squa41 Posted October 8, 2013

Hello dear valuable MalwareBytes staff,

I guess I have an annoying virus on my computer which slows it down a lot. It says that I'm using the CPU over 60 percent. Could you please help me with this issue? Thanks in advance.

Best regards,
Muslum
Root Admin AdvancedSetup Posted October 8, 2013

Hello. If you've not already done so please start here and post back the 2 log files DDS.txt and Attach.txt

P2P/Piracy Warning: If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully. If there is anything that you do not understand kindly ask before proceeding. If needed please print out these instructions.

- Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text. If the log is too large then you can use attachments by clicking on the More Reply Options button.
- Please enable your system to show hidden files: How to see hidden files in Windows
- Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
- Removing malware can be unpredictable... It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
- Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
- The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
- Perform everything in the correct order. Sometimes one step requires the previous one.
- If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
- You can check here if you're not sure if your computer is 32-bit or 64-bit
- Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
- When we are done, I'll give you instructions on how to cleanup all the tools and logs
- Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
- Your topic will be closed if you haven't replied within 3 days
- (If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 0

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.
Link 1
Link 2

On Windows XP double-click on the Rkill desktop icon to run the tool. On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. If not, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs. If the tool does not run from any of the links provided, please let me know. Do not reboot the computer, you will need to run the application again.

STEP 01

Backup the Registry: Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

Please download ERUNT from one of the following links: Link1 | Link2 | Link3

ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.

- Double click on erunt-setup.exe to Install ERUNT by following the prompts. NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
- Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
- Choose a location for the backup. Note: the default location is C:\Windows\ERDNT which is acceptable.
- Make sure that at least the first two check boxes are selected.
- Click on OK
- Then click on YES to create the folder.
- Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02

Please download RogueKiller and save it to your desktop. You can check here if you're not sure if your computer is 32-bit or 64-bit
RogueKiller 32-bit | RogueKiller 64-bit

- Quit all running programs.
- For Windows XP, double-click to start.
- For Vista, Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
- Read and accept the EULA (End User License Agreement)
- Click Scan to scan the system.
- When the scan completes Close the program > Don't Fix anything! Don't run any other options, they're not all bad!!
- Post back the report which should be located on your desktop.
atessu16 Posted October 8, 2013

Hello, he is my friend. He is working and really busy right now. He will answer within 2 days. I am really sorry for any inconvenience and thank you very much for helping him out.
squa41 (Author) Posted October 9, 2013

ComboFix 13-10-08.01 - Çördük 09.10.2013 10:28:47.1.2 - x64
Microsoft Windows 8 Pro 6.2.9200.0.1254.90.1033.18.4090.3029 [GMT 3:00]
Running from: c:\users\Çördük\Downloads\ComboFix.exe
AV: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
Root Admin AdvancedSetup Posted October 9, 2013

Why did you run Combofix? No one asked you to run this.
squa41 (Author) Posted October 9, 2013

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/09/2013 11:34:53 AM in x64 mode.
Windows Version: Windows 8 Pro

Checking for Windows services to stop:
 * No malware services found to stop.

Checking for processes to terminate:
 * No malware processes found to kill.

Checking Registry for malware related settings:
 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
 * No issues found.

Checking Windows Service Integrity:
 * HdAudAddService [Missing Service]

Searching for Missing Digital Signatures:
 * No issues found.

Checking HOSTS File:
 * HOSTS file entries found:
  127.0.0.1 localhost

Program finished at: 10/09/2013 11:35:01 AM
Execution time: 0 hours(s), 0 minute(s), and 8 seconds(s)
squa41 Posted October 9, 2013 Author ID:739772 Share Posted October 9, 2013 ERUNT - The Emergency Recovery Utility NT========================================= Registry Backup and Restore for Windows NT/2000/2003/XP v1.1j, 10/20/2005, FreewareWritten by Lars Hederere-mail: lars.hederer@t-online.de Look for the latest version here:http://www.larshederer.homepage.t-online.de/erunt To find out what's new in this version, please see the "Versionhistory" section later in this file. Introduction------------ With the invention of Windows 95 Microsoft made the wise decision toorganize all computer- and application-specific data which was spreadover countless INI files before in a centralized Windows database,called the system "registry". The registry is one of the mostimportant parts in every Windows system today, without which the OSwould not even boot. And since the registry is quite sensitive tocorruption, it is very advisable to backup its according files fromtime to time. In MS-DOS based Windows versions (95, 98, Me) the registry consists ofthe files SYSTEM.DAT and USER.DAT (and CLASSES.DAT in Windows Me). Tobackup these files, one can easily go to the Windows folder inExplorer and copy the files to a safe location, for example anotherfolder on the hard disk. Microsoft even supplies a utility called ERUwhich can be used to backup these and a few other critical systemfiles to a safe location. Also, Windows 9x/Me automatically create backups of the registry atstartup, with Windows 95 always backing up the registry from theprevious Windows session, and Windows 98/Me maintaining up to fiveregistry copies from the last five days where Windows was running. Unfortunately, this is not the case with Windows versions based on theNT kernel. 
In Windows NT and 2000, the registry is never backed upautomatically, and in XP it is backed up only as part of the bloatedand resource hogging System Restore program which cannot even be usedfor a "restore" should a corrupted registry prevent Windows frombooting. It has also become impossible to copy the necessary files,now called "hives" and usually named DEFAULT, SAM, SECURITY, SOFTWARE,SYSTEM in the SYSTEM32\CONFIG folder, to another location because theyare all in use by the OS. And though the registry in an NT-basedWindows is less likely to become corrupted than in other versions, itcan still happen, and for these cases NT is simply missing an optionfor easy registry backup and restore as there is in Windows 9x/Me, toget the system up and running again in no time. In 2001, as Windows XP began to come pre-installed on many new homeuser PCs and was likely to become the new Windows standard over thenext years, I decided to write a program which offers the ease-of-useof Windows 9x/Me ERU by Microsoft (hence the name ERUNT) to backup theregistry, as well as providing an auto-backup capability, for exampleat Windows startup. Or, before installing a new program for testing purposes one couldsave the registry with ERUNT, install and test the program, uninstallit and restore the registry to be 100% sure that no debris is left. Note: The "Export registry" function in Regedit is USELESS (!) formaking a complete backup of the registry. Neither does it export thewhole registry (for example, no information from the "SECURITY" hiveis saved), nor can the exported file be used later to replace thecurrent registry with the old one. Instead, if you re-import the file,it is merged with the current registry without deleting anything thathas been added since the export, leaving you with an absolute mess ofold and new entries. 
Features-------- - Backup the Windows NT/2000/2003/XP registry to a folder of your choice - System and current user registries selectable - Command line switches for automated registry backup and restoration - Restore the registry in Windows 9x/Me/NT/2000/2003/XP and MS-DOS (all-in-one restore program) or the Windows Recovery Console - Included in this package: NTREGOPT program for optimizing the registry - All programs in this package are completely localizable (translate them into your language), German version included Supported operating systems--------------------------- - Windows NT 3.51- Windows NT 4.0- Windows 2000- Windows 2003- Windows XP- most likely, all future Windows versions based on the NT kernel Additionally supported by the ERDNT restore program:- MS-DOS- Windows 95- Windows 98- Windows Me Installation------------ Use the Setup program to install ERUNT on your computer. Or, if you downloaded the zipped version: Unzip all files into afolder of your choice, and if you want, create shortcuts on yourdesktop to the ERUNT.EXE and NTREGOPT.EXE files. Uninstallation-------------- Use "Add/Remove Programs" in Windows' control panel to remove ERUNTfrom your computer. Or, if you downloaded the zipped version: Delete the ERUNT folder,delete the appropriate desktop icons. (You may also want to delete all restore folders you have previouslycreated with the program.) Backing up the registry with ERUNT---------------------------------- Note: To ensure proper operation of ERUNT, you should be logged in asa system administrator. Start ERUNT, confirm the Welcome message. Type in the name of a restore folder where the backed up registryfiles should be saved, or click "..." to browse your computer's drivesand select a folder. You can also simply leave the default, which is afolder named ERDNT inside your Windows folder, the advantage beingthat you have access to this folder from the Windows Recovery Consolein case Windows does not boot anymore. 
Note that in the folder edit field, ERUNT by default appends a folder named the current date to the restore folder, which allows you to keep as many registry backups as you wish in the same restore folder, separated into the different creation dates. This feature, as well as the appearance of the date string, can be configured via the ERUNT.INI file, described later in this document. If you want the registry backup to be created directly in the folder you select, you can also simply remove the date from the folder edit field before clicking "OK".

Next, select the backup options:

- System registry: The current system registry, usually consisting of the files DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM.
- Current user registry: The registry files for the currently logged-on user, usually NTUSER.DAT and USRCLASS.DAT.
- Other open user registries: Sometimes Windows has a few other user registries in memory. Examples for this are "generic" registries, e.g. for user "EVERYONE", or registries of other users if you use Fast Task Switching in Windows XP. Check this option to backup all these additional user registries (if found) as well.

Click "OK" and wait until the backup process is complete. (Note that depending on your system configuration this may take some time, and that the first bar is NOT a progress bar, just an indicator that the program is still running.) The ERDNT program for later restoration of the registry is automatically copied to the restore folder.

(Technical information: ERUNT saves only registry files which are in use by the system. It obtains information about these files from registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist. Registry hives not listed there, for example those of other users of the computer, cannot be saved by ERUNT.)

ERUNT command line switches
---------------------------

ERUNT supports command line switches with which you can perform an automated registry backup, without user interaction.
The syntax for the ERUNT command line is as follows:

ERUNT DestinationFolder [sysreg] [curuser] [otherusers] [/noconfirmdelete] [/noprogresswindow]

DestinationFolder is required for command line operation of ERUNT, all other switches are optional.

If you specify a destination folder on the command line, ERUNT automatically runs in "silent" mode and with default backup options (system and current user registry). No user interaction is required, EXCEPT the confirmation of the restore folder deletion if it exists, or any error messages. The confirmation question can be suppressed by using /noconfirmdelete (see below).

Description of the command line switches:

DestinationFolder
  The name of the folder where the registry backup should be saved.
  Example: C:\WINDOWS\ERDNT
  You can use the strings #Date# and #Time# anywhere in the folder name to have ERUNT insert the current date/time at that position.
  Example: C:\WINDOWS\ERDNT\#Date#
  Windows' %SystemRoot% environment variable can be used on the command line as a substitute for the name of the Windows folder.
  Example: %SystemRoot%\ERDNT\#Date#

sysreg
  Backup the system registry

curuser
  Backup the current user registry

otherusers
  Backup other open user registries

(Note: If none of the three above options is given on the command line, ERUNT automatically uses the default backup options, system and current user registry.)

/noconfirmdelete
  Automatically deletes the contents of the destination folder if it exists, without asking the user. BE CAREFUL and only use this option if you are sure that the contents of that folder may really be deleted!

/noprogresswindow
  Hides the progress window during backup.
So, to backup the system registry to folder C:\ERDNT each day of the week using subfolders with the name of the current day you could use the integrated scheduler in Windows to schedule seven different ERUNT calls for each day:

For Monday you would use the command line

C:\ERUNT\ERUNT.EXE C:\ERDNT\Monday sysreg /noconfirmdelete

For Tuesday you would use the command line

C:\ERUNT\ERUNT.EXE C:\ERDNT\Tuesday sysreg /noconfirmdelete

... well, you get the idea.

Or, to have ERUNT automatically backup the registry on each Windows startup to a folder named "ERDNT" inside the Windows folder, including a folder named the current date, you could place a shortcut like the following in your Start Menu/Programs/Startup folder:

C:\ERUNT\ERUNT.EXE %SystemRoot%\ERDNT\#Date# /noconfirmdelete

If you want old restore folders created this way to be deleted automatically from time to time, you can use AUTOBACK.EXE instead of ERUNT.EXE. The AUTOBACK tool is described later in this document. Also, ERUNT Setup offers the choice to add an AutoBackup shortcut to the Startup folder automatically during the installation process.

The ERUNT.INI file
------------------

You can configure various ERUNT settings with this file, for example change the default destination folder displayed in ERUNT's folder edit field, or disable automatic appendation of the current date there.

Use Notepad to create a file named ERUNT.INI in your ERUNT folder, and add the following line:

[ERUNT]

Below this line, enter one or more of the following configuration options:

DefaultDestinationFolder
  The name of the default folder displayed in ERUNT's folder edit field. You may also use environment variables here, for example %SystemRoot% as a substitute for the name of the Windows folder.
  Default: %SystemRoot%\ERDNT
  Example:
  DefaultDestinationFolder=C:\ERDNT

AppendDateToFolderEditField
  Enable or disable automatic appendation of the current date to ERUNT's folder edit field.
  0=disable, 1=enable, default: 1
  Example:
  AppendDateToFolderEditField=0

AppendTimeToFolderEditField
  Enable or disable automatic appendation of the current time to ERUNT's folder edit field. This function can only be enabled in conjunction with AppendDateToFolderEditField also set to 1.
  0=disable, 1=enable, default: 0
  Example:
  AppendTimeToFolderEditField=1

DateFormat
DateSeparator
  These settings configure the appearance of the date string in ERUNT's folder edit field, or when #Date# is used on the command line. By default, ERUNT uses Windows' regional settings for the short date format. Note that only "." and "-" are allowed as date separators.
  Example:
  DateFormat=mm/dd/yyyy
  DateSeparator=-

TimeFormat
TimeSeparator
  These settings configure the appearance of the time string in ERUNT's folder edit field, or when #Time# is used on the command line. By default, ERUNT uses Windows' regional settings for the short time format. Note that only "." and "-" are allowed as time separators.
  Example:
  TimeFormat=hh:mm:ss
  TimeSeparator=.

DisableFastBackup
  On supported operating systems (including Windows XP and Server 2003) ERUNT by default uses a very fast backup algorithm. If you experience any problems during registry backup, you can try to disable this function and revert back to the conventional (but slow) method. This setting has no effect on unsupported operating systems, where the conventional algorithm is always used.
  0=fast method, 1=conventional method, default: 0
  Example:
  DisableFastBackup=1

The AUTOBACK.EXE tool
---------------------

The command line tool AUTOBACK.EXE uses the same syntax as ERUNT but performs the additional task of deleting old restore folders after the new backup has been created.

For this to work properly, the name of the last folder in the command line option DestinationFolder must begin with the current date, or the #Date# string, respectively.
If this is the case AUTOBACK automatically searches the parent folder of the newly created backup for folder names of the same date format and deletes all folders except from the last 30 days where backups have been created.

The number of restore folders to keep can be changed using the /days:n command line switch, e.g. /days:7 would only keep the folders from the last 7 backup days.

By default AUTOBACK does not create a new backup if one already exists for the current day. Use the /alwayscreate switch to change this behavior and have the program always create a new backup.

AUTOBACK is dependent on ERUNT and therefore needs to be executed from the same folder. It uses the same settings for the date format as ERUNT does, so if you specified a new format in ERUNT.INI it will also be used automatically by AUTOBACK.

Restoring the registry with ERDNT
---------------------------------

Situation: Windows is running normally.

To restore a previous registry backup, open Windows Explorer, navigate to the folder where you saved the backup to, and double-click the ERDNT.EXE file to start the restoration program. (Each restore folder has its own copy of ERDNT.EXE in it.) Select which registry components to restore, then click "OK" to start restoration. When the process is complete, click "OK" to restart the computer and activate the restored registry.

Note: If you experience any problems restoring the registry, please read "ERDNT technical information" later in this document to learn what ERDNT is actually doing during the process, or simply read on through the following emergency scenarios for other ways of restoring the registry.
What to do if Windows does not boot anymore?
--------------------------------------------

If Windows refuses to boot normally it can be for a variety of reasons, not the least of which is that the registry is damaged, or you installed a program or driver which is somewhat incompatible with the system or buggy, in which case restoring a registry backup from a point where everything was running smoothly should also help.

The first thing to try is to reboot and press the F8 key immediately before the first Windows screen appears, then select the "Last Known Good" option from the menu and see if Windows boots up with this option. If it does, you're all set.

If it does not, reboot again with F8, and select the option "Safe Mode". If Windows boots up in safe mode, you can restore a registry backup just as you would in normal mode, as described above.

If safe mode also fails, read on...

Restoring the registry with ERDNT - Emergency Scenario I
--------------------------------------------------------

Situation: Windows fails to boot up in normal and safe mode, but you have a DOS boot disk or another (working) operating system installed on your PC which is supported by the ERDNT restoration program, and from which you have full access to the drive(s) containing the corrupt Windows installation and the registry backup.

Boot up to the working OS, and open the folder containing the registry backup you want to restore.

If the drive letters are different from what they were in the Windows where you created the registry backup, you need to edit the ERDNT.INF file now to reflect the new drive letters, before trying to restore the registry backup. For example, if the drive with the corrupt Windows installation is now available as D: instead of C:, then you would change all C:\... references in the INF file to D:\... . Editing the file can be done in Windows with the Notepad program, and in DOS with the EDIT command.

Now run the ERDNT.EXE file to start the restoration program. Select which registry components to restore (just the system registry will do in most cases), then start restoration. When the process is complete, reboot the computer and check if the other Windows installation is repaired now.

Restoring the registry with ERDNT - Emergency Scenario II
---------------------------------------------------------

Situation: Windows fails to boot up in normal and safe mode, and you have no other working operating system installed on your PC.

The following two rescue methods require that your PC is configured so that it can boot from CD. See your BIOS documentation for more information.

1. Bart's PE Builder
Use another computer with Internet access and CD burning capabilities to download this free program from the Internet (do a Google search for it), which will create a bootable Windows CD with full access to all drives (including NTFS). Boot from this CD, open the File Management Utility and follow the directions in "Emergency Scenario I" to run ERDNT and restore the registry.

2. The Windows Recovery Console (Windows 2000 and higher)
Note that you can use this method only if you saved the registry backup inside the Windows folder, and that using this procedure only the system registry is restored.
This should however get you back into Windows, from where you can run the ERDNT program to restore user registries, if necessary.
- Boot your system from the Windows 2000/2003/XP CD-ROM.
- At the welcome screen, press "R" (Windows 2000: "R" then "C").
- Type in the number of the Windows installation you want to repair (usually 1), then press ENTER.
- Type in the Administrator password (leave blank if you are unsure what it is) and press ENTER.
- At the command prompt type cd erdnt or whatever you named your restore folder, then press ENTER.
- If you enabled automatic registry backup on system boot during ERUNT installation and want to restore one of these backups, type cd autobackup <ENTER>
- If you created subfolders for different registry backups (for example, with the different creation dates), type dir <ENTER> to see a list of available folders, then type cd foldername <ENTER> where foldername is the name of a folder listed by the dir command, to open that folder.
- Now type batch erdnt.con <ENTER> to restore the system registry from that folder.
- Type exit <ENTER> and remove the CD from the CD-ROM drive. The system will now reboot with the restored registry.

ERDNT technical information
---------------------------

ERDNT knows two restoration modes. The right mode is usually auto-detected each time ERDNT is run, but read on if you are experiencing problems restoring the registry.

"NT" mode is used if you run the ERDNT program from within the same system where you made the backup. This is determined by looking at the [systemRoot] entry in the ERDNT.INF file and comparing it to the actual %SystemRoot% environment variable. Using "NT" mode is the only way to successfully restore the active registry of the currently running OS.

"File copy" mode is used if the currently running OS is NOT NT-based, or if the [systemRoot] entry does not match the %SystemRoot% environment variable. In this mode the backed up registry files are simply copied back to their original location.
MS-DOS based ERDNT only supports "File copy" mode.

Note: In restoration mode "NT" backups of the current registry files are automatically created, so that option is grayed out. In restoration mode "File copy" all saved user registries are automatically restored, so you cannot choose between "current user" and "other user" registries.

The backups of the current registry files are placed in the same location as the original and are given the extension ".bak".

Experienced users don't even need to use the ERDNT program in other operating systems to restore a registry backup. Given access to the appropriate files and folders, the backed up files can simply be copied back to their original location, as that is all ERDNT does in "File copy" mode anyway. Have a look at the ERDNT.INF file to find out what the original file locations are.

ERDNT command line switches
---------------------------

The ERDNT program also supports command line switches for "silent" operation. The syntax for the ERDNT command line is:

ERDNT silent [sysreg] [curuser] [otherusers] [/mode:nt|filecopy] [/nobackup] [/noprogresswindow] [/reboot]

(Switches in brackets are optional.)

Description of the command line switches:

silent
  Puts ERDNT into "silent" mode and enables all other switches.

sysreg
  Restore the system registry

curuser *
  Restore the current user registry (This option is ignored in "File copy" restoration mode.)

otherusers
  Restore other saved user registries

(Note: If none of the three above options is given on the command line, ERDNT automatically uses the default restoration options, system and current user registry.)

/mode:nt or /mode:filecopy *
  Disables automatic detection of the correct restoration mode and uses mode "NT" or "File copy" instead.

/nobackup
  Don't make backups of the current registry files during restoration. (This switch is ignored in "NT" restoration mode.)

/noprogresswindow
  Hides the progress window during restoration.

/reboot *
  Automatically reboots the computer when restoration of the registry is complete.

* = Not supported in the DOS version of ERDNT.

Optimizing the registry with NTREGOPT
-------------------------------------

Similar to Windows 9x/Me, the registry files in an NT-based system can become fragmented over time, occupying more space on your hard disk than necessary and decreasing overall performance. You should use the NTREGOPT utility regularly, but especially after installing or uninstalling a program, to minimize the size of the registry files and optimize registry access.

The program works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys.

Note that the program does NOT change the contents of the registry in any way, nor does it physically defrag the registry files on the drive (as the PageDefrag program from SysInternals does). The optimization done by NTREGOPT is simply compacting the registry hives to the minimum size possible.

To optimize your registry, simply run NTREGOPT, click "OK", and when the process is complete click "OK" to reboot the computer. You should do so immediately because any changes made to the registry after NTREGOPT has been run are lost after the reboot.

NTREGOPT command line switches
------------------------------

The syntax for the NTREGOPT command line is:

NTREGOPT silent [/noprogresswindow] [/reboot]

(Switches in brackets are optional.)

Description of the command line switches:

silent
  Puts NTREGOPT into "silent" mode and enables the other switches.

/noprogresswindow
  Hides the progress window during optimization.

/reboot
  Automatically reboots the computer when optimization of the registry is complete.

Known problems
--------------

ERUNT and NTREGOPT sometimes fail with error 1450 - "Insufficient system resources exist to complete the requested service" - when trying to save a registry hive.
I have not yet been able to reproduce this error on any PC, and reports from affected users indicate that it also pops up when trying to back up the critical hive using Microsoft's REGBACK program. This makes it unlikely that there is anything I can do on my (the programmer's) side. Some users reported however that they were able to work around the problem by running ERUNT/NTREGOPT in Windows' safe mode, and in one case uninstalling a Symantec software suite solved it permanently. One user reported that increasing the "IRPStackSize" value as described in Microsoft Knowledge Base article 177078 fixed the problem on his system.

When the system is rebooted after a restoration of the registry with ERDNT or optimization with NTREGOPT, Windows Server 2003 will by default display the shutdown event tracker during logon asking why the system has been shut down unexpectedly. This is because the info that the shutdown was in fact an expected one is written to the "old" registry during shutdown of the system which is replaced by the restored/optimized registry next time the system is booted, and therefore the shutdown info is discarded and shutdown event tracker thinks the system crashed. You may want to disable the tracker to avoid this message in the future (see the Windows help for information on how to do this).

If you experience any other problems, please email me at lars.hederer@t-online.de with a detailed description and I will see if I can help you.

Localization
------------

You can translate all programs from this package into your language by editing the appropriate .LOC file.

Keep in mind that the LOC files of the three Windows programs (ERUNT, ERDNTWIN, NTREGOPT) should be edited using a Windows based editor (Notepad), and ERDNTDOS.LOC using an MS-DOS based editor (EDIT.COM). This is to ensure that any OEM characters are displayed correctly in the program.
If your language is not yet present on my homepage and you want your localization to be available to the general public, you are welcome to send the four translated files to me. I will then make them available for download, with credits of course.

I have included a German language pack. If you want to use the program in German, simply unzip LOC_GER.ZIP into your ERUNT folder.

Version history
---------------

v1.1j, 10/20/2005
- Fixed compatibility issues with 64-bit Windows (many thanks to Ian Smith and Hajo for all testing)
- Enhanced error messages
- AutoBackup now supports all date formats
- ERUNT.INI: "TimeSeparator" fixed; "DefaultDestinationFolder" now supports all environment variables (previously only %SystemRoot% could be used)
- ERDNT now displays the source Windows folder in addition to the backup's creation date

v1.1i, 08/17/2005
- AutoBackup: Improved support for complex date formats
- NTREGOPT: Optimization results are now calculated correctly when optimization failed on one or more hives

v1.1h, 03/06/2005
- Updated homepage address
- New ERUNT.INI option: AppendTimeToFolderEditField
- Fixed a problem where the current user registry could not be identified on some systems
- Changed behavior of AutoBackup's /days:n switch

v1.1g, 11/02/2004
- ERUNT is now MUCH faster on Windows XP and Server 2003
- Added time string support on the command line
- AutoBackup now by default skips creating a backup for the current day if one already exists

v1.1f, 08/26/2004
- Added AUTOBACK.EXE command line tool for automated registry backup and deletion of old restore folders created prior to a specific number of days
- Window position is now screen center instead of desktop center, fixing display problem when using multiple monitors (thanks John

v1.1e, 07/31/2004
- Appearance of the date string can be configured via ERUNT.INI
- NTREGOPT: Optimization results: use thousand separator

v1.1d, 07/07/2004
- Optimized error handling
- Combined DOS and Windows ERDNT into a single Win32 executable, fixing problems with the previous 16-bit exe stub on some systems and with BartPE
- Added Windows Recovery Console support with ERDNT batch file
- Default destination folder can now be configured via file ERUNT.INI, replacing #DestinationFolder command line option
- Changed the default destination folder to be inside the Windows folder, for easy recovery console access
- New folder named the current date is automatically appended to destination folder (can be disabled in ERUNT.INI)
- Rewrote major parts of the documentation

v1.1c, 05/10/2004
- Fixed problems with dynamic disks
- Added browse function for destination folder, as well as the option to change the default name (use #DestinationFolder on the command line)
- Re-added support for Windows NT 3.51 (got lost with v1.1) except browse function

v1.1b, 04/23/2004
- ERUNT and NTREGOPT are now compatible with Windows Server 2003 and Windows XP Service Pack 2
- Fixed a problem where the registry hives could not be saved/restored/optimized on some systems
- Changed naming convention for user subfolders in the ERDNT folder

v1.1a, 10/03/2002
- Fixed a problem where the registry hives could not be saved/restored/optimized on some systems

v1.1, 09/25/2002
- Fixed "Invalid pointer operation" message which occurred on some systems (many thanks to Russ Cordner for his assistance in isolating the problem)
- Fixed "Error opening localization file" message when ERUNT.EXE was called from outside the ERUNT folder
- Fixed some problems with UNC path names
- Added command line support for ERDNT and NTREGOPT
- NTREGOPT: show optimization results (initial and new registry size)

v1.0, 11/24/2001
- Initial release

Distribution
------------

The ERUNT package (including the programs ERUNT, AUTOBACK, ERDNT and NTREGOPT) is freeware. Please pass it to anyone who you think may find it useful.

I explicitly allow this package to be included in any file archive, CD-ROM or other media collection as well as usage in your own programs provided that all files are kept and remain unchanged. A quick note via e-mail where my program has been included is appreciated.

Donations
---------

Though I chose to make my programs freeware so that no one is required to pay for using them, I accept and appreciate donations. So, if you find my programs helpful and want to support further development, simply visit my homepage and click one of the "PayPal" buttons, or donate directly to my e-mail address via PayPal. Thanks in advance!

If you live in Germany and want to make a donation, you may also transfer money directly to my bank account. Contact me for more information.

Disclaimer
----------

Use this software at your own risk. I do not take responsibility for anything that might happen to you or the PC upon use of my programs, including but not limited to: registry destruction, hard disk crash, heart attack...

Comments and suggestions via e-mail, however, are always welcome!
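The README above describes three behaviours that are easy to get wrong when you script registry backups yourself: how #Date# and #Time# are expanded under the ERUNT.INI DateFormat/DateSeparator/TimeFormat/TimeSeparator settings, AUTOBACK's default of skipping a run when today's folder already exists, and the /days:n rule of keeping only the last N backup days. The following Python script is an added example that models those rules; it is not ERUNT's or AUTOBACK's own code. The INI values are the README's own examples; the reading of the format letters (yyyy, mm, dd, hh, ss) as zero-padded fields and of "N backup days" as the N most recent dated folders are this example's assumptions, and the folder names it creates in a temporary directory are constructed.

```python
import re
import shutil
import tempfile
from datetime import date, datetime
from pathlib import Path

# Settings in the shape of the ERUNT.INI options; the values are the README's
# own examples (mm/dd/yyyy with "-" gives folder names such as 10-20-2005).
INI = {
    "DateFormat": "mm/dd/yyyy",
    "DateSeparator": "-",
    "TimeFormat": "hh:mm:ss",
    "TimeSeparator": ".",
}
for _key in ("DateSeparator", "TimeSeparator"):  # the README allows only these two
    if INI[_key] not in (".", "-"):
        raise ValueError(f"{_key} must be '.' or '-'")


def _render(fmt, sep, tokens):
    """Copy fmt, replacing each token by its value and every other character
    (the '/' or ':' of the pattern) by sep."""
    out, i = "", 0
    while i < len(fmt):
        for tok, val in tokens.items():
            if fmt.startswith(tok, i):
                out += val
                i += len(tok)
                break
        else:
            out += sep
            i += 1
    return out


def format_date(d, ini=INI):
    return _render(ini["DateFormat"], ini["DateSeparator"],
                   {"yyyy": f"{d.year:04d}", "mm": f"{d.month:02d}", "dd": f"{d.day:02d}"})


def format_time(t, ini=INI):
    return _render(ini["TimeFormat"], ini["TimeSeparator"],
                   {"hh": f"{t.hour:02d}", "mm": f"{t.minute:02d}", "ss": f"{t.second:02d}"})


def expand_destination(template, now, ini=INI):
    """Substitute #Date# and #Time# anywhere in a DestinationFolder argument."""
    return (template.replace("#Date#", format_date(now.date(), ini))
                    .replace("#Time#", format_time(now, ini)))


def parse_folder_date(name, ini=INI):
    """Inverse of format_date: the date a folder name encodes, or None."""
    regex = _render(ini["DateFormat"], re.escape(ini["DateSeparator"]),
                    {"yyyy": r"(?P<y>\d{4})", "mm": r"(?P<m>\d{2})", "dd": r"(?P<d>\d{2})"})
    m = re.fullmatch(regex, name)
    if m is None:
        return None
    try:
        return date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # e.g. "13-01-2005": shaped like a backup folder, but not a date
        return None


def backup_exists_for_today(parent, today, ini=INI):
    """AUTOBACK's default: do nothing if today's dated folder is already there."""
    return (parent / format_date(today, ini)).is_dir()


def prune_old_backups(parent, keep_days=30, ini=INI):
    """Delete dated subfolders of parent except those of the keep_days most recent
    backup days (/days:n). Non-date folders are never touched. Returns deleted names."""
    dated = []
    for p in parent.iterdir():
        d = parse_folder_date(p.name, ini) if p.is_dir() else None
        if d is not None:
            dated.append((d, p))
    recent = set(sorted({d for d, _ in dated}, reverse=True)[:keep_days])
    deleted = []
    for d, p in sorted(dated):  # chronological, not lexical: 12-31-2004 is the oldest
        if d not in recent:
            shutil.rmtree(p)
            deleted.append(p.name)
    return deleted


def demo():
    """Exercise the rules on a constructed restore folder; returns what happened."""
    root = Path(tempfile.mkdtemp())
    try:
        for name in ("12-31-2004", "10-16-2005", "10-17-2005", "10-19-2005",
                     "10-20-2005", "13-01-2005", "notes"):  # last two are not backups
            (root / name).mkdir()
        now = datetime(2005, 10, 20, 21, 5, 9)  # constructed "current" time
        return {
            "target": Path(expand_destination(str(root / "#Date#"), now)).name,
            "time_string": format_time(now),
            "today_exists": backup_exists_for_today(root, now.date()),
            "deleted": prune_old_backups(root, keep_days=2),
            "kept": sorted(p.name for p in root.iterdir()),
        }
    finally:
        shutil.rmtree(root)
```

Two points the script makes that the prose only implies: with the README's mm/dd/yyyy format a lexical sort of folder names is not chronological (12-31-2004 sorts after 10-20-2005), so retention must parse the date back out of the name; and a folder that merely looks like a date (13-01-2005) or is not a date at all (notes) is left untouched, which is the safe default for anything that deletes backups.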
Root Admin AdvancedSetup Posted October 10, 2013 ID:740077

Please go ahead and run through the following steps and post back the logs when ready.

STEP 03
Please download Malwarebytes Anti-Rootkit from here
- Unzip the contents to a folder in a convenient location.
- Open the folder where the contents were unzipped and run mbar.exe
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
- Click on the Cleanup button to remove any threats and reboot if prompted to do so.
- Wait while the system shuts down and the cleanup process is performed.
- Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
- When done, please post the two logs produced; they will be in the MBAR folder... mbar-log.txt and system-log.txt

STEP 04
Please download Junkware Removal Tool to your desktop.
- Shutdown your antivirus to avoid any conflicts.
- Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
- The tool will open and start scanning your system.
- Please be patient as this can take a while to complete.
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
- Post the contents of JRT.txt into your next reply message
- When completed make sure to re-enable your antivirus

STEP 05
Please download AdwCleaner by Xplode and save to your Desktop.
- Double click on AdwCleaner.exe to run the tool.
- Click on the Scan button.
- AdwCleaner will begin...be patient as the scan may take some time to complete.
- After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
- The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
- Copy and paste the contents of that logfile in your next reply.
- A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

STEP 06
Please go here to run the online antivirus scanner from ESET.
- Turn off the real time scanner of any existing antivirus program while performing the online scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the activex control to install
- Click Start
- Make sure that the option Remove found threats is unticked
- Click on Advanced Settings and ensure these options are ticked:
  - Scan for potentially unwanted applications
  - Scan for potentially unsafe applications
  - Enable Anti-Stealth Technology
- Click Scan
- Wait for the scan to finish
- If any threats were found, click the 'List of found threats', then click Export to text file....
- Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
squa41 (Author) Posted October 10, 2013 ID:740234

# AdwCleaner v3.007 - Report created 10/10/2013 at 11:02:29
# Updated 09/10/2013 by Xplode
# Operating System : Windows 8 Pro (64 bits)
# Username : Çördük - CÖRDÜK
# Running from : C:\Users\Çördük\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\BetterSoft
Folder Deleted : C:\ProgramData\StarApp
Folder Deleted : C:\ProgramData\Saeayruch-NewTabo
Folder Deleted : C:\ProgramData\ssavEnshaoreu
Folder Deleted : C:\Program Files (x86)\Babylon
Folder Deleted : C:\Program Files (x86)\Movdap
Folder Deleted : C:\Program Files (x86)\Searchprotect
Folder Deleted : C:\Program Files (x86)\SimilarSites
Folder Deleted : C:\Program Files (x86)\Winamp Toolbar
Folder Deleted : C:\Users\Çördük\AppData\LocalLow\ssavEnshaoreu
Folder Deleted : C:\Users\Çördük\AppData\Roaming\SimilarSites
Folder Deleted : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\Extensions\ffxtlbr@babylon.com
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\searchplugins\Babylon.xml
File Deleted : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\searchplugins\conduit-search.xml
File Deleted : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\searchplugins\mixidj.xml
File Deleted : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\user.js
File Deleted : C:\Windows\System32\Tasks\Dealply

***** [ Shortcuts ] *****

***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [ocr@babylon.com]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BabylonHelper.EXE
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKCU\Software\d558ddbb33dbd10
Key Deleted : HKLM\SOFTWARE\d558ddbb33dbd10
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1561552
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\UpdateStar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Delta
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Winamp Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16453

-\\ Mozilla Firefox v

[ File : C:\Users\Çördük\AppData\Roaming\Mozilla\Firefox\Profiles\xx62mofb.default\prefs.js ]

Line Deleted : user_pref("extensions.delta.admin", false);
Line Deleted : user_pref("extensions.delta.aflt", "orgnl");
Line Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Line Deleted : user_pref("extensions.delta.dfltLng", "tr");
Line Deleted : user_pref("extensions.delta.excTlbr", false);
Line Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Line Deleted : user_pref("extensions.delta.id", "fcc271aa000000000000d43d7e327b92");
Line Deleted : user_pref("extensions.delta.instlDay", "15927");
Line Deleted : user_pref("extensions.delta.instlRef", "sst");
Line Deleted : user_pref("extensions.delta.prdct", "delta");
Line Deleted : user_pref("extensions.delta.prtnrId", "delta");
Line Deleted : user_pref("extensions.delta.smplGrp", "none");
Line Deleted : user_pref("extensions.delta.tlbrId", "base");
Line Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Line Deleted : user_pref("extensions.delta.vrsn", "1.8.22.0");
Line Deleted : user_pref("extensions.delta.vrsnTs", "1.8.22.021:20:41");
Line Deleted : user_pref("extensions.delta.vrsni", "1.8.22.0");
Line Deleted : user_pref("extensions.enabledAddons", "yasearch%40yandex.ru:7.4.2,vb%40yandex.ru:2.2.1,WebSiteRecommendation%40weliketheweb.com:1.0.6,plugin%40getwebcake.com:1.00.01,%7B972ce4c6-7e08-4474-a285-3208198[...]

-\\ Google Chrome v30.0.1599.69

[ File : C:\Users\Çördük\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [6737 octets] - [10/10/2013 10:57:50]
AdwCleaner[s0].txt - [6674 octets] - [10/10/2013 11:02:29]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [6734 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.4 (10.06.2013:1)
OS: Windows 8 Pro x64
Ran by €”rdk on Per 10.10.2013 at 10:42:56,14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\AppID\babylonhelper.exe
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Failed to delete: [Registry Key]
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\anchorfreeSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduitSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\deltaSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\dsiteproductsSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\filescoutSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\softonicSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\startsearchSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\winamp toolbarSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbarSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2914279751-1493668412-170166720-1001\Software\SweetIMFailed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduitFailed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\deltaSuccessfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\prod.capFailed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}Failed to delete: [Registry Key] 
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\babylon_rasapi32Failed to delete: [Registry Key] 
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\babylon_rasmancsFailed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\webcakedesktop_rasapi32Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\webcakedesktop_rasmancsFailed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\conduitFailed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\babylon_rasapi32Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\babylon_rasmancsFailed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\webcakedesktop_rasapi32Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\webcakedesktop_rasmancsFailed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT1561552Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Babylon_RASAPI32Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Babylon_RASMANCSFailed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\Babylon_RASAPI32Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\Babylon_RASMANCSSuccessfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} ~~~ Files ~~~ Folders Failed to delete: [Folder] "C:\ProgramData\bettersoft"Failed to delete: [Folder] "C:\ProgramData\starapp"Successfully deleted: [Folder] "C:\Users\€”rdk\AppData\Roaming\dsite"Successfully deleted: [Folder] "C:\Users\€”rdk\AppData\Roaming\movdap"Successfully deleted: [Folder] "C:\Users\€”rdk\AppData\Roaming\simplitec"Successfully deleted: [Folder] "C:\Users\€”rdk\appdata\local\conduit"Successfully deleted: [Folder] "C:\Users\€”rdk\appdata\local\searchprotect"Successfully deleted: [Folder] "C:\Users\€”rdk\appdata\locallow\conduit"Failed to delete: 
[Folder] "C:\Program Files (x86)\babylon"Failed to delete: [Folder] "C:\Program Files (x86)\movdap"Failed to delete: [Folder] "C:\Program Files (x86)\searchprotect"Failed to delete: [Folder] "C:\Program Files (x86)\winamp toolbar"Successfully deleted: [Folder] "C:\Users\€”rdk\AppData\Roaming\microsoft\windows\start menu\programs\dealply"Failed to delete: [Folder] "C:\Windows\syswow64\ai_recyclebin" ~~~ Event Viewer Logs were cleared ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Scan was completed on Per 10.10.2013 at 10:49:02,39End of JRT log~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Link to post Share on other sites More sharing options...
squa41 Posted October 10, 2013

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative
Internet Explorer version: 10.0.9200.16466
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 3.000000 GHz
Memory total: 4288618496, free: 2656808960

=======================================
Initializing...
------------ Kernel report ------------
     10/10/2013 09:58:04
------------ Loaded modules -----------
----------- End -----------
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 7DCF768A
GPT Protective MBR
Disk Size: 500107862016 bytes
Sector size: 512 bytes
Done!
Infected: C:\Users\Çördük\Desktop\müslüm\resım\İncim\İncim.exe --> [Worm.Autorun]
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative
Internet Explorer version: 10.0.9200.16466
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 3.000000 GHz
Memory total: 4288618496, free: 3000315904

=======================================

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.07.26.06

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16466
Çördük :: CÖRDÜK [administrator]

10.10.2013 09:58:10
mbar-log-2013-10-10 (09-58-10).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 353196
Time elapsed: 34 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Çördük\Desktop\müslüm\resım\İncim\İncim.exe (Worm.Autorun) -> Delete on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
Root Admin AdvancedSetup Posted October 10, 2013

It looks like you did not run JRT with Admin rights. Please restart the computer and run the tool again, but this time make sure you right click over the program and choose "Run as administrator". Then post back the ESET log and the FRST logs.

Thanks
Root Admin AdvancedSetup Posted October 16, 2013

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks!