:\Users\admın\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe" -autorun
uRun: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [Adobe] C:\ProgramData\Adobe\3D422E.vbe
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mRunServicesOnce: [] C:\Windows\GIGATEMP\Patch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Microsoft Excel'e &Ver - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: line6.net
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{26D9982C-60BF-4A1A-B593-D428CF93A2A0} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{87342CD1-FF71-409D-A95B-74347ABAA8CE} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{BBEAA541-9425-4117-8BE9-94DA26EFE021} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{D52D4DA9-6AFE-4683-AF44-A9FD49C0FF39} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{FF913288-5A1B-4CB8-BC7B-1068999963B0} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{FF913288-5A1B-4CB8-BC7B-1068999963B0}\55E6C696D696475646C4F66756 : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{FF913288-5A1B-4CB8-BC7B-1068999963B0}\A5565656565656 : DHCPNameServer = 195.175.39.40
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\admın\AppData\Roaming\Mozilla\Firefox\Profiles\zdcv06km.default\
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-6-27 283200]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
R3 l6TportUX8;Service - Line 6 TonePort UX8;C:\Windows\System32\drivers\l6TportUX864.sys [2012-3-26 772224]
R3 netr7364;Vista Için ASUS USB Kablosuz LAN Kartı Sürücüsü;C:\Windows\System32\drivers\netr7364.sys [2009-6-10 707072]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-1 187392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-6-28 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-12 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-5 1255736]
SUnknown tsusbhub;tsusbhub; [x]
.
=============== Created Last 30 ================
.
2013-01-10 16:33:42--------d-----w-C:\Users\adm²n\AppData\Local\Microsoft
2013-01-10 16:26:4124176----a-w-C:\Windows\System32\drivers\mbam.sys
2013-01-10 16:26:41--------d-----w-C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-10 14:53:15972264----a-w-C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E1D0B32E-1388-4D41-A7A4-E254C7629429}\gapaengine.dll
2013-01-10 14:53:129125352----a-w-C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D3227F92-5703-4524-AB88-D6F3A073FB31}\mpengine.dll
2013-01-10 14:50:28--------d-----w-C:\Program Files (x86)\Microsoft Security Client
2013-01-10 14:50:19--------d-----w-C:\Program Files\Microsoft Security Client
2013-01-10 11:29:50--------d-----w-C:\TDSSKiller_Quarantine
2013-01-10 09:04:42750592----a-w-C:\Windows\System32\win32spl.dll
2013-01-10 09:04:42492032----a-w-C:\Windows\SysWow64\win32spl.dll
2013-01-10 09:04:312002432----a-w-C:\Windows\System32\msxml6.dll
2013-01-10 09:04:311882624----a-w-C:\Windows\System32\msxml3.dll
2013-01-10 09:04:311389568----a-w-C:\Windows\SysWow64\msxml6.dll
2013-01-10 09:04:311236992----a-w-C:\Windows\SysWow64\msxml3.dll
2013-01-10 09:04:30307200----a-w-C:\Windows\System32\ncrypt.dll
2013-01-10 09:04:30220160----a-w-C:\Windows\SysWow64\ncrypt.dll
2013-01-10 09:04:1568608----a-w-C:\Windows\System32\taskhost.exe
2013-01-10 09:04:153149824----a-w-C:\Windows\System32\win32k.sys
2013-01-09 16:17:23--------d-----w-C:\Windows\RestoreSafeDeleted
2013-01-08 10:26:029125352----a-w-C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2D8193DC-25CD-4FB6-ABA3-09913F07888E}\mpengine.dll
2012-12-25 23:50:37--------d-----w-C:\Users\admın\AppData\Roaming\Sports Interactive
2012-12-21 18:56:0946080----a-w-C:\Windows\System32\atmlib.dll
2012-12-21 18:56:09367616----a-w-C:\Windows\System32\atmfd.dll
2012-12-21 18:56:0934304----a-w-C:\Windows\SysWow64\atmlib.dll
2012-12-21 18:56:08295424----a-w-C:\Windows\SysWow64\atmfd.dll
2012-12-18 16:33:38--------d-----w-C:\Program Files (x86)\NVIDIA Corporation
2012-12-18 16:33:23--------d-----w-C:\Program Files (x86)\Common Files\Wise Installation Wizard
2012-12-18 16:33:2178680----a-w-C:\Windows\System32\XAPOFX1_4.dll
2012-12-18 16:33:2174072----a-w-C:\Windows\SysWow64\XAPOFX1_4.dll
2012-12-18 16:33:21530776----a-w-C:\Windows\System32\XAudio2_6.dll
2012-12-18 16:33:21528216----a-w-C:\Windows\SysWow64\XAudio2_6.dll
2012-12-18 16:33:2024920----a-w-C:\Windows\System32\X3DAudio1_7.dll
2012-12-18 16:33:20238936----a-w-C:\Windows\SysWow64\xactengine3_6.dll
2012-12-18 16:33:2022360----a-w-C:\Windows\SysWow64\X3DAudio1_7.dll
2012-12-18 16:33:20176984----a-w-C:\Windows\System32\xactengine3_6.dll
2012-12-16 18:45:48--------d-----w-C:\Program Files (x86)\Common Files\Steam
2012-12-16 18:45:39--------d-----w-C:\Program Files (x86)\Steam
2012-12-16 18:44:19--------d-----w-C:\Program Files (x86)\Metro
2012-12-13 00:58:16424960----a-w-C:\Windows\System32\KernelBase.dll
2012-12-13 00:54:502048----a-w-C:\Windows\SysWow64\tzres.dll
2012-12-13 00:54:502048----a-w-C:\Windows\System32\tzres.dll
2012-12-12 23:39:55478208----a-w-C:\Windows\System32\dpnet.dll
2012-12-12 23:39:55376832----a-w-C:\Windows\SysWow64\dpnet.dll
.
==================== Find3M ====================
.
2013-01-10 16:12:402--shatr-C:\Windows\winstart.bat
2013-01-10 16:09:3874248----a-w-C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-10 16:09:38697864----a-w-C:\Windows\SysWow64\FlashPlayerApp.exe
2012-11-26 12:29:47499712----a-w-C:\Windows\SysWow64\msvcp71.dll
2012-11-26 12:29:47348160----a-w-C:\Windows\SysWow64\msvcr71.dll
2012-11-14 06:11:442312704----a-w-C:\Windows\System32\jscript9.dll
2012-11-14 06:04:111392128----a-w-C:\Windows\System32\wininet.dll
2012-11-14 06:02:491494528----a-w-C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46599040----a-w-C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35173056----a-w-C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:402382848----a-w-C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:221800704----a-w-C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:151427968----a-w-C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:371129472----a-w-C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25142848----a-w-C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27420864----a-w-C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:422382848----a-w-C:\Windows\SysWow64\mshtml.tlb
2012-11-12 12:30:37152576----a-w-C:\Windows\SysWow64\msclmd.dll
2012-11-12 12:30:36175616----a-w-C:\Windows\System32\msclmd.dll
2012-11-11 21:46:04189248----a-w-C:\Windows\SysWow64\PnkBstrB.exe
2012-11-11 21:46:0275136----a-w-C:\Windows\SysWow64\PnkBstrA.exe
.
============= FINISH: 18:34:25.85 ===============

jays.traas · Jan 10, 2013

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 6/28/2012 3:01:30 PM
System Uptime: 1/10/2013 6:21:31 PM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | EX58-UD3R
Processor: Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz | Socket 1366 | 1592/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 391 GiB total, 139.038 GiB free.
D: is FIXED (NTFS) - 540 GiB total, 533.586 GiB free.
E: is CDROM (UDF)
F: is CDROM ()
G: is CDROM ()
I: is Removable
J: is Removable
K: is Removable
L: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP150: 1/8/2013 12:19:30 PM - RegRun Virus Scan
RP151: 1/8/2013 12:22:01 PM - RegRun Virus Scan
RP152: 1/8/2013 12:25:29 PM - Windows Update
RP153: 1/9/2013 6:16:50 PM - RegRun Virus Scan
RP154: 1/9/2013 7:22:04 PM - RegRun Virus Scan
RP155: 1/10/2013 10:56:03 AM - RegRun Virus Scan
RP156: 1/10/2013 11:39:54 AM - Installed Microsoft Fix it 50267
RP157: 1/10/2013 12:59:17 PM - Windows Update
RP158: 1/10/2013 1:14:21 PM - RegRun Virus Scan
RP159: 1/10/2013 3:16:02 PM - Windows Update
RP160: 1/10/2013 6:18:53 PM - RegRun Virus Scan
.
==== Installed Programs ======================
.
2YourFace 1.0
Acoustica Mixcraft 6
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.5) - Turkish
AngryBirdsStarWars 1.00
Antares Auto-Tune 3.03 DirectX
Antares Auto-Tune Evo VST
ASIO4ALL
Assassin's Creed Brotherhood
µTorrent
Babylon toolbar on IE
BabylonObjectInstaller
Camel Audio Camel Phat VST v3.15
ConcreteFX QDelay VST v1.0
Cool Edit Pro 2.1
Cuttermusic Revitar VSTi v1.1
D3DX10
Daemon Tools Pro v5.1.0
Dash Signature EMM Knagalis VSTi v1.28
Dash Signature theAbstractGuitar VSTi v1.18
discoDSP Phantom v1.1
discoDSP Vertigo v2.0
Edirol HQ Orchestral v1.01
Edirol Hyper Canvas
Edirol SuperQuartet v1.02
EZdrummer
EZkeys Grand Piano 64
EZkeys Player 64-bit
EZmix 64-bit
EZXClaustrophobic
EZXCocktail
EZXDfh
EZXNashville
EZXPercussion
EZXTwisted
EZXVintage
FL Studio 10
GForce.Software.Minimonsta.RTAS.VSTi.v1.03-DAC
GMedia Music impOSCar VSTi v1.0.0.1
GMediaMusic - Oddity VST2
Google Chrome
GR-55FloorBoard 20120227
IL Download Manager
IL Slicex
Interlok driver setup x64
iZotope Ozone DX Plugin v1.0.0.6
iZotope Ozone v3.02
iZotope Trash v1.02
Java Auto Updater
Java(TM) 7 Update 5
K-Lite Codec Pack 7.1.0 (Full)
Kiesel.Software.Helga.VSTi.v1.1b003-0xdBass
Korg Legacy Collection v1.1.2
Line 6 Uninstaller
Malwarebytes Anti-Malware version 1.70.0.1100
Metro 2033
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (Turkish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Turkish) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (Turkish) 2007
Microsoft Office InfoPath MUI (Turkish) 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (Turkish) 2007
Microsoft Office Outlook MUI (Turkish) 2007
Microsoft Office PowerPoint MUI (Turkish) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Turkish) 2007
Microsoft Office Proofing (Turkish) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (Turkish) 2007
Microsoft Office Shared 64-bit MUI (Turkish) 2007
Microsoft Office Shared MUI (Turkish) 2007
Microsoft Office Word MUI (Turkish) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
mIRC
Mopis VSTi v1.1
Morphine
Mozilla Firefox 17.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
Native Instruments - Rig Kontrol 3 Driver
Native Instruments FM7
Native Instruments Guitar Rig 3
Native Instruments Service Center
Nomad Factory Blue Tubes Bundle v2.0
Nomad Factory Liquid Bundle VST v1.6
Nomad Factory Rock Amp Legends VST v1.0
Novation Bass-Station VSTi v1.10
NVIDIA PhysX
PoiZone
PunkBuster Services
quantum-fx 1.06
Rapture 1.0
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
ReFX Vanguard VSTi v1.03 Retail
ReFX Vanguard VSTi v1.04
Rock EZmix pack
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Steam
Sytrus
Total Commander 64-bit (Remove or Repair)
Toxic Biohazard
ToxicIII v1.0 DEMO
Ubisoft Game Launcher
Unity Session Demo
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760586) 32-Bit Edition
Wasp
Waves 4.0
Windows Live Communications Platform
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Temel Parçalar
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinRAR arşiv yöneticisi
.
==== Event Viewer Messages From Past Week ========
.
1/7/2013 9:23:29 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\DR5.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7034] - The Tanılama Hizmeti Ana Bilgisayarı service terminated unexpectedly. It has done this 1 time(s).
1/5/2013 12:31:40 PM, Error: Service Control Manager [7031] - The WinHTTP Web Proxy Otomatik Bulma Hizmeti service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7031] - The COM+ Olay Sistemi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7031] - The Ağ Listesi Hizmeti service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7031] - The Ağ Depo Arabirimi Hizmeti service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the WinHTTP Web Proxy Otomatik Bulma Hizmeti service to connect.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Ağ Depo Arabirimi Hizmeti service to connect.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Ağ Depo Arabirimi Hizmeti service to connect.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7001] - The Uzaktan Yordam Çağrısı (RPC) service depends on the RPC Bitiş Noktası Eşleştiricisi service which failed to start because of the following error: The service has returned a service-specific error code.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7001] - The Ağ Listesi Hizmeti service depends on the Uzaktan Yordam Çağrısı (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7001] - The Ağ Konumu Tanıma service depends on the Uzaktan Yordam Çağrısı (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7000] - The WinHTTP Web Proxy Otomatik Bulma Hizmeti service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7000] - The Ağ Depo Arabirimi Hizmeti service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/5/2013 12:31:40 PM, Error: Service Control Manager [7000] - The Ağ Depo Arabirimi Hizmeti service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/5/2013 12:31:37 PM, Error: Service Control Manager [7031] - The Uzaktan Yordam Çağrısı (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Makineyi yeniden başlatın.
1/5/2013 12:31:37 PM, Error: Service Control Manager [7031] - The RPC Bitiş Noktası Eşleştiricisi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:33 PM, Error: Service Control Manager [7034] - The Ağ Konumu Tanıma service terminated unexpectedly. It has done this 3 time(s).
1/5/2013 12:31:30 PM, Error: Service Control Manager [7031] - The IPsec İlke Aracısı service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:26 PM, Error: Service Control Manager [7031] - The Ağ Konumu Tanıma service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:17 PM, Error: Service Control Manager [7031] - The Şifreleme Hizmetleri service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:17 PM, Error: Service Control Manager [7031] - The DNS İstemcisi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:17 PM, Error: Service Control Manager [7031] - The Ağ Konumu Tanıma service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:17 PM, Error: Service Control Manager [7031] - The İş İstasyonu service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7034] - The Tanılama Sistemi Ana Bilgisayarı service terminated unexpectedly. It has done this 1 time(s).
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Windows Ses Bitiş Noktası Oluşturucu service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Windows Driver Foundation - Kullanıcı Modu Sürücü Çerçevesi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Taşınabilir Aygıt Numaralandırma Hizmeti service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Program Uyumluluk Yardımcısı Hizmeti service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Masaüstü Pencere Yöneticisi Oturum Yöneticisi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Kablosuz Yerel Ağ Otomatik Yapılandırma service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Hızlı Getirme service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Dağıtılmış Bağlantı İzleme İstemcisi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Çevrimdışı Dosyalar service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The Ağ Bağlantıları service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Hizmeti yeniden başlat.
1/5/2013 12:31:10 PM, Error: Service Control Manager [7031] - The İnsan Arabirim Aygıtı Erişimi service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Hizmeti yeniden başlat.
1/10/2013 12:24:43 PM, Error: Service Control Manager [7000] - The Lavalys EVEREST Kernel Driver service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
1/10/2013 11:40:20 AM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
.
==== End Of File ===========================

Jay Pfoutz · Jan 10, 2013

Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information

From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
If you have already asked for help somewhere, please post the link to the topic you were helped.
We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

ComboFix scan

Please download ComboFix

by sUBs
From TechSpot

Direct Link (alternative)

Please save the file to your Desktop.

Important information about ComboFix

After the download:

Close any open browsers.
Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:

Double click on ComboFix.exe & follow the prompts.
When ComboFix finishes, it will produce a report for you.
Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

jays.traas · Jan 10, 2013

Thanks so much. Here is the log from Combofix.

ComboFix 13-01-08.01 - admın 01/10/2013 22:55:35.2.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1254.90.1055.18.2046.971 [GMT 2:00]
Running from: c:\users\admın\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\admın\Documents\~WRL1995.tmp
c:\utopia\Angel\Angel.exe
c:\windows\PFRO.log
.
.
((((((((((((((((((((((((( Files Created from 2012-12-10 to 2013-01-10 )))))))))))))))))))))))))))))))
.
.
2013-01-10 21:01 . 2013-01-10 21:01--------d-----w-c:\users\Default\AppData\Local\temp
2013-01-10 16:33 . 2013-01-10 16:33--------d-----w-c:\users\adm²n
2013-01-10 16:26 . 2013-01-10 16:26--------d-----w-c:\program files (x86)\Malwarebytes' Anti-Malware
2013-01-10 16:26 . 2012-12-14 14:4924176----a-w-c:\windows\system32\drivers\mbam.sys
2013-01-10 14:53 . 2013-01-10 14:53972264----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E1D0B32E-1388-4D41-A7A4-E254C7629429}\gapaengine.dll
2013-01-10 14:53 . 2012-11-08 07:249125352----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D3227F92-5703-4524-AB88-D6F3A073FB31}\mpengine.dll
2013-01-10 14:50 . 2013-01-10 14:50--------d-----w-c:\program files (x86)\Microsoft Security Client
2013-01-10 14:50 . 2013-01-10 14:50--------d-----w-c:\program files\Microsoft Security Client
2013-01-10 11:29 . 2013-01-10 11:29--------d-----w-C:\TDSSKiller_Quarantine
2013-01-10 09:04 . 2012-11-09 05:45750592----a-w-c:\windows\system32\win32spl.dll
2013-01-10 09:04 . 2012-11-09 04:43492032----a-w-c:\windows\SysWow64\win32spl.dll
2013-01-10 09:04 . 2012-11-01 05:432002432----a-w-c:\windows\system32\msxml6.dll
2013-01-10 09:04 . 2012-11-01 05:431882624----a-w-c:\windows\system32\msxml3.dll
2013-01-10 09:04 . 2012-11-01 04:471389568----a-w-c:\windows\SysWow64\msxml6.dll
2013-01-10 09:04 . 2012-11-01 04:471236992----a-w-c:\windows\SysWow64\msxml3.dll
2013-01-10 09:04 . 2012-11-20 05:48307200----a-w-c:\windows\system32\ncrypt.dll
2013-01-10 09:04 . 2012-11-20 04:51220160----a-w-c:\windows\SysWow64\ncrypt.dll
2013-01-10 09:04 . 2012-11-23 03:263149824----a-w-c:\windows\system32\win32k.sys
2013-01-10 09:04 . 2012-11-23 03:1368608----a-w-c:\windows\system32\taskhost.exe
2013-01-09 16:17 . 2013-01-10 08:56--------d-----w-c:\windows\RestoreSafeDeleted
2013-01-08 10:26 . 2012-11-08 17:249125352----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{2D8193DC-25CD-4FB6-ABA3-09913F07888E}\mpengine.dll
2012-12-30 00:48 . 2012-12-30 00:48--------d-----w-c:\users\admın\AppData\Local\Programs
2012-12-25 23:50 . 2012-12-25 23:50--------d-----w-c:\users\admın\AppData\Roaming\Sports Interactive
2012-12-21 18:56 . 2012-12-16 17:1146080----a-w-c:\windows\system32\atmlib.dll
2012-12-21 18:56 . 2012-12-16 14:45367616----a-w-c:\windows\system32\atmfd.dll
2012-12-21 18:56 . 2012-12-16 14:1334304----a-w-c:\windows\SysWow64\atmlib.dll
2012-12-21 18:56 . 2012-12-16 14:13295424----a-w-c:\windows\SysWow64\atmfd.dll
2012-12-19 10:00 . 2012-12-19 10:00--------d-----w-c:\users\admın\AppData\Local\4A Games
2012-12-18 16:33 . 2012-12-18 16:33--------d-----w-c:\program files (x86)\NVIDIA Corporation
2012-12-18 16:33 . 2012-12-18 16:33--------d-----w-c:\program files (x86)\Common Files\Wise Installation Wizard
2012-12-18 16:33 . 2012-12-18 16:33--------d-----w-c:\users\admn
2012-12-18 16:33 . 2010-02-04 08:0178680----a-w-c:\windows\system32\XAPOFX1_4.dll
2012-12-18 16:33 . 2010-02-04 08:0174072----a-w-c:\windows\SysWow64\XAPOFX1_4.dll
2012-12-18 16:33 . 2010-02-04 08:01530776----a-w-c:\windows\system32\XAudio2_6.dll
2012-12-18 16:33 . 2010-02-04 08:01528216----a-w-c:\windows\SysWow64\XAudio2_6.dll
2012-12-18 16:33 . 2010-02-04 08:0124920----a-w-c:\windows\system32\X3DAudio1_7.dll
2012-12-18 16:33 . 2010-02-04 08:01238936----a-w-c:\windows\SysWow64\xactengine3_6.dll
2012-12-18 16:33 . 2010-02-04 08:0122360----a-w-c:\windows\SysWow64\X3DAudio1_7.dll
2012-12-18 16:33 . 2010-02-04 08:01176984----a-w-c:\windows\system32\xactengine3_6.dll
2012-12-16 18:45 . 2012-12-16 18:45--------d-----w-c:\program files (x86)\Common Files\Steam
2012-12-16 18:45 . 2013-01-10 21:03--------d-----w-c:\program files (x86)\Steam
2012-12-16 18:44 . 2012-12-18 16:37--------d-----w-c:\program files (x86)\Metro
2012-12-13 00:58 . 2012-10-04 17:45215040----a-w-c:\windows\system32\winsrv.dll
2012-12-13 00:54 . 2012-11-09 05:452048----a-w-c:\windows\system32\tzres.dll
2012-12-13 00:54 . 2012-11-09 04:422048----a-w-c:\windows\SysWow64\tzres.dll
2012-12-12 23:39 . 2012-11-02 05:59478208----a-w-c:\windows\system32\dpnet.dll
2012-12-12 23:39 . 2012-11-02 05:11376832----a-w-c:\windows\SysWow64\dpnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-10 16:12 . 2012-07-02 14:562--shatr-c:\windows\winstart.bat
2013-01-10 16:09 . 2012-06-28 12:0474248----a-w-c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-10 16:09 . 2012-06-28 12:04697864----a-w-c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-10 11:04 . 2012-11-12 12:3667599240----a-w-c:\windows\system32\MRT.exe
2012-11-26 12:29 . 2012-06-30 15:31499712----a-w-c:\windows\SysWow64\msvcp71.dll
2012-11-26 12:29 . 2012-06-30 15:31348160----a-w-c:\windows\SysWow64\msvcr71.dll
2012-11-12 12:30 . 2009-07-14 02:36152576----a-w-c:\windows\SysWow64\msclmd.dll
2012-11-12 12:30 . 2009-07-14 02:36175616----a-w-c:\windows\system32\msclmd.dll
2012-11-11 21:46 . 2012-11-11 21:46189248----a-w-c:\windows\SysWow64\PnkBstrB.exe
2012-11-11 21:46 . 2012-11-11 21:4675136----a-w-c:\windows\SysWow64\PnkBstrA.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe" [2012-04-26 3111744]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-12-16 1354736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-11-26 296096]
"Adobe"="c:\programdata\Adobe\3D422E.vbe" [2012-10-02 7147]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"<NO NAME>"="c:\windows\GIGATEMP\Patch.exe" [2001-10-01 148719]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [x]
R3 FILESPY;FILESPY;c:\windows\system32\drivers\FILESPY.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-30 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-12 368896]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;tsusbhub [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-07-01 283200]
S3 l6TportUX8;Service - Line 6 TonePort UX8;c:\windows\system32\Drivers\l6TportUX864.sys [2012-03-26 772224]
S3 netr7364;Vista Için ASUS USB Kablosuz LAN Kartı Sürücüsü;c:\windows\system32\DRIVERS\netr7364.sys [2009-06-10 707072]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-01 187392]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-28 16:09]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 1289704]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.babylon.com/?affID=110021&tt=280612_6_&babsrc=HP_ss&mntrId=1a813b21000000000000001cf0c9416a
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Microsoft Excel'e &Ver - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: line6.net
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Utopia Angel - c:\utopia\Angel\Angel.exe
SafeBoot-09100493.sys
SafeBoot-18906872.sys
SafeBoot-66598749.sys
AddRemove-2YourFace - c:\users\admın\AppData\Roaming\2YourFace\uninst.exe
AddRemove-Native Instruments - Rig Kontrol 3 Driver - c:\program files (x86)\Native Instruments\Rig Kontrol 3 Driver\uninst.exe Software\Native Instruments\Rig Kontrol 3 Driver\Setup
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2013-01-10 23:06:53 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-10 21:06
.
Pre-Run: 148,192,014,336 bytes free
Post-Run: 147,939,753,984 bytes free
.
- - End Of File - - 7A859F8F4B3F85A9F694394380C80792

Jay Pfoutz · Jan 10, 2013

Good work!

TDSSKiller Scan

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

jays.traas · Jan 11, 2013

Okay I ran the scan, attached the log. However I've also attached a screen grab, tsskiller didn't detect anything but the svchost.exe file is back in the temp folder again, and the process is still running.

This may be of some help, the way the processes seem to affect my computer is that after some time, anywhere from 20-30 mins to 1 hour of running, my computer will suddenly switch to power saving mode, the screen will switch off, the fans start to run fast as the hdd seems to switch off, pressing the spacebar key will bring the computer back to life again, but sometimes it just automatically then switches into power saving mode again.

Add to this my keyboard going completely whack, random keys being pressed into any available area.. if I open a browser the address bar will fill with random letters that don't stop in a zjzjjzjzjjzjzjjzzjzjzjjzjzjzjjzjzjzzjzjzjzjzjzjjz pattern (different letters every time).

It basically renders the computer unusable. Restarting doesn't help, shutting down for a bit and then rebooting usually holds this sort of craziness for another 30mins to an hour.

Jay Pfoutz · Jan 11, 2013

Hitman Pro

Please download Hitman Pro

After the download completes please double click the program to run it.
Accept the terms of the license agreement and click Next
Let the scan run. It will not take long
When the scan finishes, and all the files have been uploaded to the Scan Cloud, click Next
Click Next again. At the bottom left you will see Export Scan Results To XML File. Click that and save it in a convenient location
Upload log.xml here for review please

Kaspersky Virus Removal Tool

The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

Double-click the Setup file to install it on your computer.
Once it has installed, review and accept the agreement and press the Start button.
You will presented with the main interface, but don't scan yet, click the options tab (gear icon):
On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive:
On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High":
Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
Once done scanning, choose the Report tab (page icon), select Detected Threats tab on left, and choose Disinfect All:
Then, choose Save. Also, in the Automatic Report tab, select Save:
Please post the reports in your next reply.
Once you exit, the tool should uninstall automatically.

jays.traas · Jan 11, 2013

Here is the log from HitmanPro (it didn't give me an option to save to an .xml, simply gave me a 'save log' option.

Code:

HitmanPro 3.7.0.185
www.hitmanpro.com

   Computer name . . . . : ADMıN-PC
   Windows . . . . . . . : 6.1.1.7601.X64/8
   User name . . . . . . : admın-pc\admın
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Trial (30 days left)

   Scan date . . . . . . : 2013-01-12 02:20:00
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 3m 53s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 4
   Traces  . . . . . . . : 129

   Objects scanned . . . : 1,428,449
   Files scanned . . . . : 16,835
   Remnants scanned  . . : 512,374 files / 899,240 keys

Malware _____________________________________________________________________

   C:\Users\admın\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7M6IU78Z\libpdcurses[1].dll -> Quarantined
      Size . . . . . . . : 87,054 bytes
      Age  . . . . . . . : 1.1 days (2013-01-11 00:02:32)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : 94995B0560D2CCDA7951252397EB152B499454746B75D03479BBFA551DEF41E4
    > Ikarus . . . . . . : Trojan-PWS.Keylogger!IK
      Fuzzy  . . . . . . : 108.0

   C:\Users\admın\AppData\Local\Temp\libpdcurses.dll -> Quarantined
      Size . . . . . . . : 87,054 bytes
      Age  . . . . . . . : 1.1 days (2013-01-11 00:02:32)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : 94995B0560D2CCDA7951252397EB152B499454746B75D03479BBFA551DEF41E4
    > Ikarus . . . . . . : Trojan-PWS.Keylogger!IK
      Fuzzy  . . . . . . : 114.0

   C:\Users\admın\Downloads\AngryBirdsStarWars\Patch\angry.birds.all-patch.offline.v1.3.exe -> Quarantined
      Size . . . . . . . : 70,656 bytes
      Age  . . . . . . . : 60.5 days (2012-11-12 14:12:19)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : 72F98D7F31000B4CA8197B0DFB94E5254F0E7F3A7423B75A6C684EE833507A2F
    > Ikarus . . . . . . : Trojan.Win32.Spy!IK
      Fuzzy  . . . . . . : 114.0

   C:\Users\admın\Downloads\Antares Autotune Evo VST RTAS v6.0.9 PROPER -AiR\setup.exe -> Quarantined
      Size . . . . . . . : 4,938,752 bytes
      Age  . . . . . . . : 195.4 days (2012-06-30 17:35:21)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 9A5CED4D63CF26F01D3B88E3F1062A8CA72DEEC4A52249557868853FF5C53199
      Description  . . . :  
      Version  . . . . . : 0.0.0.0
      Copyright  . . . . :  
    > Ikarus . . . . . . : Trojan-Downloader.Win32.Delf!IK
      Fuzzy  . . . . . . : 109.0


Suspicious files ____________________________________________________________

   C:\Users\admın\AppData\Local\Temp\svchost.exe -> Quarantined
      Size . . . . . . . : 370,702 bytes
      Age  . . . . . . . : 1.1 days (2013-01-11 00:02:31)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : BE795C17358B01204E090B57A4E775BA65220191E8201BD2A1B784320D10C3AE
      Source URL . . . . : hxxp://1v401.chickenkiller.com/v4/cgminer.exe
      Running processes  : 3544
      Fuzzy  . . . . . . : 27.0
         Program is impersonating a common Windows system file. This is typical for malware.
         The file is downloaded from the Internet to this computer.
         Program is running but currently exposes no human-computer interface (GUI).
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
         The file is in use by one or more active processes.


Potential Unwanted Programs _________________________________________________

   C:\Program Files (x86)\BabylonToolbar\ (Babylon)
   C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\ (Babylon)
   C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\ (Babylon)
   C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll (Babylon)
      Size . . . . . . . : 330,240 bytes
      Age  . . . . . . . : 194.6 days (2012-07-01 12:27:38)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : 52CAA8C32555E05191FED8187D74B20C916F44789693CC0B70D7BB09783844ED
      Product  . . . . . : Babylon Toolbar
      Publisher  . . . . : Babylon Ltd.
      Description
      Version  . . . . . : 1.4.35.0
      Copyright  . . . . :  (c) Babylon Ltd.  All rights reserved.
      Fuzzy  . . . . . . : 0.0

   C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe (Babylon)
      Size . . . . . . . : 347,648 bytes
      Age  . . . . . . . : 194.6 days (2012-07-01 12:27:39)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : 27F90D20668D9CA40555C086A5123240022DA0097EE0B3EE766D8FCFCE078EF8
      Product  . . . . . : Babylon Toolbar
      Publisher  . . . . : Babylon Ltd.
      Description
      Version  . . . . . : 1.4.35.0
      Copyright  . . . . :  (c) Babylon Ltd.  All rights reserved.
      Fuzzy  . . . . . . : 0.0

   C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\ (Babylon)
   C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon)
      Size . . . . . . . : 270,960 bytes
      Age  . . . . . . . : 194.6 days (2012-07-01 12:27:38)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : AC6AB10609C702F2ACEDC58E83AFD5E4BD9855071DE8A39CEF31D314F10A09B1
      Product  . . . . . : Babylon Toolbar
      Publisher  . . . . : Babylon BHO
      Description
      Version  . . . . . : 1.4.35.0
      Copyright  . . . . :  (c) Babylon Ltd.  All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -7.0

   C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\uninstall.exe (Babylon)
      Size . . . . . . . : 82,870 bytes
      Age  . . . . . . . : 194.6 days (2012-07-01 12:27:39)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : CD7D3E9D725511770BC29F27EC73D6D875B5F423896E3A5AF44482B8BD3BCB22
      Product  . . . . . : BabylonToolbar
      Publisher  . . . . : BabylonToolbar
      Version  . . . . . : 1.5.3.17
      Fuzzy  . . . . . . : 8.0

   C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\BabylonTB.xpi (Babylon)
   C:\Users\admin\AppData\LocalLow\BabylonToolbar\ (Babylon)
   C:\Users\admın\AppData\Roaming\Babylon\ (Babylon)
   C:\Users\admın\AppData\Roaming\Babylon\log_file.txt (Babylon)
   C:\Users\admın\AppData\Roaming\BabylonToolbar\ (Babylon)
   C:\Users\admın\AppData\Roaming\BabylonToolbar\CR\ (Babylon)
   C:\Users\admın\AppData\Roaming\BabylonToolbar\CR\BabylonChrome1.crx (Babylon)
   C:\Users\admın\AppData\Roaming\BabylonToolbar\CR\BUSolution.dll (Babylon)
      Size . . . . . . . : 514,048 bytes
      Age  . . . . . . . : 194.6 days (2012-07-01 12:27:56)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : B5AF65918FD8D3C8847E86438D67F1136646033911EE48E6D717C0F2349E8BE7
      Product  . . . . . : BU Dynamic Link Library
      Description  . . . : BU Dynamic Link Library
      Version  . . . . . : 2.0.0.2
      Copyright  . . . . : Copyright (C) 1997-2012
      Fuzzy  . . . . . . : -7.0

