Solved I have the virus win32/small.ca on my PC

March 6, 2013 at 23:55:06
Specs: Windows 7
Hi, my name is Pedram & I am in big trouble with my system. When running programs they just stop responding at the beginning; sometimes they just work fine & suddenly crash in the middle, & my Firefox & Explorer crash in the middle rapidly. Windows says that it is caused by a virus named Win32/small.ca and you must remove it! & I have no idea how to do that.
Edit: my OS is Windows 7 Ultimate Service Pack 1

thanks, Pedram


#1
March 7, 2013 at 03:34:51
Try the free version of Malwarebytes Anti-Malware: http://www.malwarebytes.org/product...


#2
March 7, 2013 at 03:58:43
Thanks for your reply, Phil. OK, I am not a PC expert. I downloaded that, but can you specify more & guide me through this process?


#3
March 7, 2013 at 04:07:01
1: Make sure you have the Free version, use this link to make sure.
http://www.softpedia.com/dyn-postdo...

2: Double-click on the .exe to install it.

3: Use Quick scan. Copy & Paste the contents of the log please.



#4
March 7, 2013 at 04:15:16
Thank you, I did it & here is the log:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.07.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Pedram :: DESKTOP [administrator]

Protection: Enabled

3/7/2013 3:38:52 PM
MBAM-log-2013-03-07 (15-43-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243813
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 24
HKCR\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCR\funmoods.funmoodsHlpr.1 (PUP.FunMoods) -> No action taken.
HKCR\funmoods.funmoodsHlpr (PUP.FunMoods) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> No action taken.
HKCR\escort.escortIEPane.1 (PUP.Funmoods) -> No action taken.
HKCR\escort.escortIEPane (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> No action taken.
HKCR\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} (PUP.Funmoods) -> No action taken.
HKCR\funmoods.dskBnd.1 (PUP.Funmoods) -> No action taken.
HKCR\funmoods.dskBnd (PUP.Funmoods) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> No action taken.
HKCR\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} (PUP.Funmoods) -> No action taken.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> No action taken.
HKCR\funmoodsApp.appCore (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> No action taken.
HKCR\f (PUP.Funmoods) -> No action taken.
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> No action taken.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> No action taken.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: Funmoods Toolbar -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Users\Pedram\U1003.exe (Malware.Gen) -> No action taken.
C:\Users\Pedram\U1006.exe (Trojan.Agent) -> No action taken.
C:\Users\Pedram\U1007.exe (Malware.Gen) -> No action taken.
C:\Users\Pedram\u995.exe (PUP.UltraReach) -> No action taken.
C:\Users\Pedram\u997.exe (PUP.UltraReach) -> No action taken.
C:\Users\Pedram\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> No action taken.
C:\Users\Pedram\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> No action taken.
C:\Users\Pedram\AppData\Local\funmoods.crx (PUP.Funmoods) -> No action taken.
C:\Users\Pedram\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> No action taken.

(end)



#5
March 7, 2013 at 04:26:29
OK, what should I do next? Sorry for the double reply :)


#6
March 7, 2013 at 04:29:09
"OK, what should I do next? Sorry for the double reply :)"
Once you post the log, I will read it & then advise further.


#7
March 7, 2013 at 04:31:00
Your MBAM log indicates "No action taken."

Click the Remove Selected button after the scan & post a new log please.



#8
March 7, 2013 at 04:39:37
OK, the list was open & I only pushed Remove Selected. Here is the log:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.07.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Pedram :: DESKTOP [administrator]

Protection: Enabled

3/7/2013 3:38:52 PM
mbam-log-2013-03-07 (15-38-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243813
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 24
HKCR\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCR\funmoods.funmoodsHlpr.1 (PUP.FunMoods) -> No action taken.
HKCR\funmoods.funmoodsHlpr (PUP.FunMoods) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> No action taken.
HKCR\escort.escortIEPane.1 (PUP.Funmoods) -> No action taken.
HKCR\escort.escortIEPane (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> No action taken.
HKCR\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} (PUP.Funmoods) -> No action taken.
HKCR\funmoods.dskBnd.1 (PUP.Funmoods) -> No action taken.
HKCR\funmoods.dskBnd (PUP.Funmoods) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> No action taken.
HKCR\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} (PUP.Funmoods) -> No action taken.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> No action taken.
HKCR\funmoodsApp.appCore (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> No action taken.
HKCR\f (PUP.Funmoods) -> No action taken.
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> No action taken.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> No action taken.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: Funmoods Toolbar -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Users\Pedram\u995.exe (PUP.UltraReach) -> No action taken.
C:\Users\Pedram\u997.exe (PUP.UltraReach) -> No action taken.
C:\Users\Pedram\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> No action taken.
C:\Users\Pedram\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> No action taken.
C:\Users\Pedram\AppData\Local\funmoods.crx (PUP.Funmoods) -> No action taken.
C:\Users\Pedram\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> No action taken.
C:\Users\Pedram\U1003.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\Users\Pedram\U1006.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Pedram\U1007.exe (Malware.Gen) -> Quarantined and deleted successfully.

(end)


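The check the helper made by eye in #7 and #8 (which lines end in "No action taken" and which in "Quarantined and deleted successfully") can be scripted. The parser below is an added example, not code from this thread or from Malwarebytes: it reads a log in the MBAM 1.x layout shown above, summarises the detections by section and action, lists what is still present on the machine, and flags a log whose "X Detected: N" headers disagree with the lines beneath them (a sign the paste was truncated or edited). The sample log is constructed from the entries posted above; the "Program Files (x86)" line and the PUP.Example name are invented to show that item paths containing parentheses are handled correctly.

```python
"""Triage a Malwarebytes Anti-Malware 1.x scan log: what was removed, what is
still marked "No action taken", and whether the pasted log is complete."""
import re
from collections import Counter

# Constructed sample in the layout of the MBAM logs posted in this thread.
# The "Program Files (x86)" line is invented to exercise paths with parentheses.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware (Trial) 1.70.0.1100
Scan type: Quick scan

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\funmoods.funmoodsHlpr (PUP.FunMoods) -> No action taken.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: Funmoods Toolbar -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: -> No action taken.

Files Detected: 4
C:\Users\Pedram\u995.exe (PUP.UltraReach) -> No action taken.
C:\Program Files (x86)\Example\helper.dll (PUP.Example) -> No action taken.
C:\Users\Pedram\U1006.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Pedram\U1007.exe (Malware.Gen) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> "  # registry key / file, then threat name
    r"(?:Data:\s*(?P<data>.*?)\s*-> )?"           # registry values carry a Data: field
    r"(?P<action>.+?)\.?$"                         # what MBAM did with the item
)
NOT_ACTIONED = "No action taken"


def parse_mbam_log(text):
    """Return (entries, declared): one dict per detection line, plus the
    per-section counts MBAM printed in its 'X Detected: N' headers."""
    entries, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            declared[section] = int(header.group("count"))
            continue
        # Skip the preamble before the first section and the
        # "(No malicious items detected)" filler lines.
        if section is None or line.startswith("("):
            continue
        hit = DETECTION_RE.match(line)
        if hit:
            entries.append({
                "section": section,
                "item": hit.group("item"),
                "threat": hit.group("threat"),
                "data": hit.group("data") or "",
                "action": hit.group("action"),
            })
    return entries, declared


def pending_items(entries):
    """Detections MBAM listed but did not remove: still present on disk or in
    the registry until they are ticked and 'Remove Selected' is clicked."""
    return [e for e in entries if e["action"] == NOT_ACTIONED]


def summarize(entries):
    """Counter keyed by (section, action), e.g. ('Files', 'No action taken')."""
    return Counter((e["section"], e["action"]) for e in entries)


def count_mismatches(entries, declared):
    """Sections whose header count disagrees with the lines actually present;
    a non-empty result means the pasted log is truncated or was edited."""
    found = Counter(e["section"] for e in entries)
    return {s: (n, found.get(s, 0)) for s, n in declared.items() if found.get(s, 0) != n}


def report(text):
    """Human-readable triage of one log, returned as a string."""
    entries, declared = parse_mbam_log(text)
    lines = [f"{len(entries)} detections parsed"]
    for (section, action), n in sorted(summarize(entries).items()):
        lines.append(f"  {section}: {n} x {action}")
    for e in pending_items(entries):
        lines.append(f"  STILL PRESENT: {e['item']} ({e['threat']})")
    for section, (said, seen) in count_mismatches(entries, declared).items():
        lines.append(f"  WARNING: {section} header says {said}, log lists {seen}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it as a script to print the triage of the constructed sample, or call `report()` on the text of a real mbam-log-*.txt; a "STILL PRESENT" line means the item is only detected, not removed, which is exactly what #7 pointed out about the first log.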

#9
March 7, 2013 at 04:41:15
"Malwarebytes Anti-Malware (Trial) 1.70.0.1100"
You didn't download the FREE version.


#10
March 7, 2013 at 04:41:46
✔ Best Answer
1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
An introduction as to what this program does.
http://www.bleepingcomputer.com/for...
For those of you who no longer have the %Temp%\Smtmp folder, you will not be able to use Unhide to restore your Start Menu items. With this in mind, I have created some scripts to restore the default Start Menu for specific versions of Windows that I have access to. You can view the available versions below. I will be adding more as time goes on.
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run; it does take some time, so be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: Run ComboFix & post the contents of the log please.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#11
March 7, 2013 at 04:46:08
Sorry, it just checked only 3 items in the list & didn't take action on the others (I guess because they are registry files). Should I check all of the list??


#12
March 7, 2013 at 04:50:52
See the bottom of my log: only 3 were checked & deleted. Also, Malwarebytes says you must restart your system.


#13
March 7, 2013 at 04:53:52
"Sorry, it just checked only 3 items in the list & didn't take action on the others"
That's why I have asked you to run Combofix.


#14
March 7, 2013 at 05:07:38
I am not going to be available for quite a few hours; after you have done all of my post #10, do these.

4: Run Hitman Pro, then Copy & Paste the contents of the log please.
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.surfright.nl/en/HitmanPro
http://www.surfright.nl/en/hitmanpro/
Unlimited free scanning and free 30-day version to remove detected malware.
Download now (64-bit)
http://dl.surfright.nl/HitmanPro35_...
Review
http://www.youtube.com/watch?v=WmPQ...

5: Run TDSSKiller & post the contents of the log.
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://support.kaspersky.com/faq/?q...
http://support.kaspersky.com/viruse...

6: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://general-changelog-team.fr/en...
http://www.raymond.cc/blog/adwclean...
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

7: Run Junkware Removal Tool
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool to your desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. http://www.bleepingcomputer.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Copy and Paste the JRT.txt log into your next message.

8: Run MBAM again & post the log.



#15
March 7, 2013 at 05:18:21
Thanks, I am done with the Unhide scanning program. Will post my logs after finishing each step.


#16
March 7, 2013 at 06:33:52
OK, I just ran ComboFix and finished the process. Here is the log:
SORRY, it's too large; it doesn't allow me to post the log in the reply section (because of its size)! I will post it in 2 parts.

This is the 1st part; the 2nd part will be in the post below :)

ComboFix 13-03-05.01 - Pedram 03/07/2013 17:24:41.1.3 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6144.4299 [GMT 3.5:30]
Running from: c:\users\Pedram\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\1ADE72DE98.sys
c:\programdata\DBC05C014B.sys
c:\users\Pedram\6a00e5529de4af88340120a915b97b970b-800wi.jpg
c:\users\Pedram\7023.jpg
c:\users\Pedram\AppData\Roaming\.#
c:\users\Pedram\freedom-20100111-01.exe
c:\users\Pedram\u995.exe
c:\users\Pedram\u997.exe
c:\windows\SysWow64\drivers\hwinterface.sys
c:\windows\SysWow64\tmpA87F.tmp
c:\windows\SysWow64\tmpA8CE.tmp
c:\windows\SysWow64\URTTemp
c:\windows\SysWow64\URTTemp\regtlib.exe
.
Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
.
Infected copy of c:\windows\SysWow64\powrprof.dll was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy5_!Windows!SysWOW64!powrprof.dll
.
c:\windows\SysWow64\mshtml.dll . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
.
.
((((((((((((((((((((((((( Files Created from 2013-02-07 to 2013-03-07 )))))))))))))))))))))))))))))))
.
.
2013-03-07 12:17 . 2013-02-19 00:27 9162192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{916FE8E3-CB89-4A6F-B2CB-D2874E1A5EEC}\mpengine.dll
2013-03-07 12:06 . 2013-03-07 12:06 -------- d-----w- c:\users\Pedram\AppData\Roaming\Malwarebytes
2013-03-07 12:06 . 2013-03-07 12:06 -------- d-----w- c:\programdata\Malwarebytes
2013-03-07 12:06 . 2013-03-07 12:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-07 12:06 . 2012-12-14 13:19 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-07 05:50 . 2013-03-07 05:50 -------- d-----w- c:\program files (x86)\ESET
2013-03-06 20:11 . 2013-03-06 20:11 -------- d-----w- c:\program files\Enigma Software Group
2013-03-06 20:11 . 2013-03-06 21:16 -------- d-----w- c:\windows\6B6C4C461B7E4A419E70ACFBB22B1D81.TMP
2013-03-06 11:26 . 2013-03-06 11:26 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-03-06 11:08 . 2013-03-06 11:08 -------- d-----w- c:\programdata\Logitech
2013-03-06 11:08 . 2013-03-06 11:08 -------- d-----w- c:\program files (x86)\Logitech
2013-03-04 14:42 . 2013-03-04 14:44 -------- d-----w- c:\users\Pedram\AppData\Roaming\Registry Mechanic
2013-03-04 14:06 . 2013-03-04 15:17 -------- d-----w- c:\programdata\Avanquest
2013-03-04 14:06 . 2013-03-04 14:26 -------- d-----w- c:\users\Pedram\AppData\Roaming\Avanquest
2013-02-11 12:06 . 2013-02-11 12:06 477616 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-02-11 12:06 . 2013-02-11 12:06 -------- d-----w- c:\program files (x86)\Java
2013-02-11 12:05 . 2013-02-11 12:05 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-28 07:34 . 2012-12-20 07:49 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-28 07:34 . 2012-06-19 09:30 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-11 12:06 . 2011-06-21 17:51 473520 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-01-22 08:53 . 2013-01-22 08:53 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-01-16 21:58 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
2012-12-29 10:34 . 2013-01-29 19:41 958272 ----a-w- c:\windows\SysWow64\nvumdshim.dll
2012-12-29 10:34 . 2013-01-29 19:41 26931128 ----a-w- c:\windows\system32\nvoglv64.dll
2012-12-29 10:34 . 2013-01-29 19:41 20450232 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2012-12-29 10:34 . 2013-01-29 19:41 12641120 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2012-12-29 10:34 . 2013-01-29 19:41 10997176 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-12-29 10:34 . 2013-01-29 19:41 9389888 ----a-w- c:\windows\system32\nvcuda.dll
2012-12-29 10:34 . 2013-01-29 19:41 7931896 ----a-w- c:\windows\SysWow64\nvcuda.dll
2012-12-29 10:34 . 2013-01-29 19:41 2904504 ----a-w- c:\windows\system32\nvcuvid.dll
2012-12-29 10:34 . 2013-01-29 19:41 2720696 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2012-12-29 10:34 . 2013-01-29 19:41 246024 ----a-w- c:\windows\system32\nvinitx.dll
2012-12-29 10:34 . 2013-01-29 19:41 2344888 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-12-29 10:34 . 2013-01-29 19:41 201728 ----a-w- c:\windows\SysWow64\nvinit.dll
2012-12-29 10:34 . 2013-01-29 19:41 1985976 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2012-12-29 10:34 . 2013-01-29 19:41 18054312 ----a-w- c:\windows\system32\nvd3dumx.dll
2012-12-29 10:34 . 2013-01-29 19:41 15129064 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2012-12-29 10:34 . 2013-01-29 19:41 25256376 ----a-w- c:\windows\system32\nvcompiler.dll
2012-12-29 10:34 . 2013-01-29 19:41 2504248 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-12-29 10:34 . 2013-01-29 19:41 17560504 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2012-12-29 10:34 . 2013-01-29 19:34 7565240 ----a-w- c:\windows\system32\nvopencl.dll
2012-12-29 10:34 . 2013-01-29 19:34 6263784 ----a-w- c:\windows\SysWow64\nvopencl.dll
2012-12-29 10:34 . 2013-01-29 19:34 1504696 ----a-w- c:\windows\system32\nvdispgenco64.dll
2012-12-29 10:34 . 2012-03-05 10:26 1813432 ----a-w- c:\windows\system32\nvdispco64.dll
2012-12-29 10:34 . 2012-03-05 10:26 15052368 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-12-29 10:34 . 2012-03-05 10:26 1107592 ----a-w- c:\windows\system32\nvumdshimx.dll
2012-12-29 10:34 . 2011-05-17 17:35 2824656 ----a-w- c:\windows\system32\nvapi64.dll
2012-12-29 08:40 . 2010-12-19 10:48 6382008 ----a-w- c:\windows\system32\nvcpl.dll
2012-12-29 08:40 . 2010-12-19 10:48 3455416 ----a-w- c:\windows\system32\nvsvc64.dll
2012-12-29 08:40 . 2012-03-05 10:27 2923201 ----a-w- c:\windows\system32\nvcoproc.bin
2012-12-29 08:40 . 2010-12-19 10:48 118712 ----a-w- c:\windows\system32\nvmctray.dll
2012-12-29 08:40 . 2010-12-19 10:48 884152 ----a-w- c:\windows\system32\nvvsvc.exe
2012-12-29 08:40 . 2010-12-19 10:48 63928 ----a-w- c:\windows\system32\nvshext.dll
2012-12-28 23:24 . 2012-12-28 23:24 550328 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-12-11 08:42 . 2012-12-20 08:10 441104 ----a-w- c:\windows\system32\HMIPCore64.dll
2012-12-11 08:42 . 2012-12-20 08:10 342288 ----a-w- c:\windows\SysWow64\HMIPCore.dll
2009-03-09 07:38 . 2012-01-01 22:08 585216 ----a-r- c:\program files (x86)\Uninstall Dead Space.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2011-07-22 . E6D5C7E4AAC0C682169AA5021386EFF3 . 12273664 . . [9.00.8112.16421] .. c:\windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16434_none_922e2c22293367b8\mshtml.dll
[-] 2011-07-22 . 15683ED6A822BD7BD18CF069FAB9210A . 12273664 . . [9.00.8112.16421] .. c:\windows\SysWOW64\mshtml.dll
[7] 2011-07-22 . F2966190D2C20C585A730F9C0B3C7373 . 12273664 . . [9.00.8112.16421] .. c:\windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.20534_none_92b7c8ed42510782\mshtml.dll
[7] 2011-06-08 . 4DEF8126CABAA6CDC12103CD74C6A919 . 12268544 . . [9.00.8112.16421] .. c:\windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16421_none_9235fb30292dffc2\mshtml.dll
[7] 2011-04-22 . 3F63F95C998F7E1AF409BC74E83D45E5 . 12269056 . . [9.00.8112.16421] .. c:\windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16430_none_922a2afa2937025c\mshtml.dll
[7] 2011-04-22 . 858AD7EC121DBC3D39D4ABFE2E7E789C . 12269056 . . [9.00.8112.16421] .. c:\windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.20530_none_92b3c7c54254a226\mshtml.dll
[7] 2011-03-07 . 3D2F69861D7B24A3C5B0473583FE3D9D . 5981696 . . [8.00.7601.17573] .. c:\windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7601.17573_none_963629c2e45d4e24\mshtml.dll
[7] 2011-03-07 . 5E87C06B924495F6FA381391FDE0C9D4 . 5981696 . . [8.00.7601.21676] .. c:\windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7601.21676_none_96c2c76bfd7839f3\mshtml.dll
[7] 2010-11-21 . C50799F0D47DFB9774F721521B6C41D5 . 5977600 . . [8.00.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7601.17514_none_96780994e42bbfd5\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7473b6bd-4691-4744-a82b-7854eb3d70b6}"= "c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2013-01-08 3674320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="d:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-02-16 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2008-10-13 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-02-28 75048]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-24 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-24 16008]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2010-08-16 19936]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2010-08-16 13280]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-08 55280]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-01-22 283200]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/05/23 00:23];c:\program files (x86)\CyberLink\PowerDVD9\000.fcl [2009-02-28 15:10 146928]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-05-23 136360]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\nlssrv32.exe [2012-03-28 66560]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-12-28 383416]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2007-09-07 1908520]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-04-15 2280312]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS26.SYS [2009-06-10 411136]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-20 07:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"Launch LgDevAgt"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2008-11-06 397320]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2008-11-06 2049544]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2008-11-06 3837960]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.Tehranbuy.Com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Download All By FlashGet3 - c:\users\Pedram\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
IE: Download By FlashGet3 - c:\users\Pedram\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
Trusted Zone: kuaiche.com\software
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE}: NameServer = 190.211.253.2 31.7.58.243
TCP: Interfaces\{C2876EB8-944A-4433-865A-FF5CF914DF6B}: NameServer = 8.8.8.8 8.8.4.4
FF - ProfilePath - c:\users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\
FF - prefs.js: browser.search.selectedEngine - uTorrentControl_v2 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.mydtzone.com/startpage
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&CUI=UN20843460938095604&UM=UM_ID&q=
FF - ExtSQL: 2013-01-18 22:04; {7473b6bd-4691-4744-a82b-7854eb3d70b6}; c:\users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
FF - ExtSQL: 2013-02-11 15:36; {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}
FF - user.js: extensions.funmoods.hmpg - false
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutD0AtDyD0CyCzyzyzyzztD0BtC0C0CtBtN0D0Tzu0CtByCtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1909750556
FF - user.js: extensions.funmoods.dfltSrch - false
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - false
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutD0AtDyD0CyCzyzyzyzztD0BtC0C0CtBtN0D0Tzu0CtByCtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1909750556
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutD0AtDyD0CyCzyzyzyzztD0BtC0C0CtBtN0D0Tzu0CtByCtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1909750556&q=
FF - user.js: extensions.funmoods.id - 0A05C699980B1CC2
FF - user.js: extensions.funmoods.instlDay - 15600
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2217:13
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - axl
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - axl
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - (no file)
WebBrowser-{7473B6BD-4691-4744-A82B-7854EB3D70B6} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"=hex:51,66,7a,6c,4c,1d,38,12,de,57,48,
92,d2,3f,7f,03,f2,f1,b4,7f,a5,ec,4a,32
"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}"=hex:51,66,7a,6c,4c,1d,38,12,8a,de,68,
55,95,ad,1e,00,cd,08,68,12,b3,4d,db,d3
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=hex:51,66,7a,6c,4c,1d,38,12,c2,99,1a,
36,00,8f,58,04,e1,8c,0d,76,4f,1c,0a,03
"{074C1DC5-9320-4A9A-947D-C042949C6216}"=hex:51,66,7a,6c,4c,1d,38,12,ab,1e,5f,
03,12,dd,f4,0f,eb,6b,83,02,91,c2,26,02
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{B070D3E3-FEC0-47D9-8E8A-99D4EEB3D3B0}"=hex:51,66,7a,6c,4c,1d,38,12,8d,d0,63,
b4,f2,b0,b7,02,f1,9c,da,94,eb,ed,97,a4
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:40,44,b8,3f,1c,30,cc,01
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.032"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.abr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ani"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.apd"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.arw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.bay"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.bmp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.bw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.cr2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.crw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.cs1"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.cur"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dcr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dcx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dib"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.djv"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.djvu"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dng"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.emf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.eps"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.erf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.fff"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.fpx"
.



#17
March 7, 2013 at 06:36:17
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.gif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.hdr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.icl"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.icn"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.iff"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ilbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.int"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.inta"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.iw4"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.j2c"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.j2k"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jbr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jfif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jp2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpc"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpe"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpeg"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpg"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpk"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.kdc"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.lbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.mef"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.mos"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.mrw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.nef"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.nrw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.orf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pbr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pcd"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pct"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pcx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pef"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pgm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pic"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pict"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pix"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (S-1-5-21-1793089506-2317700198-1074794676-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.png"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ppm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (S-1-5-21-1793089506-2317700198-1074794676-1000)
@Denied: (2) (LocalSystem)
"Progid"="Photoshop.Image.12"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.psp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pspbrush"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pspimage"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.raf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ras"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.raw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rgb"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rgba"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rle"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rsb"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rw2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rwl"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.sgi"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.sr2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.srf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.srw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.tga"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.thm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.tif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.tiff"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ttc"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (S-1-5-21-1793089506-2317700198-1074794676-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ttf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v40po\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.v40po"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v40pp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.v40pp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v40ppf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.v40ppf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.wbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.wbmp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.wmf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xmp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xpm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\SecuROM\License information*]
"datasecu"=hex:23,0a,30,b8,68,e4,bf,01,23,5e,fc,bd,10,b2,be,ee,d2,3b,de,05,5f,
bc,1c,38,3e,15,c6,08,86,3f,e5,56,4e,e7,72,69,0d,a7,60,d7,ee,bd,5e,47,0c,25,\
"rkeysecu"=hex:9a,17,74,8d,a3,6f,53,7f,5c,d4,b1,fa,6c,62,0d,11
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-03-07 17:43:23 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-07 14:13
.
Pre-Run: 15,858,114,560 bytes free
Post-Run: 17,252,737,024 bytes free
.
- - End Of File - - F8D15DF3EB556D023F6AC2A4037149E9


#18
March 7, 2013 at 09:22:11
My HitmanPro log after scan & remove (I will post it in 2 parts):

[code]
HitmanPro 3.7.2.190
www.hitmanpro.com

Computer name . . . . : DESKTOP
Windows . . . . . . . : 6.1.1.7601.X64/3
User name . . . . . . : DESKTOP\Pedram
UAC . . . . . . . . . : Enabled
License . . . . . . . : Trial (30 days left)

Scan date . . . . . . : 2013-03-07 18:35:30
Scan mode . . . . . . : Normal
Scan duration . . . . : 1h 14m 33s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 2
Traces . . . . . . . : 346

Objects scanned . . . : 1,810,702
Files scanned . . . . : 47,956
Remnants scanned . . : 445,531 files / 1,317,215 keys

Malware _____________________________________________________________________

C:\Users\Pedram\My Completed Downloads\u96c.exe -> Quarantined
Size . . . . . . . : 487,424 bytes
Age . . . . . . . : 654.0 days (2011-05-23 17:27:27)
Entropy . . . . . : 7.8
SHA-256 . . . . . : BD13538B982629FD09122EFBE958AEBEA6AFEF58D3031CC282E6340763777B2E
> a-Squared . . . . : Trojan.Win32.UltraSurf!A2
Fuzzy . . . . . . : 114.0

C:\Users\Pedram\ultra surf files\u96c.exe -> Quarantined
Size . . . . . . . : 487,424 bytes
Age . . . . . . . : 654.0 days (2011-05-23 17:32:03)
Entropy . . . . . : 7.8
SHA-256 . . . . . : BD13538B982629FD09122EFBE958AEBEA6AFEF58D3031CC282E6340763777B2E
> a-Squared . . . . : Trojan.Win32.UltraSurf!A2
Fuzzy . . . . . . : 114.0


Suspicious files ____________________________________________________________

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
Size . . . . . . . : 1,260,472 bytes
Age . . . . . . . : 367.2 days (2012-03-05 13:58:03)
Entropy . . . . . : 6.4
SHA-256 . . . . . : BFFDEEB7F6442E6086411324CECB59F58904F41EC8CCBF016037AB7247B01B29
Product . . . . . : NVIDIA Update Components
Publisher . . . . : NVIDIA Corporation
Description . . . : NVIDIA Settings Update Manager
Version . . . . . : 1.11.3.0
Copyright . . . . : (C) NVIDIA Corporation. All rights reserved.
RSA Key Size . . . : 2048
Service . . . . . : nvUpdatusService
Parent Name . . . : C:\Windows\system32\services.exe
Authenticode . . . : Invalid
Running processes : 4080
Fuzzy . . . . . . : 23.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
This program is actively listening for inbound network connections.
Starts automatically as a service during system bootup.
Program starts automatically without user intervention.
The file is in use by one or more active processes.
The file appears to be part of an installation package or setup program. This is typical for most programs.
Startup
HKLM\SYSTEM\CurrentControlSet\Services\nvUpdatusService\
Network Ports
127.0.0.1:2559

C:\Users\Pedram\Desktop\unhide.exe
Size . . . . . . . : 398,752 bytes
Age . . . . . . . : 0.1 days (2013-03-07 16:27:11)
Entropy . . . . . : 6.5
SHA-256 . . . . . : 4F68C751CA08888C6CF5EBA888E9385D52F42E0C1A60EC7888C34841A7540B53
Product . . . . . : Unhide
Publisher . . . . : Bleeping Computer, LLC
Description . . . : Unhides files made hidden by FakeHDD Rogues
Version . . . . . : 2.0.0.0
Copyright . . . . : Copyright (C) 2004-2012
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 22.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Time indicates that the file appeared recently on this computer.

C:\Users\Pedram\My Completed Downloads\free sms\Send_Free_Sms_By_CrOwN._NEW_\install this first\widgetsus.exe
Size . . . . . . . : 12,302,384 bytes
Age . . . . . . . : 654.0 days (2011-05-23 17:27:50)
Entropy . . . . . : 8.0
SHA-256 . . . . . : F9DB2115F1DAD684287C46A904A908405A8B1E7C8BF307491BF81D0D42E85B8B
Publisher . . . . : Yahoo! Inc.
Description . . . : Yahoo! Widgets Setup
Version . . . . . : 2007.05.04.01
Copyright . . . . : Copyright (c) 2007 Yahoo! Inc.
RSA Key Size . . . : 1024
Authenticode . . . : Invalid
Fuzzy . . . . . . : 23.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

C:\Users\Pedram\My Completed Downloads\RegCure 2.0.0.0\RegCureSetup_RW.exe
Size . . . . . . . : 2,056,616 bytes
Age . . . . . . . : 654.0 days (2011-05-23 17:28:30)
Entropy . . . . . : 8.0
SHA-256 . . . . . : EAA20081113092CEA171FB43DB226CEC6E23D48EB0DE231BA09857D8474CFE59
Product . . . . . : RegCure
Publisher . . . . : ParetoLogic Inc.
Description . . . : RegCure Installer
Version . . . . . : 2.0.0.0
Copyright . . . . : Copyright © 2009 ParetoLogic Inc.
RSA Key Size . . . : 1024
Authenticode . . . : Invalid
Fuzzy . . . . . . : 28.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

C:\Windows\6B6C4C461B7E4A419E70ACFBB22B1D81.TMP\WiseCustomCall.dll
Size . . . . . . . : 66,956 bytes
Age . . . . . . . : 0.7 days (2013-03-07 00:45:55)
Entropy . . . . . : 6.3
SHA-256 . . . . . : 154F505561123A86FDB50954D2EDFE4878F19BE0CE46AEB7C5AC6BE8AFD4CC08
Publisher . . . . : Symantec, Inc.
Description . . . : WiseDll.dll
Version . . . . . : 8.00.0.214
Copyright . . . . : (c) Symantec, Inc. 2009 All rights reserved.
RSA Key Size . . . : 1024
Authenticode . . . : Invalid
Fuzzy . . . . . . : 22.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Time indicates that the file appeared recently on this computer.

C:\Windows\system32\d3dx9_30.dll
Size . . . . . . . : 3,927,248 bytes
Age . . . . . . . : 516.8 days (2011-10-07 22:42:33)
Entropy . . . . . : 6.4
SHA-256 . . . . . : 7D1374E3B921A70B5028472AB164D9E582E3C3525334235D642664189DA9B157
Product . . . . . : Microsoft® DirectX for Windows®
Publisher . . . . : Microsoft Corporation
Description
Version . . . . . : 9.12.589.0000
Copyright . . . . : © Microsoft Corporation. All rights reserved.
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 22.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.

C:\Windows\SysWOW64\D3DX9_42.dll
Size . . . . . . . : 1,892,184 bytes
Age . . . . . . . : 516.8 days (2011-10-07 22:43:32)
Entropy . . . . . : 6.8
SHA-256 . . . . . : F8B9CFAB7FFFBC8F98E41AA439D72921DC180634A1FEBCA2A9D41A0DF35D3472
Product . . . . . : Microsoft® DirectX for Windows®
Publisher . . . . : Microsoft Corporation
Description . . . : Direct3D 9 Extensions
Version . . . . . : 9.27.952.3001
Copyright . . . . : Copyright © Microsoft Corp. 1994-2007
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 22.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.

C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
Size . . . . . . . : 632,656 bytes
Age . . . . . . . : 408.0 days (2012-01-24 17:57:02)
Entropy . . . . . : 6.9
SHA-256 . . . . . : C3AC989C8489A23BB96400B1856F5325FFC67E844F04651EA5D61BC20A991C6D
Product . . . . . : Microsoft® Visual Studio® 2005
Publisher . . . . : Microsoft Corporation
Description . . . : Microsoft® C Runtime Library
Version . . . . . : 8.00.50727.6195
Copyright . . . . : © Microsoft Corporation. All rights reserved.
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 22.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
The file is in use by one or more active processes.

F:\Downloads\Mass Effect 2 DLC Pack Complete [tyrune18]\ME2_Terminus.exe
Size . . . . . . . : 18,226,976 bytes
Age . . . . . . . : 296.2 days (2012-05-15 13:59:15)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 2144DDD4907E05417C5F3874B0F361B688853C317E6D77879FF792FF619772D2
Product . . . . . : Mass Effect 2
Publisher . . . . : BioWare
Description . . . : Mass Effect 2 Installer
Version . . . . . : 1.03.0.1
Copyright . . . . : © 2010 EA International (Studio and Publishing) Ltd.
RSA Key Size . . . : 1024
Authenticode . . . : Invalid
Fuzzy . . . . . . : 23.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
References
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\F:\Downloads\Mass Effect 2 DLC Pack Complete [tyrune18]\ME2_Terminus.exe


Potential Unwanted Programs _________________________________________________

C:\Program Files (x86)\Babylon\ (Babylon)
C:\Program Files (x86)\Babylon\Babylon Toolbar\ (Babylon)
C:\Program Files (x86)\Babylon\Babylon Toolbar\BabylonIEToolBar.dll (Babylon)
Size . . . . . . . : 267,488 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:50)
Entropy . . . . . : 6.3
SHA-256 . . . . . : 86A83C0E9414866C9920F2E72C2A9CEF87A066BC519224AC69D9FB9494676466
Product . . . . . : Babylon IE Toolbar
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon Information Toolbar
Version . . . . . : 2.0.1.5
Copyright . . . . : Copyright © Babylon Ltd. 1997-2005
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : -17.0
Startup
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{965B54B0-71E0-4611-8DE7-F73FA0B20E26}
References
HKLM\SOFTWARE\Wow6432Node\Classes\BabylonTBLib.BabylonTB.1\
HKLM\SOFTWARE\Wow6432Node\Classes\BabylonTBLib.BabylonTB\
HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{965B54B0-71E0-4611-8DE7-F73FA0B20E26}\
HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{162484B8-B114-453f-A344-C0B24B0F1D99}\
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{965B54B0-71E0-4611-8DE7-F73FA0B20E26}\

C:\Program Files (x86)\Babylon\Babylon Toolbar\BabyServices.dll (Babylon)
Size . . . . . . . : 886,272 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:50)
Entropy . . . . . : 5.3
SHA-256 . . . . . : FC31A2EE9C084153DB7C6FAFE87225AC393A4AC19ABF3AFF4397A8AAE91704C0
Product . . . . . : Babylon Client
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon Services
Version . . . . . : 7.0.1.4
Copyright . . . . : Copyright © Babylon Ltd. 1997-2005
Fuzzy . . . . . . : -12.0

C:\Program Files (x86)\Babylon\Babylon Toolbar\TBLog.txt (Babylon)
C:\Program Files (x86)\Babylon\Babylon Toolbar\TBStrings.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\ (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe (Babylon)
Size . . . . . . . : 891,904 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:46)
Entropy . . . . . : 7.9
SHA-256 . . . . . : 457EE52ED7105F2725B25F0153C54E1229BB65694A6C302BF1249FE199BB1058
Product . . . . . : Babylon Client
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon Information Tool
Version . . . . . : 7.0.1.4
Copyright . . . . : Copyright © Babylon Ltd. 1997-2007
Fuzzy . . . . . . : 4.0
References
C:\Users\Pedram\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Babylon.lnk
C:\Users\Pedram\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Babylon Information Tool.lnk
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe

C:\Program Files (x86)\Babylon\Babylon-Pro\BabyServices.dll (Babylon)
Size . . . . . . . : 886,272 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:46)
Entropy . . . . . : 5.3
SHA-256 . . . . . : FC31A2EE9C084153DB7C6FAFE87225AC393A4AC19ABF3AFF4397A8AAE91704C0
Product . . . . . : Babylon Client
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon Services
Version . . . . . : 7.0.1.4
Copyright . . . . : Copyright © Babylon Ltd. 1997-2005
Fuzzy . . . . . . : -8.0

C:\Program Files (x86)\Babylon\Babylon-Pro\BContentServer.dll (Babylon)
Size . . . . . . . : 2,107,392 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:46)
Entropy . . . . . : 6.1
SHA-256 . . . . . : 74A1815C7696AB131BAA26562827355FA2973D482FD7F8C0CC808256E852A5C1
Product . . . . . : Babylon Client
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon Content
Version . . . . . : 7.0.1.4
Copyright . . . . : Copyright © Babylon Ltd. 1997-2005
Fuzzy . . . . . . : -8.0

C:\Program Files (x86)\Babylon\Babylon-Pro\BException.dll (Babylon)
Size . . . . . . . : 101,376 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:46)
Entropy . . . . . : 6.2
SHA-256 . . . . . : 06752498AEE11584176C6E2ECB9595FCDD7F0AE28800D32F2A5D870735B37191
Product . . . . . : Babylon Client
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon EXception
Version . . . . . : 7.0.1.4
Copyright . . . . : Copyright © Babylon Ltd. 1997-2005
Fuzzy . . . . . . : -8.0

C:\Program Files (x86)\Babylon\Babylon-Pro\captlib.dll (Babylon)
Size . . . . . . . : 178,176 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:46)
Entropy . . . . . : 6.4
SHA-256 . . . . . : 5D8BBD12B734FC75064C6F1B14E56FCEBD8D5FCEA795BE0752814420591A5884
Product . . . . . : Babylon Client
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon Information Tool
Version . . . . . : 7.0.1.4
Copyright . . . . : Copyright © Babylon Ltd. 1997-2005
Fuzzy . . . . . . : -8.0

C:\Program Files (x86)\Babylon\Babylon-Pro\Data\ (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Data\Babylon.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Data\BaseList.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Data\BGLs\ (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Data\BGLs\BabySs.BGL (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Data\CSConfig.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Data\Features.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Data\Metaphone.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Data\Strings.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\ (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\bdcmpers.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\cslock.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT1.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT10.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT13.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT14.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT15.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT16.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT18.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT19.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT20.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT21.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT22.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT23.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT3.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT4.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT5.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT6.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT7.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT8.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Gloss\MRT9.bdc (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Help\ (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Help\Babylon.chm (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Updates\ (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Updates\Convert.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Updates\Rates.dat (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\ (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon)
Size . . . . . . . : 121,856 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:47)
Entropy . . . . . : 6.2
SHA-256 . . . . . : 4BF633CAECB715E4F5537993BD177507125BFE28308547E862F4782267E6CC4E
Product . . . . . : Babylon IE Addin
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon Internet Explorer Addin
Version . . . . . : 1.0.1.0
Copyright . . . . : Copyright © Babylon Ltd. 1997-2006
Fuzzy . . . . . . : -8.0


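The HitmanPro report above is a flat text dump, and acting on it means pulling three things out of it: the SHA-256 values of what was quarantined (for an external hash lookup), the files whose Authenticode signature the scanner reported as "Invalid" (which in this report includes Microsoft DirectX and C runtime DLLs and the BleepingComputer Unhide tool, so the verdict is a reason to verify, not proof of tampering), and the flagged binaries that had a network socket open. The parser below is an added example, not code from the thread or from HitmanPro; the record layout it assumes (section banners, dotted "Key . . . : value" fields, "> engine" detection lines, and Startup/References/Network Ports sub-lists) is inferred from the posted report and is an assumption rather than a documented format. Its sample input is an excerpt of the report posted above, re-typed into the block.

```python
"""Parse a HitmanPro 3.x text report into records for triage (added example).
Record layout is inferred from the report above, not from a documented format."""
import re

_SECTION = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?) _{5,}$")         # "Malware ______"
_RECORD = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|U|CR)\\)")           # file path or registry key
_FIELD = re.compile(r"^>?\s*(?P<key>[A-Za-z][A-Za-z0-9\- ]*?)\s*(?:\.\s*)*:\s*(?P<val>.*)$")
_FAMILY = re.compile(r"^(?P<path>.+?)(?: \((?P<family>[^()]+)\))?$")  # PUP tag "... (Babylon)"
_SUBLISTS = {"Startup", "References", "Network Ports"}


def parse_report(text):
    """Return one dict per flagged object, in report order."""
    records, section, rec, sub = [], None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                    # a blank line closes any open sub-list
            sub = None
            continue
        m = _SECTION.match(line)
        if m:
            section, rec, sub = m.group("name"), None, None
            continue
        if section is None:             # scan header (computer name, counts) is not a finding
            continue
        if rec is not None and line in _SUBLISTS:
            sub = line
            rec["refs"].setdefault(sub, [])
            continue
        if sub is not None:             # registry keys / ports listed under a sub-header
            rec["refs"][sub].append(line)
            continue
        if _RECORD.match(line):         # test before _FIELD: "C:\..." contains a colon too
            path, _, action = line.partition(" -> ")
            fam = _FAMILY.match(path)
            rec = {"section": section, "path": fam.group("path"), "family": fam.group("family"),
                   "action": action or None, "fields": {}, "detections": {}, "notes": [], "refs": {}}
            records.append(rec)
            continue
        if rec is None:
            continue
        m = _FIELD.match(line)
        if m and line.startswith(">"):  # "> a-Squared . . : Trojan..." is an engine verdict
            rec["detections"][m.group("key")] = m.group("val")
        elif m:
            rec["fields"][m.group("key")] = m.group("val")
        else:                           # free-text heuristic explanations
            rec["notes"].append(line)
    return records


def unverified_signatures(records):
    """Objects whose Authenticode signature the scanner reported as Invalid.
    That verdict is a prompt to verify the file independently, not proof of tampering."""
    return [(r["path"], r["fields"].get("Publisher"), r["fields"].get("SHA-256"))
            for r in records if r["fields"].get("Authenticode") == "Invalid"]


def quarantined_hashes(records):
    """SHA-256 values of quarantined malware, for lookup in external hash services."""
    return sorted({r["fields"]["SHA-256"] for r in records
                   if r["section"] == "Malware" and r["action"] == "Quarantined"})


def listening_ports(records):
    """Flagged binaries that had a socket open at scan time."""
    return {r["path"]: r["refs"]["Network Ports"] for r in records if "Network Ports" in r["refs"]}


# Constructed sample: an excerpt of the report posted in this thread.
SAMPLE = r"""Malware _____________________________________________________________________

C:\Users\Pedram\My Completed Downloads\u96c.exe -> Quarantined
Size . . . . . . . : 487,424 bytes
SHA-256 . . . . . : BD13538B982629FD09122EFBE958AEBEA6AFEF58D3031CC282E6340763777B2E
> a-Squared . . . . : Trojan.Win32.UltraSurf!A2
Fuzzy . . . . . . : 114.0

Suspicious files ____________________________________________________________

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
SHA-256 . . . . . : BFFDEEB7F6442E6086411324CECB59F58904F41EC8CCBF016037AB7247B01B29
Publisher . . . . : NVIDIA Corporation
Authenticode . . . : Invalid
Running processes : 4080
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Startup
HKLM\SYSTEM\CurrentControlSet\Services\nvUpdatusService\
Network Ports
127.0.0.1:2559

Potential Unwanted Programs _________________________________________________

C:\Program Files (x86)\Babylon\ (Babylon)
C:\Program Files (x86)\Babylon\Babylon Toolbar\BabylonIEToolBar.dll (Babylon)
Authenticode . . . : Valid
Startup
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{965B54B0-71E0-4611-8DE7-F73FA0B20E26}
"""
```

Run it against the full report text saved from the thread (`parse_report(open(path).read())`). The paths returned by `unverified_signatures` are the ones to re-check on the machine with PowerShell's `Get-AuthenticodeSignature` or Sysinternals `sigcheck` before anything is deleted, and the values from `quarantined_hashes` are what to submit to a hash lookup service; `listening_ports` singles out findings such as daemonu.exe on 127.0.0.1:2559, where the port and the owning service are worth confirming with `netstat -abno` rather than taken from the scanner alone.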

#19
March 7, 2013 at 09:22:46
Part 2:

C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOfficePI.dll (Babylon)
Size . . . . . . . : 179,712 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:47)
Entropy . . . . . : 6.4
SHA-256 . . . . . : 1020B4565F1ED1FE7B6E701ACBCF5660AC0A86E0CF82496CE9D5CF8DB92FEFE4
Product . . . . . : Babylon Office Addin
Publisher . . . . : Babylon Ltd.
Description . . . : Babylon Office Addin
Version . . . . . : 1.0.1.0
Copyright . . . . : Copyright © Babylon Ltd. 1997-2006
Fuzzy . . . . . . : -8.0

C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonRPI.api (Babylon)
Size . . . . . . . : 143,360 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:47)
Entropy . . . . . : 6.4
SHA-256 . . . . . : 3E8A9036E56C320AE26FAC6953DB583A807B7371D29BE5748458AEF04BFC58A7
Product . . . . . : Babylon BabylonRPI
Publisher . . . . : Babylon
Description . . . : Babylon Plug in for Acrobat Reader
Version . . . . . : 1.0.1.0
Copyright . . . . : Copyright © Babylon Ltd. 1997-2006
Fuzzy . . . . . . : -4.0

C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonToolbar.msi (Babylon)
C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\uninstbb.exe (Babylon)
Size . . . . . . . : 302,816 bytes
Age . . . . . . . : 655.4 days (2011-05-22 08:08:46)
Entropy . . . . . : 6.2
SHA-256 . . . . . : 743E604A243076AE9D2D4CC1C497A8F16DBF5281ED71EA66023CE101C4257DDA
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : -13.0

C:\Users\Pedram\AppData\Local\Babylon\ (Babylon)
C:\Users\Pedram\AppData\Local\Babylon\History\ (Babylon)
C:\Users\Pedram\AppData\Local\Babylon\History\bph1.dat (Babylon)
C:\Users\Pedram\AppData\Local\Babylon\History\bph2.dat (Babylon)
C:\Users\Pedram\AppData\Local\Babylon\History\bph3.dat (Babylon)
C:\Users\Pedram\AppData\Local\Babylon\History\bph4.dat (Babylon)
C:\Users\Pedram\AppData\Local\Babylon\History\bph5.dat (Babylon)
C:\Users\Pedram\AppData\Local\funmoods.crx (Funmoods)
C:\Users\Pedram\AppData\Roaming\Babylon\ (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\ (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\08URYUVWF6_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\3ZCCGQGCV2_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\5VPNZNCVB2_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\5VPNZNCVB2_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\APS47U8VUT_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\APS47U8VUT_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\ARV6FUJ2JP_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\BTMJWKZGYE_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\C90E5ZPPQ6_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\C90E5ZPPQ6_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\DJV0B475ZT_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\DJV0B475ZT_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\DM98JDDVAE_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\DM98JDDVAE_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\EPFPNRKD7E_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\EPFPNRKD7E_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\EQ9WDHUY3E_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\EQ9WDHUY3E_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\FHQT5FSZM6_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\FHQT5FSZM6_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\KMCYHDKE6T_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\KMCYHDKE6T_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\N0PTYH7W0E_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\N0PTYH7W0E_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\P27TEAZ6X6_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\P27TEAZ6X6_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\S7HE5XG6JJ_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\S8ERQJDWNX_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\S8ERQJDWNX_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\T8HF0V64DT_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\T8HF0V64DT_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\XCUMWR7TY6_glossary_icon.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\XCUMWR7TY6_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\YBDNAPE8C6_glossary_icon.jpg (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\icons\YBDNAPE8C6_glossary_icon2.ico (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\manuals\ (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\manuals\3ZCCGQGCV2_glossary_manual.pdf (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\Content\manuals\S7HE5XG6JJ_glossary_manual.pdf (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\except.txt (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\FLStat.dat (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\log_file.txt (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\MyList.dat (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\ocr_cache (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\ocr_data (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\updates\ (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\updates\convert.dat (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\updates\rates.dat (Babylon)
C:\Users\Pedram\AppData\Roaming\Babylon\user.dmp (Babylon)
HKLM\SOFTWARE\Classes\AppID\BabylonIEPI.DLL\ (Babylon)
HKLM\SOFTWARE\Classes\AppID\escort.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\escortApp.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\escortEng.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\{B16632F1-24E0-4D99-A68D-70BFB6447C48}\ (Babylon)
HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\ (Funmoods)
HKLM\SOFTWARE\Classes\BabyDict\ (Babylon)
HKLM\SOFTWARE\Classes\BabyGloss\ (Babylon)
HKLM\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin.1\ (Babylon)
HKLM\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin\ (Babylon)
HKLM\SOFTWARE\Classes\BabyOptFile\ (Babylon)
HKLM\SOFTWARE\Classes\escort.escortIEPane.1\ (Funmoods)
HKLM\SOFTWARE\Classes\escort.escortIEPane\ (Funmoods)
HKLM\SOFTWARE\Classes\f\ (Funmoods)
HKLM\SOFTWARE\Classes\funmoods.dskBnd.1\ (Funmoods)
HKLM\SOFTWARE\Classes\funmoods.dskBnd\ (Funmoods)
HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1\ (Funmoods)
HKLM\SOFTWARE\Classes\funmoodsApp.appCore\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{B7EA2226-F876-4BE4-B478-76EBAE2A668A}\ (Babylon)
HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ (Funmoods)
HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ (Funmoods)
HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/bdc\ (Babylon)
HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/bgl\ (Babylon)
HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/bof\ (Babylon)
HKLM\SOFTWARE\Classes\Prod.cap\ (Claro)
HKLM\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\ (Funmoods)
HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
HKLM\SOFTWARE\Classes\TypeLib\{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}\ (Babylon)
HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
HKLM\SOFTWARE\Classes\TypeLib\{F310F027-15CB-4A7F-B10D-3A4AFB5013A5}\ (Babylon)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\BabylonIEPI.DLL\ (Babylon)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escort.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escortApp.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escortEng.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escorTlbr.DLL\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{B16632F1-24E0-4D99-A68D-70BFB6447C48}\ (Babylon)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6AC0BB10-C922-45e2-857D-2A368FE749E5}\ (Babylon)
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{B7EA2226-F876-4BE4-B478-76EBAE2A668A}\ (Babylon)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}\ (Babylon)
HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{F310F027-15CB-4A7F-B10D-3A4AFB5013A5}\ (Babylon)
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh\ (Funmoods)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Babylon.exe\ (Babylon)
HKLM\SOFTWARE\Wow6432Node\Babylon\ (Babylon)
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh\ (Funmoods)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (Funmoods)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\Babylon.exe\ (Babylon)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ (Funmoods)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Babylon\ (Babylon)
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Babylon\ (Babylon)
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh\ (Funmoods)
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ (Babylon)
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Office\Word\Addins\BabylonOfficeAddin.OfficeAddin\ (Babylon)
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ (Funmoods)
HKU\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ (Funmoods)

Cookies _____________________________________________________________________

C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\0S86NJES.txt
C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\4PPYU1LI.txt
C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\73FV4KQ0.txt
C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\8VOUJGHQ.txt
C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\ER425UK5.txt
C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\MX0VSKKU.txt
C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\SS4R36C6.txt
C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\TFNYTFNJ.txt
C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\US54YE65.txt
C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\XHPIT3TS.txt
C:\Users\Pedram\AppData\Roaming\Microsoft\Windows\Cookies\Y7P8WRV6.txt
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:112.2o7.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:247realmedia.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:2o7.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:3181142.fls.doubleclick.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad-emea.doubleclick.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.360yield.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.ad-srv.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.adc-serv.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.doubleclick.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.dyntracker.de
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.mlnadvertising.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.propellerads.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.reklamport.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.uk.doubleclick.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.yieldmanager.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ad.zanox.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:adbrite.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:adinterax.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.ad4game.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.ad4max.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.adk2.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.audience2media.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.cpxcenter.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.creative-serving.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.eurogamer.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.glispa.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.intergi.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.p161.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.pointroll.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.pubmatic.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ads.undertone.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:adserver.adreactor.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:adserver.adtechus.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:adtech.de
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:adtechus.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:advertising.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:adviva.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:apmebf.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ar.atwola.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:at.atwola.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:atdmt.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:atwola.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:aunica.112.2o7.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:bs.serving-sys.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:burstnet.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:c.atdmt.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:c1.atdmt.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:casalemedia.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:clicksor.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:collective-media.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:diamond-foxxx.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:dmtracker.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:doubleclick.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:eaeacom.112.2o7.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:eas.apm.emediate.eu
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:emjcd.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:exoclick.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:fastclick.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:getclicky.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:googleads.g.doubleclick.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:h.atdmt.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:hearstdigital.122.2o7.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:in.getclicky.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:interclick.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:invitemedia.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:kontera.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:livejasmin.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:media.fastclick.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:media6degrees.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:mediaplex.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:microsofthalo.122.2o7.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:microsoftsto.112.2o7.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:mm.chitika.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:myroitracking.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:network.realmedia.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:new.livejasmin.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:overture.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:partypoker.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:pointroll.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:questionmarket.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:realmedia.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:revsci.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:rotator.adjuggler.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:ru4.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:server.cpmstar.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:serving-sys.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:sexintheuk.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:smartadserver.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:specificclick.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:statcounter.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:static.getclicky.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:statse.webtrendslive.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:tacoda.at.atwola.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:tacoda.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:track.adform.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:track.effiliation.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:tradedoubler.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:tribalfusion.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:uk.sitestat.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:view.atdmt.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:weborama.fr
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:withings.solution.weborama.fr
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:www.googleadservices.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:www.sexintheuk.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:xiti.com
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:yadro.ru
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:yieldmanager.net
C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\cookies.sqlite:zedo.com


[/code]



#20
March 7, 2013 at 11:00:48
OK, after running ComboFix everything was OK & fixed, until my 3rd attempt to reboot my Windows, when I just started getting weird errors at start up again. It seems that the malware is activated again... I don't know, I just get confused right now! :(


#21
March 7, 2013 at 11:10:22
We are dismantling the infections, bit by bit.

You have been installing toolbars. A lot of programs now give you the choice to install toolbars & others during the install. Either uncheck these items during install, or use Custom.

9: Run ESET Online Scanner, Copy & Paste the contents of the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a thumb drive & run it from there, if your comp is unbootable, or won't let you download.
Create an ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...



#22
March 7, 2013 at 11:18:20
Hi again, should I repeat post #10's instructions again before doing #21? Because everything is just messed up again (see post #20).


#23
March 7, 2013 at 11:21:45
"Hi again, should I repeat post #10's instructions again before doing #21?"
Hi Pedram, go straight into #21 & run ESET, we can always go back to the others.


#24
March 7, 2013 at 12:50:05
Thank you John for your support. I need to download 1.7 GB for the ESET SysRescue CD... it will take too long with my 128 kb... when I have finished all the steps I will inform you a.s.a.p. in this post :) Be right back with new logs.


#25
March 10, 2013 at 11:38:15
Hi again, sorry for the late post. I downloaded (WAIK) for Win 7 twice, but in the middle of installation it gives me this error: the cabinet file 'neutral.cab' required for installation is corrupt & cannot be used!!

Please, is there any other way to fix my problem?? I cannot install that WAIK software & without that I cannot create the rescue CD or USB :/



#26
March 10, 2013 at 12:01:14
"Please, is there any other way to fix my problem??"
Lots of ways, we have to outsmart the virus.

Can you take the drive out & slave it to another computer & run all the programs I give you from the slave comp?



#27
March 10, 2013 at 12:14:24
Unfortunately not right now... you mean installing WAIK & creating the rescue CD in another comp?


#28
March 10, 2013 at 12:28:26
"Unfortunately not right now... you mean installing WAIK & creating the rescue CD in another comp?"
No need to do that, download the ESET tool onto the good comp & then scan the slaved (infected) drive.


#29
March 10, 2013 at 12:31:31
Here are some other tools to try before you slave; you might get lucky & at least get rid of enough infections to run ESET on your infected comp.

http://www.kaspersky.com/security-scan
http://www.f-secure.com/en/web/home...
http://housecall.trendmicro.com/au/
http://www.pandasecurity.com/homeus...
http://www.bitdefender.com/scanner/...

Kaspersky Rescue Disk
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://support.kaspersky.com/viruse...
Create Bootable Kaspersky USB Rescue Disk
http://www.techmixer.com/create-boo...
http://support.kaspersky.com/viruse...
Kaspersky Rescue Disk 10 is designed to scan and disinfect x86 and x64-compatible computers that have been infected.

Avira AntiVir Rescue System
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.free-av.de/en/tools/12/a...
http://www.geckoandfly.com/2008/11/...
http://www.geckoandfly.com/6247/how...
Tutorial
http://forum.avira.com/wbb/index.ph...
* scan the system for virus infections.

F-Secure Rescue CD
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.f-secure.com/en_EMEA/sec...
User guide
http://www.f-secure.com/linux-weblo...
If your computer no longer starts due to malware corrupting the operating system, or you suspect the security software has been compromised, you can use the F-Secure Rescue CD to securely boot up the computer and check the programs installed.

Dr.Web LiveCD
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.freedrweb.com/livecd
Clean a Non-Bootable Windows with DrWeb Live CD
http://www.computing.net/howtos/sho...
Dr.Web LiveCD will clean your computer of infected and suspicious files.

AVG Rescue CD
http://www.softpedia.com/get/PORTAB...
http://www.avg.com/us-en/avg-rescue-cd
Guide
http://www.avg.com/ww-en/226386
http://www.avg.com/us-en/226386
http://www.avg.com/ww-en/226386#utils
http://free.avg.com/us-en/226162
http://www.guidingtech.com/2083/avg...
http://www.techsupportforum.com/for...
Video Tutorial
http://www.youtube.com/watch?v=fGX-...
FAQ
http://free.avg.com/us-en/faq.num-2...
http://www.avg.com/ww-en/faq?num=10...
Download Rescue CD (for CD creation)
http://www.avg.com/us-en/download-f...
Download Rescue CD (for USB stick)
http://www.avg.com/us-en/download-f...
http://reboot.pro/12886/
A powerful toolset for rescue & repair of infected machines.



#30
March 10, 2013 at 12:46:42
Thank you very much John... I will start trying them one by one & will inform you about the results a.s.a.p.


#31
March 10, 2013 at 12:50:46
"Thank you very much John... I will start trying them one by one & will inform you about the results a.s.a.p."
Should have mentioned, always try Safe mode, if you can't run normal.


#32
March 12, 2013 at 15:53:47
Hi John... I tried to do post #29's steps, but I had problems with booting from USB. Anyway, I successfully removed those infected registry files from my system... but as you can guess I've got serious problems with opening programs on my Windows.
Based on my IE8 & some other programs' errors & my ComboFix log I have a problem with: c:\windows\SysWow64\mshtml.dll
(in the ComboFix log it's the only file that wasn't replaced or fixed)

Can you help me with that? It seems my registry & DLL file got corrupted after virus removal. How can I fix them?



#33
March 12, 2013 at 15:59:53
Pedram, uninstall ComboFix, download the new version & run again please.

Uninstall ComboFix.
Start > Run, Copy and Paste > ComboFix /uninstall and click OK.



#34
March 12, 2013 at 16:07:23
Hi John, in the middle of uninstallation ComboFix warned me with this message: there is a newer version of ComboFix available, would you like to update ComboFix?

What should I do now? Press yes or no?



#35
March 12, 2013 at 16:12:00
"What should I do now? Press yes or no?"
Never heard of that before, so to be safe, say no & go to the site I gave you.


#36
March 12, 2013 at 16:31:35
I always run ComboFix in normal mode, not safe mode. Will it be a problem? Can that program even run in safe mode??


#37
March 12, 2013 at 16:42:19
"will it be a problem?"
Don't know. Trillions of combinations.

"Can that program even run in safe mode??"
Yes, but will the infection let you, is another question.

Try Normal & then Safe; if unsuccessful, there are other tricks to outsmart the virus.



#38
March 12, 2013 at 17:08:05
OK, strange thing happened! It fixed & disinfected c:\windows\SysWow64\mshtml.dll!!

But it failed to fix another file: c:\windows\SysWOW64\ntkrnlpa.exe . . . is infected!!

It seems the previous problems are solved... but as you can see, it failed to fix another file!



#39
March 12, 2013 at 17:12:45
I just ran Malwarebytes now... this time no infections detected. Here is the log:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.12.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Pedram :: DESKTOP [administrator]

Protection: Disabled

3/13/2013 3:38:25 AM
mbam-log-2013-03-13 (03-38-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 252250
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#40
March 12, 2013 at 17:13:02
"OK, strange thing happened!"
Not strange at all, no one program can keep up with the baddies; they are always in front.

Try ESET again & let's see if it will run.



#41
March 13, 2013 at 07:10:01
Hi John, every time I try to perform a full scan with the NOD32 online scanner or a Malwarebytes full scan, in the middle of scanning I get a blue screen error! Any ideas? Also I cannot create the rescue disk or USB... :(


#42
March 13, 2013 at 15:48:11
"Malwarebytes full scan"
Quick scan is all that's needed.

Quick Scan versus Full Scan
http://forums.malwarebytes.org/inde...
Basically, a quick scan searches in all areas that malware likes to hide. Also, if you run a full scan, some malware has a chance to change itself, so the longer the scan, the longer the malware (if you have this type of malware) has to change.
A full scan will scan everything, and the only thing that a full scan will find that a quick scan will not are already-dead traces of infections that are gone already and items in the system restore area. Items in the system restore area cannot harm your machine unless you use an infected restore point.



#43
March 13, 2013 at 15:49:17
"I cannot create the rescue disk or USB... :("
You have to do that on a good computer.


#44
March 15, 2013 at 01:56:23
Hi John, I just don't know how to thank you for your help & support... I just repeated all the processes again & simply... problem solved! I just tested it the whole day to be sure & no more errors... no more blue screen... no more viruses... my PC even acts better than before! It seems another malware on my desktop that was corrupted & infected was the Babylon translate machine & many many Ask toolbars that were installed on my browsers & infected my system32 section. I removed them with HitmanPro & ran the newest version of ComboFix... ComboFix detected no more errors. I checked it with Malwarebytes too and everything is OK... & till now nothing has gone wrong...

I am so glad to know you & this community on this site... wish you the best of luck John. From now on, if I get any problem I know who I should talk with :)



#45
March 15, 2013 at 02:50:17
Bit more to do, Pedram.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://www.sur-la-toile.com/RogueKi...
http://www.sur-la-toile.com/RogueKi...
Download & SAVE to your Desktop.
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller.



#46
March 15, 2013 at 04:40:39
Thanks John, here is log 1 before delete & repair. I will post log 2 after delete & repair in a 2nd post.

RogueKiller V8.5.3 [Mar 13 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Pedram [Admin rights]
Mode : Scan -- Date : 03/15/2013 15:00:35
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{065B45C6-BA24-4379-9A27-40BAE0256DA4} : NameServer (91.98.98.98,8.8.8.8) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD50 00AADS-00M2B SCSI Disk Device +++++
--- User ---
[MBR] 63ebc42dcf0759a0b5d98c4e9fdfef11
[BSP] 01b3b66434ff21f555763ae272604b47 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99899 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 204800400 | Size: 376929 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_03152013_02d1500.txt >>
RKreport[1]_S_03152013_02d1500.txt




#47
March 15, 2013 at 04:41:38
Log after repair (RK report 2):

RogueKiller V8.5.3 [Mar 13 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Pedram [Admin rights]
Mode : Remove -- Date : 03/15/2013 15:02:06
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{065B45C6-BA24-4379-9A27-40BAE0256DA4} : NameServer (91.98.98.98,8.8.8.8) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> NOT REMOVED, USE DNSFIX
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD50 00AADS-00M2B SCSI Disk Device +++++
--- User ---
[MBR] 63ebc42dcf0759a0b5d98c4e9fdfef11
[BSP] 01b3b66434ff21f555763ae272604b47 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99899 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 204800400 | Size: 376929 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_03152013_02d1502.txt >>
RKreport[1]_S_03152013_02d1500.txt ; RKreport[2]_D_03152013_02d1502.txt



#48
March 15, 2013 at 04:59:50
Still some nasties hanging on, you should now download ESET, from a faster comp if you want to, then copy & paste it onto your desktop.

Double click on it to run.

Run ESET Online Scanner, Copy & Paste the contents of the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...



#49
March 15, 2013 at 05:10:25
"[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{065B45C6-BA24-4379-9A27-40BAE0256DA4} : NameServer (91.98.98.98,8.8.8.8) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> NOT REMOVED, USE DNSFIX"

Oops, USE DNSFIX. Did you? It's on the RogueKiller page.


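The RogueKiller lines John quotes above are the security-relevant part of that log: the [DNS] entries show per-interface NameServer values that RogueKiller did not trust, the [HJ] line shows ConsentPromptBehaviorAdmin set to 0 (UAC elevates without prompting), and the same interface GUID shows up under ControlSet001, 002 and 003, so a fix applied to only the current control set leaves the other boot configurations pointing at the same resolvers. The following parser is an added example for this thread; it is not RogueKiller's code or DNSFIX. The line format is inferred from the reports posted in this thread, the sample input is the ten entries from post #46, and the resolver allowlist is an assumption for illustration that a reader must replace with the resolvers they actually expect on their own network.

```python
"""Parse the 'Registry Entries' section of a RogueKiller report and flag resolvers
that are not on an allowlist.  Added example, not RogueKiller's own code; the
line format is inferred from the reports posted in this thread."""
import re
from dataclasses import dataclass

# [TAG] key : name (value) -> action
# e.g. [DNS] HKLM\[...]\Interfaces\{GUID} : NameServer (1.2.3.4,8.8.8.8) -> FOUND
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[A-Z ]+)\]\s+(?P<key>\S+)\s+:\s+(?P<name>\S+)\s+"
    r"\((?P<value>[^)]*)\)\s+->\s+(?P<action>.+?)\s*$"
)


@dataclass
class Entry:
    tag: str     # DNS, HJ, HJPOL, HJ DESK, ...
    key: str     # registry key as RogueKiller abbreviates it
    name: str    # value name (a GUID for HJ DESK lines)
    value: str   # data shown inside the parentheses
    action: str  # FOUND / DELETED / REPLACED (x) / NOT REMOVED, USE DNSFIX


def parse_registry_entries(report: str) -> list:
    """Return every registry-entry line of the report as an Entry; other lines are skipped."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def nameservers(entry: Entry) -> list:
    """Split a NameServer value; the posted log shows both comma- and space-separated lists."""
    return [s for s in re.split(r"[,\s]+", entry.value) if s]


def rogue_dns(entries, allowlist) -> list:
    """(interface key, [resolvers not on the allowlist]) for each [DNS] entry that has any.
    One interface GUID can appear under several ControlSetNNN keys; each is reported
    separately because each is a separate boot configuration that must be cleaned."""
    flagged = []
    for e in entries:
        if e.tag != "DNS" or e.name != "NameServer":
            continue
        unknown = [s for s in nameservers(e) if s not in allowlist]
        if unknown:
            flagged.append((e.key, unknown))
    return flagged


def uac_prompt_disabled(entries) -> bool:
    """True when ConsentPromptBehaviorAdmin is 0, i.e. admin elevation happens with no prompt."""
    return any(e.name == "ConsentPromptBehaviorAdmin" and e.value == "0" for e in entries)


def count_by_tag(entries) -> dict:
    counts = {}
    for e in entries:
        counts[e.tag] = counts.get(e.tag, 0) + 1
    return counts


# Sample input: the ten entries from the first RogueKiller scan posted in this thread (#46).
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 10 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{065B45C6-BA24-4379-9A27-40BAE0256DA4} : NameServer (91.98.98.98,8.8.8.8) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Services\Tcpip\Interfaces\{B51BC99F-A714-478B-B18E-E529138104EE} : NameServer (190.211.253.2 31.7.58.243) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
"""

# Assumed allowlist for illustration only: Google public DNS plus one resolver taken
# from the posted log as if it were the user's known ISP resolver.  Replace with the
# resolvers you actually expect on your own network.
EXPECTED_RESOLVERS = {"8.8.8.8", "91.98.98.98"}

if __name__ == "__main__":
    found = parse_registry_entries(SAMPLE_REPORT)
    print("entries by tag:", count_by_tag(found))
    for key, unknown in rogue_dns(found, EXPECTED_RESOLVERS):
        print("resolvers not on allowlist", unknown, "on", key)
    print("UAC prompt disabled:", uac_prompt_disabled(found))
```

The parser keeps the action field, so the same functions work on the "Remove" report too, where the DNS lines end in "NOT REMOVED, USE DNSFIX" and the UAC line in "REPLACED (2)"; comparing the [DNS] entries of the scan before and after running DNSFIX (the third log in this thread reports zero entries) is the check that the fix actually reached every control set.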

#50
March 16, 2013 at 03:51:19
Sorry for the late posts John, I am currently away from my PC because of my work & typing this message from another PC. I will do DNSFix & the other stuff a.s.a.p. & post you the logs.


#51
March 16, 2013 at 07:39:09
OK, Pedram, when you are ready.


#52
March 16, 2013 at 12:47:11
Hi John, I hit the fix DNS & did that. After that, however, everything is fine now except for 1 thing: the infection is just targeting the c:\windows\SysWow64\mshtml.dll file... whatever it is, it interferes with 64-bit programs that need to log on to the internet... and stops them responding because it cuts the connection (for example Internet Explorer 64-bit... crashes when you are closing it, or closing tabs, but Explorer 32-bit has no problem). Firefox works fine too, but a 64-bit program that connects to the net has the potential of crashing in the middle...

OK, enough said... what's your advice John? I know I have to do the NOD32 scan... but is there any alternate way to fix c:\windows\SysWow64\mshtml.dll?

Here is the RK log after FixDNS:
RogueKiller V8.5.3 [Mar 13 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Pedram [Admin rights]
Mode : Scan -- Date : 03/16/2013 19:55:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD50 00AADS-00M2B SCSI Disk Device +++++
--- User ---
[MBR] 63ebc42dcf0759a0b5d98c4e9fdfef11
[BSP] 01b3b66434ff21f555763ae272604b47 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99899 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 204800400 | Size: 376929 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[5]_S_03162013_02d1955.txt >>
RKreport[1]_S_03162013_02d1952.txt ; RKreport[2]_D_03162013_02d1953.txt ; RKreport[3]_S_03162013_02d1954.txt ; RKreport[4]_DN_03162013_02d1955.txt ; RKreport[5]_S_03162013_02d1955.txt



#53
March 16, 2013 at 13:22:50
"fix c:\windows\SysWow64\mshtml.dll?"
Lots of things we can do; whether they will work before running ESET, I have no idea.

Try Tweaking.com - Windows Repair & Check > Repair Internet Explorer

http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.tweaking.com/
http://www.tweaking.com/content/pag...



#54
March 17, 2013 at 03:43:12
ESET online system files & drive scan log:

# scan_time=1633
sh=174B4984C45177B554D25F8999F44DF5CA771E8C ft=1 fh=de76e9361c4ed4f9 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll"
sh=174B4984C45177B554D25F8999F44DF5CA771E8C ft=1 fh=de76e9361c4ed4f9 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Users\All Users\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll"
sh=97C25E70613F2D26188C781CBC4B07AB79B84C2B ft=0 fh=0000000000000000 vn="Win32/UltraReach application" ac=I fn="C:\Users\Pedram\u1004.zip"
sh=4DA17268B3DF21E56D908AF079A8461A142C3562 ft=0 fh=0000000000000000 vn="Win32/UltraReach application" ac=I fn="C:\Users\Pedram\U1017.rar"
sh=CD131CA5BB0093D56C026CF481B048707FDAA245 ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application" ac=I fn="C:\Users\Pedram\u97.zip"
sh=7818437256FC35C1B20487F40C15FF6BB0930D72 ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application" ac=I fn="C:\Users\Pedram\u993.zip"
sh=A2C3271C8815DD38508AD4866BBACDF26B940F6E ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application" ac=I fn="C:\Users\Pedram\u995.rar"
sh=DB332C6A8B21B94D1BAFB1D42C1BB8AC3E457BFB ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application" ac=I fn="C:\Users\Pedram\u995.zip"
sh=7529719BD3555637BE1A265BC013EF389F2EA604 ft=0 fh=0000000000000000 vn="Win32/UltraReach application" ac=I fn="C:\Users\Pedram\u997.zip"
sh=14E866DACA8A5955A0C381D304F42FFA2CB6B19C ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Users\Pedram\AppData\Local\Downloaded Installations\{C4C56A9A-B09E-4609-A758-D0F6091BA412}\ACDSee Pro 4.msi"
sh=71435DDB11E00D0243380C4902324853FE4ECE8F ft=1 fh=12b0cd2dde452d65 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Users\Pedram\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3O3EJ2W\ApnIC[1].0"
sh=71435DDB11E00D0243380C4902324853FE4ECE8F ft=1 fh=12b0cd2dde452d65 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Users\Pedram\AppData\Local\Temp\AskSLib.dll"
sh=A666E7EFDC1D6B0A73BFB7BCA1A9CBB142196BCE ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\extensions\504f3e07c656a@504f3e07c65a4.info.xpi"
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=438f316392d4644baab5498956df1b07
# engine=13405
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-03-17 09:05:39
# local_time=2013-03-17 01:35:39 (+0330, Iran Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776573 100 94 41667 115142179 0 0
# scanned=163517
# found=34
# cleaned=32
# scan_time=3964
sh=174B4984C45177B554D25F8999F44DF5CA771E8C ft=1 fh=de76e9361c4ed4f9 vn="a variant of Win32/Adware.Yontoo.B application" ac=I fn="C:\Users\All Users\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll"
sh=71435DDB11E00D0243380C4902324853FE4ECE8F ft=1 fh=12b0cd2dde452d65 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\ApnIC[1].0"
sh=174B4984C45177B554D25F8999F44DF5CA771E8C ft=1 fh=de76e9361c4ed4f9 vn="a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined)" ac=C fn="C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll"
sh=97C25E70613F2D26188C781CBC4B07AB79B84C2B ft=0 fh=0000000000000000 vn="Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\u1004.zip"
sh=4DA17268B3DF21E56D908AF079A8461A142C3562 ft=0 fh=0000000000000000 vn="Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\U1017.rar"
sh=CD131CA5BB0093D56C026CF481B048707FDAA245 ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\u97.zip"
sh=7818437256FC35C1B20487F40C15FF6BB0930D72 ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\u993.zip"
sh=A2C3271C8815DD38508AD4866BBACDF26B940F6E ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\u995.rar"
sh=DB332C6A8B21B94D1BAFB1D42C1BB8AC3E457BFB ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\u995.zip"
sh=7529719BD3555637BE1A265BC013EF389F2EA604 ft=0 fh=0000000000000000 vn="Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\u997.zip"
sh=708B81215E60A0C76E2E34F638CFE134355555DE ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\AppData\Local\Downloaded Installations\{C4C56A9A-B09E-4609-A758-D0F6091BA412}\ACDSee Pro 4.msi"
sh=A666E7EFDC1D6B0A73BFB7BCA1A9CBB142196BCE ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\extensions\504f3e07c656a@504f3e07c65a4.info.xpi"
sh=03888E451FFE0EC4771C18E1BA7A088FD43171DE ft=1 fh=6964ca0f2a10896a vn="a variant of Win32/Toolbar.Babylon.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Pedram\Downloads\Babylon9_setup.exe"
sh=76A33F18410CD93DC994975222AA0AC5606AF1DC ft=1 fh=2b6dd7985b72d1de vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Pedram\Downloads\cbsidlm-tr1_5-Freegate-10415391.exe"
sh=454A549CEF2889B563928F6D0EDA190F83526FCF ft=1 fh=bb1f3b8f46c384c8 vn="a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Pedram\Downloads\cnet2_antYoutubeDownloader-v0_1_6_24_exe(1).exe"
sh=454A549CEF2889B563928F6D0EDA190F83526FCF ft=1 fh=bb1f3b8f46c384c8 vn="a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Pedram\Downloads\cnet2_antYoutubeDownloader-v0_1_6_24_exe.exe"
sh=2E4F9113C34161086CE6BD477D9A529A9B2DF20F ft=1 fh=424767227e06d88b vn="a variant of Win32/Somoto.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Pedram\Downloads\Ctrl_Paint_-_Vehicle_Design_Start_To_Finish.part1.exe"
sh=525EB01389C7DA0FDED058BCA3B0A73271E4A700 ft=1 fh=e7e3e19f10c5d52e vn="Win32/TopMedia.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Pedram\Downloads\Mass Effect 3 Leviathan DLC-RELOADED_secure.exe"
sh=8CF169377F25E4F8B0A95174A4F8103BF6FF984A ft=0 fh=0000000000000000 vn="Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\Downloads\u98.zip"
sh=4E220C813FD9420CDB63C53FC9CF5B743AF75320 ft=0 fh=0000000000000000 vn="Win32/HackTool.Patcher.A application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\My Completed Downloads\RegCure 2.0.0.0.rar"
sh=DD1FCCB97D90F4AA00A2BED174DBA1E4D9E87DF4 ft=1 fh=420678feded6f007 vn="a variant of Win32/UltraReach.AC application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Pedram\My Completed Downloads\U95.exe"
sh=D369651B7E6FFB08F8A2BC5300A46E105B86259B ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach.AC application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\My Completed Downloads\u95.zip"
sh=7B6D5E2AAD897B2DFBC5D596202F93CAE6B87E67 ft=1 fh=1481a5ceb34efb30 vn="a variant of Win32/UltraReach application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Pedram\My Completed Downloads\u96.exe"
sh=A339A8D517EA12FBE3950AB50BEE9C9EE5CAC2F6 ft=0 fh=0000000000000000 vn="Win32/UltraReach.AC application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\My Completed Downloads\u96c.rar"
sh=DB231C6084FBE123AD30CAAD4C33AA397D5A921A ft=0 fh=0000000000000000 vn="Win32/UltraReach.AC application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\ultra surf files\u96c.rar"
sh=C2CBC2C68A9D2AE6FA4C0DFBE5FD7B8E92C25112 ft=1 fh=ac46c652b38887ae vn="a variant of Win32/UltraReach application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Pedram\ultra surf files\u97.exe"
sh=CD131CA5BB0093D56C026CF481B048707FDAA245 ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\ultra surf files\u97.zip"
sh=BC8400E38F44DE62E1CD6BA7656EAC1EF251B424 ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\ultra surf files\u99.zip"
sh=A386D9FC2663BC4A9A77BA5231193EE667659536 ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\ultra surf files\u991.zip"
sh=7818437256FC35C1B20487F40C15FF6BB0930D72 ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\ultra surf files\u993.zip"
sh=79F0B75482A086C831ADFF7A33DF19C912EF4BAA ft=1 fh=efd141c9c34240ce vn="a variant of Win32/UltraReach application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Pedram\ultra surf files\u995.exe"
sh=DB332C6A8B21B94D1BAFB1D42C1BB8AC3E457BFB ft=0 fh=0000000000000000 vn="a variant of Win32/UltraReach application (deleted - quarantined)" ac=C fn="C:\Users\Pedram\ultra surf files\u995.zip"
sh=708B81215E60A0C76E2E34F638CFE134355555DE ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask application (deleted - quarantined)" ac=C fn="C:\Windows\Installer\38099.msi"
sh=71435DDB11E00D0243380C4902324853FE4ECE8F ft=1 fh=12b0cd2dde452d65 vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\ApnIC[1].0"
ESETSmartInstaller@High as downloader log:
all ok

#55
March 17, 2013 at 03:46:33
I'm here, Pedram; stay close whilst I get my head around everything.

Do any other outstanding jobs I've asked you to do.

#56
March 17, 2013 at 03:51:39
Ok, here are some as per my post #14 that have not been run.

TDSSKiller
AdwCleaner
Junkware Removal Tool

#57
March 17, 2013 at 05:55:26
Hi John, thank you. I'm doing them step by step and will inform you ASAP.

#58
March 17, 2013 at 06:18:41
TDSSKiller didn't report any problem.

Here is the AdwCleaner log:

# AdwCleaner v2.114 - Logfile created 03/17/2013 at 17:42:54
# Updated 05/03/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Pedram - DESKTOP
# Boot Mode : Normal
# Running from : C:\Users\Pedram\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\searchplugins\daemon-search.xml
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\DAEMON Tools Toolbar
Folder Deleted : C:\Program Files (x86)\uTorrentControl_v2
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Pedram\AppData\Local\Conduit
Folder Deleted : C:\Users\Pedram\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Pedram\AppData\LocalLow\uTorrentControl_v2
Folder Deleted : C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\CT3220468
Folder Deleted : C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
Folder Deleted : C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\extensions\DTToolbar@toolbarnet.com
Folder Deleted : C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\Smartbar

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\uTorrentControl_v2
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
Key Deleted : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj
Key Deleted : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{537F4F0B-3542-4C7D-A3E5-CF121482696C}
Key Deleted : HKLM\Software\uTorrentControl_v2
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{537F4F0B-3542-4C7D-A3E5-CF121482696C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9B97D5B7-4BB9-4AAF-A4E4-B6DEC1B6F143}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9F6F8AC3-D8D4-422A-9724-8121FAE7916B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentControl_v2 Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\prefs.js

C:\Users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\user.js ... Deleted !

Deleted : user_pref("CT3220468.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3220468.FirstTime", "true");
Deleted : user_pref("CT3220468.FirstTimeFF3", "true");
Deleted : user_pref("CT3220468.LoginRevertSettingsEnabled", true);
Deleted : user_pref("CT3220468.RevertSettingsEnabled", true);
Deleted : user_pref("CT3220468.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT322[...]
Deleted : user_pref("CT3220468.UserID", "UN20843460938095604");
Deleted : user_pref("CT3220468.addressBarTakeOverEnabledInHidden", "true");
Deleted : user_pref("CT3220468.browser.search.defaultthis.engineName", true);
Deleted : user_pref("CT3220468.enableAlerts", "always");
Deleted : user_pref("CT3220468.enableFix404ByUser", "FALSE");
Deleted : user_pref("CT3220468.firstTimeDialogOpened", "true");
Deleted : user_pref("CT3220468.fixPageNotFoundErrorByUser", "TRUE");
Deleted : user_pref("CT3220468.fixPageNotFoundErrorInHidden", "true");
Deleted : user_pref("CT3220468.fixUrls", true);
Deleted : user_pref("CT3220468.installType", "Unknown");
Deleted : user_pref("CT3220468.isCheckedStartAsHidden", true);
Deleted : user_pref("CT3220468.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3220468.isFirstTimeToolbarLoading", "false");
Deleted : user_pref("CT3220468.isNewTabEnabled", false);
Deleted : user_pref("CT3220468.isPerformedSmartBarTransition", "true");
Deleted : user_pref("CT3220468.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Deleted : user_pref("CT3220468.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Deleted : user_pref("CT3220468.keyword", true);
Deleted : user_pref("CT3220468.lastVersion", "10.14.370.524");
Deleted : user_pref("CT3220468.migrateAppsAndComponents", true);
Deleted : user_pref("CT3220468.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"\",\"[...]
Deleted : user_pref("CT3220468.newSettings", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Deleted : user_pref("CT3220468.searchInNewTabEnabled", "false");
Deleted : user_pref("CT3220468.searchInNewTabEnabledByUser", "false");
Deleted : user_pref("CT3220468.searchInNewTabEnabledInHidden", "true");
Deleted : user_pref("CT3220468.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3220468.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
Deleted : user_pref("CT3220468.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
Deleted : user_pref("CT3220468.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1362409762770");
Deleted : user_pref("CT3220468.serviceLayer_services_appsMetadata_lastUpdate", "1362411971850");
Deleted : user_pref("CT3220468.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1362409762774");
Deleted : user_pref("CT3220468.serviceLayer_services_location_lastUpdate", "1363425950521");
Deleted : user_pref("CT3220468.serviceLayer_services_login_10.13.40.15_lastUpdate", "1358497317003");
Deleted : user_pref("CT3220468.serviceLayer_services_login_10.14.370.524_lastUpdate", "1363425943625");
Deleted : user_pref("CT3220468.serviceLayer_services_login_10.14.40.128_lastUpdate", "1359720494286");
Deleted : user_pref("CT3220468.serviceLayer_services_login_10.14.42.7_lastUpdate", "1360953423225");
Deleted : user_pref("CT3220468.serviceLayer_services_login_10.14.65.43_lastUpdate", "1363339485558");
Deleted : user_pref("CT3220468.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1362409762803");
Deleted : user_pref("CT3220468.serviceLayer_services_searchAPI_lastUpdate", "1362409763000");
Deleted : user_pref("CT3220468.serviceLayer_services_serviceMap_lastUpdate", "1363425941530");
Deleted : user_pref("CT3220468.serviceLayer_services_setupAPI_lastUpdate", "1362411967447");
Deleted : user_pref("CT3220468.serviceLayer_services_toolbarContextMenu_lastUpdate", "1362409762731");
Deleted : user_pref("CT3220468.serviceLayer_services_toolbarSettings_lastUpdate", "1363425947874");
Deleted : user_pref("CT3220468.serviceLayer_services_translation_lastUpdate", "1363425958190");
Deleted : user_pref("CT3220468.settingsINI", true);
Deleted : user_pref("CT3220468.smartbar.CTID", "CT3220468");
Deleted : user_pref("CT3220468.smartbar.Uninstall", "0");
Deleted : user_pref("CT3220468.smartbar.isHidden", true);
Deleted : user_pref("CT3220468.smartbar.toolbarName", "uTorrentControl_v2 ");
Deleted : user_pref("CT3220468.toolbarBornServerTime", "11-12-2012");
Deleted : user_pref("CT3220468.toolbarCurrentServerTime", "16-3-2013");
Deleted : user_pref("CT3220468.toolbarLoginClientTime", "Fri Mar 15 2013 13:01:26 GMT+0330 (Iran Standard Time[...]
Deleted : user_pref("CT3220468_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "uTorrentControl_v2 Customized Web Search");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468[...]
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3220468");
Deleted : user_pref("browser.search.selectedEngine", "uTorrentControl_v2 Customized Web Search");
Deleted : user_pref("extensions.504f3e07c6617.scode", "(function(){try{if('aol.com,mail.google.com,mystart.inc[...]
Deleted : user_pref("extensions.funmoods.aflt", "axl");
Deleted : user_pref("extensions.funmoods.autoRvrt", false);
Deleted : user_pref("extensions.funmoods.dfltLng", "");
Deleted : user_pref("extensions.funmoods.dfltSrch", false);
Deleted : user_pref("extensions.funmoods.dnsErr", true);
Deleted : user_pref("extensions.funmoods.envrmnt", "production");
Deleted : user_pref("extensions.funmoods.excTlbr", false);
Deleted : user_pref("extensions.funmoods.hmpg", false);
Deleted : user_pref("extensions.funmoods.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2[...]
Deleted : user_pref("extensions.funmoods.id", "0A05C699980B1CC2");
Deleted : user_pref("extensions.funmoods.instlDay", "15600");
Deleted : user_pref("extensions.funmoods.instlRef", "axl");
Deleted : user_pref("extensions.funmoods.isdcmntcmplt", true);
Deleted : user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
Deleted : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=axl&chnl=axl&cd=2XzuyEt[...]
Deleted : user_pref("extensions.funmoods.prdct", "funmoods");
Deleted : user_pref("extensions.funmoods.prtnrId", "funmoods");
Deleted : user_pref("extensions.funmoods.srchPrvdr", "Search");
Deleted : user_pref("extensions.funmoods.tlbrId", "base");
Deleted : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/?f=3&a=axl&chnl=axl&cd=2Xzuy[...]
Deleted : user_pref("extensions.funmoods.vrsn", "1.5.23.22");
Deleted : user_pref("extensions.funmoods.vrsni", "1.5.23.22");
Deleted : user_pref("extensions.funmoods_i.newTab", false);
Deleted : user_pref("extensions.funmoods_i.smplGrp", "none");
Deleted : user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.2217:13:38");
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&CU[...]
Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]
Deleted : user_pref("smartbar.machineId", "2IVDT//5IBNW50XPNMZVUJTAAO2/OV7YQ6FVYYUM0CFJF8PTAAQDHDJIEUHYQ0WW2MT[...]
Deleted : user_pref("smartbar.originalSearchAddressUrl", "");
Deleted : user_pref("smartbar.originalSearchEngine", false);

*************************

AdwCleaner[R1].txt - [12974 octets] - [17/03/2013 17:40:10]
AdwCleaner[S1].txt - [13150 octets] - [17/03/2013 17:42:54]

########## EOF - C:\AdwCleaner[S1].txt - [13211 octets] ##########

#59
March 17, 2013 at 06:38:53
My JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.2 (03.15.2013:1)
OS: Windows 7 Ultimate x64
Ran by Pedram on Sun 03/17/2013 at 18:00:11.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{965b54b0-71e0-4611-8de7-f73fa0b20e26}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\fixcleaner
Successfully deleted: [Registry Key] hkey_local_machine\software\fixcleaner
Successfully deleted: [Registry Key] hkey_local_machine\software\systweak

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Pedram\AppData\Roaming\fixcleaner"
Successfully deleted: [Folder] "C:\Users\Pedram\AppData\Roaming\registry mechanic"
Successfully deleted: [Folder] "C:\Program Files (x86)\fixcleaner"

~~~ FireFox

Emptied folder: C:\Users\Pedram\AppData\Roaming\mozilla\firefox\profiles\3zvxy2lz.default\minidumps [106 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 03/17/2013 at 18:07:03.85
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#60
March 17, 2013 at 08:05:02
My MBAM log (full scan):
Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 600871
Time elapsed: 57 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 8
C:\Users\Pedram\ultra surf files\U993.exe (PUP.UltraReach) -> No action taken.
D:\ADOBE\Patch.exe (Trojan.StartPage.SMR) -> No action taken.
D:\op\my usb data\U1017.exe (PUP.HackTool.Proxy) -> No action taken.
D:\op\my usb data\u995.exe (PUP.UltraReach) -> No action taken.
D:\op\my usb data\u997.exe (PUP.UltraReach) -> No action taken.
E:\Deus.EX.Human.Revolution.Augmented.Edition.STEAM.UNLOCKED-ALI213\ÓÎÏÀÍøNETSHOW.exe (Trojan.Agent) -> No action taken.
E:\Program Files (x86)\ABM\Battlefield Bad Company 2\Battlefield Bad Company 2\rld-bbc2.exe (RiskWare.Tool.HCK) -> No action taken.
F:\Perfect resize\OnOne Perfect Resize 7.0.7 Professional Edition\KeyGen.exe (RiskWare.Tool.CK) -> No action taken.

(end)

#61
March 17, 2013 at 08:24:03
Should I reinstall my graphics drivers etc., John, or run ComboFix? Windows seems to be acting weird, and Internet Explorer is giving errors again :I

#62
March 17, 2013 at 09:20:03
ComboFix log:

ComboFix 13-03-17.01 - Pedram 03/17/2013 20:29:46.7.3 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6144.4785 [GMT 4.5:30]
Running from: c:\users\Pedram\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2013-02-17 to 2013-03-17 )))))))))))))))))))))))))))))))
.
.
2013-03-17 16:13 . 2013-03-17 16:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-17 15:53 . 2013-03-17 15:53 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{54A233C1-46A6-4F90-91CC-F49F12E5BBB8}\offreg.dll
2013-03-17 13:30 . 2013-03-17 13:30 -------- d-----w- c:\windows\ERUNT
2013-03-17 13:29 . 2013-03-17 13:30 -------- d-----w- C:\JRT
2013-03-17 10:03 . 2010-11-11 23:10 29288 ----a-w- c:\windows\system32\nvhdap64.dll
2013-03-17 10:03 . 2010-11-11 23:10 155752 ----a-w- c:\windows\system32\drivers\nvhda64v.sys
2013-03-17 10:01 . 2013-03-17 10:01 -------- d-----w- c:\programdata\NVIDIA Corporation
2013-03-17 10:00 . 2010-12-19 22:22 67176 ----a-w- c:\windows\system32\OpenCL.dll
2013-03-17 10:00 . 2010-12-19 22:22 57960 ----a-w- c:\windows\SysWow64\OpenCL.dll
2013-03-17 10:00 . 2010-12-19 22:22 7728744 ----a-w- c:\windows\system32\nvwgf2umx.dll
2013-03-17 10:00 . 2010-12-19 22:22 5653096 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2013-03-17 09:39 . 2013-03-17 09:39 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-03-13 17:39 . 2013-03-13 17:39 274453 ----a-w- c:\windows\softgozarvpn Uninstaller.exe
2013-03-13 14:46 . 2013-02-19 00:27 9162192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{54A233C1-46A6-4F90-91CC-F49F12E5BBB8}\mpengine.dll
2013-03-12 22:32 . 2013-03-13 10:37 -------- d-----w- c:\program files (x86)\softgozarvpn
2013-03-12 15:14 . 2013-03-12 15:14 -------- d-----w- C:\WTablet
2013-03-07 15:05 . 2013-03-07 15:05 -------- d-----w- c:\program files\HitmanPro
2013-03-07 15:03 . 2013-03-13 13:42 -------- d-----w- c:\programdata\HitmanPro
2013-03-07 12:06 . 2013-03-07 12:06 -------- d-----w- c:\users\Pedram\AppData\Roaming\Malwarebytes
2013-03-07 12:06 . 2013-03-07 12:06 -------- d-----w- c:\programdata\Malwarebytes
2013-03-07 12:06 . 2013-03-13 00:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-07 12:06 . 2012-12-14 13:19 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-07 05:50 . 2013-03-07 05:50 -------- d-----w- c:\program files (x86)\ESET
2013-03-06 20:11 . 2013-03-06 20:11 -------- d-----w- c:\program files\Enigma Software Group
2013-03-06 20:11 . 2013-03-06 21:16 -------- d-----w- c:\windows\6B6C4C461B7E4A419E70ACFBB22B1D81.TMP
2013-03-06 11:26 . 2013-03-09 07:23 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-03-06 11:08 . 2013-03-06 11:08 -------- d-----w- c:\programdata\Logitech
2013-03-06 11:08 . 2013-03-06 11:08 -------- d-----w- c:\program files (x86)\Logitech
2013-03-04 14:06 . 2013-03-04 15:17 -------- d-----w- c:\programdata\Avanquest
2013-03-04 14:06 . 2013-03-04 14:26 -------- d-----w- c:\users\Pedram\AppData\Roaming\Avanquest
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-28 07:34 . 2012-12-20 07:49 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-28 07:34 . 2012-06-19 09:30 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-11 12:06 . 2013-02-11 12:06 477616 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-02-11 12:06 . 2011-06-21 17:51 473520 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-01-22 08:53 . 2013-01-22 08:53 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-01-16 21:58 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
2009-03-09 07:38 . 2012-01-01 22:08 585216 ----a-r- c:\program files (x86)\Uninstall Dead Space.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 08DFDBD2FD4EA951DC46B1C7661ED35A . 145408 . . [6.1.7600.16385] .. c:\windows\erdnt\cache86\powrprof.dll
[-] 2009-07-14 . CDB47913C624465F8E7A6ACE158B2FD2 . 145408 . . [6.1.7600.16385] .. c:\windows\SysWOW64\powrprof.dll
[7] 2009-07-14 . 08DFDBD2FD4EA951DC46B1C7661ED35A . 145408 . . [6.1.7600.16385] .. c:\windows\winsxs\x86_microsoft-windows-userpowermanagement_31bf3856ad364e35_6.1.7600.16385_none_a2eff4845e2bf4e2\powrprof.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2013-01-08 3674320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="d:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-02-16 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2008-10-13 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-02-28 75048]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-24 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-24 16008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2010-08-16 19936]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2010-08-16 13280]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-08 55280]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-01-22 283200]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/05/23 00:23];c:\program files (x86)\CyberLink\PowerDVD9\000.fcl [2009-02-28 15:10 146928]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2013-03-17 108904]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\nlssrv32.exe [2012-03-28 66560]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-12-19 378984]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2007-09-07 1908520]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-04-15 2280312]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS26.SYS [2009-06-10 411136]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - hitmanpro37
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-20 07:34]
.
2013-03-12 c:\windows\Tasks\User_Feed_Synchronization-{FD3F4B56-F026-4511-B3D2-8DBA2D68B233}.job
- c:\windows\system32\msfeedssync.exe [2011-06-08 08:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"Launch LgDevAgt"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2008-11-06 397320]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2008-11-06 2049544]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2008-11-06 3837960]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Download All By FlashGet3 - c:\users\Pedram\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
IE: Download By FlashGet3 - c:\users\Pedram\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
Trusted Zone: kuaiche.com\software
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C2876EB8-944A-4433-865A-FF5CF914DF6B}: NameServer = 8.8.8.8 8.8.4.4
FF - ProfilePath - c:\users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mydtzone.com/startpage
FF - ExtSQL: 2013-02-11 15:36; {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-DAEMON Tools Toolbar - c:\program files (x86)\DAEMON Tools Toolbar\uninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"=hex:51,66,7a,6c,4c,1d,38,12,de,57,48,
92,d2,3f,7f,03,f2,f1,b4,7f,a5,ec,4a,32
"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}"=hex:51,66,7a,6c,4c,1d,38,12,8a,de,68,
55,95,ad,1e,00,cd,08,68,12,b3,4d,db,d3
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=hex:51,66,7a,6c,4c,1d,38,12,c2,99,1a,
36,00,8f,58,04,e1,8c,0d,76,4f,1c,0a,03
"{074C1DC5-9320-4A9A-947D-C042949C6216}"=hex:51,66,7a,6c,4c,1d,38,12,ab,1e,5f,
03,12,dd,f4,0f,eb,6b,83,02,91,c2,26,02
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{B070D3E3-FEC0-47D9-8E8A-99D4EEB3D3B0}"=hex:51,66,7a,6c,4c,1d,38,12,8d,d0,63,
b4,f2,b0,b7,02,f1,9c,da,94,eb,ed,97,a4
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:40,44,b8,3f,1c,30,cc,01
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.032"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.abr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ani"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.apd"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.arw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.bay"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.bmp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.bw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.cr2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.crw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.cs1"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.cur"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dcr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dcx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dib"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.djv"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.djvu"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dng"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.emf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.eps"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.erf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.fff"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.fpx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.gif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.hdr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.icl"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.icn"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.iff"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ilbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.int"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.inta"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.iw4"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.j2c"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.j2k"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jbr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jfif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jp2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpc"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpe"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpeg"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpg"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpk"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.kdc"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.lbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.mef"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.mos"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.mrw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.nef"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.nrw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.orf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pbr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pcd"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pct"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pcx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pef"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pgm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pic"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pict"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pix"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (S-1-5-21-1793089506-2317700198-1074794676-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.png"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ppm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (S-1-5-21-1793089506-2317700198-1074794676-1000)
@Denied: (2) (LocalSystem)
"Progid"="Photoshop.Image.12"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.psp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pspbrush"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pspimage"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.raf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ras"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.raw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rgb"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rgba"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rle"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rsb"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rw2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rwl"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.sgi"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.sr2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.srf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.srw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.tga"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.thm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.tif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.tiff"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ttc"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (S-1-5-21-1793089506-2317700198-1074794676-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ttf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v40po\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.v40po"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v40pp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.v40pp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v40ppf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.v40ppf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.wbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.wbmp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.wmf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xmp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xpm"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-17 20:46:14
ComboFix-quarantined-files.txt 2013-03-17 16:16
ComboFix2.txt 2013-03-16 17:12
ComboFix3.txt 2013-03-13 18:16
ComboFix4.txt 2013-03-13 09:16
ComboFix5.txt 2013-03-17 15:57
.
Pre-Run: 16,612,028,416 bytes free
Post-Run: 15,794,208,768 bytes free
.
- - End Of File - - DB5995848D08BD86A053A96AB72D860F



#63
March 17, 2013 at 11:59:15
"should i reinstall my graphic drivers & etc john, or run combofix? seems windows acting weird also internet explorer errors again :I"
Let's just try & get you clean first, pedram.

Run Defogger
http://majorgeeks.com/Defogger_d708...
This program can enable and disable CD emulation, often required in removing difficult malware. Some CD Emulation programs use a hidden driver that may be seen as a rootkit or that will interfere with the proper operation of the anti-rootkit scanner.
http://www.bleepingcomputer.com/for...
http://www.bleepingcomputer.com/dow...
http://www.bleepingcomputer.com/for...
http://www.antimalwarehelp.be/eng/c...

10: Uninstall ComboFix. The other tools you can keep, particularly ESET, just update before using. The reason we remove ComboFix is that a new version comes out nearly every day.
Turn off all active protection software.
Push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
Or,
Start > Run, Copy and Paste > ComboFix /uninstall and click OK.
Or,
Start > All Programs > Accessories > Command Prompt, Copy and Paste > ComboFix /uninstall and hit > Enter.
Qoobox is a folder created by Combofix to quarantine any infected files.

11: Download the latest version of Combofix & Run. They have new versions coming out all the time.


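Post #63 asks for a fresh ComboFix log, and the reviewer's job is then to read its Run-key values and service/driver lines by hand. As an added example, not code from this thread or from ComboFix: a small Python script that parses those two line formats plus the "Trusted Zone:" line and flags four things worth a second look: autostarts launched from user-writable folders, service entries whose file is absent from disk (the `[x]` marker, taken here to mean the image was not found), CD-emulation drivers of the kind the Defogger step above disables, and Internet Explorer Trusted Zone additions. The sample log is constructed from lines that appear in this thread's logs plus one invented "Updater" value; the rule sets and category names are the example's own.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout of the ComboFix logs posted in this thread:
# a Run key with its values, four service/driver lines and one supplementary-scan
# line. The "Updater" value is invented for the example; the other lines are
# copied from the thread's logs.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Updater"="c:\users\example\appdata\roaming\updater.exe" [2013-03-01 12345]
.
R3 VGPU;VGPU; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-01-22 283200]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-04-15 2280312]
Trusted Zone: kuaiche.com\software
"""

# "Name"="path" [date size]  -- a Run-key value as ComboFix prints it
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$')
# R3 name;display;path [date size]  -- R/S = running/stopped, digit = Windows start type
SERVICE = re.compile(r'^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
TRUSTED = re.compile(r'^Trusted Zone:\s*(?P<site>.+)$')

# Locations a normal user can write to; an autostart pointing there deserves a look.
USER_WRITABLE = ('\\users\\', '\\programdata\\', '\\appdata\\', '\\temp\\')
# Driver-name fragments of CD-emulation software (the Defogger step in this thread
# explains why they matter to the scan). dtsoftbus appears in this thread's logs;
# sptd is another widely used one.
CD_EMULATION = ('dtsoftbus', 'sptd')

Finding = Tuple[str, str, str]  # (category, name, detail)


def review_combofix_log(text: str) -> List[Finding]:
    """Walk a ComboFix-style log and return the entries worth a second look."""
    findings: List[Finding] = []
    in_run_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()
            # Run and Run- (values ComboFix disabled) keys hold autostart entries.
            in_run_key = key.endswith('\\run') or key.endswith('\\run-')
            continue
        m = SERVICE.match(line)
        if m:
            name, rest = m['name'], m['rest'].strip()
            if rest == '[x]':  # no path printed: the service/driver image is absent from disk
                findings.append(('missing-image', name, 'orphaned service/driver entry'))
            elif any(tag in name.lower() for tag in CD_EMULATION):
                path = rest.rsplit(' [', 1)[0]  # drop the trailing "[date size]"
                findings.append(('cd-emulation-driver', name, path))
            continue
        m = TRUSTED.match(line)
        if m:
            findings.append(('trusted-zone', m['site'],
                             'IE Trusted Zone entry; confirm it was added deliberately'))
            continue
        if in_run_key:
            m = RUN_VALUE.match(line)
            if m and any(loc in m['path'].lower() for loc in USER_WRITABLE):
                findings.append(('run-from-user-writable', m['name'], m['path']))
    return findings


if __name__ == '__main__':
    for category, name, detail in review_combofix_log(SAMPLE_LOG):
        print(f'{category:24} {name:16} {detail}')
```

A hit is a prompt to check the file's publisher and origin, not a verdict: in this thread's own log the DAEMON Tools bus driver is legitimate software that merely interferes with the rootkit scan, which is why the Defogger step disables it rather than deletes it.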

#64
March 17, 2013 at 12:08:00
#60

"Files Detected: 8
C:\Users\Pedram\ultra surf files\U993.exe (PUP.UltraReach) -> No action taken.
D:\ADOBE\Patch.exe (Trojan.StartPage.SMR) -> No action taken.
D:\op\my usb data\U1017.exe (PUP.HackTool.Proxy) -> No action taken.
D:\op\my usb data\u995.exe (PUP.UltraReach) -> No action taken.
D:\op\my usb data\u997.exe (PUP.UltraReach) -> No action taken.
E:\Deus.EX.Human.Revolution.Augmented.Edition.STEAM.UNLOCKED-ALI213\ÓÎÏÀÍøNETSHOW.exe (Trojan.Agent) -> No action taken.
E:\Program Files (x86)\ABM\Battlefield Bad Company 2\Battlefield Bad Company 2\rld-bbc2.exe (RiskWare.Tool.HCK) -> No action taken.
F:\Perfect resize\OnOne Perfect Resize 7.0.7 Professional Edition\KeyGen.exe (RiskWare.Tool.CK) -> No action taken"

You didn't follow my instructions in post #7.



#65
March 17, 2013 at 12:17:40
Sorry john, I did. It's a log from before removal, I removed them all right after this..


#66
March 17, 2013 at 12:20:21
I was just about to go back to bed. Are you staying with me for a while, pedram?


#67
March 17, 2013 at 12:25:51
Yes, I am with you john


#68
March 17, 2013 at 12:28:36
Doing the post #63 stuff right now! Will inform you asap


#69
March 17, 2013 at 12:29:05
Ok pedram, shall wait for results of my post #63


#70
March 17, 2013 at 13:14:57
here it is:
First Defogger, before the Combo scan:

efogger_disable by jpshortstuff (23.02.10.1)
Log created at 00:03 on 18/03/2013 (Pedram)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
HKCU:DAEMON Tools Lite -> Removed

Checking for services/drivers...


-=E.O.F=-



#71
March 17, 2013 at 13:18:50
"HKCU:DAEMON Tools Lite -> Removed"

Good, now Combofix will be able to run properly.



#72
March 17, 2013 at 13:25:53
ComboFix 13-03-17.01 - Pedram 03/18/2013 0:12.8.3 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6144.4684 [GMT 4.5:30]
Running from: c:\users\Pedram\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache86\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-02-17 to 2013-03-17 )))))))))))))))))))))))))))))))
.
.
2013-03-17 20:04 . 2013-03-17 20:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-17 18:19 . 2013-02-19 00:27 9162192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AF68BDAA-48C6-4449-8004-97B0741A3624}\mpengine.dll
2013-03-17 18:13 . 2013-03-17 18:13 -------- d-----w- c:\program files (x86)\AGEIA Technologies
2013-03-17 18:12 . 2013-02-09 13:25 3035306 ----a-w- c:\windows\system32\nvcoproc.bin
2013-03-17 17:26 . 2013-03-17 17:26 -------- d-----w- c:\users\Pedram\AppData\Local\ESET
2013-03-17 17:24 . 2013-03-17 17:24 -------- d-----w- c:\program files\ESET
2013-03-17 17:06 . 2013-03-17 17:06 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-03-17 16:16 . 2013-03-17 17:36 -------- d-----w- c:\users\UpdatusUser
2013-03-17 13:30 . 2013-03-17 13:30 -------- d-----w- c:\windows\ERUNT
2013-03-17 13:29 . 2013-03-17 18:01 -------- d-----w- C:\JRT
2013-03-17 10:01 . 2013-03-17 10:01 -------- d-----w- c:\programdata\NVIDIA Corporation
2013-03-17 10:00 . 2010-12-19 22:22 67176 ----a-w- c:\windows\system32\OpenCL.dll
2013-03-17 10:00 . 2010-12-19 22:22 57960 ----a-w- c:\windows\SysWow64\OpenCL.dll
2013-03-17 10:00 . 2013-02-10 03:25 15275744 ----a-w- c:\windows\system32\nvwgf2umx.dll
2013-03-17 09:59 . 2010-12-19 22:22 11240 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2013-03-17 09:59 . 2013-02-10 03:25 2854344 ----a-w- c:\windows\system32\nvapi64.dll
2013-03-17 09:39 . 2013-03-17 09:39 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-03-13 17:39 . 2013-03-13 17:39 274453 ----a-w- c:\windows\softgozarvpn Uninstaller.exe
2013-03-12 22:32 . 2013-03-13 10:37 -------- d-----w- c:\program files (x86)\softgozarvpn
2013-03-12 15:14 . 2013-03-12 15:14 -------- d-----w- C:\WTablet
2013-03-07 15:05 . 2013-03-07 15:05 -------- d-----w- c:\program files\HitmanPro
2013-03-07 15:03 . 2013-03-13 13:42 -------- d-----w- c:\programdata\HitmanPro
2013-03-07 12:06 . 2013-03-07 12:06 -------- d-----w- c:\users\Pedram\AppData\Roaming\Malwarebytes
2013-03-07 12:06 . 2013-03-07 12:06 -------- d-----w- c:\programdata\Malwarebytes
2013-03-07 12:06 . 2013-03-13 00:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-07 12:06 . 2012-12-14 13:19 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-07 05:50 . 2013-03-07 05:50 -------- d-----w- c:\program files (x86)\ESET
2013-03-06 20:11 . 2013-03-06 20:11 -------- d-----w- c:\program files\Enigma Software Group
2013-03-06 20:11 . 2013-03-06 21:16 -------- d-----w- c:\windows\6B6C4C461B7E4A419E70ACFBB22B1D81.TMP
2013-03-06 11:08 . 2013-03-06 11:08 -------- d-----w- c:\programdata\Logitech
2013-03-06 11:08 . 2013-03-06 11:08 -------- d-----w- c:\program files (x86)\Logitech
2013-03-04 14:06 . 2013-03-04 15:17 -------- d-----w- c:\programdata\Avanquest
2013-03-04 14:06 . 2013-03-04 14:26 -------- d-----w- c:\users\Pedram\AppData\Roaming\Avanquest
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-28 07:34 . 2012-12-20 07:49 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-28 07:34 . 2012-06-19 09:30 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-11 12:06 . 2013-02-11 12:06 477616 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-02-11 12:06 . 2011-06-21 17:51 473520 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-02-10 01:04 . 2010-12-19 10:48 6393120 ----a-w- c:\windows\system32\nvcpl.dll
2013-02-10 01:04 . 2010-12-19 10:48 3472672 ----a-w- c:\windows\system32\nvsvc64.dll
2013-02-10 01:04 . 2010-12-19 10:48 237856 ----a-w- c:\windows\system32\nvmctray.dll
2013-02-10 01:04 . 2010-12-19 10:48 877856 ----a-w- c:\windows\system32\nvvsvc.exe
2013-02-10 01:04 . 2010-12-19 10:48 63776 ----a-w- c:\windows\system32\nvshext.dll
2013-02-09 14:13 . 2013-02-09 14:13 555808 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2013-01-22 08:53 . 2013-01-22 08:53 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-01-16 21:58 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
2009-03-09 07:38 . 2012-01-01 22:08 585216 ----a-r- c:\program files (x86)\Uninstall Dead Space.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="d:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-02-16 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2008-10-13 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-02-28 75048]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-24 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-24 16008]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2010-08-16 19936]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2010-08-16 13280]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-08 55280]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-01-22 283200]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2011/05/23 00:23];c:\program files (x86)\CyberLink\PowerDVD9\000.fcl [2009-02-28 15:10 146928]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2013-03-17 108904]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\nlssrv32.exe [2012-03-28 66560]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-02-09 383264]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2007-09-07 1908520]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-04-15 2280312]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2013-03-17 32152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS26.SYS [2009-06-10 411136]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPRO37
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-20 07:34]
.
2013-03-12 c:\windows\Tasks\User_Feed_Synchronization-{FD3F4B56-F026-4511-B3D2-8DBA2D68B233}.job
- c:\windows\system32\msfeedssync.exe [2011-06-08 08:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"Launch LgDevAgt"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2008-11-06 397320]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2008-11-06 2049544]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2008-11-06 3837960]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Download All By FlashGet3 - c:\users\Pedram\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
IE: Download By FlashGet3 - c:\users\Pedram\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
Trusted Zone: kuaiche.com\software
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C2876EB8-944A-4433-865A-FF5CF914DF6B}: NameServer = 8.8.8.8 8.8.4.4
FF - ProfilePath - c:\users\Pedram\AppData\Roaming\Mozilla\Firefox\Profiles\3zvxy2lz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mydtzone.com/startpage
FF - ExtSQL: 2013-02-11 15:36; {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-DAEMON Tools Toolbar - c:\program files (x86)\DAEMON Tools Toolbar\uninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"=hex:51,66,7a,6c,4c,1d,38,12,de,57,48,
92,d2,3f,7f,03,f2,f1,b4,7f,a5,ec,4a,32
"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}"=hex:51,66,7a,6c,4c,1d,38,12,8a,de,68,
55,95,ad,1e,00,cd,08,68,12,b3,4d,db,d3
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=hex:51,66,7a,6c,4c,1d,38,12,c2,99,1a,
36,00,8f,58,04,e1,8c,0d,76,4f,1c,0a,03
"{074C1DC5-9320-4A9A-947D-C042949C6216}"=hex:51,66,7a,6c,4c,1d,38,12,ab,1e,5f,
03,12,dd,f4,0f,eb,6b,83,02,91,c2,26,02
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{B070D3E3-FEC0-47D9-8E8A-99D4EEB3D3B0}"=hex:51,66,7a,6c,4c,1d,38,12,8d,d0,63,
b4,f2,b0,b7,02,f1,9c,da,94,eb,ed,97,a4
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:40,44,b8,3f,1c,30,cc,01
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.032"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.abr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ani"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.apd"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.arw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.bay"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.bmp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.bw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.cr2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.crw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.cs1"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.cur"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dcr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dcx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dib"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.djv"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.djvu"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.dng"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.emf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.eps"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.erf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.fff"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.fpx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.gif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.hdr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.icl"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.icn"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.iff"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ilbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.int"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.inta"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.iw4"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.j2c"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.j2k"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jbr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jfif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jp2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpc"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpe"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpeg"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpg"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpk"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.jpx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.kdc"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.lbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.mef"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.mos"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.mrw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.nef"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.nrw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.orf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pbr"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pcd"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pct"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pcx"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pef"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pgm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pic"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pict"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pix"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (S-1-5-21-1793089506-2317700198-1074794676-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.png"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ppm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (S-1-5-21-1793089506-2317700198-1074794676-1000)
@Denied: (2) (LocalSystem)
"Progid"="Photoshop.Image.12"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.psp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pspbrush"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.pspimage"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.raf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ras"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.raw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rgb"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rgba"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rle"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rsb"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rw2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.rwl"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.sgi"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.sr2"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.srf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.srw"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.tga"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.thm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.tif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.tiff"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ttc"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (S-1-5-21-1793089506-2317700198-1074794676-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ttf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v40po\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.v40po"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v40pp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.v40pp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v40ppf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.v40ppf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.wbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.wbmp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.wmf"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xbm"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xif"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xmp"
.
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.xpm"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-03-18 00:40:30 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-17 20:10
ComboFix2.txt 2013-03-17 16:16
ComboFix3.txt 2013-03-16 17:12
ComboFix4.txt 2013-03-13 18:16
ComboFix5.txt 2013-03-17 19:41
.
Pre-Run: 15,002,632,192 bytes free
Post-Run: 14,420,955,136 bytes free
.
- - End Of File - - 1B4D8703D71DB6DC2FE1EAD5319098E6

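The registry section of a ComboFix log, like the one posted above, is a flat dump of .reg-style blocks, and the interesting ones are easy to miss: keys with an explicit deny ACE (the "@Denied:" lines) and COM classes registered for UAC elevation ("Elevation" subkey with "Enabled"=dword:00000001). The following Python is an added triage helper, not ComboFix's code and not part of the original thread. It groups the lines into keys, lists every key that carries a deny ACE, and pairs each elevation-enabled CLSID with its LocalServer32 executable so the binary can be verified on disk. The sample input is a constructed excerpt of the log above; ComboFix's rights codes inside the first parentheses ("2", "A 2", "Full", "B 1 2 3 4 5") are carried through as raw strings and not decoded, which is an assumption of this example.

```python
"""Triage helper for the registry snapshot in a ComboFix log (added example).

Each reported key is a .reg-style block: a [HKEY_...] header, optional
"@Denied:"/"@Allowed:" ACE lines, name=value lines, then a line holding ".".
Rights codes in the first parentheses are kept raw, not decoded (assumption).
"""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
ACE_RE = re.compile(r'^@(Denied|Allowed):\s*\(([^)]*)\)\s*\((.+)\)$')
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')

# Constructed excerpt of the log posted above (paths and values as shown there).
SAMPLE_LOG = r'''
[HKEY_USERS\S-1-5-21-1793089506-2317700198-1074794676-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (S-1-5-21-1793089506-2317700198-1074794676-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 4.ttf"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
'''


@dataclass
class RegKey:
    path: str
    aces: list = field(default_factory=list)    # (kind, rights_code, principal)
    values: dict = field(default_factory=dict)  # value name ('@' = default) -> raw text


def parse_combofix_registry(text):
    """Group the snapshot lines into RegKey records, in file order."""
    keys, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = RegKey(m.group(1))
            keys.append(current)
            continue
        if current is None or line in ('', '.'):
            continue
        m = ACE_RE.match(line)
        if m:
            current.aces.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = VALUE_RE.match(line)
        if m:
            current.values[m.group(1).strip('"')] = m.group(2)
    return keys


def find_denied_keys(keys):
    """(path, [principals]) for every key with an explicit deny ACE.
    A deny ACE is not proof of malware: Adobe's FlashBroker class and
    ACDSee's UserChoice keys in the log above are locked this way too."""
    out = []
    for k in keys:
        denied = [p for kind, _rights, p in k.aces if kind == 'Denied']
        if denied:
            out.append((k.path, denied))
    return out


def find_elevated_com_servers(keys):
    """Map each CLSID with Elevation\\Enabled=1 (COM elevation moniker: UAC
    launches it elevated) to its LocalServer32 executable.  Matching on the
    key suffix covers both the native and the Wow6432Node view."""
    by_path = {k.path: k for k in keys}
    out = {}
    for k in keys:
        if not k.path.endswith('\\Elevation') or k.values.get('Enabled') != 'dword:00000001':
            continue
        base = k.path[:-len('\\Elevation')]
        server = by_path.get(base + '\\LocalServer32')
        if server is not None:
            # .reg syntax doubles backslashes inside quoted strings; undo that.
            out[base] = server.values.get('@', '').strip('"').replace('\\\\', '\\')
    return out


if __name__ == '__main__':
    parsed = parse_combofix_registry(SAMPLE_LOG)
    for path, who in find_denied_keys(parsed):
        print('DENY        ', path, '->', ', '.join(who))
    for clsid, exe in find_elevated_com_servers(parsed).items():
        print('ELEVATED COM', clsid, '->', exe)
```

Run it against a full ComboFix.txt by reading the file into `parse_combofix_registry`; the elevated-server paths are the ones worth hashing and checking for a valid Authenticode signature, since a class that UAC launches elevated is exactly where a replaced binary would matter.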

#73
March 17, 2013 at 13:27:32
Just got a blue screen as a reward recently after all the #63 stuff :l, a little disappointed.

#74
March 17, 2013 at 13:44:06
You are starting to look like you may have an unremovable infection, let's try this.

Run ESET Hidden File System Reader
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.eset.com/download/utilit...

#75
March 17, 2013 at 14:11:24
What's the solution if it is an unremovable infection? (I hope it's not.) Can reinstalling Windows fix it?

#76
March 17, 2013 at 14:21:27
"What's the solution if it is an unremovable infection? (I hope it's not.) Can reinstalling Windows fix it?"
Yes, reinstalling Windows can fix it, but it has to be done a special way. I shall explain that after we have finished trying to remove it.

#77
March 17, 2013 at 14:25:43
Thanks for your help John, I will not be here for maybe a day, but I will try to get back as soon as possible.

#78
March 17, 2013 at 14:29:33
OK Pedram.

Also, what sort of computer do you have?

Is it a PC desktop?
Laptop?
Or other?
Is it a brand name? The EXACT model please.

#79
March 17, 2013 at 14:39:09
It's a PC, with an AMD Phenom X3 CPU, 6 GB DDR2 RAM.