
I have virus


  • Root Admin

Hello and welcome

If you've not already done so please start here and post back the 2 log files DDS.txt and Attach.txt

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

  • Removing malware can be unpredictable... It is unlikely but things can go very wrong! Please make sure you back up all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive.
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also in a different time zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit.
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to clean up all the tools and logs.
  • Please stick with me until I give you the "all clear" and please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days.
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder.)

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes, then remove incorrect executable associations and fix policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer, as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.

Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

  • Make sure that at least the first two check boxes are selected.
  • Click on OK.
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe.

Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement).
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.


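The post above says RKill "removes incorrect executable associations and fixes policies that stop us from using certain tools". The script below is an added example (it is neither RKill's own code nor part of the original post) of what that check amounts to: it parses a `reg export` of the keys involved, flags an `.exe`/`.com`/`.bat` open command that is anything other than the Windows default `"%1" %*` (a hijacked one runs the attacker's binary first, with the real program as its argument), flags the policy values that disable Task Manager, Registry Editor and the command prompt, and emits a `.reg` repair that restores the defaults and deletes those values. The sample export is constructed for this example; the path `C:\Users\victim\AppData\Local\Temp\xyz.exe` is invented and does not come from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what `reg export` of the relevant keys could look like on a
# machine whose .exe association has been hijacked (the xyz.exe path is invented).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\victim\\AppData\\Local\\Temp\\xyz.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
'''

DEFAULT_OPEN = '"%1" %*'   # Windows default open command for exefile/comfile/batfile
ASSOC_KEYS = {
    'exe': r'HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'com': r'HKEY_CLASSES_ROOT\comfile\shell\open\command',
    'bat': r'HKEY_CLASSES_ROOT\batfile\shell\open\command',
}
# Policy values malware sets to 1 to lock the user out of the usual tools.
POLICIES = {
    'DisableTaskMgr': r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'DisableRegistryTools': r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'DisableCMD': r'HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System',
}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', lambda m: m.group(1), s)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax needed here: keys, string and dword values."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                current[name] = _unescape(data[1:-1])
            elif data.lower().startswith('dword:'):
                current[name] = int(data[6:], 16)
            else:
                current[name] = data   # hex:/expandable strings are kept raw
    return keys


def _lookup(keys, path, name):
    # Registry key and value names are case-insensitive.
    for k, vals in keys.items():
        if k.lower() == path.lower():
            for n, d in vals.items():
                if n.lower() == name.lower():
                    return d
    return None


def audit(keys) -> List[Tuple[str, str, object]]:
    """Flag non-default open commands and lock-out policies present in the export."""
    findings = []
    for ext, path in ASSOC_KEYS.items():
        cmd = _lookup(keys, path, '')
        if isinstance(cmd, str) and cmd.strip() != DEFAULT_OPEN:
            findings.append(('assoc', ext, cmd))   # something else runs before the real file
    for name, path in POLICIES.items():
        if _lookup(keys, path, name) == 1:
            findings.append(('policy', name, 1))
    return findings


def repair_reg(findings) -> str:
    """Build a .reg file that restores the default commands and deletes the policy values."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for kind, ident, _ in findings:
        if kind == 'assoc':
            lines += ['[' + ASSOC_KEYS[ident] + ']', '@="\\"%1\\" %*"', '']
        else:
            lines += ['[' + POLICIES[ident] + ']', '"' + ident + '"=-', '']   # "=-" deletes the value
    return '\n'.join(lines)


if __name__ == '__main__':
    found = audit(parse_reg(SAMPLE_REG))
    for f in found:
        print(f)
    print(repair_reg(found))
```

HKEY_CLASSES_ROOT is a merged view in which HKEY_CURRENT_USER\Software\Classes takes precedence over HKEY_LOCAL_MACHINE\Software\Classes, so a per-user hijack under HKCU\Software\Classes\exefile survives a fix applied only to the HKLM side; export and audit both. The `.reg` produced here is the same kind of change RKill makes, so apply it only after the hijacking process is no longer running, for the reason the post gives.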

ComboFix 13-10-08.01 - Çördük 09.10.2013  10:28:47.1.2 - x64

Microsoft Windows 8 Pro  6.2.9200.0.1254.90.1033.18.4090.3029 [GMT 3:00]

Running from: c:\users\Çördük\Downloads\ComboFix.exe

AV: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))



c:\users\Çördük\AppData\Local\Google\Chrome\User Data\Default\Preferences






(((((((((((((((((((((((((   Files Created from 2013-09-09 to 2013-10-09  )))))))))))))))))))))))))))))))



2013-10-09 07:36 . 2013-10-09 07:36 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp

2013-10-09 07:36 . 2013-10-09 07:36 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-10-09 07:13 . 2013-10-09 07:13 -------- d-----w- c:\users\Çördük\AppData\Roaming\GetRightToGo

2013-10-09 07:06 . 2013-06-11 17:08 9552976 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{25F2F7D1-1B40-4F76-917E-08116E9CC2B0}\mpengine.dll

2013-10-09 07:01 . 2013-10-09 07:01 -------- d-----w- c:\users\Çördük\AppData\Roaming\Malwarebytes

2013-10-09 07:01 . 2013-10-09 07:01 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-10-09 07:01 . 2013-10-09 07:01 -------- d-----w- c:\programdata\Malwarebytes

2013-10-09 07:01 . 2013-04-04 11:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-10-08 08:17 . 2013-10-08 08:17 -------- d-----w- c:\program files\CCleaner

2013-10-06 15:09 . 2013-10-06 15:09 -------- d-----w- c:\users\Çördük\AppData\Roaming\TeamViewer

2013-10-03 18:28 . 2013-10-03 18:28 290480 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10219.bin

2013-10-03 18:12 . 2013-10-03 18:12 -------- d-----w- c:\program files (x86)\Common Files\logishrd

2013-10-03 18:11 . 2013-10-03 18:12 -------- d-----w- c:\program files\Common Files\logishrd

2013-10-03 18:11 . 2013-10-06 18:57 -------- d-----w- c:\programdata\PRICache

2013-10-01 17:33 . 2013-10-01 17:48 -------- d--h--w- c:\windows\AxInstSV

2013-09-30 16:35 . 2013-09-30 16:35 -------- d-----w- c:\programdata\ATI

2013-09-30 16:35 . 2013-09-30 16:35 -------- d-----w- c:\programdata\IObit

2013-09-29 18:30 . 2013-09-29 21:37 -------- d-----w- c:\users\Çördük\AppData\Roaming\RIFT

2013-09-29 18:30 . 2013-10-04 21:03 -------- d-----w- c:\program files (x86)\RIFT

2013-09-29 01:04 . 2013-09-29 01:04 -------- d-----w- c:\users\Çördük\AppData\Local\Overwolf

2013-09-29 00:45 . 2013-10-04 21:05 -------- d-----w- c:\program files (x86)\Runes of Magic

2013-09-28 11:21 . 2013-09-29 08:38 -------- d-----w- c:\users\Çördük\AppData\Roaming\Nico Mak Computing

2013-09-28 11:21 . 2013-02-13 08:07 19840 ----a-w- c:\windows\system32\roboot64.exe

2013-09-27 13:44 . 2013-09-27 13:44 -------- d-----w- c:\users\RDK~3

2013-09-21 17:02 . 2013-09-21 17:32 -------- d-----w- c:\users\Çördük\AppData\Roaming\PhotoScape

2013-09-21 17:02 . 2013-09-21 17:02 -------- d-----w- c:\program files (x86)\PhotoScape

2013-09-21 17:02 . 2013-09-21 17:02 -------- d-----w- c:\users\Çördük\AppData\Roaming\EasyPhotoEffects

2013-09-15 15:52 . 2005-09-29 13:27 23936 ----a-w- c:\windows\SysWow64\drivers\usbcamd2.sys

2013-09-15 14:49 . 2006-08-01 13:35 1558656 ----a-w- c:\windows\system32\drivers\usbVM303.sys

2013-09-15 14:49 . 2005-04-30 15:46 81920 ----a-w- c:\windows\system32\VM303STI.dll

2013-09-15 12:18 . 2013-10-08 08:42 -------- d-----w- c:\program files (x86)\Homepage

2013-09-15 09:03 . 2013-09-15 09:03 -------- d-----w- c:\users\Çördük\AppData\Local\Deployment

2013-09-15 09:03 . 2013-09-15 09:03 -------- d-----w- c:\users\Çördük\AppData\Local\Apps

2013-09-13 17:20 . 2013-09-13 17:20 -------- d-----w- c:\users\Çördük\AppData\Local\Alpemix

2013-09-11 19:21 . 2013-09-11 19:21 -------- d-----w- c:\program files (x86)\MAXKO




((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))


2013-07-31 06:01 . 2013-07-31 06:01 2560 ----a-w- c:\windows\_MSRSTRT.EXE



(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown 



[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]



2013-07-08 16:37 222832 ----a-w- c:\users\Çördük\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\SkyDriveShell.dll


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]



2013-07-08 16:37 222832 ----a-w- c:\users\Çördük\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\SkyDriveShell.dll


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]



2013-07-08 16:37 222832 ----a-w- c:\users\Çördük\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\SkyDriveShell.dll


c:\programdata\Microsoft\Windows\Start Menu\Programs\StartUp\AutorunsDisabled\

DSLMON.lnk - c:\program files (x86)\Analog Devices\Minton ADSL USB MODEM\dslmon.exe [2013-6-19 929889]

ShortKeys 3.lnk - c:\program files (x86)\ShortKeys 3\shortkey.exe [2013-7-31 4341416]



"EnableUIADesktopToggle"= 0 (0x0)

"EnableCursorSuppression"= 1 (0x1)

"ConsentPromptBehaviorUser"= 3 (0x3)

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)


R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

R3 1394hub;1394 Enabled Hub;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]

R3 amdkmafd;AMD Audio Bus Lower Filter;c:\windows\System32\drivers\amdkmafd.sys;c:\windows\SYSNATIVE\drivers\amdkmafd.sys [x]

R3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2x64.sys;c:\windows\SYSNATIVE\DRIVERS\Amps2x64.sys [x]

R3 DFX11_1;DFX Audio Enhancer 11.1;c:\windows\system32\drivers\dfx11_1x64.sys;c:\windows\SYSNATIVE\drivers\dfx11_1x64.sys [x]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

R3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys;c:\windows\SYSNATIVE\DRIVERS\taphss6.sys [x]

R4 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]

R4 andnetadb;ADB Interface DriverNet;c:\windows\System32\Drivers\lgandnetadb.sys;c:\windows\SYSNATIVE\Drivers\lgandnetadb.sys [x]

R4 AndNetDiag;LGE AndroidNet USB Serial Port;c:\windows\system32\DRIVERS\lgandnetdiag64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandnetdiag64.sys [x]

R4 ANDNetModem;LGE AndroidNet USB Modem;c:\windows\system32\DRIVERS\lgandnetmodem64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandnetmodem64.sys [x]

R4 andnetndis;LGE AndroidNet NDIS Ethernet Adapter;c:\windows\system32\DRIVERS\lgandnetndis64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandnetndis64.sys [x]

R4 AODDriver4.2;AODDriver4.2;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]

R4 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\System32\drivers\dtsoftbus01.sys;c:\windows\SYSNATIVE\drivers\dtsoftbus01.sys [x]

R4 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]

R4 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [x]

R4 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]

S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys;c:\windows\SYSNATIVE\DRIVERS\idmwfp.sys [x]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW86.sys;c:\windows\SYSNATIVE\drivers\AtihdW86.sys [x]

S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]

S3 LVUVC64;@oem50.inf,%PID_081B_DD%(UVC);Logitech HD Webcam C310(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]

S3 RTL8168;Realtek 8168 NT Sürücüsü;c:\windows\system32\DRIVERS\Rt630x64.sys;c:\windows\SYSNATIVE\DRIVERS\Rt630x64.sys [x]



[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

apphost REG_MULTI_SZ   apphostsvc

iissvcs REG_MULTI_SZ   w3svc was


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\AutorunsDisabled\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-10-05 16:02 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe


Contents of the 'Scheduled Tasks' folder


2013-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-14 02:23]


2013-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-14 02:23]



--------- X64 Entries -----------



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]



2013-07-08 16:37 261744 ----a-w- c:\users\Çördük\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64\SkyDriveShell64.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]



2013-07-08 16:37 261744 ----a-w- c:\users\Çördük\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64\SkyDriveShell64.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]



2013-07-08 16:37 261744 ----a-w- c:\users\Çördük\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64\SkyDriveShell64.dll





2013-06-27 13:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll





2013-06-27 13:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll





2013-06-27 13:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll





2013-06-27 13:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll





2013-06-27 13:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll



"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-05-29 6545552]


------- Supplementary Scan -------


uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

IE: Bütün linkleri IDM ile indir - c:\program files (x86)\Internet Download Manager\IEGetAll.htm

IE: IDM ile indir - c:\program files (x86)\Internet Download Manager\IEExt.htm

IE: Microsoft Excel'e &Ver - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: OneNote'a G&önder - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

LSP: c:\users\c7,f6,rdfc,k\AppData\Roaming\Fast Hide IP\FastHideIP\FastIPLib.dll

Trusted Zone: aeriagames.com

TCP: DhcpNameServer =

TCP: Interfaces\{1F64AECC-A8A9-4BE9-8675-E6F3B288FA76}: NameServer =,


- - - - ORPHANS REMOVED - - - -


Toolbar-{91397D20-1446-11D4-8AF4-0040CA1127B6} - c:\program files (x86)\Yandex\Elements\bartab.dll

Toolbar-{CA9B9C89-4662-4ADC-9C23-A452BECD5D19} - (no file)

Wow6432Node-HKCU-Run-AdobeBridge - (no file)

WebBrowser-{91397D20-1446-11D4-8AF4-0040CA1127B6} - (no file)

ShellIconOverlayIdentifiers-{CDC95B92-E27C-4745-A8C5-64A52A78855D} - c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll

AddRemove-Cheat Engine 6.1_is1 - c:\program files (x86)\Cheat Engine 6.1\unins000.exe

AddRemove-Collective Thief: DS Texture Pack by John P. 1.03 - c:\program files (x86)\Thief - Deadly Shadows\Collective Texture Pack Uninstaller.exe

AddRemove-Internet Download Manager - c:\program files (x86)\Internet Download Manager\Uninstall.exe

AddRemove-Nokia PC Suite - c:\programdata\Installations\{866C4563-ED53-43F3-A29D-8BEE2BD1BA3C}\Nokia_PC_Suite_ALL.exe

AddRemove-Scribblenauts Unlimited_is1 - e:\oyun\Scribblenauts Unlimited\unins000.exe

AddRemove-SpeakyChat - c:\users\Çördük\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SpeakyChat\uninstall.exe

AddRemove-{11EF25D3-21AF-88EC-FDA9-57641E53AF38} - c:\progra~3\INSTAL~2\{E6B8C~1\Setup.exe

AddRemove-{7B890804-B58C-47C2-A529-FDAEA06A2AF2} - c:\progra~3\INSTAL~2\{7B890~1\Setup.exe

AddRemove-{956E927E-B566-AA83-852B-F95FB51BD025} - c:\progra~3\INSTAL~2\{BE5BD~1\Setup.exe

AddRemove-{A2F166A0-F031-4E27-A057-C69733219436}_is1 - c:\games\RaiderZ\unins000.exe

AddRemove-{A98A4A7E-8F97-E66E-83B3-B81C250AC724} - c:\progra~3\INSTAL~2\{F8C3B~1\Setup.exe

AddRemove-{DCDA9518-78EC-8C83-CCCE-A75C3F447185} - c:\progra~3\INSTAL~2\{CFDE5~1\Setup.exe







--------------------- LOCKED REGISTRY KEYS ---------------------


[HKEY_USERS\S-1-5-21-2914279751-1493668412-170166720-1001CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\SecuROM\License information*]






@Denied: (Full) (Everyone)

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (S-1-15-2-1)







@Denied: (Full) (Everyone)

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (S-1-15-2-1)







@Denied: (Full) (Everyone)

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (S-1-15-2-1)





@Denied: (Full) (Everyone)




[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)



[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]


"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"



@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)




@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)




@Denied: (Full) (Everyone)

@SACL=(02 0000)


Completion time: 2013-10-09  10:40:02

ComboFix-quarantined-files.txt  2013-10-09 07:40


Pre-Run: 67.816.816.640 bytes free

Post-Run: 67.190.480.896 bytes free


- - End Of File - - 0A71DBA536852AFFA24367FBC2D5E911

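A few entries in the ComboFix log above carry more weight than the file listings around them: the UAC values (`ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` both 0), `LoadAppInit_DLLs` set to 1, the Winsock `LSP:` line pointing into the user's roaming profile, and the Internet Explorer `Trusted Zone:` entry. The script below is an added example, not ComboFix's code and not part of the thread; it pulls those lines out of ComboFix-style log text and returns finding identifiers a triager can act on. The sample lines are copied from the log above (the LSP path is as ComboFix printed it); the regular expressions assume ComboFix's `"Name"= 3 (0x3)` value layout.

```python
import re
from typing import Dict, List

# Lines copied from the "Reg Loading Points" and "Supplementary Scan" sections of
# the ComboFix log posted above.
SAMPLE_LOG = r'''
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
LSP: c:\users\c7,f6,rdfc,k\AppData\Roaming\Fast Hide IP\FastHideIP\FastIPLib.dll
Trusted Zone: aeriagames.com
'''

# ComboFix prints DWORD values as   "Name"= 3 (0x3)   (decimal, then hex).
VALUE_RE = re.compile(r'^"(?P<name>[A-Za-z0-9_]+)"\s*=\s*(?P<val>\d+)\s*\(0x[0-9A-Fa-f]+\)')
LSP_RE = re.compile(r'^LSP:\s*(?P<path>.+?)\s*$')
ZONE_RE = re.compile(r'^Trusted Zone:\s*(?P<host>\S+)')

# Locations a user (or malware running as that user) can write to.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\')


def parse_values(log: str) -> Dict[str, int]:
    """Collect "Name"= value pairs from ComboFix-style log text."""
    values: Dict[str, int] = {}
    for line in log.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group('name')] = int(m.group('val'))
    return values


def audit_combofix(log: str) -> List[str]:
    """Return identifiers for the risky settings found in the log text."""
    findings: List[str] = []
    v = parse_values(log)
    # 0 = "Elevate without prompting": any code running in an administrator's
    # session gets a full-admin token with no consent dialog at all.
    if v.get('ConsentPromptBehaviorAdmin') == 0:
        findings.append('uac-admin-silent-elevation')
    # 0 = prompts (when there are any) appear on the interactive desktop, where
    # other user-mode code can overlay or drive them, not on the secure desktop.
    if v.get('PromptOnSecureDesktop') == 0:
        findings.append('uac-prompt-not-on-secure-desktop')
    # 1 = DLLs listed in AppInit_DLLs are loaded into every process that loads
    # user32.dll: a long-standing injection and persistence point.
    if v.get('LoadAppInit_DLLs') == 1:
        findings.append('appinit-dlls-enabled')
    for line in log.splitlines():
        line = line.strip()
        m = LSP_RE.match(line)
        if m:
            # A Winsock Layered Service Provider sits in the socket path of every
            # process; one loaded from a user-writable folder needs a close look.
            path = m.group('path').lower()
            writable = any(w in path for w in USER_WRITABLE)
            findings.append('lsp-in-user-writable-path' if writable else 'lsp-present')
        m = ZONE_RE.match(line)
        if m:
            # Trusted-zone sites get Internet Explorer's most permissive settings.
            findings.append('ie-trusted-zone:' + m.group('host').lower())
    return findings


if __name__ == '__main__':
    for finding in audit_combofix(SAMPLE_LOG):
        print(finding)
```

The two UAC values at 0 together are what the lowest position of the UAC slider writes, so they may be the user's own choice rather than something a sample set, but the effect is the same: any process in that administrator session can elevate silently, which is worth raising with the user before declaring the machine clean. On Windows 8 the AppInit_DLLs mechanism is disabled when Secure Boot is on, so whether `appinit-dlls-enabled` matters on the Windows 8 Pro machine in this log depends on how it boots; on a BIOS-booted system the value is live. The LSP here belongs to an IP-hiding tool the user evidently installed, but an LSP in a roaming profile still deserves a look because anything in that folder can be replaced by code running as that user.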

Rkill 2.6.1 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:

Program started at: 10/09/2013 11:34:53 AM in x64 mode.
Windows Version: Windows 8 Pro

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * HdAudAddService [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:       localhost

Program finished at: 10/09/2013 11:35:01 AM
Execution time: 0 hours(s), 0 minute(s), and 8 seconds(s)

ERUNT - The Emergency Recovery Utility NT

Registry Backup and Restore for Windows NT/2000/2003/XP

v1.1j, 10/20/2005, Freeware
Written by Lars Hederer
e-mail: lars.hederer@t-online.de

Look for the latest version here:

To find out what's new in this version, please see the "Version
history" section later in this file.


With the invention of Windows 95 Microsoft made the wise decision to
organize all computer- and application-specific data which was spread
over countless INI files before in a centralized Windows database,
called the system "registry". The registry is one of the most
important parts in every Windows system today, without which the OS
would not even boot. And since the registry is quite sensitive to
corruption, it is very advisable to backup its according files from
time to time.

In MS-DOS based Windows versions (95, 98, Me) the registry consists of
the files SYSTEM.DAT and USER.DAT (and CLASSES.DAT in Windows Me). To
backup these files, one can easily go to the Windows folder in
Explorer and copy the files to a safe location, for example another
folder on the hard disk. Microsoft even supplies a utility called ERU
which can be used to backup these and a few other critical system
files to a safe location.

Also, Windows 9x/Me automatically create backups of the registry at
startup, with Windows 95 always backing up the registry from the
previous Windows session, and Windows 98/Me maintaining up to five
registry copies from the last five days where Windows was running.

Unfortunately, this is not the case with Windows versions based on the
NT kernel. In Windows NT and 2000, the registry is never backed up
automatically, and in XP it is backed up only as part of the bloated
and resource hogging System Restore program which cannot even be used
for a "restore" should a corrupted registry prevent Windows from
booting. It has also become impossible to copy the necessary files,
now called "hives" and usually named DEFAULT, SAM, SECURITY, SOFTWARE,
SYSTEM in the SYSTEM32\CONFIG folder, to another location because they
are all in use by the OS. And though the registry in an NT-based
Windows is less likely to become corrupted than in other versions, it
can still happen, and for these cases NT is simply missing an option
for easy registry backup and restore as there is in Windows 9x/Me, to
get the system up and running again in no time.

In 2001, as Windows XP began to come pre-installed on many new home
user PCs and was likely to become the new Windows standard over the
next years, I decided to write a program which offers the ease-of-use
of Windows 9x/Me ERU by Microsoft (hence the name ERUNT) to backup the
registry, as well as providing an auto-backup capability, for example
at Windows startup.

Or, before installing a new program for testing purposes one could
save the registry with ERUNT, install and test the program, uninstall
it and restore the registry to be 100% sure that no debris is left.

Note: The "Export registry" function in Regedit is USELESS (!) for
making a complete backup of the registry. Neither does it export the
whole registry (for example, no information from the "SECURITY" hive
is saved), nor can the exported file be used later to replace the
current registry with the old one. Instead, if you re-import the file,
it is merged with the current registry without deleting anything that
has been added since the export, leaving you with an absolute mess of
old and new entries.


- Backup the Windows NT/2000/2003/XP registry to a folder of your

- System and current user registries selectable

- Command line switches for automated registry backup and restoration

- Restore the registry in Windows 9x/Me/NT/2000/2003/XP and MS-DOS
  (all-in-one restore program) or the Windows Recovery Console

- Included in this package:
  NTREGOPT program for optimizing the registry

- All programs in this package are completely localizable
  (translate them into your language), German version included


Supported operating systems

- Windows NT 3.51
- Windows NT 4.0
- Windows 2000
- Windows 2003
- Windows XP
- most likely, all future Windows versions based on the NT kernel

Additionally supported by the ERDNT restore program:

- Windows 95
- Windows 98
- Windows Me


Use the Setup program to install ERUNT on your computer.

Or, if you downloaded the zipped version: Unzip all files into a
folder of your choice, and if you want, create shortcuts on your
desktop to the ERUNT.EXE and NTREGOPT.EXE files.


Use "Add/Remove Programs" in Windows' control panel to remove ERUNT
from your computer.

Or, if you downloaded the zipped version: Delete the ERUNT folder,
delete the appropriate desktop icons.

(You may also want to delete all restore folders you have previously
created with the program.)


Backing up the registry with ERUNT

Note: To ensure proper operation of ERUNT, you should be logged in as
a system administrator.

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click "..." to browse your computer's drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Note that in the folder edit field, ERUNT by default appends a folder
named the current date to the restore folder, which allows you to keep
as many registry backups as you wish in the same restore folder,
separated into the different creation dates. This feature, as well as
the appearance of the date string, can be configured via the ERUNT.INI
file, described later in this document. If you want the registry backup
to be created directly in the folder you select, you can also simply
remove the date from the folder edit field before clicking "OK".

Next, select the backup options:

- System registry: The current system registry, usually consisting of

- Current user registry: The registry files for the currently logged-on
  user, usually NTUSER.DAT and USRCLASS.DAT.

- Other open user registries: Sometimes Windows has a few other user
  registries in memory. Examples for this are "generic" registries,
  e.g. for user "EVERYONE", or registries of other users if you use
  Fast Task Switching in Windows XP. Check this option to backup all
  these additional user registries (if found) as well.

Click "OK" and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

(Technical information: ERUNT saves only registry files which are in
use by the system. It obtains information about these files from
registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
hivelist. Registry hives not listed there, for example those
of other users of the computer, cannot be saved by ERUNT.)


ERUNT command line switches

ERUNT supports command line switches with which you can perform an
automated registry backup, without user interaction. The syntax for
the ERUNT command line is as follows:

ERUNT DestinationFolder [sysreg] [curuser] [otherusers]
[/noconfirmdelete] [/noprogresswindow]

DestinationFolder is required for command line operation of ERUNT,
all other switches are optional.

If you specify a destination folder on the command line, ERUNT
automatically runs in "silent" mode and with default backup options
(system and current user registry). No user interaction is required,
EXCEPT the confirmation of the restore folder deletion if it exists,
or any error messages. The confirmation question can be suppressed
by using /noconfirmdelete (see below).

Description of the command line switches:

  The name of the folder where the registry backup should be saved.

  You can use the strings #Date# and #Time# anywhere in the folder
  name to have ERUNT insert the current date/time at that position.
  Example: C:\WINDOWS\ERDNT\#Date#
  Windows' %SystemRoot% environment variable can be used on the
  command line as a substitute for the name of the Windows folder.
  Example: %SystemRoot%\ERDNT\#Date#

  Backup the system registry

  Backup the current user registry

  Backup other open user registries

(Note: If none of the three above options is given on the command
line, ERUNT automatically uses the default backup options, system
and current user registry.)

  Automatically deletes the contents of the destination folder if it
  exists, without asking the user. BE CAREFUL and only use this option
  if you are sure that the contents of that folder may really be

  Hides the progress window during backup.

So, to backup the system registry to folder C:\ERDNT each day of the
week using subfolders with the name of the current day you could use
the integrated scheduler in Windows to schedule seven different ERUNT
calls for each day:

For Monday you would use the command line
  C:\ERUNT\ERUNT.EXE C:\ERDNT\Monday sysreg /noconfirmdelete

For Tuesday you would use the command line
  C:\ERUNT\ERUNT.EXE C:\ERDNT\Tuesday sysreg /noconfirmdelete

... well, you get the idea.

Or, to have ERUNT automatically backup the registry on each Windows
startup to a folder named "ERDNT" inside the Windows folder, including
a folder named the current date, you could place a shortcut like the
following in your Start Menu/Programs/Startup folder:

  C:\ERUNT\ERUNT.EXE %SystemRoot%\ERDNT\#Date# /noconfirmdelete

If you want old restore folders created this way to be deleted
automatically from time to time, you can use AUTOBACK.EXE instead of
ERUNT.EXE. The AUTOBACK tool is described later in this document.
Also, ERUNT Setup offers the choice to add an AutoBackup shortcut to
the Startup folder automatically during the installation process.


The ERUNT.INI file

You can configure various ERUNT settings with this file, for example
change the default destination folder displayed in ERUNT's folder edit
field, or disable automatic appending of the current date there.

Use Notepad to create a file named ERUNT.INI in your ERUNT folder, and
add the following line:

Below this line, enter one or more of the following configuration

DefaultDestinationFolder
  The name of the default folder displayed in ERUNT's folder edit
  field. You may also use environment variables here, for example
  %SystemRoot% as a substitute for the name of the Windows folder.
  Default: %SystemRoot%\ERDNT

AppendDateToFolderEditField
  Enable or disable automatic appending of the current date to
  ERUNT's folder edit field.
  0=disable, 1=enable, default: 1

AppendTimeToFolderEditField
  Enable or disable automatic appending of the current time to
  ERUNT's folder edit field. This function can only be enabled in
  conjunction with AppendDateToFolderEditField also set to 1.
  0=disable, 1=enable, default: 0

  These settings configure the appearance of the date string in
  ERUNT's folder edit field, or when #Date# is used on the command
  line. By default, ERUNT uses Windows' regional settings for the
  short date format. Note that only "." and "-" are allowed as date

  These settings configure the appearance of the time string in
  ERUNT's folder edit field, or when #Time# is used on the command
  line. By default, ERUNT uses Windows' regional settings for the
  short time format. Note that only "." and "-" are allowed as time

  On supported operating systems (including Windows XP and Server
  2003) ERUNT by default uses a very fast backup algorithm. If you
  experience any problems during registry backup, you can try to
  disable this function and revert back to the conventional (but slow)
  method. This setting has no effect on unsupported operating systems,
  where the conventional algorithm is always used.
  0=fast method, 1=conventional method, default: 0


The command line tool AUTOBACK.EXE uses the same syntax as ERUNT but
performs the additional task of deleting old restore folders after the
new backup has been created.

For this to work properly, the name of the last folder in the command
line option DestinationFolder must begin with the current date, or the
#Date# string, respectively. If this is the case AUTOBACK
automatically searches the parent folder of the newly created backup
for folder names of the same date format and deletes all folders
except those from the last 30 days on which backups have been created.

The number of restore folders to keep can be changed using the /days:n
command line switch, e.g. /days:7 would only keep the folders from the
last 7 backup days.

By default AUTOBACK does not create a new backup if one already exists
for the current day. Use the /alwayscreate switch to change this
behavior and have the program always create a new backup.

AUTOBACK is dependent on ERUNT and therefore needs to be executed from
the same folder. It uses the same settings for the date format as
ERUNT does, so if you specified a new format in ERUNT.INI it will also
be used automatically by AUTOBACK.
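As an added illustration (not AUTOBACK's or ERUNT's own code), the script below models the retention rule described above: it expands #Date#/#Time# the way the command line does, then decides which date-named sibling folders an AUTOBACK run would remove under /days:n and /alwayscreate, and leaves every folder that does not begin with a date untouched. It assumes a day.month.year date layout and represents the restore folders as a list of names rather than a real directory.

```python
from datetime import date, datetime

# Assumed date layout (day.month.year, e.g. 10.10.2013).  The README only
# says "." and "-" are valid separators; the layout itself is an assumption
# of this illustration, as is the time layout below.
DATE_FORMAT = "%d.%m.%Y"
TIME_FORMAT = "%H.%M"
# All fields above are zero-padded, so every date string has the same
# width; that is what lets us test whether a folder name *begins* with one.
DATE_WIDTH = len(date(2000, 12, 31).strftime(DATE_FORMAT))


def expand_placeholders(template: str, now: datetime) -> str:
    """Substitute #Date# and #Time# in a destination folder the way the
    README describes for the ERUNT/AUTOBACK command line."""
    return (template.replace("#Date#", now.strftime(DATE_FORMAT))
                    .replace("#Time#", now.strftime(TIME_FORMAT)))


def parse_backup_date(folder_name: str):
    """Return the date a folder name begins with, or None when the name does
    not start with a DATE_FORMAT string (such folders are never touched)."""
    try:
        return datetime.strptime(folder_name[:DATE_WIDTH], DATE_FORMAT).date()
    except ValueError:
        return None


def plan_autoback(existing_folders, today: date, days_to_keep: int = 30,
                  always_create: bool = False):
    """Decide what one AUTOBACK run would do inside a parent folder.

    Returns (create_today, folders_to_delete):
      * create_today is False when a folder for today already exists and
        /alwayscreate was not given (AUTOBACK's default skip);
      * folders_to_delete lists every date-named sibling that is not among
        the newest `days_to_keep` backup *days* (the /days:n rule counts
        days on which backups exist, not calendar days elapsed);
      * names that do not begin with a date are never deletion candidates.
    """
    if days_to_keep < 1:
        raise ValueError("days_to_keep must be at least 1")

    dated = {}
    for name in existing_folders:
        backup_day = parse_backup_date(name)
        if backup_day is not None:
            dated.setdefault(backup_day, []).append(name)

    create_today = always_create or today not in dated
    backup_days = set(dated)
    if create_today:
        backup_days.add(today)

    keep = set(sorted(backup_days)[-days_to_keep:])
    to_delete = [name for day, names in dated.items() if day not in keep
                 for name in names]
    return create_today, sorted(to_delete)


def demo(days_to_keep: int = 3, today_exists: bool = False,
         always_create: bool = False):
    """Run the rule over a constructed sample folder set (run day 10.10.2013)."""
    sample = ["01.09.2013", "15.09.2013", "20.09.2013", "09.10.2013",
              "Monday", "ERDNT"]          # two names carry no date at all
    if today_exists:
        sample.append("10.10.2013 10.57")  # date followed by a #Time# part
    return plan_autoback(sample, date(2013, 10, 10), days_to_keep,
                         always_create)


def demo_destination() -> str:
    """Expand a constructed command-line template for 10.10.2013 11:02."""
    return expand_placeholders(r"%SystemRoot%\ERDNT\#Date#_#Time#",
                               datetime(2013, 10, 10, 11, 2))


if __name__ == "__main__":
    print(demo_destination())
    print(demo())                      # create today, prune the two oldest
    print(demo(today_exists=True))     # skip creation, still prune
```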




Restoring the registry with ERDNT

Situation: Windows is running normally.

To restore a previous registry backup, open Windows Explorer, navigate
to the folder where you saved the backup to, and double-click the
ERDNT.EXE file to start the restoration program. (Each restore folder
has its own copy of ERDNT.EXE in it.) Select which registry components
to restore, then click "OK" to start restoration. When the process is
complete, click "OK" to restart the computer and activate the restored

Note: If you experience any problems restoring the registry, please
read "ERDNT technical information" later in this document to learn
what ERDNT is actually doing during the process, or simply read on
through the following emergency scenarios for other ways of restoring
the registry.


What to do if Windows does not boot anymore?

If Windows refuses to boot normally it can be for a variety of
reasons, not the least of which is that the registry is damaged, or
you installed a program or driver which is somewhat incompatible with
the system or buggy, in which case restoring a registry backup from a
point where everything was running smoothly should also help.

The first thing to try is to reboot and press the F8 key immediately
before the first Windows screen appears, then select the "Last Known
Good" option from the menu and see if Windows boots up with this
option. If it does, you're all set.

If it does not, reboot again with F8, and select the option "Safe
Mode". If Windows boots up in safe mode, you can restore a registry
backup just as you would in normal mode, as described above.

If safe mode also fails, read on...




Restoring the registry with ERDNT - Emergency Scenario I

Situation: Windows fails to boot up in normal and safe mode, but you
have a DOS boot disk or another (working) operating system installed
on your PC which is supported by the ERDNT restoration program, and
from which you have full access to the drive(s) containing the corrupt
Windows installation and the registry backup.

Boot up to the working OS, and open the folder containing the registry
backup you want to restore.

If the drive letters are different from what they were in the Windows
where you created the registry backup, you need to edit the ERDNT.INF
file now to reflect the new drive letters, before trying to restore
the registry backup. For example, if the drive with the corrupt
Windows installation is now available as D: instead of C:, then you
would change all C:\... references in the INF file to D:\... . Editing
the file can be done in Windows with the Notepad program, and in DOS
with the EDIT command.

Now run the ERDNT.EXE file to start the restoration program. Select
which registry components to restore (just the system registry will do
in most cases), then start restoration. When the process is complete,
reboot the computer and check if the other Windows installation is
repaired now.




Restoring the registry with ERDNT - Emergency Scenario II

Situation: Windows fails to boot up in normal and safe mode, and you
have no other working operating system installed on your PC.

The following two rescue methods require that your PC is configured so
that it can boot from CD. See your BIOS documentation for more

1. Bart's PE Builder
Use another computer with Internet access and CD burning capabilities
to download this free program from the Internet (do a Google search
for it), which will create a bootable Windows CD with full access to
all drives (including NTFS). Boot from this CD, open the File
Management Utility and follow the directions in "Emergency Scenario I"
to run ERDNT and restore the registry.

2. The Windows Recovery Console (Windows 2000 and higher)
Note that you can use this method only if you saved the registry
backup inside the Windows folder, and that using this procedure only
the system registry is restored. This should however get you back into
Windows, from where you can run the ERDNT program to restore user
registries, if necessary.
- Boot your system from the Windows 2000/2003/XP CD-ROM.
- At the welcome screen, press "R" (Windows 2000: "R" then "C").
- Type in the number of the Windows installation you want to repair
  (usually 1), then press ENTER.
- Type in the Administrator password (leave blank if you are unsure
  what it is) and press ENTER.
- At the command prompt type
    cd erdnt
  or whatever you named your restore folder, then press ENTER.
- If you enabled automatic registry backup on system boot during ERUNT
  installation and want to restore one of these backups, type
    cd autobackup <ENTER>
- If you created subfolders for different registry backups (for
  example, with the different creation dates), type
    dir <ENTER>
  to see a list of available folders, then type
    cd foldername <ENTER>
  where foldername is the name of a folder listed by the dir command,
  to open that folder.
- Now type
    batch erdnt.con <ENTER>
  to restore the system registry from that folder.
- Type
    exit <ENTER>
  and remove the CD from the CD-ROM drive. The system will now reboot
  with the restored registry.




ERDNT technical information

ERDNT knows two restoration modes. The right mode is usually
auto-detected each time ERDNT is run, but read on if you are
experiencing problems restoring the registry.

"NT" mode is used if you run the ERDNT program from within the same
system where you made the backup. This is determined by looking at the
[systemRoot] entry in the ERDNT.INF file and comparing it to the
actual %SystemRoot% environment variable. Using "NT" mode is the only
way to successfully restore the active registry of the currently
running OS.

"File copy" mode is used if the currently running OS is NOT NT-based,
or if the [systemRoot] entry does not match the %SystemRoot%
environment variable. In this mode the backed up registry files are
simply copied back to their original location.

MS-DOS based ERDNT only supports "File copy" mode.

Note: In restoration mode "NT" backups of the current registry files
are automatically created, so that option is grayed out. In
restoration mode "File copy" all saved user registries are
automatically restored, so you cannot choose between "current user"
and "other user" registries.

The backups of the current registry files are placed in the same
location as the original and are given the extension ".bak".

Experienced users don't even need to use the ERDNT program in other
operating systems to restore a registry backup. Given access to the
appropriate files and folders, the backed up files can simply be
copied back to their original location, as that is all ERDNT does
in "File copy" mode anyway. Have a look at the ERDNT.INF file to
find out what the original file locations are.




ERDNT command line switches

The ERDNT program also supports command line switches for "silent"
operation. The syntax for the ERDNT command line is:

ERDNT silent [sysreg] [curuser] [otherusers]
[/mode:nt|filecopy] [/nobackup] [/noprogresswindow] [/reboot]

(Switches in brackets are optional.)

Description of the command line switches:

silent
  Puts ERDNT into "silent" mode and enables all other switches.

sysreg
  Restore the system registry

curuser *
  Restore the current user registry
  (This option is ignored in "File copy" restoration mode.)

otherusers
  Restore other saved user registries

(Note: If none of the three above options is given on the command
line, ERDNT automatically uses the default restoration options, system
and current user registry.)

/mode:nt or /mode:filecopy *
  Disables automatic detection of the correct restoration mode and
  uses mode "NT" or "File copy" instead.

/nobackup
  Don't make backups of the current registry files during restoration.
  (This switch is ignored in "NT" restoration mode.)

/noprogresswindow
  Hides the progress window during restoration.

/reboot *
  Automatically reboots the computer when restoration of the registry
  is complete.

* = Not supported in the DOS version of ERDNT.




Optimizing the registry with NTREGOPT

Similar to Windows 9x/Me, the registry files in an NT-based system
can become fragmented over time, occupying more space on your hard
disk than necessary and decreasing overall performance. You should
use the NTREGOPT utility regularly, but especially after installing
or uninstalling a program, to minimize the size of the registry files
and optimize registry access.

The program works by recreating each registry hive "from scratch",
thus removing any slack space that may be left from previously
modified or deleted keys.

Note that the program does NOT change the contents of the registry in
any way, nor does it physically defrag the registry files on the drive
(as the PageDefrag program from SysInternals does). The optimization
done by NTREGOPT is simply compacting the registry hives to the
minimum size possible.

To optimize your registry, simply run NTREGOPT, click "OK", and when
the process is complete click "OK" to reboot the computer. You should
do so immediately because any changes made to the registry after
NTREGOPT has been run are lost after the reboot.




NTREGOPT command line switches

The syntax for the NTREGOPT command line is:

NTREGOPT silent [/noprogresswindow] [/reboot]

(Switches in brackets are optional.)

Description of the command line switches:

silent
  Puts NTREGOPT into "silent" mode and enables the other switches.

/noprogresswindow
  Hides the progress window during optimization.

/reboot
  Automatically reboots the computer when optimization of the registry
  is complete.




Known problems

ERUNT and NTREGOPT sometimes fail with error 1450 - "Insufficient
system resources exist to complete the requested service" - when
trying to save a registry hive. I have not yet been able to reproduce
this error on any PC, and reports from affected users indicate that it
also pops up when trying to back up the critical hive using
Microsoft's REGBACK program. This makes it unlikely that there is
anything I can do on my (the programmer's) side. Some users reported
however that they were able to work around the problem by running
ERUNT/NTREGOPT in Windows' safe mode, and in one case uninstalling a
Symantec software suite solved it permanently. One user reported that
increasing the "IRPStackSize" value as described in Microsoft
Knowledge Base article 177078 fixed the problem on his system.

When the system is rebooted after a restoration of the registry with
ERDNT or optimization with NTREGOPT, Windows Server 2003 will by
default display the shutdown event tracker during logon asking why the
system has been shut down unexpectedly. This is because the info that
the shutdown was in fact an expected one is written to the "old"
registry during shutdown of the system which is replaced by the
restored/optimized registry next time the system is booted, and
therefore the shutdown info is discarded and the shutdown event tracker
thinks the system crashed. You may want to disable the tracker to
avoid this message in the future (see the Windows help for information
on how to do this).

If you experience any other problems, please email me at
lars.hederer@t-online.de with a detailed description and I will see if
I can help you.







You can translate all programs from this package into your language by
editing the appropriate .LOC file.

Keep in mind that the LOC files of the three Windows programs (ERUNT,
ERDNTWIN, NTREGOPT) should be edited using a Windows based editor
(Notepad), and ERDNTDOS.LOC using an MS-DOS based editor (EDIT.COM).
This is to ensure that any OEM characters are displayed correctly in
the program.

If your language is not yet present on my homepage and you want your
localization to be available to the general public, you are welcome to
send the four translated files to me. I will then make them available
for download, with credits of course.

I have included a German language pack. If you want to use the program
in German, simply unzip LOC_GER.ZIP into your ERUNT folder.




Version history

v1.1j, 10/20/2005
- Fixed compatibility issues with 64-bit Windows (many thanks to
  Ian Smith and Hajo for all testing)
- Enhanced error messages
- AutoBackup now supports all date formats
- ERUNT.INI: "TimeSeparator" fixed; "DefaultDestinationFolder" now
  supports all environment variables (previously only %SystemRoot%
  could be used)
- ERDNT now displays the source Windows folder in addition to the
  backup's creation date

v1.1i, 08/17/2005
- AutoBackup: Improved support for complex date formats
- NTREGOPT: Optimization results are now calculated correctly when
  optimization failed on one or more hives

v1.1h, 03/06/2005
- Updated homepage address
- New ERUNT.INI option: AppendTimeToFolderEditField
- Fixed a problem where the current user registry could not be
  identified on some systems
- Changed behavior of AutoBackup's /days:n switch

v1.1g, 11/02/2004
- ERUNT is now MUCH faster on Windows XP and Server 2003
- Added time string support on the command line
- AutoBackup now by default skips creating a backup for the current
  day if one already exists

v1.1f, 08/26/2004
- Added AUTOBACK.EXE command line tool for automated registry backup
  and deletion of old restore folders created prior to a specific
  number of days
- Window position is now screen center instead of desktop center,
  fixing display problem when using multiple monitors (thanks John :)

v1.1e, 07/31/2004
- Appearance of the date string can be configured via ERUNT.INI
- NTREGOPT: Optimization results: use thousand separator

v1.1d, 07/07/2004
- Optimized error handling
- Combined DOS and Windows ERDNT into a single Win32 executable,
  fixing problems with the previous 16-bit exe stub on some systems
  and with BartPE
- Added Windows Recovery Console support with ERDNT batch file
- Default destination folder can now be configured via file ERUNT.INI,
  replacing #DestinationFolder command line option
- Changed the default destination folder to be inside the Windows
  folder, for easy recovery console access
- New folder named the current date is automatically appended to
  destination folder (can be disabled in ERUNT.INI)
- Rewrote major parts of the documentation

v1.1c, 05/10/2004
- Fixed problems with dynamic disks
- Added browse function for destination folder, as well as the option
  to change the default name (use #DestinationFolder on the command
- Re-added support for Windows NT 3.51 (got lost with v1.1) except
  browse function

v1.1b, 04/23/2004
- ERUNT and NTREGOPT are now compatible with Windows Server 2003 and
  Windows XP Service Pack 2
- Fixed a problem where the registry hives could not be
  saved/restored/optimized on some systems
- Changed naming convention for user subfolders in the ERDNT folder

v1.1a, 10/03/2002
- Fixed a problem where the registry hives could not be
  saved/restored/optimized on some systems

v1.1, 09/25/2002
- Fixed "Invalid pointer operation" message which occurred on some
  systems (many thanks to Russ Cordner for his assistance in isolating
  the problem)
- Fixed "Error opening localization file" message when ERUNT.EXE was
  called from outside the ERUNT folder
- Fixed some problems with UNC path names
- Added command line support for ERDNT and NTREGOPT
- NTREGOPT: show optimization results (initial and new registry size)

v1.0, 11/24/2001
- Initial release







The ERUNT package (including the programs ERUNT, AUTOBACK, ERDNT and
NTREGOPT) is freeware. Please pass it to anyone who you think may find
it useful.

I explicitly allow this package to be included in any file archive,
CD-ROM or other media collection as well as usage in your own programs
provided that all files are kept and remain unchanged. A quick note
via e-mail where my program has been included is appreciated.


Though I chose to make my programs freeware so that no one is required
to pay for using them, I accept and appreciate donations. So, if you
find my programs helpful and want to support further development,
simply visit my homepage and click one of the "PayPal" buttons, or
donate directly to my e-mail address via PayPal. Thanks in advance!

If you live in Germany and want to make a donation, you may also
transfer money directly to my bank account. Contact me for more


Use this software at your own risk. I do not take responsibility for
anything that might happen to you or the PC upon use of my programs,
including but not limited to: registry destruction, hard disk crash,
heart attack...

Comments and suggestions via e-mail, however, are always welcome!



  • Root Admin

Please go ahead and run through the following steps and post back the logs when ready.

Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-click over JRT.exe and select Run as administrator on Windows Vista or Windows 7; double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed, make sure to re-enable your antivirus

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.


Please go here to run the online antivirus scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.



# AdwCleaner v3.007 - Report created 10/10/2013 at 11:02:29
# Updated 09/10/2013 by Xplode
# Operating System : Windows 8 Pro  (64 bits)
# Username : Çördük - CÖRDÜK
# Running from : C:\Users\Çördük\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\BetterSoft
Folder Deleted : C:\ProgramData\StarApp
Folder Deleted : C:\ProgramData\Saeayruch-NewTabo
Folder Deleted : C:\ProgramData\ssavEnshaoreu
Folder Deleted : C:\Program Files (x86)\Babylon
Folder Deleted : C:\Program Files (x86)\Movdap
Folder Deleted : C:\Program Files (x86)\Searchprotect
Folder Deleted : C:\Program Files (x86)\SimilarSites
Folder Deleted : C:\Program Files (x86)\Winamp Toolbar
Folder Deleted : C:\Users\Çördük\AppData\LocalLow\ssavEnshaoreu
Folder Deleted : C:\Users\Çördük\AppData\Roaming\SimilarSites
Folder Deleted : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\Extensions\ffxtlbr@babylon.com
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\searchplugins\Babylon.xml
File Deleted : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\searchplugins\conduit-search.xml
File Deleted : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\searchplugins\mixidj.xml
File Deleted : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\user.js
File Deleted : C:\Windows\System32\Tasks\Dealply

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [ocr@babylon.com]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BabylonHelper.EXE
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKCU\Software\d558ddbb33dbd10
Key Deleted : HKLM\SOFTWARE\d558ddbb33dbd10
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1561552
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\UpdateStar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Delta
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Winamp Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16453


-\\ Mozilla Firefox v

[ File : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\prefs.js ]

Line Deleted : user_pref("extensions.delta.admin", false);
Line Deleted : user_pref("extensions.delta.aflt", "orgnl");
Line Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Line Deleted : user_pref("extensions.delta.dfltLng", "tr");
Line Deleted : user_pref("extensions.delta.excTlbr", false);
Line Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Line Deleted : user_pref("extensions.delta.id", "fcc271aa000000000000d43d7e327b92");
Line Deleted : user_pref("extensions.delta.instlDay", "15927");
Line Deleted : user_pref("extensions.delta.instlRef", "sst");
Line Deleted : user_pref("extensions.delta.prdct", "delta");
Line Deleted : user_pref("extensions.delta.prtnrId", "delta");
Line Deleted : user_pref("extensions.delta.smplGrp", "none");
Line Deleted : user_pref("extensions.delta.tlbrId", "base");
Line Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Line Deleted : user_pref("extensions.delta.vrsn", "");
Line Deleted : user_pref("extensions.delta.vrsnTs", "");
Line Deleted : user_pref("extensions.delta.vrsni", "");
Line Deleted : user_pref("extensions.enabledAddons", "yasearch%40yandex.ru:7.4.2,vb%40yandex.ru:2.2.1,WebSiteRecommendation%40weliketheweb.com:1.0.6,plugin%40getwebcake.com:1.00.01,%7B972ce4c6-7e08-4474-a285-3208198[...]


-\\ Google Chrome v30.0.1599.69

[ File : C:\Users\Çördük\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [6737 octets] - [10/10/2013 10:57:50]
AdwCleaner[s0].txt - [6674 octets] - [10/10/2013 11:02:29]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [6734 octets] ##########
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.4 (10.06.2013:1)
OS: Windows 8 Pro x64
Ran by €”rdk on Per 10.10.2013 at 10:42:56,14


~~~ Services


~~~ Registry Values


~~~ Registry Keys

Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\AppID\babylonhelper.exe
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\anchorfree
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\delta
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\dsiteproducts
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\filescout
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonic
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\startsearch
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\winamp toolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2914279751-1493668412-170166720-1001\Software\SweetIM
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\delta
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\prod.cap
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\babylon_rasapi32

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\babylon_rasmancs

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\webcakedesktop_rasapi32

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\webcakedesktop_rasmancs

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\conduit

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\babylon_rasapi32

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\babylon_rasmancs

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\webcakedesktop_rasapi32

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\webcakedesktop_rasmancs

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT1561552

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Babylon_RASAPI32

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Babylon_RASMANCS

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\Babylon_RASAPI32

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\Babylon_RASMANCS

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}




~~~ Files




~~~ Folders


Failed to delete: [Folder] "C:\ProgramData\bettersoft"

Failed to delete: [Folder] "C:\ProgramData\starapp"

Successfully deleted: [Folder] "C:\Users\Çördük\AppData\Roaming\dsite"

Successfully deleted: [Folder] "C:\Users\Çördük\AppData\Roaming\movdap"

Successfully deleted: [Folder] "C:\Users\Çördük\AppData\Roaming\simplitec"

Successfully deleted: [Folder] "C:\Users\Çördük\appdata\local\conduit"

Successfully deleted: [Folder] "C:\Users\Çördük\appdata\local\searchprotect"

Successfully deleted: [Folder] "C:\Users\Çördük\appdata\locallow\conduit"

Failed to delete: [Folder] "C:\Program Files (x86)\babylon"

Failed to delete: [Folder] "C:\Program Files (x86)\movdap"

Failed to delete: [Folder] "C:\Program Files (x86)\searchprotect"

Failed to delete: [Folder] "C:\Program Files (x86)\winamp toolbar"

Successfully deleted: [Folder] "C:\Users\Çördük\AppData\Roaming\microsoft\windows\start menu\programs\dealply"

Failed to delete: [Folder] "C:\Windows\syswow64\ai_recyclebin"




~~~ Event Viewer Logs were cleared







Scan was completed on Per 10.10.2013 at 10:49:02,39

End of JRT log





Malwarebytes Anti-Rootkit BETA


© Malwarebytes Corporation 2011-2012


OS version: 6.2.9200 Windows 8 x64


Account is Administrative


Internet Explorer version: 10.0.9200.16466


File system is: NTFS


CPU speed: 3.000000 GHz

Memory total: 4288618496, free: 2656808960




------------ Kernel report ------------

     10/10/2013 09:58:04

------------ Loaded modules -----------


\??\C:\Program Files\Sandboxie\SbieDrv.sys

----------- End -----------



Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa8004bb15b0

Upper Device Driver Name: \Driver\disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa8004a69060

Lower Device Driver Name: \Driver\atapi\


Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa8004bb15b0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8004ba1040, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8004bb15b0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\

DevicePointer: 0xfffffa8004a4f510, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8004a69060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\

------------ End ----------

Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\

Upper DeviceData: 0x0, 0x0, 0x0

Lower DeviceData: 0x0, 0x0, 0x0


Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes



Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...



Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes


Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

This drive is a GPT Drive.

MBR Signature: 55AA

Disk Signature: 7DCF768A


GPT Protective MBR Partition information:


    Partition 0 type is EFI-GPT (0xee)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 1  Numsec = 4294967295


    Partition 1 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0


    Partition 2 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0


    Partition 3 type is Empty (0x0)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 0  Numsec = 0


GPT Partition information:


    GPT Header Signature 4546492050415254

    GPT Header Revision 65536 Size 92 CRC 3343807738

    GPT Header CurrentLba = 1 BackupLba 976773167

    GPT Header FirstUsableLba 34  LastUsableLba 976773134

    GPT Header Guid f690a2f0-f528-4723-82fb-b2e1304bd0f5

    GPT Header Contains 128 partition entries starting at LBA 2

    GPT Header Partition entry size = 128


    Backup GPT header Signature 4546492050415254

    Backup GPT header Revision 65536 Size 92 CRC 3343807738

    Backup GPT header CurrentLba = 976773167 BackupLba 1

    Backup GPT header FirstUsableLba 34  LastUsableLba 976773134

    Backup GPT header Guid f690a2f0-f528-4723-82fb-b2e1304bd0f5

    Backup GPT header Contains 128 partition entries starting at LBA 976773135

    Backup GPT header Partition entry size = 128


    Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac

    Partition ID 42301d63-652-4b67-a032-c57bba2246b

    FirstLBA 2048  Last LBA 616447

    Attributes 1

    Partition Name                 Basic data partition


    Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b

    Partition ID dafbd759-d86-4c10-aed5-df1bc0aeca4

    FirstLBA 616448  Last LBA 821247

    Attributes 0

    Partition Name                 EFI system partition


    GPT Partition 1 is bootable

    Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae

    Partition ID 8c1ad0a4-74c2-4b95-8dd1-2d7311209e1f

    FirstLBA 821248  Last LBA 1083391

    Attributes 0

    Partition Name         Microsoft reserved partition


    Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7

    Partition ID f06cffe0-d475-4c53-aa83-d68bffb211b7

    FirstLBA 1083392  Last LBA 409602047

    Attributes 0

    Partition Name                 Basic data partition


    Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7

    Partition ID c621461c-cda7-4f49-8390-bafce1e6c23

    FirstLBA 409602048  Last LBA 976773119

    Attributes 0

    Partition Name                 Basic data partition


Disk Size: 500107862016 bytes

Sector size: 512 bytes



Infected: C:\Users\Çördük\Desktop\müslüm\resım\İncim\İncim.exe --> [Worm.Autorun]

Scan finished

Creating System Restore point...

Cleaning up...

Removal scheduling successful. System shutdown needed.

System shutdown occurred




Removal queue found; removal started

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...

Removal finished


Malwarebytes Anti-Rootkit BETA


© Malwarebytes Corporation 2011-2012


OS version: 6.2.9200 Windows 8 x64


Account is Administrative


Internet Explorer version: 10.0.9200.16466


File system is: NTFS


CPU speed: 3.000000 GHz

Memory total: 4288618496, free: 3000315904












Malwarebytes Anti-Rootkit BETA



Database version: v2013.07.26.06


Windows 8 x64 NTFS

Internet Explorer 10.0.9200.16466

Çördük :: CÖRDÜK [administrator]


10.10.2013 09:58:10

mbar-log-2013-10-10 (09-58-10).txt


Scan type: Quick scan

Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: 

Objects scanned: 353196

Time elapsed: 34 minute(s), 32 second(s)


Memory Processes Detected: 0

(No malicious items detected)


Memory Modules Detected: 0

(No malicious items detected)


Registry Keys Detected: 0

(No malicious items detected)


Registry Values Detected: 0

(No malicious items detected)


Registry Data Items Detected: 0

(No malicious items detected)


Folders Detected: 0

(No malicious items detected)


Files Detected: 1

C:\Users\Çördük\Desktop\müslüm\resım\İncim\İncim.exe (Worm.Autorun) -> Delete on reboot.


Physical Sectors Detected: 0

(No malicious items detected)





  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