   C:\Users\admın\AppData\Roaming\BabylonToolbar\FF\ (Babylon)
   C:\Users\admın\AppData\Roaming\BabylonToolbar\FF\BUSolution.dll (Babylon)
      Size . . . . . . . : 514,048 bytes
      Age  . . . . . . . : 194.6 days (2012-07-01 12:27:56)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : B5AF65918FD8D3C8847E86438D67F1136646033911EE48E6D717C0F2349E8BE7
      Product  . . . . . : BU Dynamic Link Library
      Description  . . . : BU Dynamic Link Library
      Version  . . . . . : 2.0.0.2
      Copyright  . . . . : Copyright (C) 1997-2012
      Fuzzy  . . . . . . : -7.0

   C:\Users\admın\AppData\Roaming\BabylonToolbar\IE\ (Babylon)
   C:\Users\admın\AppData\Roaming\BabylonToolbar\IE\BUSolution.dll (Babylon)
      Size . . . . . . . : 514,048 bytes
      Age  . . . . . . . : 194.6 days (2012-07-01 12:27:56)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : B5AF65918FD8D3C8847E86438D67F1136646033911EE48E6D717C0F2349E8BE7
      Product  . . . . . : BU Dynamic Link Library
      Description  . . . : BU Dynamic Link Library
      Version  . . . . . : 2.0.0.2
      Copyright  . . . . : Copyright (C) 1997-2012
      Fuzzy  . . . . . . : -7.0

   C:\Users\admın\AppData\Roaming\BabylonToolbar\Shared\ (Babylon)
   C:\Users\admın\AppData\Roaming\BabylonToolbar\Shared\BabyTBConf.ini (Babylon)
   C:\Users\admın\AppData\Roaming\BabylonToolbar\Shared\BUSolution.dll (Babylon)
      Size . . . . . . . : 514,048 bytes
      Age  . . . . . . . : 194.6 days (2012-07-01 12:27:56)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : B5AF65918FD8D3C8847E86438D67F1136646033911EE48E6D717C0F2349E8BE7
      Product  . . . . . : BU Dynamic Link Library
      Description  . . . : BU Dynamic Link Library
      Version  . . . . . : 2.0.0.2
      Copyright  . . . . : Copyright (C) 1997-2012
      Fuzzy  . . . . . . : -7.0

   C:\Users\admın\AppData\Roaming\BabylonToolbar\Shared\sign (Babylon)
   HKLM\SOFTWARE\Classes\AppID\escort.DLL\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\escortApp.DLL\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\escortEng.DLL\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\esrv.EXE\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\ (Babylon)
   HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
   HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
   HKLM\SOFTWARE\Classes\b\ (Babylon)
   HKLM\SOFTWARE\Classes\Babylon.dskBnd.1\ (Babylon)
   HKLM\SOFTWARE\Classes\Babylon.dskBnd\ (Babylon)
   HKLM\SOFTWARE\Classes\bbylnApp.appCore.1\ (Babylon)
   HKLM\SOFTWARE\Classes\bbylnApp.appCore\ (Babylon)
   HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\ (Babylon)
   HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\ (Babylon)
   HKLM\SOFTWARE\Classes\escort.escortIEPane.1\ (Funmoods)
   HKLM\SOFTWARE\Classes\escort.escortIEPane\ (Funmoods)
   HKLM\SOFTWARE\Classes\esrv.BabylonESrvc.1\ (Babylon)
   HKLM\SOFTWARE\Classes\esrv.BabylonESrvc\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ (Babylon)
   HKLM\SOFTWARE\Classes\Prod.cap\ (Claro)
   HKLM\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\ (Babylon)
   HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
   HKLM\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\ (Babylon)
   HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escort.DLL\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escortApp.DLL\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escortEng.DLL\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escorTlbr.DLL\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\esrv.EXE\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{291BCCC1-6890-484a-89D3-318C928DAC1B}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4B2468513CA2D6943A1A233CD3F88CE7\ (Claro)
   HKLM\SOFTWARE\Wow6432Node\Babylon\ (Babylon)
   HKLM\SOFTWARE\Wow6432Node\BabylonToolbar\ (Babylon)
   HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\ (Babylon)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}\ (Babylon)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BabylonToolbar\ (Babylon)
   HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\BabylonToolbar\ (Babylon)
   HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{98889811-442D-49DD-99D7-DC866BE87DBC} (Claro)
   HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ (Babylon)
   HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}\ (Babylon)
   HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}\ (Babylon)

Cookies _____________________________________________________________________

   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\6LEWKBGR.txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\6YSVKKPM.txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\8RL7MQSM.txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\admın@ads.ad4game[2].txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\admın@atdmt[1].txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\admın@c.atdmt[2].txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\admın@serving-sys[1].txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\BH13MTX4.txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\ES7NQ8F9.txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\FUAOWWGM.txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\I4TVPD4E.txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\KE30C9Z2.txt
   C:\Users\admın\AppData\Roaming\Microsoft\Windows\Cookies\WAPQO0U0.txt

jays.traas · Jan 11, 2013

Downloading and running the Kaspersky Virus Removal tool. Will post logs when finished. Thanks so much for your help with this DragonMaster Jay

jays.traas · Jan 12, 2013

Ah, I think I messed up.. While the Kaspersky Virus Removal tool was running I fell asleep, when I woke up the program was gone and I can't find any logs.

Should I run the Kaspersky Virus Removal tool once again and make sure to catch it and save the logs etc?

Jay Pfoutz · Jan 12, 2013

Seems like we're dealing with ZeroAccess or related threat...I'll need an external look please:

Farbar Recovery Scan Tool x64

Download Farbar Recovery Scan Tool and save it to a flash drive.

Please make sure to get the 64-bit version

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to the disclaimer.
Place a check next to List Drivers MD5 as well as the default check marks that are already there
Press Scan button. It will do its scan and save a log on your flash drive.
Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:

When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
Type exit in the Command Prompt window and reboot the computer normally
FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.

jays.traas · Jan 12, 2013

Oops, searched 'services' instead of 'services.exe'.

Rebooting to quickly do it again

jays.traas · Jan 12, 2013

Frst.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013
Ran by SYSTEM at 13-01-2013 00:14:43
Running from G:\
Windows 7 Ultimate (X64) OS Language: 041F
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296096 2012-11-26] (RealNetworks, Inc.)
HKLM-x32\...\Run: [Adobe] C:\ProgramData\Adobe\3D422E.vbe [7147 2012-10-02] ()
HKU\admın\...\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe" -autorun [3111744 2012-04-26] (DT Soft Ltd)
HKU\admın\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1354736 2012-12-16] (Valve Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [108904 2013-01-12] (SurfRight B.V.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75136 2012-11-11] ()

