
Slow computer, removed some virus but still serious malware


14 replies to this topic

#1 kbatu

  • Members
  • 13 posts

Posted 23 August 2016 - 02:07 PM

Hi. I recently made a topic in the "Am I infected" section of the forums. They directed me here. ESET Online Scanner found some malware in the Windows files and quarantined it. I'm attaching both the old logs and the new FRST logs in case you need them. You can check the old post too if you want.


This is the ESET quarantine picture, which is the reason I was redirected to this section.

http://imgur.com/a/Sn31i (also attached)

Here is the previous post:

http://www.bleepingcomputer.com/forums/t/624552/adwcleaner-found-infected-registry/


FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01
Ran by Batuhan (administrator) on BATUHAN-PC (23-08-2016 22:01:51)
Running from C:\Users\Batuhan\Desktop
Loaded Profiles: Batuhan (Available Profiles: Batuhan)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
() C:\Windows\SysWOW64\PnkBstrB.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Disc Soft Ltd) C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
() C:\Users\Batuhan\AppData\Local\NVIDIA\NvBackend\Packages\00009292\DAO.21080368.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2754704 2015-06-17] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\nvspcap64.dll [1571696 2015-06-17] (NVIDIA Corporation)
HKLM\...\Policies\Explorer: [NoAutorun] 1
HKLM\...\Policies\Explorer: [DontSetAutoplayCheckbox] 1
HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie\SbieCtrl.exe [797328 2016-06-15] (Sandboxie Holdings, LLC)
HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8358680 2015-06-01] (Piriform Ltd)
HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\...\Run: [Spotify Web Helper] => C:\Users\Batuhan\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1554032 2016-07-25] (Spotify Ltd)
HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\...\Run: [DAEMON Tools Lite Automount] => C:\Program Files\DAEMON Tools Lite\DTAgent.exe [4468056 2015-06-18] (Disc Soft Ltd)
AppInit_DLLs: C:\Windows\System32\nvinitx.dll => C:\Windows\System32\nvinitx.dll [176904 2015-06-17] (NVIDIA Corporation)
AppInit_DLLs: , C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [176904 2015-06-17] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [155280 2015-06-17] (NVIDIA Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{0F0D7AFA-031F-4D19-B2FD-382A95B77208}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{6A6C2B52-3C29-45D1-A009-9C652E715E06}: [DhcpNameServer] 192.168.1.1 0.0.0.0
Tcpip\..\Interfaces\{88FAAF32-5316-40F6-AD9C-F7A2B4DE5DE0}: [DhcpNameServer] 192.168.2.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-4134522837-3305369566-1149214307-1000 -> DefaultScope {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = 
 
FireFox:
========
FF ProfilePath: C:\Users\Batuhan\AppData\Roaming\Mozilla\Firefox\Profiles\pqxuxq52.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_232.dll [2015-08-15] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-15] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.youtube.com/feed/subscriptions","hxxps://www.facebook.com/","hxxp://www.twitch.tv/directory/following"
CHR Profile: C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (BIODIGITAL HUMAN) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\agoenciogemlojlhccbcpcfflicgnaak [2015-07-03]
CHR Extension: (Flash Video Downloader) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc [2016-08-18]
CHR Extension: (YouTube) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Search) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (ZenMate VPN - Güvenli İnternet & Unblock ) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebme [2016-07-29]
CHR Extension: (AdBlock) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-07-28]
CHR Extension: (Typing Test - KeyHero) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcieoaeooeidmpaopkpjpjfakidlabm [2015-07-03]
CHR Extension: (3D Functions Plotter) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\naolaacfeloakcdcnenhkeicocefkkfe [2015-07-03]
CHR Extension: (Office Online) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndjpnladcallmjemlbaebfadecfhkepb [2016-07-02]
CHR Extension: (Video Speed Controller) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nffaoalbilbmmfgbnbgppjihopabppdk [2016-08-18]
CHR Extension: (Chrome Web Mağazası Ödemeleri) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Origami Player) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiomepakkenneiifjocbinkmmampfbdn [2015-07-18]
CHR Extension: (Gmail) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-03]
CHR Extension: (Chrome Media Router) - C:\Users\Batuhan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-18]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1404936 2016-08-02] ()
R3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe [1268568 2015-06-18] (Disc Soft Ltd)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [227104 2016-08-19] (EasyAntiCheat Ltd)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1152656 2015-06-17] (NVIDIA Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319080 2015-06-04] (Intel Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1893008 2015-06-17] (NVIDIA Corporation)
S2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [23007376 2015-06-17] (NVIDIA Corporation)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2016-07-15] ()
R2 PnkBstrB; C:\Windows\SysWOW64\PnkBstrB.exe [107832 2016-08-01] ()
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-03-01] (Riverbed Technology, Inc.)
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [197264 2016-06-15] (Sandboxie Holdings, LLC)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2015-09-02] (Disc Soft Ltd)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 h647906; C:\Windows\System32\drivers\h647906.sys [62576 2008-12-01] (Your Corporation)
S3 hid7906; C:\Windows\SysWOW64\drivers\hid7906.sys [41096 2008-12-01] (Your Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2015-06-17] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [46768 2015-05-19] (NVIDIA Corporation)
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [204944 2016-06-15] (Sandboxie Holdings, LLC)
S3 catchme; \??\C:\ratata\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-23 22:01 - 2016-08-23 22:02 - 00012866 _____ C:\Users\Batuhan\Desktop\FRST.txt
2016-08-23 21:59 - 2016-08-23 22:01 - 00000000 ____D C:\FRST
2016-08-23 21:56 - 2016-08-23 21:56 - 02396672 _____ (Farbar) C:\Users\Batuhan\Desktop\FRST64.exe
2016-08-23 16:07 - 2016-08-23 16:08 - 06761600 _____ (ESET spol. s r.o.) C:\Users\Batuhan\Downloads\esetonlinescanner_enu.exe
2016-08-23 16:05 - 2016-08-23 16:05 - 00004718 _____ C:\Users\Batuhan\Desktop\JRT.txt
2016-08-23 16:00 - 2016-08-23 16:00 - 01610560 _____ (Malwarebytes) C:\Users\Batuhan\Desktop\JRT.exe
2016-08-22 22:18 - 2016-08-22 22:18 - 00001946 _____ C:\Users\Batuhan\Downloads\AdwCleanerR1.txt
2016-08-22 22:10 - 2016-08-22 22:10 - 00000000 ____D C:\Program Files (x86)\ESET
2016-08-22 22:00 - 2016-08-22 22:01 - 02870984 _____ (ESET) C:\Users\Batuhan\Downloads\esetsmartinstaller_enu.exe
2016-08-22 21:59 - 2016-08-23 15:54 - 00000000 ____D C:\AdwCleaner
2016-08-22 21:58 - 2016-08-22 21:58 - 03784256 _____ C:\Users\Batuhan\Downloads\adwcleaner_6.000.exe
2016-08-22 21:58 - 2016-08-22 21:58 - 00000000 ____D C:\TDSSKiller_Quarantine
2016-08-22 21:56 - 2016-08-22 21:56 - 00892416 _____ (Farbar) C:\Users\Batuhan\Downloads\MiniToolBox (1).exe
2016-08-22 21:54 - 2016-08-22 21:58 - 00711726 _____ C:\TDSSKiller.3.1.0.11_22.08.2016_21.54.54_log.txt
2016-08-22 21:52 - 2016-08-22 21:53 - 00004640 _____ C:\TDSSKiller.3.1.0.11_22.08.2016_21.52.35_log.txt
2016-08-22 21:47 - 2016-08-22 21:50 - 04747704 _____ (AO Kaspersky Lab) C:\Users\Batuhan\Downloads\tdsskiller.exe
2016-08-22 21:45 - 2016-08-22 21:46 - 00034573 _____ C:\Users\Batuhan\Downloads\MTB.txt
2016-08-22 21:44 - 2016-08-22 21:44 - 00892416 _____ (Farbar) C:\Users\Batuhan\Downloads\MiniToolBox.exe
2016-08-22 20:26 - 2016-08-23 15:57 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-22 20:26 - 2016-08-22 20:26 - 00001106 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-08-22 20:26 - 2016-08-22 20:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-08-22 20:26 - 2016-08-22 20:26 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-08-22 20:26 - 2016-08-22 20:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-08-22 20:26 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-08-22 20:26 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-08-22 20:26 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-08-22 20:23 - 2016-08-22 20:25 - 22851472 _____ (Malwarebytes ) C:\Users\Batuhan\Downloads\mbam-setup-2.2.1.1043.exe
2016-08-22 20:09 - 2016-08-22 20:09 - 00000604 _____ C:\Users\Batuhan\Downloads\d6da1b1f75ed9a6bc0c88465fb8f4f83.torrent
2016-08-19 14:28 - 2016-08-19 14:28 - 00000000 ____D C:\Users\Batuhan\AppData\LocalLow\Facepunch Studios LTD
2016-08-19 14:13 - 2016-08-19 14:13 - 00000222 _____ C:\Users\Batuhan\Desktop\Rust.url
2016-08-18 22:35 - 2016-08-22 16:05 - 4132997235 _____ C:\Users\Batuhan\Downloads\EnderalInstall_EN.gz
2016-08-18 22:34 - 2016-08-18 22:34 - 00020704 _____ C:\Users\Batuhan\Downloads\EnderalInstall_EN.torrent
2016-08-18 22:34 - 2016-08-18 22:34 - 00020704 _____ C:\Users\Batuhan\Downloads\EnderalInstall_EN (1).torrent
2016-08-17 17:46 - 2016-08-17 17:46 - 00000000 ____D C:\Users\Batuhan\AppData\LocalLow\GL33k
2016-08-17 13:45 - 2016-07-08 18:32 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-08-17 13:45 - 2016-07-08 18:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-08-14 16:01 - 2016-08-14 16:01 - 00002798 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-08-14 16:01 - 2016-08-14 16:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-08-12 19:06 - 2016-08-16 23:00 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\Tropico 4
2016-08-12 19:06 - 2016-08-12 19:06 - 00000000 ____D C:\ProgramData\RELOADED
2016-08-12 01:49 - 2016-08-12 01:50 - 00011083 _____ C:\Users\Batuhan\Downloads\Naughty Nuru (22.03.2013) 1080p (Madison Ivy, Toni Ribas).mp4.torrent
2016-08-10 15:54 - 2016-08-02 17:54 - 00394440 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-08-10 15:54 - 2016-08-02 17:08 - 00346312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-08-10 15:54 - 2016-08-02 09:54 - 25808384 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-08-10 15:54 - 2016-08-02 09:47 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-08-10 15:54 - 2016-08-02 09:47 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-08-10 15:54 - 2016-08-02 09:32 - 02894336 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-08-10 15:54 - 2016-08-02 09:32 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-08-10 15:54 - 2016-08-02 09:31 - 00572416 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-08-10 15:54 - 2016-08-02 09:31 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-08-10 15:54 - 2016-08-02 09:31 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-08-10 15:54 - 2016-08-02 09:31 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-08-10 15:54 - 2016-08-02 09:24 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-08-10 15:54 - 2016-08-02 09:23 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-08-10 15:54 - 2016-08-02 09:20 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-08-10 15:54 - 2016-08-02 09:19 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-08-10 15:54 - 2016-08-02 09:19 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-08-10 15:54 - 2016-08-02 09:18 - 06047744 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-08-10 15:54 - 2016-08-02 09:18 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-08-10 15:54 - 2016-08-02 09:18 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-08-10 15:54 - 2016-08-02 09:11 - 00969216 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-08-10 15:54 - 2016-08-02 09:08 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-08-10 15:54 - 2016-08-02 09:03 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-08-10 15:54 - 2016-08-02 09:00 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-08-10 15:54 - 2016-08-02 08:59 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-08-10 15:54 - 2016-08-02 08:56 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-08-10 15:54 - 2016-08-02 08:55 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-08-10 15:54 - 2016-08-02 08:54 - 20343808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-08-10 15:54 - 2016-08-02 08:53 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-08-10 15:54 - 2016-08-02 08:51 - 00497664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-08-10 15:54 - 2016-08-02 08:51 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-08-10 15:54 - 2016-08-02 08:51 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-08-10 15:54 - 2016-08-02 08:51 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2016-08-10 15:54 - 2016-08-02 08:51 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2016-08-10 15:54 - 2016-08-02 08:50 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2016-08-10 15:54 - 2016-08-02 08:47 - 02286592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-08-10 15:54 - 2016-08-02 08:45 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-08-10 15:54 - 2016-08-02 08:44 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2016-08-10 15:54 - 2016-08-02 08:42 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-08-10 15:54 - 2016-08-02 08:41 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-08-10 15:54 - 2016-08-02 08:41 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2016-08-10 15:54 - 2016-08-02 08:41 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-08-10 15:54 - 2016-08-02 08:40 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-08-10 15:54 - 2016-08-02 08:38 - 00806400 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-08-10 15:54 - 2016-08-02 08:38 - 00724992 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-08-10 15:54 - 2016-08-02 08:37 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-08-10 15:54 - 2016-08-02 08:36 - 02131456 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-08-10 15:54 - 2016-08-02 08:33 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-08-10 15:54 - 2016-08-02 08:29 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-08-10 15:54 - 2016-08-02 08:28 - 15412224 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-08-10 15:54 - 2016-08-02 08:28 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2016-08-10 15:54 - 2016-08-02 08:26 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2016-08-10 15:54 - 2016-08-02 08:25 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-08-10 15:54 - 2016-08-02 08:24 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-08-10 15:54 - 2016-08-02 08:23 - 02868224 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-08-10 15:54 - 2016-08-02 08:22 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2016-08-10 15:54 - 2016-08-02 08:21 - 04608000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-08-10 15:54 - 2016-08-02 08:16 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2016-08-10 15:54 - 2016-08-02 08:15 - 00692736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-08-10 15:54 - 2016-08-02 08:14 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-08-10 15:54 - 2016-08-02 08:14 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2016-08-10 15:54 - 2016-08-02 08:11 - 13808128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-08-10 15:54 - 2016-08-02 08:10 - 01550848 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-08-10 15:54 - 2016-08-02 07:59 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-08-10 15:54 - 2016-08-02 07:56 - 02393088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-08-10 15:54 - 2016-08-02 07:53 - 01316352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-08-10 15:54 - 2016-08-02 07:51 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-08-10 15:54 - 2016-07-08 18:37 - 00154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-08-10 15:54 - 2016-07-08 18:37 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-08-10 15:54 - 2016-07-08 18:32 - 01464320 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00730624 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00343552 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00316416 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-08-10 15:54 - 2016-07-08 18:32 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-08-10 15:54 - 2016-07-08 18:17 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2016-08-10 15:54 - 2016-07-08 18:17 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00260608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00251392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-08-10 15:54 - 2016-07-08 18:16 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2016-08-10 15:54 - 2016-07-08 18:03 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-08-10 15:54 - 2016-07-08 17:57 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-08-10 15:54 - 2016-07-08 17:56 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-08-10 15:54 - 2016-07-08 17:56 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-08-10 15:54 - 2016-07-08 17:55 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2016-08-10 15:54 - 2016-07-08 17:55 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-08-10 15:54 - 2016-07-08 17:50 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2016-08-10 15:53 - 2016-07-08 18:01 - 03218944 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-08-06 03:50 - 2016-08-06 03:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo III
2016-08-06 03:28 - 2016-08-22 12:16 - 00000000 ____D C:\Program Files (x86)\Diablo III
2016-08-06 03:10 - 2016-08-06 03:10 - 00000000 ____D C:\Users\Batuhan\AppData\LocalLow\Blizzard Entertainment
2016-08-06 03:10 - 2016-08-06 03:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hearthstone
2016-08-06 02:58 - 2016-08-09 22:08 - 00000000 ____D C:\Program Files (x86)\Hearthstone
2016-08-06 00:12 - 2016-08-06 00:12 - 00000000 ____D C:\Users\Batuhan\BrawlhallaReplays
2016-08-05 19:17 - 2016-08-05 19:19 - 138404357 _____ C:\Users\Batuhan\Downloads\Arrow Heads_May27.zip
2016-08-05 19:09 - 2016-08-05 19:10 - 26208999 _____ C:\Users\Batuhan\Downloads\LastOneStanding_Win.zip
2016-08-05 18:59 - 2016-08-05 19:01 - 215797523 _____ C:\Users\Batuhan\Downloads\The_Black_Heart_1.2.1.zip
2016-08-05 18:36 - 2016-08-05 18:36 - 00000000 ____D C:\Users\Batuhan\Downloads\LAGWARFARE
2016-08-05 18:33 - 2016-08-05 18:33 - 17409574 _____ C:\Users\Batuhan\Downloads\LAGWARFARE.zip
2016-08-01 17:46 - 2016-08-01 17:46 - 00003118 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe
2016-08-01 17:46 - 2016-08-01 17:46 - 00003092 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe
2016-08-01 17:43 - 2016-08-01 17:43 - 43986208 _____ (Microsoft Corporation) C:\Users\Batuhan\Downloads\MouseKeyboardCenter_64bit_ENG_2.7.133.exe
2016-08-01 14:01 - 2016-08-01 14:01 - 00000000 ____D C:\Users\Batuhan\AppData\Local\My Games
2016-08-01 13:40 - 2016-08-01 13:40 - 00178800 _____ (Sony DADC Austria AG.) C:\Windows\SysWOW64\CmdLineExt_x64.dll
2016-08-01 12:15 - 2016-08-01 12:15 - 00019190 _____ C:\Users\Batuhan\Downloads\Far_Cry_2-Razor1911.torrent
2016-08-01 12:08 - 2016-08-01 12:08 - 00023109 _____ C:\Users\Batuhan\Downloads\Far Cry 2 - Fortune's Edition (October 21, 2008).torrent
2016-07-29 11:37 - 2016-07-29 11:37 - 00000000 ___HD C:\Windows\msdownld.tmp
2016-07-29 11:37 - 2016-07-29 11:37 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\World of Tanks
2016-07-29 11:37 - 2016-07-29 11:37 - 00000000 ____D C:\Games
2016-07-29 11:36 - 2016-07-29 11:36 - 04706936 _____ (Wargaming.net ) C:\Users\Batuhan\Downloads\WoT_internet_install_eu.exe
2016-07-28 15:42 - 2016-07-28 15:42 - 00000726 _____ C:\Users\Batuhan\Downloads\JME-EOProxy-master.zip
2016-07-26 23:47 - 2016-07-26 23:47 - 00000000 ____D C:\Users\Batuhan\AppData\Local\spacegame
2016-07-25 21:17 - 2016-07-25 21:17 - 00000000 ___RD C:\Sandbox
2016-07-25 21:15 - 2016-08-17 13:35 - 00001422 _____ C:\Windows\Sandboxie.ini
2016-07-25 21:15 - 2016-08-06 04:24 - 00001002 _____ C:\Users\Batuhan\Desktop\Sandboxed Web Browser.lnk
2016-07-25 21:12 - 2016-07-25 21:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sandboxie
2016-07-25 21:11 - 2016-07-25 21:12 - 00000000 ____D C:\Program Files\Sandboxie
2016-07-25 21:10 - 2016-07-25 21:11 - 08969872 _____ (Sandboxie Holdings, LLC) C:\Users\Batuhan\Downloads\SandboxieInstall.exe
2016-07-25 18:21 - 2016-07-25 18:21 - 00000000 ____D C:\Users\Batuhan\Downloads\Oil Overload 7 - Asa Akira
2016-07-25 17:23 - 2016-08-12 02:08 - 828131874 ____R C:\Users\Batuhan\Downloads\Babes - Nancy - So In Sync.mp4
2016-07-25 17:23 - 2016-07-25 17:23 - 00031872 _____ C:\Users\Batuhan\Downloads\Babes - Nancy - So In Sync.torrent
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-23 22:01 - 2015-08-15 15:30 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-08-23 21:10 - 2015-07-03 23:17 - 00001020 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-23 18:51 - 2016-04-08 16:42 - 00000000 ____D C:\Program Files (x86)\Steam
2016-08-23 18:27 - 2009-07-14 07:45 - 00026576 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-23 18:27 - 2009-07-14 07:45 - 00026576 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-23 15:59 - 2015-09-02 23:54 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\DAEMON Tools Lite
2016-08-23 15:59 - 2015-07-04 11:47 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\uTorrent
2016-08-23 15:59 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\inf
2016-08-23 15:56 - 2015-07-04 00:01 - 00000000 __SHD C:\Users\Batuhan\IntelGraphicsProfiles
2016-08-23 15:56 - 2015-07-03 23:17 - 00001016 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-23 15:56 - 2009-07-14 08:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-23 11:52 - 2016-05-15 22:07 - 00000000 ____D C:\Program Files (x86)\Splashtop
2016-08-23 11:51 - 2015-09-18 16:11 - 00000000 ____D C:\Users\Batuhan\AppData\Local\Viber
2016-08-23 11:51 - 2015-09-18 16:11 - 00000000 ____D C:\Users\Batuhan\AppData\Local\Package Cache
2016-08-23 11:49 - 2015-07-03 23:04 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-08-23 00:11 - 2015-07-04 17:41 - 00000000 ____D C:\Windows\KJ
2016-08-22 22:15 - 2015-08-26 17:12 - 00001139 _____ C:\Users\Batuhan\Desktop\regscanner.cfg
2016-08-22 22:03 - 2009-07-14 08:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-08-22 19:24 - 2016-06-07 18:01 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\discord
2016-08-22 19:17 - 2016-07-17 18:08 - 00000344 _____ C:\Users\Batuhan\Desktop\mzk.txt
2016-08-22 17:39 - 2015-11-05 23:42 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\vlc
2016-08-22 17:02 - 2016-01-17 21:31 - 00000000 ____D C:\Users\Batuhan\AppData\Local\Battle.net
2016-08-22 11:14 - 2016-05-05 19:37 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-08-22 02:55 - 2015-10-13 19:12 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\Spotify
2016-08-22 02:44 - 2015-10-13 19:13 - 00000000 ____D C:\Users\Batuhan\AppData\Local\Spotify
2016-08-19 14:13 - 2016-01-04 21:50 - 00227104 _____ (EasyAntiCheat Ltd) C:\Windows\SysWOW64\EasyAntiCheat.exe
2016-08-19 14:00 - 2009-07-14 08:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-08-18 22:32 - 2015-09-20 18:50 - 00000291 _____ C:\Users\Batuhan\Desktop\chesttim.txt
2016-08-18 15:58 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\rescache
2016-08-17 13:45 - 2015-07-04 13:42 - 00007610 _____ C:\Users\Batuhan\AppData\Local\Resmon.ResmonCfg
2016-08-16 22:38 - 2016-03-10 18:19 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2016-08-14 16:01 - 2015-07-03 23:33 - 00000000 ____D C:\Program Files\CCleaner
2016-08-12 14:00 - 2015-09-16 23:29 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\Skype
2016-08-11 14:17 - 2009-07-14 07:45 - 00268496 _____ C:\Windows\system32\FNTCACHE.DAT
2016-08-11 04:21 - 2015-07-04 13:34 - 00000000 ____D C:\Windows\system32\MRT
2016-08-11 04:16 - 2015-07-04 13:34 - 147640136 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-08-10 23:24 - 2015-07-07 22:41 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\TS3Client
2016-08-08 19:54 - 2016-01-17 21:31 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\Battle.net
2016-08-06 04:20 - 2016-07-13 01:11 - 00003484 _____ C:\Windows\System32\Tasks\shutdown
2016-08-06 00:12 - 2015-07-03 22:54 - 00000000 ____D C:\Users\Batuhan
2016-08-05 15:23 - 2015-08-12 19:53 - 00000000 ____D C:\Users\Batuhan\AppData\Local\Arma 3
2016-08-05 00:14 - 2015-07-03 23:17 - 00002191 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-02 22:00 - 2015-07-21 09:53 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-08-01 23:34 - 2016-06-07 18:01 - 00000000 ____D C:\Users\Batuhan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Hammer & Chisel, Inc
2016-08-01 23:33 - 2016-06-07 18:01 - 00000000 ____D C:\Users\Batuhan\AppData\Local\Discord
2016-08-01 17:46 - 2015-09-20 01:32 - 00003090 _____ C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_itype_exe
2016-08-01 13:45 - 2015-07-05 17:23 - 00000000 ____D C:\Users\Batuhan\Documents\My Games
2016-08-01 13:35 - 2016-07-15 16:23 - 02250024 _____ C:\Windows\SysWOW64\pbsvc.exe
2016-08-01 13:35 - 2015-07-07 00:08 - 00107832 _____ C:\Windows\SysWOW64\PnkBstrB.exe
2016-08-01 13:35 - 2015-07-07 00:08 - 00107832 _____ C:\Windows\SysWOW64\PnkBstrB.ex0
2016-07-29 11:37 - 2015-12-23 21:38 - 00000000 ____D C:\Windows\SysWOW64\directx
2016-07-29 03:05 - 2015-07-03 23:17 - 00004016 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-07-29 03:05 - 2015-07-03 23:17 - 00003764 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-07-26 23:47 - 2016-06-12 23:02 - 00000000 ____D C:\Users\Batuhan\AppData\Local\UnrealEngine
2016-07-26 23:46 - 2015-07-03 23:22 - 00000000 ____D C:\ProgramData\Package Cache
2016-07-26 14:24 - 2010-11-21 06:27 - 00504488 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
 
2015-12-15 21:55 - 2015-12-18 21:38 - 0000294 _____ () C:\Users\Batuhan\AppData\Roaming\BreakingPoint_Login.ini
2015-12-15 21:56 - 2015-12-18 22:01 - 0001427 _____ () C:\Users\Batuhan\AppData\Roaming\BreakingPoint_Options.ini
2016-04-16 04:50 - 2016-04-16 04:50 - 0000044 _____ () C:\Users\Batuhan\AppData\Roaming\twow_sysprepdt.dat
2015-08-31 21:47 - 2015-08-31 21:47 - 0000000 ___SH () C:\Users\Batuhan\AppData\Local\LumaEmu
2015-07-04 13:42 - 2016-08-17 13:45 - 0007610 _____ () C:\Users\Batuhan\AppData\Local\Resmon.ResmonCfg
2016-07-15 16:25 - 2016-07-15 16:25 - 0000000 ___SH () C:\ProgramData\.rdata
 
Some files in TEMP:
====================
C:\Users\Batuhan\AppData\Local\Temp\libeay32.dll
C:\Users\Batuhan\AppData\Local\Temp\msvcr120.dll
C:\Users\Batuhan\AppData\Local\Temp\SetupUtil.exe
C:\Users\Batuhan\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-08-18 15:49
 
==================== End of FRST.txt ============================
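Reading several hundred of these lines by eye is how responders miss things, so here is an added Python triage helper; it is not part of this thread and not FRST's own code. It parses the fixed-width file lines FRST writes in the created/modified and "Files in the root" sections and surfaces three kinds of entry a responder checks first: executables under C:\Windows whose parenthesised vendor field is blank (the pbsvc.exe and PnkBstrB.exe lines above), system+hidden files outside C:\Windows (the C:\ProgramData\.rdata line above), and executables sitting in the user's Temp folder. The vendor field is the name the file's version information claims, not a signature check, so every lead still needs its hash and Authenticode signature verified; PunkBuster, for instance, is a legitimately installed product on this machine. The sample input is copied from the log above, except the final Temp line, whose timestamps and size are constructed around a path taken from the "Some files in TEMP" list.

```python
"""Triage helper for the file lines in an FRST log (added example, not part
of this thread and not FRST's own code).

FRST prints created/modified files as fixed-width lines:
    <created> - <modified> - <size> <attrs> [(<vendor>)] <path>
where <attrs> is a five-character field such as ___SH or ____D and <vendor>
is the company name from the file's version information, which any binary
can claim.  The heuristics below only surface entries worth checking by hand.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<vendor>[^)]*)\) )?"      # optional "(Vendor) "; "()" means blank
    r"(?P<path>[A-Za-z]:\\.*)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str              # e.g. "___SH": S=system, H=hidden, D=directory, R=read-only
    vendor: Optional[str]   # None when FRST printed no vendor field at all
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXEC_EXT)

    @property
    def in_windows(self) -> bool:
        return self.path.lower().startswith("c:\\windows\\")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an FRST file line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]),
                 m["attrs"], m["vendor"], m["path"])


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) leads for an analyst to verify by hash/signature."""
    leads = []
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if e.is_executable and e.in_windows and not e.vendor:
            leads.append((e.path, "executable under C:\\Windows with no vendor name"))
        # Vendors often mark cache *directories* system+hidden, so only files count here.
        if not e.is_dir and "S" in e.attrs and "H" in e.attrs and not e.in_windows:
            leads.append((e.path, "system+hidden file outside C:\\Windows"))
        if e.is_executable and "\\appdata\\local\\temp\\" in e.path.lower():
            leads.append((e.path, "executable in the user's Temp folder"))
    return leads


def report(log_text: str) -> List[Tuple[str, str]]:
    """Run triage over a whole pasted FRST section; header lines are skipped."""
    return triage(log_text.splitlines())


# Lines copied from the FRST.txt posted above, plus one constructed Temp entry:
# the last line's timestamps and size are made up for this example (the path
# itself appears in the log's "Some files in TEMP" list).
SAMPLE_LOG = r"""
2016-08-10 15:54 - 2016-07-08 17:55 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-08-01 13:40 - 2016-08-01 13:40 - 00178800 _____ (Sony DADC Austria AG.) C:\Windows\SysWOW64\CmdLineExt_x64.dll
2016-08-01 13:35 - 2016-07-15 16:23 - 02250024 _____ C:\Windows\SysWOW64\pbsvc.exe
2016-08-01 13:35 - 2015-07-07 00:08 - 00107832 _____ C:\Windows\SysWOW64\PnkBstrB.exe
2016-08-05 19:17 - 2016-08-05 19:19 - 138404357 _____ C:\Users\Batuhan\Downloads\Arrow Heads_May27.zip
2016-08-01 12:08 - 2016-08-01 12:08 - 00023109 _____ C:\Users\Batuhan\Downloads\Far Cry 2 - Fortune's Edition (October 21, 2008).torrent
2016-08-23 15:56 - 2015-07-04 00:01 - 00000000 __SHD C:\Users\Batuhan\IntelGraphicsProfiles
2016-07-15 16:25 - 2016-07-15 16:25 - 0000000 ___SH () C:\ProgramData\.rdata
==================== One Month Modified files and folders ========
2016-08-20 10:00 - 2016-08-20 10:00 - 00045056 ____H C:\Users\Batuhan\AppData\Local\Temp\SetupUtil.exe
"""

if __name__ == "__main__":
    for path, reason in report(SAMPLE_LOG):
        print(f"{reason:48s} {path}")
```

The parser tolerates the 7- and 9-digit size fields FRST uses in different sections and parentheses inside a path (the Far Cry torrent line), and it returns the IntelGraphicsProfiles directory unflagged even though it is system+hidden, because the rule is deliberately limited to files. A path on the lead list is a prompt to look the hash up and check the signature, nothing more.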


#2 Jintan

  • Malware Response Team
  • 531 posts
  • Local time:08:10 PM

Posted 27 August 2016 - 04:21 PM

Hello kbatu,

The picture of the ESET log you linked to shows mostly hacked/cracked downloads, so since we deal with security issues here (you, me, software developers), please make sure we don't run into any of those installed.

You didn't post FRST's Additions.txt. If FRST did not create one, run it again, uncheck everything, but do check Additions.txt. A log will pop up - post that in your next reply.

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.

Once the opening scan finishes, click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

----------------

Download RogueKiller from here to your desktop.

    Close all open programs
    Remember to right click -> run as administrator, and click the downloaded file.

Agree to the language prompt, and place a check next to:

Install 32 and 64 bits versions (Recommended for Technicians).

Then click Next until you get to the Finish button, and click it. RogueKiller will then open.

Click the Start Scan button, then again the Start Scan button.

When the scan finishes click the Open Report button. Then click the Open TXT button. Save that report to your desktop, and post it back here please. For now just close RogueKiller.
 


Ad eundum quo no duck ante iit

#3 kbatu

  • Topic Starter
  • Members
  • 13 posts
  • Local time:03:10 AM

Posted 28 August 2016 - 09:00 AM

Hey. I uninstalled the cracked applications. Sorry for the missing file. I thought I had attached it to the post. Here is Additions.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21-08-2016 01
Ran by Batuhan (23-08-2016 22:03:03)
Running from C:\Users\Batuhan\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2015-07-03 19:54:35)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-4134522837-3305369566-1149214307-500 - Administrator - Disabled)
Batuhan (S-1-5-21-4134522837-3305369566-1149214307-1000 - Administrator - Enabled) => C:\Users\Batuhan
Guest (S-1-5-21-4134522837-3305369566-1149214307-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\...\uTorrent) (Version: 3.4.8.42449 - BitTorrent Inc.)
7-Zip 15.05 beta x64 (HKLM\...\7-Zip) (Version:  - )
Adobe Acrobat Reader DC - Turkish (HKLM-x32\...\{AC76BA86-7AD7-1055-7B44-AC0F074E4100}) (Version: 15.017.20053 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Arma 3 (HKLM\...\Steam App 107410) (Version:  - Bohemia Interactive)
Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 9.0 - Atheros)
Auto Mouse Click v13.1 (HKLM-x32\...\{F5E3859D-0720-41F0-BAF5-4CBCDFD8F406}_is1) (Version: 13.1 - MurGee.com)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Brawlhalla (HKLM\...\Steam App 291550) (Version:  - Blue Mammoth Games)
CCleaner (HKLM\...\CCleaner) (Version: 5.07 - Piriform)
Company of Heroes (New Steam Version) (HKLM\...\Steam App 228200) (Version:  - Relic)
Company of Heroes 2 (HKLM\...\Steam App 231430) (Version:  - Relic Entertainment)
Cosmic DJ (HKLM\...\Steam App 297110) (Version:  - Gl33k)
Counter-Strike: Global Offensive (HKLM\...\Steam App 730) (Version:  - Valve)
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 10.1.0.0074 - Disc Soft Ltd)
DayZ (HKLM\...\Steam App 221100) (Version:  - Bohemia Interactive)
Diablo III (HKLM-x32\...\Diablo III) (Version:  - Blizzard Entertainment)
Discord (HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\...\Discord) (Version: 0.0.295 - Hammer & Chisel, Inc.)
DiskCheckup v3.3 (HKLM-x32\...\DiskCheckup_is1) (Version: 3.3.1000 - PassMark Software)
Dota 2 (HKLM\...\Steam App 570) (Version:  - Valve)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Eurobattle.net (HKLM-x32\...\Eurobattle.net) (Version:  - Eurobattle.net)
f.lux (HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\...\Flux) (Version:  - )
Free Alarm Clock (HKLM-x32\...\{8ED5A2F1-338F-4608-8AF7-BCD1ADC1E1F7}_is1) (Version: 4.0.1.0 - Comfort Software Group)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 52.0.2743.116 - Google Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
Hearthstone (HKLM-x32\...\Hearthstone) (Version:  - Blizzard Entertainment)
Insurgency (HKLM\...\Steam App 222880) (Version:  - New World Interactive)
Intel® Driver Update Utility 2.0 (x32 Version: 2.0.0.29 - Intel) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4226 - Intel Corporation)
Intel® Driver Update Utility (HKLM-x32\...\{8409c4f7-2340-4933-a304-5d37db4fb48b}) (Version: 2.0.0.29 - Intel)
Killing Floor (HKLM\...\Steam App 1250) (Version:  - Tripwire Interactive)
Left 4 Dead 2 (HKLM\...\Steam App 550) (Version:  - Valve)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Men of War (HKLM\...\Steam App 7830) (Version:  - Best Way)
Microsoft .NET Framework 4.5.1 RC (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50861 - Microsoft Corporation)
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170) (HKLM-x32\...\{41785C66-90F2-40CE-8CB5-1C94BFC97280}) (Version: 3.5.30730.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24210 (HKLM-x32\...\{f144e08f-9cbe-4f09-9a8c-f2b858b7ee7f}) (Version: 14.0.24210.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24210 (HKLM-x32\...\{23658c02-145e-483d-ba6b-1eb82c580529}) (Version: 14.0.24210.0 - Microsoft Corporation)
Minecraft (HKLM-x32\...\{1C16BCA3-EBC1-49F6-8623-8FBFB9CCC872}) (Version: 1.0.3.0 - Mojang)
Mount & Blade: Warband (HKLM\...\Steam App 48700) (Version:  - TaleWorlds Entertainment)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.7.9.2 - Notepad++ Team)
NVIDIA GeForce Experience 2.4.5.44 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.4.5.44 - NVIDIA Corporation)
NVIDIA Graphics Driver 353.30 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 353.30 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{B455E95A-B804-439F-B533-336B1635AE97}) (Version: 9.14.0702 - NVIDIA Corporation)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
ORION: Prelude (HKLM\...\Steam App 104900) (Version:  - Spiral Game Studios)
Project Reality: BF2 (HKLM\...\Project Reality: BF2 (pr)_is1) (Version: v1.3 - Project Reality)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.986 - Even Balance, Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.50.1123.2011 - Realtek)
Rising Storm/Red Orchestra 2 Multiplayer (HKLM\...\Steam App 35450) (Version:  - Tripwire Interactive)
Rocket League (HKLM\...\Steam App 252950) (Version:  - Psyonix, Inc.)
Rust (HKLM\...\Steam App 252490) (Version:  - Facepunch Studios)
Sandboxie 5.12 (64-bit) (HKLM\...\Sandboxie) (Version: 5.12 - Sandboxie Holdings, LLC)
SHIELD Streaming (Version: 4.1.2000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.4.5.44 - NVIDIA Corporation) Hidden
Skype™ 7.10 (HKLM-x32\...\{6A0549A9-1B96-498C-ACBC-3943001FEB19}) (Version: 7.10.101 - Skype Technologies S.A.)
Spotify (HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\...\Spotify) (Version: 1.0.33.106.g60b5d1f0 - Spotify AB)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Stellaris (HKLM\...\Steam App 281990) (Version:  - Paradox Development Studio)
TeamSpeak 3 Client (HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\...\TeamSpeak 3 Client) (Version: 3.0.16 - TeamSpeak Systems GmbH)
The Elder Scrolls Online (HKLM-x32\...\The Elder Scrolls Online) (Version: 1.0.0.0 - Zenimax Online Studios)
The Elder Scrolls Online: Tamriel Unlimited (HKLM\...\Steam App 306130) (Version:  - Zenimax Online Studios)
UE4 Prerequisites (x64) (Version: 1.0.11.0 - Epic Games, Inc.) Hidden
UE4 Prerequisites (x64) (x32 Version: 1.0.13.0 - Epic Games, Inc.) Hidden
USB Network Joystick (HKLM-x32\...\{2A558A06-A44E-400D-95AD-D9FAA89AFD36}) (Version: V3.70a - )
USB Vibration Joystick (HKLM-x32\...\{4999B2F1-3E74-409A-B8B5-E94448AA9EA6}) (Version: 2007.01.01 - )
USB Vibration Wheel (BM) (HKLM-x32\...\{61A994FF-D39B-4937-9DB9-87EC4E91B316}) (Version: 1.00.0000 - ShanWan)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Warcraft III version 1.26a (HKLM-x32\...\{2F662157-53CB-41AA-815D-283B5E3E938E}_is1) (Version: 1.26a - )
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
Wireshark 1.12.7 (64-bit) (HKLM-x32\...\Wireshark) (Version: 1.12.7 - The Wireshark developer community, hxxp://www.wireshark.org)
World of Tanks (HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\...\{1EAC1D02-C6AC-4FA6-9A44-96258C37C812eu}_is1) (Version:  - Wargaming.net)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-4134522837-3305369566-1149214307-1000_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {46D9F005-C76B-4543-A855-9EA05E185BED} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-07-03] (Google Inc.)
Task: {46E2CCF8-F746-4D10-8C78-783E36FCFC68} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
Task: {6E7C69B5-3A03-4819-B594-0234F575EBE6} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe
Task: {71F86DC7-9DDE-476F-A060-43509811BDE1} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
Task: {BB1B7127-330D-4D25-958F-56AD8ECC9894} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-06-01] (Piriform Ltd)
Task: {BC162C56-E343-400F-B058-CA7760EFACD0} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-06-25] (Adobe Systems Incorporated)
Task: {CB7AF133-2450-40D2-ABB1-FAD39C7BD47D} - System32\Tasks\shutdown => C:\Windows\System32\shutdown.exe [2009-07-14] (Microsoft Corporation)
Task: {EB57E2DB-3036-492E-8652-04D2ABE39604} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-07-03] (Google Inc.)
Task: {F2A10539-42DF-4B41-AD1B-348279270FBE} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-08-15] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
Shortcut: C:\Users\Batuhan\AppData\Local\Microsoft\Windows\GameExplorer\{1089A16C-940B-48F0-A780-EEBF11D5A5A1}\SupportTasks\0\Support.lnk -> hxxp://microsoft.com/support/
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-04-15 23:13 - 2015-04-15 23:13 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2015-07-07 00:08 - 2016-07-15 16:23 - 00076152 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2015-07-07 00:08 - 2016-08-01 13:35 - 00107832 _____ () C:\Windows\SysWOW64\PnkBstrB.exe
2015-07-04 00:19 - 2015-06-17 09:48 - 00116368 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2016-08-23 22:01 - 2016-08-23 22:01 - 08742168 _____ () C:\Users\Batuhan\AppData\Local\NVIDIA\NvBackend\Packages\00009292\DAO.21080368.exe
2015-07-04 00:18 - 2015-06-17 12:10 - 00012104 _____ () C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll
2016-04-08 16:45 - 2016-08-09 02:27 - 00785920 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2016-04-08 16:45 - 2015-07-02 01:06 - 04962816 _____ () C:\Program Files (x86)\Steam\v8.dll
2016-04-08 16:45 - 2015-07-02 01:06 - 01556992 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2016-04-08 16:45 - 2015-07-02 01:06 - 01187840 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2016-04-08 16:45 - 2016-08-16 23:54 - 02321184 _____ () C:\Program Files (x86)\Steam\video.dll
2016-04-08 16:45 - 2016-01-27 10:49 - 02549760 _____ () C:\Program Files (x86)\Steam\libavcodec-56.dll
2016-04-08 16:45 - 2016-01-27 10:49 - 00442880 _____ () C:\Program Files (x86)\Steam\libavutil-54.dll
2016-04-08 16:45 - 2016-01-27 10:49 - 00491008 _____ () C:\Program Files (x86)\Steam\libavformat-56.dll
2016-04-08 16:45 - 2016-01-27 10:49 - 00332800 _____ () C:\Program Files (x86)\Steam\libavresample-2.dll
2016-04-08 16:45 - 2016-01-27 10:49 - 00485888 _____ () C:\Program Files (x86)\Steam\libswscale-3.dll
2016-04-08 16:45 - 2016-08-16 23:54 - 00835360 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2016-04-08 16:45 - 2016-07-05 01:17 - 00266560 _____ () C:\Program Files (x86)\Steam\openvr_api.dll
2016-04-08 16:45 - 2016-08-04 23:56 - 49825056 _____ () C:\Program Files (x86)\Steam\bin\libcef.dll
2016-04-08 16:45 - 2015-09-25 02:52 - 00119208 _____ () C:\Program Files (x86)\Steam\winh264.dll
2016-08-05 00:14 - 2016-08-03 03:24 - 01771336 _____ () C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\libglesv2.dll
2016-08-05 00:14 - 2016-08-03 03:23 - 00094024 _____ () C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\libegl.dll
2016-08-05 00:14 - 2016-08-03 02:54 - 17602240 _____ () C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\PepperFlash\pepflashplayer.dll
2015-07-04 00:19 - 2015-06-17 12:10 - 00011920 _____ () C:\Program Files (x86)\NVIDIA Corporation\Update Core\detoured.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\ProgramData\.rdata:X [526]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\07165830.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\07165830.sys => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 05:34 - 2016-03-08 22:17 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-4134522837-3305369566-1149214307-1000\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: Airties AirTouch Service => 2
MSCONFIG\Services: AirTouch Check Service => 2
MSCONFIG\Services: BEService => 3
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: SplashtopRemoteService => 2
MSCONFIG\Services: SSUService => 2
MSCONFIG\Services: Steam Client Service => 3
MSCONFIG\startupreg: DAEMON Tools Lite Automount => "C:\Program Files\DAEMON Tools Lite\DTAgent.exe" -autorun
MSCONFIG\startupreg: Discord => C:\Users\Batuhan\AppData\Local\Discord\app-0.0.291\Discord.exe
MSCONFIG\startupreg: f.lux => "C:\Users\Batuhan\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow
MSCONFIG\startupreg: LogMeIn Hamachi Ui => "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
MSCONFIG\startupreg: Spotify => "C:\Users\Batuhan\AppData\Roaming\Spotify\Spotify.exe" -autostart -minimized
MSCONFIG\startupreg: Spotify Web Helper => "C:\Users\Batuhan\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
MSCONFIG\startupreg: Steam => "C:\Program Files (x86)\Steam\steam.exe" -silent
MSCONFIG\startupreg: USB Gamepad => C:\Windows\USB Vibration\7906\USB Gamepad.exe -boot
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{D619B41F-8B1C-40C5-8D25-C4077FE2FC08}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{97737281-3876-4154-9ACD-BFD162D7C827}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{17D1EED0-5F81-4DDF-AFC3-BCD0937F671C}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{2C22CE89-7ED8-4E44-988D-F55EA8125AA9}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{21697A1A-D724-4939-B094-B8827F0242E4}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{51402E97-7B9E-4430-878A-967C080335D6}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{F0C72205-6F11-434C-ADEC-74C1B1775AAD}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{7E58A4EA-C554-48A8-A036-54969DE85F13}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{17181820-0152-4FD9-91AF-458A68862ECC}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{86691C24-66A5-4573-9E4D-7EE743CA82AF}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{5D304F85-1BEE-4029-B43D-9D2D7F85941B}] => (Allow) C:\Users\Batuhan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C36FA4B1-4C00-4239-8CC6-A827999F18D7}] => (Allow) C:\Users\Batuhan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{5FCDB8C3-2578-49B5-8A16-AFC30ABE9793}] => (Allow) C:\Users\Batuhan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{E51A6352-36D6-4486-B85D-5C566C88ED09}] => (Allow) C:\Users\Batuhan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{A512837A-F5F9-4570-972B-C7E6BDCBC154}] => (Allow) C:\Users\Batuhan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{FD360F09-F904-4272-98F4-B0274B57FAD8}] => (Allow) C:\Users\Batuhan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{3BD4E31F-E794-4138-A605-0D5D1FD0B6FA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{1BB9CC86-D8BC-402A-92D5-89C73D1637C2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{8A13D88B-6798-42AD-A98B-F57CB33DD10B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DayZ\DayZ_BE.exe
FirewallRules: [{F4325587-7B82-411F-9C84-66BE89A58588}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\DayZ\DayZ_BE.exe
FirewallRules: [TCP Query User{78524B72-736B-496A-A482-01DCBE053EF4}C:\program files (x86)\steam\steamapps\common\dayz\dayz.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\dayz\dayz.exe
FirewallRules: [UDP Query User{7C4515C5-376E-49D8-920B-43C0172FE074}C:\program files (x86)\steam\steamapps\common\dayz\dayz.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\dayz\dayz.exe
FirewallRules: [{BED3E1AA-BF62-4D31-BCA1-BB2831C26BDC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\FTL Faster Than Light\FTLGame.exe
FirewallRules: [{F33D6E30-3888-45EC-BA42-528880C618A0}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\FTL Faster Than Light\FTLGame.exe
FirewallRules: [{84599D01-D279-4A97-8EE6-E2DF0C5192AA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Natural Selection 2\NS2.exe
FirewallRules: [{F3CD9790-8448-4BFD-A483-39F601FE6593}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Natural Selection 2\NS2.exe
FirewallRules: [TCP Query User{A73B01F1-1CAB-4E12-921B-15594CBCEC89}C:\program files (x86)\steam\steamapps\common\america's army\aapg\binaries\win32\aagame.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\america's army\aapg\binaries\win32\aagame.exe
FirewallRules: [UDP Query User{E42D62FE-F01B-403F-9AF0-89293E389009}C:\program files (x86)\steam\steamapps\common\america's army\aapg\binaries\win32\aagame.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\america's army\aapg\binaries\win32\aagame.exe
FirewallRules: [{8EF68F51-0B5F-49CD-BCF2-565A86C4686C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Left 4 Dead 2\left4dead2.exe
FirewallRules: [{C5E4058B-652B-4564-8B58-7DF260461517}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Left 4 Dead 2\left4dead2.exe
FirewallRules: [{81021976-41D1-4C58-8643-8700319317BB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\CastleCrashers\castle.exe
FirewallRules: [{6C03AAEA-E901-4255-92B3-B2560E13C2E8}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\CastleCrashers\castle.exe
FirewallRules: [{9ECC3742-0ED8-42BC-BEFB-068AD6050A5F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\PAYDAY The Heist\payday_win32_release.exe
FirewallRules: [{C336801D-4272-47C8-BB6A-B79AC66383C3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\PAYDAY The Heist\payday_win32_release.exe
FirewallRules: [TCP Query User{56DDB180-C12D-4EAA-B723-6AA2E37EA8DB}C:\program files (x86)\steam\steamapps\common\rocketleague\binaries\win32\rocketleague.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\rocketleague\binaries\win32\rocketleague.exe
FirewallRules: [UDP Query User{FBDBF2DB-7194-4929-B237-95E0A3AE0531}C:\program files (x86)\steam\steamapps\common\rocketleague\binaries\win32\rocketleague.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\rocketleague\binaries\win32\rocketleague.exe
FirewallRules: [{7264BB13-1A04-4A27-829E-7FD8C1D38B93}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\MountBlade Warband\mb_warband.exe
FirewallRules: [{7EB0C9FB-9FE4-4281-9F76-0718B974972C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\MountBlade Warband\mb_warband.exe
FirewallRules: [{B7CE070E-BD4B-4D24-B218-45E74966A42D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Galactic Civilizations II - Ultimate Edition\Twilight\GC2TwilightOfTheArnor.exe
FirewallRules: [{E485FD09-5D2C-4B8A-AC5D-7680986D913B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Galactic Civilizations II - Ultimate Edition\Twilight\GC2TwilightOfTheArnor.exe
FirewallRules: [{A3405D0A-9ADC-46FB-A638-144A5F824A92}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ContraptionMaker\ContraptionMaker.exe
FirewallRules: [{069DFB91-D9C5-4B09-85D7-C8E860429715}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ContraptionMaker\ContraptionMaker.exe
FirewallRules: [{8C05EEC5-2192-416F-8A76-FE7AAA096D56}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win32\dota2.exe
FirewallRules: [{133EF384-01E6-4C1F-A8EF-D5EE8652E4AC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win32\dota2.exe
FirewallRules: [{C47C19DC-4302-42DA-B973-9B7603A8F57F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2cfg.exe
FirewallRules: [{7BF338B1-3E7C-4B2D-8945-E0D0B7F74B48}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2cfg.exe
FirewallRules: [{19F7CAEF-11E8-4ED2-B5CE-4A8CE7EF6330}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\America's Army\AAPG\Binaries\AALauncher32.exe
FirewallRules: [{3EE1F1AD-F9C1-48F8-8EFC-97F9AEE1AD0B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\America's Army\AAPG\Binaries\AALauncher32.exe
FirewallRules: [{5A38CFED-F49B-4100-A3B1-73268C53EED3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Arma 3\arma3launcher.exe
FirewallRules: [{81DC6E18-AC62-4FDF-BD3F-AA43D7222398}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Arma 3\arma3launcher.exe
FirewallRules: [{4E27004B-C334-4861-89D5-D16297EF4402}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Arma 2\arma2.exe
FirewallRules: [{CA65EAE5-7B39-4395-9333-D2A1AC295FB3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Arma 2\arma2.exe
FirewallRules: [{942A04AA-EEE3-4262-9E49-FCE1EC03700C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\dota.exe
FirewallRules: [{082781D4-ACE7-4704-913A-315F86565E1E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\dota.exe
FirewallRules: [{29783CA5-7C1C-4193-89E2-A6B58182697A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\RPG MO\nw.exe
FirewallRules: [{A999CD3B-C820-4D13-BFC4-4BC6ACB268BD}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\RPG MO\nw.exe
FirewallRules: [{4DB17EA3-F8C3-4E8F-9B72-835A83C49BB2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Rise_of_Incarnates\exe\roi.exe
FirewallRules: [{689CE65E-D14A-42D5-A89F-85F6A1ADDE57}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Rise_of_Incarnates\exe\roi.exe
FirewallRules: [TCP Query User{4E430B27-636E-4F18-85BC-A6EF82701755}C:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe] => (Block) C:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe
FirewallRules: [UDP Query User{2F4A5343-E9CE-4FB5-9FDF-805464FB376F}C:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe] => (Block) C:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe
FirewallRules: [TCP Query User{7419EFFF-F571-4DA8-B5D4-DABEC5F0EC8C}C:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe] => (Block) C:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe
FirewallRules: [UDP Query User{899EAFED-C9B9-4841-BF4D-09DDBCB3A0E8}C:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe] => (Block) C:\program files (x86)\2k games\gearbox software\borderlands\binaries\borderlands.exe
FirewallRules: [{C92C1D8E-7BEE-421B-89A7-57F97B6C0707}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\H1Z1\LaunchPad.exe
FirewallRules: [{5259B6A9-3FCD-45E8-ADB8-C0BFD3C815A4}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\H1Z1\LaunchPad.exe
FirewallRules: [TCP Query User{AF231EC4-B3CE-4A4E-9F86-D8FE2C76195E}C:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe
FirewallRules: [UDP Query User{35C6BD67-2373-4A77-95A8-387B5C5FAF21}C:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe
FirewallRules: [{C0E7617F-1270-4C41-91A7-87867812CDDD}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [{BF227E53-0315-4B49-98FA-6D02EE918D91}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [{2558ACD8-2161-4BA1-85BA-5D733AD266EB}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{7807D689-AD80-43AD-8B96-4A456A22BD2A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Poker Night at the Inventory\CelebrityPoker.exe
FirewallRules: [{2D0DC9E7-E260-4F83-BF18-7E8D8065FFF9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Poker Night at the Inventory\CelebrityPoker.exe
FirewallRules: [{836D1873-5431-40C6-B120-E78C5B3D840D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Dungeon Defenders 2\DunDefLauncher.exe
FirewallRules: [{66DB9381-8849-45BB-BF09-9F8F0D3DBED2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Dungeon Defenders 2\DunDefLauncher.exe
FirewallRules: [{AFCEE8A6-0FAE-446E-AC91-8DC7D75D262C}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\games\Rainbow Six Siege - Closed Beta\RainbowSix.exe
FirewallRules: [{48587861-F2DF-4EB8-AE9A-74CB3836AA20}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\games\Rainbow Six Siege - Closed Beta\RainbowSix.exe
FirewallRules: [TCP Query User{BA3730D0-41C6-45C1-98A5-88E96304A5A9}C:\users\batuhan\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\batuhan\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{FBB77FE0-7919-461B-A431-D5661393F740}C:\users\batuhan\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\batuhan\appdata\roaming\spotify\spotify.exe
FirewallRules: [{05A1ACF3-5AE8-4425-9846-9096DF5C44AB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Crypt of the NecroDancer\NecroDancer.exe
FirewallRules: [{4D661F3C-0612-48E9-A62C-4E4F947B50C1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Crypt of the NecroDancer\NecroDancer.exe
FirewallRules: [{3D9EC3A2-A18A-4085-99A0-0D871C02E9B9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\strife\bin\strife.exe
FirewallRules: [{5216E9D1-FD9F-4F5D-87D8-4CFC67D5009B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\strife\bin\strife.exe
FirewallRules: [{940440F7-CC43-4339-BC8E-45126E356A43}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\MortalKombat_KompleteEdition\DiscContentPC\MKKE.exe
FirewallRules: [{3A07748B-E232-457B-8438-2A29A9A82E57}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\MortalKombat_KompleteEdition\DiscContentPC\MKKE.exe
FirewallRules: [{E4084295-9FF9-4F3B-894D-76AEFCF3190E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\MortalKombat_KompleteEdition\DiscContentPC\MKLauncher.exe
FirewallRules: [{6A0537EA-99DE-4CDC-9D66-01BCC8911F75}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\MortalKombat_KompleteEdition\DiscContentPC\MKLauncher.exe
FirewallRules: [TCP Query User{296A2BB9-4003-45FC-B55A-ECA9F76272B2}C:\program files (x86)\steam\steamapps\common\arma 3\arma3.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\arma 3\arma3.exe
FirewallRules: [UDP Query User{C96847F8-FD4E-416F-AFFF-A0C40B808044}C:\program files (x86)\steam\steamapps\common\arma 3\arma3.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\arma 3\arma3.exe
FirewallRules: [{F7C2D19F-72D4-44FB-9C39-2DB12FAD05DC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe
FirewallRules: [{123B86BA-F061-4ED0-8780-CC41E9E5AA7E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe
FirewallRules: [{99405BA3-E84D-4564-A739-847E016F203A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\The Beginners Guide\beginnersguide.exe
FirewallRules: [{12C6065D-6C9E-4CF7-8D1F-C5F97368A16B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\The Beginners Guide\beginnersguide.exe
FirewallRules: [{E105EA7C-BE09-41FD-BA99-1A02FFE2047F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Star Wars Battlefront II\GameData\BattlefrontII.exe
FirewallRules: [{C65284BC-01E2-4417-873B-6CCB2D447BDB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Star Wars Battlefront II\GameData\BattlefrontII.exe
FirewallRules: [{E2810E8C-7CD7-4293-8D13-ADD7E4D16AF5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Rust\Rust.exe
FirewallRules: [{5B4EEB3F-91CF-4B15-A58C-549D0759EE27}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Rust\Rust.exe
FirewallRules: [TCP Query User{B088F6A6-C281-4542-AD16-42176FB4CD6F}C:\program files (x86)\hearthstone\hearthstone.exe] => (Allow) C:\program files (x86)\hearthstone\hearthstone.exe
FirewallRules: [UDP Query User{C9106000-696B-498C-9403-6C70E641AEE5}C:\program files (x86)\hearthstone\hearthstone.exe] => (Allow) C:\program files (x86)\hearthstone\hearthstone.exe
FirewallRules: [TCP Query User{811331F2-95E0-43A2-988D-DCB0BF39F476}C:\program files (x86)\heroes of the storm\versions\base39951\heroesofthestorm_x64.exe] => (Allow) C:\program files (x86)\heroes of the storm\versions\base39951\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{44D3D3E1-9AB3-4189-849A-0687D00EF9D1}C:\program files (x86)\heroes of the storm\versions\base39951\heroesofthestorm_x64.exe] => (Allow) C:\program files (x86)\heroes of the storm\versions\base39951\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{23C0DBF6-F332-4A32-9F05-8C34CBF345E3}C:\program files (x86)\heroes of the storm\versions\base39951\heroesofthestorm.exe] => (Allow) C:\program files (x86)\heroes of the storm\versions\base39951\heroesofthestorm.exe
FirewallRules: [UDP Query User{D977748C-D014-4F7D-A87A-93CFB8FC2D7D}C:\program files (x86)\heroes of the storm\versions\base39951\heroesofthestorm.exe] => (Allow) C:\program files (x86)\heroes of the storm\versions\base39951\heroesofthestorm.exe
FirewallRules: [TCP Query User{FDDD0F37-C139-49AA-AD3A-32B29504088A}C:\program files (x86)\diablo iii\diablo iii.exe] => (Allow) C:\program files (x86)\diablo iii\diablo iii.exe
FirewallRules: [UDP Query User{8CD8093E-C5D1-4200-A57A-79E71E255403}C:\program files (x86)\diablo iii\diablo iii.exe] => (Allow) C:\program files (x86)\diablo iii\diablo iii.exe
FirewallRules: [{6D10E89E-7B28-438F-8D80-5277203E7BC7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Company of Heroes 2\RelicCoH2.exe
FirewallRules: [{CDA5C004-84FF-4C3F-B6E3-5C3B525C51F0}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Company of Heroes 2\RelicCoH2.exe
FirewallRules: [TCP Query User{4683604B-0795-4327-9BDD-5E56B7429B5D}C:\program files (x86)\city car driving\bin\win32\starter.exe] => (Block) C:\program files (x86)\city car driving\bin\win32\starter.exe
FirewallRules: [UDP Query User{1614DD39-7358-4687-AB73-0DAE8043F11A}C:\program files (x86)\city car driving\bin\win32\starter.exe] => (Block) C:\program files (x86)\city car driving\bin\win32\starter.exe
FirewallRules: [TCP Query User{9133535F-CF05-4B63-9171-2CEDA2E621B4}C:\users\batuhan\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\batuhan\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{E0CA06C0-495A-4B0E-B7FC-91B1B7030399}C:\users\batuhan\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\batuhan\appdata\roaming\spotify\spotify.exe
FirewallRules: [{261ABDA5-8532-4A88-910F-E655AB7D07DD}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\insurgency2\insurgency.exe
FirewallRules: [{91E9DC41-D9F9-4DCD-B2A6-6C83512B1DA5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\insurgency2\insurgency.exe
FirewallRules: [{C358D04D-DC58-47BE-841C-50D873AF9588}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ArcheAge\GlyphClient.exe
FirewallRules: [{8B551ED0-F0F5-4408-A67C-D5A2BA3B4961}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\ArcheAge\GlyphClient.exe
FirewallRules: [TCP Query User{2FDDC5C2-324F-4C5E-87AB-1D045B4CEC2D}C:\users\batuhan\desktop\sw\tamrielonline_live_server.exe] => (Allow) C:\users\batuhan\desktop\sw\tamrielonline_live_server.exe
FirewallRules: [UDP Query User{C6D6BD50-6E6A-41F1-83C7-E4244D39537A}C:\users\batuhan\desktop\sw\tamrielonline_live_server.exe] => (Allow) C:\users\batuhan\desktop\sw\tamrielonline_live_server.exe
FirewallRules: [{D345CF57-EF71-4DDC-9793-2E0E28E0BF4E}] => (Block) C:\users\batuhan\desktop\sw\tamrielonline_live_server.exe
FirewallRules: [{7D6B0B77-3E17-415F-A2B7-E71871EFD165}] => (Block) C:\users\batuhan\desktop\sw\tamrielonline_live_server.exe
FirewallRules: [{68B84968-1F75-4A52-BE34-DE4EFB8096B9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\divine_divinity\div.exe
FirewallRules: [{F37A85A9-42D2-429C-96B8-4386AE1DCB38}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\divine_divinity\div.exe
FirewallRules: [{1B25B985-9BAC-42A6-9EFA-A40795B4A835}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\divine_divinity\configtool.exe
FirewallRules: [{F51E4887-0C25-478C-9423-973CCAEF8C9E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\divine_divinity\configtool.exe
FirewallRules: [TCP Query User{7FE4C961-9130-4FA1-AA75-A395AECAD22A}C:\program files (x86)\warcraft iii\war3.exe] => (Allow) C:\program files (x86)\warcraft iii\war3.exe
FirewallRules: [UDP Query User{BE0D8BD5-A67B-4CA5-82B3-8FE288176778}C:\program files (x86)\warcraft iii\war3.exe] => (Allow) C:\program files (x86)\warcraft iii\war3.exe
FirewallRules: [TCP Query User{F4FBE0BF-06FA-4212-9F96-67A1D3D69AAD}C:\program files (x86)\eurobattle.net\gproxy.exe] => (Allow) C:\program files (x86)\eurobattle.net\gproxy.exe
FirewallRules: [UDP Query User{149A1FCD-6CB4-4137-A95D-4C8E5C231594}C:\program files (x86)\eurobattle.net\gproxy.exe] => (Allow) C:\program files (x86)\eurobattle.net\gproxy.exe
FirewallRules: [TCP Query User{9A5CA8DD-1B1D-46C7-A8B0-39E2FC80EA78}C:\program files (x86)\steam\steamapps\common\planetside 2\planetside2_x64.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\planetside 2\planetside2_x64.exe
FirewallRules: [UDP Query User{DAF49AE3-CDA9-4210-AE30-5C97E9BAA75F}C:\program files (x86)\steam\steamapps\common\planetside 2\planetside2_x64.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\planetside 2\planetside2_x64.exe
FirewallRules: [{73D76808-A4FB-4DF9-8050-D261133E9310}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Stellaris\stellaris.exe
FirewallRules: [{E6C79FE9-C8A2-4FEC-8143-195BB27C87AD}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Stellaris\stellaris.exe
FirewallRules: [{D885B10A-08E2-40E3-8B15-79D8D5817886}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Brawlhalla\Brawlhalla.exe
FirewallRules: [{FDB333DE-2605-4720-8469-A77E55BABD43}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Brawlhalla\Brawlhalla.exe
FirewallRules: [{8BB51B2D-8DBE-43DB-B053-42678328E741}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Zenimax Online\zosSteamStarter.exe
FirewallRules: [{8D29DC31-AF65-468F-A678-6B1D59FC2E7E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Zenimax Online\zosSteamStarter.exe
FirewallRules: [TCP Query User{C476BF65-12E6-406B-83A9-5556C85F518C}C:\users\batuhan\appdata\local\temp\i1465037727\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\batuhan\appdata\local\temp\i1465037727\windows\resource\jre\bin\javaw.exe
FirewallRules: [UDP Query User{3912B639-2CBF-49DE-BD39-B0571A80FFF9}C:\users\batuhan\appdata\local\temp\i1465037727\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\batuhan\appdata\local\temp\i1465037727\windows\resource\jre\bin\javaw.exe
FirewallRules: [TCP Query User{6BE68A0A-507E-432B-929B-63322E193783}C:\users\batuhan\downloads\tjoc-r-alpha-0.0.6\tjoc\windowsnoeditor\engine\binaries\win64\ue4game-win64-shipping.exe] => (Block) C:\users\batuhan\downloads\tjoc-r-alpha-0.0.6\tjoc\windowsnoeditor\engine\binaries\win64\ue4game-win64-shipping.exe
FirewallRules: [UDP Query User{EB2F2148-FE65-4A10-A66D-A68FC0AFA75D}C:\users\batuhan\downloads\tjoc-r-alpha-0.0.6\tjoc\windowsnoeditor\engine\binaries\win64\ue4game-win64-shipping.exe] => (Block) C:\users\batuhan\downloads\tjoc-r-alpha-0.0.6\tjoc\windowsnoeditor\engine\binaries\win64\ue4game-win64-shipping.exe
FirewallRules: [TCP Query User{69B15713-302C-45FD-AD1C-C118335F729F}C:\program files (x86)\steam\steamapps\common\arma 3\arma3.exe] => (Block) C:\program files (x86)\steam\steamapps\common\arma 3\arma3.exe
FirewallRules: [UDP Query User{9E7007E6-B1BD-481B-9808-E4324B523076}C:\program files (x86)\steam\steamapps\common\arma 3\arma3.exe] => (Block) C:\program files (x86)\steam\steamapps\common\arma 3\arma3.exe
FirewallRules: [{B9AB5EB7-88BB-423D-99B6-201A62EE6453}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Company of Heroes Relaunch\RelicCOH.exe
FirewallRules: [{9AE263B2-2695-4076-A661-ED8D60856F8B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Company of Heroes Relaunch\RelicCOH.exe
FirewallRules: [{EBC5F484-01E6-4416-886F-B25367E77E4F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\KillingFloor\System\KillingFloor.exe
FirewallRules: [{437AD7E6-7BE0-47DE-B51F-38C43D4567A6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\KillingFloor\System\KillingFloor.exe
FirewallRules: [{BF7286D9-36CD-48E8-92D8-5204599D894B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Red Orchestra 2\Binaries\Win32\ROGame.exe
FirewallRules: [{F6844D64-EC6A-4A97-B939-710C0E230D99}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Red Orchestra 2\Binaries\Win32\ROGame.exe
FirewallRules: [{F0B64CA8-92E0-4C94-831B-E45D2913853B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\rocketleague\Binaries\Win32\RocketLeague.exe
FirewallRules: [{62B34793-2893-4648-9AEE-B9C742F823A5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\rocketleague\Binaries\Win32\RocketLeague.exe
FirewallRules: [{6458B7A7-D920-4130-B16B-83EA592D3F73}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Men of War\mow.exe
FirewallRules: [{6D8A2FD3-B0D8-4ECE-BAD7-08C143F34AB9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Men of War\mow.exe
FirewallRules: [{EA9F0C33-23F6-4BF1-90EA-316AF0BF3B85}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Men of War\mow_editor.exe
FirewallRules: [{D80AAD82-B6FE-442B-A982-D9CBB8DF8635}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Men of War\mow_editor.exe
FirewallRules: [TCP Query User{BE4D29A3-A9B5-43C8-A902-7FAD344BF1C8}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{486E4C6B-A1F0-44A6-8DE9-ED5E40172749}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [{D6E7F8BC-4C90-4599-93C4-DB2E52C5DEA7}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{29F87DED-06E1-43BF-8386-84F631FDFCA7}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{6D528045-3EF8-4C26-A7CF-527C8686E289}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{C2DB49A4-60E6-4304-BF1C-422123E664EC}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{29AC39D0-5A9F-4451-8ED0-8098B0ACF4C9}] => (Allow) C:\Program Files (x86)\Project Reality\Project Reality BF2\prbf2.exe
FirewallRules: [{D943655B-D0A4-4DB8-B8C8-4533EF915ADC}] => (Allow) C:\Program Files (x86)\Project Reality\Project Reality BF2\mods\pr\bin\PRLauncher.exe
FirewallRules: [{D16C2EAA-047E-4E8B-9319-4640CEE4F581}] => (Allow) C:\Program Files (x86)\Project Reality\Project Reality BF2\mods\pr\bin\PRUpdater.exe
FirewallRules: [{0B55D6C9-8751-4E76-9549-A461E2DAB6EB}] => (Allow) C:\Program Files (x86)\Project Reality\Project Reality BF2\mods\pr\bin\PRMumble\PRMumble.exe
FirewallRules: [{54603BE2-A754-4599-A62F-3F5CD7635E7F}] => (Allow) C:\Program Files (x86)\Electronic Arts\Need for Speed™ Hot Pursuit\Launcher.exe
FirewallRules: [{59588CBD-46ED-45A7-82C8-C5118D82668D}] => (Allow) C:\Program Files (x86)\Electronic Arts\Need for Speed™ Hot Pursuit\Launcher.exe
FirewallRules: [TCP Query User{B7E00527-98FD-4A4D-8966-F6324EDAE57A}C:\program files (x86)\electronic arts\need for speed™ hot pursuit\nfs11.exe] => (Block) C:\program files (x86)\electronic arts\need for speed™ hot pursuit\nfs11.exe
FirewallRules: [UDP Query User{BD70AE3B-985B-4B03-B925-0EBA3AFECA6E}C:\program files (x86)\electronic arts\need for speed™ hot pursuit\nfs11.exe] => (Block) C:\program files (x86)\electronic arts\need for speed™ hot pursuit\nfs11.exe
FirewallRules: [TCP Query User{9E152B04-35D8-45FC-8F8B-D80087B074BF}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{EEFB62D4-E57A-46DB-BEAE-0EE17C943399}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [TCP Query User{B90FAEFA-137B-45A3-B8A0-2C1C820ACB0A}C:\program files (x86)\electronic arts\need for speed™ hot pursuit\nfs11.exe] => (Block) C:\program files (x86)\electronic arts\need for speed™ hot pursuit\nfs11.exe
FirewallRules: [UDP Query User{C0D4AD1B-FB31-495C-8896-21B3FABD94C0}C:\program files (x86)\electronic arts\need for speed™ hot pursuit\nfs11.exe] => (Block) C:\program files (x86)\electronic arts\need for speed™ hot pursuit\nfs11.exe
FirewallRules: [TCP Query User{67948543-6852-4040-97D3-9B0818B1CD09}C:\program files (x86)\steam\steamapps\common\space\spacegame\binaries\win64\spserver.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\space\spacegame\binaries\win64\spserver.exe
FirewallRules: [UDP Query User{6919AE55-AC3B-4D33-AE64-70D57E688DA4}C:\program files (x86)\steam\steamapps\common\space\spacegame\binaries\win64\spserver.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\space\spacegame\binaries\win64\spserver.exe
FirewallRules: [{14090801-4540-4B4A-B779-9222BC8D546F}] => (Block) C:\program files (x86)\steam\steamapps\common\space\spacegame\binaries\win64\spserver.exe
FirewallRules: [{77D3A21C-0E5D-4E68-80D4-6765D7C7AE09}] => (Block) C:\program files (x86)\steam\steamapps\common\space\spacegame\binaries\win64\spserver.exe
FirewallRules: [{1E08D8D2-3FF0-4C8E-B1E3-6ED1FD985C13}] => (Allow) C:\Games\World_of_Tanks\WoTLauncher.exe
FirewallRules: [{5B91817E-7BB5-47DF-A491-35D928483A61}] => (Allow) C:\Games\World_of_Tanks\WoTLauncher.exe
FirewallRules: [{DC770ECF-CD58-4E9E-9863-35B583681458}] => (Allow) C:\Games\World_of_Tanks\worldoftanks.exe
FirewallRules: [{FE46C4CD-03B0-4309-8353-38CA641CEF1F}] => (Allow) C:\Games\World_of_Tanks\worldoftanks.exe
FirewallRules: [{23935C17-C5E8-42D9-9ED8-F8FAA1E317A5}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{CB09A1A7-8A16-426F-8CA4-0237193DD4AE}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{4B53FD72-CFC4-4046-AFFB-0CE1D658312F}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{C2437A31-AA53-4DEE-B871-1CA7EE811758}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{54CFF355-2EEE-492B-92A1-3CF2D109E31C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Orion Dino Beatdown\Binaries\Win32\DinoHordeGame.exe
FirewallRules: [{E6D73A03-C6BB-4CB2-85ED-923C8B0388B3}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Orion Dino Beatdown\Binaries\Win32\DinoHordeGame.exe
FirewallRules: [{399C92C7-8980-412E-BD5B-F14ECB106FE8}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{1D9252A2-7750-4FA4-837E-76860FDEE28A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Space\spacegame\Binaries\Win64\Fractured Space.exe
FirewallRules: [{42782EF1-FA5E-4EF5-8EA9-5827FDCFCD1F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Space\spacegame\Binaries\Win64\Fractured Space.exe
FirewallRules: [{2BF495E0-43DB-4EB8-A3F5-B47B21108774}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Cosmic DJ\CosmicDJ.exe
FirewallRules: [{6FA9978F-F54A-479B-9496-CBF79C015590}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Cosmic DJ\CosmicDJ.exe
 
==================== Restore Points =========================
 
22-08-2016 22:02:25 Removed Need for Speed™ Hot Pursuit
23-08-2016 11:46:13 Windows Update
23-08-2016 11:51:39 Removed Splashtop Streamer.
23-08-2016 11:54:01 Removed LogMeIn Hamachi
23-08-2016 16:01:58 JRT Pre-Junkware Removal
 
==================== Faulty Device Manager Devices =============
 
Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/23/2016 04:08:54 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
Error: (08/23/2016 04:08:51 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
Error: (08/23/2016 03:57:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/23/2016 03:03:56 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
Error: (08/23/2016 03:03:26 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
Error: (08/23/2016 11:41:41 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/23/2016 12:31:52 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
Error: (08/22/2016 10:09:58 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
 
Error: (08/22/2016 09:55:43 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (08/22/2016 09:40:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (08/23/2016 06:11:16 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275 = This driver has been blocked from loading
 
Error: (08/23/2016 06:11:16 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Batuhan\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (08/23/2016 06:11:15 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275 = This driver has been blocked from loading
 
Error: (08/23/2016 06:11:15 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Batuhan\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (08/23/2016 06:11:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275 = This driver has been blocked from loading
 
Error: (08/23/2016 06:11:14 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Batuhan\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (08/23/2016 06:11:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275 = This driver has been blocked from loading
 
Error: (08/23/2016 06:11:14 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Batuhan\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (08/23/2016 06:11:13 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275 = This driver has been blocked from loading
 
Error: (08/23/2016 06:11:13 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Batuhan\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
 
CodeIntegrity:
===================================
  Date: 2016-03-08 21:17:02.752
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ratata\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2016-03-08 21:17:02.721
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ratata\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3210M CPU @ 2.50GHz
Percentage of memory in use: 40%
Total physical RAM: 5925.54 MB
Available physical RAM: 3514.92 MB
Total Virtual: 11849.25 MB
Available Virtual: 9510.84 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:465.66 GB) (Free:92.31 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: BCDD0307)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

Here is GMER log.

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-28 16:32:06
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM012_HN-M500MBB rev.2AR10002 465,76GB
Running: z7t6grnp.exe; Driver: C:\Users\Batuhan\AppData\Local\Temp\fwdiyfog.sys
 
 
---- User code sections - GMER 2.2 ----
 
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82                         00000000700617fa 2 bytes CALL 768611a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88                     0000000070061860 2 bytes CALL 768611a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98                   0000000070061942 2 bytes JMP 74c96da1 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109                  000000007006194d 2 bytes JMP 74c9e8de C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17           0000000076841401 2 bytes JMP 7688b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17             0000000076841419 2 bytes JMP 7688b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17           0000000076841431 2 bytes JMP 769090f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42           000000007684144a 2 bytes CALL 768648ad C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                      * 9
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17              00000000768414dd 2 bytes JMP 769089ea C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17       00000000768414f5 2 bytes JMP 76908bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17              000000007684150d 2 bytes JMP 769088e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17       0000000076841525 2 bytes JMP 76908caa C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17             000000007684153d 2 bytes JMP 7687fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                  0000000076841555 2 bytes JMP 76886937 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17           000000007684156d 2 bytes JMP 769091a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17             0000000076841585 2 bytes JMP 76908d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                000000007684159d 2 bytes JMP 769088a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17             00000000768415b5 2 bytes JMP 7687fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17           00000000768415cd 2 bytes JMP 7688b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20       00000000768416b2 2 bytes JMP 7690906c C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31       00000000768416bd 2 bytes JMP 76908839 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82                         00000000700617fa 2 bytes CALL 768611a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88                     0000000070061860 2 bytes CALL 768611a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98                   0000000070061942 2 bytes JMP 74c96da1 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109                  000000007006194d 2 bytes JMP 74c9e8de C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17           0000000076841401 2 bytes JMP 7688b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17             0000000076841419 2 bytes JMP 7688b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17           0000000076841431 2 bytes JMP 769090f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42           000000007684144a 2 bytes CALL 768648ad C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                      * 9
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17              00000000768414dd 2 bytes JMP 769089ea C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17       00000000768414f5 2 bytes JMP 76908bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17              000000007684150d 2 bytes JMP 769088e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17       0000000076841525 2 bytes JMP 76908caa C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17             000000007684153d 2 bytes JMP 7687fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17                  0000000076841555 2 bytes JMP 76886937 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17           000000007684156d 2 bytes JMP 769091a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17             0000000076841585 2 bytes JMP 76908d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17                000000007684159d 2 bytes JMP 769088a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17             00000000768415b5 2 bytes JMP 7687fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17           00000000768415cd 2 bytes JMP 7688b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20       00000000768416b2 2 bytes JMP 7690906c C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrB.exe[2520] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31       00000000768416bd 2 bytes JMP 76908839 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW          0000000076861f0e 7 bytes JMP 00000000746a3990
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\kernel32.dll!RegSetValueExW            0000000076865bad 7 bytes JMP 00000000746a3fd0
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\kernel32.dll!RegSetValueExA            0000000076871431 7 bytes JMP 00000000746a3be0
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW           000000007687ea85 7 bytes JMP 00000000746a3980
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx   000000007690906c 7 bytes JMP 00000000746a34d0
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation   00000000769090f1 5 bytes JMP 00000000746a3580
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW     0000000076909447 5 bytes JMP 00000000746a34e0
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW        0000000076cc1e4c 5 bytes JMP 00000000746a3490
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW      0000000076cc1efa 5 bytes JMP 00000000746a3450
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW          0000000076cc2bdc 5 bytes JMP 00000000746a3590
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary             0000000076cc2e7e 5 bytes JMP 00000000746a32a0
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList     000000007505e74f 5 bytes JMP 00000000746a2ad0
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo       000000007505e989 5 bytes JMP 00000000746a2ae0
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\USER32.dll!CreateWindowExW             00000000751c8a39 5 bytes JMP 00000000746a29b0
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA         00000000751d4582 5 bytes JMP 00000000746a3220
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW         00000000751ee587 5 bytes JMP 00000000746a3290
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW    00000000752108ab 5 bytes JMP 00000000746a2830
.text  C:\Users\Batuhan\Downloads\z7t6grnp.exe[3348] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo  0000000075227b24 5 bytes JMP 00000000746a3210
 
---- Registry - GMER 2.2 ----
 
Reg    HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e8039a8c610b                              
Reg    HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e8039a8c610b (not active ControlSet)          
 
---- EOF - GMER 2.2 ----


#4 kbatu

kbatu
  • Topic Starter

  • Members
  • 13 posts

Posted 28 August 2016 - 09:01 AM

Finally Roguekiller log which found some stuff.

 

RogueKiller V12.5.1.0 (x64) [Aug 22 2016] (Ücretsiz) by Adlice Software
 
İşletim Sistemi : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
-de başlatıldı : Normal mod
Kullanıcı : Batuhan [Yönetici]
-den başlatıldı : C:\Program Files\RogueKiller\RogueKiller64.exe
Mod : Tarama -- Tarih : 08/28/2016 16:33:30 (Duration : 00:18:34)
 
¤¤¤ İşlemler : 0 ¤¤¤
 
¤¤¤ Kayıt : 5 ¤¤¤
[Suspicious.Path|Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fwdiyfog (\??\C:\Users\Batuhan\AppData\Local\Temp\fwdiyfog.sys) -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fwdiyfog (\??\C:\Users\Batuhan\AppData\Local\Temp\fwdiyfog.sys) -> Bulundu
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6A6C2B52-3C29-45D1-A009-9C652E715E06} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Bulundu
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6A6C2B52-3C29-45D1-A009-9C652E715E06} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Bulundu
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{6A6C2B52-3C29-45D1-A009-9C652E715E06} | DhcpNameServer : 192.168.1.1 0.0.0.0 ([-][])  -> Bulundu
 
¤¤¤ Görevler : 0 ¤¤¤
 
¤¤¤ Dosyalar : 0 ¤¤¤
 
¤¤¤ Host Dosyaları : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Yüklendi) ¤¤¤
 
¤¤¤ Web tarayıcıları : 0 ¤¤¤
 
¤¤¤ MBR Kontrol : ¤¤¤
+++++ PhysicalDrive0: ST500LM012 HN-M500MBB ATA Device +++++
--- User ---
[MBR] a952b4078b695c5322f3a08b999de5ab
[BSP] 800bf1b818e6dc682d46714233caec26 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


#5 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 28 August 2016 - 06:09 PM

RogueKiller finds some local DNS settings and Gmer, and Gmer finds altered PunkBuster kernel text, but also finds Gmer's as well. I have never seen Gmer show Gmer like that. Gmer seeing its own malware hooks?

 

Run Gmer again. After the initial scan finishes, click on the >>> at the top, then click the Processes tab. Does it show any blank (empty) entries, or entries similar to 32*.exe?


Ad eundum quo no duck ante iit

#6 kbatu

kbatu
  • Topic Starter

  • Members
  • 13 posts

Posted 28 August 2016 - 07:37 PM

Hi. First of all, the initial scan found some threads which it didn't before. (Probably because the junk removal tool closed all running processes, but I don't know.) Here is what it found.

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-29 03:30:07
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM012_HN-M500MBB rev.2AR10002 465,76GB
Running: z7t6grnp.exe; Driver: C:\Users\Batuhan\AppData\Local\Temp\fwdiyfog.sys
 
 
---- Threads - GMER 2.2 ----
 
Thread  C:\Windows\System32\svchost.exe [1088:2420]                     000007fef67b9688
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [3796:3204]  000007fefb442b1c
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [3796:3852]  000007fef7f45124
 
---- EOF - GMER 2.2 ----
 
 
Also, you asked whether GMER found empty entries in the Processes tab after the initial scan. Yes, there are many of them. Some have names while some have random number-letter names. Not sure how to send it to you though.
 
 
Edit
I used GMER in the past too. Maybe it found the old ones? 
 
Edit2
Just found out I was looking at the Services tab.
There are some .exe*32 processes. I am listing them.
armsvc.exe*32
NvsNetworkService.exe*32
PnkBstrA.exe*32
PnkBstrB.exe*32
NvBackend.exe*32
z7t6grnp.exe*32
some chrome.exe*32's

Edited by kbatu, 28 August 2016 - 07:43 PM.


#7 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 29 August 2016 - 04:26 PM

In the Gmer processes, I was looking more for actual blank spaces, such as this:

 

[image 62z77Hp.png: Gmer Processes tab showing blank entries]

 

Processes, with nothing listed. Please do not run things such as Junk Remover unless we discuss it here first. If the Gmer scan log you posted was done after running something like Junk Remover, without a reboot before running Gmer, please reboot and run Gmer again. The log you posted shows it finding a svchost.exe thread hook, which could be malware.


Ad eundum quo no duck ante iit

#8 kbatu

kbatu
  • Topic Starter

  • Members
  • 13 posts

Posted 29 August 2016 - 05:02 PM

I just restarted my computer. GMER didn't find any blank processes or any threads like last time.



#9 kbatu

kbatu
  • Topic Starter

  • Members
  • 13 posts

Posted 29 August 2016 - 05:04 PM

Wow. Just now I made a third scan to be sure and there are 2 threads.

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-30 01:03:46
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM012_HN-M500MBB rev.2AR10002 465,76GB
Running: z7t6grnp.exe; Driver: C:\Users\Batuhan\AppData\Local\Temp\fwdiyfog.sys
 
 
---- Threads - GMER 2.2 ----
 
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1348:3772]  000007fefbce2b1c
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1348:4188]  000007fef7865124
 
---- EOF - GMER 2.2 ----
 
-Edit-
And they vanished again...

Edited by kbatu, 29 August 2016 - 05:07 PM.


#10 kbatu

kbatu
  • Topic Starter

  • Members
  • 13 posts

Posted 29 August 2016 - 05:52 PM

svchost came back.

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-30 01:51:36
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM012_HN-M500MBB rev.2AR10002 465,76GB
Running: z7t6grnp.exe; Driver: C:\Users\Batuhan\AppData\Local\Temp\fwdiyfog.sys
 
 
---- Threads - GMER 2.2 ----
 
Thread  C:\Windows\System32\svchost.exe [2908:3684]  000007fef57a9688
 
---- EOF - GMER 2.2 ----


#11 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 30 August 2016 - 04:44 PM

Gmer showing svchost doesn't necessarily mean infection. Are you having any issues right now?


Ad eundum quo no duck ante iit

#12 kbatu

kbatu
  • Topic Starter

  • Members
  • 13 posts

Posted 30 August 2016 - 09:22 PM

Only a slow computer, but it doesn't mean 100% infection. Thanks for helping.



#13 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 31 August 2016 - 06:12 PM

Just to be sure, before moving forward, go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:


Go to Start - Run, and type the following (Enter after):

chkdsk /r

It will likely find volumes in use and ask if you want it to run on reboot - select Y for yes, then reboot. This will scan for files as well as locate and repair bad sectors of the disk.

 

After the reboot, post back if there has been any improvement.

 

Also, do you happen to have or can borrow a Win 7 Ultimate 64 bit disk?

 

 


Ad eundum quo no duck ante iit

#14 kbatu

kbatu
  • Topic Starter

  • Members
  • 13 posts

Posted 01 September 2016 - 12:05 PM

It feels better than the last week. Also I'm probably going to buy a Windows key. Thank you for your help. :)



#15 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 01 September 2016 - 05:02 PM

Not real sure what that all meant.


Ad eundum quo no duck ante iit