==================== Drivers (Whitelisted) =====================

1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-07-01] (DT Soft Ltd)
3 FILESPY; C:\Windows\SysWow64\Drivers\FILESPY.sys [27584 2001-09-27] (NemeSys Music Technology)
3 l6TportUX8; C:\Windows\System32\Drivers\l6TportUX864.sys [772224 2012-03-26] (Line 6)
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 EWAVE; \??\C:\Windows\system32\drivers\ew.sys [x]
0 Partizan; C:\Windows\System32\drivers\Partizan.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-13 00:11 - 2013-01-13 00:06 - 00040552 ____A C:\Users\admın\Desktop\FRST.txt
2013-01-13 00:11 - 2013-01-13 00:05 - 00000560 ____A C:\Users\admın\Desktop\Search.txt
2013-01-13 00:01 - 2013-01-13 00:01 - 00000000 ____D C:\FRST
2013-01-12 23:50 - 2013-01-12 23:50 - 01464233 ____A (Farbar) C:\Users\admın\Downloads\FRST64.exe
2013-01-12 10:55 - 2013-01-12 10:55 - 00000000 ____D C:\Users\admın\Downloads\SILVER LININGS DVDRIP EDAW2013
2013-01-12 10:54 - 2013-01-12 11:00 - 00000000 ____D C:\Users\admın\Downloads\Les.Miserables.2012.DVDSCR-EDAW2013
2013-01-12 10:51 - 2013-01-12 11:00 - 00000000 ____D C:\Users\admın\Downloads\Butter LIMITED BDRip XviD-SAPHiRE
2013-01-12 10:50 - 2013-01-12 10:50 - 00058726 ____A C:\Users\admın\Downloads\[kat.ph]butter.limited.bdrip.xvid.saphire.torrent
2013-01-12 10:49 - 2013-01-12 10:49 - 00024555 ____A C:\Users\admın\Downloads\[kat.ph]les.miserables.2012.dvdscr.edaw2013.torrent
2013-01-12 10:49 - 2013-01-12 10:49 - 00017090 ____A C:\Users\admın\Downloads\[kat.ph]silver.linings.playbook.2012.dvdrip.edaw2013.torrent
2013-01-12 03:54 - 2013-01-12 03:57 - 07561130 ____A C:\Users\admın\Downloads\Celldweller - Frozen.flv
2013-01-12 02:32 - 2013-01-12 02:32 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2013-01-12 02:28 - 2013-01-12 02:31 - 151469960 ____A C:\Users\admın\Desktop\setup_11.0.0.1245.x01_2013_01_12_03_36.exe
2013-01-12 02:25 - 2013-01-12 02:25 - 00035250 ____A C:\Users\admın\Desktop\HitmanPro_20130112_0225.log
2013-01-12 02:24 - 2013-01-12 23:48 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2013-01-12 02:20 - 2013-01-12 02:20 - 00001893 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2013-01-12 02:19 - 2013-01-12 02:25 - 00000000 ____D C:\Users\All Users\HitmanPro
2013-01-12 02:19 - 2013-01-12 02:20 - 00000000 ____D C:\Program Files\HitmanPro
2013-01-12 02:18 - 2013-01-12 02:19 - 09703176 ____A (SurfRight B.V.) C:\Users\admın\Downloads\HitmanPro_x64.exe
2013-01-10 23:07 - 2013-01-10 23:08 - 05019950 ____A (Swearware) C:\Users\admın\Downloads\ComboFix (1).exe
2013-01-10 23:06 - 2013-01-10 23:06 - 00015340 ____A C:\ComboFix.txt
2013-01-10 22:52 - 2013-01-10 22:52 - 00001108 ____A C:\Users\admın\Desktop\ComboFix - Shortcut.lnk
2013-01-10 22:46 - 2013-01-10 23:06 - 00000000 ____D C:\Qoobox
2013-01-10 22:46 - 2013-01-10 23:05 - 00000000 ____D C:\Windows\erdnt
2013-01-10 22:46 - 2011-06-26 08:45 - 00256000 ____A C:\Windows\PEV.exe
2013-01-10 22:46 - 2010-11-07 19:20 - 00208896 ____A C:\Windows\MBR.exe
2013-01-10 22:46 - 2009-04-20 06:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-01-10 22:46 - 2000-08-31 02:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-01-10 22:46 - 2000-08-31 02:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-01-10 22:46 - 2000-08-31 02:00 - 00098816 ____A C:\Windows\sed.exe
2013-01-10 22:46 - 2000-08-31 02:00 - 00080412 ____A C:\Windows\grep.exe
2013-01-10 22:46 - 2000-08-31 02:00 - 00068096 ____A C:\Windows\zip.exe
2013-01-10 22:43 - 2013-01-10 22:43 - 05019950 ____R (Swearware) C:\Users\admın\Downloads\ComboFix.exe
2013-01-10 18:34 - 2013-01-10 18:34 - 00017012 ____A C:\Users\admın\Desktop\attach.txt
2013-01-10 18:34 - 2013-01-10 18:34 - 00013509 ____A C:\Users\admın\Desktop\dds.txt
2013-01-10 18:33 - 2013-01-10 18:33 - 00688992 ____R (Swearware) C:\Users\admın\Downloads\dds.com
2013-01-10 18:33 - 2013-01-10 18:33 - 00000000 ____D C:\users\adm²n
2013-01-10 18:26 - 2013-01-10 18:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-10 18:26 - 2012-12-14 16:49 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-01-10 18:25 - 2013-01-10 18:26 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\admın\Downloads\mbam-setup-1.70.0.1100.exe
2013-01-10 16:50 - 2013-01-10 16:50 - 00001945 ____A C:\Windows\epplauncher.mif
2013-01-10 16:50 - 2013-01-10 16:50 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-01-10 16:50 - 2013-01-10 16:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-01-10 14:51 - 2013-01-10 15:00 - 13529576 ____A (Microsoft Corporation) C:\Users\admın\Downloads\mseinstall.exe
2013-01-10 14:50 - 2013-01-10 15:00 - 06151248 ____A (Uniblue Systems Ltd ) C:\Users\admın\Downloads\speedupmypc.exe
2013-01-10 13:29 - 2013-01-10 13:29 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-01-10 12:23 - 2013-01-10 12:25 - 00000000 ____D C:\Users\admın\Desktop\EverestTest
2013-01-10 12:22 - 2013-01-10 12:22 - 04402436 ____A C:\Users\admın\Downloads\everesthome220.zip
2013-01-10 11:39 - 2013-01-10 11:39 - 00980480 ____A C:\Users\admın\Downloads\MicrosoftFixit50267.msi
2013-01-10 11:38 - 2013-01-10 11:38 - 00000061 ____A C:\Users\admın\Documents\ashadams.txt
2013-01-10 11:37 - 2013-01-10 11:37 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\admın\Downloads\tdsskiller.exe
2013-01-10 11:36 - 2013-01-12 10:05 - 00002594 ____A C:\Users\admın\Desktop\Rkill.txt
2013-01-10 11:35 - 2013-01-10 11:35 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\admın\Downloads\rkill.exe
2013-01-10 11:04 - 2012-11-23 05:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-10 11:04 - 2012-11-23 05:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
2013-01-10 11:04 - 2012-11-20 07:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-01-10 11:04 - 2012-11-20 06:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2013-01-10 11:04 - 2012-11-09 07:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-01-10 11:04 - 2012-11-09 06:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-01-10 11:04 - 2012-11-01 07:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-01-10 11:04 - 2012-11-01 07:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2013-01-10 11:04 - 2012-11-01 06:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2013-01-10 11:04 - 2012-11-01 06:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2013-01-09 18:17 - 2013-01-10 10:56 - 00000000 ____D C:\Windows\RestoreSafeDeleted
2013-01-09 14:06 - 2013-01-09 14:06 - 00000000 ____D C:\Users\admın\Downloads\Not.Fade.Away.2012.DVDSCR.XviD.AC3-VAiN
2013-01-09 14:04 - 2013-01-09 14:21 - 00000000 ____D C:\Users\admın\Downloads\Branded.2012.LIMITED.DVDRip.XVID-DEPRiVED
2013-01-09 13:37 - 2013-01-09 13:40 - 14205489 ____A C:\Users\admın\Downloads\The Decemberists - Here I Dreamt I Was An Architect (Lyrics)(1).flv
2013-01-09 13:33 - 2013-01-09 13:33 - 00000000 ____D C:\Users\admın\Downloads\DEATH CAB FOR CUTIE - DISCOGRAPHY [CHANNEL NEO]
2013-01-09 13:17 - 2013-01-09 13:20 - 21965189 ____A C:\Users\admın\Downloads\The Rolling Stones - Satisfaction (live).flv
2013-01-09 12:49 - 2013-01-09 12:56 - 189657718 ____A C:\Users\admın\Downloads\Fix You - Coldplay - Acoustic Cover by Tyler Ward _ Boyce Avenue.mp4
2013-01-09 12:43 - 2013-01-09 12:45 - 07500084 ____A C:\Users\admın\Downloads\My Girl - The Temptations.flv
2013-01-09 12:37 - 2013-01-09 12:38 - 03568688 ____A C:\Users\admın\Downloads\Jackson 5 - ABC (Full song).flv
2013-01-07 12:47 - 2013-01-07 13:18 - 597192704 ____A C:\Users\admın\Downloads\Inescapable.avi
2013-01-07 02:41 - 2013-01-07 02:41 - 00000000 ____D C:\Users\admın\Downloads\The.Impossible.2012.DVDSCR.x264.AAC-FooKaS
2013-01-07 02:39 - 2013-01-07 02:50 - 00000000 ____D C:\Users\admın\Downloads\Upside.Down.2012.720p.BRRip.x264.AC3-JYK
2013-01-07 02:38 - 2013-01-07 02:39 - 00000000 ____D C:\Users\admın\Downloads\Zero.Dark.Thirty.2012.DVDSCR.Xvid.Ac3-ADTRG
2013-01-07 02:37 - 2013-01-07 02:57 - 00000000 ____D C:\Users\admın\Downloads\Hitchcock.2012.DVDSCR.XviD-NYDIC
2013-01-07 02:35 - 2013-01-07 02:35 - 00012610 ____A C:\Users\admın\Downloads\[kat.ph]upside.down.2012.720p.brrip.x264.ac3.jyk.torrent
2013-01-07 02:34 - 2013-01-07 02:34 - 00115946 ____A C:\Users\admın\Downloads\[kat.ph]upside.down.2012.brrip.xvid.unique.torrent
2013-01-07 02:34 - 2013-01-07 02:34 - 00000000 ____D C:\Users\admın\Downloads\Django Unchained 2012 DVDSCR X264 AAC-P2P
2013-01-07 02:33 - 2013-01-07 02:33 - 00204069 ____A C:\Users\admın\Downloads\[kat.ph]django.unchained.2012.dvdscr.x264.aac.p2p.torrent
2013-01-07 02:32 - 2013-01-07 02:32 - 00075122 ____A C:\Users\admın\Downloads\[kat.ph]hitchcock.2012.dvdscr.xvid.nydic.torrent
2013-01-07 02:32 - 2013-01-07 02:32 - 00029619 ____A C:\Users\admın\Downloads\[kat.ph]the.impossible.2012.dvdscr.x264.aac.fookas.torrent
2013-01-07 02:32 - 2013-01-07 02:32 - 00025312 ____A C:\Users\admın\Downloads\[kat.ph]zero.dark.thirty.2012.dvdscr.xvid.ac3.adtrg.torrent
2013-01-05 21:27 - 2013-01-05 21:31 - 08542909 ____A C:\Users\admın\Downloads\Riders on the storm the doors lyrics.flv
2013-01-05 20:18 - 2013-01-05 20:21 - 10823982 ____A C:\Users\admın\Downloads\Benji Hughes - Waiting For An Invitation.flv
2013-01-05 17:20 - 2013-01-06 14:25 - 00000000 ____D C:\Users\admın\Documents\Backtracks
2013-01-05 17:18 - 2013-01-05 17:20 - 04602915 ____A C:\Users\admın\Downloads\Dire Straits - Six Blade Knife lyrics.flv
2013-01-05 17:08 - 2013-01-05 17:11 - 26498493 ____A C:\Users\admın\Downloads\ZZ Top - Sharp Dressed Man (Live In Texas).flv
2013-01-05 16:49 - 2013-01-05 16:53 - 08671417 ____A C:\Users\admın\Downloads\Dire Straits - Industrial Disease lyrics.flv
2013-01-05 13:20 - 2013-01-06 16:26 - 00000000 ____D C:\Users\admın\Documents\SongLyrics
2013-01-04 10:39 - 2013-01-04 10:42 - 14205489 ____A C:\Users\admın\Downloads\The Decemberists - Here I Dreamt I Was An Architect (Lyrics).flv
2013-01-04 10:36 - 2013-01-04 10:39 - 06435461 ____A C:\Users\admın\Downloads\SUMMER BREEZE_SEALS AND CROFTS.flv
2013-01-04 10:30 - 2013-01-04 10:32 - 17744311 ____A C:\Users\admın\Downloads\Haunt - Love song ( Lyrics).flv
2013-01-04 10:26 - 2013-01-04 10:29 - 14385955 ____A C:\Users\admın\Downloads\Everlast ~ What It's Like (With Lyrics).flv
2013-01-04 10:23 - 2013-01-04 10:24 - 02905181 ____A C:\Users\admın\Downloads\Death Cab For Cutie I Will Follow You Into The Dark lyrics.flv
2013-01-04 10:20 - 2013-01-04 10:25 - 61915909 ____A C:\Users\admın\Downloads\I Don't Need No Doctor - John Mayer.flv
2013-01-04 10:11 - 2013-01-04 10:13 - 68982786 ____A C:\Users\admın\Downloads\Aloe Blacc - I Need A Dollar - Official Video HQ.mp4
2013-01-04 10:07 - 2013-01-04 10:11 - 39338481 ____A C:\Users\admın\Downloads\Hey Ya (acoustic cover).flv
2013-01-04 10:05 - 2013-01-04 10:07 - 06771800 ____A C:\Users\admın\Downloads\Barbarossa - Stones.flv
2013-01-03 23:15 - 2011-04-25 00:41 - 737107968 ____A C:\Users\admın\Desktop\The Shawshank Redemption[1994]DvDrip[Eng]-FXG.avi
2013-01-02 16:11 - 2013-01-02 16:11 - 02744312 ____A C:\Users\admın\Downloads\mircdev.rar
2013-01-01 16:52 - 2013-01-01 16:52 - 28449468 ____A C:\Users\admın\Desktop\AutumnLeaves.zip
2012-12-27 02:13 - 2013-01-01 15:29 - 00000304 ____A C:\Users\admın\Documents\cmas.txt
2012-12-26 01:53 - 2012-12-26 01:54 - 13669265 ____A C:\Users\admın\Downloads\Football Manager 2013 Crack Only-SKIDROW.rar
2012-12-26 01:50 - 2012-12-26 01:50 - 00000000 ____D C:\Users\admın\AppData\Roaming\Sports Interactive
2012-12-25 15:06 - 2013-01-03 17:58 - 00000603 ____A C:\Users\admın\Documents\song suggestions.txt
2012-12-24 20:57 - 2010-06-02 04:55 - 00527192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_7.dll
2012-12-24 20:57 - 2010-06-02 04:55 - 00518488 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_7.dll
2012-12-24 20:57 - 2010-06-02 04:55 - 00239960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_7.dll
2012-12-24 20:57 - 2010-06-02 04:55 - 00176984 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_7.dll
2012-12-24 20:57 - 2010-06-02 04:55 - 00077656 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_5.dll
2012-12-24 20:57 - 2010-06-02 04:55 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_5.dll
2012-12-24 20:57 - 2010-05-26 11:41 - 02526056 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_43.dll
2012-12-24 20:57 - 2010-05-26 11:41 - 02401112 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_43.dll
2012-12-24 20:57 - 2010-05-26 11:41 - 02106216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_43.dll
2012-12-24 20:57 - 2010-05-26 11:41 - 01998168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_43.dll
2012-12-24 20:57 - 2010-05-26 11:41 - 01907552 ____A (Microsoft Corporation) C:\Windows\System32\d3dcsx_43.dll
2012-12-24 20:57 - 2010-05-26 11:41 - 01868128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_43.dll
2012-12-24 20:57 - 2010-05-26 11:41 - 00511328 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_43.dll
2012-12-24 20:57 - 2010-05-26 11:41 - 00470880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_43.dll
2012-12-24 20:57 - 2010-05-26 11:41 - 00276832 ____A (Microsoft Corporation) C:\Windows\System32\d3dx11_43.dll
2012-12-24 20:57 - 2010-05-26 11:41 - 00248672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
2012-12-23 02:17 - 2013-01-04 13:01 - 00000068 ____A C:\Users\admın\Documents\bandnames.txt
2012-12-22 13:03 - 2012-12-23 13:13 - 00000000 ____D C:\Users\admın\Documents\GuitarLessonResource
2012-12-22 13:00 - 2012-12-22 13:00 - 04988686 ____A C:\Users\admın\Downloads\teachwombatdotcomfreestuff2.zip
2012-12-21 20:56 - 2012-12-16 19:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-21 20:56 - 2012-12-16 16:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-21 20:56 - 2012-12-16 16:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-21 20:56 - 2012-12-16 16:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-19 13:54 - 2012-12-19 13:57 - 150719027 ____A C:\Users\admın\Documents\Inception Soundtrack - Time _ Piano _ Sax (Relaxing).mp4
2012-12-19 12:01 - 2012-12-19 12:01 - 00000000 ____D C:\Users\admın\Documents\4A Games
2012-12-19 12:00 - 2012-12-19 12:00 - 00000000 ____D C:\Users\admın\AppData\Local\4A Games
2012-12-19 11:58 - 2012-12-04 09:16 - 00000000 ____D C:\Users\admın\Downloads\metro 2033
2012-12-19 03:12 - 2012-12-19 03:12 - 00013173 ____A C:\Users\admın\Downloads\bifur.zip
2012-12-19 03:05 - 2012-12-19 03:05 - 00477022 ____A C:\Users\admın\Downloads\retro_lined_area.zip
2012-12-19 02:48 - 2012-12-19 02:48 - 00030729 ____A C:\Users\admın\Downloads\beastieboys.zip
2012-12-18 18:33 - 2012-12-18 18:33 - 00000000 ____D C:\users\admn
2012-12-18 18:33 - 2012-12-18 18:33 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2012-12-18 18:33 - 2010-02-04 10:01 - 00530776 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_6.dll
2012-12-18 18:33 - 2010-02-04 10:01 - 00528216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_6.dll
2012-12-18 18:33 - 2010-02-04 10:01 - 00238936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_6.dll
2012-12-18 18:33 - 2010-02-04 10:01 - 00176984 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_6.dll
2012-12-18 18:33 - 2010-02-04 10:01 - 00078680 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_4.dll
2012-12-18 18:33 - 2010-02-04 10:01 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_4.dll
2012-12-18 18:33 - 2010-02-04 10:01 - 00024920 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_7.dll
2012-12-18 18:33 - 2010-02-04 10:01 - 00022360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_7.dll
2012-12-17 02:00 - 2012-12-17 02:00 - 00000021 ____A C:\Users\admın\Documents\Metro2033serial.txt
2012-12-16 20:45 - 2013-01-13 00:12 - 00000000 ____D C:\Program Files (x86)\Steam
2012-12-16 20:45 - 2012-12-16 20:45 - 00000917 ____A C:\Users\Public\Desktop\Steam.lnk
2012-12-16 20:44 - 2012-12-18 18:37 - 00000000 ____D C:\Program Files (x86)\Metro
2012-12-16 20:33 - 2012-12-16 20:38 - 74331423 ____A C:\Users\admın\Downloads\metro2033.exe
2012-12-16 12:50 - 2012-12-16 12:52 - 04602915 ____A C:\Users\admın\Documents\Dire Straits - Six Blade Knife lyrics.flv
2012-12-16 12:40 - 2012-12-16 12:45 - 10940032 ____A C:\Users\admın\Documents\Sultans of Swing (with lyrics).flv
2012-12-16 12:36 - 2012-12-16 12:38 - 05912557 ____A C:\Users\admın\Documents\ZZ Top-Sharp Dressed Man Lyrics.flv
2012-12-16 12:22 - 2012-12-16 12:24 - 05771227 ____A C:\Users\admın\Documents\Eric Clapton- Cocaine.flv
2012-12-16 12:17 - 2012-12-16 12:21 - 16634134 ____A C:\Users\admın\Documents\Eric Clapton - Old Love lyrics (Album Version).flv
2012-12-16 12:10 - 2012-12-16 12:10 - 00001289 ____A C:\Users\admın\Documents\You know I'm no good.txt
2012-12-16 12:04 - 2012-12-16 12:04 - 00001311 ____A C:\Users\admın\Documents\Espresso Love.txt
2012-12-16 12:01 - 2012-12-16 12:01 - 00000567 ____A C:\Users\admın\Documents\Cocaine.txt
2012-12-14 15:38 - 2012-12-14 15:38 - 03761317 ____A C:\Users\admın\Downloads\recordings.zip

==================== One Month Modified Files and Folders =======

2013-01-13 00:12 - 2012-12-16 20:45 - 00000000 ____D C:\Program Files (x86)\Steam
2013-01-13 00:12 - 2009-07-14 07:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-13 00:12 - 2009-07-14 06:51 - 00055342 ____A C:\Windows\setupact.log
2013-01-13 00:11 - 2012-06-28 13:59 - 01186076 ____A C:\Windows\WindowsUpdate.log
2013-01-13 00:11 - 2009-07-14 06:45 - 00017360 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-13 00:11 - 2009-07-14 06:45 - 00017360 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-13 00:09 - 2012-06-28 14:04 - 00000814 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-13 00:06 - 2013-01-13 00:11 - 00040552 ____A C:\Users\admın\Desktop\FRST.txt
2013-01-13 00:05 - 2013-01-13 00:11 - 00000560 ____A C:\Users\admın\Desktop\Search.txt
2013-01-13 00:01 - 2013-01-13 00:01 - 00000000 ____D C:\FRST
2013-01-12 23:57 - 2012-11-18 18:41 - 00000000 ____D C:\Users\admın\AppData\Roaming\mIRC
2013-01-12 23:54 - 2009-07-14 14:45 - 00654676 ____A C:\Windows\System32\perfh01F.dat
2013-01-12 23:54 - 2009-07-14 14:45 - 00138932 ____A C:\Windows\System32\perfc01F.dat
2013-01-12 23:54 - 2009-07-14 07:13 - 01564578 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-12 23:51 - 2012-11-18 18:41 - 00000000 ____D C:\Program Files (x86)\mIRC
2013-01-12 23:50 - 2013-01-12 23:50 - 01464233 ____A (Farbar) C:\Users\admın\Downloads\FRST64.exe
2013-01-12 23:48 - 2013-01-12 02:24 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2013-01-12 23:45 - 2012-11-26 14:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-01-12 11:49 - 2012-06-30 10:55 - 00000000 ____D C:\Users\admın\AppData\Roaming\uTorrent
2013-01-12 11:00 - 2013-01-12 10:54 - 00000000 ____D C:\Users\admın\Downloads\Les.Miserables.2012.DVDSCR-EDAW2013
2013-01-12 11:00 - 2013-01-12 10:51 - 00000000 ____D C:\Users\admın\Downloads\Butter LIMITED BDRip XviD-SAPHiRE
2013-01-12 10:55 - 2013-01-12 10:55 - 00000000 ____D C:\Users\admın\Downloads\SILVER LININGS DVDRIP EDAW2013
2013-01-12 10:50 - 2013-01-12 10:50 - 00058726 ____A C:\Users\admın\Downloads\[kat.ph]butter.limited.bdrip.xvid.saphire.torrent
2013-01-12 10:49 - 2013-01-12 10:49 - 00024555 ____A C:\Users\admın\Downloads\[kat.ph]les.miserables.2012.dvdscr.edaw2013.torrent
2013-01-12 10:49 - 2013-01-12 10:49 - 00017090 ____A C:\Users\admın\Downloads\[kat.ph]silver.linings.playbook.2012.dvdrip.edaw2013.torrent
2013-01-12 10:05 - 2013-01-10 11:36 - 00002594 ____A C:\Users\admın\Desktop\Rkill.txt
2013-01-12 03:57 - 2013-01-12 03:54 - 07561130 ____A C:\Users\admın\Downloads\Celldweller - Frozen.flv
2013-01-12 03:40 - 2012-12-11 15:25 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-01-12 02:55 - 2012-06-30 17:01 - 00000000 ____D C:\Users\admın\Downloads\Daemon Tools Pro Advanced v5.1.0. -[EC]
2013-01-12 02:32 - 2013-01-12 02:32 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2013-01-12 02:31 - 2013-01-12 02:28 - 151469960 ____A C:\Users\admın\Desktop\setup_11.0.0.1245.x01_2013_01_12_03_36.exe
2013-01-12 02:25 - 2013-01-12 02:25 - 00035250 ____A C:\Users\admın\Desktop\HitmanPro_20130112_0225.log
2013-01-12 02:25 - 2013-01-12 02:19 - 00000000 ____D C:\Users\All Users\HitmanPro
2013-01-12 02:24 - 2012-06-30 17:35 - 00000000 ____D C:\Users\admın\Downloads\Antares Autotune Evo VST RTAS v6.0.9 PROPER -AiR
2013-01-12 02:20 - 2013-01-12 02:20 - 00001893 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2013-01-12 02:20 - 2013-01-12 02:19 - 00000000 ____D C:\Program Files\HitmanPro
2013-01-12 02:19 - 2013-01-12 02:18 - 09703176 ____A (SurfRight B.V.) C:\Users\admın\Downloads\HitmanPro_x64.exe
2013-01-11 16:55 - 2012-07-20 13:32 - 00000000 ____D C:\Users\admın\Desktop\Old Sets
2013-01-11 16:19 - 2009-07-14 07:08 - 00032590 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-01-10 23:08 - 2013-01-10 23:07 - 05019950 ____A (Swearware) C:\Users\admın\Downloads\ComboFix (1).exe
2013-01-10 23:06 - 2013-01-10 23:06 - 00015340 ____A C:\ComboFix.txt
2013-01-10 23:06 - 2013-01-10 22:46 - 00000000 ____D C:\Qoobox
2013-01-10 23:06 - 2012-11-14 17:00 - 00000000 ____D C:\users\adm
2013-01-10 23:06 - 2009-07-14 05:20 - 00000000 __RHD C:\users\Default
2013-01-10 23:05 - 2013-01-10 22:46 - 00000000 ____D C:\Windows\erdnt
2013-01-10 23:03 - 2009-07-14 04:34 - 00000258 ____A C:\Windows\system.ini
2013-01-10 22:52 - 2013-01-10 22:52 - 00001108 ____A C:\Users\admın\Desktop\ComboFix - Shortcut.lnk
2013-01-10 22:43 - 2013-01-10 22:43 - 05019950 ____R (Swearware) C:\Users\admın\Downloads\ComboFix.exe
2013-01-10 18:34 - 2013-01-10 18:34 - 00017012 ____A C:\Users\admın\Desktop\attach.txt
2013-01-10 18:34 - 2013-01-10 18:34 - 00013509 ____A C:\Users\admın\Desktop\dds.txt
2013-01-10 18:33 - 2013-01-10 18:33 - 00688992 ____R (Swearware) C:\Users\admın\Downloads\dds.com
2013-01-10 18:33 - 2013-01-10 18:33 - 00000000 ____D C:\users\adm²n
2013-01-10 18:26 - 2013-01-10 18:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-10 18:26 - 2013-01-10 18:25 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\admın\Downloads\mbam-setup-1.70.0.1100.exe
2013-01-10 18:23 - 2012-07-02 16:56 - 00000000 ____D C:\Program Files (x86)\UnHackMe
2013-01-10 18:22 - 2012-07-02 16:56 - 00000000 ____D C:\Users\All Users\RegRun
2013-01-10 18:21 - 2012-07-02 16:58 - 00000618 ____A C:\Windows\SysWOW64\PARTIZAN.TXT
2013-01-10 18:19 - 2012-07-02 16:56 - 00000000 ____D C:\Users\admın\Documents\RegRun2
2013-01-10 18:12 - 2012-07-02 16:56 - 00000002 RASHOT C:\Windows\winstart.bat
2013-01-10 18:12 - 2012-07-02 16:56 - 00000002 RASHOT C:\Windows\SysWOW64\CONFIG.NT
2013-01-10 18:12 - 2012-07-02 16:56 - 00000002 RASHOT C:\Windows\SysWOW64\AUTOEXEC.NT
2013-01-10 18:11 - 2012-06-30 17:05 - 00000000 ____D C:\Program Files (x86)\Daemon Tools Pro v5.1.0
2013-01-10 18:09 - 2012-06-28 14:04 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-01-10 18:09 - 2012-06-28 14:04 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-01-10 16:50 - 2013-01-10 16:50 - 00001945 ____A C:\Windows\epplauncher.mif
2013-01-10 16:50 - 2013-01-10 16:50 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-01-10 16:50 - 2013-01-10 16:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-01-10 15:17 - 2012-06-28 14:06 - 00000000 ____D C:\Users\All Users\Microsoft Help
2013-01-10 15:00 - 2013-01-10 14:51 - 13529576 ____A (Microsoft Corporation) C:\Users\admın\Downloads\mseinstall.exe
2013-01-10 15:00 - 2013-01-10 14:50 - 06151248 ____A (Uniblue Systems Ltd ) C:\Users\admın\Downloads\speedupmypc.exe
2013-01-10 13:29 - 2013-01-10 13:29 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-01-10 13:13 - 2009-07-14 06:45 - 00342608 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-10 13:11 - 2012-06-30 19:16 - 01542464 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2013-01-10 13:04 - 2012-11-12 14:36 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-01-10 13:02 - 2012-07-10 10:53 - 00000000 ____D C:\Users\admın\Desktop\New
2013-01-10 12:28 - 2012-11-12 14:21 - 00000000 ____D C:\Games
2013-01-10 12:25 - 2013-01-10 12:23 - 00000000 ____D C:\Users\admın\Desktop\EverestTest
2013-01-10 12:22 - 2013-01-10 12:22 - 04402436 ____A C:\Users\admın\Downloads\everesthome220.zip
2013-01-10 11:39 - 2013-01-10 11:39 - 00980480 ____A C:\Users\admın\Downloads\MicrosoftFixit50267.msi
2013-01-10 11:38 - 2013-01-10 11:38 - 00000061 ____A C:\Users\admın\Documents\ashadams.txt
2013-01-10 11:37 - 2013-01-10 11:37 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\admın\Downloads\tdsskiller.exe
2013-01-10 11:35 - 2013-01-10 11:35 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\admın\Downloads\rkill.exe
2013-01-10 10:56 - 2013-01-09 18:17 - 00000000 ____D C:\Windows\RestoreSafeDeleted
2013-01-09 18:33 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\System32\NDF
2013-01-09 14:21 - 2013-01-09 14:04 - 00000000 ____D C:\Users\admın\Downloads\Branded.2012.LIMITED.DVDRip.XVID-DEPRiVED
2013-01-09 14:06 - 2013-01-09 14:06 - 00000000 ____D C:\Users\admın\Downloads\Not.Fade.Away.2012.DVDSCR.XviD.AC3-VAiN
2013-01-09 13:40 - 2013-01-09 13:37 - 14205489 ____A C:\Users\admın\Downloads\The Decemberists - Here I Dreamt I Was An Architect (Lyrics)(1).flv
2013-01-09 13:33 - 2013-01-09 13:33 - 00000000 ____D C:\Users\admın\Downloads\DEATH CAB FOR CUTIE - DISCOGRAPHY [CHANNEL NEO]
2013-01-09 13:20 - 2013-01-09 13:17 - 21965189 ____A C:\Users\admın\Downloads\The Rolling Stones - Satisfaction (live).flv
2013-01-09 12:56 - 2013-01-09 12:49 - 189657718 ____A C:\Users\admın\Downloads\Fix You - Coldplay - Acoustic Cover by Tyler Ward _ Boyce Avenue.mp4
2013-01-09 12:45 - 2013-01-09 12:43 - 07500084 ____A C:\Users\admın\Downloads\My Girl - The Temptations.flv
2013-01-09 12:38 - 2013-01-09 12:37 - 03568688 ____A C:\Users\admın\Downloads\Jackson 5 - ABC (Full song).flv
2013-01-07 13:18 - 2013-01-07 12:47 - 597192704 ____A C:\Users\admın\Downloads\Inescapable.avi
2013-01-07 02:57 - 2013-01-07 02:37 - 00000000 ____D C:\Users\admın\Downloads\Hitchcock.2012.DVDSCR.XviD-NYDIC
2013-01-07 02:50 - 2013-01-07 02:39 - 00000000 ____D C:\Users\admın\Downloads\Upside.Down.2012.720p.BRRip.x264.AC3-JYK
2013-01-07 02:41 - 2013-01-07 02:41 - 00000000 ____D C:\Users\admın\Downloads\The.Impossible.2012.DVDSCR.x264.AAC-FooKaS
2013-01-07 02:39 - 2013-01-07 02:38 - 00000000 ____D C:\Users\admın\Downloads\Zero.Dark.Thirty.2012.DVDSCR.Xvid.Ac3-ADTRG
2013-01-07 02:35 - 2013-01-07 02:35 - 00012610 ____A C:\Users\admın\Downloads\[kat.ph]upside.down.2012.720p.brrip.x264.ac3.jyk.torrent
2013-01-07 02:34 - 2013-01-07 02:34 - 00115946 ____A C:\Users\admın\Downloads\[kat.ph]upside.down.2012.brrip.xvid.unique.torrent
2013-01-07 02:34 - 2013-01-07 02:34 - 00000000 ____D C:\Users\admın\Downloads\Django Unchained 2012 DVDSCR X264 AAC-P2P
2013-01-07 02:33 - 2013-01-07 02:33 - 00204069 ____A C:\Users\admın\Downloads\[kat.ph]django.unchained.2012.dvdscr.x264.aac.p2p.torrent
2013-01-07 02:32 - 2013-01-07 02:32 - 00075122 ____A C:\Users\admın\Downloads\[kat.ph]hitchcock.2012.dvdscr.xvid.nydic.torrent
2013-01-07 02:32 - 2013-01-07 02:32 - 00029619 ____A C:\Users\admın\Downloads\[kat.ph]the.impossible.2012.dvdscr.x264.aac.fookas.torrent
2013-01-07 02:32 - 2013-01-07 02:32 - 00025312 ____A C:\Users\admın\Downloads\[kat.ph]zero.dark.thirty.2012.dvdscr.xvid.ac3.adtrg.torrent
2013-01-06 16:26 - 2013-01-05 13:20 - 00000000 ____D C:\Users\admın\Documents\SongLyrics
2013-01-06 14:25 - 2013-01-05 17:20 - 00000000 ____D C:\Users\admın\Documents\Backtracks
2013-01-06 10:53 - 2009-07-14 04:34 - 00000523 ____A C:\Windows\win.ini
2013-01-05 21:31 - 2013-01-05 21:27 - 08542909 ____A C:\Users\admın\Downloads\Riders on the storm the doors lyrics.flv
2013-01-05 20:21 - 2013-01-05 20:18 - 10823982 ____A C:\Users\admın\Downloads\Benji Hughes - Waiting For An Invitation.flv
2013-01-05 17:20 - 2013-01-05 17:18 - 04602915 ____A C:\Users\admın\Downloads\Dire Straits - Six Blade Knife lyrics.flv
2013-01-05 17:11 - 2013-01-05 17:08 - 26498493 ____A C:\Users\admın\Downloads\ZZ Top - Sharp Dressed Man (Live In Texas).flv
2013-01-05 16:53 - 2013-01-05 16:49 - 08671417 ____A C:\Users\admın\Downloads\Dire Straits - Industrial Disease lyrics.flv
2013-01-04 13:01 - 2012-12-23 02:17 - 00000068 ____A C:\Users\admın\Documents\bandnames.txt
2013-01-04 10:42 - 2013-01-04 10:39 - 14205489 ____A C:\Users\admın\Downloads\The Decemberists - Here I Dreamt I Was An Architect (Lyrics).flv
2013-01-04 10:39 - 2013-01-04 10:36 - 06435461 ____A C:\Users\admın\Downloads\SUMMER BREEZE_SEALS AND CROFTS.flv
2013-01-04 10:32 - 2013-01-04 10:30 - 17744311 ____A C:\Users\admın\Downloads\Haunt - Love song ( Lyrics).flv
2013-01-04 10:29 - 2013-01-04 10:26 - 14385955 ____A C:\Users\admın\Downloads\Everlast ~ What It's Like (With Lyrics).flv
2013-01-04 10:25 - 2013-01-04 10:20 - 61915909 ____A C:\Users\admın\Downloads\I Don't Need No Doctor - John Mayer.flv
2013-01-04 10:24 - 2013-01-04 10:23 - 02905181 ____A C:\Users\admın\Downloads\Death Cab For Cutie I Will Follow You Into The Dark lyrics.flv
2013-01-04 10:13 - 2013-01-04 10:11 - 68982786 ____A C:\Users\admın\Downloads\Aloe Blacc - I Need A Dollar - Official Video HQ.mp4
2013-01-04 10:11 - 2013-01-04 10:07 - 39338481 ____A C:\Users\admın\Downloads\Hey Ya (acoustic cover).flv
2013-01-04 10:07 - 2013-01-04 10:05 - 06771800 ____A C:\Users\admın\Downloads\Barbarossa - Stones.flv
2013-01-03 17:58 - 2012-12-25 15:06 - 00000603 ____A C:\Users\admın\Documents\song suggestions.txt
2013-01-02 16:11 - 2013-01-02 16:11 - 02744312 ____A C:\Users\admın\Downloads\mircdev.rar
2013-01-01 17:49 - 2012-12-09 21:55 - 00000000 ____D C:\Users\admın\Documents\Mixcraft Projects
2013-01-01 16:52 - 2013-01-01 16:52 - 28449468 ____A C:\Users\admın\Desktop\AutumnLeaves.zip
2013-01-01 15:29 - 2012-12-27 02:13 - 00000304 ____A C:\Users\admın\Documents\cmas.txt
2012-12-26 15:34 - 2012-11-11 23:43 - 00080251 ____A C:\Windows\DirectX.log
2012-12-26 01:54 - 2012-12-26 01:53 - 13669265 ____A C:\Users\admın\Downloads\Football Manager 2013 Crack Only-SKIDROW.rar
2012-12-26 01:50 - 2012-12-26 01:50 - 00000000 ____D C:\Users\admın\AppData\Roaming\Sports Interactive
2012-12-26 00:28 - 2012-06-28 14:04 - 00000000 ___HD C:\Users\All Users\Adobe
2012-12-23 13:13 - 2012-12-22 13:03 - 00000000 ____D C:\Users\admın\Documents\GuitarLessonResource
2012-12-22 22:48 - 2012-12-13 00:39 - 00000000 ____D C:\Users\admın\Downloads\Castle Season 1 and 2
2012-12-22 13:00 - 2012-12-22 13:00 - 04988686 ____A C:\Users\admın\Downloads\teachwombatdotcomfreestuff2.zip
2012-12-21 11:37 - 2012-06-30 10:56 - 00000000 ____D C:\Program Files (x86)\uTorrent
2012-12-19 13:57 - 2012-12-19 13:54 - 150719027 ____A C:\Users\admın\Documents\Inception Soundtrack - Time _ Piano _ Sax (Relaxing).mp4
2012-12-19 12:01 - 2012-12-19 12:01 - 00000000 ____D C:\Users\admın\Documents\4A Games
2012-12-19 12:00 - 2012-12-19 12:00 - 00000000 ____D C:\Users\admın\AppData\Local\4A Games
2012-12-19 11:59 - 2012-07-01 20:56 - 00000000 ____D C:\Users\admın\AppData\Roaming\NVIDIA
2012-12-19 03:12 - 2012-12-19 03:12 - 00013173 ____A C:\Users\admın\Downloads\bifur.zip
2012-12-19 03:05 - 2012-12-19 03:05 - 00477022 ____A C:\Users\admın\Downloads\retro_lined_area.zip
2012-12-19 02:48 - 2012-12-19 02:48 - 00030729 ____A C:\Users\admın\Downloads\beastieboys.zip
2012-12-18 18:37 - 2012-12-16 20:44 - 00000000 ____D C:\Program Files (x86)\Metro
2012-12-18 18:33 - 2012-12-18 18:33 - 00000000 ____D C:\users\admn
2012-12-18 18:33 - 2012-12-18 18:33 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2012-12-17 02:00 - 2012-12-17 02:00 - 00000021 ____A C:\Users\admın\Documents\Metro2033serial.txt
2012-12-16 20:45 - 2012-12-16 20:45 - 00000917 ____A C:\Users\Public\Desktop\Steam.lnk
2012-12-16 20:38 - 2012-12-16 20:33 - 74331423 ____A C:\Users\admın\Downloads\metro2033.exe
2012-12-16 19:11 - 2012-12-21 20:56 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-16 16:45 - 2012-12-21 20:56 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-16 16:13 - 2012-12-21 20:56 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-16 16:13 - 2012-12-21 20:56 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-16 14:35 - 2012-11-26 14:29 - 00000000 ____D C:\Users\admın\AppData\Roaming\Real
2012-12-16 14:35 - 2012-11-26 14:28 - 00000000 ____D C:\Users\All Users\Real
2012-12-16 12:52 - 2012-12-16 12:50 - 04602915 ____A C:\Users\admın\Documents\Dire Straits - Six Blade Knife lyrics.flv
2012-12-16 12:45 - 2012-12-16 12:40 - 10940032 ____A C:\Users\admın\Documents\Sultans of Swing (with lyrics).flv
2012-12-16 12:38 - 2012-12-16 12:36 - 05912557 ____A C:\Users\admın\Documents\ZZ Top-Sharp Dressed Man Lyrics.flv
2012-12-16 12:24 - 2012-12-16 12:22 - 05771227 ____A C:\Users\admın\Documents\Eric Clapton- Cocaine.flv
2012-12-16 12:21 - 2012-12-16 12:17 - 16634134 ____A C:\Users\admın\Documents\Eric Clapton - Old Love lyrics (Album Version).flv
2012-12-16 12:10 - 2012-12-16 12:10 - 00001289 ____A C:\Users\admın\Documents\You know I'm no good.txt
2012-12-16 12:04 - 2012-12-16 12:04 - 00001311 ____A C:\Users\admın\Documents\Espresso Love.txt
2012-12-16 12:01 - 2012-12-16 12:01 - 00000567 ____A C:\Users\admın\Documents\Cocaine.txt
2012-12-14 16:49 - 2013-01-10 18:26 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-12-14 15:38 - 2012-12-14 15:38 - 03761317 ____A C:\Users\admın\Downloads\recordings.zip

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-08 12:19:40
Restore point made on: 2013-01-08 12:22:10
Restore point made on: 2013-01-08 12:25:43
Restore point made on: 2013-01-09 18:17:00
Restore point made on: 2013-01-09 19:22:15
Restore point made on: 2013-01-10 10:56:16
Restore point made on: 2013-01-10 11:40:09
Restore point made on: 2013-01-10 12:59:29
Restore point made on: 2013-01-10 13:14:41
Restore point made on: 2013-01-10 15:16:14
Restore point made on: 2013-01-10 18:19:07

==================== Memory info ===========================

Percentage of memory in use: 26%
Total physical RAM: 2046.49 MB
Available physical RAM: 1504.79 MB
Total Pagefile: 2046.49 MB
Available Pagefile: 1477.73 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:391.37 GB) (Free:130.89 GB) NTFS
2 Drive e: () (Fixed) (Total:540.04 GB) (Free:533.59 GB) NTFS
3 Drive f: (13 Ara 2012) (CDROM) (Total:1.46 GB) (Free:0 GB) UDF
4 Drive g: (NAAAAAAAAPP) (Removable) (Total:7.45 GB) (Free:0.3 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
10 Drive y: (Sistem Ayrıldı) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Telif Hakk (C) 1999-2008 Bilgisayar: MININT-L8M2O1V

Disk ### Durum Boyut BoŸ Din Gpt
-------- ------------- ------- ------- --- ---
Disk 0 €evrimi‡I 931 GB 0 B
Disk 1 €evrimi‡I 7634 MB 0 B
Disk 2 Medya Yok 0 B 0 B
Disk 3 Medya Yok 0 B 0 B
Disk 4 Medya Yok 0 B 0 B
Disk 5 Medya Yok 0 B 0 B

DiskPart'tan ‡klyor...

Partitions of Disk 0:
===============

Telif Hakk (C) 1999-2008 Bilgisayar: MININT-L8M2O1V

Disk 0 Ÿimdi se‡ili disk.

B”lm ### Tr Boyut Ofset
------------- ---------------- ------- -------
B”lm 1 Birincil 100 MB 1024 KB
B”lm 2 Birincil 391 GB 101 MB
B”lm 3 Birincil 540 GB 391 GB

DiskPart'tan ‡klyor...

==================================================================================

Partitions of Disk 1:
===============

Telif Hakk (C) 1999-2008 Bilgisayar: MININT-L8M2O1V

Disk 1 Ÿimdi se‡ili disk.

B”lm ### Tr Boyut Ofset
------------- ---------------- ------- -------
B”lm 1 Birincil 7634 MB 31 KB

DiskPart'tan ‡klyor...

==================================================================================

Last Boot: 2013-01-04 11:42

==================== End Of Log =============================

jays.traas · Jan 12, 2013

Search.txt

Farbar Recovery Scan Tool (x64) Version: 09-01-2013
Ran by SYSTEM at 2013-01-13 00:15:33
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-14 01:19] - [2009-07-14 03:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-14 01:19] - [2009-07-14 03:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\erdnt\cache64\services.exe
[2013-01-10 23:05] - [2009-07-14 03:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

Jay Pfoutz · Jan 13, 2013

Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page for performing a scan.
Caution: This is a beta version so also read the disclaimer and back up all your data before using.
When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
Copy and paste the contents of these two log files in your next reply.

OTL Quick Scan

Please download OTL by OldTimer to your Desktop.

Close all windows and double click OTL.exe.
Click Quick Scan button and let the program run uninterrupted.
It will produce a log for you called OTL.txt, please post it in your next reply.
You may need to use two posts to get it all.

jays.traas · Jan 14, 2013

I scanned 3 times with the mbar anti-rootkit, all three times it found the svchost.exe but interestingly it didn't notice libpdcurses.dll which I'm sure you know, is a keylogger.

Attached are the logs

jays.traas · Jan 14, 2013

OTL.txt

OTL logfile created on: 1/14/2013 4:24:17 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\admın\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.70 Gb Available Physical Memory | 34.83% Memory free
4.00 Gb Paging File | 2.56 Gb Available in Paging File | 63.95% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 391.37 Gb Total Space | 132.61 Gb Free Space | 33.88% Space Free | Partition Type: NTFS
Drive D: | 540.04 Gb Total Space | 533.58 Gb Free Space | 98.80% Space Free | Partition Type: NTFS
Drive E: | 1.46 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: ADMıN-PC | User Name: admın | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
PRC - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
PRC - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
PRC - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
PRC - [2013/01/14 01:42:45 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\admın\Desktop\OTL.exe
PRC - [2012/12/21 11:38:11 | 000,541,760 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
PRC - [2012/12/18 16:28:22 | 000,038,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe
PRC - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/12/16 20:46:07 | 001,354,736 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
PRC - [2012/11/26 14:29:48 | 000,296,096 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
PRC - [2012/11/11 23:46:02 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2012/04/26 14:33:38 | 003,111,744 | ---- | M] (DT Soft Ltd) -- C:\Program Files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe

========== Modules (No Company Name) ==========

MOD - [2013/01/14 16:23:51 | 000,249,344 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\libcurl-4.dll
MOD - [2013/01/14 16:23:51 | 000,087,054 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\libpdcurses.dll
MOD - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
MOD - [2012/12/21 11:38:15 | 000,647,168 | ---- | M] () -- C:\Program Files (x86)\Steam\sdl.dll
MOD - [2012/12/21 11:38:11 | 020,320,240 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\libcef.dll
MOD - [2012/12/21 11:38:11 | 001,100,800 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avcodec-53.dll
MOD - [2012/12/21 11:38:11 | 000,969,280 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\chromehtml.dll
MOD - [2012/12/21 11:38:11 | 000,192,000 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avformat-53.dll
MOD - [2012/12/21 11:38:11 | 000,124,416 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avutil-51.dll

========== Services (SafeList) ==========

SRV:64bit: - [2012/09/12 21:21:48 | 000,368,896 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/09/12 21:21:48 | 000,022,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2013/01/12 03:40:16 | 000,115,760 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/01/10 18:09:38 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/21 11:38:11 | 000,541,760 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/12/18 16:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/11/11 23:46:02 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/08/30 22:03:48 | 000,128,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/07/01 12:00:43 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2012/03/26 22:00:18 | 000,772,224 | ---- | M] (Line 6) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\l6TportUX864.sys -- (l6TportUX8)
DRV:64bit: - [2012/03/01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2010/11/20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 15:32:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 15:32:46 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2010/11/20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 13:03:42 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2009/07/14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 22:35:38 | 000,707,072 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr7364.sys -- (netr7364)
DRV:64bit: - [2009/06/10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/03/01 22:05:32 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV - [2009/07/14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2001/09/27 16:00:32 | 000,027,584 | ---- | M] (NemeSys Music Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\filespy.sys -- (FILESPY)
DRV - [2001/09/27 15:48:46 | 000,738,976 | ---- | M] (Conexant Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\ew.sys -- (EWAVE)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=11...HP_ss&mntrId=1a813b21000000000000001cf0c9416a
IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = tr
IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 65 61 69 48 26 55 CD 01 [binary data]
IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searc...SP_ss&mntrId=1a813b21000000000000001cf0c9416a
IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B0153E448-190B-4987-BDE1-F256CADA672F%7D:15.0.6
FF - prefs.js..extensions.enabledAddons: %7Bb9bfaf1c-a63f-47cd-8b9a-29526ced9060%7D:1.4.15
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\admın\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\admın\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\support@2yourface.com: C:\Users\admın\AppData\Roaming\2YourFace\ffextension
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/11/26 14:29:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/01/12 03:40:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\support@2yourface.com: C:\Users\admın\AppData\Roaming\2YourFace\ffextension

[2012/11/26 14:53:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admın\AppData\Roaming\Mozilla\Extensions
[2013/01/11 00:02:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admın\AppData\Roaming\Mozilla\Firefox\Profiles\zdcv06km.default\extensions
[2013/01/11 00:02:41 | 000,013,552 | ---- | M] () (No name found) -- C:\Users\admın\AppData\Roaming\Mozilla\Firefox\Profiles\zdcv06km.default\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi
[2012/12/11 15:25:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/11/26 14:29:58 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
File not found (No name found) -- C:\USERS\ADMÄ±N\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\ZDCV06KM.DEFAULT\EXTENSIONS\{B9BFAF1C-A63F-47CD-8B9A-29526CED9060}.XPI
[2013/01/12 03:40:17 | 000,262,704 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/11/20 08:17:14 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/11/20 08:17:14 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://search.babylon.com/?affID=11...HP_ss&mntrId=1a813b21000000000000001cf0c9416a
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google

riginalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://search.babylon.com/?affID=11...HP_ss&mntrId=1a813b21000000000000001cf0c9416a
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\adm\u0131n\AppData\Local\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\adm\u0131n\AppData\Local\Google\Chrome\Application\23.0.1271.97\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\adm\u0131n\AppData\Local\Google\Chrome\Application\23.0.1271.97\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Users\adm\u0131n\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java Deployment Toolkit 7.0.50.5 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\admın\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\

O1 HOSTS File: ([2013/01/10 23:03:21 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe] C:\ProgramData\Adobe\3D422E.vbe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000..\Run: [DAEMON Tools Pro Agent] C:\Program Files (x86)\Daemon Tools Pro v5.1.0\DTAgent.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O4 - HKLM..\RunServicesOnce: [] C:\Windows\GIGATEMP\Patch.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\..Trusted Domains: line6.net ([]* in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{26D9982C-60BF-4A1A-B593-D428CF93A2A0}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87342CD1-FF71-409D-A95B-74347ABAA8CE}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BBEAA541-9425-4117-8BE9-94DA26EFE021}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D52D4DA9-6AFE-4683-AF44-A9FD49C0FF39}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FF913288-5A1B-4CB8-BC7B-1068999963B0}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/14 13:47:53 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
[2013/01/14 01:42:24 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\admın\Desktop\OTL.exe
[2013/01/14 01:25:34 | 000,000,000 | ---D | C] -- C:\Users\admın\Desktop\mbar
[2013/01/13 00:01:10 | 000,000,000 | ---D | C] -- C:\FRST
[2013/01/12 02:32:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2013/01/12 02:19:30 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2013/01/10 23:06:55 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/01/10 23:03:23 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2013/01/10 22:46:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/01/10 22:46:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/01/10 22:46:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/01/10 22:46:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/01/10 22:46:12 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/01/10 18:26:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/01/10 18:26:41 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013/01/10 18:26:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013/01/10 16:50:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2013/01/10 16:50:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013/01/10 13:29:50 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2013/01/10 12:23:44 | 000,000,000 | ---D | C] -- C:\Users\admın\Desktop\EverestTest
[2013/01/09 18:17:23 | 000,000,000 | ---D | C] -- C:\Windows\RestoreSafeDeleted
[2013/01/05 17:20:14 | 000,000,000 | ---D | C] -- C:\Users\admın\Documents\Backtracks
[2013/01/05 13:20:51 | 000,000,000 | ---D | C] -- C:\Users\admın\Documents\SongLyrics
[2012/12/30 02:48:51 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Local\Programs
[2012/12/26 01:50:37 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Roaming\Sports Interactive
[2012/12/24 20:57:49 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\Common Files\EAInstaller
[2012/12/22 13:03:26 | 000,000,000 | ---D | C] -- C:\Users\admın\Documents\GuitarLessonResource
[2012/12/19 12:01:03 | 000,000,000 | ---D | C] -- C:\Users\admın\Documents\4A Games
[2012/12/19 12:00:02 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Local\4A Games
[2012/12/18 18:33:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2012/12/18 18:33:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard
[2012/12/16 21:50:49 | 000,000,000 | ---D | C] -- C:\Users\admın\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
[2012/12/16 20:45:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Steam
[2012/12/16 20:45:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
[2012/12/16 20:45:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Steam
[2012/12/16 20:44:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Metro
[1 C:\Users\admın\Desktop\*.tmp files -> C:\Users\admın\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/14 16:23:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/01/14 16:23:20 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/14 14:08:03 | 000,017,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/01/14 14:08:03 | 000,017,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/01/14 13:47:53 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
[2013/01/14 09:15:03 | 000,000,814 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/01/14 01:42:45 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\admın\Desktop\OTL.exe
[2013/01/14 00:31:25 | 001,564,578 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/01/14 00:31:25 | 000,654,676 | ---- | M] () -- C:\Windows\SysNative\perfh01F.dat
[2013/01/14 00:31:25 | 000,652,180 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/01/14 00:31:25 | 000,138,932 | ---- | M] () -- C:\Windows\SysNative\perfc01F.dat
[2013/01/14 00:31:25 | 000,121,112 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/01/13 02:01:12 | 251,439,298 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013/01/13 01:24:04 | 000,000,228 | ---- | M] () -- C:\Windows\SysNative\.crusader
[2013/01/12 02:31:45 | 151,469,960 | ---- | M] () -- C:\Users\admın\Desktop\setup_11.0.0.1245.x01_2013_01_12_03_36.exe
[2013/01/11 12:47:23 | 000,021,132 | ---- | M] () -- C:\Users\admın\Documents\Am Pentatonic scale.png
[2013/01/11 11:58:42 | 000,420,187 | ---- | M] () -- C:\Users\admın\Desktop\Svchost.jpg
[2013/01/10 23:03:21 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2013/01/10 22:52:03 | 000,001,108 | ---- | M] () -- C:\Users\admın\Desktop\ComboFix - Shortcut.lnk
[2013/01/10 18:26:47 | 000,001,133 | ---- | M] () -- C:\Users\admın\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2013/01/10 18:12:40 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat
[2013/01/10 18:12:40 | 000,000,002 | RHS- | M] () -- C:\Windows\SysWow64\CONFIG.NT
[2013/01/10 18:12:40 | 000,000,002 | RHS- | M] () -- C:\Windows\SysWow64\AUTOEXEC.NT
[2013/01/10 16:50:55 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/01/10 13:13:29 | 000,342,608 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/01/10 13:11:32 | 001,542,464 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013/01/03 12:23:01 | 000,040,162 | ---- | M] () -- C:\Users\admın\Documents\nicee (2).jpg
[2013/01/01 23:30:55 | 000,055,885 | ---- | M] () -- C:\Users\admın\Documents\nn.jpg
[2013/01/01 16:52:39 | 028,449,468 | ---- | M] () -- C:\Users\admın\Desktop\AutumnLeaves.zip
[2012/12/31 11:09:02 | 000,098,545 | ---- | M] () -- C:\Users\admın\Documents\ikini.jpg
[2012/12/29 19:18:54 | 000,036,370 | ---- | M] () -- C:\Users\admın\Documents\yum.jpg
[2012/12/28 21:42:39 | 000,209,288 | ---- | M] () -- C:\Users\admın\Documents\nicee.jpg
[2012/12/27 21:24:38 | 000,100,801 | ---- | M] () -- C:\Users\admın\Documents\bik.jpg
[2012/12/27 00:28:51 | 000,081,736 | ---- | M] () -- C:\Users\admın\Documents\407970_525477294152683_1014306641_n.jpg
[2012/12/19 13:57:52 | 150,719,027 | ---- | M] () -- C:\Users\admın\Documents\Inception Soundtrack - Time _ Piano _ Sax (Relaxing).mp4
[2012/12/19 12:53:22 | 000,075,354 | ---- | M] () -- C:\Users\admın\Documents\Nice.jpg
[2012/12/16 20:45:52 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2012/12/16 12:52:51 | 004,602,915 | ---- | M] () -- C:\Users\admın\Documents\Dire Straits - Six Blade Knife lyrics.flv
[2012/12/16 12:45:00 | 010,940,032 | ---- | M] () -- C:\Users\admın\Documents\Sultans of Swing (with lyrics).flv
[2012/12/16 12:38:56 | 005,912,557 | ---- | M] () -- C:\Users\admın\Documents\ZZ Top-Sharp Dressed Man Lyrics.flv
[2012/12/16 12:24:32 | 005,771,227 | ---- | M] () -- C:\Users\admın\Documents\Eric Clapton- Cocaine.flv
[2012/12/16 12:21:42 | 016,634,134 | ---- | M] () -- C:\Users\admın\Documents\Eric Clapton - Old Love lyrics (Album Version).flv
[1 C:\Users\admın\Desktop\*.tmp files -> C:\Users\admın\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/13 00:23:41 | 000,000,228 | ---- | C] () -- C:\Windows\SysNative\.crusader
[2013/01/12 02:28:27 | 151,469,960 | ---- | C] () -- C:\Users\admın\Desktop\setup_11.0.0.1245.x01_2013_01_12_03_36.exe
[2013/01/11 12:47:04 | 000,021,132 | ---- | C] () -- C:\Users\admın\Documents\Am Pentatonic scale.png
[2013/01/11 11:58:42 | 000,420,187 | ---- | C] () -- C:\Users\admın\Desktop\Svchost.jpg
[2013/01/10 22:52:03 | 000,001,108 | ---- | C] () -- C:\Users\admın\Desktop\ComboFix - Shortcut.lnk
[2013/01/10 22:46:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/01/10 22:46:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/01/10 22:46:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/01/10 22:46:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/01/10 22:46:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/01/10 18:26:47 | 000,001,133 | ---- | C] () -- C:\Users\admın\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2013/01/10 16:50:55 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2013/01/10 16:50:45 | 000,002,117 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/01/03 23:15:37 | 737,107,968 | ---- | C] () -- C:\Users\admın\Desktop\The Shawshank Redemption[1994]DvDrip[Eng]-FXG.avi
[2013/01/03 12:22:50 | 000,040,162 | ---- | C] () -- C:\Users\admın\Documents\nicee (2).jpg
[2013/01/01 23:30:51 | 000,055,885 | ---- | C] () -- C:\Users\admın\Documents\nn.jpg
[2013/01/01 16:52:23 | 028,449,468 | ---- | C] () -- C:\Users\admın\Desktop\AutumnLeaves.zip
[2012/12/31 11:08:57 | 000,098,545 | ---- | C] () -- C:\Users\admın\Documents\ikini.jpg
[2012/12/29 19:18:49 | 000,036,370 | ---- | C] () -- C:\Users\admın\Documents\yum.jpg
[2012/12/28 21:42:29 | 000,209,288 | ---- | C] () -- C:\Users\admın\Documents\nicee.jpg
[2012/12/27 21:24:32 | 000,100,801 | ---- | C] () -- C:\Users\admın\Documents\bik.jpg
[2012/12/27 00:28:50 | 000,081,736 | ---- | C] () -- C:\Users\admın\Documents\407970_525477294152683_1014306641_n.jpg
[2012/12/19 13:54:59 | 150,719,027 | ---- | C] () -- C:\Users\admın\Documents\Inception Soundtrack - Time _ Piano _ Sax (Relaxing).mp4
[2012/12/19 12:53:15 | 000,075,354 | ---- | C] () -- C:\Users\admın\Documents\Nice.jpg
[2012/12/16 20:45:52 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
[2012/12/16 12:50:56 | 004,602,915 | ---- | C] () -- C:\Users\admın\Documents\Dire Straits - Six Blade Knife lyrics.flv
[2012/12/16 12:40:50 | 010,940,032 | ---- | C] () -- C:\Users\admın\Documents\Sultans of Swing (with lyrics).flv
[2012/12/16 12:36:19 | 005,912,557 | ---- | C] () -- C:\Users\admın\Documents\ZZ Top-Sharp Dressed Man Lyrics.flv
[2012/12/16 12:22:06 | 005,771,227 | ---- | C] () -- C:\Users\admın\Documents\Eric Clapton- Cocaine.flv
[2012/12/16 12:17:04 | 016,634,134 | ---- | C] () -- C:\Users\admın\Documents\Eric Clapton - Old Love lyrics (Album Version).flv
[2012/11/22 01:28:28 | 000,119,840 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2012/11/11 23:46:04 | 000,189,248 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012/11/11 23:46:02 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012/07/01 16:19:59 | 000,000,359 | ---- | C] () -- C:\Windows\GearBox.ini
[2012/07/01 12:49:22 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\sysprs7.dll
[2012/07/01 12:49:22 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\clauth2.dll
[2012/07/01 12:49:22 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\clauth1.dll
[2012/07/01 12:49:22 | 000,000,205 | ---- | C] () -- C:\Windows\SysWow64\lsprst7.dll
[2012/07/01 12:49:22 | 000,000,073 | ---- | C] () -- C:\Windows\SysWow64\ssprs.dll
[2012/06/30 19:16:51 | 001,542,464 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/06/30 17:40:29 | 000,296,448 | ---- | C] () -- C:\Windows\LOOP.exe
[2012/06/30 17:38:19 | 000,000,113 | ---- | C] () -- C:\Windows\system32.INI
[2012/06/30 11:57:57 | 000,000,031 | ---- | C] () -- C:\Windows\SysWow64\deck.ini
[2012/06/28 14:04:00 | 000,631,808 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2012/06/28 14:04:00 | 000,243,200 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2012/06/28 14:04:00 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2012/06/28 14:04:00 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2012/06/28 14:03:59 | 000,080,896 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2011/07/25 11:48:58 | 000,074,293 | ---- | C] () -- C:\Users\admın\AppData\Roaming\Setup.1.2.exe

========== ZeroAccess Check ==========

[2009/07/14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012/12/09 21:45:57 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Acoustica
[2012/07/01 20:42:07 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Antares
[2012/07/01 12:27:16 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Babylon
[2012/07/01 12:27:56 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\BabylonToolbar
[2012/07/01 12:02:01 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\DAEMON Tools Pro
[2012/06/30 11:28:58 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\GHISLER
[2012/07/02 15:41:03 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Image-Line
[2012/12/09 21:55:45 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\KORG
[2012/07/03 10:52:58 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Line 6
[2012/06/30 17:39:01 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Mopis
[2012/12/09 21:46:32 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\PACE Anti-Piracy
[2012/11/11 23:46:01 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\PunkBuster
[2012/11/12 15:20:58 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Rovio
[2012/12/26 01:50:37 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Sports Interactive
[2012/12/09 21:46:16 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\SynthMaker
[2012/07/02 15:33:30 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Toontrack
[2013/01/12 11:49:44 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\uTorrent
[2012/07/01 20:56:31 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Waves Audio

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 1339 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:WVViVGXyIw88PnYxHA3M
@Alternate Data Stream - 1271 bytes -> C:\ProgramData\Microsoft:Qstur9fW4hys2oFIPsGT1N
@Alternate Data Stream - 1271 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:wA46eoPGPeO4snilK0kc7mMFIYi
@Alternate Data Stream - 1227 bytes -> C:\ProgramData\Microsoft:03yUl3P72JlarMKI5TEPS0783lIG
@Alternate Data Stream - 1176 bytes -> C:\ProgramData\Microsoft:zsUqGa9oZSuGytqJEMvkANc

< End of report >

jays.traas · Jan 14, 2013

And a txt file called extras.txt from the OTL scan.

OTL Extras logfile created on: 1/14/2013 4:24:17 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\admın\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.70 Gb Available Physical Memory | 34.83% Memory free
4.00 Gb Paging File | 2.56 Gb Available in Paging File | 63.95% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 391.37 Gb Total Space | 132.61 Gb Free Space | 33.88% Space Free | Partition Type: NTFS
Drive D: | 540.04 Gb Total Space | 533.58 Gb Free Space | 98.80% Space Free | Partition Type: NTFS
Drive E: | 1.46 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: ADMıN-PC | User Name: admın | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
"{0EFEC96B-A1EF-43D1-B53A-6638B500C5D3}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\outlook.exe |
"{1018F9A9-287A-4E16-9649-F7C85ECD46F1}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{104FA239-7718-4882-B8DB-3D0F52C28345}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1F47FE60-29EB-41AA-8AAC-8CA2C7A70694}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{23EEC1B2-723E-4E82-A7C4-60C69629009B}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{3046724F-C531-433C-B116-B50DE884570B}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{3E83C490-85AA-4202-A1E0-2FDE12591E8A}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
"{5E0DFD48-A40D-4FB6-A2F5-AB52C1C240E1}" = lport=138 | protocol=17 | dir=in | app=system |
"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
"{69721124-79C8-4134-B10B-7916962C6267}" = lport=137 | protocol=17 | dir=in | app=system |
"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
"{82AA8C44-D418-400D-A6EA-B6366C58F61D}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{86FFCE7A-47E5-428A-9152-487C856E4BC5}" = rport=139 | protocol=6 | dir=out | app=system |
"{8FAAD563-F0DC-42B3-B519-A44CFB33ADF7}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{94C9AED1-A1D9-4774-BCAE-FC467C136D89}" = rport=137 | protocol=17 | dir=out | app=system |
"{A08547C2-8D6C-42C3-BC0F-790E6A202513}" = lport=139 | protocol=6 | dir=in | app=system |
"{A1813EC8-768D-4CEF-8164-58352DAD4AD9}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe |
"{A47929D6-CFE8-4E7A-8213-EA2F68ABF8F3}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{AA8FB957-182A-4C68-A348-969B76ADA2E2}" = lport=445 | protocol=6 | dir=in | app=system |
"{AD81F370-3C68-46DC-8BAE-CEC45FA65F3D}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{B81B0670-6B5D-4958-A7CB-D844206A7D13}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CDFDC67F-1171-4C1C-A4A1-CD2F4F0EE499}" = rport=445 | protocol=6 | dir=out | app=system |
"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{DADFD3FB-BB91-4421-B4C7-66FF571B6045}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{EA575B40-5AED-4462-9082-333563660C76}" = rport=138 | protocol=17 | dir=out | app=system |
"{F05E143A-4753-45CA-B33A-E90D22C1D573}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
"{F78E5195-0367-4BDC-AA4D-47200B76A3C6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{0B3F7E35-AF07-494A-95DD-701756A96961}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{15C8ADBE-B139-447C-AE1F-F4A52B0FE3B5}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\uplaybrowser.exe |
"{19DD56F3-41EE-4537-A950-E5ABF0B1F617}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{1E8557FF-3365-4ECF-A3DA-3614B9CFF52E}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\assassinscreedbrotherhood.exe |
"{32337022-533E-47CE-97A6-DA0CC34C65FA}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{38DFFE07-3088-445E-B559-543BF4D16966}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{3F200497-04BF-42F2-BAC5-E4615EBFE20B}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |
"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{489F31DC-FB08-4109-A554-2DF6F336F0E6}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{4AF43A39-6823-4F25-AB55-A52C8698AF8B}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{53D564DF-AF8C-474D-BD65-F7B8F6972496}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{548E9D4A-CE1B-439B-AE7B-310F782A0260}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe |
"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{64BBE997-03F8-4B81-9EE1-7C26CDB0FB39}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{68821771-8B1F-495B-8611-348911B88837}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\acbmp.exe |
"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{7102EC76-EA38-4D70-B4A9-FB49F7A46728}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\assassinscreedbrotherhood.exe |
"{7A5F8071-7777-4C4D-B35A-8F91A6DD6F19}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |
"{7CE7B0D8-18A1-4E0E-8A2F-F817771D26D1}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\acbmp.exe |
"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{9C7706F1-964E-452B-B0D2-C1B019E4A026}" = protocol=17 | dir=in | app=c:\users\admin\appdata\roaming\2yourface\updater.exe |
"{9F1E640B-C3C6-44B3-ACC7-F14C74FF3F13}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\metro 2033\metro2033.exe |
"{A08CD572-F87D-42C3-9FAB-C889685FF6D9}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{A2AE300E-4546-4726-8E45-6D5372BA78F4}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe |
"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{B46EF6F4-21ED-4642-924B-DBF36CF6D80E}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\uplaybrowser.exe |
"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
"{C8326631-6A42-4630-9D29-185DFD6D136F}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |
"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E83F184A-CB46-456C-A7F3-A407B75B71C9}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EAC0613A-9123-4426-91C9-D99184822A84}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F2214894-AC58-4A0A-8EA0-801979044339}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\acbsp.exe |
"{F2B77355-FC42-4437-A46C-3137A3CE1EBF}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |
"{F2D96972-5AC5-44AA-8CF9-70F17A4A5978}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\metro 2033\metro2033.exe |
"{F65DF824-6CC8-4E4A-AF1D-B7415AA050F9}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\assassin's creed brotherhood\acbsp.exe |
"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{FE590843-FDA3-46B2-ACAD-70C616B26B8E}" = protocol=6 | dir=in | app=c:\users\admin\appdata\roaming\2yourface\updater.exe |
"TCP Query User{3A02FDCA-D94C-40E3-8F49-61D04F9816B7}C:\program files (x86)\mirc\mirc.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mirc\mirc.exe |
"UDP Query User{BB6B950C-E08D-4420-A88C-70938C50510F}C:\program files (x86)\mirc\mirc.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mirc\mirc.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{027E5FAB-1476-4C59-AAB4-32EF28520399}" = Windows Live Language Selector
"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
"{23CA8D91-FD3B-4EE6-BBDF-B5924E7E44EB}" = EZkeys Grand Piano 64
"{25613C10-27D2-410B-942B-D922D5C3A7BE}" = Interlok driver setup x64
"{33691AFF-9ABF-4278-BDB6-902EE07D9237}" = Native Instruments Guitar Rig 3
"{35E5BAC5-47A5-449C-9244-C40659362DCF}" = EZkeys Player 64-bit
"{3D83CC9F-E2E1-47AE-B1AF-F6D3A8825196}" = EZmix 64-bit
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-041F-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (Turkish) 2007
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{C78D3032-9DFD-41D0-9DE9-58EAE750CBA4}" = Microsoft Security Client
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"Totalcmd64" = Total Commander 64-bit (Remove or Repair)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{038B2DB1-2B9C-45C6-A55F-17B60D80C9D2}" = Rock EZmix pack
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{1203DC60-D9BD-44F9-B372-2B8F227E6094}" = Windows Live Temel Parçalar
"{147567F0-8575-4BE0-B5B3-62706C67FA5A}" = EZXCocktail
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java(TM) 7 Update 5
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}" = EZXPercussion
"{430399DC-98BC-4A7F-8F8E-77981CABAE05}" = EZXVintage
"{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}" = EZdrummer
"{443B561F-DE1B-4DEF-ADD9-484B684653C7}" = Windows Live Messenger
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C4D25EB-6513-4702-8355-F4194DE2E1D9}" = Waves 4.0
"{523DF2BB-3A85-4047-9898-29DC8AEB7E69}" = Windows Live UX Platform Language Pack
"{54194F60-988C-4D03-B922-C2B00EFDA39A}" = NVIDIA PhysX
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{8094F7AE-CA21-4AF2-A256-BC918CE0E796}" = EZXClaustrophobic
"{82DF9225-13EC-41BD-BE31-AAB121B38166}" = EZXNashville
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83AA2913-C123-4146-85BD-AD8F93971D39}" = BabylonObjectInstaller
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{85373DA7-834E-4850-8AF5-1D99F7526857}" = Windows Live Photo Common
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0015-041F-0000-0000000FF1CE}" = Microsoft Office Access MUI (Turkish) 2007
"{90120000-0015-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-041F-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Turkish) 2007
"{90120000-0016-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-041F-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Turkish) 2007
"{90120000-0018-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-041F-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Turkish) 2007
"{90120000-0019-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-041F-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Turkish) 2007
"{90120000-001A-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-041F-0000-0000000FF1CE}" = Microsoft Office Word MUI (Turkish) 2007
"{90120000-001B-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-041F-0000-0000000FF1CE}" = Microsoft Office Proof (Turkish) 2007
"{90120000-001F-041F-0000-0000000FF1CE}_ENTERPRISE_{6A61C934-56F9-4AC6-A43B-30E3F9D886F5}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002A-041F-1000-0000000FF1CE}_ENTERPRISE_{8EFDC918-E9A4-43CF-8AE2-95AE63E01DFE}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002C-041F-0000-0000000FF1CE}" = Microsoft Office Proofing (Turkish) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0044-041F-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Turkish) 2007
"{90120000-0044-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-041F-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Turkish) 2007
"{90120000-006E-041F-0000-0000000FF1CE}_ENTERPRISE_{8EFDC918-E9A4-43CF-8AE2-95AE63E01DFE}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-041F-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Turkish) 2007
"{90120000-00A1-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-041F-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Turkish) 2007
"{90120000-00BA-041F-0000-0000000FF1CE}_ENTERPRISE_{9B14E574-B6BD-48A8-B1C3-124ED5AAD01A}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{92DE01AB-0E6F-4F47-8159-91B86FAEC218}" = Unity Session Demo
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AC76BA86-7AD7-1055-7B44-AA1000000001}" = Adobe Reader X (10.1.5) - Turkish
"{BE4BA698-8533-4F77-9559-C7F3F78C0B05}" = Assassin's Creed Brotherhood
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D1EBF11E-8CE3-4EF5-8E2D-FD5B8D6BD294}" = EZXTwisted
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}" = EZXDfh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{FFF74EC9-1FF4-4456-99E3-4F05129F4FAB}" = Antares Auto-Tune Evo VST
"2YourFace" = 2YourFace 1.0
"Acoustica Mixcraft 6" = Acoustica Mixcraft 6
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"AngryBirdsStarWars 1.00" = AngryBirdsStarWars 1.00
"Antares Auto-Tune 3.03 DirectX" = Antares Auto-Tune 3.03 DirectX
"ASIO4ALL" = ASIO4ALL
"BabylonToolbar" = Babylon toolbar on IE
"Cakewalk Rapture_is1" = Rapture 1.0
"Camel Audio Camel Phat VST v3.15" = Camel Audio Camel Phat VST v3.15
"ConcreteFX QDelay VST v1.0" = ConcreteFX QDelay VST v1.0
"Cool Edit Pro 2.1" = Cool Edit Pro 2.1
"Cuttermusic Revitar VSTi v1.1" = Cuttermusic Revitar VSTi v1.1
"Daemon Tools Pro v5.1.0 " = Daemon Tools Pro v5.1.0
"Dash Signature EMM Knagalis VSTi v1.28" = Dash Signature EMM Knagalis VSTi v1.28
"Dash Signature theAbstractGuitar VSTi v1.18" = Dash Signature theAbstractGuitar VSTi v1.18
"db-audioware-quantum-fx-1.06" = quantum-fx 1.06
"discoDSP Phantom_is1" = discoDSP Phantom v1.1
"Edirol HQ Orchestral v1.01" = Edirol HQ Orchestral v1.01
"Edirol Hyper Canvas" = Edirol Hyper Canvas
"Edirol SuperQuartet v1.02" = Edirol SuperQuartet v1.02
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FL Studio 10" = FL Studio 10
"GForce.Software.Minimonsta.RTAS.VSTi.v1.03-DAC" = GForce.Software.Minimonsta.RTAS.VSTi.v1.03-DAC
"GMedia Music impOSCar VSTi v1.0.0.1" = GMedia Music impOSCar VSTi v1.0.0.1
"GR-55FloorBoard" = GR-55FloorBoard 20120227
"IL Download Manager" = IL Download Manager
"IL Slicex" = IL Slicex
"iZotope Ozone DX Plugin v1.0.0.6" = iZotope Ozone DX Plugin v1.0.0.6
"iZotope Ozone v3.02" = iZotope Ozone v3.02
"iZotope Trash v1.02" = iZotope Trash v1.02
"Kiesel.Software.Helga.VSTi.v1.1b003-0xdBass" = Kiesel.Software.Helga.VSTi.v1.1b003-0xdBass
"KLiteCodecPack_is1" = K-Lite Codec Pack 7.1.0 (Full)
"Korg Legacy Collection v1.1.2" = Korg Legacy Collection v1.1.2
"Line 6 Uninstaller" = Line 6 Uninstaller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"mIRC" = mIRC
"Mopis VSTi v1.1" = Mopis VSTi v1.1
"Morphine" = Morphine
"Mozilla Firefox 18.0 (x86 en-US)" = Mozilla Firefox 18.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Native Instruments - Rig Kontrol 3 Driver" = Native Instruments - Rig Kontrol 3 Driver
"Native Instruments FM7" = Native Instruments FM7
"Native Instruments Guitar Rig 3" = Native Instruments Guitar Rig 3
"Native Instruments Service Center" = Native Instruments Service Center
"Nomad Factory Blue Tubes Bundle v2.0" = Nomad Factory Blue Tubes Bundle v2.0
"Nomad Factory Liquid Bundle VST v1.6" = Nomad Factory Liquid Bundle VST v1.6
"Nomad Factory Rock Amp Legends VST v1.0" = Nomad Factory Rock Amp Legends VST v1.0
"Novation Bass-Station VSTi v1.10" = Novation Bass-Station VSTi v1.10
"Oddity VST2" = GMediaMusic - Oddity VST2
"PoiZone" = PoiZone
"PunkBusterSvc" = PunkBuster Services
"RealPlayer 15.0" = RealPlayer
"ReFX Vanguard VSTi v1.03 Retail" = ReFX Vanguard VSTi v1.03 Retail
"ReFX Vanguard VSTi v1.04" = ReFX Vanguard VSTi v1.04
"Steam App 43110" = Metro 2033
"Sytrus" = Sytrus
"Toxic Biohazard" = Toxic Biohazard
"Toxic III_is1" = ToxicIII v1.0 DEMO
"uTorrent" = µTorrent
"vertigo2_is1" = discoDSP Vertigo v2.0
"Wasp" = Wasp
"WinLiveSuite" = Windows Live Temel Parçalar
"WinRAR archiver" = WinRAR arşiv yöneticisi

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 11/18/2012 7:13:14 PM | Computer Name = admın-pc | Source = Application Hang | ID = 1002
Description = The program FL.exe version 0.0.0.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: a08 Start Time:
01cdc5e2315ae2f7 Termination Time: 70 Application Path: C:\Program Files (x86)\Image-Line\FL
Studio 10\FL.exe Report Id: 85c5f782-31d5-11e2-9347-00241d1093b3

Error - 12/17/2012 10:51:59 AM | Computer Name = admın-pc | Source = Application Error | ID = 1000
Description = Faulting application name: firefox.exe, version: 17.0.1.4715, time
stamp: 0x50b71a4b Faulting module name: xul.dll, version: 17.0.1.4715, time stamp:
0x50b7198b Exception code: 0xc0000005 Fault offset: 0x00144ed8 Faulting process id:
0x1178 Faulting application start time: 0x01cddc5dfc64e810 Faulting application path:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe Faulting module path: C:\Program
Files (x86)\Mozilla Firefox\xul.dll Report Id: 4e8115d4-4859-11e2-a10f-00241d1093b3

Error - 12/25/2012 7:50:48 PM | Computer Name = admın-pc | Source = Application Error | ID = 1000
Description = Faulting application name: fm.exe, version: 13.1.0.55, time stamp:
0x50905fcf Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x000000a4 Faulting process id: 0x4b8 Faulting application
start time: 0x01cde2faa2339ba7 Faulting application path: C:\Program Files (x86)\Football
Manager 2013\fm.exe Faulting module path: unknown Report Id: e7bd924b-4eed-11e2-a104-00241d1093b3

Error - 12/25/2012 7:57:28 PM | Computer Name = admın-pc | Source = Application Error | ID = 1000
Description = Faulting application name: fm.exe, version: 13.1.1.1292, time stamp:
0x5093d780 Faulting module name: fm.exe, version: 13.1.1.1292, time stamp: 0x5093d780
Exception
code: 0xc0000005 Fault offset: 0x017cdc9e Faulting process id: 0xa94 Faulting application
start time: 0x01cde2fb9716b969 Faulting application path: C:\Program Files (x86)\Football
Manager 2013\fm.exe Faulting module path: C:\Program Files (x86)\Football Manager
2013\fm.exe Report Id: d6113596-4eee-11e2-a104-00241d1093b3

Error - 12/26/2012 4:46:53 AM | Computer Name = admın-pc | Source = Application Error | ID = 1000
Description = Faulting application name: fm.exe, version: 13.1.1.1292, time stamp:
0x5093d780 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0x00000328 Faulting process id: 0x1054 Faulting application
start time: 0x01cde343605389ec Faulting application path: C:\Program Files (x86)\SEGA\Football
Manager 2013\fm.exe Faulting module path: unknown Report Id: cb35c871-4f38-11e2-930a-00241d1093b3

Error - 1/3/2013 5:08:20 PM | Computer Name = admın-pc | Source = Software Protection Platform Service | ID = 8200
Description = License acquisition failure details. hr=0x80072EE7

Error - 1/3/2013 5:08:20 PM | Computer Name = admın-pc | Source = Software Protection Platform Service | ID = 8208
Description = Acquisition of genuine ticket failed (hr=0x80072EE7) for template
Id 66c92734-d682-4d71-983e-d6ec3f16059f

Error - 1/11/2013 6:50:22 AM | Computer Name = admyn-pc | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7601.17514,
time stamp: 0x4ce7a144 Faulting module name: SHELL32.dll, version: 6.1.7601.17859,
time stamp: 0x4fd2dfec Exception code: 0xc0000005 Fault offset: 0x000000000028cd32
Faulting
process id: 0x780 Faulting application start time: 0x01cdefe1ba3deab7 Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\system32\SHELL32.dll
Report
Id: b232baa9-5bdc-11e2-b3f4-00241d1093b3

Error - 1/12/2013 6:21:43 PM | Computer Name = admyn-pc | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7601.17514,
time stamp: 0x4ce7a144 Faulting module name: Explorer.EXE, version: 6.1.7601.17514,
time stamp: 0x4ce7a144 Exception code: 0xc0000005 Fault offset: 0x0000000000067a22
Faulting
process id: 0x588 Faulting application start time: 0x01cdf1132246d46b Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\Explorer.EXE Report
Id: 71710f02-5d06-11e2-b94c-00241d1093b3

Error - 1/13/2013 8:53:27 PM | Computer Name = admyn-pc | Source = Application Error | ID = 1000
Description = Faulting application name: firefox.exe, version: 18.0.0.4752, time
stamp: 0x50e79fbd Faulting module name: xul.dll, version: 18.0.0.4752, time stamp:
0x50e79ecc Exception code: 0xc0000005 Fault offset: 0x000f8eb8 Faulting process id:
0xc2c Faulting application start time: 0x01cdf1dcac058f43 Faulting application path:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe Faulting module path: C:\Program
Files (x86)\Mozilla Firefox\xul.dll Report Id: cde59967-5de4-11e2-b6b3-00241d1093b3

[ System Events ]
Error - 1/10/2013 4:59:33 PM | Computer Name = admın-pc | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 1/10/2013 5:01:33 PM | Computer Name = admın-pc | Source = Application Popup | ID = 1060
Description = \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility
with this system. Please contact your software vendor for a compatible version
of the driver.

Error - 1/10/2013 5:02:02 PM | Computer Name = admın-pc | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 1/10/2013 6:02:03 PM | Computer Name = admyn-pc | Source = EventLog | ID = 6008
Description = The previous system shutdown at 00:00:28 on ?11.?01.?2013 was unexpected.

Error - 1/12/2013 6:25:27 PM | Computer Name = admyn-pc | Source = Service Control Manager | ID = 7024
Description = The HitmanPro 3.7 Crusader (Boot) service terminated with service-specific
error %%0.

Error - 1/12/2013 8:01:16 PM | Computer Name = admyn-pc | Source = EventLog | ID = 6008
Description = The previous system shutdown at 01:59:47 on ?13.?01.?2013 was unexpected.

Error - 1/12/2013 8:01:17 PM | Computer Name = ADMıN-PC | Source = BugCheck | ID = 1001
Description =

Error - 1/12/2013 8:01:21 PM | Computer Name = admyn-pc | Source = Service Control Manager | ID = 7024
Description = The HitmanPro 3.7 Crusader (Boot) service terminated with service-specific
error %%0.

Error - 1/14/2013 10:23:54 AM | Computer Name = admyn-pc | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Steam
Client Service service to connect.

Error - 1/14/2013 10:23:54 AM | Computer Name = admyn-pc | Source = Service Control Manager | ID = 7000
Description = The Steam Client Service service failed to start due to the following
error: %%1053

< End of report >

Jay Pfoutz · Jan 14, 2013

Remove Babylon Toolbar from your Programs, please.

OTL Fix

Please run OTL

Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

:OTL
MOD - [2013/01/14 16:23:51 | 000,249,344 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\libcurl-4.dll
MOD - [2013/01/14 16:23:51 | 000,087,054 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\libpdcurses.dll
MOD - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
PRC - [2013/01/14 16:23:47 | 000,370,702 | ---- | M] () -- C:\Users\admın\AppData\Local\Temp\svchost.exe
IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=11...HP_ss&mntrId=1a813b21000000000000001cf0c9416a
IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = tr
IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 65 61 69 48 26 55 CD 01 [binary data]
IE - HKU\S-1-5-21-3655514959-12179107-2567171075-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searc...SP_ss&mntrId=1a813b21000000000000001cf0c9416a
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\support@2yourface.com: C:\Users\admın\AppData\Roaming\2YourFace\ffextension
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\support@2yourface.com: C:\Users\admın\AppData\Roaming\2YourFace\ffextension
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
O4 - HKLM..\RunServicesOnce: [] C:\Windows\GIGATEMP\Patch.exe ()
[2012/07/01 12:27:16 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\Babylon
[2012/07/01 12:27:56 | 000,000,000 | ---D | M] -- C:\Users\admın\AppData\Roaming\BabylonToolbar

:files
C:\Users\admın\AppData\Local\Temp\libcurl-4.dll
C:\Users\admın\AppData\Local\Temp\libpdcurses.dll
C:\Users\admın\AppData\Local\Temp\svchost.exe
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:commands
[purity]
[resethosts]
[emptytemp]
[emptyjava]
[emptyflash]
[createrestorepoint]
[reboot]

Click to expand...
Then click the Run Fix button at the top.
Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

Also, let me know if it persists...

jays.traas · Jan 14, 2013

Here's the log. I'm afraid the malware is still present in the same AppData\Local\Temp folder after the fix and the reboot.

All processes killed
========== OTL ==========
No active process named svchost.exe was found!
HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache AcceptLangs| /E : value set successfully!
HKU\S-1-5-21-3655514959-12179107-2567171075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache_TIMESTAMP| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-3655514959-12179107-2567171075-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Registry value HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\support@2yourface.com deleted successfully.
File C:\Users\admın\AppData\Roaming\2YourFace\ffextension not found.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\support@2yourface.com deleted successfully.
File C:\Users\admın\AppData\Roaming\2YourFace\ffextension not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{98889811-442D-49dd-99D7-DC866BE87DBC} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ not found.
File C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\\ deleted successfully.
C:\Windows\GIGATEMP\Patch.exe moved successfully.
C:\Users\admın\AppData\Roaming\Babylon folder moved successfully.
Folder C:\Users\admın\AppData\Roaming\BabylonToolbar\ not found.
========== FILES ==========
C:\Users\admın\AppData\Local\Temp\libcurl-4.dll moved successfully.
C:\Users\admın\AppData\Local\Temp\libpdcurses.dll moved successfully.
C:\Users\admın\AppData\Local\Temp\svchost.exe moved successfully.
< ipconfig /flushdns /c >
No captured output from command...
C:\Users\admın\Desktop\cmd.bat deleted successfully.
< netsh int ip reset c:\resetlog.txt /c >
No captured output from command...
C:\Users\admın\Desktop\cmd.bat deleted successfully.
< ipconfig /release /c >
No captured output from command...
C:\Users\admın\Desktop\cmd.bat deleted successfully.
< ipconfig /renew /c >
No captured output from command...
C:\Users\admın\Desktop\cmd.bat deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: adm
->Temp folder emptied: 0 bytes

User: admin
->Temp folder emptied: 0 bytes

User: admn
->Temp folder emptied: 0 bytes

User: adm²n
->Temp folder emptied: 0 bytes

User: admın
->Temp folder emptied: 10420074 bytes
->Temporary Internet Files folder emptied: 1012849 bytes
->Java cache emptied: 22142 bytes
->FireFox cache emptied: 366835515 bytes
->Google Chrome cache emptied: 228613267 bytes
->Flash cache emptied: 13687 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 76732 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 46424135 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 623.00 mb

[EMPTYJAVA]

User: adm

User: admin

User: admn

User: adm²n

User: admın
->Java cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: adm

User: admin

User: admn

User: adm²n

User: admın
->Flash cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 01152013_000725

Files\Folders moved on Reboot...
C:\Users\admın\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Jay Pfoutz · Jan 15, 2013

What's with all these extra accounts:

User: adm

User: admin

User: admn

User: adm²n

??

Farbar Service Scanner

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

jays.traas · Jan 15, 2013

I'm not sure about all the user accounts. I have a feeling its connected to the current problem/trojan. The day before I came here to techspot to ask for help there was a new user account called Azaq which is just wierd, sort of threw up a red flag and I realized I didn't just have a run of the mill spamware trojan but something more serious was attacking my computer.

Here's the log from Farbar Service Scanner ( I left 'Other services' unchecked as it wasn't on the list you included, however I did another scan with 'Other services' checked and will include that log in a 2nd post).

Farbar Service Scanner Version: 05-01-2013
Ran by admın (administrator) on 15-01-2013 at 22:16:09
Running from "C:\Users\admın\Downloads"
Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

jays.traas · Jan 15, 2013

Here's the log from the scan with "Other Services" checked.

Farbar Service Scanner Version: 05-01-2013
Ran by admın (administrator) on 15-01-2013 at 22:21:04
Running from "C:\Users\admın\Downloads"
Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

Solved Need help to remove svchost.exe trojan

Posts: 39 +0

Posts: 39 +0

Posts: 39 +0

Posts: 39 +0

Posts: 4,279 +49

Posts: 39 +0

Posts: 4,279 +49

Posts: 39 +0

Attachments

Posts: 4,279 +49

Posts: 39 +0

Posts: 39 +0

Posts: 39 +0

Posts: 4,279 +49

Posts: 39 +0

Posts: 39 +0

Posts: 39 +0

Posts: 4,279 +49

Posts: 39 +0

Attachments

Posts: 39 +0

Posts: 39 +0

Posts: 4,279 +49

Posts: 39 +0

Posts: 4,279 +49

Posts: 39 +0

Posts: 39 +0

Similar threads